Personal Data Protection Policy

Introduction
PENGAS CHR. SPYROS & CO GENERAL PARTNERSHIP is committed to protecting its customers’ privacy, and it takes its obligation to safeguard their personal data very seriously. We shall be clear and honest about the data that we collect and the reasons for which we collect them.

This policy determines the following:

• Your personal data that we collect and process due to your relationship to us as our customer
• Where we get the data
• What we do with the data
• How we store the data
• To whom we transmit/disclose the data
• How we handle your rights for the protection of your data
• How we comply with data protection rules

All personal data are collected and processed according to the personal data protection legislation of Greece and the European Union.

What are personal data?
Personal data are any information related to you that allows us to identify you, such as your name, contact information, security code, payment and invoicing information.

Data is collected only with your consent, or by signing a contract or by agreeing to be invoiced when you decide to become a customer of PENGAS CHR. SPYROS & CO GENERAL PARTNERSHIP.

Specifically, we may collect the following categories of data:

1. Name, home address, email address, phone number, police ID card number or number of other recognised identifying document, e.g. TIN, credit/debit card information or information of other means of payment.
2. Communications between you and our company or addressed from you to our company via letter, email, and social media.

For what purposes are personal data used?

Your data may be used for the following purposes:

1. To provide you with goods and services you have requested. We use the data you provide in order to provide you with the services you request.
2. To contact you in case of emergency. We send you communications regarding the services you request and any eventual changes to these services. These communications do not have advertising purposes and cannot be excluded.
3. For administrative or legal purposes: We use your data for statistical and marketing analyses, systems tests, market research, maintenance and development, as well as to deal with disputes or claims. Bear in mind that we may create a data profile with the data we collect from you, for the purpose of compiling statistical and marketing analyses. Any data profile creation activity shall occur only with your consent and we will expend every effort to ensure that all data on which these profiles are based are accurate. By providing us with your personal data, you are explicitly consenting to the use of said data by us to carry out data profile creation activities, according to our Privacy Policy.
4. For safety, health, management, and crime prevention/investigation: We may transmit your data to state authorities or law enforcement agencies in compliance with legal requirements.
5. For communication with the Customer Service department: We use your data to manage our relationship with you as our customer, to improve our services, and to enhance your customer experience.
6. To provide customised services: We use your data to provide you with information we think will interest you and to customise the services we offer you, such as special offers.
7. For marketing: From time to time, we communicate with you electronically and provide you with information on offers and auxiliary products. However, you may choose whether to receive such communications or not, by making your choice known to us at any time through phone, written, or electronic communication.

We process your personal data only when we have legal grounds to do so. The legal grounds depend on the reasons for which we have collected your personal data and the reasons for which we need to use them.

In most cases, we must process your personal data in order to be able to conclude a contract of collaboration between us.

We may also need to process your personal data for the following reasons:

• To comply with any legal or insurance obligation
• Because you have given us your consent to use your personal data (e.g. for marketing purposes)
• To protect your life or the lives of others (e.g. in case of emergency)
• Due to our legal interests during our operation as a service provision company (e.g. for administrative purposes)

Only persons 18 years or older may provide consent for themselves. For minors under 18 years old, the consent of their parents or legal guardians is required.

We do not store your personal data for a period longer than is necessary to complete the purpose for which they are processed. In order to determine the appropriate storage period, we take into consideration the quantity, type, and sensitive nature of personal data, the purposes for which we are processing them, and the possibility of achieving the same purposes through other means.

We also take into account the time periods for which we may need to keep personal data in order to fulfil our legal obligations (e.g. in regards to insurance company claims), or to respond to complaints/questions and to protect our legal interests in case a claim is brought against us.

When we no longer need your personal data, we delete it or safely destroy it.

How do we protect your personal data?
We follow strict security procedures when storing and disclosing your personal data, as well as to safeguard them against random loss, destruction or damage. The data you provide are protected by SSL (Secure Socket Layer) technology. SSL technology is the basic method in the sector of encryption of personal data and credit card information. All payment information is transmitted through a secure SSL link to a dedicated network infrastructure (Multiprotocol Label Switching – MPLS) and stored according to the Payment Card Industry’s Data Security Standards (PCI DSS).

When is it possible for personal data to be disclosed?
It is possible that your personal data may be disclosed to trustworthy third parties for the purposes determined in this policy. We demand of all our third party associates to employ the necessary measures of technical and operational security for the protection of your personal data, according to the laws of Greece and the European Union for data protection, such as:

Legal counsels and other professional consultants, judges and other law-enforcement agencies, in every country where we have business activities, in order to exercise our legal rights that ensue from our contract with you.

Data protection Officer (DPO)
We have appointed a Data Protection Officer (DPO) to supervise compliance with this policy. You have the right at any time to file a complaint with the supervising authority. The Greek Data Protection Commissioner is the primary data protection supervising authority for PENGAS CHR. SPYROS & CO GENERAL PARTNERSHIP, as a Greek data controller.

Your rights in regards to the processing of your personal data

Under certain conditions and according to the law, you have the right:

• To be informed about whether we keep your personal data and, if so, which data and why we keep/process it.
• To request access to your personal data (commonly known as a “data subject access request”). This gives you the option to receive a copy of your personal data in our possession and to check whether we are processing them legally.
• To request that your personal data that we keep be amended. This gives you the option to amend any incomplete or inaccurate information that we have on you.
• To request that your personal data be deleted. This gives you the option to ask us to delete or remove personal data where there is no reason for us to continue processing them. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to their processing (see below).
• To oppose the processing of your personal data, when we invoke a legal interest (or third-party interest) but your specific situation makes you want to oppose the data’s processing for this reason.
• To oppose automated decision-making, such as the creation of a profile that must not be the object of automated decision-making using your personal data.
• To request the restriction of processing of your personal data. This allows you to request that we cease processing your personal data, for example, if you want us to ascertain their accuracy or the reason for their processing.
• To request that your personal data be transmitted to you or to another party (commonly known as the right to “data mobility”) in electronic and structured form. This allows you to receive your data from us in an electronically usable format and to be able to transmit your data to another party in electronically usable format.
• Withdrawal of consent. In limited cases where you may have consented to the collection, processing and transmission of your personal data for a specific purpose, you have the right to withdraw this consent for the specific processing at any time. Once we receive notification that you have withdrawn your consent, we shall cease processing your data for the purpose or purposes for which you had initially consented, unless we have other legal grounds to continue doing so legally.

If you wish to exercise any of your rights, you must contact our DPO in writing, at the following address: PENGAS CHR. SPYROS & CO GENERAL PARTNERSHIP, 19 Proxenou Koromila St., 54623 Thessaloniki, Greece.

You will not need to pay any charge to access your personal data (or to exercise any of your other rights). However, if your request for access is clearly groundless or excessive, we may refuse to satisfy your request.

We may need to ask you for specific information in order to be able to confirm your identity and to ensure your right to access your data (or to exercise any of your other rights). This is yet another important security measure, so that personal data is not disclosed to any person who has no right to them.

Changes to the Privacy Policy
Our Privacy Policy may change from time to time and you shall be notified of any changes either through email or by notices posted on our website.