Announcement on granting the Regulatory Authority for Waste, Energy, and Water (RAAY) with access to the personal data

Announcement on granting the Regulatory Authority for Waste, Energy, and Water (RAAY) with access to the personal data of the individuals who submitted applications for receiving final connection offers for PV stations, under Article 132, Law 4819/2021, and following the publication of Ministerial Decision ΥΠΕΝ/ΔΑΠΕΕΚ/81744/3673 (GG 4221/Β/10.08.2022).

With this announcement, HEDNO SA, seated at 20 Perraivou and 5 Kallirois Street, Athens, as legally represented, and as a Data Controller under the provisions of the General Data Protection Regulation 2016/EU/679, informs all natural persons or legal persons through which natural persons are identified or are identifiable, and who submitted applications for receiving final connection offers for PV stations, under of Article 132, Law 4819/2021, and following the publication of Ministerial Decision ΥΠΕΝ/ΔΑΠΕΕΚ/81744/3673 (GG 4221/Β/10.08.2022), with title: “Determination of required data and documentation required for the submission of applications for obtaining connection offers for PV stations under para 1 of article 132, Law 4819/2021 (Α’ 129), with the exception of the stations under article 14Α, Law 3468/2006 and the stations under the Special Program for the Development of PV Systems at building facilities”, that HEDNO SA will grant access to the Regulatory Authority for Waste, Energy, and Water (RAAY) as follows:

a) HEDNO will grant access to RAAY for personal data which are relating to the RAAY's responsibilities

- Logs on the systems of HEDNO relating to the application service for granting Final Connection Offers for RES and CHP stations at the saturated grids of Peloponnese and Crete.

- Access to individual (technical) parameters such as the application/platform which accommodated the procedures, the host(s) of the application/platform, the firewall and/or WAF, the accesses and the use of the application, the user authentication files and the security copies pertaining to the systems providing the application submission service.

b) Access is given to ensure that the Regulatory Authority for Waste, Energy, and Water (RAAY) carries out checks as part of its legal responsibilities and, more specifically, the technical investigation of the logs in relation to:

- the smooth and unhindered operation and availability of the platform processing HEDNO’s online application submissions for RES & CHP Stations at the Saturated Grids of Peloponnese and Crete, during the period until the deadline of the applications

- the offers submission frequency, in relation to the IPs from which the offers were submitted

- the offers submission progress (submission time, time from login until submission/logout)

- the time limits from the first to the last successful offer submission and

- successful and unsuccessful offer submission attempts.

c) Legal basis for the transmission of data

The above transmission of data is carried out in accordance and in compliance with the supervisory responsibilities of the Regulatory Authority for Waste, Energy, and Water (RAAY) (especially Articles 4, 22, 23, 27 and 34 of Law 4001/2011) and RAE’S decisions 21/2023 and 61/2023 on conducting digital forensics for reviewing any objections against the tender (Article 6, para 1 c, General Data Protection Regulation 2016/EU/679).

d) Any data processed by the RAAY will be stored until the completion of the checks and the hearing of any submitted objections.

e) Minimization - Processing Security Principle

RAAY and Alphabit SA which perform the processing:

- Shall only process the data required for conducting technical checks at HEDNO's information system.

- Shall not transmit these data to third parties.

- Shall not process these data for purposes other than those specified for conducting these checks.

- Shall not process these data for own/personal purposes and interests.

- Shall take appropriate organizational and technical measures for the security of the provided data and their protection against any accidental or unlawful destruction, accidental loss, alteration, unauthorized circulation or access and any other form of unlawful processing. These measures shall ensure a safety level which is proportionate to the risks involved in the processing and the nature of the data being processed.

f) Data subject rights (articles 12-22 of the General Data Protection Regulation 2016/EU/679).

Right to information & access: You have the right to receive information about and access to your data as well as any additional information regarding their processing.

Right to rectification: You have the right to ask for the rectification, modification, completion and updating of your data.

Right to erasure: You have the right to request erasure of your personal data when we are processing them on the basis of your consent or to ensure protection of our lawful interests. For all other cases (including in case of contract, personal data processing imposed by the law, public interest), this right is subject to specific limitations or does not apply, on a case-by-case basis.

Right to restrict processing: You have the right to ask for restriction of the processing of your personal data when: (a) you contest the accuracy of your personal data, for a period enabling the controller to verify the accuracy of the personal data; (b) the processing is unlawful and you oppose the erasure of your personal data and request the restriction of their use instead; (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, and (d) you have objected to processing, pending the verification whether the legitimate grounds of the controller override yours.

Right to object: You have the right to object, at any time, to the processing of your personal data when the latter is necessary for lawful interest purposes which we aim for as data controllers, as well as to the processing for direct commercial promotion and profiling purposes.

Right to data portability: You have the right to receive, free-of-charge, your personal data in an accessible format which facilitates their usage and processing, and to request from us, where technically feasible, to directly transmit your personal data to another controller. This right applies for data which you have provided and whose processing is carried out by automated means with your consent or under the performance of a contract.

To exercise any of the above rights, please contact us at: dpo@deddie.gr.

Right to file complaints at the Hellenic Data Protection Authority: You have the right to file a complaint at the Hellenic Data Protection Authority (www.dpa.gr). Call Center: +30 210 6475600, Fax: +30 210 6475628, E-mail: contact@dpa.gr.

For more information please contact HEDNO’s DPO at dpo@deddie.gr.

Contact us

Stay in touch