Privacy Policy

Personal Data Protection and Privacy Policy 

of the sole proprietorship with the name “MITSOU NIKOLAOS” and the distinctive title “MITSOU”, located in Stavroupoli, Thessaloniki, at 137 Oraiokastro Street, tel: 2310-669355, with VAT number 069516006 (D.O.Y. E΄ Thessaloniki)

 

I. INTRODUCTION

      This Privacy and Data Protection Policy covers and concerns the conditions of collection and management of your personal data by the individual enterprise with the distinctive title “MITSOU”.

      This policy aims to inform you about the collection and processing of your personal data by our company, how it can be used and disclosed, how you can control the use and disclosure of your data, how it is protected, as well as the actions you can take if you do not want your personal data to be collected or further processed.

      This Policy is an integral part of our company’s General Policy on Personal Data Protection and is subject to periodic improvement and revision. Any changes to this Policy will apply to the information collected from the date of publication of the revised version, and to the existing data we hold. This Policy is also published on our website. The use of our website, as well as the reception of our services, implies unconditional acceptance of this Policy. In the event of any disagreement with the terms of this Policy, as it may be amended, please stop receiving the services, as well as using our website.

Scope of application

      This Policy applies to all your dealings with our business in order to safeguard and protect your personal data. Specifically, with regard to the use of our website, we note that it contains links to other websites; however, it is expressly stated that this Policy does not apply to data collected through another website. Our company is not responsible for the personal data protection practices of third parties and websites and we recommend that you always read the personal data protection & privacy policy and the terms of use of each website you visit.

II. COLLECTION AND PROCESSING OF PERSONAL DATA

1. DEFINITION OF PERSONAL DATA

 

Personal Data is any information relating to the data subject, i.e. any natural person to whom the data refer and whose identity is known or can be verified. Such data include, for example, the name, address, date of birth and gender of the user, mobile phone number, e-mail address, as well as usage data, such as, but not limited to, the member name, password and IP address, and all of the following. 

2. PERSONAL DATA WE COLLECT

Our company collects, stores and processes the following necessary personal data, as appropriate:

  

Identification and contact details of natural persons

full name, postal address, email address, telephone number, tax identification number (TIN), professional status, cookies, IP address, 

  

Financial Information, Pricing & Information necessary for the payment of employees’ remuneration & data necessary for the fulfilment of the company’s obligations before tax, insurance and other bodies

Tax ID, Tax Office, bank account number and details (IBAN) or other financial account (e.g. PayPal, Viva etc.), service / order / supply history, number of days and hours of work / leave, reasons for leave, medical certificates in case of sick leave, pregnancy or maternity leave, supply / purchase / service contracts, employment contracts and other contracts

  

Image, phone call & mail recording data

CCTV recording data collected from CCTV equipment on the premises and recording of the surname and name of those calling the business from the call centre, correspondence history (conventional or electronic)

  
  

3. PRINCIPLES GOVERNING THE PROCESSING

      The protection of personal data is very important to our business. We ensure full compliance with the applicable Data Protection Legal Framework, including the General Data Protection Regulation (GDPR) and process personal data in accordance with the applicable basic principles. In this context, we ensure that personal data:

  • are processed lawfully and fairly in a transparent manner in relation to the data subjects;
  • are collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
  • are appropriate, relevant and limited to what is necessary for the purposes for which they are processed;
  • are accurate and, where necessary, updated;
  • are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing of personal data;
  • are processed in a manner which ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by taking appropriate technical and organisational measures;
  • are not transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects with regard to the processing of personal data or the transfers are subject to appropriate safeguards or fulfil other specific conditions laid down by applicable law.

 

4. LEGAL BASES FOR DATA PROCESSING 

The processing of data by our company is based on one (or more) of the following legal bases: 

  • Contractual obligation: the processing is necessary for the performance of the contract or to take measures at your request prior to the conclusion of the contract.
  • Legal obligation: processing is necessary to comply with our legal obligations.
  • Protection of legitimate interests: processing is necessary for the pursuit of the legitimate interests of our business or the legitimate interests of a third party.
  • Obligation or right under applicable labour, tax and insurance legislation: the processing of specific categories of data of the data subject is necessary for the performance of obligations and the exercise of specific rights.
  • To establish, exercise or uphold legal claims: processing is based on our right to pursue legal claims.
  • Consent: in cases where required by law or where none of the other legal bases apply, our company will lawfully process the data with the written consent of the data subject. Consent will be provided upon informing the subject. The subject will be able to freely and voluntarily choose to provide consent and will be able to withdraw it at any time.


5. PURPOSES OF COLLECTION AND PROCESSING OF PERSONAL DATA   

Our business collects personal data when it is absolutely necessary and the purpose is legitimate and has been previously identified. The information is the legal basis on which we base the relevant procedures. Below you will find more information about the purposes of processing and the legal basis:

Purpose of processing

Why we collect data to serve the above purpose

Service and Information for customers / suppliers & third parties 

When you contact us to receive information, we store the information you provide in order to offer you personalised services that meet your individual needs. For example, if you contact us, we will store the reason you called us, information regarding the quality of our service, date and time of the call, etc. Depending on the reason you called us, the personal data we will store may differ. In order to improve the service we offer you, we store the communication in your account. In this way, we can respond to you faster and more satisfactorily.

Categories of personal data:

Identification and contact details of natural and legal persons

Financial information & pricing data

Image and telephone call recording data

 Data are collected and processed pursuant to Article 6 GDPR:

a) the data subject has consented to the processing of his or her personal data for one or more specified purposes; b) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take measures at the request of the data subject prior to the conclusion of the contract.

Procedures for Ordering, Supply and Delivery of Products

When we receive orders or supplies we collect and process the necessary personal data by storing the communication in your account in order to improve the services we provide and receive and our excellent cooperation by offering you personalized services.   

Categories of personal data:

Identification and contact details of natural and legal persons

Financial information & pricing data

Image and telephone call recording data

Health data

The data are collected and processed pursuant to Article 6 of the GDPR: a) the data subject has consented to the processing of his or her personal data for one or more specified purposes; b) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to the conclusion of the contract.

Security and Transaction Protection

Our company attaches maximum importance to the security and protection of transactions, which are carried out either with your physical presence or remotely. When you use our website e-mitsou.gr, your transactions are secured through the SSL protocol. In addition, all information sent with the SSL protocol is protected by a mechanism that automatically verifies whether the data has been modified during transmission. In transactions carried out by telephone, the security of transactions is ensured by the use of a telephone call recording system.

When transactions are carried out in your physical presence, the transactions are secured by recording them via a closed-circuit television system.

 

Categories of personal data:

Identification and contact details of natural and legal persons

Image and telephone call recording data

Data are collected and processed pursuant to Article 6 GDPR:

a) the data subject has consented to the processing of his or her personal data for one or more specified purposes; b) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take measures at the request of the data subject prior to the conclusion of the contract & Article 24 GDPR: 1. Such measures shall be reviewed and updated when necessary.

Promotional data

These personal data are used for the purpose of information, promotion and marketing communication of products and services, as well as surveys for quality assessment and market research, including by automated means (e.g. by telephone, SMS, MMS, fax, e-mail applications and internet), including by electronic means, on behaviour and consumption habits in order to improve the services provided, to meet specific needs and to formulate business proposals of interest. This data is also used for the purpose of personalised analysis of your consumer behaviour and to send you commercial communications with personalised offers for our products or services according to your preferences so that you can receive personalised updates and offers that best suit your profile and preferences.

Categories of personal data:

Identification and contact details of natural and legal persons

The data are collected and processed pursuant to Article 6 of the GDPR: a) the data subject has consented to the processing of his or her personal data for one or more specified purposes; b) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take measures at the request of the data subject prior to the conclusion of the contract.

Employee data

We process the data of our employees and those who wish to work with us for the purpose of the recruitment process, the assessment of formal qualifications, the performance of our obligations arising from the employment contract or by law, such as the payment of wages, the provision of vacation days, the provision of benefits, ensuring the health and safety of employees, the provision of benefits provided for in the employment contract, the mandatory disclosure of employees’ data to tax authorities, local authorities and other organisations, the provision of information on employees, and the provision of services to employees.

Categories of personal data:

Identification and contact details of natural persons

CV details

Financial information  

Image and telephone call recording data

Attendance list

The data are collected and processed pursuant to Article 6 of the GDPR: a) the data subject has consented to the processing of his or her personal data for one or more specified purposes; b) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take measures at the request of the data subject prior to the conclusion of the contract.

6. TRANSFER OF PERSONAL DATA TO THIRD PARTIES

        Our company limits access and processing of data only to authorized employees and partners for the fulfillment of the above purposes. Our company, as the controller, assures you that the personal data you provide to us will not be processed further than is required by the company, nor processed in a manner inconsistent with the above purpose. Access is graded according to their position and duties and is limited to the data necessary for the purposes of the specific processing they have undertaken. We may transfer your data to our business partners when this is necessary for the purposes of the specific processing. In these cases, our partners will either act as data controllers, determining the means and purposes of the processing, or they will act as processors on behalf of our business. In both cases, this notice applies.  

Outside our business, we transfer as much data as is necessary for the purposes of the processing to the following categories of recipients:  

  • Third parties that provide services to us, such as IT companies that provide technical services to us, such as hosting and technical support services, payroll service providers, telecommunications companies, credit institutions, tax and legal advisors, facility security service providers, insurance companies. The details of third parties are available on request.
  • to regulatory, tax or other authorities or public bodies or courts, when required by law or regulation or by order of them
  • to partners when necessary for the communication and execution of the transactions requested. For example, we reserve the right to transfer your personal data for the above purposes to the transport companies listed, to credit card providers to process a payment on your behalf as a result of your purchase.
  • to third parties – natural or legal persons – who may provide on our behalf promotion and marketing services for our business and our products or services
  • to third parties who conduct audits of us in the context of our regulatory obligations, customer relationships or obligations under applicable law.

We inform you that the above categories of recipients of your personal data are processors on our behalf and therefore as such they do not process your data beyond the purposes of the transfer mentioned above.

7. COLLECTION OF DATA WHEN YOU VISIT THE WEBSITE

When you visit the website only for information, i.e. no personal account is opened for any orders or none of your personal data is given (e.g. contact form), then the only data we collect are those that your browser transfers to our server, the so-called server log files, namely:

  • Date and time at the time of entering the website.
  • The volume of data sent in bytes.
  • The browser you used when you entered the website.
  • The operating system you used when you entered the website.
  • Your Internet Protocol (IP) address when you enter the website.

The processing of data is carried out in accordance with Article 6 par. 1(f) of the General Data Protection Regulation (GDPR) based on our legitimate interest in improving the stability and functionality of our website. The data will not be transferred or used in any other way. However, we reserve the right to check server log files if we find specific indications of illegal use.

8. COOKIE POLICY

When you log on to our website, we receive certain information (cookies) in order to offer you personalised services that meet your individual needs. Cookies are data files that are transferred from a web server to the computer of the person visiting the Site for statistical purposes. Cookies are an industry standard, are used by most web sites and facilitate repeat access and use of a particular web site by users. They are not harmful to your computer system or your files and only the website from which a particular cookie was transferred to your computer has the ability to read, modify or delete it. Depending on the options given to you by the browser you use, you can allow cookies to be installed, disable/delete existing ones or be notified each time you receive cookies. Instructions for managing and deleting cookies are usually found within the browser’s “Help”, “Tools” or “Edit” menu. You can also find more detailed guidance on the European Commission’s website (http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm), which explains in detail how to control and delete cookies in most browsers. Please note that generally disabling cookies may lead to functional limitations of our website. Please read our General Terms of Use in order to understand in more detail the cookies and similar tools we use, their purpose and other information of interest to you.

9. CONTACT FORM

In the context of communication between us (e.g. via the contact form or e-mail), personal data is collected. The data collected in this case is exactly what you fill in on the specific contact form. These data are stored and used exclusively for the response to your request or for contact and technical management by us. The legal basis for the processing of this personal data is our legitimate interest in responding to your request, which finds application in Article 6(1) of the General Data Protection Regulation (GDPR). If the communication is aimed at concluding a contract between us, then the additional legal basis is based on Article 6(1)(b) of the General Data Protection Regulation (GDPR). Your data will be deleted after the final processing of our communication, unless you declare that you consent to further communication and the sending of informative messages about our company and its products. 

10. PROCESSING OF DATA WHEN OPENING A CUSTOMER ACCOUNT 

Pursuant to Article 6(1)(b) of the General Data Protection Regulation (GDPR), your personal data will continue to be collected and processed if you provide them to us for the performance of a contract or for the opening of a customer account. Which data is collected can be seen from the respective entry forms. It is possible to delete the customer account at any time. This can be done by sending a message to the aforementioned controller address. After the contract has been fully processed, your data will be blocked and deleted, unless you have explicitly given your consent to further use of your data, or you have legally accepted the further binding and use of it by our website.

11. DATA PROCESSING FOR THE HANDLING OF PAYMENTS AND ORDERS

In order to process your order, we work with service providers who support us in whole or in part in the performance of the contracts we have entered into. Certain personal data is transferred to service providers in accordance with the following information.

The personal data collected by us will be transmitted to the transport company entrusted with the delivery to the extent necessary for the delivery of the goods. We will transfer your payment data to the authorised credit institution as part of the payment processing, if this is necessary to handle payments. The legal basis for the data transfer is based on Article 6 (1) (b) of the General Data Protection Regulation (GDPR).

12. WEB ANALYSIS SERVICES

Google Analytics

This website uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses so-called cookies, which are text files stored on your computer, to help analyse how users use our website. The information generated by cookies about your use of this website (including your IP address) is generally transmitted to a Google server in the USA and stored there.

On our behalf, Google will use this information to evaluate your use of the website, compile reports on website activity and provide other services relating to website and internet usage. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data.

You can refuse the use of cookies by selecting the appropriate settings in your browser, as listed above. However, we should point out that in this case, you may not be able to use the full functionality of this website. You can permanently refuse to allow Google to collect data generated by cookies about your use of the website (including your IP address) and to process it. You can download and install the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en=GB

More information on how the above service works can be found here: https://support.google.com/analytics/answer/6004245?hl=en

13. USER CONSENT

By conducting any transaction and using any of our Services in accordance with the MITSOU Terms of Use, you consent to this Personal Data Protection and Privacy Policy. Otherwise, please refrain immediately from any transaction with us and inform us accordingly.

 

14. TRANSFER AND STORAGE OF PERSONAL DATA 

The storage of your personal data is carried out using appropriate technical and organisational means in order to safeguard them. The transfer of your data is encrypted using the SSL (Secure Sockets Layer) protocol designed to provide security when transmitting sensitive data over the Internet. The company with the distinctive title “MITSOU” does not store and does not control your credit card data.

We are committed to protecting the information of our users. We implement appropriate technical and organizational measures to protect the security of your personal data. However, we point out that no system is completely secure. We have implemented various policies, such as encryption, access and retention policies to protect against unauthorized access and unnecessary retention of personal data on our systems.

The password protects your user account, so we recommend that you use a unique and strong password, restrict access to your computer and the browser you use, and log out after using our website.

15. TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EEA

Our business processes your data within the European Union. However, we work with some service providers, including but not limited to Google, Microsoft, Facebook, Instagram, Twitter, LinkedIn, Dropbox and Onedrive, as well as with our suppliers from outside the European Union (EU) and the European Economic Area (EEA). In any case, we would like to point out that our company fully applies the applicable provisions of the GDPR on the transfer of personal data outside the EU and the EEA and that all recipients of data must take into account these requirements and adapt to the criteria and conditions as set out in Article 44 et seq. of the GDPR.

16. PERIOD OF RETENTION AND PROCESSING OF PERSONAL DATA 

   Nevertheless, the above necessary personal data relating to the transactional relations with the company will be kept for as long as required from the conclusion of the respective contract, for the fulfilment of the respective purpose of processing and/or as required for the compliance of the company with any obligation to keep records, as provided by the respective applicable legislation or until the limitation period of any claims (even from a claim under the provision of 904 A.K.).  Once the limitation period for any claim has expired, we will proceed to delete the personal data. Indicatively, our company will retain: 

 

As for our employees:

  1. identification and contact details for a period of 6 years from the end of the employment contract
  2. CV data for a period of 1 year from the application for employment and, in case of recruitment, for as long as the employment contract remains in force
  3. financial information and information necessary for the payment of employees’ remuneration & information necessary for the fulfilment of the company’s obligations for a period of 20 years from the end of the employment contract
  4. image & correspondence log data for a period of two months from the date of receipt

As for our customers:

  1. identification and contact details for a period of 6 years from the last transaction
  2. financial information, invoicing data & data necessary for the fulfilment of the company’s obligations for a period of 20 years from the last transaction
  3. image recording data, telephone calls & correspondence for a period of two months from the date of their reception

As for our suppliers:

  1. identification and contact details for a period of 6 years from the last transaction
  2. financial information, invoicing data & data necessary for the fulfilment of the company’s obligations for a period of 20 years from the last transaction
  3. image recording data, telephone calls & correspondence for a period of two months from the date of their reception

As for our external partners:

  1. identification and contact details for a period of 6 years from the last transaction
  2. financial information, invoicing data & data necessary for the fulfilment of the company’s obligations for a period of 20 years from the last transaction
  3. image, telephone call and correspondence recording data for a period of two months from the date of receipt

 (Personal Data Protection Authority) +302106475600, Email: contact@dpa.gr.

  

17. RIGHTS OF THE DATA SUBJECT

 

Our business safeguards your rights regarding the processing of personal data and the exercise of those rights. You have the following rights:

  • Right of access to data: The right to request access to personal data, in accordance with Article 15 of the GDPR. The request for access may concern the purposes of the processing, the categories of personal data concerned, the recipients to whom the data have been or will be communicated, the period for which the data will be stored, the existence of a right to rectification or erasure or restriction of processing or a right to object to processing, information on the origin of the data, and the existence of a right of access to the data.
  • Right to rectification: the right to demand the correction of inaccurate data and the completion of incomplete data in accordance with Article 16 of the GDPR.
  • Right to restrict processing: Right to request the restriction of processing of personal data, under the conditions of Article 18 GDPR.
  • Right to object to processing: the right to object at any time and on grounds relating to the data subject’s particular situation to the processing of personal data where the processing is based on Article 6(1)(e) or (f) of the GDPR.
  • Right to be forgotten: When the data subject no longer wishes personal data to be processed and kept, he or she has the right to request their erasure, provided that the data are not kept for a specific legitimate and stated purpose in accordance with Article 17 GDPR.
  • Right to data portability: the right to receive or request the transfer of data in a structured and machine-readable format to another controller, if he or she so wishes, in accordance with Article 20 GDPR.
  • Right to complain: In order to exercise the above rights, the data subject may contact the Personal Data Protection Authority (1-3 Kifissias Street, P.C. 115 23, Athens, +302106475600, contact@dpa.gr).

 

18. APPLICABLE LAW – JURISDICTION

This policy, and the terms of use of our company’s website and transactions in general, are governed by Greek law. Any dispute that may arise falls under the jurisdiction of the competent courts of the city of Thessaloniki.

In any case, if you believe that the protection of your personal data has been violated in any way, you have the right to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr) 

19. UPDATE 

 

   This policy and all documents related to it are reviewed and revised periodically, where necessary, by the Data Protection Officer. You should therefore visit our website for information. 

The last revision of the Terms of Use was made on 30/9/2021.