“PROMETHEUS GAS SINGLE MEMBER SOCIETE ANONYME” with the distinctive title “Prometheus Gas S.A.” 209, Kifissias Avenue, 15124 Maroussi (VAT number 094320486 – Gen. Com. Reg. No. 000751501000)
Last Amended on 09.12.2020
- Field of Scope
- Categories & Types of Collected Personal Data
Collected Data: Declaration regarding the processing of Personal Data by Prometheus Gas (by its capacity as Data Controller and Processor – in accordance with the General Data Protection Regulation EU 679/2016)
Prometheus Gas Personal Data Processing Purposes
Information collected automatically when visiting and interacting in the Website
- Data Collection Points
- Transfer of Data to Third Parties
- Personal Data Retention Period
- Rights of the Data Subjects
- Data Processing by Prometheus Gas
- Cookies and other technologies
- Submission of Complaint – Appeal
1. Field of Scope
This privacy notice policy lays out the way by which the company “PROMETHEUS GAS SINGLE MEMBER SOCIETE ANONYME” (hereinafter referred to as “Prometheus Gas” and/or “Company”) collects, uses, processes, stores, manages and protects the personal data (hereinafter referred to as “Personal Data” or “PD”) of clients, suppliers, partners, sub contractors, candidate employees and website visitors, so as to meet the data protection standards of the Company and comply with the applicable law. Your Personal Data includes any information on paper or electronic means, which may lead, either directly or in combination with other ones, to your unique identification as an individual (e.g., name, VAT number, telephone numbers, etc.), according to the provisions of the General Data Protection Regulation (hereinafter “GDPR 2016/679”), of law 4624/2019, of the current Greek legislation as well as the decisions of the Hellenic Data Protection Authority (hereinafter “DPA”).
The Company undertakes to protect the privacy of all above visitors/clients/suppliers/candidate employees and of other Personal Data subjects and comply with the national and European Data Protection legislation currently in effect, implementing the key process principles of the GDPR 2016/679 (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability). The above apply without discrimination and to all processings we perform.
2. Categories & Types of Collected Personal Data
A. Candidate CV data evaluation process:
Full name and surname, telephone number, address, e-mail, date of birth, evaluation data (indicatively, character data, behavioral data, logic processing data), images (e.g. candidate’s photograph), nationality, education and training, working experience, criminal records.
B. Clients’ personal data obtained within the framework of their business relationship with the Company Full name and surname, telephone numbers, address, e-mail, VAT number, bank accounts, IBAN C. Suppliers’/Third party personal data obtained within the framework of their business relationship with the Company Full name and surname, telephone numbers, address, e-mail, VAT number, bank accounts, IBAN
D. Website visitors’ contact process
- Cookies: data subject’s consent settings, usage and preferences data, browser data
- Contact forms: full name and surname, e-mail, telephone
E. Visitors’ personal data (on premises) obtained through the use of entry-exit access control system
Full name and surname and capacity (work position)
Declaration regarding the Processing of Personal Data by Prometheus Gas (by its capacity as Data Controller and Processor – in accordance with the GDPR 2016/679)
Prometheus Gas Personal Data Processing Purposes
Prometheus GAS statutory purpose is, inter alia, the supply of natural gas including the purchase, use and resale of natural gas, performing in this context the full range of activities such as, indicatively, studies, research, assembly and construction work, the supply of necessary equipment, materials and assemblies that are necessary for the realization of the above purpose.
In addition, the Company may also lease real estate for domestic or professional use.
The legal basis for the processing of Personal Data in this context, is the performance of the relevant contract (purchase, use, resale of natural gas, provision of the above-mentioned services, leasing of real estate), the legitimate interest of the Company (indicatively, as regards the processing of Personal Data during the monitoring of access to premises/facilities, etc.) and in some cases the consent of data subjects (obtaining visitors’ data through the Website).
In some cases, the Company processes Personal Data of clients/suppliers etc. in compliance with legal obligations (such as in the case of informing authorities about payments to suppliers, clients, partners etc.).
In addition, the Company may collect Personal Data of candidate employees who are interested in working with the Company for the sole purpose of examining the possibility of a future collaboration – employment. The legal basis for the aforementioned data collection is the consent of the data subject who provides the necessary information.
Information automatically collected when visiting and interacting in the Website:
The Company’s Website uses the absolutely essential (necessary) cookies required to store user’s consent while browsing the Website as well as statistical analysis cookies that collect information about the user’s preferences and choices when browsing the Website, such as, indicatively, usage data and visitor choices.
For a full description of the cookies used and the type of data collected through them, please refer to section 8. Cookies and Other Technologies. Prometheus Gas does not manage, collect or process geolocation data, which are collected and processed exclusively by the companies providing operating systems for each device you use (in case of use of iOS-Apple Inc or in case of Android – Google Inc). Prometheus Gas does not have access to the positioning refresh rate of the GPS.
3. Data Collection Points
- Sole proprietorship businesses – clients (directly from the natural persons/data subjects) -B
- Sole proprietorship businesses – suppliers, outsourcers (directly from the natural persons/data subjects) -C
- Candidate employees -Α
- Access control system (entry – exit system) -Ε
- Website -D
- Third parties -Α, C
4. Transfer of Data to Third Parties
Prometheus Gas reserves the right to disclose the data subject’s Personal Data to any of its affiliate/subsidiary companies (parent company and its subsidiaries) or other third parties which in any case apply all appropriate technical, physical, legal and administrative measures to safeguard the Personal Data from loss, unfair use, amendment, unauthorised access and transmission pursuant to Article 32 of GDPR 2016/679, or to other third parties to the extent it is reasonably necessary for the purposes determined in this policy and in particular:
- Data subject’s Personal Data will be transferred to the departments of Prometheus Gas that are competent for the smooth and trouble-free sale of products, provision of services and customer services of the Company (within the framework of the evaluation and management of customer requests)
- Data subject’s Personal Data may be transmitted and become accessible by legal entities (partners, subcontractors, etc.) with which we have entered from time to time into contractual agreements for the purpose of fulfilling our Company’s statutory purpose on the basis of our legitimate interest. Our Company selects reliable providers and we try to set contractual restrictions on third parties who receive your Personal Data, in order to ensure their lawful use. However, we cannot guarantee that they will not use or disclose this Data without your permission. For this reason, we recommend that you carefully review the privacy practices of any third party providers / suppliers whose products or services you may purchase through our Website.
- In addition, our Website may contain links that lead to other websites of third parties, independent entities, such as telecommunications companies, content providers, transport service providers, payment service providers, etc. which are operated and maintained solely by them and which we do not control, as mentioned above, and therefore we bear absolutely no responsibility for their content, actions or policies. Please read the respective data privacy policies on the websites you visit carefully, as they may differ significantly from ours.
- Personal Data related to the invoicing processes may be transmitted and become accessible by bank institutions with which we cooperate in order to process our employees’ and suppliers’ payments, as well as to the competent state authorities in compliance with legal obligations. In particular, such third parties may be official state and supervisory bodies (e.g. law enforcement and prosecuting authorities, Cybercrime Unit, DPA, Hellenic Telecommunications and Post Commission, Independent Authority for Public Revenue, supervisory authorities etc.), in case we are called upon to comply with the law and prevent illegal actions against us and our clients (e.g. telecommunications fraud, insult, insult of personality, etc.).
- Data subject’s Personal Data may be disclosed to cloud hosting providers for the purpose of storing and safeguarding the Data with the appropriate technical and security measures.
- During all data transfers, we always take all appropriate measures so as to ensure that the transmitted data are the minimum required for the intended processing purpose and that the conditions for legitimate and lawful processing will always be met. Prometheus Gas’s partners and shareholders to whom the personal data may be transferred, have signed the necessary data processing agreements or have provided specific guarantees regarding the transfers of Personal Data by implementing in their agreements Standard Contractual Clauses (Model Clauses).
5. Personal Data Retention Period
The Personal Data retention period depends on the lawful basis of processing, as set out in detail below:
- In case the lawful basis for processing is the exercise of legitimate interest, the processing and retention of Personal Data is carried out for as long as it is considered necessary for the achievement of the intended statutory purpose of Prometheus Gas as well as until such additional time it is required for the limitation period of any related claims to expire.
- In case the Personal Data of the data subjects is provided under their own consent, such as in the case of candidate employee CV or through the use of the contact form on the Website, we shall retain their Data until the granted consent by the data subject has been withdrawn. In case the consent is withdrawn for any reason, we shall retain it for as long as it is required until the limitation period of any related claims expires.
- In case the lawful basis for processing is the performance of a contract, we shall retain your Data for as long as you retain the contractual relationship with Prometheus Gas, in hard copy and in electronic form, or we shall retain them for as long as it is required until the limitation period of any related claims (civil claims, tax claims etc.) expires.
- In case where the processing of the Personal Data is based on a legal obligation (Article 6 par. C of GDPR 2016/679), the Data retention period is set in accordance with the pertinent legislation and the limitation period for any inspections that may be performed by competent authorities. In any case, the exact retention periods for each individual Personal Data processing process are recorded in the Company’s Personal Data retention registry in compliance with the provisions of GDPR 2016/679. Additional information in relation to the exact data retention periods may be provided to you by requesting access in accordance with the procedure set out in this policy.
6. Rights of the Data Subjects
You may exercise, as the case may be, the rights deriving from the applicable Greek Legislation and the GDPR 2016/679 which are as follows: a. the right of information (article 13), b. the right of access (article 15), c. the right to rectification (article 16), d. the right to erasure “right to be forgotten” (article 17), e. the right to restriction of processing (article 18), f. the right to data portability (to receive your Personal Data in a structured and commonly used format – article 20 where applicable) and g. the right to object (article 21) which applies to certain data processing activities.
- These rights may be exercised only in cases where the Company acts as a data controller, and in particular: (a) the processing of Personal Data of prospective employees for the purpose of assessing the likelihood of possible professional cooperation; (b) the processing of Personal Data relating to pursuit of its intended statutory purposes; (c) processing of data of existing clients in the course of processing complaints / requests; (d) processing the data of suppliers/subcontractors for invoicing and assessing purposes; and (e) processing the Personal Data of Website visitors.
- These rights shall be exercised free of charge for you by sending a relevant letter to the Data Protection Officer (DPO) of Prometheus Gas: Latsoudis & Associates Law Firm, contact details: telephone no: 210-2205950, via e-mail: email@example.com and to the mailing address: 3, Akti Miaouli Str., PC 18535 Piraeus, Greece. Alternatively, you may also submit your request in writing, by sending it: – To the Complaints/Customer Service Department at Prometheus Gas S.A, 209, Kifissias Avenue, 15142, Maroussi of Attica – To the Company’s Data Protection Officer (DPO) Latsoudis & Associates Law Firm, contact details: telephone no: 210-2205950, email: firstname.lastname@example.org and to the mailing address: 3 Akti Miaouli Street, PC 18535, Piraeus, Greece,
- In case however that the aforementioned rights are exercised excessively and without good cause, thus causing us administrative burden, we may charge you with the cost related to the exercise of the respective right
- In case you exercise any of your rights, we will take all appropriate measures available for the satisfaction of your request within thirty (30) days from the proven receipt of the relevant request. We may either inform you on the acceptance of your request or on any objective grounds that hinder the processing of your request.
- Notwithstanding the above, you may at any time object to the processing of your Personal Data, by withdrawing your consent (article 7, par. 3 of the GDPR 679/2016) by sending a letter to the Data Protection Officer (DPO) of Prometheus Gas: Latsoudis & Associates Law Firm, email: email@example.com or to the mailing address: 3 Akti Miaouli Street, PC 18535, Piraeus. This right applies only in cases where the lawful basis for the data processing is the consent of the data subject.
7. Data Processing by Prometheus Gas
In some instances, our clients provide their business data, such as a customers’, suppliers’ or third parties’ data – which may contain Personal Data (who may refer to individuals or companies) – within the framework of the provision of our services. In such cases, Prometheus Gas shall operate as “processor” of the Personal Data, which are included in the said business data. Consequently, in those cases different provisions of the GDPR 679/2016 shall apply, with which we comply.
Additionally, Prometheus Gas applies throughout the data processing procedure, the appropriate technical, physical and administrative security measures for the protection and security of the Personal Data from loss, misuse, damage or modification, unauthorised access and disclosure, in compliance with article 32 of the GDPR 679/2016, in order to ensure the appropriate security level against those risks. Those include, among others, as the case may be: (a) the application of encryption protocols, (b) the ability to ensure confidentiality (article 90 of GDPR 679/2016), integrity, availability and resilience of processing systems and services on an ongoing basis, (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Moreover, Prometheus Gas takes measures so as to ensure that any physical person acting under the authority of the data controller or of the processor, who has access to Personal Data, shall not process those Data except under the instructions of the data controller and that it limits access to your personal information to authorised employees.
Indicative security measures applied by Prometheus Gas are as follows:
A. Organizational Measures
- Company DPO appointment
- Personnel organisation/management process – assignment of roles to all individuals involved in Personal Data processing activities
- Information systems management
- Personnel training on the protection of Personal Data, information provided to all employees regarding the Company’s policies/processes
- Monitoring of the data processors
- Setting up of a deletion/destruction of data and data storage means process
- Monitoring of Personal Data breach incidents
- Monitoring of controls/security measures
B. Technical Measures
- Access controls
- Backup data process
- Configuration of workstations (PCs)
- User log files, security incident logs
- Communications security
- Management and protection of portable data storage means
- Software and applications safeguards
- Modification controls
Γ. Physical Security Measures
- Physical access controls
- Environmental security – protection from natural disasters
- Document exposure to threats
- Protection of portable data storage means
8. Cookies & Other Technologies
- What are cookies and why does the Company use them: Cookies are small data files which, in the form of a very small text, often comprised of data and numbers, which is stored in the browser (Chrome, Mozilla Firefox etc) used by the user/client, allowing among other things the more efficient operation of the Website. Cookies do not in any way harm users’ computers or files stored on them. The information stored in cookies is used for identification purposes. This is how we manage to operate the Website efficiently.
- What cookies do we use? The cookies described below may be stored in your browser. You can view and manage the cookies in your browser (however mobile browsers may not offer this visibility). Among the different types of cookies available, the Company uses the following:
Technically necessary cookies: CookieConsent These cookies are essential for browsing the Website and for its operation, since it stores the Website visitor’s consent during the browsing. Data retention period: CookieConsent – 1 year, provider: prometheusgas.gr Statistical analysis cookies: _ga _gat _gid These cookies provide statistical data related to the use of websites and to the user preferences (usage data, request rate data etc.). Data retention period varies based on the type of cookie. Data retention period: _ga – 2 years, provider: prometheusgas.gr _gat- 1 day, provider: prometheusgas.gr _gid- 1 day, provider: prometheusgas.gr
- The technical necessary cookies are of primary importance for the proper operation of the Website, as they allow you to browse it and make use of its functions. These cookies do not reveal your identity. Without these cookies, we cannot effectively operate the Website.
- You may also refer to the webpage www.allaboutcookies.org/manage-cookies/index.html for all information related to the most frequently used browsers. Please be advised that, in case you opt to deactivate cookies, certain Website applications may not function as intended.
- The Website’s software is designed to ensure the highest level of security and trust. All information contained in requests submitted through the Website is equally secure and confidential. Only authorized employees who are appropriately trained in the handling of clients’ / visitors’ Personal Data will have access to such information and only when this is necessary for the purposes of servicing them or performing any relevant contractual obligations
9. Submission of Complaint – Appeal
- For any issue regarding the processing of your Personal Data, you may contact us via e-mail at firstname.lastname@example.org
- Moreover, you are always entitled to contact the Hellenic Data Protection Authority (DPA), which may accept the submission of relevant complaints in writing at its protocol in its offices at 1-3, Kifissias Street, Postal Code 115 23, Athens or by e-mail (email@example.com) in accordance with the instructions indicated on its website.
This policy may be renewed from time to time, due to amendments to the related legislation or change to the corporate structure of Prometheus Gas. Thereby, we encourage the clients and visitors to periodically visit this Website so as to be informed regarding recent information of Personal Date privacy practices. In any case, the clients / visitors may be informed via e-mail or a notice on our Website regarding any amendments to this policy.