Effective Date 1/1/2020
The Company is committed to collecting and processing your personal data in accordance with the EU General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) and the applicable national legislation. This policy informs you on how we collect and process information about you that is governed by the terms that follow and the relevant provisions of the GDPR and relevant Greek and European legislation on personal data protection.
Personal data is any information that refers to natural persons whose identity is known or can be ascertained (hereinafter referred to as “personal data”).
HOW WE COLLECT THE PERSONAL DATA
- Directly from you: we collect personal data directly from you:
  - When you visit our website, when you seek information, make a request, contact us for any reason via the contact form or when you subscribe to our Newsletters,
  - During your visit to our premises, through our forms and/or our authorized employees.
  - Through a variety of means of communication, such as by e-mail, telephone calls, telefax,
  - Through all kinds of contracts of sale/provision of services/products you perform with our company.
  - When you explore the possibility of entering a contract with the company
  - By e-mailing your CV in order to apply for a job in the company.
- By automated means using the website: When you visit the company’s website, we may collect data from you based on your browsing and using our services. This data may include search history, IP address, screen resolution, type of browser used, operating system and settings, access times and URL reference as well as data collected through cookies (See Cookies Policy).
WHICH PERSONAL DATA WE COLLECT
The data that we collect in the course of our business activity and operation of our company varies according to the purpose of collection and includes the following:
- Personal Data & contact information such as name, surname, father’s name, mother’s name, telephone numbers, address, email, profession/business occupation.
- Contact information of third parties indicated by you (for example, when you authorize another person to receive the products purchased by you). In this case you declare that you have received the explicit consent of these persons for the use of their data by the company.
- Financial data (bank account numbers, credit card details and payment methods, VAT number, tax office)
- Level of education, work history, professional training data, when you submit your CV.
PURPOSE OF PROCESSING
The purpose of the data collection/processing is:
- To support, promote and perform the contractual relationship with our customers, and to inform customers about products and
- To communicate with the client/user and send informational messages concerning the stages of the contract/processing/delivery.
- To protect and ensure the security of transactions (so that we can detect and prevent cases of fraud, abuse, security incidents and other harmful activities and conduct security surveys and risk assessments)
- To provide information on products and services for which you have expressed interest and in general to respond to customer service requests.
- To comply with the legal obligations
- To conduct a general analysis and evaluation and improve the provided products and services in both our physical store and through our website to tailor our web presence to your needs, making our website easier and more efficient to use.
LEGAL BASIS FOR PROCESSING
The legal basis for the processing of personal data collected in accordance with the above is:
- processing of the personal data is necessary for the performance of the contract between you and HERMES S.A. specifically to provide the services and/or information requested or in order to take steps at your request prior to entering a contract.
- processing is necessary for the purposes of the legitimate interests pursued by HERMES S.A. or by a third party. HERMES S.A. will always balance your rights and interests in the protection of your personal data against HERMES S.A.’s rights and interests or those of the third party.
- processing is necessary for compliance with a legal obligation to which HERMES S.A. is subject (such as tax law or lawful law enforcement requests).
- your consent, in order to process your personal data for direct marketing purposes, to provide personalized offers, or any other instance where consent is required under applicable law.
The company also reserves the right to regularly communicate with our clients by telephone, mail, email, SMS or any other means of communication, using the contact information which has been obtained lawfully, within the context of the company’s contractual relationship with the user/client (article 11§ 3 of Law 3471/2006) provided that the data subject has not opposed this communication. This communication may include an update on services provided, research to improve the services provided to the Customers and other promotional activities and to serve similar purposes.
RECIPIENTS OF PERSONAL DATA
For the data necessary for the fulfilment of each of the above processing purposes and within the scope of recipient’s responsibilities, the recipients of the user/client’s data may be:
- The competent employees of the company within the exercise of their duties
- Public authorities, such as tax authorities, judicial, public and independent authorities, law enforcement, dispute resolution agencies acting in the context of the Alternative Dispute Resolution (ADR) procedure, where such transfer/access to data is strictly necessary for the defense of legal rights or the fulfilment of the company’s obligations.
- To the extent that this is necessary for the fulfilment of our contractual and legal obligations, provision of services and satisfaction of your requests, your data may be transmitted to company-affiliated providers, such as Legal, Advisory and auditing services companies, IT companies, couriers, Internet service providers, or providers of other services necessary for the operation of the website and the performance of the company’s services.
It should be noted that when storing, accessing and/or processing the user/client’s personal data, the employees and agents of the company fully comply with the relevant provisions of the European General Data Protection Regulation 2016/679 as well as with current Greek legislation and jurisprudence on the protection of personal data. The company requires of its employees, its website hosting and service providers, as well as its third party partners to take all necessary technical and organisational measures (including appropriate policies and procedures) to prevent unauthorised disclosure of users/clients’ personal data to which they gain access, and implement procedures for the management and processing of personal data in a manner that is lawful and protect such data according to GDPR imposed obligations.
We do not transfer your data to third countries. The personal data we collect is processed on servers located in the EU or EEA.
We retain your personal data for the duration of our contractual relationship. The personal data we process is not retained for a longer period than is necessary for the performance of the contract and any services directly related to it:
- in case of performance of a contract we will retain and process your personal data for as long as our contractual relationship lasts. In the event that the contractual relationship is completed or terminated in any way, we will keep your data for as long as is required by the applicable statute of limitations for the relevant claims and in any case for as long as required by the tax legislation, the applicable legal and regulatory framework and the approved Codes of conduct.
- In case you fill out the contact form or submit a request, your personal data is retained for as long as it is required for fulfilling your request and for. ……… after the completion of such procedure.
- If you subscribe to our newsletter, your personal data is retained for as long as you wish to receive the newsletters. You can inform us at any time that you no longer wish to receive newsletters by sending an email to firstname.lastname@example.org and your data will be deleted.
We will also retain personal data:
- To the extent required by law (for example, in order to comply with tax legislation)
- In order to comply with court proceedings (any ongoing or future court proceedings)
- To establish, exercise or defend our legal rights, personal security of the users and the public.
However, some necessary personal data regarding your contractual relationship with the company as well as information concerning your notification on the processing of your data and your consent, where applicable, may be retained so as to establish the lawfulness of processing of user/client data by the company and the legal claims of the parties.
TECHNICAL AND ORGANIZATIONAL MEASURES
The company implements appropriate technical and organizational security measures to protect personal data against unauthorized access, misuse, loss or destruction. Such measures include, but are not limited to, the use of firewalls, secure server facilities, network security measures, implementation of appropriate access rights systems and procedures, application of access control policy, implementation of due diligence in the selection of the Processors and their compliance with the GDPR and other reasonable organisational and technical measures, so as to provide adequate protection of personal data. All employees are bound by confidentiality and privacy clauses and personal data is processed only by specially authorized personnel of the company.
Similarly, the company, the processors and its employees/assistants shall apply appropriate technical and organisational measures to ensure the best protection of personal data from any unlawful processing, as well as to guarantee the possibility of restoring the availability and access to them. These measures aim to ensure a level of security that corresponds to the risk, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, while applying procedures for the regular testing, monitoring and evaluation of the effectiveness of said technical and organisational measures.
Under the GDPR (articles 12-22) you have the following rights:
- Request a copy of your personal data.
- Withdraw your consent when this is the legal basis of the processing of your personal data.
- Request that your personal data be corrected if it is inaccurate.
- Request erasure of the personal data you have provided, under the conditions set out by law.
- Request restriction of processing, under the conditions set out by law.
- Request the portability of your personal data, if you have provided us with the data and the processing is based on consent or performance of a contract and processing is based on automated means.
- Oppose some form of processing of your personal data by the company.
To exercise any of the above rights, you may contact us via e-mail: email@example.com or by mail or in person at the company’s premises at Location Lambrika, 194 00 Koropi, Attiki, P.O. Box 104 Koropi. We will take all possible measures to satisfy your request within a reasonable period, no later than one (1) month after the submission of the request and receipt of proof of your identity. That period may be extended by two months where necessary, taking into account the complexity and number of the requests. Please note that the absolutely necessary user data may be retained, in order to safeguard the legal interests of the Company.
Finally, each user has the right to submit a request to the company inquiring on how the company processes and protects your personal data, and if you consider that your rights are infringed, you have the right to file a complaint with the Data Protection Authority (http://www.dpa.gr/, Kifisias 1-3, P.C. 115 23, Athens, 210 6475600, Fax +30 210 6475628, email: firstname.lastname@example.org).
Please be aware that the content and services of this site are not intended for persons under 18 years of age. No personal data must be submitted to the company through the website by visitors under 18 years of age. If we become aware that a user under the age of 18 has registered and provided personal data without the explicit consent of the parent or legal guardian, we will immediately delete, after receiving such information or request, the relevant data in accordance with the applicable company policy.
The company may change this policy. Please check the effective date at the top of the policy to see when it was last revised. Every revision will be implemented as soon as we publish the revised policy.
If we make substantive changes to this policy that broaden our rights to use the personal data that we have already collected from you, we will inform you and provide you with a choice for the future use of these data.