Data Protection Notice

Name: Roller Kappatos S.A.
Address: Ntampasi, Oinofyta, Viotias, 32011, GR
Telephone: +30 22620 56112

The company under the trade name “THEOFILOS KAPPATOS ANONYMI VIOTECHNIKI EMPORIKI ETAIREIA KATASKEUIS KAI EMPORIAS ILEKTRIKON SYSKEUON KAI OIKIAKON EIDON” (tel: +30 22620 56112, email: info@roller.gr) (hereinafter the “Company”), with registered seat in Avlonas Attika, at Thesi Kaskourti 0, PC 19011 hereby informs you, as the Data Controller, about the processing of your personal data.

A. Definitions

For the purposes of the present Data Protection Notice, the following terms shall have the meaning set out below:

‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. For the purposes of this Notice, the Company acts in its capacity as a Data Controller;

‘Processor’ means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘Applicable Law’ means the relevant national and Union legislation on the protection of personal data and in particular Regulation (EU) 2016/679 (hereinafter referred to as the “GDPR”), the relevant jurisprudence of the CJEU, the Hellenic Laws no. 4624/2019, as and no. 3471/2006, as applicable and in force as well as the Decisions, Guidelines and Opinions of the European Data Protection Board (hereinafter referred to as the “EDPB”) and the Hellenic Data Protection Authority (hereinafter referred to as the “HDPA”).

B. Data Processing Cycle

Β1: Personal data we process in the context of the platform www.roller.gr (the “Platform”).

Personal Data Categories:
Identification data (for natural persons) / Company data (for sole traders)

Purpose:
User registration on the Platform

Legal Basis:
Article 6 para. 1 (b) GDPR – Performance of our contract

Retention Period:
Until the expiry of the relevant limitation period (249AK)

Recipients:
Data Processors:
– Accounting service providers,
– providers of IT support services,
– providers of hosting services, cloud providers,
– providers of product and service promotion services.
Financial institutions, to the extent necessary for the execution of transactions.

Tax authorities, in accordance with applicable tax legislation.

Lawyers, in so far as this is necessary for the exercise of the Company’s rights and the protection of its legitimate interests

Personal Data Categories:
Contact Details (postal and e-mail address, telephone number)

Purpose:
User registration on the Platform

Legal Basis:
Article 6 para. 1 (b) GDPR – Performance of our contract

Retention Period:
Until the expiry of the relevant limitation period (249AK)

Recipients:
Data Processors:
– Accounting service providers,
– providers of IT support services,
– providers of hosting services, cloud providers,
– providers of product and service promotion services.
Financial institutions, to the extent necessary for the execution of transactions.

Tax authorities, in accordance with applicable tax legislation.

Lawyers, in so far as this is necessary for the exercise of the Company’s rights and the protection of its legitimate interests

Personal Data Categories:
Billing details (e.g. tax identification number, tax office)

Purpose:
Product billing

Legal Basis:
Article 6 para. 1 (c) GDPR – Compliance with tax law

Retention Period:
Until the expiry of the relevant limitation period (249AK)

Recipients:
Data Processors:
– Accounting service providers,
– providers of IT support services,
– providers of hosting services, cloud providers,
– providers of product and service promotion services.
Financial institutions, to the extent necessary for the execution of transactions.

Tax authorities, in accordance with applicable tax legislation.

Lawyers, in so far as this is necessary for the exercise of the Company’s rights and the protection of its legitimate interests

Personal Data Categories:
Transaction data (e.g. transaction history)

Purpose:
Maintenance of record of orders

Legal Basis:
Article 6 para. 1 (f) GDPR – The Company’s legitimate interest

Retention Period:
Until the expiry of the relevant limitation period (249AK)

Recipients:
Data Processors:
– Accounting service providers,
– providers of IT support services,
– providers of hosting services, cloud providers,
– providers of product and service promotion services.
Financial institutions, to the extent necessary for the execution of transactions.

Tax authorities, in accordance with applicable tax legislation.

Lawyers, in so far as this is necessary for the exercise of the Company’s rights and the protection of its legitimate interests

Personal Data Categories:
Email

Purpose:
Subscription to our Newsletter

Legal Basis:
Article 6 para. 1(a) GDPR & Article 11 para. 1 of Hellenic Law 3471/2006 / Article 6 para. (1)(f) GDPR & Article 11 para. 3 of Hellenic Law 3471/2006, as in force

Retention Period:
Until the expiry of the limitation period following the withdrawal of your consent/ until you object to the processing of your data

Recipients:
Data Processors:
Providers of mass electronic communications services

Β2: Personal data we process for communication purposes

B2C

Personal Data Categories:
Identification details (e.g. full name)

Purpose:
Interactive user communication

Legal Basis:
Article 6 para. 1 (g) GDPR – Our legitimate interest in the direct marketing of the Company’s services

Retention Period:
5 or 20 years based on Articles 249 and 250 of the Hellenic Civil Code

Recipients:
Processors:
– providers of IT support services
– providers of hosting services,
– cloud providers.

Personal Data Categories:
Data contained in contact forms

Purpose:
Interactive user communication

Legal Basis:
Article 6 para. 1 (g) GDPR – Our legitimate interest in the direct marketing of the Company’s services

Retention Period:
5 or 20 years based on Articles 249 and 250 of the Hellenic Civil Code

Recipients:
Processors:
– providers of IT support services
– providers of hosting services,
– cloud providers.

B2B

Personal Data Categories:
Identification details (e.g. full name, geographical area)

Purpose:
Interactive user communication

Legal Basis:
Article 6 para. 1 (g) GDPR – Our legitimate interest in the direct marketing of the Company’s services

Retention Period:
5 or 20 years based on the respective limitation periods of Articles 250 and 249 of the Hellenic Civil Code

Recipients:
Processors:
– providers of IT support services
– providers of hosting services,
– cloud providers.

Personal Data Categories:
Contact data (e.g. telephone number, email)

Purpose:
Interactive user communication

Legal Basis:
Article 6 para. 1 (g) GDPR – Our legitimate interest in the direct marketing of the Company’s services

Retention Period:
5 or 20 years based on the respective limitation periods of Articles 250 and 249 of the Hellenic Civil Code

Recipients:
Processors:
– providers of IT support services
– providers of hosting services,
– cloud providers.

Personal Data Categories:
Data contained in contact forms

Purpose:
Interactive user communication

Legal Basis:
Article 6 para. 1 (g) GDPR – Our legitimate interest in the direct marketing of the Company’s services

Retention Period:
5 or 20 years based on the respective limitation periods of Articles 250 and 249 of the Hellenic Civil Code

Recipients:
Processors:
– providers of IT support services
– providers of hosting services,
– cloud providers.

Β3: Personal data we process in the context of CCTV operation

Personal Data Categories:
Image and video data

Purpose:
Security

Legal Basis:
Article 6 para. 1 (f) GDPR –
Our legitimate interest in the security of our property and employee safety

Retention Period:
7 days
1 month in the event of an incident
3 months in the event of an incident involving a third party

Recipients:
a) The competent judicial, prosecutorial and police authorities, should information be necessary for the investigation of a criminal offence involving persons or property of the Controller,
b) the competent judicial, prosecutorial and police authorities, should they lawfully request data in the performance of their duties,
c) the victim or the offender, should the data constitute evidence of a criminal offence.

Β4. Personal data we process in the context of evaluating candidate employees

Personal Data Categories:
Identification details (full name, father’s name, mother’s name, gender, date and place of birth, ID number/ passport number)

Purpose:
Assessment of the candidate for recruitment purposes

Legal Basis:
Article 6 para. 1 (f) GDPR – Our legitimate interest in the recruitment of qualified personnel for the purposes of our business activities

Retention Period:
6 months or for a greater period subject to your consent

Recipients:
The Company engages Data Processors on its behalf, which are:
– providers of IT support services,
– providers of hosting services,
– cloud providers.

Personal Data Categories:
Contact data (postal and e-mail address, telephone number)

Purpose:
Assessment of the candidate for recruitment purposes

Legal Basis:
Article 6 para. 1 (f) GDPR – Our legitimate interest in the recruitment of qualified personnel for the purposes of our business activities

Retention Period:
6 months or for a greater period subject to your consent

Recipients:
The Company engages Data Processors on its behalf, which are:
– providers of IT support services,
– providers of hosting services,
– cloud providers.

Personal Data Categories:
Data contained in CVs (marital status, education and qualifications data, work experience)

Purpose:
Assessment of the candidate for recruitment purposes

Legal Basis:
Article 6 para. 1 (f) GDPR – Our legitimate interest in the recruitment of qualified personnel for the purposes of our business activities

Retention Period:
6 months or for a greater period subject to your consent

Recipients:
The Company engages Data Processors on its behalf, which are:
– providers of IT support services,
– providers of hosting services,
– cloud providers.

Β5. Vendor data (natural persons)

Personal Data Categories:
Identification details (full name, father’s name, mother’s name, gender, date of birth, ID number/passport number)

Purpose:
Supply of goods and/or services to the Company

Legal Basis:
Article 6 para. 1 (b) GDPR – Performance of the contract

Retention Period:
5 or 20 years based on the respective limitation periods of Articles 250 and 249 of the Hellenic Civil Code

Recipients:
The Company engages Data Processors on its behalf, which are:
– providers of IT support services,
– providers of hosting services,
– cloud service providers.
Financial institutions, to the extent necessary for the execution of transactions

Personal Data Categories:
Contact data (postal and e-mail address, telephone number)

Purpose:
Supply of goods and/or services to the Company

Legal Basis:
Article 6 para. 1 (b) GDPR – Performance of the contract

Retention Period:
5 or 20 years based on the respective limitation periods of Articles 250 and 249 of the Hellenic Civil Code

Recipients:
The Company engages Data Processors on its behalf, which are:
– providers of IT support services,
– providers of hosting services,
– cloud service providers.
Financial institutions, to the extent necessary for the execution of transactions

Personal Data Categories:
Transaction data (invoices, tax forms, etc.)

Purpose:
Compliance with relevant obligations under tax law

Legal Basis:
Article 6 para. 1 (c) GDPR – Compliance with legal obligation

Retention Period:
5 or 20 years based on the respective limitation periods of Articles 250 and 249 of the Hellenic Civil Code

Recipients:
The Company engages Data Processors on its behalf, which are:
– providers of IT support services,
– providers of hosting services,
– cloud service providers.
Financial institutions, to the extent necessary for the execution of transactions

Data we collect automatically

e.g. language settings, IP address, location, device settings, device operating system, activity details, time of use, redirect URL, status report, user information (information about browser version), operating system, browsing result (simple visitor or registered customer), browsing history. We may also collect data through cookies. For information on the use of cookies, click here.

C. Transfer of data outside the EEA

In principle, the Company does not transfer your personal data to third countries and/or International Organizations. In the event of a transfer of your personal data to a country outside the European Economic Area (EEA) or an International Organization, the transfer will be carried out pursuant to one of the legal bases of Article 6 of the GDPR, cumulatively to one of the following:

a) The Commission has issued an adequacy decision for the third country to which the transfer will be made (Article 45 GDPR) or

b) Appropriate safeguards in accordance with the GDPR are in place for the transfer of such data (Article 46 GDPR) or

c) For occasional processing, one of the exceptions provided for in Article 49 of the GDPR applies (e.g. the user’s explicit consent and information about the risks involved in the transfer, the transfer is necessary for the performance of a contract at the interest of the data subject, there are important reasons of public interest, the transfer is necessary for the establishment, exercise or defence of legal claims, the transfer is necessary to protect the vital interests of the data subject, etc.).

Data subject rights

Each data subject has the following rights:
– Portability
– Rectification
– Erasure
– Restriction
– Access

You have the right to object to the processing of your personal data as regards any processing carried out based on our legitimate interests. You also have the right to withdraw your consent, for processing activities based on your consent.

If you wish to exercise any of your rights or acquire any information concerning the processing of your personal data, you can contact us via email in the following address info@roller.gr, and the Company will respond promptly [in any case within thirty (30) days of the request], notifying you in writing of the progress of the request.

If you have any complaints regarding this Notice or any data protection concerns, and if we fail to comply with your request, you may contact the Hellenic Data Protection Authority, 1-3 Kifissias Avenue, 115 23, Athens (www.dpa.gr).