This Notification applies to all natural and/or legal persons who place an order on the online sales store (the “online store”) of the website www.hau.gr (the “Website”), in order to purchase the Products displayed therein (the “data subjects” or “you”). In this Notification “we”/ “us” refers to the Hellenic American Union (22 Massalias Street, 10680 Athens), who is the controller of your personal data. Terms used in this Notification with an initial capital letter have the meaning attributed to them in the Terms of Sale. Pursuant to the application of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), we inform you of the following:
1. Types of personal data collected and processed
The data that we process may include: (a) personal information (e.g. surname, first name, phone number (home/ mobile), delivery address details of your order (address, city, postal code, country), email address); (b) information relating to your capacity (e.g. job position, phone number, corporate email address (in the case of a legal person)); (c) financial data relating to the payment of Products, such as credit/debit or prepaid card details and payment history as well as the issuance of a tax document (invoice), such as Tax Identification Number and Tax Office, following your request for such issuance; and (d) data relating to the order history you have submitted through the online store and the purchase history you have made through it. Where the data subject does not provide the above data or part thereof, it will not be possible for him or her to complete the order request and consequently to receive the relevant Products.
2. Source of data
The source of the data, as the case may be, is the natural person himself/ herself disclosing his/ her data in the context of submitting his/ her order through the online store or a third party who makes the relevant entry. To the extent that the persons mentioned above transmit third party personal data to the Hellenic American Union, they shall be responsible for complying with the applicable provisions of the data protection legislation. In this context, they may need to obtain the data subjects’ consent before transmitting data to the Hellenic American Union and the subsequent processing thereof under this Notification.
3. Purpose and legal basis of processing data
Depending on the case, we may process personal data: (a) to complete and execute the sale of Products through the online store, to inform you about the progress/ status of your order and any return of Products, as well as to monitor payments and manage complaints related to the Products. For such data processing, the legal basis shall be the performance of the relevant contract (sales contract) concluded with the Hellenic American Union and compliance with a legal obligation of the Hellenic American Union. (b) To safeguard the interests of the Hellenic American Union. For such data processing, the legal basis is that processing is necessary for the purposes of the legitimate interests pursued by the Hellenic American Union which override the interest, fundamental rights and freedoms of the data subject which require the protection of personal data (e.g. for the establishment, exercise, or support of legal claims). (c) To send marketing material via electronic mail. It should be noted that the Hellenic American Union is entitled to use the data subjects’ electronic mail contact details, lawfully obtained in the context of the provision of its services or any other transaction, for the direct promotion of similar services or for the furtherance of similar purposes, even where data subjects have not given their prior consent, provided that they are given, when contact details are collected, as well as with every message, a clear and transparent option to object, easily and free of charge, to the collection and use of their electronic data. For such processing of data, the legal basis is that processing is necessary for the purposes of the legitimate interests pursued by the Hellenic American Union (i.e. the legitimate interests relating to the promotion of its services), which override the interest, fundamental rights and freedoms of the data subject which require the protection of personal data.
For all of the above purposes, the Hellenic American Union does not proceed with automated decision-making, including profiling of the data subjects.
4. Recipients of data
As the case may be and depending on the purpose of processing, personal data may be transmitted to authorized employees of each department/ service of the Hellenic American Union, to companies associated with the Hellenic American Union with which the Hellenic American Union has a relevant contract and which process the data on its behalf (e.g. IT companies, IT service providers, etc.), within their competencies and subject to the obligation of confidentiality, secrecy, and compliance with the data protection legislation. In addition, the Hellenic American Union may transmit personal data to third parties where so required by law, or for the purposes of, or in connection with legal proceedings in which it participates, or otherwise for the purposes of supporting, exercising, or defending its rights, or to third parties that are law enforcement authorities and have submitted a lawful transmission request, or where it considers that transmission is necessary in connection with an investigation into the suspicion or existence of any illegal activity. Personal data shall not be transmitted outside the European Economic Area.
5. Data retention time
The above data will be retained for a period of time as required or allowed by the legislation/regulatory framework in force each time, taking into account the applicable prescription period, which may extend to up to 20 years. Specifically: (a) where processing is carried out under a relevant contract, the personal data shall be stored for as long as necessary for the performance of the contract and for the establishment, exercise and/or support of any legal claims of the Hellenic American Union arising from that contract; and (b) where the processing is imposed as an obligation by provisions stemming from the applicable legal framework, personal data shall be stored for as long as the relevant provisions so require.
6. Data subjects’ rights
The data subject shall have the following rights under the GDPR: (a) to receive a copy of the personal data held by the Hellenic American Union, together with other information on how data is processed; (b) to request that personal data concerning him or her be rectified and, under conditions, to request the deletion or restriction of processing, or to object to the processing of personal data; (c) to receive a copy or to request the transmission of a copy of his or her personal data to a third party in a structured, commonly used and machine-readable format (right to data portability). Where the processing of data is based on his or her consent, the data subject shall have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. If the data subject wishes to receive further information about the processing of his or her personal data or to exercise any of the aforementioned rights, he or she must email the Hellenic American Union’s Data Protection Officer at: privacy@hau.gr, or send a letter to the mailing address mentioned above. Finally, the data subject has the right to file a complaint with the competent supervisory authority about how the Hellenic American Union handles his or her data (www.dpa.gr).