PRIVACY POLICY PURSUANT TO ART. 13 OF REGULATION (EU) 679/2016 ON THE PROCESSING OF PERSONAL DATA (GDPR – General Data Protection Regulation)

 

This privacy policy is provided by ENEA – National Agency for New Technologies, Energy and Sustainable Economic Development pursuant to art. 13 of EU Regulation 2016/679 – General Data Protection Regulation, with respect to the processing of personal data provided through the website https://www.metrofood.gr  (hereinafter also “Website”).

 

1. IDENTITY AND CONTACT INFO OF THE DATA CONTROLLER

The Data Controller is ENEA – National Agency for New Technologies, Energy and Sustainable Economic Development, based atThessaloniki University campus 54124. You can contact the Data Controller by writing to the address above, or by sending an email to the following certified email address: metrofood18gr@gmail.com

2. CONTACT DETAILS OF THE DATA PROTECTION OFFICER (DPO)

The Data Protection Officer (DPO) for ENEA was appointed by Provision no. 34/2020/PRES of 6 February 2020. For communications relating exclusively to the processing of personal data, the DPO can be contacted at the following email address: uver.metrofood18gr@gmail.com

3. PURPOSES AND LEGAL BASES FOR THE PROCESSING

Users’ personal data are processed in order to:

• Reply to requests sent to email addresses on the website.
• Provide the services offered by ENEA and requested by the User (i.e. participation in courses, etc.).
• Fulfil legal or administrative obligations.

4. NATURE OF DATA PROVISION

The provision of personal data through registration forms and the sending of communications to the email addresses on the Website for requesting information is optional. However, in the event of failure to provide the requested data, ENEA will not be able to provide the User with services that may be requested.

5. TYPES OF DATA PROCESSED

5.1. Navigation data

During their normal operation, the computer systems and applications used to operate this Website acquire some data (whose transmission is implicit in the use of Internet communication protocols) that are not associated with directly identifiable users.

The data collected include IP addresses of the computers used by Users connecting to the website, the addresses in the Uniform Resource Identifier (URI) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.) and other parameters relating to the operating system and the user’s computer environment.

5.2. Data provided voluntarily by the User

Other personal data collected are those provided by the User by sending communications to the email addresses specified on the Website and when registering.

The optional, explicit and voluntary sending of non-compulsory personal data, including through the sending of emails to the addresses specified on this website, entails the subsequent acquisition thereof, the sender’s address necessary to respond to requests, as well as any other personal data included in the message.

6. PROCESSING METHOD AND STORAGE PERIOD

Personal data are processed using electronic tools in compliance with the provisions of art. 32 of the GDPR 2016/679 and the other regulations and specific Provisions of the Personal Data Protection Authority regarding security measures.

The Data Controller shall ensure that the personal data being processed are:

• Processed in a lawful, proper and transparent manner with respect to the Data Subject.
• Collected and recorded for specific, explicit and legitimate purposes, and used in other processing operations in that are terms compatible with these purposes, and in any case to the extent that the processing is necessary for the fulfilment of the aforementioned purposes (in this regard, the use of personal data and identifying data must be reduced to a minimum).
• Accurate, and updated if necessary.
• Pertinent, complete and not exceeding the purposes for which they are collected and subsequently processed.
• Stored in a form that allows their deletion, correction (as well as the consequent notification of any recipients to which the personal data subject to a request for correction or deletion have been disclosed), as well as the restriction or objection to their processing;
• Stored in a form that allows the identification of the data subject for a period of time not exceeding what is necessary for the purposes they were collected and subsequently processed for.

More specifically, browsing data shall be kept for the duration of the browsing session on the Websites, while personal data voluntarily provided by the User shall be kept for the time necessary to respond to the requests of the Data Subject, for the time necessary for the performance of the services requested through the Website and for the data retention times imposed by legal or regulatory obligations.

The sending of emails to the addresses specified on this Website entails the subsequent acquisition of the sender’s address, necessary to respond to the requests, as well as any other personal data included in the message.

The personal data provided by the Data Subjects who submit such requests are used only to perform the services envisaged or to respond to any questions and are disclosed to third parties only if necessary for such fulfilment.

ENEA adopts the necessary security measures envisaged by the GDPR to protect the data collected in order to prevent the risks of loss or theft of data, unauthorised access or illegal or improper uses.

7. CATEGORIES OF RECIPIENTS

For the purposes detailed in art. 3, Users’ personal data may be disclosed or made accessible to:

• ENEA employees and contractors in their capacity as persons authorised to process data pursuant to art. 29 GDPR.
• Any additional outsourced service providers on behalf of the Data Controller (e.g. IT service providers and/or postal services) as Data Processors.
• All parties whose right to access such data is recognised by regulatory or authoritative measures; to all natural and/or legal persons, public and/or private when necessary or functional to the performance of the services requested through the Website, in the ways and for the purposes illustrated above.

In no case will personal data be disclosed, disseminated, sold or otherwise transferred to third parties for unlawful purposes, and in any case without providing suitable information to the Data Subjects and obtaining their consent in advance, where required by law.

This without prejudice to any disclosure of data at the request of judicial or public security authorities, in the manner and in the cases envisaged by law. Personal data shall not be transferred abroad to countries or international organisations not belonging to the European Union that do not guarantee an adequate level of protection, recognised pursuant to art. 45 GDPR on the basis of an adequacy decision of the EU Commission. If for the provision of the services of the Website it is necessary to transfer personal data to countries or international organisations outside the EU for which the Commission has not adopted any adequacy decision pursuant to art. 45 GDPR, this will take place only in the presence of adequate guarantees provided by the recipient country or organisation pursuant to art. 46 GDPR and provided that the data subjects have actionable rights and effective remedies.

In the absence of an adequacy decision by the Commission pursuant to art. 45 GDPR or of adequate guarantees pursuant to art. 46 GDPR, including binding corporate rules, the cross-border transfer shall only take place if one of the conditions indicated in art. 49 GDPR occurs.

8. RIGHTS OF THE DATA SUBJECTS

Articles 15-22 of the Regulation grant the data subject the exercise of the following rights:

• Request confirmation of the existence or otherwise of one’s personal data (art. 15 par. 1).
• Obtain information about the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be disclosed, and when possible the storage period (art. 15 par.1 lett a, c).
• Have the data corrected or deleted (art. 16 and 17).
• Obtain the restriction of processing (art. 18).
• Obtain information from the Data Controller on the recipients which the personal data have been disclosed to and any corrections or deletions or restrictions on processing (art. 19).
• Obtain the portability of the data, i.e. receive them from a Data Controller in a structured, commonly used format that is readable by automatic devices, and transmit them to another data controller without impediment (art. 20).
• Object to an automated decision-making process relating to natural persons, including profiling (art. 21 and 22).
• If the processing is based on consent, be able to withdraw such consent at any time (art. 7, para. 3).

Data Subjects have the right to lodge a complaint with the Supervisory Authority pursuant to art. 77 of the Regulation, or to take appropriate legal action.

9. HOW TO EXERCISE YOUR RIGHTS

The above rights are exercised by submitting a request to the Data Controller by sending an email to metrofood18gr@gmail.com. The request can be made freely and without following any specific format by the Data Subject, who shall be entitled to receive an appropriate reply within a reasonable amount of time, depending on the circumstances of the case.

To exercise his/her rights, the Data Subject may use non-profit bodies, organisations or associations whose statutory objectives are in the public interest and which are engaged in the protection of Data Subjects’ rights and freedoms with regard to the protection of personal data, for this purpose giving them an appropriate mandate. The Data Subject may also be assisted by a trusted person.

You can receive more information on the purposes and methods of processing your personal data by writing to metrofood18gr@gmail.com and specifying “Privacy” in the subject.

To know your rights, lodge a complaint/report/appeal and to remain updated on the laws regarding the protection of individuals with regard to the processing of personal data, the Data Subject can contact the Personal Data Protection Authority, consulting the website at https://www.secdigital.gov.gr/politiki-aporritoy/ .