EKO Hotline 70000356

Privacy Notice EKO Smile app

The company called Hellenic Petroleum Cyprus Ltd and EKO d.t., with a corporate and postal address at 3 Ellispontou, 2015, Strovolos, Nicosia, with registration no. OC 109, an electronic address www.eko.com.cy and a contact phone +35722477000 (hereinafter the “Company”), addresses the personal data protection and privacy issues with responsibility and as a matter of primary concern and adheres to Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “Regulation”) and the relevant legislation of the Republic of Cyprus.

 

We hereby inform you of the Notification pursuant to article 13 of the Regulation, within this context, in order to inform you how we collect and process your personal data within the context of using the application (name of app) (hereinafter the “Application”) as well as your membership in the Company’s reward scheme (hereinafter the “Scheme”).

 

1.  Controller

The Company shall be the Controller for collecting your data and processing it for the purpose of ensuring its protection, as specified above. This means that the Company specifies the purposes and the manner of processing your personal data in accordance with the Regulation and the applicable law in general.

 

2.  Sources of personal data collection

The Company shall initially collect personal data directly from you and not from third sources. Your personal data shall be provided within the context of registration and maintaining your status, in general, as a member of the loyalty scheme, which is offered through the Company Application, and shall be considered as a necessary prerequisite for initiating and smoothly continuing the use of the Application’s features, whilst not granting the said data on your part could be a major impediment to the above process, if not a reason for discontinuing it.


 

3.  Personal data processing and legal bases

The following table sets out the purposes of processing the personal data subject to processing by the Company, the categories of such personal data, as well as the legal basis of their processing.

 

Purpose of Processing

Categories of Personal Data

Legal Basis of Processing (provision of Regulation)

1. Registration of member in the loyalty scheme

Personal data (indicatively, name, surname, phone, e-mail)

 

Article 6, para. 1, case b’ -the processing is necessary for the execution of the contract (Application terms of use).

2. Reward management

Personal data (indicatively, name, surname, phone, e-mail)

 

Article 6, para. 1, case b’ – the processing is necessary for the purposes of the execution of the contract.

3. Information about current reward offers

Personal data (indicatively, name, surname, phone, e-mail)

 

Article 6, para. 1, case b’ - the processing is necessary for the purposes of the execution of the contract.

4. Notices about new offers/schemes (to the user’s device)

Personal data (indicatively, name, surname, phone, e-mail)

 

Article 6, para. 1, case a’ – the processing is carried out following consent of the subject of the data.

5. Wallet payment application and payment of fuels from the pump

Personal data (indicatively, name, surname, phone, e-mail), financial data, payments data

 

Article 6, para. 1, case b’ - the processing is necessary for the purposes of the


 

 

 

execution of the contract.

6.              Participation              in promotional competitions/ prizes draws

Personal data and contact information (indicatively, name, surname, phone, e-mail)

 

Article 6, para. 1, case b’ - the processing is necessary for the purposes of the execution of the contract (conditions of competition).

7. Showing of winners of the promotional competitions/ prizes draws

Personal data (indicatively, name, surname, phone, e-mail)

 

Article 6, para. 1, case b’ – the processing is necessary for the purposes of the execution of the contract

8. Publication of the winners’ results of promotional contents/prizes draws to the media

Personal data (indicatively, name, surname, phone, e-mail)

 

6 para. 1 f - The processing is necessary for the purposes of the legal interests sought by the controller and especially the commercial promotion                                 

communication.


 

4.  Notification to third parties and Categories of recipients

 

Your personal data, as described above, may be disclosed for the purposes of processing, as these are set out above under para. 3 (cases 5-8) to associates - employees of the Company authorized to this end (indicatively service station proprietors, drivers, carriers) or contractors, as well as to the relevant banking institutions for the purpose of completing your purchase/order for the time being. Also, further to the above and for the purposes of processing under para. 3, cases 9 - 11 (competitions - promotions), your personal data may be disclosed to media or/and social media (case 11) as well as to contracted advertising companies, which will always operate under the indications and guidance of the Company with a view to protecting your personal data.

 

The Company shall not transmit your personal data to a third country or international organization.

 

5.  Security

 

The Company shall process your personal data in a manner that ensures their protection by taking all the appropriate organizational and technical measures to ensure the safety of the data and its protection from any accidental or unauthorized destruction, accidental loss, alteration, prohibited dissemination or access and any other in the form of unfair treatment.

 

6.  Rights of the subject

 

This section lists your rights with respect to your personal data. These rights are subject to certain exceptions, reservations or restrictions. Please submit your requests responsibly. The Company will reply to you as soon as possible and in any case within one (1) month from the receipt of the request. If the examination of your request requires more time, you will receive relevant information. For the exercise of your rights, please contact the email: dpo@helpe.gr

 

The Company shall ensure about the uninterrupted exercise of your following rights:

 

6.  1.     The right of information

You have the right to request and receive clear, transparent and easily understandable information about how we process your personal data, in accordance with the Company’s policies and procedures for the time being.


 

6.2.             The right of access

You have the right to access your personal data free of charge, in accordance with the Company’s policies and procedures for the time being, with the exception of the following cases where there may be a reasonable charge in order to cover the Company’s administrative expenses:

                     manifestly unfounded or excessive / repeated requests; or

                     additional copies of the same information.

 

6.3.             The right of rectification

You have the right to request the rectification of your personal data if it is inaccurate or incomplete, in accordance with the Company’s policies and procedures for the time being.

 

6.4.  The right of erasure

You have the right to request the erasure or the removal of your personal data when it is no longer necessary for the purposes collected or there is no legitimate reason to continue processing it in accordance with the Company’s policies and procedures for the time being. The right to erase is not absolute, to the extent that there is a particular legal obligation or other legitimate cause for the Company to retain your personal data.

 

6.5.  The right to restrict processing

You have, in certain cases, the right to restrict or abolish further processing of your personal data in accordance with the Company’s policies and procedures for the time being. In cases where the processing has been restricted, your personal data will remain stored without further processing.

 

6.6.  The right to portability

You have the right to request the personal data, which concerns you and which you have provided to us in a structured, commonly used and machine-readable format, as well to transmit the said data to another controller, in accordance with the Company’s policies and procedures for the time being.

 

6.  7. The right to object

You have the right to, at any time and for reasons related to your particular situation, object to the processing of your personal data, which is based on article 6 para. 1 item f of the Regulation (processing for reasons of legitimate interest of the Company), based on the said provision. The Company shall, in such a case, no longer process the personal data as a


 

controller, unless it demonstrates compelling and lawful reasons for the processing, which prevail the interests, the rights and the freedoms of the subject or for the establishment, exercise or support of legal claims.

 

6.8.  Rights of automated individual decision-making and profiling

The Company shall not proceed with an automated individual decision-making, including profiling.

 

6.9.  Right to revoke the consent

In cases where your personal data is processed on the basis of your prior consent, you have the right to revoke your consent at any time and the Company will cease the specific activity for which you had previously consented, unless there is an alternative legal basis justifying the continuation of processing your data for this purpose, for which we will inform you.

 

6.10.  Way to exercise your rights

The exercise of the above referred to rights requires the submission of a written application to the Company, in accordance with its policies and procedures for the time being. The Company reserves the right to reply within one month of receiving the request, in accordance with the terms of the Regulation and its policies and procedures.

 

7.  Time for retaining personal data

 

The Company shall determine the time for retaining personal data for each category of personal data, in accordance with the provisions of the law for each category of personal data and its policies and procedures.

 

8.  Contact Person on personal data issues

For any issue relating to the processing of personal data and this notification, please contact the Data Protection Officer of the HELPE Group:

 

Data Protection Officer of the HELPE Group:

 

Nicolaos Georgoudas

Telephone

+30 210 6302252

e-mail:

dpo@helpe.gr

 

9.  Communication with the supervisory authority


 

For further information and advice on your rights or to file a complaint, you can contact the Office of the Commissioner for Personal Data Protection, the Cyprus Supervisory Authority:

 

Office of the Commissioner for Personal Data Protection

Office Address: 1 Iasonos, 1082 Nicosia

Postal address: P.O.B. 23378, 1682 Nicosia

Telephone: +357 22818456

Fax: +357 22304565

Email: commissioner@dataprotection.gov.cy http://www.dataprotection.gov.cy

 

10.  Adjustments of the present Notification

Our goal is to constantly review and update this Notification in order to comply with the personal data legislation and the new developments. Any update of this Notification will be immediately notified to you.

 

 

Definitions

 

Personal data”: any information relating to an identified or identifiable natural person (“data subject”); the identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the said natural person.

 

“Sensitive personal data”: it is personal data containing information on racial or ethnic origin, political beliefs, religious or philosophical beliefs or participation in trade unions, physical and mental health, genetic and biometric data, data relating to sexual life or sexual orientation, and information on criminal convictions and offenses. Due to the nature of sensitive personal data, the legislation is much stricter as to how such data should be processed. The Company only processes sensitive personal data in accordance with the law.

 

Customers: any natural person who contracts with the Company for the purpose of selling/purchasing from the Company products/derivatives thereof.

 

Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording,


 

organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

Controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

 

Restriction of processing”: the marking of stored personal data with the aim of limiting their processing in the future.

 

Personal data breach”: the breach of the security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.