Personal data protection policy and information for internet users
1. General Information
The company under the name “Hellenic Electricity Distribution Network S.A.” and the distinctive title “HEDNO S.A.” or “HEDNO” is a société anonyme and a subsidiary of PPC S.A., which was established under Law 4001/2011 and in compliance with Directive 2009/72/EC of the European Parliament and of the Council on regulating the internal market in electricity. According to Article 127, Law 4001/2011, HEDNO is responsible for the development, the operation and the maintenance of the Hellenic Electricity Distribution Network (HEDN), in order to ensure its efficient and safe operation, as well as the transparent and impartial access of network users to it.
The protection of the processed personal data is a main priority for HEDNO. To this end, HEDNO is constantly complying with the applicable legislation regarding personal data protection.
This Personal Data Protection and Information Policy (hereinafter the “Policy”) defines the terms and conditions fulfilled by HEDNO in processing and protecting the personal data of the users of this website. Furthermore, this Policy aims to inform you regarding your rights pursuant the personal data protection legislation.
2. Controller
The company under the name “Hellenic Electricity Distribution Network S.A.” and the distinctive title “HEDNO S.A.” or “HEDNO”, seated in the Municipality of Athens, Prefecture of Attica, at 20 Perraivou & 5, Kallirrois Streets, P.C. 117 43 Athens, 117 43, with S.A. Register Number: 41268/01/Β/98/411 and VAT: 094532827 of the Tax Office for Sociétés Anonymes Athens (FAE Athinon) (hereinafter the “Company”) is the Controller for the collection, storage and general processing of the personal data of Internet users.
3. Short explanations-Definitions
-Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, for example by reference to a name, identification number or physical characteristics.
-Processing: Any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
-Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
-Data Processor: The natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
-Third party: Any natural or legal person, public authority, agency or other body other than the Data Subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
-Internet User: The natural person accessing this website for any purpose.
4. Categories of data collected and processed by the Company
The Company collects and processes the following types of personal data:
i. For submitting complaints/applications through forms, via the online website of the Company or for contacting the applicant-consumer in order to inform them regarding issues of general interest: name and surname, contact details, address, account number, profession. In some cases, the Company may process special categories of personal data (such as a health issue that may be reported through a complaint form).
ii. For sending Company press releases and announcements:name and surname, identification details, contact details.
iii. For finding affiliates via advertisement: CVs, certificates, training history, proof of previous work experience.
iv. For issuing electronic invoices: name and surname, TIN, contact details, financial information.
v. For tender notices and evaluation of bids for the supply of goods/services: personal and professional information, CVs of the work group members, tax and social security identifiers, financial information. Moreover, the Company collects and processes special categories of personal data and, more specifically, personal data relating to health as well as criminal convictions.
5. Purposes and activities of personal data processing
The Company collects and processes personal data with the following purposes:
i. For submitting complaints/applications through forms, via the online website of the Company or for contacting the applicant-consumer in order to inform them regarding issues of general interest: collection, recording, use, evaluation and transmission of customer data.
ii. For sending Company press releases and announcements: collection, recording, use, evaluation and transmission of customer data.
iii. For finding affiliates via advertisement: collection, recording and evaluation of the data of candidates applying to be affiliates via advertisement.
iv. For issuing electronic invoices: collection, recording, storage and transmission of customer personal data.
v. For tender notices and evaluation of bids for the supply of goods/services: collection, recording, use, evaluation of suppliers’ data.
6. Legal basis for processing data
The Company processes personal data of Internet users for the above purposes only when it has a legal reason to proceed with the relevant processing and more specifically:
Α) For submitting complaints/applications through forms, via the online website of the Company or for contacting the applicant-consumer in order to inform them regarding issues of general interest: processing is necessary for the purposes of the legitimate interests pursued by the Company (Article 6, par. 1f GDPR). For the special categories of personal data, the Data Subject has provided express consent for the processing thereof for one or more specific purposes (Article 9 par. 2a GDPR).
Β) For sending Company press releases and announcements: processing is necessary for the purposes of the legitimate interests pursued by the Company (Article 6 par. 1f GDPR).
C) For finding affiliates via advertisement: processing is necessary in order to take steps prior entering a contract to which the Internet users will be contracting parties (Article 6 par. 1b GDPR).
D) For issuing electronic invoices: processing is necessary for the performance of a contract to which the Internet users are contracting parties (Article 6 par. 1b GDPR).
Ε) For tender notices and evaluation of bids for the supply of goods/services: processing is necessary for compliance with a legal obligation to which the Company is subject (Article 6 par. 1c GDPR) and more specifically with articles 73, 74 and 222 Law 4412/2016 on Public Contracts for Projects, Supplies and Services.
Analysis and automated decision-making
We shall process your personal data to carry out analyses only for the legal purposes defined above. More specifically, in some cases only anonymous, cumulative analyses shall be created, but your identification shall not be possible. We do not use analyses for automated decision-making (i.e. decision-making without human participation) which shall be effective or have other relevant, significant impact for you.
7. Recipients of your personal data
The Company transmits your personal data to third parties, provided the legal requirements are met, in order for them to assist in the execution of the above processing purposes. Said personal data recipients are trusted partners of the Company, authorized staff or contractors, which perform as processors on the Company's behalf.
The Company requires from all its partners - providers of services on its behalf to take appropriate measures to safeguard the confidentiality and security of personal data and concludes contracts with them containing relevant commitments, in accordance with the applicable legislation.
Moreover, depending on the processing purposes pursued, the Company transmits your personal data to internal or external recipients/receivers, and they are recorded in a physical or electronic form in information systems. In particular:
Α) For submitting complaints/applications through forms, via the online website of the Company or for contacting the applicant-consumer in order to inform them regarding issues of general interest: data are transmitted to the competent Company Departments and to external contractors via the HEDNO Portal systems and the Complaint Application.
Β) For sending Company press releases and announcements:data are transmitted to the Press, to the Media and other public information means.
C)For finding affiliates via advertisement: data are transmitted to the Department of Financial Operations (DFO), to the Energy Control Center (ECC) and to the Legal Services Department (LSD) via the SAP system, the Central Electronic Registry of Public Contracts (CERPC) and the Ministry of Economy and Development.
D) For issuing electronic invoices: data are transmitted to customers via the SAP and the Paperlessconnect systems.
E) For tender notices and evaluation of bids for the supply of goods/services: data are transmitted to the Competent Authority for cases where an external committee is assigned and to the HEDNO General Record via the cosmoOne system and e-mail.
8. Personal Data Security
The Company takes all appropriate technical and organizational measures to ensure the security of personal data and confidentiality during the processing and their protection from random or unfair destruction/loss/alteration, prohibited diffusion or access and any other form of unfair processing. In addition, the Company binds with confidentiality clauses and the obligation to maintain confidentiality anyone that has access to or processes personal data on its behalf.
Although every effort is made to protect personal data, the Company cannot guarantee the absolute security of the data stored in its information system. Should a breach of personal data is found, the Company shall apply sufficient procedures to ensure the proper management of such incidents and to deal effectively with the danger.
9. Personal data retention period
Your personal data are only retained for the period required to carry out each of the aforementioned purposes for which they were collected. Once the purpose of processing your personal data is complete, they shall be erased, unless their retention is necessary to comply with a legal obligation or to ensure the legitimate interests of the Company, always in compliance with the applicable legislation.
10. Your rights as Data Subject
In relation to your personal data that are subject to the processing described above, you have the following rights:
Right to information & access (Article 12 – 15 GDPR): You have the right to be informed regarding and access your personal data as well as to receive supplementary information regarding their processing.
Right to rectification (Article 16 GDPR): You have the right to request rectification, modification, completion and update of your data, if they are inaccurate, outdated or incomplete.
Right to erasure (Article 17 GDPR): You have the right to request the deletion of your retained personal data, when said right is not subject to restrictions in accordance with the applicable legislation or any other restrictions.
Right to restriction of processing (Article 18 GDPR): You have the right to request the restriction of the processing of your personal data when: (a) the accuracy of the personal data is contested and until it is verified, (b) the processing is unlawful and instead of the erasure of your personal data you request the restriction of their use, (c) your personal data are no longed needed for the purposes of the processing, but they are required for the establishment, exercise or defence of legal claims and (d) you object to processing and claim that, pending verification, there are legitimate grounds relating to the relevant Company and they override those for which you object to the processing.
Right to portability (Article 20 GDPR): You have the right to receive free-of-charge your personal data in a format that allows you to access, use and process them, as well as to request, if it is technically possible, to transmit your data directly to a different Controller. Said right applies to data that you have provided to us and the processing of which is carried out with automated means, based upon your consent or pursuant to the performance of a relevant contract.
Right to object to processing (Article 21 GDPR): You have the right to object at any time to the processing of your personal data only under specific circumstances set out in the legislation.
Right to object to automated individual decision-making, including profiling (Article 22 GDPR): You have the right to object to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Currently, the Company does not practice automated individual decision-making. In any case, however, and if, in the future, the Company decides to practice automated individual decision-making, the Data Subjects shall be informed, and all legal requirements shall be met.
Right to withdraw consent (Article 7 GDPR): You have the right to withdraw your consent, to the extent that has been obtained for the intended processing, at any time.
Right to file a complaint with the Personal Data Protection Authority: You have the right to file a complaint with the Personal Data Protection Authority (www.dpa.gr): Call-center: +30 210 6475600, Fax: +30 210 6475628, E-mail: complaints@dpa.gr. However, the Authority recommends to first contact the Controller, i.e. our Company, in order to try and resolve any issue internally.
11. Applicable law & Jurisdiction
This policy is governed by the applicable national and EU law. The Courts of Greece shall have exclusive jurisdiction for for the interpretation of these terms and the resolution of any dispute that may arise.
12. Amendments
This Policy has been drafted in accordance to the provisions of the General Data Protection Regulation (GDPR). In case of an update, any change shall be posted on the official Company website and shall bear the amendment date.
13. Data Protection Officer
For more information regarding the exercise of your aforementioned rights and for any issue relevant to the processing of personal data, you may contact the Data Protection Officer at the following e-mail address: data_privacy@deddie.gr ή dpo@deddie.gr