Privacy Policy and information for the users of the Hellenic Electricity Distribution Network
1. General Information
The company under the name “Hellenic Electricity Distribution Network Operator S.A” and the distinctive title “HEDNO S.A.” or “HEDNO” is a société anonyme whose operation as the Operator of the HEDN has been established with Law 4001/2011, for purposes of inclusion of EU Directive 2009/72/EC of the European Parliament and of the Council concerning common rules for the internal market in electricity and Directive (EU) 2019/944. Pursuant to article 127 of Law 4001/2011, HEDNO S.A. is responsible for the development, operation, and maintenance of the Hellenic Electricity Distribution Network (HEDN) to ensure its efficient and safe operation and the transparent and impartial access of all network users thereto.
HEDNO S.A. prioritizes the protection of the personal data they are processing. To this end, the Company complies with the applicable law on the protection of personal data.
This Privacy Policy and Information (hereinafter the “Policy”) specifies the terms and conditions met by HEDNO S.A. during the processing and protection of the personal data of the electricity distribution network users. This Policy also aims to provide information on your rights as per the law on personal data protection.
If necessary, the Privacy Policy of HEDNO S.A. may be revised, from time to time. You will be notified accordingly through the website of our company. We therefore ask you to regularly check the content of this Policy of HEDNO S.A. on the website of our company to make sure you stay updated on any amended/revised issues.
In addition to this Policy, more information on terms and policies followed by HEDNO S.A. Can be found here https://deddie.gr/el/.
2. Data Controller
The company under the name “Hellenic Electricity Distribution Network Operator S.A” and the distinctive title “HEDNO S.A.” or “HEDNO” or “HEDNO” with registered office (seat) in the Municipality of Athens, Perraivou 20 & Kallirrois 5, P.C. 117 43 - Athens, with Company Registration no. 41268/01/Β/98/411 and TAX ID no.: 094532827, Tax Office: Commercial Companies Athens Office (FAE Athinon) (hereinafter “the Company”/”HEDNO”) is the Data Controller of the personal data of the users of the electricity distribution network which are collected, stored and generally processed with the means and the ways and for the purposes described in detail in this Policy.
3. Short descriptions - Definitions
Personal Data: Means any information relating to an identified or identifiable natural person (“Data Subject”). Identifiable natural person means the person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, or their physical characteristics.
Processing: Means any operation or set of operations which is performed on personal data, whether or not by automated means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data Controller: Means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: Means the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.
Third Party: Means any natural or legal person, public authority, agency, or other body other than the Data Subject, Data Controller, Data Processor and persons who, under the direct authority of the Data Controller or Data Processor, are authorized to process personal data.
Electricity Distribution Network User: Includes, but is not limited to, consumers, new consumers and/or electricity producers, third persons (in case of authorization, including load representatives), existing electricity producers, electricity self-producers etc.
4. Categories of Data collected and processed by the Company.
The Company collects and processes the following types of Personal Data:
- For new consumers (initial connection): full name, TAX ID no., account/supply number, legal representative details, property address, contact details, identification details, telephone call records produced through the HEDNO customer support lines, documents requested by the Legislative Framework and associated with the supply of electricity.
- For consumers: full name, TAX ID no., account/supply number, legal representative details, property address, contact details, identification details, telephone call records produced through the HEDNO customer support lines, consumption history records, purpose of electricity usage, certificates verifying inclusion into special categories (if applicable), particularly vulnerable consumers, beneficiaries of discounted Greenhouse Gas Emissions Reduction (ETMEAR) charges etc.
- For applicants and existing producers and self-producers: full name, TAX ID no., account/supply number, legal representative/agent details, licensing details, type of station/unit in relation to the technology used, power of the station, station location installation, station/unit technical details, production category, unit category, contact details, identification details, metering records, billing details, if applicable, financial data (for example bank account details) etc.
5. Purposes and activities of the Processing of Personal Data
The Company collects and processes Personal Data for one or more of the following purposes:
A) For the consumers
- For providing access to the electricity network
- For keeping the registries of the special categories of consumers
- For the management of consumer requests
- For the management Electricity Supplier requests, including requests for the deactivation of load meters, representations etc.
- For controlling metering devices and metering purposes
B) For new consumers (initial connection)
- For preparing connection offers for new supplies
- For the connection to the electricity network and the completion of the account
C) For applicants and existing producers / self-producers
- For providing access to the electricity network
- For the management of producer/self-producer requests
- For the publication of information on the website of the Company regarding statistical data for RES & CHP stations: publication of data on the Company’s website and export of statistical data from RES & CHP stations
- For updating the RES registry of the Ministry of Environment and Energy: transfer of producer data to third parties
- For controlling metering devices, inspecting stations and metering
- For updating the DAPEEP registry in relation to the Guarantees of Origin:
- For keeping registries in compliance with the Legislative Framework
6. Lawful basis for the processing of personal data
The Company processes the personal data of the network users for the above purposes on the basis of at least one of the lawful bases for processing as these are specified by the GDPR and Law 4624/2019, as in force. More specifically, the Company may proceed with this processing:
- when the data subject has given consent for the processing of their data for one or more of the above purposes;
- when the data subject is a contracting party or will enter a contract with HEDNO S.A. and the processing is thus necessary for executing or entering the contract;
- to comply with obligations arising from the applicable law, regulatory provisions, court decisions issued to HEDNO S.A. as a Data Controller;
- to protect the vital interests of the data subject or of another natural person;
- when this is necessary for the fulfilment of the duty performed for the benefit of the public or during the exercise of the responsibilities relating to the operation of the network and the access of the network users, as these have been assigned to HEDNO S.A. as the electricity supply network operator.
- for the protection of the lawful interests of HEDNO S.A.
7. Analyses and automated decision making
HEDNO S.A. does not proceed with automated decision making (decision making without any human involvement) that produces legal effects that concern you or similarly significantly affect you.
8. Recipients of personal data
The Company does not permit third parties to gain access to your personal data. Exceptionally, and only if strictly necessary for the above-mentioned processing purposes, third parties may gain access to your personal data, including contractors, suppliers, service providers and their authorized agents, who act as processors on the Company’s behalf.
The Company requires that all service providers, contractors, suppliers (including cloud service providers) who act as processors on its behalf, take all appropriate measures for the protection of the confidentiality and security of the personal data and enters with them contracts that include these obligations, pursuant to the applicable law.
Furthermore, depending on the processing purposes, the Company transfers your personal data to internal or external recipients, and these are entered in a physical or electronic format to information systems. More specifically:
- Personal data of electricity consumers: they are transferred to internal units of the company, contractors, suppliers, the invoicing Company, IDIKA, Electricity Suppliers, Local Government Authorities
- Personal data of potential consumers: they are transferred to internal units of the company, contractors, regional authorities, Electricity Suppliers, Tax Offices (DOYs), the invoicing Company.
- Personal data of producers/self-producers: they are transferred to the competent HEDNO Region Department, the Decentralized Administration of the Competent Region, the Centre for Renewable Energy Sources (KAPE), the Ministry of Environment and Energy.
Furthermore, your personal data are transferred to the Regulatory Authority for Waste, Energy, and Water (RAAY), to Courts, Administrative, Police, Investigation or Judicial Authorities, Lawyers or Law Firms, Probation Officers etc., strictly only if this is necessary for establishing, exercising, or defending legal claims of the Company or for fulfilling its obligations as these arise from the applicable law.
9. Security of personal data
The Company shall take all appropriate technical and organizational measures for the security of your personal data, to ensure the confidentiality of their processing and their protection against accidental or unlawful destruction/loss/alteration, unauthorized disclosure or access and any other form of unlawful processing. Furthermore, it binds with non-disclosure agreements and confidentiality compliance obligations all persons who have access to or are processing personal data on its behalf.
Furthermore, in case of violation of the Company’s information system, the Company guarantees that it implements sufficient procedures for securing the correct management of such incidents and the effective response to such risks.
10. Retention period for personal data
The above personal data are kept exclusively for the period of time required for fulfilling each and one of the above purposes for which they were collected. When the purpose of the processing of your personal data is fulfilled or the period of retention has expired pursuant to the relevant provisions, then these are erased, unless their retention is necessary for fulfilling a legal obligation or for securing the lawful interests of the Company, as per the applicable law.
The retention period of the above data is determined on the basis of the principles governing the processing of personal data and the relevant provisions, particularly article 5 of the General Data Protection Regulation, with the additional consideration of the responsibilities and the role of HEDNO S.A. as part of the electricity market. More specifically, the data is not retained for a period of time longer than the strictly necessary period of time which is necessary for the fulfilment of the purpose of processing, and the Company ensures that these data remain updated for this period of time.
11. Your rights as data subject
Regarding your personal data submitted in the above-mentioned processing, you have the following rights:
Right to be informed & right of access (articles 12 – 15 of the GDPR): You have the right to be informed about and of access to your data as well as any additional information regarding their processing.
Right to rectification (article 16 of the GDPR): You have the right to request the rectification, modification, supplementation and updating of your data, if these are inaccurate or incomplete.
Right to erasure (article 17 of the GDPR): You have the right to request erasure of your retained personal data insofar this right is not subject to limitations pursuant to the applicable laws or any other limitations.
Right of restriction of processing (article 18 of the GDPR): You have the right to request restriction of the processing of your personal data when: (a) the accuracy of the personal data is contested, subject to a relevant verification; (b) the processing is unlawful and instead of erasure you request the restriction of use of your personal data; (c) the personal data are not necessary for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims, and (d) you have objected to the processing and subject to verification that there are lawful reasons that concern the Company, these reasons prevailing to any reasons for which you object to the processing.
Right to data portability (article 20 of the GDPR): You have the right to receive, free-of-charge, your personal data in an accessible format which allows their use and processing, and to request from us, where technically possible, to directly transfer your personal data to another controller. This right applies for data which you have provided and whose processing is carried out by automated means with your consent or under the performance of a contract.
Right to object to processing (article 21 of the GDPR): You have the right to object to the processing of your personal data at any time and only on the basis of specific conditions specified by the law.
Right to object to automated individual decision making, including profiling (article 22 of the GDPR): You have the right to object to any decision which is solely based on automated processing, including profiling, when this decision produces legal effects that concern you or similarly significantly affect you. The Company does not currently carry out automated decision making. However, in any case, and if in the future it decides to proceed with automated decision making, Data Subjects will be informed and all legal conditions will be met.
Right to withdraw consent (article 7 of the GDPR): You have the right to withdraw your consent, to the extent that this was received for the purposes of the processing, at any time.
Right to file complaints at the Hellenic Data Protection Authority: You have the right to file a complaint at the Hellenic Data Protection Authority (www.dpa.gr): Call Centre: +30 210 6475600, Fax: +30 210 6475628, E-mail: complaints@dpa.gr. However, the Authority recommends that you first address your complaint to the Data Controller, our Company, for us to attempt to resolve the matter internally (please see below, paragraph 14).
12. Applicable law & Jurisdiction
This policy is governed by the respective EU and internal/national law. The Courts of Athens shall have exclusive jurisdiction for interpreting these terms and resolving any disputes arising thereof.
13. Amendments
This Policy has been prepared for the purpose of implementing the provisions of the General Data Protection Regulation (“GDPR”) and Law 4624/2019, as in force. Any changes applied to this Policy must be published on the official website of the Company and shall display the respective date of revision.
14. Data Protection Officer
For more information on exercising your above rights and any other matter relating to the processing of personal data, please contact the Data Protection Officer at dpo@deddie.gr, or the following address: 98-100 Syngrou Avenue, 1741 Athens, c/o Data Protection Officer (DPO)