Privacy Policy

Personal Data Protection Policy of the company

OHONOS SNACK S.A.

1. Purpose and Principles of the processing of personal data

This Personal Data Protection Policy (hereinafter referred to as the "Policy") aims to inform you about the way in which the company with the name OHONOS SNACK INDUSTRIAL IMPORT S.A. – Export and Trading company of Snacks, food, beverages, juices, soft drinks and the distinctive title OHONOS SNACK S.A. (hereinafter referred to as the "company"), which is headquartered in the Sindos Industrial Area in Thessaloniki at O.T. 37 and is legally represented, collects and processes personal data, as well as the manner in which it undertakes to safeguard the security, confidentiality and privacy of personal data and to meet the security requirements, in order to prevent, as far as possible, any loss of data, their illegal or improper use, as well as unauthorized access to them.

This Policy and the processing of personal data are based on the following principles:

  • Lawfulness, fairness and transparency during processing
  • Purpose limitation of processing
  • Minimization of the data being processed
  • Accuracy and updating of the data being processed
  • Integrity and confidentiality during processing
  • Storage/Retention Limitation
  • Compliance with the applicable legislative and regulatory framework

The company is responsible for demonstrating its compliance with the above principles, as specified in this Policy. The company checks, reviews and updates this Policy at regular intervals and, in any case, whenever deemed necessary, considering the applicable legislative and regulatory framework.

 

2. Definitions

Personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly.

Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of unambiguously identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Processing: any collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, transfer, restriction or erasure of personal data.

Controller: the legal person who determines the purposes and means of the processing of personal data. For the purposes of this Policy, the Controller is the company.

Data subjects: natural persons, employees, contractors and any other natural person contracting with the company.

Processor: the natural or legal person who processes personal data on behalf of the Controller.

Data protection officer: the natural or legal person designated by the Controller to participate in and advise on all matters related to the protection of personal data, in accordance with this Policy and the applicable legislative and regulatory framework.

Third party: any natural or legal person, public authority, agency or body, except for the customer, the Controller, the Processor and the persons who, under the direct supervision of the Controller or the Processor, are authorized to process personal data.

Recipient: the natural or legal person, public authority, agency or other body to which the personal data are disclosed.

Personal data breach: any breach of security leading to accidental or unlawful destruction, loss, alteration, access or unauthorized disclosure of personal data transmitted, stored or otherwise processed.

 

3. Data collected:

Our company collects the following data, depending on the process:

A. CV evaluation process: Name, Gender, Date of Birth, Telephone Numbers, e-mail, Address of Residence, Nationality, Level of Education, Education and training history, Personal Identification Number, Desired remuneration, Work history (Experience)

B. Process for managing personal data of customers in the context of commercial cooperation: Name, Telephone Numbers, e-mail, Address, VAT number, bank accounts

C. Process for managing personal data of suppliers/partners/subcontractors in the context of commercial cooperation: Name, Telephone Numbers, e-mail, Address, VAT number, bank accounts, Personal Identification Number

D. Communication process with website visitors: 1. Through cookies: Settings regarding the consent of the subject, choices and behavior of the visitor during browsing, IP address 2. Through a contact form: name, country, e-mail 3. Through an expression of interest form: name, e-mail, telephone

E. Procedure for monitoring visitors to the Company's premises through a video surveillance system: Image files (moving and static)

It is noted that our company does not seek to collect or process sensitive personal data in the context of its operations. In the event that for any reason it becomes necessary to process sensitive personal data, such processing will be based either on the prior express consent of the data subjects, which will be provided voluntarily (e.g. for marketing purposes), or on specific legal bases of article 9 of the GDPR and in particular par. 2b of Article 9 of the GDPR (processing is necessary for the performance of the company's obligations in the field of labor law and social security law).

4. Legal basis for processing

The legal bases for processing the collected data are as follows:

  • The processing of personal data is necessary for the company to comply with its legal obligations
  • The processing is necessary for the performance of a contract to which the data subject is a party
  • The processing is necessary for the achievement of the legitimate interests of our company • The processing is necessary for the performance of the company's obligations and the exercise of specific rights in the field of labor law and social security law.
  • The processing takes place with the explicit consent of the data subjects, who have previously been informed of the purposes of the processing.

5. Purposes of processing

The purposes of processing the personal data of the subjects are:

  • Serving our consumers and managing their inquiries (e.g. order status, technical issues, product questions/complaints, general questions, etc.).
  • Conducting competitions, marketing and other promotional activities. For these specific purposes and based on the above legal bases for processing, we use the Personal Data concerning you to provide you with information about products and services (e.g. communication or marketing campaigns or activities). This may be done using means such as email, advertisements, text messages (SMS), telephone calls and postal letters, to the extent permitted by applicable law. Some of our company's campaigns and promotional activities are carried out on third-party websites and/or on social media. This use of Personal Data is voluntary, which means that you can object to or withdraw your consent to the processing of your Personal Data for these purposes.
  • Order processing and quality control. We use Personal Data about you to process and ship your orders, notify you of the status of your orders, correct addresses and verify your identity, as well as for other activities in the context of fraud detection. In this context, we use certain Personal Data and information to make payments.
  • Personalization (on and off-line). With your consent (where required), we use your Personal Data to (i) analyze your preferences and habits, (ii) predict your needs based on the analysis of your profile that we have performed, (iii) improve and personalize your experience on our Sites and applications, (iv) ensure that the content of our Sites/applications is optimized for you and your computer or other device, (v) provide you with targeted advertising and content, and (vi) allow you to participate in interactive features, at your choice.
  • Other general purposes (e.g. internal research, market research, analytics, security). In accordance with applicable law, we use your Personal Data for other general business purposes, such as conducting internal or market research and measuring the effectiveness of advertising campaigns.
  • Legal or merger/acquisition reasons. If the company or its assets are acquired or merged with another company for reasons including bankruptcy, we will disclose your Personal Data to our legal successors. We will also disclose your Personal Data to third parties (i) as required by applicable law, (ii) in the context of legal proceedings, (iii) to satisfy a request submitted by a competent law enforcement agency, (iv) to protect the rights, privacy, safety or property of us or the public, or (v) to enforce the terms of a contract or the terms of our Website.

 

6. Recipients and data transfer to third parties

The Company reserves the right to disclose the personal data of the data subjects to any member of its affiliated / subsidiary company (parent company and its subsidiaries) which implement appropriate technical, physical, legal and administrative security measures to protect personal data from loss, misuse, damage, alteration, unauthorized access and disclosure, as provided for by article 32 of the General Data Protection Regulation (EU) 2016/679, or to other third parties to the extent reasonably necessary for the purposes specified in this policy and in particular:

  • The data subjects’ personal data will be transferred to the internal departments of the Company which are responsible for the smooth and uninterrupted provision of the Company's services, the operation of the Website as well as for customer service in the context of the assessment / management of their complaints / requests.
  • The data subjects’ personal data may be transferred and made accessible by legal entities (partners, subcontractors, etc.) with which we conclude contractual agreements from time to time in the context of achieving the legitimate interests of our company. At our Company, we select reliable providers, and we try to set contractual restrictions on third parties who receive your personal data to ensure their lawful use.
  • In addition, our Company's website may contain links that lead to other websites of third parties, independent entities, such as, but not limited to, content providers, payment service providers, etc. which are operated and maintained exclusively by them, and which we do not control, therefore, we bear no responsibility whatsoever for their content, actions or policies. Please read carefully the respective data protection policies of the websites you visit, as they may differ significantly from ours.
  • Personal data related to billing may be transferred and made accessible to banking institutions with which we cooperate for the processing of employee payments as well as to competent public bodies in the context of our compliance with a legal obligation. Such parties may be official state and supervisory bodies (e.g. law enforcement and prosecutorial authorities, Prosecution of electronic crime, DPA, HTPC, IAPR, supervisory authorities), if we are called upon to comply with the legislation and to prevent unlawful actions against us and our customers (e.g. telecommunications fraud, insults, defamation of personality, etc.).
  • Personal data of data subjects may be disclosed to cloud hosting providers for the purpose of storing and safeguarding the data with appropriate technical and security measures
  • During all data transfers, we always take all appropriate measures to ensure that the data transferred is the minimum required for the intended purpose of the processing and that the conditions of lawful and valid processing are always met.

7. Personal Data Retention Period

The retention period of personal data depends on the legal basis for processing, as specified in detail below:

  • In the case where the legal basis for processing is the exercise of legitimate interest, the processing and retention of personal data will be carried out for as long as necessary to achieve the intended purpose of the Company, as well as for as long as is still required until the statute of limitations for any relevant claims expires
  • If the personal data of the subjects are provided with their own consent (indicatively in the context of sending a CV), we will retain their data until the consent granted by the data subject is withdrawn. If, for any reason, this is interrupted, we will retain them for as long as necessary until the statute of limitations for any relevant claims has expired.
  • If the legal basis for processing is the execution of the contract, we will retain your data for as long as you maintain a contractual relationship with us, both in paper and electronic form, or for as long as necessary until the statute of limitations for any relevant claims (civil, tax, etc.) has expired.
  • In cases where the processing of personal data is carried out based on a legal obligation (article 6 par. c of the GDPR), the retention period is determined based on the requirements of the legislation and the period during which audits can be carried out by the competent authorities.

 

 

8. Rights of data subjects

You may exercise, as the case may be, the rights arising from the applicable Greek Legislation and the General Data Protection Regulation (Regulation (EU) 2016/679), which are the following:

a) Right to information and access to the personal data concerning you and to receive information about them, as well as the purposes of their processing, the legal basis for the processing, the recipients or categories of recipients and the period of their storage.

b) Right to rectify inaccurate data and complete incomplete data held.

c) Right to erase data, without prejudice, however, to the obligations and legal rights of the company to retain them for a minimum specific period of time, pursuant to the applicable legislative and regulatory framework.

d) Right to restrict the processing of data, if either their accuracy is disputed, or their processing is unlawful, or the purpose of the processing no longer applies and provided that there is no legitimate reason for their retention.

e) Right to data portability, provided that the processing is based on the consent of the subject and is carried out by automated means. The satisfaction of this right is subject to the company's legal rights and obligations to retain the data for specific purposes.

g) Right to object to the processing of data concerning you for reasons related to your situation.

These rights may be exercised only in cases where the Company acts as a data controller and in particular a) in the processing of personal data of candidate employees for the purpose of assessing the possibility of a potential professional collaboration b) in the processing of personal data related to the pursuit of its statutory purpose (provision of services) c) in the processing of data of the subject customers in the context of the evaluation and processing of complaints/requests process d) in the processing of data of suppliers/partners in the context of invoicing e) in the processing of personal data through the Website f) in the processing of DPA through the video surveillance system

These rights are exercised free of charge to you by sending a relevant letter to the Company's Data Protection Officer at the email: Αυτή η διεύθυνση Email προστατεύεται από τους αυτοματισμούς αποστολέων ανεπιθύμητων μηνυμάτων. Χρειάζεται να ενεργοποιήσετε τη JavaScript για να μπορέσετε να τη δείτε. or to the Company's Complaints/Customer Service Department, via email………. or via phone…….

However, if the aforementioned rights are exercised abusively and without reasonable cause, thereby causing an administrative burden, we may charge you the cost associated with exercising the respective right.

If you exercise any of your rights, we will take all appropriate measures to satisfy your request within thirty (30) days of receipt of the relevant request. We may either inform you of the acceptance of your request or of any objective reason that prevents the processing of your request.

9. Security measures

Additionally, the company applies throughout the data processing procedure, the appropriate technical, physical and administrative security measures for the protection and security of the Personal Data from loss, misuse, damage or modification, unauthorized access and disclosure, in compliance with article 32 of the GDPR 679/2016, in order to ensure the appropriate security level against those risks. Those include, among others, as the case may be: (a) the application of encryption protocols, (b) the ability to ensure confidentiality (article 90 of GDPR 679/2016), integrity, availability and resilience of processing systems and services on an ongoing basis, (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Moreover, the company takes measures so as to ensure that any physical person acting under the authority of the data controller or of the processor, who has access to Personal Data, shall not process those Data except under the instructions of the data controller and that it limits access to your personal information to authorized employees.

The indicative security measures applied are as follows:

A. Organizational Measures

  1. Company DPO appointment 
  2. Personnel organisation/management process - assignment of roles to all individuals involved in Personal Data processing activities
  3. Information systems management 
  4. Personnel training on the protection of Personal Data, information provided to all employees regarding the Company’s policies/processes 
  5. Monitoring of the data processors 
  6. Setting up of a deletion/destruction of data and data storage means process 
  7. Monitoring of Personal Data breach incidents
  8. Monitoring of controls/security measures

B. Technical Measures

  1. Access controls 
  2. Backup data process
  3. Configuration of workstations (PCs)
  4. User log files, security incident logs 
  5. Communications security
  6. Management and protection of portable data storage means 
  7. Software and applications safeguards
  8. Modification controls 

C. Physical Security Measures

  1. Physical access controls
  2. Environmental security - protection from natural disasters 
  3. Document exposure to threats
  4. Protection of portable data storage means

10. Submission of Complaint - Appeal

For any issue regarding the processing of your Personal Data, you may contact us via email ____________

Moreover, you are always entitled to contact the Hellenic Data Protection Authority (DPA), which may accept the submission of relevant complaints in writing at its protocol in its offices at 1-3, Kifissias Street, Postal Code 115 23, Athens or by e-mail (Αυτή η διεύθυνση Email προστατεύεται από τους αυτοματισμούς αποστολέων ανεπιθύμητων μηνυμάτων. Χρειάζεται να ενεργοποιήσετε τη JavaScript για να μπορέσετε να τη δείτε.) in accordance with the instructions indicated on its website.

 

11. Amendments

This policy may be renewed from time to time, due to amendments to the related legislation or change to the corporate structure of the company. Thereby, we encourage the clients and visitors to periodically visit this Website to be informed regarding recent information of Personal Date privacy practices. In any case, the clients / visitors may be informed via e-mail or a notice on our website regarding any amendments to this policy.