PRIVACY POLICY & CCTV PRIVACY POLICY

INFORMATION ON PERSONAL DATA PROCESSING

PRIVACY POLICY & CCTV PRIVACY POLICY

HERON PRIVACY POLICY & CCTV PRIVACY POLICY

PRIVACY POLICY

Introduction

We would like to assure you that for the for the société anonyme under the trade name “HERON SINGLE MEMBER S.A. ENERGY SERVICES” / “HERON ΙΙ THERMOILEKTRIKOS STATHMOS VIOTIAS SOCIÉTÉ ANONYME” and the distinctive title “HERON ENERGY S.A.” / “HERON II VIOTIAS S.A.” (hereinafter referred to as the “Company”), member of GEK TERNA Group, the protection of personal data of the natural persons who are in any way involved with the Company, is of paramount importance.

We, therefore, take the necessary measures to protect the personal data of persons that we process, as well as to ensure that personal data is always processed in accordance with the obligations laid down by the legal framework, both by the Company itself and by third parties who process personal data on behalf of the Company.

Data Controller – Data Protection Officer (DPO)

The Company under the trade name “HERON SINGLE MEMBER S.A. ENERGY SERVICES” / “HERON ΙΙ THERMOILEKTRIKOS STATHMOS VIOTIAS SOCIÉTÉ ANONYME”, and the distinctive title “HERON ENERGY S.A.” / “HERON II VIOTIAS S.A.”, headquartered in the Municipality of Athens, 85 Mesogeion Avenue, with operating offices in Athens, 124, Kifissias Avenue, Postal Code 11526, and two (2) Thermal Power stations in Thebes, Viotia in the 4th km PEO Thebes - Eleusis, Postal Code 32200, email: info@heron.gr, website: http://www.heron.gr, informs that, in the context of its business activities, it processes the personal data of the data subjects, natural persons concerned (such as its customers, suppliers and potential personnel), in accordance with current Hellenic Laws and the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as the “Regulation”), as in force.

For any matter concerning the processing of personal data, you can contact directly the Data Protection Officer (DPO) of the Company, namely the Law Firm “ANDERSEN LEGAL, PISTIOLIS – TRIANTAFYLLOS & ASSOCIATES LAW FIRM” at the email address: herondpo@gr.andersenlegal.com, telephone: 210 3626971 and the Company’s Director of Legal Affairs & Head of Compliance, Mr. Panagiotis Alexandrakis, 124, Kifissias Ave., 115 26 Athens, Tel. 213 0075211 Email: palexandrakis@heron.gr).

What personal data do we process?

We process the personal data that you disclose to us [such as, your name and surname, home address, email address, phone number and FAX number if available, identity card number (ID-Card no.) and issuing authority, tax registration number and competent Tax Office, gender and date of birth, etc., as well as your supply account number, photographs of the Clearance Bill for the supply of electricity or natural gas that your current supplier provides you with], only when we have a legitimate reason to do so.

What are the legitimate reasons for processing your personal data?

Legitimate grounds for the processing of your personal data are the following:

(a) The performance of the existing contract between you and the Company, as well as the preparatory actions required within the scope of the contract that is to be drafted between you and the Company, such as, a contract for the supply of electricity or natural gas to our customers, satisfying our customer’s requests / complaints in the context of proper provision of our services, executing project contracts with our collaborating contractors or providing our services through our partners throughout Greece, in order to fulfill our contractual obligations in the above context.

(b) The safeguarding and protection of both your legitimate interest and ours. Therefore, we use closed-circuit television (CCTV) and security cameras in order to protect the safety of natural persons, materials and other facilities of the Company. Additionally, we record details of our visitors and collaborators entering the facilities of the Company in order for them to be served or in order to execute the relevant works that we have been assigned, etc. and to be able to provide access cards for the facilities of the Company.

(c) Compliance with an obligation imposed by law, such as the disclosure of acts and information of a société anonyme (including details of natural persons, such as shareholders, members of the Board of Directors or Company executives), pursuant to Law 4548/2018, as amended in force, the disclosure of transactions of obliged persons to the Stock Exchange, the management of claims for damages caused by accidents while carrying out a project, the management of litigation cases, etc.

(d) The consent you provide us with under the specific conditions set by the legal framework in force.

(e) The manifest disclosure by the subject of the data and the processing which is necessary to protect the data subject's or other natural person's vital interests (in case the data subject is physically or legally incapable to give his/her consent) are the legitimate reasons for which we process any information related to health data.

How and why do we use your personal data?

To properly comply with our contractual obligations and to maintain the quality of our provided services.
We collect and use the information required for the smooth cooperation between us, whether it includes a supply contract, a contract for the provision of services to our customers, a contract for the execution of works by our contractors / subcontractors, etc., or the processing of personal data in the context of actions required at a pre-contractual stage.

Specific examples where the processing of our customers' personal information (as detailed above) is required, include the following:

Provision of authorization of the customer to the Company for the cessation of the Meter Representation & disconnection of power supply
Certification of meter readings and general tariff parameters for Bill amendment
Tariff dispute on behalf of our customer
Customer request for the amendment of tariff category
Customer request for VAT exemption
Request to amend the existing supply contract
Request to withdraw a direct debit for the settlement of bills via credit card
Contract termination by our customer
Activation of direct debit for the settlement of bills via credit card
Withdrawing statement of our customer
Submission of requests / complaints by our customer or a third party
Provision of authorization of the customer to the Company for the cessation of the customer’s Meter Representation by another supplier by 100% and the termination of the contract
Submission of customer request for a new supply contract
Submission of customer expression of interest in an exhibition of our Company
For the purpose of contacting you and optimizing our support

We may need to contact you by email or telephone for administrative purposes, such as informing you about the status of our cooperation, arranging a professional meeting with potential staff, managing your further requests or complaints, etc.

In addition, we may contact you for your participation in customer satisfaction surveys, which help us understand your level of satisfaction in regards to the services offered, in order for us to improve and evaluate the quality of our products, services and Company in general.

To comply with our legal obligations:

In case we publish, for example, information on our website or on the website of the General Electronic Commercial Registry (GEMI) and / or the Board of Directors of the Company (including details of natural persons), we use provide authorizations to designate and notify third party natural persons as representatives of the Company in order to conduct actions within the scope of the Company’s business activities.

To protect our legitimate interests, individuals and premises:

Within the above scope we use closed-circuit television (CCTV) and security cameras to ensure the safety of individuals, materials and premises of the Company.

For newsletters subscription purposes and in order to send information about our new offers:

We ask for your consent in advance and for your email address afterwards, so that you may receive newsletters from our Company about our latest news and offers.

With your consent and subsequent subscription, you will be able to stay informed about our new services and offers that we send via emails and text messages or Instant messaging through related services (for example SMS, Viber, Push Notifications etc.).

To create a Member Account:

In case you wish to create a Member Account, you will need to provide us with your email address and set your own personal passwords.

For the provision of information in regards to the benefits you will gain by concluding a contract for the supply of electricity or natural gas with our Company:

In order to inform you about the amount you would pay if you were a customer of our Company, you are kindly requested to send us photographs of the Clearance Bill that your current supplier provides you with for the supply of electricity or natural gas and your phone number, so that we may contact you through Viber.

For a customized communication (profiling):

In order to provide you with the best possible experience, all personal data collected under our contractual relationship may be used to send personalized news / updates provided you have given your consent under specific conditions set by the legal framework in force.

Who do we disclose your personal data to?

The Company discloses your personal data to the following recipient categories:

Company employees

To our Company employees, who are responsible for the evaluation and realization of your requests, the provision of information at a pre-contractual stage, and in case you express your interest in the conclusion of a customer relationship with the company, the proper execution of your contract with the company, as well as the fulfillment of obligations provided by the contract or by Law.

Your personal data are treated with the strictest confidentiality, since our employees processing your personal data possess an adequate and significant level of knowledge on personal data protection and are either bound by a confidentiality clause or obliged to comply with the confidentiality clause.

State authorities, law enforcement bodies

Personal data is disclosed whenever necessary for verification (e.g. by the Regulatory Authority for Energy, Hellenic Consumer’s Ombudsman, Hellenic Data Protection Authority, etc.) and in accordance with statutory procedures.

Collaborators of our Company (partners, subcontractors, banks, insurance companies, auditing company etc.)

The Company works with collaborators to whom assigns personal data processing on its behalf (e.g. cooperation agreements with call centers which are assigned with the promotion of products and services of our Company, subcontracting, banking transactions, audit of a transfer of shares by a statutory auditor, product promotion or market research companies, financial institutions, companies such as TIRESIAS S.A., in order to verify your credit standing, debtor notification companies, auditors, accountants, notaries, lawyers, bailiffs or other financial or professional consultants). In the above cases the Company remains the controller of the processing of your personal data and sets out the details of the processing, signing a specific contract with the third parties assigned with processing activities, in order to ensure that the processing is carried out in accordance with the applicable legal framework and that any individual may freely and without hindrance exercise the rights conferred on him/her by the legal framework.

In addition, the Company may also transfer data to other affiliated companies of the GEK TERNA Group, as well as collaborating companies (e.g. to joint venture members or company associations) with the purpose to provide a report on the Company’s status provided that consent has been given by the natural person, as mentioned above and that the abovementioned provision on written assignment of processing applies.

Duration of Data Storage

The duration of data storage is defined according to the following specific criteria, as appropriate:

In case the processing is required by provisions of the legal framework in force, your personal data will be stored for as long as the relevant provisions require.

In case the processing is performed on a contractual basis, your personal data will be stored for as long as necessary for the execution of the contract and for the basis, exercise, and / or support of legal claims under the contract.

What are your rights in relation to your personal data?

Any natural person whose data is processed by the Company is entitled to the following rights:

Right of Access

You have the right to be aware of and verify the legality of the processing. Therefore, you have the right to access the data and receive additional information on the data processing thereof.

Right to Rectification

You have the right to examine, rectify, update or modify your personal data by contacting the Data Protection Officer (DPO) at the above contact details.

Right to Erasure

You have the right to request the deletion of your personal data when their processing is legally based on your consent or in order to protect our legitimate interests. In any other case (such as in the context of a contract in effect, a statutory obligation for personal data processing , public interest, etc.), this right is subject to specific restrictions or does not exist on a case-by-case basis.

Right to Restriction of Processing

You have the right to request the restriction of the processing of your personal data in the following cases: (a) the accuracy of the personal data is contested and until such accuracy is verified; (b) when you oppose the deletion of your personal data and request (instead of deletion) the restriction of their use; (c) when personal data are no longer needed for the purposes of processing, they are, however, required for the establishment, exercise or defense of legal claims; and (d) when you object the processing pending the verification whether our legitimate grounds override those of yours.

Right to Object

You have the right to object to the processing of your personal data at any time where, as described above, such processing is necessary for the purposes of legitimate interests we seek as data controllers.

Right to Data Portability

You have the right to receive your personal data, free of charge, in a format that allows you to access, use, and edit them, using commonly used editing methods. You also have the right to ask us, if technically feasible, to transmit the data directly to another controller. This right concerns the data you have provided to us and their processing is carried out in a commonly used format based on your consent or in order to perform a contract.

Right to Withdraw your Consent

Where processing is based on your consent, you have the right to withdraw it. The withdrawal of your consent shall not affect the lawfulness of the processing based on consent before its withdrawal.

In order to exercise any of the above rights, you can contact directly the Data Protection Officer (DPO) of the Company, namely the Law Firm “ANDERSEN LEGAL, PISTIOLIS – TRIANTAFYLLOS & ASSOCIATES LAW FIRM” at the email address: herondpo@gr.andersenlegal.com, telephone: 210 3626971 and the Company’s Director of Legal Affairs & Head of Compliance, Mr. Panagiotis Alexandrakis, 124, Kifissias Ave., 115 26 Athens, Tel. 213 0075211 Email: palexandrakis@heron.gr).

Right to lodge a complaint with the Data Protection Authority

You have the right to file a complaint with the Hellenic Data Protection Authority (www.dpa.gr) digitally, through its portal: https://eservices.dpa.gr/ .

Personal Data Safety

The Company implements appropriate technical and organizational measures aimed at the secured processing of personal data and the prevention of accidental loss or destruction and/or unauthorized access to, use, amendment or disclosure thereof. In any case, the way in which the internet operates and the fact that it is free to anyone cannot guarantee that unauthorized third parties will never be able to violate the applicable technical and organizational measures by gaining access and possibly using personal data for unauthorized and/or unfair purposes.

Information on the processing of personal data through a video surveillance system

Data Controller

HERON SINGLE MEMBER S.A. ENERGY SERVICES, headquartered in the Municipality of Athens, 85 Mesogeion Avenue, with operating offices in Athens, 124, Kifisias Avenue, Postal Code 115 26, email: info@heron.gr, telephone number 18228.

Purpose of the processing and legal basis

We use closed-circuit television (CCTV) in order to protect natural persons and premises. The processing is necessary for the purposes of the legitimate interests we pursue as a controller (article 6 para. 1. (f) GDPR).

Legal Interests

Our legal interest is the need to protect our premises and the materials they include from illegal actions, such as theft. We also need to ensure life safety, physical integrity, health as well as the property of our staff and of third parties legally located in the area under surveillance. We only collect image data and limit the surveillance to places where we have previously assessed that there is an increased possibility of perpetration of illegal actions e.g. theft, for instance, in cash desk and/or the entrance, without focusing on places where privacy of the persons being photographed may be severely restricted, including their right to respect of their personal data.

Recipients

The material held is accessible only by our competent / authorized personnel and cooperating security company who are in charge of security of the premises. This material shall not be disclosed to other third parties without the consent of the data subject, except in the following cases: (a) to the competent judicial, prosecutorial and police authorities when it contains information necessary to investigate a criminal offense involving persons or property of the controller; (b) to the competent judicial, prosecutorial and police authorities when lawfully requesting data in the performance of their duties, and (c) to the victim or perpetrator of a criminal offense, in the case of data which may constitute evidence of the offense.

Retention period

We keep the data for fourteen (14) days, after which they are automatically deleted. In the event that during this period we find an incident, we isolate part of the video and keep it for another (1) month, in order to investigate the incident and initiate legal proceedings to defend our legal interests, while if the incident concerns third parties, we will keep the video for up to three (3) more months.

Data subjects’ rights

Data subjects have the following rights:

Right to access: you have the right to be aware whether we process your image and if so, to receive a copy of the record.
Right to restriction of processing: you have the right to request us to restrict processing, for example, you may ask us not to delete data that you deem necessary to establish, exercise or support legal claims.
Right to object: you have the right to object to the processing.
Right to deletion: you have the right to request for the deletion of your personal data.

You may exercise your abovementioned rights by sending an e-mail to herondpo@gr.AndersenLegal.com or a letter to our postal address or by submitting the request to us in person, at the address of the Company. To examine a request related to your image, you should tell us when you were within the range of the cameras and give us a picture of you to make it easier for us to locate your data and hide the data of third parties pictured. Alternatively, we give you the possibility to come to our facilities to show you the images in which you appear. Moreover, we would like you to note that exercising the right to object or the right to erasure does not imply the immediate erasure of data or the modification of the processing. In any case, we will answer you in detail as soon as possible, within the deadlines set by the GDPR.

Right to lodge a complaint

In case you consider that the processing of your data violates Regulation (EU) 2016/679, you have the right to lodge a complaint with the Data Protection Authority.

The competent supervisory authority in Greece is the Hellenic Data Protection Authority, 1-3, Kifisias Avenue, 115 23, Athens, https://www.dpa.gr/, telephone number +302106475600.