Personal Data Protection Policy

With this Policy, we explicitly and thoroughly inform you of how your Personal Data (hereinafter referred to as “Personal Data” or “Personal Information”) is collected, processed, used and stored. As building a relationship of trust is a cornerstone for the Company, protecting your Personal Data is a top priority for us.

Visiting our Website and using it in any way, for example by registering for one of the offered events, is tantamount to unconditional acceptance of the practices described in this Policy. Furthermore, the present document is inextricably linked to our Website’s “Terms of Use” and thus - in reading and interpreting these two texts - they should be considered as a single whole. If you do not accept this Policy in whole or in part, please cease using the services provided through the Website.

1) Framework of the Personal Data Protection Policy

Personal Data are collected, processed and used in accordance with the provisions of Greek and EU law in force, including but not limited to the provisions of Law 3471/2006 “On the Protection of Personal Data and Privacy in the Telecommunications Sector”, Law 3917/2011 “On the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks”, of the European Data Protection and Electronic Communications Directive (EU-EC Directive) and Directive 2009/136/EC (ePrivacy Directive), and in particular Directive 680/2016 and Regulation 679/2016 on the protection of personal data (General Data Protection Regulation-GDPR).

This Data Protection Policy is fully in line with the provisions of Regulation 679/2016, taking all appropriate precautionary, security and safety measures and paying due diligence towards the protection of users’ Personal Data. These include, but are not limited to: providing full and detailed consent for cookies, ensuring the possibility of contacting the Controller at any time, access to a copy of the retained data, deletion of the data at any time upon request (“right to be forgotten”), pseudonymisation and/or encryption of the Data.

Furthermore, for the purposes of this Personal Data Protection Policy, all provisions of the General Data Protection Regulation are fully and strictly applicable. Indicatively, the following terms have the following meaning:

“personal data”: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,

“processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,

“consent” of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her,

“data controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law,

“processor”: the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

“supervisory authority”: an independent public authority which is established by a Member State pursuant to Article 51 of the General Data Protection Regulation.

The Company expressly states that it is in no way responsible for the applicable terms under which the Users’ Personal Data is collected, processed and used by other websites, to which the individual user may be redirected via links from the Company’s Website.

2) Controller:

In accordance with the definitions of this Statement, the Controller is:

Name: Mrs Tatiana Zompola, 35 Sorou St, 151 25 Maroussi, Athens – Greece, Τ +30 210 61 09 992, Email: [email protected]+30 210

3) Personal Data Collection

A) Browsing our Website does not require any kind of registration. However, the use of the services provided requires the recording of the requested data.

B) The Company collects, processes, uses and stores personal information that includes both personal data (e.g. name, surname, address and so on, in detail below, under point C) and the financial and billing data required for the execution of the transaction (billing data, debit or credit card data, payment data, etc., similarly in detail below, under point C), as well as data on the use of the Website and Internet activity, as they result from the users’ visit to the Website. It is expressly stated that the recording of data and any general expression of interest by any user in the special registration form of our Website serves as provision of consent for the collection, processing, use and storage of the User’s Personal Data, in accordance with the specific terms set out herein. It is expressly stated that any consent given by a User may be revoked at any time, by sending the Company a written declaration of revocation, submitted either in hard copy or by email.

C) What personal data do we collect, process, use and store?

Identity Data, as provided when you register for an event, when assigning us a task or when expressing interest, in particular the user’s full name and capacity.

Communication Data, as provided a) compulsorily during your registration for an event, during the assignment of a specific task to us or during the expression of interest, in particular the user’s telephone and e-mail address, b) optionally during the expression of interest for the receipt of newsletters on the Company’s events.

Financial Data, as provided upon completion of your registration for an event or upon the expression of interest or upon assignment of a specific task to us, through your payment and upon issuance of the relevant document, in particular: Tax identification number, charge and billing details.

Demographic Data, as provided when you register for an event, when you assign us a task or when expressing interest for newsletters, in particular: area of residence, age.

Profile Data, as provided upon completion of registration for an event, upon assignment of a specific task to us or upon expression of interest, such as, indicatively, your capacity, the events you are attending or expressing an interest in.

Electronic identification data, for example MAC address, IP address and cookies (in detail below, Cookie Policy), collected during your browsing and the use of our services in general.


D) Purposes of the collection, processing, use and storage of Personal Data:

The Company expressly declares that the above collected Data are processed only for the following lawful purposes or for the proper performance of a contractual or pre-contractual relationship (created by participating in an event or by assigning a certain task to us and in general related in any appropriate way to the Company’s statutory purposes), to safeguard your vital interests or to fulfil our legitimate interests, namely:

- To fulfil the principal obligations arising from any contract to be signed between you and the Company.

- To fulfil the subordinate obligations arising from the above contract, such as updating the Customer on the course of task execution, providing information, any obligations arising from the bona fide principle etc.

- To handle requests in relation to the service or exercise of your legal rights.

- To ensure a more proper and safer charging and pricing procedure for the services we provide.

- To ensure the smooth operation of this Website.

- To respond to your relevant requests and questions and to inform you of services provided, special offers and promotions, provided you have expressly stated that you wish to receive such updates.

- To allow traffic analysis for our Website and therefore improve and assure the quality of the services we offer.

- To support and resolve queries in relation to the provided services.

- To ensure network safety and prevent the committing of any offences, especially cyber crime (such as fraud).

- To provide the necessary information to the competent services and authorities, when needed, in compliance with the legal procedures.

E) Legal basis for the processing

It is expressly stipulated that the collection, processing, use and storage of personal data is based on one of the following cases as expressly provided:

- Your freely given consent (see above, point 1).

- A specific preliminary or contractual agreement, with you as -exclusive or among others- counterparty.

- Compliance with a specific legal obligation.

- Promoting our legal interests, which supersede your interest in protecting our Data.

- Any other expressly provided grounds under the legislation in force.

F) Method of collection, processing, use and storage of Personal Data

Your Personal Data are collected - following your relevant consent - as you use our services, namely:

- upon submission of a participation request and by completion of registration for a specific event,

- when you e-mail, telephone and contact us in general, either to purchase a product or conclude a relevant contract or to complain, comment or express an opinion,

- when you subscribe, upon selection of the relevant option, to our mailing list to receive newsletters, information material and promotions in general,

- upon your visiting our Website and the subsequent collection, through the use and acceptance of cookies, of information from your terminal device, e.g. information such as the IP address, the MAC address, the operating system used, the type and version of the browser and other web log files,

- upon receipt of documents, requests, orders, legal documents, warrants and all types of similar documents and orders by bodies and authorities, e.g. supervisory, prosecution, judicial, tax authorities, for the purpose of crime investigation, protection against fraud, combating any type of offences and criminality in general and for preventing the breach of legal and protected rights of any type (e.g. intellectual property, industrial property and so on).

G) Collection and processing principles:

It is expressly stated that the Company and its skilled staff stringently apply the ten (10) Processing Principles of the General Data Protection Regulation, namely the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability, as also provided under the legislation in force. The above principles apply without exception to all processing actions and to the services provided.

4) Data Security

The Company takes the necessary technical and organisational measures, during transmission of Personal Data between your system and ours, in order to ensure the privacy, secrecy, integrity and availability of your Data. As indicative measures of protection we mention the use of firewalls and specialised detection systems that identify potential attempts of unauthorised persons to access your Personal Data, the establishment of distinct access levels, tokenization, the systematic training of authorised staff, the conduct of periodic controls, compliance with international security and business continuity standards, as well as any suitable means to ensure protection for your Personal Data. Furthermore, our technicians are constantly working to safeguard the use of the Website, upgrading the protection offered whenever deemed necessary.

Moreover, it is expressly stated that appropriate internal policies have been established for the protection and lawful and proper processing of Data, while appropriate technical measures are applied both at the time of determination of the processing means and at the time of processing, in strict compliance with the principles of data protection by design and of data protection by default.

Specifically, at the design stage of the processing actions and systems, and at the stage of determination of the processing means, the Controller - taking into account the risk-based approach and various other parameters (such as the technical developments, the application cost and the nature of the measures applied, the application scope, the framework and the purposes of processing and so on) - applies appropriate measures and uses technologies to enhance privacy and generally to protect Data (privacy by default). Indicatively, protection measures are the pseudonymisation of Data (i.e. the replacement of personally identifiable information with artificial identifiers), the encryption of Data (i.e. the codification of personal Data in a manner that renders them identifiable only to specifically authorised staff), the minimisation of existing processing of Data and, generally, the incorporation of all necessary guarantees throughout the processing procedure, in a manner ensuring that the terms and obligations of the Regulation are met, also including the obligation to prove compliance under the Regulation (accountability obligation) and ensuring the protection of Data subjects’ rights.

Accordingly, the Controller shall implement appropriate technical and organisational measures for ensuring that, by default, only Personal Data which are necessary for each specific purpose of the processing are processed (privacy by default). The above obligation extends, specifically to the range of collected Data, the level of processing, the storage period, their accessibility, in order to ensure first, that the processing is carried out with the highest level of privacy protection only with the necessary data, second, that the Data is not accessible to an indefinite number of natural persons without the intervention of another natural person.

5) Transferring your Personal Data to third parties

It is expressly stated that the Company does not disclose Personal Data to third parties, taking all necessary actions to safeguard your privacy. However, it is expressly stated that the Company may share your Personal Data, in order to respond to requests of law-enforcement services or when this is imposed by the provisions of the legislation in force or by court judgements. Specifically, this concerns police and supervisory authorities, administration bodies, judicial or other public authorities, emergency services and generally services and authorities to which we are required to provide information or which are authorised by law to request it. Moreover, it is possible to disclose your Personal Data in order to protect the rights, property or safety of the Company and the Website or the rights of users or for any other reason provided by the legislation in force. Finally, we may use your Personal Data for the purpose of exercising any legal right or objection and defence against any claims.

6) Obligations and Rights of the User:

As regards your Personal Data, you have the following obligations and rights:

A) Obligations: By using this Website, you accept that you have the obligation to state the true, accurate and full information requested by the Company when registering and creating a personal account. Furthermore, you accept that you are obliged to provide true, complete and accurate information, in any other case it is requested.

B) Rights:

At any time you may contact us, in order to explain exactly which data we keep and how we process them. It is expressly stated that the Company ensures as much as possible all eight (8) rights related to the use of your Personal Data, as provided in the GDPR, namely:

I) Right to Access (article 15 GDPR): namely the right of each data subject to know about Data processing and about the specific terms of processing, e.g. the purposes and categories of processed Data, the Data storage period,

II) Right to Data Portability (article 20 GDPR): Data subjects may receive the kept Data in machine-readable format and may transmit those data to another Controller and require the direct transmission from one Controller to another, provided that this is feasible and the other Controller or Organisation accepts,

III) Right to Rectification (article 16 GDPR): the Data subject has the right to require from the Controller the rectification of any inaccurate Data and the completion of any incomplete Data,

IV) Right to Information (article 13 and 14 GDPR): the Data subject has the right to full, thorough and clear information regarding the collection, processing, storage and use of Data,

V) Right to Erasure - “right to be forgotten” (article 17 GDPR): when the Data subject does not wish their Personal Data to be further processed and kept, they are entitled to request their erasure from the Controller and the Controller is required to proceed to their erasure without delay, provided that the Data are not kept for a specific legal or agreed purpose,

VI) Right to Object to processing (article 21 GDPR): the Data subject is entitled to object, at any time, to the processing of Data, subject to the conditions provided in the legislation in force, especially when concerning purposes of direct marketing, also including “profiling”,

VII) Right to Restriction of processing (article 18 GDPR): the Data subject may request the Controller to restrict the processing, whenever they wish,

VIII) Right to Object to automated, individual decision-making (article 22 GDPR): the Data subject is entitled to refuse to be subject to a decision based solely on automated processing (e.g. profiling), which produces legal effects concerning the subject or similarly significantly affecting them.

It is expressly stated that the above rights of the Data subject are exercised when conditions set out in the General Data Protection Regulation are met and in accordance with the formalities that are expressly stipulated in the Regulation. Furthermore, the above rights may be exercised either by your physical presence or by e-mail or by using another similar means, provided however that your identity is proven using all suitable means and necessary documentation. In case the exercise of a specific right requires that specific conditions are met and in order to ensure Personal Data safety, the Company reserves the right to request from the Customer to prove that the above conditions are met and to produce the relevant documentation.

In addition to the above, the right to appeal to the Hellenic Data Protection Authority is fully reserved. If you think that the protection of your Personal Data is not adequately safeguarded or that any of your Data or rights are violated, you are entitled to appeal to the Authority. Furthermore, the right to appeal to the Authority is also provided for any matter related to your Data processing in general (for more information:

7) Data Retention

Personal Data are kept exclusively for the entire period imposed by the contractual terms of the relevant service, also based on the purpose of processing, unless their retention is imposed by the legislation in force, and then said Data are anonymised or destroyed. Furthermore, it is possible to request the erasure of Data at any time, by making a relevant written request to the Controller, in which case Data are erased without delay, provided that their retention is not imposed by the legislation in force or by other binding contracts.

8) Cookies Policy

Cookies are small text files or data sets, used for storing and receiving identifiers and other information in browsers, which are accepted by our Website. While you browse our Website, Cookies are sent and installed in your computer or electronic device. These are on-line tools for information collection and analysis, collected from media or social networking platforms in general or cooperating third party web pages. Cookies contribute to the smooth operation and easier use of the site, the measuring of traffic and performance of the Website, the upgrade of content, appearance and function of the Website, the adjustment to the needs and wishes of users, and the improvement and measurement of the effectiveness of display of the Company on third party Websites.

When browsing our Website, anonymous information is collected, especially web log data. These data include the browser name and type used, the type of computer or electronic device, the operating system, the pages from where you were directed to our Website, without in any way being related to Personal Data, the pages you visited while browsing the Website, the general user preferences (e.g. language, country etc.) and other information of this type. Moreover, advertising cookies are used to provide content that suits the preferences of visitors, by measuring traffic, promoting targeted offers etc.

As a rule, browsers automatically accept the use of Cookies, so if you wish not to accept the use of Cookies you must adjust the necessary setting of your computer or electronic device and of your Browser to full deactivation of Cookies. Furthermore, it is also possible to adjust your Browser settings to display a question before receiving any individual cookies, thus allowing the option of accepting or rejecting Cookies separately. Note however that any deactivation or non-acceptance of Cookies may limit or disable the use of some of the services or tools provided.

Cookies are sent via the Browser and are stored in the user's computer as a trace. Therefore, through the use of Cookies, the computer used may be identified but not the user's Personal Data. Namely, the Cookies used do not collect Data that identify the relevant user and do not gain access or knowledge of any document or file on your electronic device. Moreover, the Cookies used and Data in general are encrypted for security reasons.

Furthermore, when you visit third party websites or log on to social media (e.g. Facebook, Youtube, Google Analytics, Twitter etc.), the installation of Cookies is enabled by the above websites or media, immediately upon connecting to the relevant link. It is expressly stated that the Company has no liability whatsoever or any type of involvement in relation to the above Cookies, as the sole parties liable for them are said third parties. If you do not wish the installation of the above Cookies, you may choose to be excluded from this installation, as per the procedure set out in the Use Policy of the relevant third party.

If you wish, you may delete both specific and all installed and stored Cookies. For more information, visit the relevant web pages of your browser or the device used.

9) Display of targeted advertisements

Upon your express and written consent, we may use Cookies, Personal Data, tags or other similar information to display advertisements related to user preferences and browsing habits, on our Website or on third party websites or on any other medium, e.g. on social media. It is expressly stated that the above display of targeted advertisements is carried out following human intervention of our marketing department managers, while neither the above advertisements are displayed nor any personalised offers are sent using automated tools for consumer profile tracking and assessment and generally using preferences with other personal information of the user (e.g. e-mail address). Moreover, your Personal Data are not shared with any third parties for the display of similar advertisements or for sending promotional messages, unless you provide your express and written consent. You may unsubscribe at any time you wish to stop receiving newsletters or offers, using the relevant field (unsubscribe), while you may also update subscription preferences.

10) Links to third party Websites

Now or in the future, the content of our Website may feature links to third party websites, especially associates and customers of the Company, to facilitate visitors or users. The above websites function and are maintained by exclusive responsibility of third parties and are therefore not controlled by our Company and we have no liability for the content, lawfulness and accuracy of the information given, the quality and features of the products or services, the policies and terms of use of the above websites. Please read carefully the respective Protection Policies on third party websites and note that you visit them exclusively at your own risk.

11) Communication with the Company

The Company will gladly reply to any comments or questions in relation to this Personal Data Protection Policy. In case of doubts, questions in relation to this Policy or to any provided service in general, as well as if you think that the principles set out herein are not met, please contact the Company and the Controller Mrs Tatiana Zobola, 35 Sorou St, 151 25 Maroussi, Athens – Greece Email: [email protected]. Any information or clarification provided in the context of the above communication shall in no way modify, replace or abolish this Protection Policy and shall be construed in the context of this Policy.

12) Validity of the Personal Data Protection Policy - Amendments

The Protection Policy was published by the Company on 05/03/2021 and is effective as of the date of publication and replaces all previous published Protection Policies, as well as any preceding protection practices applied. The Company reserves the right to amend this Policy, but has the obligation to notify these amendments to users during their browsing of the Website, within a reasonable period from the amendment. In case any user continues to use the Website after these amendments have been disclosed, it shall be presumed that they have accepted the amended Protection Policy.

This Policy is governed by the provisions of national and communal law, in relation to Personal Data protection (see also paragraph 1) and the overall protection of privacy and secrecy, as well as by any applicable international conventions. If any changes are effected to the above regulatory texts, we will amend - if necessary - this Policy as well as the practices applied, to ensure harmonisation with the relevant regulatory framework. In this case, any changes in this Policy shall be expressly notified and in all other respects the above provisions apply.