GDPR Rights

Last updated: 05/04/2026

As a user or customer of Coastbook, you have rights under the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and Greek Law 4624/2019. These rights apply regardless of whether you are a business owner, a customer who made a booking, or a simple website visitor.

Below we explain each right in detail, when it applies, any exceptions, and how you can exercise it. Exercising your rights is free of charge — there is no fee.

1. Right of Access (Article 15)

You have the right to obtain confirmation as to whether we process your personal data. If so, you are entitled to:

  • A copy of all personal data we hold about you
  • Information about the purposes of processing
  • The categories of data we process
  • The recipients or categories of recipients
  • The envisaged storage period
  • Information about the source of data (if not collected directly from you)
  • Information about any automated decision-making

Response time: Within 30 days of receiving the request. We will provide the data in electronic format (PDF or JSON).

2. Right to Rectification (Article 16)

You can request the correction of inaccurate personal data or the completion of incomplete data concerning you. This includes:

  • Correcting name, email, or phone on bookings
  • Updating business details (address, phone, description)
  • Correcting any wrong information in your profile

For business owners: You can also make changes directly through your dashboard under "Business Settings".

We will update the data without undue delay and inform you of the correction.

3. Right to Erasure — "Right to be Forgotten" (Article 17)

You can request the deletion of your personal data in the following cases:

  • The data is no longer necessary for the purpose for which it was collected
  • You withdraw your consent and there is no other legal basis
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Exceptions — We cannot delete data that:

  • Is required for tax purposes (5 years under Greek Law)
  • Is necessary for establishing, exercising, or defending legal claims
  • Is subject to a legal retention obligation

Process: After approving the request, data is permanently deleted within 30 days. We also inform third-party recipients to whom the data was disclosed.

4. Right to Restriction of Processing (Article 18)

You can request restriction of processing in the following cases:

  • You contest the accuracy of the data — processing is restricted until we verify the data
  • Processing is unlawful, but you request restriction instead of deletion
  • We no longer need the data but you need it for legal claims
  • You have filed an objection (Article 21) — until it is determined whether our interests override yours

During restriction, data is stored but not subjected to any other processing, unless you give consent or it is necessary for legal claims.

5. Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. This applies where:

  • You provided the data (e.g., booking details, account information)
  • Processing is based on consent or contract
  • Processing is carried out by automated means

Export format: JSON or CSV, depending on your preference.

What is included:

  • Account details (name, email, business details)
  • Booking history (dates, beachbeds, amounts)
  • Zone and beachbed data (if you are an owner)

You can also request the transfer of data directly to another provider, where technically feasible.

6. Right to Object (Article 21)

You can object to the processing of your data in two cases:

A. Objection based on legitimate interest:

  • If processing is based on Article 6(1)(f) GDPR (legitimate interest)
  • You must state the reasons related to your particular situation
  • We will stop processing unless we demonstrate overriding legitimate grounds

B. Objection to direct marketing:

  • You can object to processing for direct marketing purposes at any time
  • This right is absolute — no justification is needed
  • Processing will stop immediately

7. Right to Withdraw Consent

Where processing is based on your consent (Article 6(1)(a) GDPR), you can withdraw it at any time. Withdrawal:

  • Does not affect the lawfulness of processing carried out before it
  • Takes effect immediately upon receipt
  • Is as easy as giving consent

How to withdraw:

  • Cookies: Through the "Manage Cookies" button on the Cookie Policy page
  • Other processing: By sending an email to privacy@coastbook.gr

How to Exercise Your Rights

To exercise any of the above rights, send an email to privacy@coastbook.gr with the following:

  • Your full name
  • The email used for your booking or account
  • A clear description of the right you wish to exercise
  • Any additional information that will help locate your data

Identity verification: For your protection, we may request identity verification before taking action. This is to prevent unauthorized access to your data.

Response time:

  • We will confirm receipt of the request within 3 business days
  • We will respond fully within 30 days
  • In complex cases or where there are multiple requests, the deadline may be extended by 60 days, with notification to you

Cost: Exercising your rights is free of charge. In case of requests that are manifestly unfounded or excessive (e.g., repetitive), we may charge a reasonable administrative fee or refuse the request.

Data Protection Officer (DPO)

The Coastbook Data Protection Officer (DPO) is available for:

  • Questions about how we process your data
  • Assistance in exercising your rights
  • Submitting complaints or concerns
  • Providing information about data protection practices

DPO contact: dpo@coastbook.gr

Legal Basis for Processing

The legal basis for each type of processing is described in detail in our Privacy Policy (Section 5). In summary:

  • Contract performance (Article 6(1)(b)): Bookings, payments, business accounts
  • Legitimate interest (Article 6(1)(f)): Platform improvement, security, fraud prevention
  • Consent (Article 6(1)(a)): Analytics and marketing cookies
  • Legal obligation (Article 6(1)(c)): Tax and accounting records

International Data Transfers

When your data is transferred outside the EEA (e.g., to providers in the USA), we ensure appropriate safeguards in accordance with Chapter V of the GDPR, such as the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs). For more information, see Section 10 of our Privacy Policy.

Right to Complain

If you believe your rights have not been satisfied or that the processing of your data violates the GDPR, you have the right to file a complaint:

  • First to us: Contact our DPO at dpo@coastbook.gr — we will try to resolve the issue within 30 days
  • To the supervisory authority: If you are not satisfied, you can file a complaint with the competent supervisory authority. For Greece, this is the Hellenic Data Protection Authority (HDPA).

Hellenic Data Protection Authority (HDPA)

Kifisias 1-3, 115 23, Athens, Greece
Tel: +30 210 6475 600
Fax: +30 210 6475 628
Email: contact@dpa.gr
Website: www.dpa.gr