1. Details of the Data Collector
The Data Collector is the company with the registered legal name “XANTROCOSMOS LIMITED”, which is based in Nicosia, Cyprus, at 32 Spyrou Kyprianou str. and which has a branch in Greece and specifically in the municipality of Nikaia-Agios Ioannis Rentis, Attica, at 7 Xanthou str., tel. 0030-210-5440808, email: [email protected] (hereinafter referred to as the “COMPANY” or “us”) and manages and operates the Website http://www.katerinavassou.gr and the online store that operates therein (hereinafter referred to as the “Website” or the “katerinavassou e-shop”).
2. To whom is this Policy aimed at
3. What types of personal data do we collect
We ensure to collect only the absolutely necessary, appropriate and relevant personal data in view of the processing purpose for which they are intended and so as to provide the services offered through the katerinavassou e-shop in an adequate and efficient manner. The type and amount of the necessary personal data we collect depends on and varies according to the capacity of the data subject (guest or registered user) and the type of relationship or transaction with it. In view of this, the data that we collect and generally process are indicatively the following and may not apply to you in their entirety, as we explained above:
- Identification Data which includes your name, your surname as well as your electronic identification data for your login in case you have created an account on the Website (username and password). In case of issuance of an invoice, the following are also required: Tax Office, Tax Identification Number, professional activity, registered legal name.
- Contact Data which includes your contact details, your product shipping or invoicing address that do not have to match, your email address and your phone number, landline or mobile. In addition, data that we receive from communications with you, assistance requests, complaints and inquiries and data of recorded telephone communications with you (e.g. orders by phone) in accordance with the legal requirements for the purpose of providing evidence of commercial transaction or other professional communication.
- Financial Data which includes your payment information, details of your bank account from which you are making a transfer to us.
- Transaction Data which includes e.g. details of completed product sales to you including information about products or services you have purchased through the katerinavassou e-shop in the past, returns etc.
- Technical data from your use and interaction with the katerinavassou e-shop such as: the Internet Protocol (IP) address of your computer, the type of browser and your operating system, the speed of your connection and information about the software programs installed on your computer, basic server connection information and other information collected through cookies and related technologies, (provided you consent to the use of those that are not technically absolutely necessary, for further information regarding cookies please see our Cookies Policy).
- Advertising data which includes e.g. information about your response to promotions of our Company, your choices, your search history, the categories of products you prefer, links wherefrom you have been redirected to the katerinavassou e-shop, as well as the ways of communication that you use most. This data is provided primarily through advertising cookies and we only retrieve data from them if you have consented to their use (for further information on advertising cookies please see our Cookies Policy).
- Data of your answers and responses to surveys of the Company insofar as these are not anonymized data.
- Data on the conduct of (implementation, participant validation, communication with winners, awarding of prizes, etc.) and your participation in draws, competitions and promotions carried out by the Company.
- Data collected when you connect using a social media account. If you log in to the katerinavassou e-shop using a social media account, the data we collect includes the username or any nickname you use in that social media as well as the profile information or content you have given the social media service permission to disclose based on your privacy settings etc.
We explicitly declare that we are not interested in and do not collect:
- Data of minors. The Company understands the importance of protecting the personal data of minors. The Website is neither aimed at nor intentionally designed for minors. The Company’s intention is not to collect or retain in its knowledge the personal data of minors who may have access to the Website. For this reason, the Company requires from those who conduct transactions therein, a declaration wherein it is stated that they are over the age of 18 and is explicitly clarified that connection to its Website is allowed only to persons over the age of 18. If it is found that any personal data has been collected from a minor despite the above, this data will be deleted immediately.
- Special category data / Sensitive personal data. We ask that you do not send or disclose sensitive personal information (such as information about your racial or ethnic origin, your ideology or political, religious or philosophical beliefs, information about your physical or mental health, your biometric or genetic characteristics, your sexual orientation, your participation in trade unions or information about your criminal convictions) in or through the katerinavassou e-shop or otherwise. If it is found that any sensitive personal data has been collected despite the above, this data will be deleted immediately.
We also explicitly specify the following:
- Any link to the Website e.g. through special hyperlinks (links, hyperlinks, banners) or otherwise with any other website owned by third parties (e.g. social media, etc.) does not imply that the Company assumes any responsibility for the policy pursued by these websites regarding the protection and management of personal data. You should make sure that you are informed about the protection and management of your data from the above websites.
4. Personal data collection sources
The collection of your personal data is done from the following sources:
- We collect data that you provide to us voluntarily when using the services of the katerinavassou e-shop and especially when submitting a product order, creating an account on the Website, participating in surveys or promotions etc. Data we collect directly from you are in particular those mentioned above under par. 3.a, 3.b, 3.c, 3.g, 3.h.
- We reproduce or collect some information from your computer or device when you interact with the Website. To this category belong data mentioned above under par. 3.e.
- We also collect ourselves data from the transaction relationship between us as mentioned above under par. 3.d.
- We also collect data from third parties (this applies in particular to the above mentioned data under par. 3.i, 3.f, 3.e) or data available to the public. Sometimes we receive information about you from third parties, depending on how you choose to interact with us, this happens e.g. via third party cookies (for further information see our Cookies Policy) or when you log in to your account at the katerinavassou e-shop using the social media connection function.
- If you choose to pick up the product order that you have executed through the katerinavassou e-shop from any of the Points of Delivery affiliated with the Company, which are specifically mentioned in the e-shop, we will receive from it an order delivery form completed and signed by you, which will include your full name, your order number, a declaration by you regarding the receipt of the order and the order receipt date.
It is explicitly stated that the above collection of data directly from you also includes the collection of your data by a third party acting on your behalf. In case you provide us with personal data of third parties, where this is allowed, you must have previously informed them (indicatively and by referring them to here) and have secured, where necessary, their consent. At this point we remind you that you must ensure that the personal data you provide to us is correct and accurate and you undertake to notify the Company in a timely manner of any change or modification thereof.
5. For what purposes do we collect your data?
The Company processes your personal data for the following purposes:
- For the provision of services to you, the execution of the contract concluded between us or the taking of pre-contractual measures at your request. This purpose includes indicatively the processing that we carry out in order to be able to execute the orders of the products that you place through our Website or by phone, in order to be able to track the status of a product order that you have submitted or manage it in case of abnormal development thereof, to contact you, to manage your requests or complaints about your orders, for pricing purposes, to provide support services and for the general monitoring of the fulfillment of the mutual obligations arising from our contract.
- To manage your registration on the Website in case you choose to create an account thereon.
- To communicate with you.
- For advertising purposes. This purpose includes the processing in which we undertake:
- To send you newsletters to your e-mail address, if you have requested to receive our newsletters by completing a relevant form on the Website.
- In order for the Company to inform you via e-mails about products that may be of interest to you, provided that you have given us your consent.
- To conduct promotional actions e.g. draws/contests, if you have chosen to participate in them.
- To personalize the ads and information we show you (e.g. online). This processing involves compiling your profile while also taking into account the data listed in section 3 above (in particular browsing and shopping history, cookies information, etc.).
- For analysis and research purposes. This purpose includes the processing that we carry out to send or submit to you questionnaires to examine and analyze your degree of satisfaction with the Company’s services, the upgrade/improvement of services and the general business relationship of the Company with you.
- For the purposes of compliance of the Company with the obligations imposed by the current legal, regulatory framework, as well as the decisions of authorities (public, supervisory, independent, public prosecutors, etc.) or courts (regular or arbitral).
- For purposes of legal interests of the Company or a third party. This purpose includes indicatively the processing for purposes: a. establishment, exercise and support of legal claims of the Company, b. for the purpose of fraud prevention, security, protection of rights, information systems, property of the Company and its related parties, its employees and in general the users of the Website, c. compliance of the Company with its obligations arising from its contracts with third parties, d. conducting corporate transactions in the framework of which we may transfer or encumber the assets of the Company.
6. What is the lawful basis for processing your personal data
In accordance with the requirements of the legal framework on personal data, we ensure that we have a valid legal basis for the processing of your personal data. Below you will find in detail the legal bases for the processing of your data depending on the purpose of their processing (see the purposes in the immediately above section 5 cases A to G):
For the purposes mentioned above under 5.A and 5.C the legal basis for processing is the need to execute the contract entered into between us. The provision and the corresponding processing of the relevant data for these purposes is necessary for the fulfillment of our obligations, e.g. regarding your orders and for the provision of support and assistance services to you and any non-provision thereof would result in the inability on the part of the Company to provide its services to you. The processing for the purpose mentioned under par. 5.C is based on the lawful basis of the legal interests of our Company in cases of communications of the Company with subjects with whom there is no contractual relationship.
For the purposes mentioned above under par. 5.D (a, b, c, d) and 5.B the legal basis for processing is your consent. It is expressly stated that the completion, on your part, of the Website registration form constitutes consent with a clear positive action for the subsequent processing of the necessary data, i.e. to achieve the purpose of your registration on the Website. The processing of your data for these purposes is at your discretion. You can exercise your right to withdraw your consent at any time, without consequences, other than that you will stop receiving advertising messages, newsletters and you will no longer be a registered user of the Website. For the ways of consent revocation/withdrawal see the provisions hereunder under par. 13. On a case by case basis we will inform you about more specific ways of revocation depending on the way you give your consent e.g. in the advertising messages and newsletters that you receive at the end thereof, there will be a hyperlink to withdraw your consent and delete you from the lists of recipients of advertising messages, newsletters, etc. You can also unsubscribe from the Website at any time by choosing to delete your account on it.
For the purposes mentioned above under par. 5.F the legal basis for processing is the need to comply with a legal obligation of the Company. The provision of data and their processing is mandatory, and non-provision would lead to a breach by the Company of its existing legal obligation.
For the purposes mentioned above under par. 5.G, 5.E and 5.D.e, the legal basis for processing is the legal interests of the Company or a third party (indicatively, of other companies of the group to which the Company belongs, companies cooperating with the Company, suppliers, employees, etc.). This processing shall be preceded by a weighting of whether your interest or your fundamental rights and freedoms that impose the protection of your personal data, prevails over the interests of the Company or the third party.
7. For how long do we keep your personal data?
The personal data are kept for the time necessary for the fulfillment of the purpose that their processing serves, otherwise for the period of time required by the current legal and/or regulatory framework or the exercise of claims or the defense of rights and legal interests of the Company.
In more detail, the criteria based on which we determine the retention time for the various categories of personal data are the following:
- the purpose for which the personal data is collected,
- how long it will take to achieve this goal,
- any legal obligation to retain personal data for a specified period of time, and
- the need to keep the data for reasons of exercising claims or defending our rights and legal interests.
In particular, if you have created an account on the Website, given you choose to delete it, your personal data collected for the purpose of creation and during the use of this account will be deleted, with the exception of those required to be maintained by the applicable legal and/or regulatory framework or the exercise of claims and the defense of the rights and legal interests of the Company.
8. The principles of protection of your personal data that we apply.
Our COMPANY processes your personal data in a fair, legal and transparent manner. We ensure that we have a valid legal basis for the processing of your personal data and that we are transparent to you regarding the processing of your personal data (“lawfulness, objectivity and transparency”).
We collect personal data only for specified, explicit and legitimate purposes. We process the personal data we collect for the purposes we have specified, or further, only for purposes that are compatible with the initial purposes we have identified (“purpose limitation”).
The personal data we collect and process is only that which is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (“data minimization”) and we take all reasonable steps to ensure that the data is accurate and up to date along with measures for the immediate erasure or rectification of personal data which is inaccurate in relation to the purposes for which it is processed (“accuracy”).
We do not store personal data in a form that permits the identification of their data subject for longer than is necessary for the purposes for which the personal data are processed (“storage limitation”).
We process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
9. How do we keep your personal data secure?
Our highest priority is the secure processing of your personal data. We take appropriate technical and organizational measures to secure your data, ensure the confidentiality of its processing and protect it from accidental or unauthorized destruction, accidental loss, alteration, unauthorized disclosure or access and any other form of unlawful processing, which are constantly reviewed and modified when necessary. However, keep in mind that no website and no transaction in the internet environment provides total security. We try to ensure maximum security using advanced encryption protocols, data pseudonymisation techniques etc. With regard to the data used to identify you as a registered account user, i.e. username and password, we would like to remind you of your obligation to keep them confidential vis-à-vis third parties.
10. Who are the recipients of your personal data?
During the fulfillment of the contractual and legal obligations of the Company, the service of its legitimate interests or those of third parties, as well as in cases where the Company has received your consent, recipients of your essential data, based on the purpose of each transmission, may, for example, be the following:
- The competent employees and management members of the Company within the framework of their duties (on a need to know basis).
- Third parties with which we cooperate or which provide services that support, facilitate the provision of services by our Company such as the following:
- email management and delivery tool providers – for example, if you sign up to receive katerinavassou e-shop newsletters or other promotional messages, we will manage their delivery to you using a third-party email delivery tool,
- security and fraud prevention service providers – for example, we use providers to identify automated-program-created users which may disrupt our services or to prevent misuse of our services;
- providers of data aggregation and analysis software that allow us to effectively monitor and optimize the delivery of your orders,
- software platform providers that help us communicate with you or provide you with customer support services – for example, we manage and respond to any messages you send to us through the Help Center using a third-party communications management tool;
- providers of online cloud storage services and other basic IT and / or support services,
- postal and/or transport/courier service providers,
- product and/or services marketing companies, advertising companies,
- customer satisfaction or market research companies in general,
- telephone call handling companies (call centers),
- companies that provide reviewing services for the evaluation of the products included in the katerinavassou e-shop as well as the service of the electronic order of the customers.
- Points of Delivery contracted with the Company, which are specifically mentioned in the e-shop. If you choose to receive the order of products that you made through the e-shop from a Point of Delivery contracted with the Company, we will send there the absolutely essential data, i.e. your name, the number and date of your order and the products you ordered, in order to be able to deliver your order to you.
- Supervisory, independent, judicial, prosecutorial, police, public and/or other authorities within their remit, accredited mediators and mediation centers, arbitration courts and alternative dispute resolution bodies.
- Lawyers, law firms, bailiffs, experts, specialists, chartered accountants/auditors and consulting service providers (indicatively, financial, etc.) within the scope of their responsibilities.
- We may transfer your data to third parties, potential or existing buyers of all or part of the Company’s activities or assets (including rights) or those entitled to encumber them.
- Other third parties for the transfer of data to which you have given your consent.
For the terms of processing of your personal data by those of the above recipients who have the role of independent data collector, we recommend that you refer to the relevant updates of this personal data.
11. Transfer of personal data outside the European Economic Area (EEA)
The Company may transfer your personal data to third countries or international organizations outside the European Economic Area (EEA), only if:
a) in accordance with a relevant European Commission decision, the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection; or
b) appropriate guarantees have been provided for their processing under EU and/or national law, usually in the form of standard data protection clauses issued by the European Commission.
c) If none of the above conditions apply, a transfer may take place if the derogations referred to in EU and/or national law are met, including, indicatively, the following:
- if you have provided the Company with your express consent for this,
- if the transfer is required for the execution of your contract with the Company or for the implementation of pre-contractual measures at your request or for the conclusion or execution of a contract concluded in your interest,
- the transfer is necessary for the establishment, exercise or support of legal claims.
12. What rights do you have to protect your data
You have the following rights:
- Ask to be informed about the categories of your personal data that we keep and process, their origin, the purposes of their processing, the categories of their recipients, the envisaged period for which they will be stored and your relevant rights (right of access by the data subject).
- Request to have your personal data rectified or completed, so that it is complete and accurate (right to rectification), by submitting any necessary document from which the need for rectification or completion arises.
- Request a restriction on the processing of your data (right to restriction of processing).
- Object to the processing of your personal data (right to object).
- Request the erasure of your personal data from the records we keep (right to be forgotten) under certain conditions, such as when the data is no longer needed, you have withdrawn your consent, the data has been illegally processed, etc.
- Request the transfer of your data from the Company to another controller (right to data portability).
- Withdraw your consent at any time. The withdrawal of consent shall not affect the legality of the processing that has been based on consent prior to its withdrawal.
- Right to lodge a complaint with a supervisory authority: You have the right to submit a complaint to the Hellenic Data Protection Authority (1-3 Kifissias Ave., PC 115 23, Athens) if you deem that your rights are violated in any way. For the area of responsibility of the Authority and the way of lodging a complaint, you can visit its website (www.dpa.gr – Citizen Rights – Complaint to the Hellenic DPA) where there is detailed information.
Please note the following in relation to the above rights of yours:
- We may need to ask you for additional information to verify your identity in order to respond to your request.
- Your rights under c, d and e may not be satisfied, in part or in full, if they relate to data necessary for the preparation and/or execution of a contract.
- The Company has in any case the right to refuse your request for restriction of the processing or erasure of your personal data if the processing or retention of the data is necessary for the establishment, exercise or support of its legitimate rights or the fulfillment of its lawful obligations.
- The exercise of the above rights has a future effect and does not involve data processing already performed.
13. How you can exercise your rights – Contact details of the data protection officer
For the exercise of your rights you can contact, in writing, the Company’s official responsible for the protection of personal data at the postal address: 140-142 Mpelogianni Str., Nikaia-Agios Ioannis Rentis, Greece, PC 18454 or by e-mail at [email protected] through the exercise of rights form. You may also use the above contact details to address any questions or concerns you may have about this Policy.
Specifically regarding your right to withdraw consent we clarify that you can exercise it as described in the immediately preceding paragraph of this section 13 and on a case by case basis and in more specific ways such as e.g. by selecting a relevant hyperlink to unsubscribe from a list of recipients, located at the bottom of each email you receive (e.g. newsletters or promotional/advertising messages).
Also through your account you have access to your data that have been collected for your registration and in relation to the operation of your account and you have the ability to rectify them as well as to delete your account and consequently unsubscribe from the Website which will result in the erasure of your data as specifically referred to in section 7 hereof.
We will make every effort to respond to your request within thirty (30) days of receipt. This deadline may be extended for an additional sixty (60) days, if this is deemed necessary taking into account the complexity of the request and the number of requests. In any case of extension of the deadline, you will be informed within thirty (30) days from the receipt of the request. The above service is provided free of charge. However, in the event that your requests are manifestly unfounded, excessive or repetitive, you may be required to pay a reasonable fee, following a notification sent to you and taking into account the administrative costs of providing the requested information or performing the requested action, or any refusal to respond to your request/requests.
14. Amendments to this Policy
We may modify this Policy from time to time so that it is always in accordance with the legal requirements and the reality of our processing. If we decide to make significant changes to this Policy, we will notify you in any appropriate way, indicatively by posting a notification on this Website (e.g. via banner, pop-up window) and/or by e-mail, etc. To be informed about the latest/updated version of the Policy, in case we make small changes or improvements to it, we recommend that you regularly check this page whereon it (the Policy) will be constantly posted.