Global Data Protection Policy


Hoteza provides smart solutions to enhance guest experience for hotels worldwide. Personal data may be processed for this purpose. Hoteza strictly complies with personal data protection requirements and safeguards data subject rights and freedoms.
Hoteza is responsible for compliance with the General Data Protection Regulation (GDPR, 2016/679) and other applicable local requirements concerning privacy and personal data protection.
In terms of data protection, Hoteza usually acts as a Processor on behalf of Controllers who determine the purpose and means of personal data processing.
Hoteza’s head office is located in Cyprus. The data centres used by Hoteza are primarily located in Europe but may also be in other countries based on local needs and requirements.
The Lead Supervisory Authority (Data Protection Authority) is the Commissioner for Personal Data Protection (Cyprus).
Additional information on data processing can be found in the specific privacy notices.

Management Commitment

Hoteza’s management demonstrates a commitment to data protection by creating the policy and associated requirements and guidelines, assigning specific roles and responsibilities, continuously developing a positive data protection culture, and allocating appropriate resources.
Hoteza has appointed a Data Protection Officer (DPO).
Hoteza focuses on adhering to data protection best practices, in particular, the ISO 27701 standard.

Data Protection Principles

Hoteza pays special attention to upholding the following data protection principles:
1. Lawfulness, fairness and transparency. We process personal data lawfully, fairly and in a transparent manner in relation to the data subject.
2. Purpose limitation. We collect personal data for specified, explicit and legitimate purposes and do not process them in a way that is incompatible with those purposes.
3. Data minimization. Personal data are adequate, relevant, and limited to what is necessary for processing.
4. Accuracy. It is important to ensure that personal data is accurate and kept up to date as necessary.
5. Storage limitation. We only retain personal data for as long as necessary for processing purposes.
6. Integrity and confidentiality. We process personal data securely using appropriate technical or organizational measures.
7. Accountability. We are able to demonstrate that we follow the data protection principles and meet all the relevant requirements.

The Rights of Individuals

Hoteza Limited respects the general rights of the Data Subjects (the right to be informed, the right to access, the right to rectification, the right to erasure (right to be forgotten), the right to restrict processing, the right to data portability, the right to object, the rights in relation to automated decision making and profiling) and guarantees their observance.
These rights may also be extended depending on local requirements. More details can be found in the specific privacy notices.
The Data Subjects can contact Hoteza and receive additional information at [email protected].

Security of Processing

Hoteza has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the strict segregation of access rights;
  • the encryption and, if necessary, pseudonymisation of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Hoteza continually improves the suitability, adequacy, and effectiveness of data protection.

General Agreements with Controllers

Where the processing is to be carried out on behalf of a Controller, Hoteza guarantees the implementation of appropriate technical and organisational measures and ensures the protection of the rights of the data subject by entering into the Standard Contractual Clauses (SCC) or other forms of contract with the Controller.
Hoteza undertakes to comply with all written instructions received from the Controllers.
Hoteza shall not engage another processor without prior specific or general written authorisation of the Controller.

Date and Revision

The Global Data Protection Policy is subject to periodic assessment, revision and updating every two years or, if necessary, at shorter intervals to reflect changing conditions.
Current version: ver.6, September 29th, 2023. Any previous versions are no longer valid or up-to-date.