The company called Hellenic Petroleum Cyprus Ltd and EKO d.t., with a corporate and postal address at 3 Ellispontou, 2015,
Strovolos, Nicosia, with registration no. OC 109, an electronic address www.eko.com.cy
and a contact phone +35722477000 (hereinafter the “Company”), addresses the personal data protection and privacy
issues with responsibility and as a matter of primary
concern and adheres
to Regulation (EU) 2016/679 on the protection of natural persons with regard
to the processing of personal data and on the free movement of such data and repealing Directive
95/46/EC (General Data Protection Regulation) (hereinafter “Regulation”) and the
relevant legislation of the Republic
of Cyprus.
We hereby inform
you of the Notification pursuant
to article 13 of the Regulation, within
this context, in order to inform
you how we collect and process your personal data within the context of using the application (name of app) (hereinafter the “Application”) as well as your membership in the
Company’s reward scheme
(hereinafter the “Scheme”).
The Company shall be the Controller for collecting your data and processing it for the purpose of ensuring its protection, as specified above. This means that the Company specifies the purposes and the manner of
processing your personal data in accordance with the Regulation and the applicable law in general.
The Company shall initially collect
personal data directly
from you and not from third sources.
Your personal data shall be provided within the context
of registration and maintaining
your status, in general, as a member of the loyalty scheme, which is offered through the Company Application, and shall
be considered as a necessary prerequisite for
initiating and smoothly continuing the use of the Application’s
features, whilst not granting the said data
on your part could be a major
impediment to the above
process, if not a reason
for discontinuing it.
The following table sets out the purposes
of processing the personal data subject to processing
by the Company, the categories of such personal data, as well as the legal
basis of their processing.
Purpose of Processing |
Categories of Personal Data |
Legal Basis
of Processing (provision of Regulation) |
1. Registration of member in the
loyalty scheme |
Personal data (indicatively, name,
surname, phone, e-mail) |
Article 6, para. 1, case b’ -the processing is necessary for the
execution of the contract (Application terms
of use). |
2.
Reward management |
Personal data (indicatively, name, surname, phone,
e-mail) |
Article 6, para. 1, case b’ – the processing is necessary for the purposes of the execution of the contract. |
3. Information about current reward offers |
Personal data
(indicatively, name, surname, phone, e-mail) |
Article 6, para.
1, case b’ - the
processing is necessary for the purposes of the execution of the contract. |
4. Notices about
new offers/schemes (to the user’s device) |
Personal data
(indicatively, name, surname, phone, e-mail) |
Article 6, para. 1,
case a’ – the processing is
carried out following consent
of the subject
of the data. |
5. Wallet payment application and payment of fuels from the pump |
Personal
data (indicatively, name,
surname, phone, e-mail), financial data,
payments data |
Article 6, para.
1, case b’ - the
processing is necessary for the purposes of the |
|
|
execution of the contract. |
6. Participation in promotional competitions/ prizes draws |
Personal
data and contact
information (indicatively, name,
surname, phone, e-mail) |
Article 6, para.
1, case b’ - the
processing is necessary for the purposes of the execution of the contract (conditions of competition). |
7. Showing of winners of the promotional competitions/ prizes draws |
Personal data (indicatively, name, surname, phone,
e-mail) |
Article 6, para. 1, case b’ – the processing is necessary for the purposes of the execution of the contract |
8. Publication of the winners’ results
of promotional contents/prizes draws to the
media |
Personal data
(indicatively, name, surname, phone, e-mail) |
6 para. 1 f - The processing is necessary for the purposes of the legal interests sought
by the controller and especially the commercial promotion – communication. |
Your personal data, as described above, may be disclosed
for the purposes of processing, as these
are set out above under para. 3 (cases 5-8) to associates - employees of the
Company authorized to this end (indicatively service
station proprietors, drivers,
carriers) or contractors, as well as to the relevant banking
institutions for the purpose of completing your purchase/order for the time being.
Also, further to the above and for the purposes of processing under para. 3, cases 9 - 11 (competitions -
promotions), your personal data may be
disclosed to media or/and social media
(case 11) as well as to contracted advertising
companies, which will always operate under the indications and guidance
of the Company with a view to protecting your personal data.
The Company shall not transmit
your personal data to a third country
or international organization.
The Company shall process your personal data in a manner
that ensures their protection by taking
all the appropriate organizational and technical measures to ensure the safety
of the data and its protection from
any accidental or unauthorized destruction, accidental loss, alteration, prohibited dissemination or access and any other in the form of
unfair treatment.
This section lists your rights with respect to your
personal data. These rights are subject to certain
exceptions, reservations or restrictions. Please submit your requests
responsibly. The Company will reply
to you as soon as possible and in any case within one (1) month from the receipt of the request. If the examination
of your request requires more time,
you will receive relevant
information. For the exercise of your rights,
please contact the email: dpo@helpe.gr
The Company shall ensure
about the uninterrupted exercise
of your following rights:
You have the
right to request and receive
clear, transparent and easily understandable information about how we process your
personal data, in accordance with the Company’s policies and procedures for the time being.
You have the right to access your personal data free of
charge, in accordance with the Company’s
policies and procedures for the time being, with the exception of the following cases where there may be a reasonable charge in order to cover the Company’s
administrative expenses:
•
manifestly unfounded
or excessive / repeated requests; or
•
additional copies
of the same information.
You have the right to request the rectification of your
personal data if it is inaccurate or incomplete, in accordance with the Company’s
policies and procedures for the time being.
You have the right to request the erasure or the removal
of your personal data when it is no longer
necessary for the purposes collected or there is no legitimate reason to
continue processing it in accordance
with the Company’s policies and procedures for the time being. The right to erase is not absolute, to the
extent that there is a particular legal obligation or other legitimate cause for the Company to retain
your personal data.
You have, in certain cases, the right to restrict or
abolish further processing of your personal data
in accordance with the Company’s policies and procedures for the time being. In
cases where the processing has been
restricted, your personal data will remain stored without further
processing.
You have the right to request the personal data, which
concerns you and which you have provided
to us in a structured, commonly used and machine-readable format, as well to transmit the said data to another
controller, in accordance with the Company’s policies and procedures for the time being.
You have the right to, at any time and for reasons
related to your particular situation, object
to the processing of your personal data, which is based on article 6
para. 1 item f of the Regulation
(processing for reasons of legitimate interest of the Company), based on the
said provision. The Company shall,
in such a case, no longer process
the personal data as a
controller, unless it demonstrates compelling and lawful
reasons for the processing, which prevail
the interests, the rights and the freedoms of the subject or for the
establishment, exercise or support of legal claims.
The Company shall not proceed with an automated
individual decision-making, including profiling.
In cases where your personal data is processed on the
basis of your prior consent, you have the
right to revoke your consent at any time and the Company will cease the
specific activity for which you had
previously consented, unless there is an alternative legal basis justifying the continuation of processing your data
for this purpose, for which we will inform
you.
The exercise of the above referred to rights requires
the submission of a written application to
the Company, in accordance with its policies and procedures for the time being.
The Company reserves the right to reply within one month of receiving the request, in accordance
with the terms of the Regulation and its
policies and procedures.
The Company shall determine the time for retaining
personal data for each category of personal
data, in accordance with the provisions of the law for each category of
personal data and its policies and procedures.
For any issue relating to the processing of personal
data and this notification, please contact the Data Protection Officer
of the HELPE Group:
Data Protection Officer of the HELPE
Group: |
Nicolaos Georgoudas |
Telephone |
+30 210 6302252 |
e-mail: |
For further information and advice on your rights or to file a complaint, you can contact the Office
of the Commissioner for Personal Data Protection, the Cyprus Supervisory Authority:
Office Address:
1 Iasonos, 1082 Nicosia
Postal address:
P.O.B. 23378, 1682 Nicosia
Telephone: +357 22818456
Fax: +357 22304565
Email: commissioner@dataprotection.gov.cy http://www.dataprotection.gov.cy
Our goal is to constantly review and update this
Notification in order to comply with the personal
data legislation and the new developments. Any update of this Notification will
be immediately notified to you.
“Personal data”: any information relating to an
identified or identifiable natural person (“data
subject”); the identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online
identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of the said natural person.
“Sensitive personal
data”: it is personal data containing
information on racial or ethnic origin,
political beliefs, religious or philosophical beliefs or participation in trade
unions, physical and mental health,
genetic and biometric data, data relating to sexual life or sexual orientation, and information on criminal
convictions and offenses. Due to the nature of
sensitive personal data, the legislation is much stricter as to how such data should be processed. The Company only processes sensitive personal data in accordance with the law.
“Customers”: any natural
person who contracts
with the Company
for the purpose of selling/purchasing from the Company products/derivatives thereof.
“Processing”:
any operation or set of operations which is performed on personal data or on sets of personal
data, whether or not by automated means,
such as collection, recording,
organization, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment
or combination, restriction, erasure or destruction.
“Controller”:
the natural or legal person, public authority, agency or other body which,
alone or jointly with others,
determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member
State law, the controller or the specific criteria for its nomination may be
provided for by Union or Member
State law.
“Restriction of processing”:
the marking of stored personal data with the aim of limiting their processing in the
future.
“Personal data
breach”: the breach of the security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored
or otherwise processed.