Privacy Policy & GDPR Compliance

Scope of the Privacy Policy

The company under the name «ΚΑΣΤΡΙΝΟΣ ΒΑΣΙΛΕΙΟΣ ΤΟΥ ΔΗΜΗΤΡΙΟΥ», with headquarters at
ΣΚ.ΠΟΤΑΜΙΑΣ, ΘΑΣΟ, (hereinafter referred to as the “Company”), with this Privacy Policy aims
to inform users of this website «https://kastrinos-thassos.gr/» (hereinafter referred to as the “Website”)
about the way and purpose of processing their personal data. The Company, as Data Controller, collects and
processes personal data of the users of the Website, only if absolutely necessary, for explicit and legitimate
purposes, in accordance with the existing legislation on personal data protection.

Definitions

For the purposes of this Policy, the following terms shall have the following meanings:

• “Personal Data” means any information relating to an identified or identifiable natural
  person (“data subject”); an identifiable natural person is one whose identity can be verified, directly or
  indirectly, in particular by reference to an identifier such as a name, an identification number, location
  data, an online identifier or one or more factors specific to the physical, physiological, genetic,
  psychological, economic, cultural or social identity of that natural person;
• “Special categories of personal data”: personal data revealing racial or ethnic origin,
  political opinions, religious or philosophical beliefs or trade union membership, as well as the processing
  of genetic data, biometric data for the purpose of positive identification, data concerning health or data
  concerning the sex life of a natural person or sexual orientation.
• “Processing”: means any operation or set of operations which is performed, whether or not
  by automated means, on personal data or on sets of personal data, such as collection, recording,
  organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
  transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or
  destruction.
• “Controller” means the natural or legal person, public authority, agency or other body
  which alone or jointly with others determines the purposes and means of the processing of personal data;
  where the purposes and means of such processing are determined by Union or Member State law, the controller
  or the specific criteria for its appointment may be provided for by Union or Member State law.
• “Processor”: the natural or legal person, public authority, agency or other body which
  processes personal data on behalf of the controller.
• “Data Subject”: the natural person whose personal data are processed. In this particular
  case, the data subject of the processing is considered to be each user of our Website.
• “Consent” of the data subject: any freely given, specific, explicit and informed indication
  of the data subject’s wishes by which the data subject signifies his or her agreement, by a statement or by
  a clear affirmative action, to the processing of personal data concerning him or her.
• “Data Breach” means a breach of security leading to the accidental or unlawful destruction,
  loss, alteration, unauthorised disclosure or access of personal data transmitted, stored or otherwise
  processed.
• “Anonymisation”: the processing of personal data in such a way that the data can no longer
  be attributed to a specific data subject.
• “Pseudonymisation” means the processing of personal data in such a way that the data can no
  longer be attributed to a specific data subject without the use of supplementary information, provided that
  such supplementary information is kept separately and subject to technical and organisational measures to
  ensure that it cannot be attributed to an identified or identifiable natural person.
• “Existing legislation”: the respective national and EU legislation on personal data
  protection, in particular the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”), Law
  4624/2019 as well as the Decisions, Directives and Opinions of the Hellenic Data Protection Authority
  (hereinafter “Hellenic Data Protection Authority”).

General Principles of Personal Data Processing

The Company collects and processes the personal data of data subjects in accordance with the following processing
principles:

• Legitimacy, objectivity, transparency: The Company collects and processes these data
  lawfully, in a transparent manner in relation to the data subjects.
• Limitation of purpose: The Company processes personal data only for specified, explicit and
  legitimate purposes.
• Data minimization: The Company takes appropriate technical and organizational measures to
  ensure that the personal data processed are appropriate, relevant and limited to what is necessary for the
  purposes for which they are processed.
• Accuracy: The Company ensures that the personal data it maintains and processes is always
  accurate and up-to-date.
• Limitation of the storage period: The Company does not retain personal data for a period
  longer than the purposes for which they were collected and processed. However, it may retain it for a longer
  period if the processing of such data is necessary:
  • for compliance with a legal obligation requiring processing under a provision of law;
  • for the performance of a task carried out in the public interest;
  • for reasons of public interest;
  • for archiving purposes in the public interest, or for scientific or historical research purposes, or
    for statistical purposes, after appropriate technical and organisational measures, including
    pseudonymisation, have been taken, and only if these purposes cannot be served by anonymisation of
    the data;
  • for the establishment, exercise or maintenance of legal claims.
• Integrity and confidentiality: The Company ensures that the collection and processing of
  personal data is carried out in a secure manner, using appropriate technical and organizational means to
  protect it from any unauthorized or unlawful processing and accidental loss, destruction or damage.

Personal Data collected and processed through the website – Purpose of processing and lawful basis

Personal data collected through the contact form

Through the contact form, the user has the opportunity to contact the Company for any questions, clarifications,
complaints, etc. as well as to express interest in the services provided. In case the user wishes to use this
service, he/she should fill in the relevant fields such as name, telephone number, email, subject and the
relevant message.

Purpose of Processing and Lawful Basis

The purpose of the collection and processing of such personal data is the optimal communication and information
of the user with the Company. The legal basis for the processing of personal data is the user’s consent (GDPR
Article 6(1a)), which is provided by accepting this Privacy Policy before submitting the message. Such consent
may, in accordance with existing legislation, be withdrawn at any time, without affecting the lawfulness of the
processing until the moment of withdrawal.

Personal data collected through log data

Each time a user accesses the Company’s Website, personal data may be temporarily stored in a log file, such as
information about the browser and operating system used, the internet protocol address (IP address), the date
and time of the request on the server, the amount of data transferred and the resource requested.

Purpose of Processing and Lawful Basis

The purpose of collecting and processing such data is to provide the service for technical and security reasons.
These data are not personalised and are kept for a maximum of 6 months. IP addresses from which malicious
activity originates are permanently stored in the security system of the Website for security reasons and to
prevent further attacks. The legitimate basis for processing personal data is the legitimate interest of the
Company to improve and secure the services provided to the users of the Website [GDPR Article 6 §1 (f)].

Personal data collected from the use of cookies

When you browse our website, we may collect certain necessary information related to the traffic on the website
in question, such as the Internet Protocol (IP) address and the type of browser used by the user, etc. For more
information about the use of cookies on our Website, you can refer to (LINK) Cookies Policy.

Purpose of Processing and Lawful Basis

The purpose of the collection and processing of this data is to improve the functionality of the Website and the
services provided, as well as to analyze the traffic. The legal basis for processing personal data is the user’s
consent (GDPR Article 6(1a)), which is provided by accepting the cookies in question, with the exception of the
strictly necessary cookies that are permanently installed and are absolutely necessary for the operation of the
Website, for which the legal basis for processing is the legitimate interest of the Company (GDPR Article
6(1f)).

Personal Data of Minor Users

This Website is not addressed to minors and does not wish to collect and process personal data of minors (i.e.
persons under the age of 18). However, since it is impossible to cross-check and verify the age of the users of
our Website, we request the parents/guardians of minors, in case they find any unauthorized data disclosure on
behalf of minors, to immediately notify the Company, as to take the necessary protective measures (e.g. deletion
of their data). If the Company becomes aware that personal data of a minor have been collected, it undertakes to
delete them immediately and to take all necessary measures to protect such data.

Transfer of Personal Data

The Company may transfer the above personal data to third parties to whom it has entrusted the processing of
personal data on its behalf (such as service providers, website developers, etc.). In any case, the third
parties to which user data may be transmitted are contractually bound to the Company in order to ensure the
confidentiality obligation and all obligations provided for by the Existing Legislation. At the same time,
users’ personal data may be transmitted to public authorities, independent authorities, etc. (e.g. Police
Departments, Prosecutor’s Court, Tax, Customs Authorities, the DPAA, etc.) in the exercise of their duties on
their own initiative or at the request of a third party claiming a legitimate interest and in accordance with
the legal procedures.

In the event of the transfer of users’ personal data collected through this Website to a country outside the
European Union (EU) or the European Economic Area (EEA), the Company shall first check whether:

• The Commission has issued an adequacy decision for the third country to which the transfer is to be made.
• Appropriate safeguards are in place in accordance with the Regulation for the transfer of such data.

Otherwise, the transfer to a third country is prohibited and the Company will not transfer users’ personal data
to that country, unless one of the special exceptions provided by the Existing Legislation applies (e.g. the
express consent of the user and informing him/her about the risks involved in the transfer, the transfer is
necessary for the performance of a contract at the request of the subject, there are reasons of public interest,
it is necessary to support legal claims and vital interests of the user and so on).

Data Retention Period

The personal data of users collected are kept for a predetermined and limited period of time, depending on the
purpose of processing, after which the data are deleted from our files. Where processing is imposed as an
obligation by provisions of the applicable legal framework or a specific retention period is provided, your
personal data will be stored for as long as the relevant provisions require. Personal data of users collected
and processed for the performance of a contract will be kept for as long as necessary for the performance of the
contract and for the establishment, exercise, and/or support of legal claims based on the contract. Personal
data of users processed for marketing purposes with the consent of the users shall be kept until the consent is
withdrawn, without such withdrawal affecting the lawfulness of the processing carried out until then.

Security of Personal Data

Taking into account the latest developments, the cost of implementation and the nature, scope, context and
purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of
users from processing, the Company takes the necessary technical and organizational measures to protect the
personal data of users. Although no method of transmission over the Internet or method of electronic storage is
completely secure, the Company takes all necessary digital data security measures (antivirus, firewall, etc.).

Data Protection Officer (DPO)

In order to ensure adequate protection of personal data, the Company has appointed a Data Protection Officer to
whom data subjects may address their requests and questions regarding the protection of their personal data and
this Policy, at the following contact details: at dpo@kastrinos-thassos.gr or by telephone:
+30 6947404373.

Rights of Personal Data Subjects

The Company shall ensure that it is able to respond immediately to the requests of users for the exercise of
their rights in accordance with the existing legislation.

In particular, each user has the following rights:

• Request information on the processing of his/her personal data by the Company.
• Request access to his/her personal data held by the Company. More specifically, he/she may request to
  receive a copy of his/her personal data held and to check the lawfulness of the processing.
• To request the correction of his/her personal data in case of incorrect or incomplete registration by the
  Company.
• Request the deletion of his/her personal data if their retention is not based on any legitimate basis or
  legitimate interest.
• Request restriction of the processing of his/her personal data, under certain conditions.
• Request the portability/transmission of his/her personal data either to himself/herself or to third parties.
• To withdraw at any time the consent given for the processing of his/her personal data, without this
  withdrawal affecting the lawfulness of the processing up to that time.
• To object to the processing of his/her personal data by the Company.
• To oppose a decision concerning him or her taken solely on the basis of automated processing, including
  profiling.

To exercise your rights, you can contact the contact details of the Data Protection Officer. In the event of
exercising any of the above rights, the Company shall provide the data subject with information on the
processing operations upon the relevant request submitted within one (1) month from the receipt of the request
and the identification of the data subject. This period may be extended by two (2) more months, if necessary, if
the request is complex or there is a large number of requests. In this case, the Company shall, within one month
of receiving the request, inform the data subject of the delay and the reasons for it. Within the aforementioned
period, it shall also inform the data subject of any refusal to comply with all or part of the request submitted
and of the reasons for the refusal.

For any complaint regarding this Policy or personal data protection issues, if we do not satisfy your request,
you may contact the Hellenic Data Protection Authority www.dpa.gr, 1-3
Kifissias Street, P.O. Box 115 23, Athens.

Disclaimer for Third Party Websites

In the event that our Website contains links that redirect users to third party websites, we inform you that the
Company does not control or is not responsible for the content, actions or policies of these websites, nor for
the way in which they process the personal data of users.

Updates to the Privacy Policy

This Privacy Policy may be amended/revised in the future, in the context of the Company’s regulatory compliance
as well as the optimization and upgrading of our Website services. We therefore recommend that you refer to the
updated version of this Policy each time for your adequate information.

Second edition: 2024-09-02