If you wish to be informed in detail on all your rights and our obligations deriving from the applicable (European and National) Legislation, we have created the “Disclosure of the Protection of Personal Data” form for all natural persons who are in business with Electrica, which you can access at any moment electronically, via all the means we provide for your convenience, as well as in print format, provided that you request it as a supplement to the applications, suggestions, order forms, and other documents used in the context of our collaboration.

In this document you can read in detail why we collect and keep your personal data, and exceptionally, your sensitive personal data, in which cases we process this data, and how we secure their confidentiality.

For any further information or clarification on any subject concerning the implementation of the New Regulation and the protection of your personal data, you may contact the Data Protection Officer for the company, at (+30)210-4190810 and/or at the e-mail address: electrica@electricanet.com

Here at Electrica, privacy is precious, and ensuring its protection is our utmost priority, in every way this is understood.

Our company makes every effort to conduct its business in a way that proves our unwavering commitment to ethical and responsible practices. Clearly, innovation and new technologies lead to constant changes regarding risks, expectations, and legislation, which is why we make every effort towards the timely adaptation to the manner we implement them as a response to these changes.

This Policy determines our standards on the management and protection by or on behalf of our company of Personal Data which come, directly or indirectly, from any country in the European Economic Area (EEA) and may be transferred to another country within the scope of the New General Regulation and Domestic Law. These standards apply for our operations in every country, for every operation which includes information on individuals/natural persons which we conduct in each field (including any of our entrepreneur successors and with the conventional limitation of liability which may be provided for during succession), including but not limited to the research, production, commercial activities, corporate support, and data transfer necessary for conducting the aforementioned operations, including but not limited to:

  • Research and Production (cookies policy) that contain:
  • Commercial activities: evaluation of the statistics on our services and the sharing, disclosure, and final reception/use of our services by our customers or other end users, encouragement of our partners to support our commercial activities / compliance with the relevant legal, regulatory, or ethical requirements.
  • Corporate support: hiring, managing, development of and communication with the employees / offering bonuses to the employees / assessing employee performance and talents / providing training and other education and development programs / implementing disciplinary procedures and managing employee complaints / managing concerns on ethics and privacy and conducting research / managing and safeguarding our physical and virtual assets and infrastructure / procuring and paying for products and services / meeting our commitments regarding the environment, health and safety, and corporate responsibility / communication with the media / compliance with the relevant legal, regulatory, and ethical requirements.

This Policy also applies to all the individuals/natural persons whose data we process, including but not limited to customers, candidates, employees, partners, investors and shareholders, state employees, and other counter-parties.

All Company Employees and Senior Managers are aware of the substantive responsibilities regarding privacy which they must observe or seek help and information in order to observe.

We acknowledge that unintentional errors and misjudgment on data protection may threaten people’s privacy as well as the reputation, operations, compliance, and finances of our Company. Each Company employee, as well as other individuals processing data for our company, is responsible for understanding and fulfilling their obligations under this Policy and the existing legislation.

A. Our Values include four lines of action regarding privacy:

Respect: We make every effort to respect the views and interests of individuals and societies and be fair and transparent in how we use and share information on them.

Trust: We make every effort to win and maintain the trust of our customers, employees, and other interested parties regarding the respect and protection of any information that concerns them.

Prevention of Harm: We understand that the misuse of data concerning individuals can cause tangible and intangible harm to these individuals, therefore we make every effort to prevent any physical harm, financial harm, harm to the reputation, or any other harm regarding privacy.

Compliance: Laws and regulations are not always consistent with the rapid developments of technology, data flow, and other related changes to the risks and expectations regarding privacy. We always try to comply with the spirit and regulations of privacy and the data protection laws in a way that is consistent with and operationally efficient for our business activities on a global scale.

B. Overseeing the implementation of Privacy responsibilities. We constantly and regularly inspect our procedures and technologies so that they are consistent with our privacy standards and values, as well as the applicable law. The eight aspects of the Principle of Privacy described below succinctly present the privacy standards and main requirements we try to meet:

1. Necessity – Before collecting, using, or sharing Personal Data, we determine and document the specific, lawful operational purpose for which such an action is necessary.

  • We determine and document the time period during which the Personal Data in question are required for the set operational or scientific purposes, which is a period of ten (10) years, starting from the date of the first collection of data. This time period may be reasonably extended due to continuous recurrent transactions, but it may in no way exceed fifteen (15) years, with the exception of employment relationships. We are available to any person knowingly in business with Electrica to remind us that this time period has concluded if Electra has failed to acknowledge it by mistake.
  • We do not collect, use, or share more Personal Data than necessary, and we do not keep Personal Data in an identifiable form for longer than what is necessary for the set operational purposes.
  • If the operational purposes make keeping information on operations or processing necessary for a longer period of time, we anonymize the data.
  • We make sure that said requirements have been incorporated to any supporting technologies and that any third parties supporting the operation or processing have been informed.

2. Fairness – We do not process the Personal Data in ways that are unfair to the individuals concerned.

  • We determine whether the suggested collection, use, or other form of processing of Personal Data poses a risk of definite or indefinite harm to people, in accordance with the privacy principle on the Prevention of Harm.
  • If the nature of the data, the types of people, or the operations include an inherent risk of definite or indefinite harm to people, we make sure to review that the risk of harm is not greater than any benefits for these people, or than our mission to improve the economy of the personal and professional life both of our counter-parties and our own people.
  • In case the risks are inversely proportional to the benefits for the individuals, we process their Personal Data only with their express consent or as it is expressly required or permitted by the existing laws.
  • We document the performed risk analysis and we design any required mechanisms for obtaining and recording data which prove consent to supporting technologies.

3. Transparency – We do not process Personal Data in ways or for purposes that are not transparent.

  • Every individual whose Personal Data is processed under this Policy has the right to a copy of this Policy. Copies of this Policy shall also be made available online at www.electricanet.com/privacy-policy. Our Data Protection Officer shall provide digital and/or physical copies of this Policy upon request sent to the addresses listed below.
  • We remain informed and make every effort so that the necessary transparency mechanisms, including – where possible – the mechanisms supporting individual rights requests, are introduced to the supporting technologies.

4. Purpose Limitation – We exclusively use Personal Data in accordance with the principles of Necessity and Transparency.

  • If new reasonable corporate purposes for already collected Personal Data are identified, we check whether the new corporate purpose in question (including an essentially similar purpose) is consistent with the purposes described in the privacy notice or other mechanism of transparency previously provided to the individual concerned.
  • The above mentioned principle does not apply to anonymized data or to the cases where Personal Data are used exclusively for the purpose of historical or scientific research, as in such cases (1) it is deemed that the risk to people’s privacy or other rights is acceptable and (2) there is compliance with existing Laws.

5. Quality of Data – We keep your Personal Data accurate, compete, and updated, and in accordance with their intended use.

  • We make sure that the mechanisms of periodic data monitoring have been integrated to supporting technologies so that they confirm data accuracy in relation to their source.
  • We make sure that Sensitive Data has been confirmed as accurate and updated before using, evaluating, analyzing, reporting, or otherwise processing them if the use of inaccurate or not up-to-date data involves the risk of unfairness to the individuals.
  • When changes are made to Personal Data by our company or by third parties working for our company, these changes are promptly made known where possible.

6. Security – We incorporate safeguards to protect Personal Data from loss, misuse, unauthorized access, disclosure, or destruction.

  • We have implemented a detailed program of data security and we perform security checks on the basis of data sensitivity and the proportional risk of the activity, taking into consideration the best practices of contemporary technology and the cost of implementation. Our operational security policies include but are not limited to standards of operational continuity and recovery due to loss, identity and access management, data classification, data security incident management, network access control, physical security, and risk management.

7. Data Transfer – As far as we are concerned and technically allowed, we maintain the privacy of Personal Data when they are transferred to and from other organizations or beyond state borders. We only transfer Personal Data or allow them to be processed by third parties if the following conditions are met:

  • If the role of the third party is to process Personal Data for or on behalf of our company, before they receive any Personal Data we secure guarantees from said third party by contract that they will process Personal Data in accordance with our company’s guidelines and in accordance with this Policy, including, without restrictions, all eight (8) Principles of Privacy and other standards set forth in this Policy and existing Legislation. In the same way we ensure their commitment to promptly inform our company on any Privacy/Security Incident, including any inability to comply with the standards set forth in this Policy and existing legislation, to cooperate for the timely remediation of any documented Incident, and to allow our company to perform checks and oversee their practices during processing as regards compliance with these requirements. In case of (future) affiliated or associated companies, provided that they act exclusively on our behalf and where provided by Law, they will perform internal data processing, in accordance with Principle 8 of this Policy.
  • If the role of the third party is to provide Personal Data to our company, before we obtain said Personal Data we make sure that the Transparency requirements for the collection of Personal Data from other sources and not necessarily under our company’s oversight are met, and we secure guarantees from said third party by contract that they are not violating any Laws or the rights of any party by providing Personal Data to our company.
  • If the role of the third party is to receive data for processing from our company which are not necessarily under our company’s oversight, before we provide the Personal Data to them we secure guarantees from said third party that they will use the data exclusively for the operational purposes set forth in the agreement and in accordance with the existing legislation.

8. Legality – We process Personal Data only if the requirements of local laws and the provided for Legal Bases are met, including the provisions of the GDPR within the region it is stipulated to apply.

C. Data subjects’ rights

We shall promptly respond to requests regarding individual rights on the access to, correction, modification, or deletion of Personal Data or objection to the processing of Personal Data in accordance with the following principles:

– Access, Correction, and Deletion –

Based on Community and Greek Legislation, data subjects have the right to access Personal Data concerning them and to correct, modify, or delete Personal Data that are inaccurate, incomplete, or outdated. We receive every request for access to, correction, and deletion of Personal Data. If a request for access to, correction, or deletion is set forth in existing Legislation which provides greater security to individuals, we shall make sure that the additional requirements based on said Legislation are met.

– Option –

In accordance with the privacy principles of “Respect” and “Trust”, we shall receive the requests of individuals who object to the processing of their Personal Data, including but not limited to the option to not participate in programs or activities in which they had previously agreed to participate, the processing of Personal Data concerning them for direct marketing purposes, communications directed at them based on their Personal Data, and for any evaluation or decision-making regarding said data which may have significant impact and which is conducted using algorithms or automation.

Where prohibited by Law, we may deny the option of a particular request that may hinder the company’s ability to: (1) comply with the Law or an ethical obligation, including cases where we may be forced to disclose personal data at the lawful request of public authorities due to safety principles or national security, (2) investigate, defend, or make legal claims, and (3) conclude contracts, manage relations, or perform other permitted professional activities consistent with the principles of Transparency and Purpose Limitation and which have been entered to the database of the individuals associated with them. In accordance with this Policy, within fifteen (15) working days from any decision to deny a request for option we shall document the decision and communicate it to the petitioner.

– Any person whose Personal Data we process in the context of this Policy may ask questions, make complaints, or express their concerns to our company at any moment. Any question, complaint, or concern expressed by a Person or any notice from an employee or other person working on behalf of our company must be directed to the Data Protection Officer, as previously mentioned:

– by e-mail at: electrica@electricanet.com

– by phone at: (+30)210 4190810

– by mail at: 30, Messologgiou Str. – Post Code 18545

– Our employees, contract workers, or associates must promptly notify the company’s Data Protection Officer on any question, complaint, or concern on the company’s privacy practices.

– The Data Protection Officer shall review and investigate all questions, complaints, and concerns regarding our company’s privacy practices, whether they were received directly by our employees or by other persons or third parties, including but not limited to regulatory bodies, liability officers, or other state authorities.

We shall respond to the person who posed the question, complaint, or concern to our company within thirty (30) calendar days unless a Law or petitioner/third party requires a reply after a longer period of time or unless the circumstances, such as a concurrent state/public authority investigation, require a longer period of time. In such a case, the petitioner/third party shall be informed as soon as the general circumstances contributing to the delay allow.

– The Data Protection Officer shall cooperate with the Privacy/Data Protection regulatory authority in any investigation, inspection, or probe.

– In the case of complaints which cannot be resolved between our company and the petitioner, our company has agreed to participate in the established conflict resolution procedures, and to investigate and address complaints in order to resolve conflicts regarding this Policy.

– If the data of individuals who live in the EEA or whose Personal Data fall under the EU Data Protection Legislation or equivalent legislation for countries connected to the EEA are transferred outside the EEA and are processed in relation to this Policy, then these individuals have the right to request that the requirements of this Policy are enforced as beneficiary third parties, including the right to take legal action to pursue claims.  

Important Terms – Compendium

  • Anonymization: Any changes, cuts, removals, or other limitations or modifications to Personal Data to render their use to identify, locate, or communicate with the person concerned impossible.
  • Legislation: All the laws, rules, regulations, and report mandates with legal effect in every country where our company operates or in which Personal Data are processed by or on behalf of our company.
  • Our Company: Electrica, its successors, its affiliates, and its departments, except for the common business ventures in which it participates.
  • Personal Data: All data concerning an identified or unidentified individual/natural person, including data which identify that individual or which could be used to identify, locate, monitor, or contact them. Personal Data include both directly identifying information, such as name, identification number, or unique job title, and indirectly identifying information, such as date of birth, home or mobile phone number, or codified data.
  • Privacy Incident: The violation or breach of this Policy or a privacy or data protection law, including a Security Incident. The Data Protection Officer and the Legal Advisor shall determine whether a privacy incident has taken place and whether it is of physical substance.
  • Processing: Any process or series of processes on data concerning people, via automated or non-automated means, including but not limited to data collection, recording, organization, storage, access, adaptation, modification, recovery, consultation, use, evaluation, analysis, report, sharing, disclosure, dissemination, transmission, disposal, formatting, combination, obstruction, deletion, elimination, or destruction.
  • Security Incident: Access to Personal Data by a non-authorized person, or disclosure of Personal Data to an non-authorized person, or a reasonable suspicion by our company that such an event has taken place. Access to Personal Data by or on behalf of our company without intent to violate this Policy does not constitute a Security Incident, provided that the Personal Data in question were only used or disclosed as permitted by this Policy.
  • Third Party: Any legal entity, organization, or person that is not part of our company, or that cannot be placed under the direct Administrative Control of our company, or that does not work for our company. Unless expressly established in this Policy, no affiliated or associated company meets the criteria to be considered a “third party” within the concept of this Policy.

D. Changes to this Policy

This Policy may be revised from time to time, in accordance with the requirements of current legislation. Whenever there are changes to this Policy, a notice will be posted on our company website (www.electricanet.com/privacy-policy), where it will remain for thirty (30) days.