2.     Who is the Data Controller
3.     Principles We Rely On
4.     What Data Do We Collect?
5.     Collection of Personal Data
6.     Categories of Personal Data Subjects
7.     Purposes of Processing & Legal Basis of Data Processing
8.     For how long do we store the data?
9.     Recipients of Data
10.       Processing Location
11.       Data Breach
12.       Your Rights as Data Subject and How to Exercise Them
13.       Contact Details of the Data Controller
14.       Contact Details of the Data Protection Authority
15.       Privacy Policy Update



Privacy Policy
This data protection policy (hereinafter referred to as "Policy") provides information regarding the collection, storage, processing, and use of your personal data.
The company named A. Kalloudis & Sia O.E., with the trade name HaniotisCars, headquartered in Hanioti, Chalkidiki, postal code 63085 (hereinafter referred to as "Company", "we", "us"), telephone number 23740 52258, email address [email protected], acting as the Data Controller, collects, stores, uses, and generally processes personal data.

  • Definitions
  • Personal Data: Any information that relates to and describes an identified or identifiable natural person, such as: identification details (name, age, residence, profession, family status, etc.), physical characteristics, education, work (work experience, work behavior, etc.), financial situation (income, assets, financial behavior), interests, activities, habits, or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural, or social identity of the said natural person.
  • Data Subject: The individual (natural person) to whom the data refers.
  • Sensitive Personal Data or Special Categories: The personal data of an individual relating to their racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in a trade union, health, social welfare, sexual life, criminal prosecutions and convictions, as well as participation in associations related to the aforementioned.
  • Health Data: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about the individual's health status.
  • Genetic Data: Personal data related to the inherited or acquired genetic characteristics of a natural person, which, in particular, derive from the analysis of a biological sample from the said natural person and provide unique information about the individual's physiology or health.
  • Filing System: Any structured set of personal data accessible according to specific criteria, whether this set is centralized, decentralized, or distributed on a functional or geographical basis.
  • Pseudonymization: The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the data cannot be attributed to an identified or identifiable natural person.
  • Consent of the Data Subject: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
  • Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
  • Data Controller: The natural or legal person which determines the purposes and means of the processing of personal data.
  • Processor: The natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.
  • Processing of Personal Data: Any operation or set of operations performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • Third Party: Any natural or legal person, other than the data subject, the data controller, the processor, and the persons who, under the direct authority of the data controller or the processor, are authorized to process personal data.


Who is the Data Controller

The "Company" is the data controller of the personal data it processes to fulfill its purposes.

Principles We Rely On

The "Company" adheres to the following principles of personal data processing (Article 5 of the GDPR):

  • Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and in a transparent manner in relation to the data subject.
  • Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner that is incompatible with those purposes.
  •  Data Minimization: Personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  • Accuracy / Data Quality: We ensure that personal data is accurate and, where necessary, promptly updated.
  • Retention – Limitation of Storage Period: We retain personal data for the period necessary or required by law.
  • Personal data processed for archival purposes in the public interest, for scientific or historical research purposes, or for statistical purposes are stored for longer periods. In these cases, we apply appropriate technical and organizational measures required to ensure the rights and freedoms of the data subject.
  • Integrity and Confidentiality: We are committed to processing personal data securely, protecting it, especially from unauthorized or unlawful processing, accidental destruction or damage, and using appropriate technical or organizational measures.
  • We commit to and adhere to the Principle of Accountability, demonstrating compliance with the above principles.

What Data Do We Collect?

We take care to collect only data that are absolutely necessary for the purpose for which they are given and are used exclusively for the purposes for which they have been collected. In the context of our activities, we will use your contact details to keep you informed about rental matters as well as new offers and services. With the exception of any Data collected from Cookies (see more in the Cookies Policy), the Data is limited to what you have explicitly provided for a specific purpose and only if you have given your consent. Also, we collect Data during your visit to our website and if you have consented to this, consent which is evidenced by completing the corresponding fields.
Identification data, such as name, surname, father's name, date of birth, driving license, tax identification number, ID card.
Contact/shipping data, such as mailing address, email address, phone number.
Payment details, such as credit/debit card number, PayPal, bank account number.
Data on rental contract history with our Company.
Data on any overdue debts to our Company.
Data on automotive accidents involving vehicles from our Company.
Data on any abusive behavior towards our Company’s personnel.
Location data (GPS), electronic application data (Bluetooth, navigator)

Collection of Personal Data

Your data processing is carried out either by our specially authorized personnel or through information technology systems and electronic devices by our Company and, exceptionally, by third parties who, having contractually committed themselves to our Company to maintain confidentiality and protect your Data, process them exclusively and only for the purposes for which they have been provided to us.
In general, your data are processed in order to provide you with the following services:
Quotation Submission: The Company processes your Data to submit a quotation for short-term or long-term car rental.
Car Rental: The Company processes your Data to fulfill its contractual relationship with you, which is the car rental, to provide service (such as maintenance, repairs, replacement of vehicle, etc.), to comply with legal obligations, to counter, raise, or exercise legal claims.
Car Purchase: The Company processes your Data to complete the purchase of used cars.
Compliance with Applicable Legislation: The Company processes your Data to be able to comply with its legal obligations, particularly related to compliance with tax and insurance legislation or vehicle insurance coverage arising from an active insurance contract.
Web-based Information Services: The Company provides information services to its customers.
Data in Electronic Applications (navigator, Bluetooth, GPS, etc.): When using the vehicle by you or any passenger, it is possible to store data in electronic applications that may be pre-installed on it. Our company will never ask you to perform a similar storage. If you do so, it is solely your choice, and it is your responsibility to delete the data from the vehicle's applications upon temporary or final delivery of the vehicle.
GPS Location Data: Our fleet vehicles have the ability to install GPS tracking systems. These systems are activated only in cases of vehicle theft, followed by relevant notification to the lessee/driver.
Maintenance status, etc.), (c) management of property items in cases of significant damage to the vehicle, etc., (d) inventory of property items, namely recording the exact location at any given time of the vehicles (owned by the lessor) and informing the lessor's reference points. The legal basis for processing is the legitimate interest in protecting the lawful property of the company.

Categories of Personal Data Subjects

The services of the 'Company' are exclusively directed to individuals over 18 years of age with full legal capacity.

Purposes of Processing & Legal Basis of Data Processing

The Company processes your data for the purpose of providing you with its services.
Processing is based on the following legal bases, in accordance with Article 6 of the GDPR:

  • Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation of the Company (e.g., tax, labor, insurance legislation, etc.).
  • In pursuit of the legitimate interests of the Company.
  • Based on your consent, where required.

It is noted that the Company does not use automated decision-making processes.
The processing of ordinary personal data is based on one of the "legal bases" referred to in Article 6 of the GDPR.
The processing of special categories (sensitive) of personal data is generally prohibited. It is allowed only if it meets one of the conditions of Articles 9(2) and 10 of the GDPR."

For how long do we store the data?

We retain the personal data collected by the Company for a predetermined and limited period of time, depending on the purpose of the processing. After this period has elapsed, the data is securely deleted and/or destroyed, unless there is explicit legislative regulation establishing a mandatory minimum retention period for records. The primary criterion for data deletion is the absence of a legal basis for their retention.

Recipients of Data

The Company ensures that it will not transfer, disclose, or otherwise provide your Data to third parties (except those mentioned herein) for any purpose or use other than what is mandated by applicable legislation or required by public/judicial authorities.
Access to your Data is granted to the absolutely necessary personnel of our Company, who are bound by confidentiality, and to businesses cooperating with us, which process your Data as Joint Data Controllers or as Data Processors on our behalf and in accordance with our instructions.
Indicatively, recipients of your Data include:
i) Insurance companies cooperating with our Company.
ii) Users of our trademarks and systems cooperating with our Company.
iii) Tourist agencies regarding car rentals. iv) Companies providing repair, bodywork, and maintenance services for vehicles leased to our customers.
v) Certified public accountants auditing the financial statements of our Company.
vi) Companies providing roadside assistance to drivers using our Company's vehicles. vii) Banks and electronic payment companies.
viii) Lawyers or law firms for defending the interests of the Company.
ix) Security service providers.

Processing Location

The personal data we collect and process are subjected to processing within the European Union. In the event that there is a need to transfer personal data to third countries (outside the European Union) or to international organizations, the Company undertakes to carry out such transfer, ensuring compliance, on a case-by-case basis, with the provisions of Articles 44-50 of the GDPR.

Data Breach

In the event of a breach of the security and integrity of the data available to us concerning personal data, the Company will take the following measures, in accordance with Articles 33 and 34 of the GDPR:

  • It will examine and evaluate the procedures required to limit the breach.
  • It will assess the risk and impact on the rights and freedoms of the data subjects.
  • It will attempt to minimize the damage that has been or may be caused.
  • It will notify the data subject within 72 hours of becoming aware of the breach, if required.
  • It will assess the impact on privacy and take appropriate measures to prevent a recurrence of the breach.

Your Rights as Data Subject and How to Exercise Them

Every natural person, whose data is subject to processing, enjoys all the rights arising from the General Regulation and the current legislative framework, namely:
(a) Right to withdraw consent: In cases where the processing is based solely on your prior consent, e.g. for the purpose of receiving informational messages about the actions of the OBI, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the legality of the processing based on consent prior to its withdrawal.
(b) Right of access: You have the right to know your processed data and to verify the legality of the processing. Therefore, upon request, you have access to the data and can receive additional information regarding their processing, to whom we transmit them, or for what purpose we process them.
(c) Right to rectification: You have the right to complete, correct, update, or modify your personal data by submitting a request to the relevant department of the OBI that maintains your personal data.
(d) Right to erasure: You have the right to request the erasure of your personal data when we process them based on your consent or in order to protect our legitimate interests. In all other cases (legal obligation to process personal data imposed by law), this right is subject to specific restrictions or does not exist depending on the case. In any case, we will examine whether your request can be legally satisfied.
(e) Right to restriction of processing: You have the right to request the restriction of the processing of your personal data in the following cases: (i) when you contest the accuracy of personal data until verification is completed, (ii) when you object to the deletion of personal data and request, instead of deletion, the restriction of their use, (iii) when personal data are no longer necessary for us, but are necessary for you to establish, exercise, or support legal claims, and (iv) when you object to processing until verification that there are legitimate reasons concerning us that outweigh the reasons for which you object to processing.
(f) Right to object to processing and right to object to automated individual decision-making, including profiling: You have the right to object at any time to the collection and processing of your personal data in cases where, as described above, it is necessary for purposes of lawful interests we pursue as data controllers. However, it is noted that OBI does not engage in automated decision-making.
(g) Right to data portability: You have the right to receive your personal data free of charge, upon your identification, in a format that allows you to have access to them (pdf, word, etc.), in order to use and process them with commonly used processing methods. Additionally, you have the right to ask us, if technically feasible, to transmit the data directly to another data controller. This right exists for data provided by you to us and processed by us based on your consent or in performance of a relevant contract.
In case of exercising the above-mentioned rights, relevant requests will be forwarded to any third-party recipients to whom your personal data have been disclosed/transferred, as described above. In case of exercising any of the aforementioned rights, the Company is obliged to respond to you within one (1) month from the receipt and verification of your relevant request. This deadline may be extended by two (2) more months if necessary, taking into account the complexity of the request and the number of requests. In such a case, the Company will provide you with relevant information about the extension, within the deadline from the receipt of the request, as well as the reasons for the delay. If the request is submitted electronically, your information will be provided in the same way, unless you request something different.
The exercise of your above-mentioned rights is free of charge for you, by sending a relevant request/letter/email to the Data Controller. Abusive exercise of the above rights (Article 12 §5) may result in the payment of a reasonable fee.
If you are not satisfied with the use of your data by us or with our response to the exercise of the above-mentioned rights, you are entitled to lodge a complaint with the Data Protection Authority.
You can exercise the above rights at the contact details mentioned below.

Contact Details of the Data Controller

For any issue regarding the processing of your personal data and for the exercise of the above-mentioned rights, you can contact the Company at the phone number: [insert phone number here].

Contact Details of the Data Protection Authority

Phone: +30, Website:, and postal address: Leoforos Kifisias 1-3, PC 115 23, Athens.

Privacy Policy Update

The last revision took place on 01/06/2024.