Tottis Bingo SA recognizes and respects the importance of the personal data it processes in its activities and has therefore fully adapted its policy to the requirements of the General Personal Data Protection Regulation (hereinafter GDPR) 2016/679 / EU.
With this statement, Tottis Bingo AEBE wishes to inform its counterparties in what capacity, for what purpose and on what lawful basis it processes information relating to them and which can be used to identify them directly or indirectly, that is to say their personal data, their data categories, the sources of their data (when the data are not provided by the person himself), the criteria for determining the period of storage of their personal data, their ability to exercise, regarding their personal data, the rights of accessibiity and rectification and, where appropriate, the rights of erasure, restriction and object to the processing and processing by means of automated decision-making process, including profiling, the eventual transmission of personal data to a third country or an international organization, the ability of individuals to lodge a complaint about any violation of their personal data rights with the Data Protection Authority, as well as the adherence of relevant privacy policies and safeguards by our Company.
To this end, please take a moment to read this statement from Tottis Bingo SA.
If you have any questions or concerns, if you wish to receive a copy of this statement or wish to exercise any of the following rights pertaining to your personal data, please contact our Company's Data Protection Officer at email: firstname.lastname@example.org. Contact: Michaloliakos Evangelos.
1. Data Protection Officer
Tottis Bingo SA (hereinafter referred to as “the Company”), with registered office in Greece, at 131-139 Spata Avenue, Gerakas, Greece, P.C. 15344 has S.A. Number: 66472/04 / B / 08/141 and Business Register Number .: 008365201000 processes in its activities the personal data of its counterparties, being the controller.
2. Data sources
We collect your personal data from various sources, including:
• Personal data you give us directly
• Personal Data we collect automatically
We may collect web traffic statistics like:
• Your IP address,
• the time of your visit,
• the request made at the tottis-bingo.gr website,
• the headers sent by your browser
Personal data we collect from other sources
3. Categories of data
The personal data we process on a case by case basis is
Regular Personal Data: full name, birthdate, ID number, VAT number, address, phone number, e-mail, pictures of yourself in a simple CCTV closed circuit.
Special Categories of Personal Data: Health Data
4. Purpose of Processing
The reasons we process your data are on occasion to contact you in order to answer your questions and requests, to evaluate your resume, to sign commercial contracts with you, to check your creditworthiness, to fullfill our contractual obligations to you, to fulfill the legal obligations arising from national and EU law, to meet our obligations as a food industry as well as regarding food safety, to organize our activites in the field of electronic communication with our customers, to protect the security of our facilities and our employees and all third parties who are lawfully entering our premises from invading non-working third parties and by any criminal action against the assets of the company and those who lawfully use its facilities.
5. Lawful basis for processing
In particular, the lawful basis for processing your data are as follows:
• Article 6 par. 1a GDPR. When you have given your consent to process your data for one or more specific purposes. We use this basis for example, to collect your contact details, to check your creditworthiness, and according to Article 9 par.1 2a GDPR to collect specific health data on diseases which can contaminate food production when it comes to your entering our production areas
• Article 6 par. 1b GDPR processing is necessary for the performance of a contract to which you, the data subject, are counterparty or in order to take steps at the request of the data subject prior to entering into a contract; On this basis we rely, for example, for processing your data during negotiations of any kind of contract or commercial agreements by disclosing your data when required by a third party recipient, Bank and Insurance Company through which we can fulfill our contractual obligations to you.
• Article 6 par. 1 GDPR processing is necessary for compliance with a legal obligation to which the controller is subject
On this basis, we rely to comply with our statutory obligations such as tax or insurance provisions
• Article 6 par. 1f processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data,
In particular, on this basis, we rely:
• To maintain a closed-circuit television system only in the entrance areas of our premises in the parking area and around our premises, on the outside areas of our property. The legitimate interest of the Company is the protection of the Company's facilities, the safeguarding of its assets (materials and goods), the security of our personnel, the control and the blocking of access to the premises of persons unrelated to its operations. It is emphasized that the processing of the mentioned above data is absolutely necessary and cannot be completed with any other milder means but only for the above security purposes.
The collected data is retained for 48 hours and is then destroyed unless there is an incident and is therefore retained and transmitted immediately within 15 days at most to the relevant Police, Prosecution and Judicial Authorities.
At locations before the facilities’ entrance and within the range of the CCTV system, the Company has installed signs for the imminent entrance to a closed-circuit TV room and lists the information about the purpose of processing, the nature of the system used in the installation sites, the range and storage time interval.
6. Transmission of personal data outside the European Union
Your personal data is NOT transmitted outside of the European Economic Community.
7. Disclosure to third parties
Tottis Bingo SA does not discloses or transfers your personal data to third parties.
Tottis Bingo SA may disclose or transmit your data to third parties provided that the legal obligations for that purpose are met, namely when there is:
your previous consent as data subjects
Legal Obligation of Tottis Bingo SA to provide employee data to Corresponding State Agencies and Organizations and the relevant Judicial and Prosecution Authorities upon lawful and competent request
Legitimate interest of Tottis Bingo, to provide customer data and their transactions with our company to financial institutions
8. Τhe period for which your personal data will be stored
The Company retains your personal data for as long as the processing purpose persists, and after its expiration, the Company lawfully maintains your personal data when it is necessary to comply with a legal obligation under ΕU or national law (for example, Labor, Tax Insurance and Administrative Law) as well as in the case where the maintenance is necessary for the foundation, exercise or support of the legal claims of the Company.
9. What are your rights
Right of Access
You have the right to receive a) confirmation regarding the processing of your data, and b) a copy of your personal data
Right to rectification
You have the right to obtain from our Company the rectification of inaccurate personal data concerning you, or ask to have incomplete personal data completed, when they are inaccurate.
Right to erasure
You have the right to obtain from our Company the erasure of personal data concerning you, if you no longer wish to have such data processed and if there is no legitimate reason for the Company to own it as a controller
In particular, this right shall be exercised:
when the lawful basis for processing is your consent and you withdraw it, so the data should be deleted if there is no other lawful basis for processing.
when your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed or unlawfully processed or if you object to the processing and there are no compelling and legitimate reasons for processing
It should be noted, however, that this is not an absolute right, as the further retention of personal data by the Company is lawful when necessary for reasons such as compliance with a legal obligation of the Company or the foundation, exercise or support of legal claims.
Right to restriction of processing
As an alternative to the right to erasure and the right to object, you have the right to request that our Company processes your data only in specific cases.
When do you have this right?
- you invoke the inaccuracy your data, and the Company as Controller examines the request,
- the processing is unlawful,
- the data is no longer necessary for the purpose of processing, but you ask from our Company to retain it for the exercise and defense of your legal claims,
- You have exercised the right to objection and the Company as a controller is examining the existence of an overriding legal interest therein.
The exercise of this right may be combined with the right to rectification and the right to object.
a) If you request the rectification of your inaccurate data, you may request a restriction of processing for as long as the Company examines the rectification request,
b) If you request the right to objection, you may request at the same time the limitation of the processing for as long as the Company examines the counterclaim.
Right to data portability
You have the right to receive your personal data that has been processed by the Company as a controller in a structured, commonly used and machine readable format (for example XML, JSON, CSV, etc.). You also have the right to ask the Company to transmit this data to another processor without any objection
The right to portability can only be exercised by you when all of the following conditions are fulfilled : personal data are processed by automated means ( printed forms are excluded)
• the lawful basis for processing is either your consent or the performance of a contract to which you are a party (Article 6 (1) (c) of the GDPR);
• It is your own personal data as the data subject that are processed and has been provided by you.
• the exercise of the right does not adversely affect the rights and freedoms of others.
Right of objection
You have the right to oppose, at any time and for reasons related to your particular situation, to the processing of personal data concerning you when the processing is based either on (a task performed in the public interest) or on (if the company has a legitimate interest), including profiling
The Company will be required to stop such processing unless it demonstrates imperative and lawful reasons for processing that override your interests, rights and freedoms, or for the foundation, exercise or support of legal claims.
Right to non-automated individual decision making including profiling
If the Company needs to make a decision that produces legal effects for you based solely on automated processing the following apply :
• The Company as a controller may lawfully make such a decision only if you have given us your explicit consent or when the decision is necessary for the conclusion or performance of a contract between us or if such a decision is permitted by EU or national law, which provides for appropriate measures to protect the rights of the subject.
• If this decision is made as necessary for the conclusion or performance of a contract between us, namely the Company as a controller and you as the data subject or upon your explicit consent, you have the right to challenge this decision, so that the Company will be obliged to apply measures to protect your rights, ensure human interference in decision-making, or the right to express an opinion and challenge your decision as a subject of the data.
• If the Company intends to perform automated data processing, including profiling, it will provide you, upon receipt of your data (when collected by you) or in a reasonable time (when taken from another source) and the following additional information:
o whether and to what extent automated decision-making takes place, including profiling,
o on the logic followed,
o on the importance and predicted consequences of the processing,
o information on the subject's right to object, which is clearly and separately described from any other information.
• in any case of profiling, you are entitled to limit the processing at any stage,
• The Company will be required to delete the relevant personal data if the basis for profiling is your consent and it is revoked or if you exercise the right to delete its data and if there is no other legal basis for processing in accordance with the provisions of Regulation.
• You have the right to oppose at any time and for reasons related to your particular situation to the processing of your personal data when the processing is based on the legitimate interest of the Company, including profiling and the Company will cease submitting the personal data processed unless it demonstrates imperative and legitimate reasons for processing that override the interests, rights and freedoms of the subject or for the foundation, exercise or support of legal claims.
10. You have the right to submit a Complaint to the (Personal) Data Protection Authority
If you find that your personal data is being processed unlawfully or your personal data has been violated, provided that you have previously contacted the DPO for the matter and you have exercised your rights towards the Company, and you either did not receive a reply within one month (extending the deadline to two months in the case of a complex request) and either you believe that the answer you received from the Company is inadequate and your issue is not resolved, you can contact the Data Protection Authority Kifissias Avenue 1-3 TK 11523 Athens email@example.com, fax 2106475628 for more information see the Web Portal www.dpa.gr.
The Company shall implement appropriate technical and organizational measures to ensure an adequate level of protection of personal data in order to prevent the destruction, loss, alteration during any unauthorized access, disclosure or transmission to a non-entitled person or entity in any way.
The Company does have business continuity and disaster recovery plans that are periodically tested and updated and has in fact established and implemented appropriate policies and procedures for the security and protection of the data it processes.
In addition to this, the Company has reviewed the contracts it holds with processors to force them to respect your personal data under the GDPR by taking and enforcing measures to secure them from risks of destruction of loss of altered unauthorized access to disclosure or transmission to a non-entitled person or entity in any way and by signing compliance with a confidentiality clause.
* WP29: Established under Article 29 of Directive 95/46 / EC on the protection of individuals about the processing of personal data and on the free movement of such data. The Group is advisory to the European Commission but is independent. It is composed of a representative of the Data Protection Authorities of each Member State and examines issues of particular gravity or issues of particular interest in the protection of personal data falling within the first pillar of the EU. Consideration of these issues takes place either at the request of the European Commission either on a proposal from the members of the Group. The Group publishes opinions and working papers. Already after the application of the 2016/679 Regulation, it functions as the European Data Protection Board.