Last updated: 16 April 2026
Who we are
Blue Salt Marine Services IKE, VAT/AFM 802943731, with registered office at Gouvia – Kontokali – Potamos, Kerkira 491 00, Greece, is the data controller for the personal data described in this Privacy Policy. This Privacy Policy applies to personal data processed through our website, bluesaltmarine.com, and in the course of our business activities. You can contact us at info@bluesaltmarine.com or by telephone at +30 26610 20725.
Who this policy applies to
This Privacy Policy applies to website visitors, individuals who contact us, prospective and existing clients, supplier and partner contacts, job applicants, current and former employees, and other persons whose personal data we process in the course of our operations. We may provide supplementary privacy notices where a particular processing activity requires more specific information, for example in recruitment or employment contexts.
The personal data we collect
Depending on our relationship with you, we may collect and use identification and contact data, business and transactional data, website and technical data, cookie and preference data, marketing and communications data, recruitment and employment data, and, where strictly necessary and lawful, limited special-category data such as health-related information required for employment-law, occupational or social-protection purposes. We aim to collect only the personal data that is necessary for the relevant purpose and to keep it accurate and up to date.
How and why we use personal data
We process personal data only where we have a valid legal basis. Depending on the circumstances, we use personal data for the following purposes:
| Purpose | Typical data | Main legal basis |
|---|---|---|
| To operate, secure and improve our website and IT systems | Technical data, log data, cookie preference records | Legitimate interests; legal obligation where compliance records are required |
| To answer enquiries and take steps before entering into a contract | Contact details, correspondence, requested service details | Contract / steps at your request |
| To provide services and manage client relationships | Contact, contract, service and invoicing records | Contract |
| To manage suppliers, subcontractors and partners | Business contact details, contract and payment records | Contract; legitimate interests; legal obligation where applicable |
| To keep accounting, tax, payroll and other mandatory records | Invoice, payment, VAT/AFM and compliance records | Legal obligation |
| To send marketing communications where permitted | Contact details, consent status, unsubscribe records | Consent, except where applicable law permits an existing-customer soft opt-in |
| To recruit staff and administer employment relationships | CVs, interview notes, payroll and HR data | Contract; legal obligation; legitimate interests, as applicable |
| To investigate complaints and establish, exercise or defend legal claims | Correspondence, contracts, logs, evidence records | Legitimate interests; legal obligation where applicable |
Where we rely on legitimate interests, we do so only after considering whether those interests are overridden by your interests, rights and freedoms. Our legitimate interests may include website and network security, fraud prevention, business administration, supplier and client relationship management, and the management or defence of legal claims. Where we process special-category data, we do so only where an additional legal condition under the GDPR and applicable Greek law is satisfied.
Cookies and similar technologies
We use cookies and similar technologies on our website. Some cookies are strictly necessary for the operation and security of the website or for providing a service expressly requested by the user. Other cookies, including analytics, personalisation and any marketing cookies, are used only with your prior consent unless a legal exemption clearly applies. You can accept all, reject all, or manage your preferences through our cookie banner and the Cookie Settings tool available on our website, and you can change your choices at any time. Further information about the cookies we use is set out in our cookie information section and consent tool.
Marketing communications
If you ask to receive updates or marketing communications from us, we may send you information about our services, news or offers by email or similar means. Where required by law, we will do this only with your prior consent. If you are an existing client, we may in some cases send you information about our own similar services using contact details obtained in the context of a previous sale or service, but only where the conditions of applicable law are satisfied and you were given a clear opportunity to object both when your details were collected and in every subsequent message. You can opt out at any time by using the unsubscribe link in the message or by contacting us at info@bluesaltmarine.com.
Recipients, processors and third parties
We may disclose personal data, where necessary and lawful, to categories of recipients such as website hosting, domain, CDN, cybersecurity and IT support providers; analytics, consent management, email, cloud and CRM providers; accountants, payroll providers, auditors, insurers, lawyers and other professional advisers; banks and payment service providers; suppliers, subcontractors and operational partners involved in providing our services; and public authorities, regulators, courts and law-enforcement bodies where disclosure is required by law or necessary to protect our rights. Some recipients act as our processors and process personal data only on our behalf and under suitable contractual terms. Others, such as banks, payment service providers, professional advisers or public authorities, may act as independent controllers for their own legal purposes.
International transfers
Some of our service providers may process or access personal data outside the European Economic Area. Where that happens, we will ensure that an appropriate transfer mechanism is in place, such as an adequacy decision adopted by the European Commission or the Standard Contractual Clauses approved by the European Commission, together with supplementary measures where required. You may contact us if you would like more information about the safeguards used for a particular transfer.
How long we keep personal data
We keep personal data only for as long as necessary for the purposes for which it was collected, unless a longer period is required by law or is necessary for the establishment, exercise or defence of legal claims. In broad terms, website security and server log data are generally retained for a limited period, typically 6 to 12 months; enquiry data is generally retained for up to 24 months after the last meaningful contact unless it becomes part of a client file; client, supplier, invoicing and accounting records are generally kept for the duration of the relationship and then for a recommended baseline period of 5 years after the relevant financial period, subject to any longer legal or claims-related requirement; marketing records are retained until you withdraw consent or object, with a limited suppression record retained afterwards so that we can respect your opt-out; and recruitment and employment data are retained for the duration of the relevant process or relationship and thereafter for the period required by law or reasonably necessary for the management of legal claims. Where deletion is not possible because statutory retention rules apply, we will restrict the processing and continue to store the data only for the legally permitted purpose.
Your rights
Subject to the conditions and limitations set by applicable law, you have the right to request access to your personal data, rectification of inaccurate or incomplete data, erasure, restriction of processing, data portability and objection to processing. Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal. You also have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you, subject to the exceptions provided by law.
How to exercise your rights
To exercise your rights, please contact us at info@bluesaltmarine.com and describe your request as clearly as possible. We may ask for information necessary to verify your identity before acting on the request. We will respond without undue delay and, in principle, within one month of receipt. Where permitted by law, that period may be extended if the request is complex or numerous, in which case we will inform you accordingly. Requests are normally handled free of charge, although applicable law allows a reasonable fee or refusal in cases that are manifestly unfounded or excessive. If you are not satisfied with our response, you have the right to lodge a complaint with the Hellenic Data Protection Authority. The Authority’s published contact details include Kifissias 1-3, 115 23 Athens, Greece, telephone +30 210 6475600 and contact@dpa.gr.
Security
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Depending on the risk, those measures may include access controls, role-based permissions, confidentiality obligations, staff awareness measures, vendor due diligence, secure backups, system monitoring, and encryption or pseudonymisation where appropriate.
Personal data breaches
If a personal data breach occurs, we will act promptly to contain and assess it. Where the breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it. Where the breach is likely to result in a high risk, we will also communicate the breach to affected individuals without undue delay unless a legal exception applies.
Automated decision-making
We do not currently carry out solely automated decision-making, including profiling, through this website in a way that produces legal effects concerning individuals or similarly significantly affects them. If that changes, we will update this Privacy Policy accordingly and provide the information required by law.
Children
Our website and services are not directed to children, and we do not knowingly collect personal data from children through the website. If we discover that we have collected such data without a valid legal basis, we will take appropriate steps to delete it. If we ever offer an information-society service directly to children and rely on consent, Greek law provides that such consent is valid from the age of 15.
Accountability
We maintain records of processing activities where required by law, review our processing operations for data protection risk, and carry out data protection impact assessments where the GDPR requires them. Where residual high risk remains after assessment, we will consult the competent supervisory authority as required by law.
Changes to this policy
We may update this Privacy Policy from time to time to reflect legal, technical or operational changes. The latest version will always be available on our website and will show the effective date at the top of the notice.
Contact
Blue Salt Marine Services IKE
VAT/AFM 802943731
Gouvia – Kontokali – Potamos, Kerkira 491 00, Greece
Email: info@bluesaltmarine.com
Telephone: +30 26610 20725
Plain-language summary, cookie schedule and model wording
Blue Salt uses personal data mainly to run its website safely, answer enquiries, provide services, manage client and supplier relationships, keep accounting and compliance records, administer recruitment and employment, and send marketing only where the law allows it. Users should be able to see who controls their data, what is collected, why it is used, who receives it, whether it may leave the EEA, how long it is kept, and how they can exercise their rights or complain to the Hellenic DPA.
For cookies, the legal position in Greece is clear: non-essential cookies should not be set before valid consent, and the consent banner should allow users to accept all, reject all, or manage preferences with equivalent ease and prominence. Since Blue Salt’s live vendor stack is still unspecified, the cookie table below should be published only after a production-site audit confirms the actual cookies, providers, durations and transfer implications on bluesaltmarine.com.
Model first-layer cookie banner wording
“We use necessary cookies to operate and secure this website. With your consent, we would also like to use analytics cookies and, if applicable, other optional cookies to understand how the website is used and to improve our services. You can accept all, reject all, or manage your preferences. You can change your choices at any time through Cookie Settings.”
Model optional-cookie consent wording
“By selecting ‘Accept’ for optional cookies, you consent to the storage of those cookies and the related processing of your personal data as described in our Cookie Information section. You can withdraw your consent at any time through Cookie Settings, without affecting the lawfulness of processing carried out before withdrawal.”
Template lawful-basis wording for layered notices and forms
“Contract / pre-contract: We process your contact details and request information because this is necessary to take steps at your request before entering into a contract with you, or to perform our contract with you.”
“Legal obligation: We process invoicing, payment and accounting information because we are legally required to keep tax, accounting, employment and related compliance records under applicable law.”
“Legitimate interests: We process limited technical, log and business-contact data where necessary for website and network security, fraud prevention, business administration, supplier and client relationship management, and the establishment, exercise or defence of legal claims, provided that those interests are not overridden by your rights and freedoms.”
“Consent: Where required by law, we rely on your consent, for example for non-essential cookies and certain electronic marketing communications. You can withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.”
Model marketing consent wording
“I would like to receive email updates from Blue Salt Marine Services IKE about its services, news and offers. I understand that I can withdraw my consent at any time by using the unsubscribe link in any message or by contacting info@bluesaltmarine.com.”
| Cookie name | Provider | Purpose | Duration |
|---|---|---|---|
| [bsm_cookie_preferences] | bluesaltmarine.com / [CMP provider] | Stores the user’s cookie choices and helps demonstrate compliance with those choices | [6 months / 12 months] |
| [bsm_session] | bluesaltmarine.com / [hosting provider] | Maintains core website session integrity and essential functionality | [Session] |
| [bsm_security] | [hosting / CDN / security provider] | Detects malicious traffic, prevents abuse and protects website availability | [Short-lived / provider setting] |
| [bsm_load_balancer] | [hosting / CDN provider] | Distributes traffic and supports site resilience and performance | [Session / short-lived] |
| [analytics_cookie_name] | [analytics provider, if used] | Measures visits, usage patterns and site performance | [Provider-specific] |
| [embedded_content_cookie_name] | Enables embedded media or third-party content and may collect associated usage data | [Provider-specific] | |
| [payment_cookie_name] | [payment provider, if online payments are used] | Supports secure checkout, fraud prevention and transaction handling | [Provider-specific] |
| [marketing_cookie_name] | [advertising / social provider, if used] | Supports advertising, retargeting or cross-site measurement | [Provider-specific] |
Because provider identities and specific cookie names remain unspecified, Blue Salt should remove any row for technologies it does not actually use and should supplement the table with any transfer information required once the vendor stack is confirmed. If a third-party provider sets optional cookies through the site, Blue Salt should state whether that provider acts as a processor, a joint controller or an independent controller for the relevant processing.
Compliance checklist, breach workflow and primary source list
Before publication, Blue Salt should validate the public wording against the actual build and operational reality of bluesaltmarine.com. The company should not publish a cookie table or transfer statement that it cannot evidence. It should also ensure that the public notice matches its internal records of processing, retention schedule, processor contracts and incident-response plan.
| Action before publication | Why it matters |
|---|---|
| Insert the exact registered office street address in Corfu | Controller identity must be complete and accurate under transparency rules |
| Confirm whether a DPO has been formally appointed; if not, keep info@bluesaltmarine.com as the privacy contact | The DPO label should be used only where accurate |
| Audit bluesaltmarine.com for all live cookies, scripts, tags, embedded content and transfer points | Cookie notices and transfer wording must reflect actual technologies used |
| Configure the CMP so that Reject all is available at the first layer with equal prominence to Accept all | HDPA guidance and enforcement require fair cookie consent design |
| Confirm which vendors act as processors and which act as independent controllers; ensure Article 28 terms where required | Controller–processor relationships must be properly documented |
| Review all non-EEA access and transfers, and document adequacy, SCCs or other safeguards | International transfers require a lawful mechanism and, where needed, supplementary measures |
| Maintain or update Article 30 records of processing covering website, client, supplier, recruitment and HR processing | Accountability requires documented records in most real-world business settings |
| Review whether any processing needs a DPIA, especially if future tools create systematic monitoring or higher risks | High-risk processing must be assessed in advance |
| Validate the recommended retention schedule against Blue Salt’s actual accounting, labour, insurance and sector requirements | Storage limitation requires defensible retention periods |
| Put in place a rights-handling and breach-escalation workflow with verification, logging and deadline tracking | GDPR response deadlines and the 72-hour breach rule require an operational process |
The breach-response workflow below reflects the GDPR and supervisory guidance requiring containment, risk assessment, documentation, supervisory notification where risk exists, and communication to affected individuals where high risk exists.
| Official source | Relevance |
|---|---|
| Regulation (EU) 2016/679, the GDPR | Core rules on principles, lawful bases, transparency, rights, security, accountability, transfers, DPOs, DPIAs and breach notification |
| Greek Law 4624/2019 | Greek GDPR supplement, including the age 15 rule for consent to information-society services and relevant national provisions |
| Greek Law 3471/2006 | Greek ePrivacy rules on cookies, terminal equipment and direct marketing communications |
| Hellenic Data Protection Authority guidance on privacy notices, complaints and rights | Transparency requirements and complaint route to the Greek supervisory authority |
| Hellenic DPA materials on cookies and consent banner design | Cookie consent, layered notices, equal prominence for reject and accept options, and enforcement expectations |
| European Commission materials on lawful bases, consent, DPOs and international transfers | Controller lawful-basis analysis, consent standards, DPO triggers and SCC / adequacy transfer mechanisms |
| Official materials on Article 30 records, DPIAs, prior consultation and breach notification | Internal accountability obligations that should support the public notice |
Remaining company-specific details that still require completion are: the exact registered office street address in Corfu, the identity and contact details of any appointed DPO, the confirmed processor/vendor stack, any live non-EEA transfer routes, and the exact cookie inventory for bluesaltmarine.com. Those points are the only areas in this draft that remain materially unspecified.