Company Name:	HELLENIC PETROLEUM PROVISION OF ELECTROMOBILITY SERVICES SINGLE MEMBER SOCIETE ANONYME
Gen. Commercial Registry No.:	155428801000
Headquarters:	Chimarras 8A, 15125-Maroussi

Company Name:

HELLENiQ ENERGY DIGITAL SINGLE MEMBER SOCIETE ANONYME

Distinctive Title: HELLENiQ ENERGY Digital

Gen. Commercial Registry No.:

161519601000

Headquarters:

Chimarras 8A, 15125-Maroussi

Company Name:

ATEN ENERGEIAKI ANONYMI ETAIREIA PARAGOGIS ILEKTRIKIS ENERGEIAS

Distinctive Title: ATEN ENERGY S.A.

Gen. Commercial Registry No.:

027076740000

Headquarters:

Chimarras 8Α, 15125-Maroussi

Company Name:

NTIAXON – PLASTIKA YLIKA SYSKEUASIAS MONOPROSOPI ANONYMI VIOMICHANIKI KAI EMPORIKI ETAIREIA

Distinctive Title: DIAXON Α.Β.Ε.Ε

Gen. Commercial Registry No.:

002661001000

Headquarters:

Gravias 4Α, 15125-Maroussi

Company Name:

ELLINIKA KAUSIMA ORYKTELAIA MONOPROSOPI ANONYMOS VIOMICHANIKI KAI EMPORIKI ETAIREIA

Distinctive Title: HELLENIC FUELS SA / EKO AVEE

Gen. Commercial Registry No.:

000248401000

Headquarters:

Chimarras 8A, 15125-Maroussi

Company Name:

HELLENiQ ENERGY CONSULTING Anonymi Etaireia

Distinctive Title HELLENiQ ENERGY CONSULTING A.E.

Gen. Commercial Registry No.:

6368701000

Headquarters:

Chimarras 8A, 15125-Maroussi

Company Name:

HELLENiQ RENEWABLES MONOPROSOPI ANONYMI ETAIREIA

Distinctive Title: HELLENiQ RENEWABLES

Gen. Commercial Registry No.:

007119101000

Headquarters:

Gravias 4Α, 15125-Maroussi

Company Name:	ELPET BALKANIKI S.A. VALKANIKI ANONYMOS ETAIREIA PETRELAIOU, EMPORIAS KAI EPENDYSEON
Gen. Commercial Registry No.:	003434101000
Headquarters:	Gravias 4Α, 15125-Maroussi

Company Name:	ENERGIAKI SERVION S.A.
Gen. Commercial Registry No.:	118445401000
Headquarters:	Gravias 4Α, 15125-Maroussi

Company Name:

HΕLLENIC PETROLEUM WEST PATRAIKOS EXPLORATION AND PRODUCTION OF HYDROCARBONS SINGLE MEMBER S.A.

Distinctive Title: HELPE PATRAIKOS

Gen. Commercial Registry No.:

133838901000

Headquarters:

Gravias 4Α, 15125, Maroussi

Company Name:	ΕNERGIAKI PILOU METHONIS S.A.
Gen. Commercial Registry No.:	007726301000
Headquarters:	Chimarras 8Α, 15125-Maroussi

Company Name:	Distinctive Title: HELLENiQ UPSTREAM S.A./ HELLENiQ UPSTREAM SINGLE MEMBER SOCIETE ANONYME / HELLENiQ UPSTREAM Α.Ε.
Gen. Commercial Registry No.:	135236701000
Headquarters:	Gravias 4Α, 15125, Maroussi

Company Name:

EPICHEIRISI PETRELAIAGOGOU THES/NIKI - SKOPIA - VARDAX ANONYMI ETAIRIA

Distinctive Title: VARDAX S.A.

Gen. Commercial Registry No.:

058928704000

Headquarters:

7^TH KM THESSALONIKI – VEROIA, THESSALONIKI, 57008

Company Name:	EGKATASTASEIS KAFSIMON ORGANISMOU TOPIKIS AFTODIOIKISIS KO AE
Gen. Commercial Registry No.:	071185720000
Headquarters:	Municipality of Kos

Company Name:

KALYPSO K.E.A. MONOPROSOPI ANONYMI ETAIREIA EMPORIAS PETRELAIOEIDON KAI LOIPON PROIONTON KAI PAROCHIS YPIRESION

Distinctive Title: KALYPSO K.E.A. A.E.

Gen. Commercial Registry No.:

0006327401000

Headquarters:

CHIMARRAS 8Α , 151 25 MAROUSSI

(Hereafter referred to as "We", the "Group", the "Company", the "Controller")

1. Objective

This notification describes our practices with regard to personal data processing, i.e. the collection, registration, organization, structure, storage, adaptation or alteration, retrieval, search, use, disclosure by transmission, dissemination or any other form of making available, association or combination, restriction, deletion or destruction of your personal data.

The Company reserves the right to modify and update this notice whenever it is deemed necessary, and the changes will take effect upon their notification to you, either by e-mail or by posting them on the Internet or by any other means the Company deems appropriate.

In the event that the terms of your cooperation with the Company are governed by more specific terms regarding personal data protection, these terms will apply in conjunction with these present terms. In the event of any conflict between the two, the specific terms of use concerning each specific service will prevail.

2. Collected Data

During the procedures concerning the Company’s selection of suppliers and associates as well as in the context of the Company's cooperation with them, the Company collects personal data about its partners, legal representatives, employees, subcontractors, partners’ contact persons - its agents, any authorized representatives, agents, and other persons with whom the Company comes into contact, or persons who may have access to and / or provide work / services on the Company’s premises during the cooperation. If you belong to any of the above, depending on the specific circumstances and the applicable legal provisions, the Company may collect all or some of the following information about you:

Name and surname
Age
Contact information
Training information
Work experience
Curriculum vitae
Copies of identification documents, Tax Identification Number and other information related to the fulfillment of tax and other administrative obligations
Information regarding truck vehicles used for the transportation of the Company's products (driver's license number, driver's ADR, vehicle registration, insurance policy - ADR - Volumetric - Tank inspection)
Bank account details
Details of your contractual relationship or your cooperation with the Company and details about fees
Details that are submitted in the context of tender procedures, evaluation procedures or outsourced assignments to suppliers
Information about your hours worked at the Company and the licenses granted to you if you provide a service or perform work at the Company's premises for one of the Company’s partners or suppliers
Health related data in the event that you are involved in an accident at the Company's premises when providing your services, or if it is necessary to certify your suitability for the provision of these services in the context of our cooperation
Upon entering the company’s premises or/ and at the loading point, data is collected (i.e. ID number, passport number) as well as the date and time of the entry and exit. An entry card is also issued through which your movements are recorded on our premises
Additional information you share with us (i.e. third-party letters of recommendation, curriculum vitae)

Some of the above details are necessary in order for us to fulfill our contractual obligations that we have towards you. For example, your Tax ID is required by Law. Other data are required to ensure for the smooth operation of our contractual relationship or overall cooperation. Depending on the type of personal data and the basis on which we rely on the processing of that data, if you refuse to provide us with this data, we may not be able to fulfill our contractual obligations or cooperate and in some extreme cases it may not be possible to continue working together.

3. Sources of data collection

Your personal data is mainly collected:

From you

The Company needs to know certain information about you in the context of our co-operation in order to fulfill its contractual obligations towards you, as well as its obligations towards third parties. There are a number of ways you share information with us, including:

Filling in various company forms
Exchanging business cards
Identity information (e.g. ID number, passport number) as well as the date and time of your entry and exit upon entry (and exit) at the Company's premises
Via phone
Through documents you send to the Company
Through electronic communication (e-mail, website)

From other sources

We also receive personal data about you from other sources. These sources include third parties with whom you have previously collaborated who have recommended you to the Company, the limited liability company risk checking system company - TERESIAS S.A., ICAP, public sources (Government Gazette, GEMI, Industry Guides) where there is public information regarding your professional activity.

Automatically received personal data

Your automatically collected personal data includes:

Audiovisual material (including date and time) entering an area where a CCTV system operates.
Dates and hours of access to the Company's facilities using personalized magnetic cards.

4. The Objectives of the Processing

The Company collects and processes your personal data, listed above, for the following purposes:

• to fulfill our contractual obligations and to work smoothly with one another

• to manage the risks of the business

• for tax purposes, for pricing and proof of the provision of services

• to protect the Company's property (facilities, infrastructure, equipment, etc.)

The Company collects and processes its affiliates’ personal data solely for the aforementioned purposes and only to the extent strictly necessary to effectively serve those purposes. These data are always concise, relevant and not more than required for the purposes as set out above are accurate and, where appropriate, are subject to consultation.

5. Legal Basis

There are several ways in which the Company lawfully processes its affiliates’ personal data; each processing performed by the Company is in accordance with at least one of the following legal bases:

Processing is necessary if the Company is to fulfill its contractual obligations

In order to be able to fulfill its contractual obligations of the Company vis-à-vis you and to monitor the fulfillment of the contractual obligations of its associates, the Legal Basis on which the Company lawfully processes the data of its associates is Article 6, 1 (b) of the GDPR, where it is foreseen that the Company may process data if "processing is necessary for the performance of a contract to which the data subject is a party".

Processing is necessary in order for the Company to comply with its legal obligations

Apart from its contractual obligations, the Company also has to comply with various obligations arising from the current legal framework. In accordance with Article 6 (1) (c) of the GDPR, the Company may process personal data when the processing is "necessary if it is to comply with its legal obligation".

Processing is necessary for the Company to serve its legitimate interests

Pursuant to Article 6 (1) (f) of the GDPR, the Company may process personal data when such processing is "necessary for the purposes of the legitimate interests pursued by the Company unless such interests prevail over those interests or the fundamental rights and freedoms of data subjects that impose the protection of personal data".

The following cases are a non-exhaustive reference to the legitimate interests pursued in order to successfully achieve corporate objectives:

defending the security and protection of the Company's associates,
protecting the Company's property and the documentation, securing and enforcement of the Company's legal claims against third parties for damages to its property,
improving the quality of the Company's collaborations and provision of services and the Company’s unimpeded and effective communication and interaction with its partners,
monitoring compliance with the Company's practices and procedures, and
the foundation, exercise or support of the Company’s legal claims.

You give us your consent to process your personal data

In extremely limited cases, we may seek for your consent with a positive action (opt-in) before we can make specific edits to your data. For example, we may ask for your consent to promote your information to third parties who may be interested in the services you provide or to publish your information in corporate forms.

6. Retention period

The Company will maintain personal data in accordance with the applicable law and only for as long as it is required to fulfil the purposes as set forth in Sections 4 and 5 or for the time period required by law or for the purposes of the Company defending itself against possible legal action from those in the pursuit of claims against it.

7. Information Security

How the Company processes personal data is conducted in a way that ensures its confidentiality. In particular, it is carried out solely by authorized Company personnel while all appropriate organizational and technical measures are taken to ensure data security as well as to protect data from any accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, or any other form of unfair processing.

8. Data transfer to Third Parties

The Company does not in any way transfer the personal data of its affiliates nor does it interconnect its files for any financial or other consideration with any third party private enterprises, natural or legal persons, public authorities or services or other organizations.

The Company may provide access or forward the personal data of its affiliates and suppliers to:

Third-party service providers who perform various functions (including security and insurance services) and external consultants, associates, lawyers, accountants, auditors, as well as technical and support service providers and IT consultants on behalf of the Company.

Financial institutions: We may exchange data with financial institutions/banks where you hold a bank account in order to process payments.

Other Group companies in the context of centralized procurement management via the Group's competent supply department.

The processing of your personal data by our above-mentioned affiliates is under our control and is conducted only at our command and is subject to the same privacy policy or a policy providing, the same level of protection (at the least).

Furthermore, the Company transfers your data under its regulatory obligations to:

Tax, Audit and other Public Authorities when we believe in good faith that the Law or other regulatory act obliges us to provide access or forward such data.

Competent law enforcement authorities: We may disclose your data to the Police and other competent law enforcement authorities or administrative authorities, if required by the law or by any other lawful enforceable act or order.

Any data transfer to third countries outside the European Economic Area (i.e. outside the EU Member States, Norway, Iceland and Liechtenstein) will only be made in compliance with the data protection legislative framework and only when adequate safeguards are in place to protect your data.

If the Company is merged or acquired by another company in the future, your personal data may be disclosed as part of the merger or the acquisition of the Company.

9. About Your Rights

One of the basic principles of the GDPR is to protect the rights of individuals with regard to the processing of their personal data. In this context, you have a set of rights with respect to your personal data that is processed by the Company. Particularly you have the:

Right to information/communication: You have the right to request and receive clear, transparent and easily understandable information about how we process your personal data.
Right of access: You have the right to access your personal data that the Company keeps for you. We may be asked to provide you with additional information to process your request, but as long as we provide you with access to the information we hold for you, this will be done without any financial charge, except in the following cases where there may be a reasonable charge to cover any administrative expenses of the Company and/or the Group. These include:
- manifestly unjustified or excessive / repeated requests, or
- where additional copies of the same information are requested.

If we have a legitimate right to deny your request, we will inform you of the specific reasons for this refusal.

Right to rectification: You have the right to request the correction of your personal data if it is inaccurate or incomplete.
Right to Deletion: You have the right to request the deletion or removal of your personal data when it is no longer necessary for the purposes it was collected for or there is no legitimate reason to continue processing it. The right of deletion is not absolute, to the extent that there is a particular legal obligation or other legitimate reason for the maintenance of your personal data by the Company and / or the Group.
Right to limit the processing: In some cases, you have the right to limit or restrict any further processing of your personal data. In practice, this means that we can store your data, but we will not be able to process it further unless processing is with your consent, or such processing is necessary either for the foundation, exercise or defense of the legitimate claims of the Company, either for the protection of the rights of another person or for reasons of public interest.
Data portability right: You have the right to request your personal data be forwarded to other controllers. In practice this means that you can transfer the information we hold for you to any third party. In order to serve this right, we will provide you with data in a structured, commonly used and machine readable format so that you can transfer your data to another controller. Alternatively, we can send the data directly for you. The right to portability applies to (a) data we process automatically (i.e. without any human intervention), (b) personal data provided by you, and (c) personal data processed as a result of your consent, or processing that is necessary for the performance of a contract.
Right of objection: You may object to the processing of your personal data, especially when the processing is performed for the purposes of fulfilling the Company’s legitimate interests. If the processing is conducted for the purpose of the Company servicing its legitimate interests, the Company will comply with your objection and will cease such processing unless the Company can demonstrate overriding and legitimate reasons for processing overriding your interests, rights and freedoms or that the processing is conducted to establish, exercise or support the Company’s legal claims. Therefore, if the processing is, to a considerable extent, a legal basis for the performance of contractual obligations, the exercise of those rights may affect the fulfillment of the obligations arising from our contractual relationship or in extreme cases it may make it impossible for us to continue our cooperation.

10. Withdrawing consent

We inform you of the existence of your right to withdraw your consent at any time, without prejudice to the lawfulness of the consent-based processing prior to its revocation, via e-mail to: DPO@helleniq.gr

11. Submitting a complaint

For further information and advice on your rights or to lodge a complaint, please contact the Data Protection Authority, tel: + 30-210 6475600, website: http://www.dpa.gr

You can contact the Personal Data Protection Authority in the following ways:

Postal Address: Personal Data Protection Authority, Offices: 1-3 Kifissias, 115 23, Athens

Call Center: + 30-210 6475600

Fax: + 30-210 6475628

E-mail: contact@dpa.gr

12. Contact details for the Data Protection Officer

Telephone:	+30 210 6302252
e-mail:	DPO@helleniq.gr

Do you have any further questions? Contact us

If you have any questions about this Notice, please contact us by e-mail or telephone using the details of the Personal Data Officer provided above.

Definitions

“General Data Protection Regulation ("GDPR")” - the European Union regulation aimed at harmonizing European legislation on the protection of personal data. The regulation will apply from 25 May 2018, and any reference thereto shall be construed to include national implementing legislation.

“Personal data” means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is someone whose identity can be ascertained, directly or indirectly, in particular by reference to an identifying identifier such as a name, ID number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that person.

“Sensitive personal data” means personal data which contain information on racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, physical and mental health, genetic and biometric data, data relating to gender or sexual orientation, and information on criminal convictions and offenses. Because of the nature of sensitive personal data, the legislation is much more rigorous about how these data should be processed. The Company processes sensitive personal data only in accordance with the law.

"Affiliates": Natural persons or legal entities with whom the Company may maintain any business relationship or contractual relationship or partnership.

"Processing" means any act or set of operations carried out with or without the use of automated means on personal data or personal data sets, such as the collection, registration, organization, structuring, storage, adaptation or change, retrieval, retrieval of information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, erasure or destruction.

“Controller” means a natural or legal person, a public authority, a service or another body which, alone or jointly with others, defines the purposes and the manner in which personal data are processed; when the purposes and manner of processing the law of the Union or the law of a Member State, the controller or the specific criteria for his appointment may be provided for by Union law or the law of a Member State.

“Limitation of processing” means the labeling of stored personal data in order to limit its processing in the future.

“Violation of personal data” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.

PRIVACY NOTICE FOR ASSOCIATES AND SUPPLIERS

THE COMPANY

CORPORATE RESPONSIBILITY

HEALTH, SAFETY & ENVIRONMENT

MEDIA CENTER

HUMAN RESOURCES