PERSONAL DATA MANAGEMENT SECURITY POLICY

VENMAN , based at the 11^th kilometer of the Old National Road Thessaloniki-Kilkis, is responsible for the processing of personal data in the context of the contractual and transactional relationships it creates to achieve its corporate purposes.

In order to maintain an undisturbed high level of protection during the processing of personal data and to facilitate the effective exercise of the rights and freedoms recognized by Regulation 2016/679, the company codifies the applicable security policy so that it is directly accessible to data subjects.

Principles governing data processing

1. The collection and processing of personal data by the company

(a) takes place with due regard for legality, objectivity and transparency;

(b) is carried out for specified and legitimate purposes, and the data are not further processed except where strictly legitimate to do so;

c) is carried out in strict compliance with the principles of proportionality and data minimisation, so that the measure strictly necessary to serve the explicit, legitimate and legitimate purposes pursued by the processing is never exceeded,

d) is carried out with constant care to ensure the accuracy of the data, as well as their updating, while all necessary measures are taken for the immediate deletion or correction of those data which are inaccurate, in relation to the purposes of the processing, and

(e) it is achieved in a manner that guarantees appropriate security of personal data, based on the principles of integrity and confidentiality.

2. In order to achieve the above principles, the company uses the appropriate techniques

organizational measures to protect the personal information it collects and processes, regardless of whether it is incorporated into a physical or electronic file. The measures it uses are designed to provide a level of security appropriate to the risk of processing personal data.

Collection and Processing of Personal Data

1. The company processes personal data, which have been submitted or will be submitted to it and which are necessary for the commencement, maintenance and execution of existing or future business and contractual relations. The responsibility for the completeness, accuracy and updating of the data, where required, lies solely with the data subject. In any case, the company reserves the right to request an update of the data it keeps, especially when this is deemed necessary for the smooth continuation of trading relations, as well as for the fulfillment of obligations arising from the Law.

2. The company also processes personal data received or brought to its knowledge by a third natural or legal person or public body and which are necessary either for the achievement of its legitimate interests or a third party, or for the fulfillment of its duties performed in the public interest (e.g. tax authorities and social security institutions).

3. The company may also process data collected from third-party publicly accessible sources (e.g. Land Registries / Land Registry, commercial registers, internet) if such data are necessary for the purposes of processing and for the satisfaction of its legitimate interests and claims.

4. The company does not process personal data, such as data related to racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data for the purpose of identification as a data subject, as well as health data or data concerning sex life or sexual orientation unless: a) the consent of the data subject has been explicitly given for a specific purpose, b) these data have been disclosed to the Company by the subject or a third natural or legal person in the context of documenting and safeguarding his/her legitimate interests and/or the Company as a controller (e.g. information on the position of the subject under legal guardianship), (c) the data have been made public by the data subject; d) processing is necessary for reasons of substantial public interest (investigation of a criminal act). It is noted that the company has in any case taken all necessary technical and organizational measures for the safe keeping and processing of personal data belonging to the above special categories.

5. The company does not collect or process personal data of minors, unless the prior consent of the parents or those exercising parental responsibility has been provided.

Lawfulness of processing of personal data

The company lawfully processes personal data if the processing:

a) It is necessary for the service, support and monitoring of its general trading relations and the proper execution of the contracts it has concluded.

b) It is necessary for the compliance of the company with its legal obligation or for the pursuit of its legitimate interests and claims

c) It is necessary for the fulfillment of its duty, which is carried out in the public interest, within the framework of the applicable legislative and regulatory framework.

d) It is based on the prior express consent of the personal data subject.

Withdrawal of consent

When the prior consent of the data subject is a prerequisite for the permissibility of processing, any revocation does not affect the lawfulness of the processing based on it, until the notification of the withdrawal to the company. For the validity of the notification, the revocation should be made in writing to the company.

Purposes of processing personal data

The processing of personal data concerns:

a) servicing, supporting and monitoring the trading relations with the Company, the proper execution of existing or future contracts,

b) the fulfillment of the Company’s obligations as controller or processor,

c) the exercise of the legal and contractual rights of the company,

d) carrying out controls provided for by the current legislative framework;

e) the registration, recording and archiving of all kinds of information lawfully collected by the company,

f) the upgrading of the products and services provided by the company and the advertising and promotion of products and services of the company and of the enterprises cooperating with the Bank, subject to the prior consent of the subject of personal data,

g) the satisfaction of any kind of requests addressed to the Company or the examination of complaints regarding products and services offered by the Company,

h) the fulfillment of legal obligations of the company, arising from the current legislative framework,

i) the protection of the Company’s legitimate interests, indicatively related to: 1) asserting its legal claims before the competent judicial authorities or other out-of-court/alternative dispute resolution bodies, 2) the prevention of fraud and other criminal offences; 3) the evaluation and optimization of security procedures and information systems, 4) physical security and protection of persons and property (e.g. video surveillance).

How Data Processing

The company is committed that the collection and processing of personal data is done in full compliance with legality. In particular, processing is lawful only if at least one of the following conditions applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specified purposes,

(b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract,

c) processing is necessary for compliance with a legal obligation of the company,

(d) processing is necessary to safeguard the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest,

f) processing is necessary for the purposes of the legitimate interests pursued by the Company.

Use of Security Cameras

1. In order to safeguard the protection of the life and physical integrity of the personnel, as well as the safety of the facilities, the company uses technical means of surveillance, in particular closed circuit television.

2. During the operation of the surveillance system, all appropriate organisational and technical measures shall be taken to ensure the confidentiality and security of data and to protect them against any unlawful form of processing.

3. The company takes meticulous care

(a) the security of the recorded material and the prevention of its dissemination to unlawful recipients,

(b) control of access to the central control room, its storage area,

recorded material and any processing system (at material level, and

software),

(c) avoiding the imprudent use of projection screens,

d) the secure transmission of recorded incidents to legitimate recipients (e.g. police authorities),

e) the continuous training of staff on personal data protection issues.

4. The company ensures that adequate information is provided on the existence of closed circuit television, through clearly visible signs indicating the purpose of processing.

5. The company retains the collected data for the time strictly necessary in relation to the legitimate purpose of processing.

6. The company is obliged to transmit to the competent judicial, prosecuting and police authorities data that the latter lawfully request in the exercise of

their duties.

7. The company is entitled to further process the personal data it has obtained from closed circuit television to the extent that they constitute evidence of a criminal offence (eg theft, damage, etc.) committed in its premises, in order to ensure their use by the competent judicial, prosecutorial and police authorities, with identification of perpetrators and documentation of facts.

Automated decision-making and profiling

The company does not make decisions based solely on automated processes of processing personal data.

Επεξεργασία δεδομένων προσωπικού χαρακτήρα για σκοπούς εμπορικούς προώθησης (marketing)

The company may, subject to obtaining prior consent, process personal data in order to inform the interested public about its products and services. In any case, the right to object to the processing of personal data for the above purpose of direct marketing of products / services of the company is provided, exercised by submitting a written request to the company.

Personal data retention period

The company retains the collected personal data for as long as it is provided for in each case, by the applicable legislative and regulatory framework and in any case for a period of twenty (20) years.

Recipients of personal data

1. Access to personal data is granted to the company’s employees, strictly within the scope of their responsibilities, as well as to the company’s Management for the proper execution and fulfillment of contractual and legal and obligations, as well as to the company’s statutory auditors from time to time.

2. The company does not transmit or disclose its personal data to third parties, except for the fulfillment of legal obligations towards judicial/prosecutorial authorities and public authorities.

Right of Access

The company provides, upon request by the subject of personal data, information on a) the purposes of data processing, b) any recipients of the data (eg transmission of data of employees of the Tax Office in the context of payroll tax calculation), c) the period for which the personal data will be stored, d) the existence of the right to request correction or deletion of personal data and e) any another issue related to the processing of personal data and is essential – at the discretion of the Company – for the exercise of the respective rights of the interested parties.

Right to Rectification – Update

The company is obliged to correct any inaccurate personal data without undue delay, if a substantiated request is submitted. The same applies in the case of updating personal data.

Right to erasure

1. The company is obliged to delete personal data without undue delay if one of the following reasons applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected; (b) the data subject objects to the processing and there are no compelling legitimate grounds for the processing; (c) the personal data were inadvertently processed unlawfully.

2. Exceptionally, the company does not delete the data to the extent that the processing is necessary: a) for compliance with a legal obligation arising from the applicable legislation and requires processing or for the fulfillment of a task performed in the public interest and b) for the establishment, exercise or support of legal claims.

How to exercise rights

Any request concerning personal data kept by the company should be addressed in writing or by post to the address 11° thousand. O.N.R. Thessaloniki – Kilkis. P.O. Box 57022 – P.O. Box: 1170 BI.PE.Th. Sindos, Thessaloniki, or by sending an email to info@venman.gr.

It is noted that the company uses “cookies” on its website in order to improve the electronic services provided. For details on cookies, information is given on the company’s website (https://old.venman.gr/politiki-cookie/).

Finally, the company, based on its current data protection policy and in the context of the applicable legislative and regulatory framework, may revise or modify this security policy.

Data Access Request If you have one user account, you can request Automatic access to data may have been stored for you on the website from the following page: https://old.venman.gr/data-access-request/ For anything that may be needed and concerns issues Protection of your personal information, please contact us.

Changes to the Privacy Policy