We wish to reassure you that any processing of your personal data, as such processing is explained in the present Policy, will be carried out by our Business in compliance with applicable laws on the protection of personal data, to include Regulation (EU) 2016/679 (hereinafter the “GDPR”), Law 4624/2019, as well as any applicable legislation on the protection of privacy in the electronic communications sector, any decisions and guidelines of the Hellenic Data Protection Authority, as well as any relevant and more specific national or European legislation.
Before visiting or using our Website, we strongly encourage you to carefully read the present Policy, the Terms & Conditions of Use as well as the Cookies Policy. By accessing or using this Website, to include the products and services offered herein, you accept to be bound by its Terms and Policies, as such Terms and Policies are posted on our Website.
The following terms shall have the meaning provided below, in accordance with the provisions of Regulation (EU) 2016/679 (GDPR):
- a) “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- b) “Data Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- c) “Data Controller” means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The data controller regarding all personal data processing operations carried out through the present Website is our Business “WAY CUP ROASTER – ISAVELLA VENAKI ”, having its registered seat in Chrisopigi – Apokofto, in Sifnos, Postal Code 840 03.
- d) “Data Processor”: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
When you access our Website, use our services, communicate or enter into transactions with our Business through our eshop, we collect information about you that allows your identification, either directly or indirectly in combination with other information (hereinafter the “Personal Data”). Such information may be collected when you willingly choose to provide same to us or simply by analyzing your behavior on our Website.
- I) Datawillinglyprovided by you
Data voluntarily provided by you when you interact with our Website and/or use our services (e.g. when you subscribe to our newsletter, when you buy a product, when you participate in a contest, when you complete the “Contact Form” available on our Website or one of our surveys addressed to our clients). Such data include your name, surname, email address, shipping address, billing address (in case different from shipping address), your telephone number (landline and/or mobile), invoicing details (Business name, business activity, VAT and Tax Authority), account details (such as username, password and other identifiers used for your access to our services), as well as the content of any comments or queries that you choose to send us.
Should you request delivery of our products to a third person/recipient, you acknowledge that you are fully responsible to inform said individual and obtain his/her consent to the disclosure of his/her data to our Business, in accordance with the present Policy, and the Business assumes no responsibility whatsoever.
For the completion of an order, your credit/debit card details will be requested (if you choose to pay by credit/debit card), in which case such data will be entered directly in the safe environment of the bank with which we cooperate, without being stored on our Website.
- II) Navigationdata
As part of our Website’s normal operation, information about our Website users is collected, the transmission of which takes place automatically, through internet communication protocols. Although this information is not collected in order to be associated with a specific user, it is possible, in combination with other data held by third parties, to allow your identification. For this reason, such information constitutes, according to applicable legislation, “Personal Data” and is being protected as such. Such information may include your Internet Protocol (IP) address, data collected through cookies, device data (domain name and type of device), as well as information about your activities’ history on our Website e.g. web pages visited, products viewed, search terms used. Through this data we hope to improve the quality of our Website, our products and services. Moreover, such data may be associated with other data that you choose to provide us, in order to offer you more personalized content, based on your interests. For more information, we invite you to check our Website’s Cookies Policy.
Through its Website the Business does not collect nor does it want to have special categories of data (sensitive data) disclosed to it.
The Business intends to use your personal data, collected through its Website and/or in the course of any transactions with our Business, for the following purposes:
i. To process your orders, payments, requests, to execute contracts for the purchase of products or services. To complete purchase orders and deliver products ordered through its Website, as well as to provide all other types of services that you may request, including your participation in contests and information regarding product availability. For the above purposes (hereinafter jointly “Provision of Services”) your consent to the processing of your personal data is not required, as such processing is necessary for the provision of the services that you have requested and, therefore, for the performance of an agreement to which you are a party or for the implementation of measures requested by you prior to entering into an agreement (GDPR article 6, para. 1.b). It is not mandatory for you to provide your personal data to the Business for the above purposes. However, if you fail to provide same, the Business will not be able to respond to your requests or/and provide the services that you have requested.
ii. For marketing, promotional and advertising purposes regarding the Business’s products and services, as well as to send you offers, carry out direct marketing campaigns, send you electronic newsletters and other information about our products and services. Note that your registration for the provision of such a service, i.e. delivery of newsletters and promotional communications, is carried out through our Website. Following your registration, an electronic confirmation of your email registration will be sent to you, while you will be provided with the possibility to immediately and easily revoke your consent in case you change your mind. The processing of your personal data for such purposes (hereinafter “Marketing”) is based on your consent (GDPR article 6, para. 1.a). It is not mandatory to provide your consent to the Business for the use of your personal data for the above purposes and you will suffer no consequence if you choose not to give it, other than the fact that you will not be receiving any marketing communications from the Business. Any consent provided may be withdrawn at a later stage; note that the withdrawal of consent does not affect the lawfulness of processing carried out based on such consent.
iii. For future marketing, promotional and advertising purposes, by sending you direct electronic marketing communications, regarding products and services provided by the Business that are identical or similar to those that you have requested in the past by our Business (hereinafter “Soft Spam”). The processing for the above purposes is based on the Business’s legitimate interest (GDPR article 6, para. 1.f) in sending you direct electronic marketing communications regarding its products and services that are identical or similar to those you have previously requested. You may block such communications without any consequence, by objecting through the unsubscribe link that will be provided at the bottom of any such future communications.
v. For compliance with laws that require from the Business the collection and/or further processing of certain categories of personal data, such as the legislation on consumer protection. When you provide any personal data to the Business, the Business must process same in accordance with applicable law, which may include retaining and reporting your personal data to official authorities, in compliance with tax, customs or other legal obligations. Your consent is not required for such purpose (hereinafter “Compliance”), as such processing is necessary for compliance with a legal obligation to which the Business is subject (GDPR, article 6, para. c).
vi. To protect and defend the security of the Business’s systems and property, to include the prevention and detection of any misuse of our Website or any fraudulent activities taking place through the Website, as well as to defend the Business’s legitimate interests before the competent Courts and Authorities. The processing of your personal data for such purpose (hereinafter “Security/Legitimate Interests”) is necessary for the Business to pursue its legitimate interests (GDPR article 6, para. 1.f).
Our Business does not sell, exchange, lease personal data to third parties, natural or legal persons. We may disclose personal data, to the extent necessary, as follows:
- To our Business’s duly appointed external collaborators, acting on its behalf as data processors and assisting it with the operation of the Website and the provision of services to the public (e.g. internet service providers, IT service providers, service providers for sending newsletters, market research companies, transportation or shipping companies).
- Selected individuals that have been authorized by our Business to process data necessary for the carrying out of activities relating to the provision of the products/services offered through the Website, who are subject to an obligation of confidentiality (e.g. employees of our Business, legal advisers, accountants, tax technicians).
- Suppliers of our Business who assist us with the execution and/or delivery of orders.
- Credit institutions (when users make payments through credit/debit card).
- Public authorities, bodies, or offices, to include tax authorities, to the extent necessary in compliance with applicable law.
- Freud prevention and control organizations (e.g. Cybercrime Unit).
- In the event of a corporate change of our Business, your personal data may be transferred. In this latter case, the Business will make every effort to adequately inform you about the change in control of your data and will provide you with the possibility to exercise your rights, in accordance with applicable law.
In the event that the partners of our Business, suppliers, service providers or authorities, as per article 6 above, are located outside the European Union/European Economic Area, your personal data may be transferred to a third country.
In particular, the electronic platform that hosts our newsletter subscribers’ database is currently located outside the EU, while the provider of such a service is the Business ‘Rocket Science Group LLC (MailChimp)’, having its seat in the U.S.A. Mailchimp participates in and has certified its compliance with the Privacy Shield Framework and acts as data processor on behalf of our Business. Also, our Website uses trackers through Facebook Inc. (Facebook pixel) and Google LLC (Google Analytics), also certified with the Privacy Shield Framework.
We wish to reassure you that in the limited and necessary circumstances that your personal data will be transferred to a third country, outside the EU/EEA, the Business will put in place adequate measures and will provide appropriate safeguards, in order to ensure the privacy and security of your personal data. You may obtain additional information regarding such safeguards, by emailing us at [email protected].
The Business retains your personal data strictly for as long as necessary, in order to fulfill the purposes for which the data were collected. The criteria used by the Business to determine its data retention periods include: (a) for as long as we have an ongoing relationship with you, (b) if the processing is based on your consent, from the moment that you provide such consent until the moment you withdraw same, unless if further retention is necessary for the protection of the rights of the Business, (c) for as long as necessary in light of a legal obligation to which the Business is subject, (d) for as long as necessary in light of the legal position of our Business (indicatively, to defend our rights before the Courts, to comply with regulatory controls etc.). In particular:
- Personal data processed for the Provision of Services (as per article 5.i. above) will be kept by the Business for a maximum period of 20 years. Information will, however, be retained for a longer period if we need to address any claims regarding the services or in case we need to protect the Business’s interests in connection with a potential liability regarding the Provision of Services, in the context of a lawsuit etc.
- Personal data processed for Marketing as well as Advertising/Analysis purposes (as per Articles 5.i. and 5.iv. above), will be kept by the Business from the moment that you provide your consent until the moment you withdraw same. In the case of withdrawal of consent, your personal data will no longer be used for these purposes, however, they may be retained by the Business, as we may be required to protect the Business’s interests in connection with a potential liability relating to such processing.
- Personal data processed for Soft Spam (as per article 5.iii. above) will be kept by the Business from the moment that you provide your data to us until the moment you object to such processing.
- Personal data processed for Compliance purposes (as per article 5.v. above), will be kept by the Business for the period required, in accordance with specific legal obligations for which such data were processed.
- Personal data processed for Security/Legitimate Interests purposes (as per article 5.vi. above), will be kept by the Business for a period that is strictly necessary for the fulfillment of the purposes for which such data were initially collected.
Following the lapse of the above-mentioned periods, all data will be deleted or anonymized, with the exception of data that, based on applicable law, must be retained for a longer period of time.
As a data subject you have the following rights that you may exercise at any time:
- Obtain confirmation on whether your personal data are being processed by the Business and, in the affirmative, access and obtain a copy of such data.
- Modify, update, or complete your personal data, where they may be inaccurate or incomplete.
- Request the erasure of your personal data, where the processing is unnecessary or unlawful.
- Request the restriction of processing of your personal data, when you feel that your personal data is inaccurate or that the processing is unnecessary or unlawful.
- Withdraw your consent to the processing of your personal data when such consent serves as the legal basis for processing.
- Request, under certain conditions, the portability of your personal data, namely, to obtain a copy of your personal data in a structured, commonly used and machine-readable format, as well as to request the transmission of your personal data to another data controller.
- Object to the processing of your personal data.
You also have the right to file a complaint with the Hellenic Data Protection Authority. Regarding the competency of the Authority and for information on how to file a complaint, you may visit the Authority’s website (www.dpa.gr -> Citizen rights -> Complaint to the Hellenic DPA).
The Business does not target, nor does it purposely collect personal data concerning minors. If minors willingly visit our Website, our Business assumes no responsibility whatsoever. Parents/Guardians can prevent a minor from accessing the Website, by using available, easily accessible programs that control access to the internet or to specific websites. If it comes to the Business’s attention that a user of our Website is a minor, we will not process or retain such personal data.
Our Business uses social media tools and applications, such as Facebook and Instagram. If you are connected to one of these networks, the network may match your user account with your visit to our Website. For this reason, if you do not wish to have any data retrieved from your visit to our Website linked to your social media account, you must be logged out of your account before logging in to our Website.
This Website may contain links, hyperlinks, advertising banners and references to websites, platforms, or third-party applications (jointly “third-party websites”), over which our Business has no control. Similarly, access to our Website may be achieved through links that you will find to third-party websites, over which our Business has no control. Note that third-party websites may collect your personal data for their own processing purposes. Our Business does not guarantee the level and the quality of any website to which it links, nor does it assume any responsibility in connection with the content of the websites that do not belong to the Business and/or the terms of collection and processing of personal data applicable to such third-party websites. Following the above, we invite you to be very careful and to check the terms and policies (privacy policies, cookies policies etc.) that govern such third-party websites, as they may differ significantly from ours.
Our Business has implemented appropriate technical and organizational measures for the protection of your personal data. All personal data collected by the Business are stored and processed in a way to minimize the risk of (accidental) loss, destruction, or breach. For online orders, our Business uses the Secure Sockets Layer (SSL: RSA Encryption) protocol, in order to ensure the protection of your personal data. A padlock will appear from your browser to let you know when an SSL connection is being used. This system encrypts your data before sending it over the internet and is one of the best softwares available today for secure trading. The password used when you register on our Website provides additional security, for this reason we recommend that you choose strong passwords (with a combination of letters, numbers and symbols), that you keep them confidential and that you protect them from unauthorized access. The Business, however, cannot guarantee the complete security of your data from persons who attempt to circumvent such security measures and/or prevent the transfer of data over the internet.
The Business, at its sole discretion, reserves the right to amend the present Policy from time to time. For this reason, we invite you to periodically review the present Policy in order to acquaint yourself with the latest updated version. Any changes will apply from the moment they appear on our Website, accompanied by a clear indication of the date that our Policy was last updated.
If you have any request or query regarding this Policy and/or if you wish to exercise any of your rights as a data subject, please contact us by:
- Post: Chrisopigi – Apokofto, Sifnos, Postal Code 840 03
- Email: mail to: [email protected].
We will make every effort to respond to your query the soonest possible.