Personal Data Protection Policy

Information on the processing of personal data

The Company attributes great importance to the lawful processing, security and protection of your personal data, under any capacity that you collaborate with or contact us (such as, for example, as candidates or active citizens, associates, employees, suppliers, visitors to our website, or in general private citizens and third parties that collaborate with or contact the Company). As Controller of Personal Data, it undertakes the commitment to observe the rules for the protection of individuals’ rights and freedoms against the processing of personal data, in compliance with the General Data Protection Regulation 679/2016 (GDPR), current Greek legislation, and the decisions of the Greek Personal Data Protection Authority (PDPA). 
In this Data Protection Policy, the Company provides all the necessary information regarding the use and processing of your personal data, as well as about your rights as a data subject.

1. Who is our Data Processing Officer? 
You can contact him at the email address: dpo@redestos.gr

2. What are personal data, and which personal data does the Company collect? 
Personal data include any information, in print or electronic media, which may lead, on its own or in combination with other information, to the identification of a natural person. 
The Company, in the context of its activities and transactions, collects the following personal data: 
  • Your personal identification data, such as full name, address (or email address), tax identification number, phone number (mobile or land line), etc. 
  • Commercial and financial data, such as debit/credit information, professional information, bank account number, work address, information on previous transactions or commercial contracts/ agreements, etc. 
Processing of special categories of personal data: The Company does not collect or process, firstly, personal data related to your racial or national origin, political opinions, religious or philosophical beliefs, participation in trade unions, genetic or biometric data, for the purpose of identifying you as a data subject; and secondly, health data or data pertaining to your sex life or your sexual orientation. 

3. What is our legal basis for processing your data? 
The Company’s legal basis for collecting and processing your personal data is the following: 
  • in the context of a contractual relationship between us, provided the processing is necessary for the execution of the contract or before the contract’s conclusion, so that necessary measures may be adopted; or 
  • due to the Company’s legal obligation, as a Controller; or 
  • with your own explicit consent. This consent must be provided by you with a clear, positive action and must constitute the free, specific and explicit indication of your agreement to the processing of your personal data. Consent may constitute a written statement, also via electronic means, or an oral statement. Silence and inaction are not perceived by us to signal consent. 

4. For which purposes do we process your data? 
Based on our contractual relationship or the provisions of the law or your own explicit consent, we process your personal data for the following purposes: 
  • For the development, fulfillment, and execution of the contract concluded between us. For example, we mention communications with you to impart information or notifications related to our products or services for which the contract has been concluded or the processing of your data for the handling of invoicing and payments, as well as any processing that is necessary to fulfill and execute the contract. The Company may use your email address to send you notices of payment, to send you information regarding changes in our services, as well as other notifications and notices related to the Company’s scope of operations. In general, users cannot choose to opt out of these communications, which are not related to marketing, but are required within the framework of the relevant transactional relationship.
  • To provide you with support/service in regards to our Company’s services/projects/products. The Company may collect or process your information in order to answer your requests and questions, to resolve any eventual problems, to inform and answer your recommendations and comments for the improvement of our services, or in order to provide you with the best and fastest service during your next contact/transaction with our Company. Furthermore, the Company may invite you to participate in questionnaires and market research. These questionnaires and research will be generally designed in a way that the answers do not require personal data. Nevertheless, if you do input personal data in a questionnaire or research, the Company may use such personal data to improve its products and services. 
  • For reasons of ensuring the quality of our services or the Company’s internal operations, such as e.g. to prevent fraud and other criminal offences, for the physical safety and protection of persons and property (e.g. video surveillance), for the fulfillment of    the Company’s legal obligations that ensue from the current legislative and regulatory framework, for the management of the Company’s information systems and the improvement of safety procedures. 
  • For marketing purposes. This purpose includes the processing of your data for the mailing, through various media (email or SMS) of information regarding the Company’s services, new products, educational programs, actions and initiatives. In regards to forms of communication regarding marketing, the Company (i) where required, provides such information following consent (opt in), and (ii) provides the option to opt out if you no longer wish to receive notifications about the Company’s informational and promotional activities. 
According to a relevant provision and your consent, the Company may use your name, email and mailing addresses, phone number, professional title, and basic information regarding your work, as well as an interactive profile based on previous interactions, to keep you informed about the latest product and service releases, special offers, and other information regarding the Company’s services (including newsletters related to promotions), as well as the Company’s events, campaigns or collaborations, and in order for relevant content to appear on the Company’s websites. 

5. How long are your personal data stored for? 
The Company processes and uses your personal data based on the contractual relationship between us or according to your consent or as provided by law. Consequently, the Company shall store your personal data: 
(i) For the time period required to satisfy the purposes stipulated above, such as for example the completion of a contract or the solution of any eventual issues. Subsequently, the Company keeps your data for a specific period of time, as this is stipulated by law or by your consent. During this time period, you have the right to object to the use of your personal data and to request that your data be erased by the Company. 
By exception, the Company keeps your data if it has a lawful interest or lawful obligation to do so, or whenever your personal data is necessary in order for the Company to claim or defend itself against legal claims. 
(ii) In case processing of the data occurs with your consent, until you withdraw your consent. You have the right to withdraw your consent at any time. However, withdrawal of consent does not affect the legality of processing that was based on your consent before it was withdrawn. 
You may withdraw your consent that is granted hereby at any time, by cancelling the registration on the website, by sending an email to dpo@redestos.gr. If you withdraw your consent, the Company will no longer process personal data subject to this consent unless it is legally required to do so. If the Company is obligated to preserve your personal data for legal reasons, your personal data will not be subject to any further processing and will only be preserved for the time period required by law. Furthermore, if the use of one of the Company’s services or promotions requires your previous consent, the Company shall no longer, following your withdrawal, be able to provide you with that service or product. 

6. Why must I disclose my personal data? 
As a general principle, the granting of any consent and the disclosure of any personal data by dint of this document is entirely discretionary. In general, you will not suffer any harmful consequences should you choose not to grant your consent or not to disclose your personal data. However, there are circumstances in which the Company will not be able to proceed to specific actions if it does not have specific personal data, for example because such data is required for the provision of our services or for the fast and effective service of our customers or to access and receive the Company’s newsletter. 

7. How does the Company process my personal data? 
Our Company and its staff that is trained in matters of personal data processing observe the processing principles stipulated in the General Data Protection Regulation 679/2016 (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability). 
In any case, we adopt appropriate organizational and technical measures in order to ensure that your personal information is transferred, stored, and processed according to the appropriate safety standards and processes and according to the conditions of this Policy and current data protection legislation. At our Company, we employ well-trained and responsible staff and a Data Protection Officer, and we recognize the importance of protecting your privacy and all your personal information. For this purpose, we implement suitable security policies using appropriate technical and operational tools, such as firewalls, properly trained and authorized personnel, and we also conduct frequent internal compliance controls according to Regulation (EU) 679/2016. 

8. What are your rights when you provide us with your data? 
The Company pledges to keep your personal data confidential and to ensure that you can exercise your rights easily. You can contact us, at no cost, by emailing us at dpo@redestos.gr and citing the reason of your request and the right you wish to exercise. 
Specifically, regardless of the legal grounds based on which we process your data, you have the following rights: 
  1. To request access to and information about the data we keep on you (right of access). 
  2. To request that we rectify your data, so that it is true and accurate (right to rectification). 
  3. To request that we erase your data, subject to the Company’s obligations and legal rights as described above (right to erasure). 
  4. To request that we limit the processing of your data in any of the following cases: (i) you state that your personal data in the Company’s possession are incorrect (but only for as long as the Company needs to check the accuracy of said personal data); (ii) there is no legal basis for the processing of your personal data by the Company and it is required that it limit any further processing of your personal data; (iii) the Company no longer needs your personal data but claims that it must keep said data in order to claim or exercise legal rights or defend its rights against third party claims; or (iv) in case you object to the processing of your personal data by the Company, for as long as it takes for our Company to re-examine whether it has a prevailing interest or legal obligation to process your personal data (right to restriction of processing). 
  5. To request to receive the personal data you have provided to us in order to directly transmit them to some other legal person, without any hindrance from us (right to data portability). 
  6. To object to the processing of your personal data, when this is based on our legal interest. You may refuse the use of your personal data by the Company at any time by sending an email to dpo@redestos.gr. With this action, the Company shall stop using your personal data for the above purposes (i.e. according to the legal interest stipulated above) and shall erase them from its systems within a reasonable length of time, unless the Company is allowed to use said personal data for the purposes stipulated in this Privacy Policy or if it determines and proves a justifiable, urgent legal interest in order to continue processing your personal data (right to object). 
Right to file a complaint. If you believe that the Company is not processing your personal data according to the conditions stipulated herein or in the current EU legislation on personal data protection, you may at any time file a complaint with the data protection authorities of the EU country where you live or with the Greek Personal Data Protection Authority. Furthermore, a denial or unjustified delay by the Company in regards to the satisfaction of your requests when exercising your rights entitles you to seek recourse from the Greek Personal Data Protection Authority, as the competent supervising authority.  

9. Do we share your data with third parties? 
In order to fulfill the purposes cited in our Privacy Policy, it is necessary to allow access to your personal data to legal persons in our group of companies. 
Additionally and for the same reasons, we allow access to third parties that provide support for the services we offer you, and specifically: 
  • to suppliers of technology services; 
  • to suppliers of services related to customer service, marketing and sales. 

10. Changes to our Privacy Policy 
We may amend the information contained in this Data Protection Policy when we see fit. In this case, we will notify you in a variety of ways so that you may review the amendments, assess them, and even object or unsubscribe from a service or operation. In any case, we recommend that you review this Policy, which will always be posted on our website, from time to time. This website may contain links to third-party websites. 

​11. Disclaimer 
The Company is not liable for the data protection practices or the content of other websites that are not owned by it. 


Information on the processing of personal data through a video surveillance system

1. Data Controller – Data Protection Officer
REDESTOS SA – Spyros Avgerinos.
2. Purpose of processing and legal basis:
We use a surveillance system for the purpose of protecting people and goods. The processing is necessary for the purposes of legitimate interests pursued by us as controller (Article 6 para. 1. f GDPR).
3. Analysis of legitimate interests
Our legitimate interest consists in the need to protect our space and the goods located in it from illegal acts, such as theft. The same applies to the safety of life, physical integrity, health and property of our staff and third parties who are legally in the supervised area. We only collect image data and limit the surveillance to places where we have assessed that there is an increased likelihood of committing illegal acts e.g. theft, such as at the entrance, without focusing on areas where the privacy of the persons whose image is taken may be unduly restricted, including their right to respect for personal data.
4. Recipients
The material kept is accessible only by our competent / authorized personnel in charge of the security of the site and the Information Security Officer. Regarding the transmission of video surveillance material, the following applies and not what is mentioned in the General Data Protection Policy. In particular, this material is not transmitted to third parties, except in the following cases: a) to the competent judicial, prosecutorial and police authorities when it contains data necessary for the investigation of a criminal offence, which concerns persons or goods of the controller, b) to the competent judicial, prosecutorial and police authorities when they request data, lawfully, in the exercise of their duties, and (c) to the victim or offender of a criminal offence, in the case of data which may constitute evidence of the offence.
5. Retention period
We keep the data for fifteen (15) days, after which they are automatically deleted. In case we find an incident during this period, we isolate part of the video and keep it for up to one (1) more month, in order to investigate the incident and initiate legal proceedings to defend our legal interests or satisfy the rights of the subjects if they have requested it.
6. Rights of data subjects
Data subjects have the following rights:
• Right of access: you have the right to know if we are processing your image and, if so, to receive a copy of it.
• Right to restriction: you have the right to ask us to restrict processing, such as not to delete data that you consider necessary for the establishment, exercise or support of legal claims.
• Right to object: you have the right to object to the processing.
• Right to erasure: you have the right to request that we delete your data.


You can exercise your rights by sending an e-mail to dpo@redestos.gr or a letter to our postal address or by submitting the request to us in person, at the company's address. In order for us to review a request related to your image, you will need to tell us approximately when you were in range of the cameras and provide us with a picture of yourself, to facilitate us in locating your data and hiding the data of third parties depicted. Alternatively, we give you the opportunity to come to our facilities to show you the images in which you appear. We also point out that exercising the right to object or delete does not imply the immediate deletion of data or the modification of processing. In any case, we will respond to you in detail as soon as possible, within the deadlines set by the GDPR. For your information, the cameras focus only on outdoor areas and their positions in the facility are depicted on a diagram maintained by the Information Security Officer while the Data Protection Officer (DPO) also has access to it.
7. Right to lodge a complaint
If you consider that the processing of your data violates Regulation (EU) 2016/679, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Greece is the Data Protection Authority, Kifisias 1-3, 115 23, Athens, https://www.dpa.gr/, tel. 2106475600.