PERSONAL DATA MANAGEMENT SECURITY POLICY

Η VENMAN ABEE, based at 11^ο kilometer of the Old Thessaloniki-Kilkis National Road, is responsible for the processing of personal data in the context of the contractual and transactional relationships it creates to achieve its corporate purposes.

In view of the undisturbed maintenance of a high level of protection during the processing of personal data and the facilitation of the effective exercise of the rights and freedoms recognized by Regulation 2016/679, the company is codifying the applied security policy, so that it is immediately accessible to data subjects.

Principles governing data processing

1. The collection and processing of personal data by the company

a) takes place with adherence to legality, objectivity and transparency,

b) it is done for specified and legal purposes, while the data is not further processed except when this is absolutely legitimate,

c) is carried out with strict adherence to the principles of proportionality and minimization (data minimization), so that the measure that is absolutely necessary to serve the express, lawful and legitimate purposes pursued by the processing is never exceeded,

d) it is carried out with constant care to ensure the accuracy of the data, as well as its updating, while all the necessary measures are taken to immediately delete or correct those data which are inaccurate, in relation to the purposes of the processing and

e) is achieved in a way that guarantees the appropriate security of personal data, based on the principles of integrity and confidentiality.

2. In order to achieve the above principles, the company uses the appropriate techniques

organizational measures to protect the personal information it collects and processes, regardless of whether it is embodied in a physical or an electronic file. The measures it uses are designed to provide a level of security appropriate to the risk of processing personal data.

Collection and Processing of Personal Data

1. The company processes personal data, which have been submitted or will be submitted to it and which are necessary for the initiation, maintenance and execution of existing or future commercial and contractual relationships. The responsibility for the completeness, accuracy and updating of the data, where it is required, rests exclusively with the subject to whom the data relate. In any case, the company reserves the right to request an update of the data it holds, especially when this is deemed necessary for the smooth continuation of business relations, as well as for the fulfillment of obligations arising from the Law.

2. The company also processes personal data, which it receives or comes to its knowledge from a third natural or legal person or public body and which is necessary either to achieve the legal interests of itself or a third party, or to fulfill duties of those performed in the public interest (e.g. tax authorities and social security bodies).

3. The company may also process data it collects from third-party publicly accessible sources (e.g. Mortgage Registries/Land Registry, commercial registers, internet) as long as this data is necessary for the purposes of the processing and for the satisfaction of its legitimate interests and claims .

4. The company does not process personal data, such as data related to racial or ethnic origin, political opinions, religious or philosophical beliefs or membership in a trade union, genetic or biometric data for the purpose of identification as the subject of the processing, as well as health data or data concerning sex life or sexual orientation unless: a) the consent of the data subject has been expressly given for a specific purpose, b) these data have been disclosed to the company by the subject or a third natural or legal entity person in the context of documenting and safeguarding his and/or the company's legitimate interests as data controller (e.g. information about the subject's position in legal aid), c) the data has been made public by the data subject, d) the processing is necessary for reasons of substantial public interest (investigation of a criminally prosecuted act). It is noted that the company has in every case taken all the necessary technical and organizational measures for the safe keeping and processing of personal data belonging to the above special categories.

5. The company does not collect or process personal data of minors, unless the consent of parents or guardians has been previously provided.

Lawfulness of personal data processing

The company legally processes personal data if the processing:

a) It is necessary for the service, support and monitoring of its commercial relations in general and the proper execution of the contracts it has entered into.

b) It is necessary for the company's compliance with its legal obligation or for the pursuit of its legal interests and claims

c) It is necessary for the fulfillment of its duty, which is performed to serve the public interest, within the framework of the applicable legislative and regulatory framework.

d) It is based on the prior express consent of the subject of the personal data.

Withdrawal of Consent

When the prior consent of the data subject is a necessary condition for the admissibility of the processing, any revocation thereof does not affect the legality of the processing based on it, until the revocation is notified to the company. For the notification to be valid, the revocation must be made in writing to the company.

Purposes of personal data processing

The processing of personal data concerns:

a) the service, support and monitoring of business relations with the company, the proper execution of existing or future contracts,

b) the fulfillment of the obligations of the company as responsible or performing the processing,

c) the exercise of the company's legal and contractual rights,

d) carrying out checks provided for by the current legislative framework,

e) the registration, recording and archiving of all types of information that have been legally collected by the company,

f) the upgrading of the products and services provided by the company and the advertising and promotion of the products and services of the company, and of the businesses cooperating with the Bank, subject to the prior consent of the subject of the personal data,

g) the satisfaction of all kinds of requests addressed to the company or the examination of complaints regarding products and services offered by the company,

h) the fulfillment of the company's legal obligations, arising from the current legislative framework,

i) the defense of the company's legal interests, which are indicatively related to: 1) the assertion of its legal claims before the competent judicial authorities or other out-of-court/alternative dispute resolution bodies, 2) the prevention of fraud and other criminally prosecuted acts, 3 ) the evaluation and optimization of security procedures and information systems, 4) the physical security and protection of persons and property (e.g. video surveillance).

Method of Data Processing

The company undertakes that the collection and processing of personal data is carried out in absolute compliance with the law. In particular, the processing is lawful only if at least one of the following conditions applies:

a) the data subject has consented to the processing of his personal data for one or more specific purposes,

b) the processing is necessary for the performance of a contract to which the data subject is a party or to take measures at the request of the data subject prior to the conclusion of a contract,

c) the processing is necessary to comply with a legal obligation of the company,

d) the processing is necessary to safeguard a vital interest of the data subject or another natural person,

e) the processing is necessary for the fulfillment of a task performed in the public interest,

f) the processing is necessary for the purposes of the legal interests pursued by the company.

Use of Security Cameras

1. In order to protect the life and physical integrity of the staff, as well as the safety of the facilities, the company uses technical means of surveillance, specifically closed circuit television.

2. During the operation of the surveillance system, all appropriate organizational and technical measures are taken for the privacy and security of the data as well as for their protection against any form of unlawful processing.

3. The company takes care with thoroughness

a) the security of the recorded material and the avoidance of its dissemination to non-legal recipients,

b) controlling access to the central control area, its storage area

recorded material and in any processing system (at the material level and

software),

c) avoiding reckless use of projection screens,

d) the secure transmission of the recorded events to the legal recipients (e.g. police authorities),

e) the continuous training of the staff in matters of personal data protection.

4. The company ensures the provision of sufficient information about the existence of closed circuit television, through clearly visible signs on which the purpose of the processing is indicated.

5. The company keeps the collected data for the period of time that is absolutely necessary in relation to the legal purpose of the processing.

6. The company is obliged to transmit to the competent judicial, prosecutorial and police authorities data that the latter legally request during the exercise of the

their duties.

7. The company is entitled to proceed with further processing of the personal data it has obtained from the closed circuit television insofar as these are evidence of a criminal act, (eg theft, consumption of coke) committed on its premises, in order to ensure the utilization them by the competent judicial, prosecutorial and police authorities, with identification of perpetrators and documentation of facts.

Automated decision making and profiling

The company does not make decisions based solely on automated personal data processing procedures.

Processing of personal data for marketing purposes (marketing)

The company may, after securing prior consent, process personal data in order to inform the interested public about its products and services. In any case, the right to object to the processing of personal data for the above purpose of direct commercial promotion of the company's products/services is granted, which is exercised by submitting a corresponding request to the company in writing.

Personal data retention time

The company keeps the collected personal data for as long as is provided for each case, by the applicable legislative and regulatory framework and in each case for a period of twenty (20) years.

Recipients of personal data

1. The employees of the company have access to personal data, strictly within the scope of their responsibilities, as well as the Management of the company for the proper execution and fulfillment of contractual and legal obligations and obligations, as well as the company's statutory auditors.

2. The company does not transmit or disclose its personal data to third parties, unless it is to fulfill legal obligations towards judicial/prosecuting authorities and public authorities.

Right of Access

The company provides, if requested by the subject of personal data, information regarding a) the purposes of the data processing, b) the potential recipients of the data (e.g. transmission of data of DOU employees in the context of the calculation of the payroll tax), c) with the period of time for which the personal data will be stored, d) with the existence of the right to submit a request for correction or deletion of personal data and e) with any other issue related to the processing of personal data that is essential - at the discretion of the company - for the exercise of the respective rights of the interested parties.

Right of Correction - Update

The company is obliged to correct any inaccurate personal data without undue delay, if a substantiated request is submitted. The same applies in the case of updating personal data.

Right to Erasure

1. The company is obliged to delete personal data without undue delay if one of the following reasons applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected, b) the data subject objects in the processing and there are no compelling and legal reasons for the processing, c) the personal data were inadvertently submitted to illegal processing.

2. As an exception, the company does not proceed with the deletion of the data to the extent that the processing is necessary: ​​a) to comply with a legal obligation arising from the legislation in force and requiring the processing or to fulfill a duty performed for the sake of the public interest and b) to establish, exercise or support legal claims.

Manner of Exercising Rights

Any request concerning personal data held by the company should be addressed in writing or by post to the address 11° thousand P.E.O. Thessaloniki - Kilkis. TK 57022 – PO Box: 1170 BI.PE.TH. Sindos, Thessaloniki, or by sending an email to the address info@venman.gr.

It is pointed out that the company uses "cookies" on its website in order to improve the electronic services provided. For details about cookies, information is provided on the company's website (https://old.venman.gr/politiki-cookie/).

Finally, the company, based on its current data protection policy and within the current legislative and regulatory framework, may revise or amend this security policy.

Data Access Request As long as you have any user account, you can apply automatic access in the data that it can have been saved for you on the website from the following page: https://old.venman.gr/data-access-request/ For anything that may be needed and related to issues protection of your personal information, please  contact us.

Changes to the Privacy Policy