Privacy and Personal Data Protection Policy

Processing Principles

In the processing of your data, we follow the main principles mentioned below:

• We make sure that we collect and process only your minimum required data, which is appropriate and clear for the purpose it is collected for.
• Without prejudice to this policy, we do not disclose your personal data to third parties without your own consent, unless required by the Law or permitted under the agreement concluded between us.
• We use the data both to communicate with you in regard to any new products and to offer you better service.
• We are limiting ourselves to the purpose for which the data have been collected
• We use the minimum data required for the intended purpose (minimisation) 
• We retain your personal data for no longer than is necessary.
• We update the personal data in relation to the processing purposes for which they have been collected, and at the same time we take measures for their immediate erasure or correction when this is considered necessary.
  

   

Types of data and collection sources – Purposes – Legal basis for the processing

The types of personal data that we collect from you and process are directly related to the agreement concluded between us, or to the services or/and the products which you choose us to provide you with.

What do we collect?

• When you enrol offline into the customer loyalty programme “elin up rewards” as well as when you use the programme online, through the Roadcube App: e-mail, first name, last name, gender, date of birth, mobile phone number, address, city & postcode, registration number, vehicle make & model, product.
• In the bluedriving.gr website, optionally, the visitor’s name and e-mail.
• When you submit a curriculum vitae: full name, father’s name, date of birth, gender, nationality, military service information, marital status, home address, contact details, VAT ID, photograph, level of education, work experience, references.
• When you browse the bluedriving.gr and www.elin.gr websites: Internet Protocol address, browsing data within the Website, preference and service information, User-generated File.
• As an Electricity and Natural Gas Supplier:

(a) Identification and contact details, information confirming classification under a special customer category (e.g. vulnerable customer) by competent managers, copies of connection contracts signed by competent managers, business commencement certificate from the Tax Office, special information justifying the use of a specific tariff, (b) information about the meter of the property that is or will be the object of a supply contract, proof of legal use of the property, bills or/and from previous supplier, consumption data obtained by customers or/and competent managers, information on transactions and payments made in the framework of our contractual relationship, information related to the communication of prospective or existing customers with the Customer Support Department of the Company, (c) credit reporting information collected from publicly available sources, databases and credit-rating organizations with the purpose of creating a transactional profile and determining the guarantee amount, (d) if you decide to pay your bills through the “myelin” app using a standing order to a Bank for your own convenience: credit/debit card number, expiration date and card holder’s full name.

Our company does not collect or in any way access “sensitive” personal data, unless this is required for grounds of public interest (medical examinations for crews, tanker vehicle drivers), in which cases the only person with access to the data is the company doctor, unless required by the relevant laws in force (vulnerable client or beneficiary of social residential tariff).

We collect such data before or when you sign the agreement between us or when we execute our company’s contractual obligations, when you enter and use the Website, when we provide services, when you enrol into the elin up rewards programme, when we issue an ε-card corporate card, when we receive CVs, when we resolve complaints and when you choose to pay your bills through the “myelin” app using a standing order to a Bank.

In addition, we collect your data from various sources subject to your consent and always pursuant to the legislative framework in place. Given that the processing of your personal data is based on your consent, ELINOIL follows the procedures which are set out by the legislation in force in order to inform you and obtain your consent.

Legitimate grounds for the processing:

(a) the execution of a contract that you have assigned or intend to assign to us;

(b) the safeguarding and protection of legal interests, both yours and ours;

(c) the compliance with a legislative obligation;

(d) the consent you grant under the specific conditions set by the legal framework;

(e) the obvious publication of data by the subject and the processing which is necessary for the protection of the subject’s vital interests regarding any information provided in relation to health data.

More specifically, we use your personal data:

To identify you, to render good service, to serve our pre-contractual or contractual legal relationship between us, to send you personalized information and offers, to respond to your requests, to safeguard legal interests either ours or yours, to inform you about existing or new products and services, to market these, to obtain your opinion for their improvement, to manage and analyse our client base (buying behaviour) in order to improve the quality, diversity and availability of services we offer, and to managerially organise and to run our company, to manage your requests and complaints.

Lastly, to set up Member Accounts for and to provide advice on energy saving to electricity and natural gas clients.

Who else has access to your personal data – Third-Party Data Recipients:

We do not share your Personal Data with third-party private enterprises for an economic or other consideration. Our Company may, after securing the confidentiality of the data, grant access to or transmit your personal data to the following processors so that we can offer you services or boost your service experience.

• To consulting businesses for the provision of technical services, supporting services and analytics services.
• To subsidiaries of the company
• To third-party businesses which are active in marketing, advertising, commercial communication, promotion and advertising, and record-keeping as well as courier companies.
• To companies offering maintenance services and software programme support with databases.
• To the web hosting services provider with whom we are in a contractual relationship.
• To competent law enforcement authorities and partner lawyers.
• To Public Services and State Institutions
• To the Athens Stock Exchange, the Central Securities Depository, the Hellenic Capital Market Commission, the Consignment Deposit and Loans Fund and the General Commercial Register

In these cases, we ensure through contractual terms that the recipients observe the legislation on data protection in a satisfactory fashion.

Your rights regarding the protection of your personal data

You have the following rights:

You have the following rights:

a) To know what personal data concerning you are being kept and processed by ELINOIL SA as well as their origin (right of access). This entails the right to request and obtain a copy of the personal data you have collected.

b) To request that the data be rectified or/and completed so that it is complete and accurate, by delivering any necessary documents whence the need to complete or rectify the data (right to rectification) arises, which is also an obligation of the processor concurrently.

c) To request the restriction of processing for your data (right to restriction).

d) To deny or/and object to any further processing of the personal data kept by ELINOIL SA (right to object).

e) To request the erasure of your data from ELINOIL SA’s records (right to be forgotten).

f) To request ELINOIL SA to transmit any data received by you to any other processor (right to data portability).

g) To withdraw at any time the consent you have given.

h) Our company shall respond to your request within one month from its receipt. After having you informed, we may extend the above deadline accordingly and if necessary, taking the volume and complexity of requests into consideration. Any rejection of your request shall be justified.

i) If your requests do not meet legal requirements, our company reserves the right either to charge a relevant fee, taking into account the time needed to take the requested action, the expense of employment for intra-company information and any possible relevant announcement, or to deny fulfilling your request altogether.

j) If we have any doubts on the details of the natural person filing the request, we may ask for additional information to confirm their identity.

k) To deny any automatic processing, including profiling.

l) To lodge a complaint to the Authority, if you would like to do so; competence lies with the Hellenic Data Protection Authority (DPA), 1-3 Kifissias Str., Ampelokipoi, P.C. GR-115 23 Athens, Website: www.dpa.gr, Tel.: +30 210 6475 600, Fax: +30 210 6475628.

How we safeguard your data

We do our best to safeguard your Personal Data.  We use secure protocols for communication and data transmission and take all appropriate organisational, technical, physical, electronic and procedural safety measures. We use special software to protect our website and server.

Although we try our best, we cannot guarantee the security of the information. Nevertheless, we promise to inform the competent authorities for any suspected data breach. In addition, we will let you know, if there is any threat to your rights or interests. We will do everything in our power to prevent a data breach and to assist the authorities in the event of any such breach.

The company processes data exclusively through designated personnel for the purpose for which it has committed itself, and it is bound by strict obligations of data confidentiality.

Cookies and other technologies we use

Our company’s website uses “cookies”, so that whenever the user connects to the website, the latter can recover information thanks to cookies and offer to the user services related to that information. Our setting up of “cookies” is permitted only with the user’s consent and after their proper information.

Why we use Cookies    

We use cookies to make your browsing experience easier and more pleasant.

Relevant Cookies 

While you are browsing the website, third-party service cookies may be stored on your computer, e.g.: for statistical purposes related to the measurement of traffic and browsing on the website (analytics), on social media or any other internet marketing and website marketing online (Facebook, Twitter, etc.), for internet marketing in video form (YouTube, etc.), navigation services to the business of the website through a map (Google Maps, Foursquare etc.), updating of corporate, financial, statistical or any other information in various forms (pdf, excel, word, txt, etc.).

Cookies we use:

• Strictly necessary cookies: they are strictly necessary, as they enable you to make use of specific important functionalities on our website, such as logging in it. These cookies do not collect any personal information.
• Preferences cookies: They enable features which facilitate the use of our services.
• Analytics cookies: They are used to track the usage and efficiency of our website and services.
• Marketing cookies: They are used to display advertisements related to you and your interests. In addition, they are used to restrict the repetitiveness of an advertisement. Targeted or marketing cookies are often linked to the operability of the website which is offered by the other organisation.

Electronic forms

The electronic forms of our website contain check boxes whereby the user can only accept COOKIES.

Obligations of the website users

By using the Websites and giving your personal data, you acknowledge that you are obliged to give the real, accurate and complete details asked of you by our Company. You can inform our company at any time about any changes to these details, so that they can remain up to date and accurate.

By using the ELINOIL websites, you confirm that you are over sixteen years old. If you are below the age of sixteen years, you must refrain from any use of the Websites whatsoever as well as from any granting of your personal data without the approval of the holder of parental responsibility. The company bears no responsibility for the violation of the above-mentioned obligations.

The company may erase, cross-check, complete or modify the information you provide based on information collected lawfully by third parties, and shall inform you accordingly.

You may unregister or revoke your consent from procedures and actions which involve processing of your data any time you wish.

Personal data retention period

Your personal data is retained, so that we can achieve the purposes set out in this Policy and, upon your request, we can remove all information retained by us (unless the legislation in force requires their retainment for a longer period).

Moreover, our company may retain personal data after achievement of the purposes of collection and processing, to use them: before tax, social insurance and auditing authorities as well as any other public Authority or competent Court until the applicable limitation deadline prescribed by the Law, or for as long as we deem necessary for the protection of our rights and legitimate interests.

Once the retainment period elapses, your personal data is destroyed/erased from our records and our system in compliance with our corporate policy and always provided that their retainment is no longer required for the achievement of the aforementioned purposes.

Shareholders’ privacy

ELINOIL, caring deeply about the security of the personal details of its registered shareholders (former and current), their representatives, those deriving or/and exercising rights on the shares or their representatives and anybody participating in its General Meetings in any capacity, commits itself to manage their personal data according to the current National and European Legal and Regulatory Framework for the protection of personal data. In determining the purposes and the way of processing personal data, the company becomes a Processor of said data and collects the following personal details of its Shareholders in the framework of the shareholders’ capacity and the execution of tasks governing the relationship between them:

• Full name
• Personal identification data and identification documents
• Investor Share Code Number (Κ.Α.Μ.Ε.)
• Securities Account of the Share
• Personal tax information
• Profession or main scope of work
• Contact details (telephone and fax numbers, address, e-mail etc.)
• Proxies’ details
• Bank account number
• Information about the trading activity on shares
• Details on shares and rights on such shares
• Details of various requests filed from time to time with the Company
• Signature

Shareholders’ personal data is collected through electronic files received by ELINOIL periodically or on a case-by-case basis from the Central Securities Depository, as prescribed by the provisions of the law and the Operating Regulation of the Dematerialised Securities System (DSS), issued by the Capital Market Commission; these files contain information regarding its shareholder base and the transactions related to its shares.  Moreover, personal data is collected by the Shareholders themselves for the processing of matters concerning them, e.g. inheritance.

Shareholders make sure that their data is updated in a timely manner, so that the Shareholder Register is constantly up to date. This process takes place through the Operator of their individual share in the Dematerialised Securities System (DSS) of the Depository.

ELINOIL collects and processes the aforementioned Shareholders’ personal data for the purposes mentioned below:

• To make their participation and exercise of rights in General Meetings possible, by confirming their shareholder capacity.
• To manage and keep the Shareholders Book, according to the provisions of the relevant legislation.
• To process requests made by Shareholders in the framework of the services provided by the Company (e.g. issuance of certifications).
• To offer clarifications and answers to specific questions asked or requests made to the Company by Shareholders.
• To enable the Company’s participation in tenders and the development of its activities.
• To track transactions related to its shares.
• To fulfil its obligations under the laws for prevention of financial crime, money laundering and risk of fraud.
• To conduct OTC transferring of its shares due to succession or legacy, according to the provisions of the Civil Code and the DSS Operation Regulation.
• To disclose transactions made by liable individuals to the Athens Stock Exchange.
• To publish acts and information related to the Company at the General Commercial Register (GEMI), the Athens Stock Exchange or our own website, when required by law.

ELINOIL processes Shareholders’ personal data lawfully; for each processing it undertakes there is at least one of the following Legal Bases:

a. Processing is necessary for serving ELINOIL’s legitimate interests.

b. Processing is necessary for the execution of its contractual obligations towards its Shareholders.

c. Processing is necessary for the Company’s compliance with its legal obligations.

d. Processing is carried out with the Shareholders’ consent, who can nevertheless revoke it at any time.

Revocation of the consent does not affect the lawfulness of any processing which had been carried out based on such consent before its revocation.

The period during which the Company retains Shareholders’ personal data, in the framework of their shareholder capacity, as described in the paragraphs above, shall be ELINOIL’s lifetime according to the institutional frameworks in force from time to time.

The aforementioned provisions apply with regard to the security measures, transmission to third-parties, and the Shareholders’ rights.

Leak of information

In the event that we discover a breach of data security, we shall notify the Personal Data Protection Authority within 72 hours, in accordance with the provisions of the Personal Data Protection Regulation.

International jurisdiction and applicable law

The courts of Athens are the competent ones for the settlement of any dispute arising from this data policy, and the Greek law is applicable.

Contact

For any further information or request regarding this data protection policy, you may contact the personal data protection officer of our company, Mrs. Stella Kagianni, in writing at 33 Pigon Str., P.C. GR-145 64 Kifissia, at the e-mail [email protected] as well as at +30 210 6241500.

Last adaptation: 15.4.2021.