Privacy Policy

Information policy for the processing of personal data of website visitors

Introduction

With this Privacy Policy – Information Policy for the Processing of Personal Data of Website Visitors (hereinafter “Policy”, “Privacy Policy”), our Company with the name A TSIKNOPOULOU S SERGAKIS OE with the distinctive title “PANOPTIKI OE” (hereinafter “Company”, “we”, “us”, “Data Controller”), respecting the privacy of the users and visitors of this website (hereinafter “visitors”, “you”) and being vigilant to ensure the security of their personal data, provides the necessary information on the processing of personal data and on their rights, as subjects of the processing of such data. In order to be transparent about the collection, use, processing and storage of personal data, the Company encourages visitors to its website and anyone interested to read this Policy, in order to obtain the following information:

Legislative framework

The processing of your personal data is governed by the relevant provisions of the applicable national legislation for the protection of personal data (law 2472/1997, law 4624/2019, law 3471/2006, as applicable, etc.), of the Directives and Regulations of the European Union (in particular the General Data Protection Regulation (EU) 2016/679 – GDPR, hereinafter the “GDPR”), as well as by the relevant decisions, directives and regulatory acts of the Personal Data Protection Authority (hereinafter “PDPA”) and is subject to the legal formalities and restrictions they define.

Definitions

“Subject” of personal data: The website visitor, the customer / consumer of the online store, who orders and purchases a product, the registered user and any other natural person who comes into contact with our website.

“Personal data”: Any information that can directly or indirectly identify a natural person (the “Subject”), such as his name, postal address, contact details (telephone, mobile), electronic address (e-mail), etc.

“Processing”: Any act or series of acts performed with or without the use of automated means on personal data or sets of personal data, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, information retrieval, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, limitation, deletion or destruction of personal data that has come or will come to the knowledge of the Company, either directly by you through the website, or in the context of your transactional relations with it.

“Data Controller”: The Company with the name “A TSIKNOPOULOU S SERGAKIS OE” and with the distinguishing title “PANOPTIKI OE”, based in Chania (45 ANDREA PAPANDREOU Str., PO Box 73100), with A.F.M. 998215542, D.O.Y. of Chania, which determines the purposes and manner of processing personal data.

“Processor”: The natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller.

“Recipient”: The natural or legal person, public authority, agency or other body to which the personal data is disclosed, whether it is a third party or not.

“Third party”: any natural or legal person, public authority, agency or body, with the exception of the data subject, the controller, the processor and the persons who, under the direct supervision of the controller or the processor, are authorized to process the personal data.

“Consent” of the data subject: any indication of intention, free, specific, explicit and fully acknowledged, by which the data subject expresses that he agrees, by statement or by a clear positive action, to be the subject of processing of the personal data concerning him.

“Data Protection Officer” (DPO), “DPO”: The Personal Data Protection Officer, appointed by the Company, as Processing Officer, who holds the position and duties defined by the current legislative framework on personal data protection.

Personal data collected & processed & legality of processing (legal basis & purpose of processing)

We collect data and information that you provide to us when you enter and/or navigate the Company’s website, when you use our services (shopping, contacting us, etc.) or when you submit a complaint, question or request, in order to contact you. In addition, information may also be collected from third parties (natural or legal persons), e.g. technology companies, social networking platforms.

In particular, we collect and process your following personal data on a case-by-case basis and in the following cases:

Access to the website – DATA: IP address, date and time of access, geographical time zone, operating system of the terminal device and its version, browser and its version, name of the terminal device and / or user. PURPOSE: Providing personalized services to you, correct connection establishment, security and system stability. LEGAL BASIS: a) legitimate interest, in the context of making our website available to the general public and providing services to it

User registration – DATA: first name, last name, e-mail. PURPOSE: To create an account and register as a member on our website. LEGAL BASIS: a) the terms governing your registration (contract) b) legitimate interest, in the context of optimal service and provision of privileges to our members

Ordering and purchasing products – DATA: name, surname, e-mail, billing and shipping address details, receipt or invoicing details, contact phone number. PURPOSE: Contract conclusion, order management/processing, invoicing, compliance with tax obligations, customer service. LEGAL BASIS: a) the contract between us b) our legal obligations

Promotional actions (sending newsletters) – DATA: e-mail. PURPOSE: Sending newsletters about our offers, products, services, benefits. LEGAL BASIS: a) your consent b) as the case may be, our legitimate interest, in the context of promoting actions and new products and services, to existing customers for similar advertising purposes

Contact by e-mail – DATA: e-mail, first name, last name (if applicable), content of the message. PURPOSE: To communicate, manage/deal with or resolve your request, query or complaint. LEGAL BASIS: a) the contract between us, b) our legal obligation, based on consumer law, c) legal interest, in the context of serving you

We must inform you that the personal data you provide us with for the purpose of purchasing products from our online store or providing services is necessary for us, in the context of fulfilling legal and contractual obligations arising from the conclusion of the said application / sales contract, for the pricing of the products, for the fulfillment of our legal obligations, arising from the legislation in force at any given time, in the context of electronic transactions and, finally, for our compliance with the provisions on consumer protection. Consequently, failure to provide your data during the ordering and execution process makes it impossible to enter into a sales contract between us.

Processing of special categories of personal data

Our Company does not process or collect through its website your “sensitive” personal data (data of special categories), such as data related to your racial or ethnic origin, your religious or philosophical beliefs, health data or data concerning your sex life or sexual orientation, given that the above data is not necessary for us and the above processing purposes.

The website visitor must refrain from providing, making available, posting, etc. personal data of special categories, which concern him and/or third parties. In the event that such data is found to have been provided, the data is immediately deleted in a secure and irretrievable manner. The Company is not responsible for any provision and/or processing, which is due to their actions and/or omissions, in violation of the above obligation.

Data relating to minors

For the purposes of this Policy, persons under the age of eighteen (18) are considered minors. Our Company does not process, through its website, personal data of minors. Our online store is not intended for natural persons who have not reached the age of eighteen (18). Therefore, our Company does not process personal data from minors. We reserve the right, in case we find that a minor has made available, provided, etc. his data to us, without the consent of his legal representative, to delete said data. If you become aware that a minor has provided us with their data without the consent of their legal representative, please contact us.

However, we point out that, when the processing of personal data is based on consent in accordance with art. 6 par. 1 point a) GDPR, in relation to the offer of information society services directly to a child, the consent provided by the minor and consequently the processing is lawful, if the minor is at least fifteen (15) years old. In the case where the minor is under fifteen (15) years of age, this processing is lawful, only if and to the extent that said consent is provided or approved by the minor’s legal representative (art. 8 GDPR in conjunction with art. 21 Law 4624/2019). If you are a parent or guardian and it has come to your attention that your minor child has provided our Company with their personal data, please contact us immediately. For our part, if we realize that personal data that we are processing belongs to a minor, without the consent of his parent or guardian, the Company takes the appropriate measures to immediately delete this data and to avoid similar incidents in the future.

Recipients of personal data

Our Company preserves the confidential nature of your personal data and, as a rule, does not transmit them to any third party (natural or legal), except when and in all cases this is required and/or permitted by law. The data we collect from you in the context of the relationship between us (e.g. receiving, executing and delivering an order, offering any assistance in searching for and executing your orders, answering any of your questions, etc.) is processed by:

the authorized and properly trained competent staff of our Company, who are bound by confidentiality clauses,
as the case may be, partners of our Company, to whom the Company, in accordance with art. 28 GDPR, assigns the execution of specific tasks on its behalf (processors) and with which it has ensured GDPR-compliant processing for the protection of your data, by signing contracts and committing to comply with adequate measures, in accordance with the corresponding provisions of the GDPR (Art. 28, 32 GDPR), such as, indicatively but not limited to, cooperating transport companies for sending your orders, third-party partners – technical companies in frameworks for managing the website and providing services, supporting our applications, companies providing promotional services (e.g. sending newsletters),
public bodies and authorities, such as public services and bodies, independent authorities (e.g. Consumer Ombudsman), regulatory authorities, police, competent authorities, prosecutors, other administrative agencies, etc., when we are required to do so by the applicable legal framework.

International transfers of personal data

In principle, our Company does not transmit your personal data to third (outside the EU or EEA) countries or international organizations, which do not ensure an adequate level of protection (based on Adequacy Decision, etc.). Any transmission follows and complies with the relevant provisions of the current legislative framework, in particular art. 44 et seq. GDPR.

Retention time of personal data

The retention of your personal data takes place for the specific purposes mentioned above and lasts for a reasonable period of time, with the aim of fulfilling the respective purpose (restriction of processing).

Your personal data is kept by our Company, as the case may be, in paper and/or electronic form, throughout the duration of your contractual relationship with the Company and the latter’s individual contractual commitments, depending on its nature, taking into account the Company’s legal obligations and any legal claims that may arise from it, in order to, accordingly, justify the retention time of the personal data.

In addition, as the case may be, the data received and processed during the pre-contractual stage are kept for a period of five (5) years, subject to applicable legislation, for an extension of this time.

However, the Company applies twenty (20) years as the maximum retention period for personal data, with the possibility of extending the above period, in the event of a claim or pending litigation or an indication of control by public (tax, etc.) authorities.

In those cases where the processing of personal data is based on the consent provided, the data is retained by the Company for as long as provided by law, depending on the purpose and type of processing, including the Company’s legal obligation to retain.

Technical and organizational measures

The Company takes all appropriate technical and organizational measures to safeguard technological and physical security, in accordance with current legislation (Art. 32 GDPR). Indicatively, the Company applies encryption techniques and ensures the security of electronic transactions where possible (user interaction with the website and product purchases), technical and logical error control and management techniques, Policy and corresponding Procedures for graded access to the infrastructure and personal data, Secure remote access procedure, regular updates of the infrastructure for the provision of services and also of the electronic security infrastructure, implementation of periodic checks and classification of potential threats, installation of applications and infrastructures to prevent malicious actions of any kind, integrated business continuity plan based on the safe download of backup copies, installation of closed-circuit video surveillance (only in the facilities of physical installation of the infrastructures, where this is provided for by law) and infrastructures to provide physical security. Our Company constantly assesses, evaluates and upgrades the desired level of information security, taking additional measures as the case may be, to deal with new threats and associated risks, but also in the context of the planned and in accordance with the will of the Management, the adoption of new factors to further reduce the risk.

More generally, the Company demonstrates, as far as possible, due diligence in ensuring the integrity, confidentiality and availability of personal data. So, it remains ready in order to validly and promptly deal with any personal data breach. To this end, it adopts, updates and implements appropriate internal Policies and Procedures, in accordance with good practices and international standards.

In addition, our Company keeps an updated record of processing activities, with the information required by art. 30 GDPR, has appointed a Data Protection Officer (DPO), based on art. 37 et seq. GDPR, and trains and sensitizes its staff in matters of security and protection of personal data.

Collection of cookies

For the proper functioning of this website, cookies are used. For more information about cookies, you can refer to our Company’s Cookies Policy posted on our website.

More specific information about the company’s social media

Our Company ensures its presence on social media: Facebook, Twitter, Instagram, LinkedIn, YouTube. With this paragraph and in combination with our entire Policy, the Company provides users with the necessary information for the processing of their personal data, through social media.

Thus, through social media, our Company often gives you the opportunity to submit comments, send messages, stay informed about our news, etc. In all the above cases, for the processing of your personal data, both our Company and the corresponding operator of the respective social media platform (Facebook, Instagram, etc.) are jointly responsible for Processing, within the meaning of art. 26 GDPR.

So, it is not always possible to have full knowledge of the type of data that the operators of each platform are processing, but nevertheless we make the best efforts, take care of the configuration of our social media pages and act in accordance with the possibilities available to us from the operators, in order to ensure the processing of your personal data, in accordance with the applicable legislative framework.

If you wish to receive more information regarding the processing of your personal data by the operators of the social media platforms and to be further informed, you can refer, as the case may be:

Facebook: www.facebook.com/privacy/explanation
Instagram: help.instagram.com/519522125107875
Twitter: twitter.com/en/privacy
LinkedIn: www.linkedin.com/legal/privacy-policy
YouTube: www.youtube.com/yt/about/policies/

When you interact with us through social media, the purposes of processing your personal data are primarily to serve you (where this possibility exists, e.g. contacting us by sending a message or posting a comment).

In the cases in which you communicate with us in the above ways, the legal basis for processing is the legitimate interest of our Company, in the context of serving you and resolving requests, issues or concerns you submit to us (art. 6 par. 1 para. GDPR).

Your rights under the GDPR

As data subjects, you retain all your rights, as provided for in the current legislative framework on the protection of personal data, namely:

1. The right to transparent information for the exercise of your rights (art. 12, 13, 14 GDPR), before and during processing, i.e. the right to information about the processing of your personal data (as detailed in this Policy).
2. Right of access (art. 15 GDPR) to your personal data that is being processed by the Company, as a Processor, i.e. the possibility of knowing and receiving a copy of the data concerning you.
3. Right to correct inaccurate data and fill in incomplete data (Art. 16 GDPR), i.e. the right to correct your data and information, which our Company maintains.
4. Right to delete personal data / “right to be forgotten” (art. 17 GDPR). This right is subject to conditions and subject to the obligations and any legal claims of the Company for the preservation of the data, based on the provisions of the current legislation. The request for the deletion of some or all of the personal data may be granted under specific circumstances and subject to the Company’s legitimate reasons for maintaining and continuing the processing and provided that the Company’s interests are not affected.
5. The right to limit the processing of personal data if, either the accuracy thereof is disputed, or the processing is illegal, or the purpose of the processing is missing and provided that there is no legitimate reason for the processing, but the data cannot be deleted (Art. 18 GDPR).
6. Right to portability of personal data, i.e. you have the right to request the receipt of personal data, in a structured, commonly used and machine-readable format, as well as to have it transmitted, under the legal terms and conditions, to another controller, as long as this does not adversely affect the rights and freedoms of others, in accordance with the provisions of the legislation (Art. 20 GDPR).
7. Right to object to the processing of personal data, subject to the Company’s legal obligations or when the processing is carried out in the context of fulfilling the Company’s superior legal interest, such as objecting to profiling or direct marketing (Art. 21 GDPR).
8. Right to withdraw the consent already given, which concerns the possibility to withdraw the consent at any time, for the processing, which is based on the consent (art. 7 par. 3 GDPR). It is noted that, in this case, the legality of the processing of personal data is not affected by the withdrawal of consent, up to the point in time when it was withdrawn.
9. You also have the right to file a complaint with a supervisory authority, in particular in the Member State in which you have your habitual residence or your place of work or the place of the alleged violation, if you consider that the processing of personal data concerning you violates the GDPR (Art. 77 GDPR). The competent Supervisory Authority in Greece is the Personal Data Protection Authority (Kifisias Street 1-3, Athens, P.O. 115 23, +30 210 6475600, contact@dpa.gr).

How to exercise your rights

Please address any request regarding your personal data and the exercise of your rights, in accordance with the provisions of the current legislative framework for the protection of personal data, in writing to the contact email address. You can also send it to our postal address or submit the request yourself in person at our Company’s address.

More special statements of the company

1. The Company declares that it is not responsible for any damage (direct, indirect, positive, consequential) that may be caused to the visitor due to the website or its use. The visitor is solely responsible for protecting their system from viruses and other malware.
2. The Company does not make decisions or carry out profiling based on automated processing of your data.
3. This Policy may be modified at any time. The user will be informed of all important changes, while each time the updated version will be posted on the website. For this reason, the visitor must be informed and consult this policy regularly.
4. The Company will not make any other use of the visitor’s personal data for purposes other than those mentioned in this Policy, without prior information and, where necessary, his consent.
5. The website user, by reading this Policy, becomes aware of the above processing which is in accordance with the current legislation for the protection of personal data, exclusively for the purposes mentioned above and for purposes compatible with them.


Last modified: August 2021