Data Protection Policy

1. Introduction

1.1 The Data Protection Policy (hereinafter referred to as the “Policy”) covers and concerns the conditions of the collection and management of natural persons’, clients’ and consumers’ personal data, (hereinafter referred to as “natural persons” or “subjects”) by the company under the name Greek Environmental & Energy Network Single Member S.A. (hereafter referred to as the “Company” or “Processing Agent”).

1.2 The purposes of collecting and/ or processing the subjects’ personal data, collected by the Company or third parties performing the processing upon request of and on behalf of the Company are indicatively: 1) the examination of the compliance with the terms of use of this website, 2) the participation in competitions, the election and the winners’ announcement, the publication of their results, the realization of all necessary steps needed to deliver the prizes, 3) the announcement of press releases and newsletters, the organization of promotional activities, through remote promotion and sale of the Company’s products and services, providing information to consumers on services and offers, 4) the communication, the management, the requests and queries’ procession as well as procession of the subjects’ complaints addressed to the Company and responding to them, providing high level specialized services, aiming to achieve prompt and high quality management of requests, 5) the use of the services of company’s website, applications and social media pages by customers and consumers, 6) the examination of a subject’s application for the conclusion of electricity supply agreement and the Company’s decision to conclude, identify, prove the capacity and the interest of the subject, the support, promotion and management of the contractual relations of the Company with its customers, 7) the execution, the regular operation and the fulfillment of the contractual obligations arising from the electricity supply contract, concluded by the Company with the respective subject; 8) the protection of transactions and the safeguarding of the Company’s rights exercise, in respect of its claims, and 9) the Company’s compliance with the legal obligations imposed on electricity suppliers from the current legislative and regulatory framework governing the electricity supply sector in Greece, 10) the non-personalized data processing for statistical purposes and for the purpose of improving the Company’s services, 11) the prevention and deterrence of potential criminal offenses, 12) the protection of the legitimate interests of the Company, customers or third parties and (13) public interest reasons.

1.3 The Company is the owner, creator and beneficiary of all the rights of its pages and services and is the Controller of the personal data that are declared by customers, users of the website, the application or through social networking or consumers.

1.4 The Company may provide links to other websites exclusively for the purpose of facilitating and informing its visitors. These sites do not fall under the control of the Company and are governed by their own privacy policy. The Company does not bear any liability for the privacy practices of these websites. This Privacy Policy applies only to information collected by the Company’s website and it does not cover in any way the legal relationship between visitors/ users of the pages and any other services that are not subject to control and/ or management, and/ or ownership of the Company.

1.5 The Company’s intention is not to collect personal data of minors and adults with legal incapacity who may have access to the website in violation of the above. However, since this is not feasible for the Company to ensure/confirm, any minor users or adults with legal incapacity who transmit their personal data to the Company via the website, are required and expected to have received the consent of their parent or their respective commissioners. If the Company confirms that it has collected any personal information from minors under 18 years old, without a verifiable parental consent or adults with legal incapacity, without the consent of his/ her Commissioner, the Company will delete the information from its database as soon as possible.

1.6 The safe handling and processing of personal data is a primary concern and commitment of the Company. This code, which is applied in conjunction with the national and EU law in force and is binding, sets out the general guidelines for the processing of personal data of natural persons. The Company insures the legitimate and lawful collection and processing of personal data. The Company maintains a record and processes personal data that has been collected either directly by natural persons or through service providers/ processors in command and on behalf of the Company.

1.7 The Company implements all contemporary and appropriate for the processing purposes technical and organizational measures, the effectiveness of which is examined on a regular basis. The Company collects and processes a digital file of personal data, which records the data that individuals voluntarily provide. The management and protection of personal data are governed by these terms, by its provisions and by EU Regulation 2016/679 on the protection of personal data as amended and currently in force (hereafter “the Regulation”). The Company has taken all necessary measures to safeguard the security of the provided services and the confidentiality of information related to natural persons.

1.8 The collection and processing of personal data are performed by the Company solely upon the explicit and voluntary consent of the natural persons for the purposes of concluding, supporting or executing the contractual relationship between them, the consumers’ support during the operation of the services they register for, the fulfillment of their requirements and the promotion of new services.

1.9 The Company may transfer natural persons’ personal data, which it holds according to the lawful means mentioned above, to relevant departments, employees or service providers that need to access that information in order to provide their specialized services, as well as affiliates or any other recipient required by law, as well as for the performance of their collaboration, for statistical purposes or for the promotion of products or services provided by the Company of affiliate companies.

1.10 The Company may share personal data with third parties only in the following cases:

(i) If it has the explicit consent of the subject for the transmission of personal data concerning him/ her,

(ii) Where the transfer of personal data to third parties becomes necessary for the implementation of the requests of the subjects. Third parties, external partners or service providers acting on behalf of the Company and cooperating with it, shall have the right to process the personal data of the subjects only in accordance with this policy and the legal framework and to the extent that it is strictly necessary for the provision and support to these services.

(iii) In case the transmission of personal data is required by law provision or court order or prosecutor’s order/ provision and exclusively to the Competent Authorities, as well as in order to protect the rights of the Company or third parties, including in the context of investigations or requests by regulatory and Public Authorities or Electricity Market Operators in Greece.

1.11 The Company strictly complies with the Greek law on the Record of Personal Data. Any information that may be stated and collected in the above cases is not disclosed to third parties and in no way it is publicized nor exploited by the Company. The Company takes all necessary measures to ensure the fair and lawful collection and processing of personal data and to ensure that it is held in accordance with the conditions laid down by Greek law, while preserving the privacy and confidentiality of any information that comes to its knowledge.

1.12 The Company does not trade, share, publicize, transmit or distribute in any way the subjects’ personal data to third parties, unless in case that it is explicitly permitted in the context of this Privacy Policy. There is a case in which personal data may be occasionally transmitted to third parties who act in the Company’s benefit or on its behalf or in relation to the Company’s activity, in order to be further processed in accordance with the purpose of the data collection, such as the provision of services, their evaluation or technical support. The third parties have been contractually bound by the Company as to use the personal data they received only for the purposes above and will not forward any personal information to third parties, nor will they disclose it to third parties, unless the law requires it.

1.13 Additionally, the Company may collect identification data for visitors/ users of its website and its online application (MyGREEN), using corresponding technologies such as cookies and/ or Internet Protocol (IP) address tracking. In particular, it may take advantage of the features provided by Google Analytics for the proper operation of its website using the technology named “cookies”, in order to update and serve advertising messages based on previous visits of a user of the Company’s website. A cookie is a small data file that a website (including the Company’s website) can send to the browser that the subject uses, which can then be stored on its hard drive without recognizing any document or file from computer, in order to enable it to be recognized as soon as the visitor returns. Cookies can collect information by the visitors of the website (visitor’s browser type, etc.) to facilitate visitor/ user access to the use of specific services or website pages as well as for statistical purposes or to evaluate the effectiveness of the website.

2. Data collected by the Company (indicatively)

2.1 Identification data: first name, last name, father’s name, ID/ passport, VAT number, date and place of birth, occupation, etc.

2.2 Communication data: postal and e-mail address, telephone number, etc.

2.3 Payment data: bank account details, debit/ credit and other bank cards, etc. needed for the bills’ payment or to settle other financial obligations through them.

2.4 Data necessary for the conclusion and execution of the electricity supply contract according to the subject matter. In this context, consumption data, meter readings, property status, rental, etc. of the subjects may be processed in relation to the electrification of installations for which a legitimate interest is shown by the subject.

2.5 Health data, marital status data: Where relevant, data related to vulnerable customers, beneficiaries of the Social Residential Tariff, etc.

3. Data Collection

3.1 The Company collects and processes personal data that natural persons voluntarily provide upon the conclusion of an electricity supply agreement or by registering such data on the relevant website, social media and the online application (Facebook, Twitter, LinkedIn, Instagram, myGREEN) or by submitting their email when participating in competitions and promotions, of any kind, organized by the Company. These pages may include links to other websites that are not controlled by the Company but by third parties (natural or legal persons). Under no circumstances shall the Company be liable for the terms and conditions of the Personal Data Protection Policy adopted and applied by these operators. The Company collects personal data voluntarily provided by natural persons, that are transmitted to it by associates acting on command of and on behalf of the Company, that are also bound by privacy and confidentiality obligations at the pre-contractual stage of electricity supply agreement. In this case, the natural person who suggests to conclude a contract with the Company, gives his/ her consent to the collection and processing of his/her data by signing the Electricity Supply Application and its terms.

3.2 The processing of the data for any other purpose is permitted only upon the prior written consent of the subject, which will be provided either in writing or by marking on a special field on its website upon collection.

4. Data Transmission

4.1 Our company does not transmit personal data collected and processed legally, to third parties, e.g. natural or legal person, entity, public authority or service or any other organization or private entity other than the data subject without its prior consent, without prejudice to paragraph 1.10. Consent will be provided either in writing or with a note/ registration in a specific field on the website, the social media pages or the Company’s application during data collection. As an exception, the Company may also disclose/ forward personal data in response to legal requests, believing in good faith that it is required by law or when it has to comply with law enforcement orders or provisions of current legislation and court rulings, judicial authorities or state mechanisms for the purpose of complying current legislation or to comply with a mandatory legal process or to use them for the operation and the maintenance of the security of its systems, including the prevention or interruption of an attack on computer systems or its networks, or if it is believed in good faith that it is necessary to deal with or to prevent the commission of criminal offenses or to protect the rights of the Company or third party. Such disclosures may also be required for privacy or security controls and/ or for investigating or responding to security complaints or threats.

4.2 Natural persons’ personal data shall be transmitted to the Company’s departments responsible for the operation of the electricity supply contract, for the proper and uninterrupted performance of contractual terms, advertising and sales promotion, for the resolution of any disputes and the collection of related claims of the Company. Personal data may also be transmitted and made available to legal entities and/ or natural persons with whom the Company occasionally maintains contractual relationships for the proper execution of the above and under the terms of the electricity supply contracts. However, in this case, the legal and/ or natural persons will process the customers’ personal data solely for the purpose of providing services to the Company and not for their own benefit, acting as processors.

4.3 In every transmission, the Company always takes every measure in order for the data transmitted to always be the minimum necessary and that the conditions for legitimate and lawful processing will always be applied.

5. Processing

5.1 Processing means any operation or set of operations which is performed by the Company on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

5.2. The Company processes personal data provided by natural persons only after obtaining their written consent for that purpose. As an exception, personal data may be processed without the Customer’s consent when the processing is necessary: for the execution of the contract with the Customer or for the fulfillment of an obligation imposed by the law, or if a relevant legal provision of national or EU law exists, permitting the processing of personal data without the prior consent of the customer. Particularly with respect to the processing of the personal data of the subjects who have already concluded an electricity supply contract with the Company, which remains in force, the legal basis for the Company’s processing shall be the execution of the contract in which the subject is a contracting party.

5.3 The data subject may withdraw his/ her consent at any time, without affecting the legality of consent-based processing prior to its revocation (lack of retroactive effect). The right to withdraw the subject’s consent is exercised in the manner in which it was granted. In the event where a party of the Company exercises the right of revocation, the Company is not obliged to delete its personal data which it processes for legitimate purposes, based on the operation and performance of the contract it has concluded with the subject and which justifies maintaining and continuing the processing of these data (legal basis of processing). As an exception, the processing of personal data is lawful and can be continued without undue delay by the Company, in spite of the exercise of the right of revocation to the subject, when the Company demonstrates imperative and legitimate reasons for the processing, that prevail the interests of rights and freedoms of the subject, or for the foundation, exercise or support of legal claims. This paragraph shall also apply in case of the exercise of the right to delete data.

5.4 Personal data will not be used for purposes other than those for which it was originally collected, and the use of customers’ personal data in order to promote products or services will be performed in accordance with national and EU law.

6. Sensitive Data

6.1 Sensitive data is data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, welfare and erotic life, issues related to criminal prosecution or convictions, as well as to the participation of clients in related persons. The collection and processing of sensitive personal data is prohibited unless: the customer has given his/ her explicit consent for it or if the processing is permitted without the consent of the subject, under applicable national or EU legislation or where such processing is necessary for the fulfillment of the Company’s obligations arising by the law, provided this is permitted by current national law.

7. Basic Principles of Personal Data Processing

7.1 The Company shall take all appropriate technical and organizational security measures in order to ensure that the personal data of natural persons processed, are accurate and updated where necessary. The Company takes all necessary measures in order for inaccurate or incomplete data to be erased or corrected. Personal data that is processed is appropriate and relevant to the needs of the service offered to the customer (electricity supply), the fulfillment of contractual obligations and the promotion of sales to consumers and are collected only for defined, explicit and legitimate purposes.

7.2 The process of personal data processing by the Company is conducted in a manner that ensures its confidentiality and follows rules and other procedures to protect personal data from unauthorized access, misuse, alteration, forbidden dissemination, disclosure, loss or accidental/ unlawful destruction and any other form of unfair processing. The Company applies reasonable policies and technical and organizational security processes in order to protect the personal data collected, from potential breach, loss, misuse, alteration or destruction.

7.3 Routine internal audits on the processing of personal data are conducted by the Company in order to review the effectiveness of the applicable data protection measures.

7.4 Authorized Individuals per Department have access to data processing systems, through which personal data is processed or used only in accordance with the Company’s instructions. Data processing systems cannot be used by unauthorized persons; persons authorized to use data processing systems have access only to the data for which they have been authorized; personal data may not, during the processing or use, or after being recorded, read, copied, modified, or shifted by unauthorized persons of the Company.

7.5 Access to personal data is restricted to those authorized to perform their duties to the Company, provided that it is necessary to become aware of them. People who have access to the data are required to keep the confidentiality of the data.

8. Data retention / Storage time

8.1 The Company makes every possible effort to maintain the personal data collected only for the time period required and solely for the fulfillment of the purpose for which it was collected. The data is stored until it is no longer necessary in the Company’s services’ provision process, serving the purposes as specified in paragraph 1.2.

8.2 In particular, Customers’ personal data is retained by the Company throughout their contractual relationship both in hard copy and digitally as well as after its termination in any way, when required by law, as applicable. The duration of the electrical power supply contract, the fulfillment of contractual obligations and the Company’s compliance with its legal obligations as a supplier of electricity, determine the time period in which the obligation to preserve and store the data applies.

8.3 In case of lack of agreement for the conclusion of a contract for the supply of electricity between the Company and the subject, his/ her personal data will be kept by the Company for a period of five (5) years from the rejection of the application for concluding a contract. Where law or regulations oblige the Company to hold personal data for a period longer than the above, retention periods will be prolonged accordingly.

8.4 In case of explicit consent to the use of personal data for advertising purposes, these will be retained for this purpose until the consent of the subject concerned is withdrawn. Any revocation will become effective for the future.

8.5 In case of judicial proceedings either directly or indirectly related to the subject, the data retention period shall be extended until an irrevocable court order is issued.

9. The Rights of the Subjects

All Subjects’ rights are exercised through the submission of a relevant request to the Company. The application must be in writing and sent to the following address: [email protected] accompanied with supporting documents, which will verify the identity and capacity of the applicant subjects. The Company provides the data subject with information or a response letter on his/ her request regarding the exercise of the above rights without delay and in any case within thirty (30) days after having received the request, responding in writing to the data subject and sending a copy of the applicant’s personal data, which may be kept in its records. Depending on the complexity of the request and the number of requests, the deadline mentioned may be extended by two months. If the subject submits the request by electronic means, the information provided by the Company is also provided in electronic form. If the subject’s claims obviously unfounded or excessive, especially due to their recurrent nature, the Company may impose a reasonable fee or refuse to respond to the request.

9.1 Right of access: Subjects are entitled to be informed whether the personal data concerning them are processed by the Company, the purpose of the processing, the relevant categories of personal data, any recipients and the potential storage space envisaged. The Company provides a copy of these data to the subject and where appropriate, reasonable fee may be charged for administrative expenses. The subjects acknowledge and explicitly accept the collection, management and processing of their personal data by the Company according to the process described and they are solely responsible for the false, inaccurate or untrue statement of their personal data to the Company. The retention periods of personal data set by national law will be applied in all cases, even after termination of the contractual relationship, in any way.

9.2 Right of Correction: In the event of inaccurate, incomplete or false information provided to the Company by the subject regarding his personal data, the subject may request in writing from the Company their correction or completion in order for the processing to be carried out by the Company on correct and true personal data.

9.3 Right of Deletion: In case the subject exercises his/ her right of removal, the Company is obliged to delete the personal data concerning it, unless its processing is necessary for the Company to comply with its legal obligations that require processing under national and EU law, under whose jurisdiction is the Company, as Processing Manager, or for public interest reasons, or for the foundation, exercise or support of its legal claims.

9.4 Right of objection: Subjects have the right to oppose and restrict certain data processing operations carried out for purposes of direct marketing or sales promotion by the Company. In these cases, the Company no longer processes personal data. The same obligation of the Company also applies in other cases, unless it demonstrates reasons for processing, that are imperative and legitimate, the Company’s interests and rights or for the foundation, exercise or support of legal claims. In particular, regarding subjects’ informing using incoming SMS messages via mobile phone, if the subject does not wish to receive SMS notification from the Company regarding its offers, the subject can call on 210.42.93.939 declaring his/ her opposition.

9.5 Portability Rights: The subject has the right to receive personal data concerning him/ her which he/ she has provided to the Company in a structured, commonly used and electronically readable format, as well as the right to transmit such data to another processor without objection by the controller to whom the personal data were provided when: (a) the processing is based on consent or a contract and (b) the processing is carried out by automated means. When exercising the right to data portability, the data subject shall has the right to request the direct transmission of personal data from one controller to another, where technically feasible.

10. Other Terms

For any matter concerning data processing, the subject may contact the Company. He/ She may also contact Personal Data Protection Authority (1-3 Kifissias Avenue, 115 23, Athens) or electronically (www.dpa.gr).

10.1 These terms are valid and apply to the protection of the personal data of the users/ visitors of the Company’s website and the natural persons communicating with the company, regardless of the cause. The use of this website’s services, the Company’s social media pages, the online application, the participation in promotional activities, as well as the conclusion of the contract for electricity supply, imply the full and unconditional acceptance of the present terms.

10.2 The Company reserves the right to periodically add, update, modify and/ or modify the terms of this Policy regarding the management of personal data at its discretion within the existing or potentially new legal framework without prior notice, after posting/ publishing the new, revised policy on its website, posting the date of its revision. The latest Privacy Policy will apply to all data and other information collected, regardless of the version of the Policy that was in effect when the information was collected.

10.3 The subjects’ personal data management and protection by the Company is subject to the terms of this policy and the relevant provisions of Greek and European legislation (Regulation 2016/679) on the protection of personal data, as amended and currently in force and is supplemented by the directives, decisions and normative acts of the Data Protection Authority and other relevant legislative acts in this context, any relevant regulation will be an amendment to the present field of application.

Committed Entity

The Committed Entity for the collection, storage, processing and use of the subjects’ personal data in the sense of the Greek and EU law and in particular the legal framework for the protection of personal data is: Greek Environmental & Energy Network Single Member S.A., 57 Akti Miaouli, 18536, Piraeus Attica, Data Protection Inquiries: tel.: +30 210 42 93 939, + 30 210 42 92 426 fax: +30 210 42 92 710, email: [email protected], website: www.green.com.gr.

The Privacy Policy was updated on 01/10/2018.