As of May 25th 2018, the General Data Protection Regulation (hereinafter referred to as the GDPR or the Regulation) applies. The Regulation has a wide scope and, as was the case with the previous legislation (i.e. Law 2472/97 on the “protection of natural persons against the processing of their personal information”), our Business falls within the said scope.
1. Material scope
The Regulation applies to the processing of personal data wholly or partly by automated means, i.e. to any information that concerns an identified or an identifiable natural person.
“Personal data” means any information relating to an identified or an identifiable natural person (“data subject”) such as full name, email, TIN, etc.; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as IP, email etc.) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Regulation applies also to the non-automated processing of such data that are included or intended to be included in a filing system.
2. Duty of Confidentiality
The Business has the duty of confidentiality that arises from the security standards provided in particular in article 32 of the Regulation.
3. Personal data on the e-shop
The data controller processes personal data, i.e. information on the customers such as full names, addresses, etc.
4. Compliance review as to the material requirements
4.1 The e-shop and the business, as well as any data controller (i.e. the natural or legal entity that determines the scope and the means of processing), must check their compliance with the requirements of the Regulation. These requirements refer in principle to the legal basis and the principles of processing.
4.2 Legal basis:
a) The data retention and processing exclusively serves the execution of the distance selling contract.
b) Consent has been given for the retention of the personal data according to the provisions of the Regulation and it refers to the scope that falls within the performance of the mutual obligations arising from the distance selling contract.
4.3 Data minimization principle: Only those personal data are collected and processed which are strictly necessary, required and appropriate for the scope of the transaction.
4.4 Retention and deletion: The data are deleted/destroyed when they are no longer necessary for the fulfillment of the purpose for which they were collected and the fulfillment of other legal purposes (e.g. tax controls).
4.5 Access restrictions: The personal data of the customers of the business shall only be accessed by the business and specially appointed employees – partners thereof that shall be bound by a confidentiality duty.
5. Transparency – notification obligations
According to the provisions of the GDPR, the business and this website inform their customers (data subjects) of the collection and processing of personal data as follows:
a) The data controller is the manager of the e-shop Ioannis Iliadis.
b) The retention and processing occurs only in the course of the distance selling contract and for serving the scope thereof as the Law provides.
c) The data remain available to the business for as long as it is necessary for the execution of the said contract as well as for tax purposes and then they are deleted.
d) Data are not transferred to third parties for purposes other than those aforementioned and shall not be used, let alone be transferred to any third party, for commercial and advertising purposes.
6. Rights of the data subjects
The users-customers / data subjects reserve the:
a. Right of access: The data subject has the right to know whether the data are processed, in what way and for which purpose.
b. Right to rectification – update: The data subject has the right to ask for the correction of inaccurate/missing data.
c. Right to erasure (right to be forgotten): The data subject has the right to ask for the erasure upon the completion of the contract and the performance of the obligations of both parties, under the condition that the data are not necessary and that their storage is not provided by law.
d. Right to restriction of processing
e. Right to object
f. Notification on the exercise of the rights and the filing of requests and complaints to the Business
g. Notification on the right to withdraw the consent under the condition that the processing of the data is based on the said consent.
h. Notification on the right to file a complaint before the Hellenic Data Protection Authority in writing (Kifisias 1-3, P.C. 115 23, Athens) or by email (www.dpa.gr) after the filing of the complaint before the data controller or the data protection officer (DPO).
7. Conclusion of contracts with the data processors
The Business might assign to third parties the processing of personal data on our behalf in the course and under the restrictions set out herein and by the relevant national and European legislation.
These might be different natural persons (other than the personnel of the Business) or companies that provide services: notary public, accountants/accounting firms, bailiffs, mailing companies, software maintenance/support companies etc. The processors are obliged to comply with the instructions of the Business as to the processing of the personal data and comply with their obligations arising from article 28 of the Regulation.
9. Security measures
The Business and the body thereof as data controller introduce all the necessary technical and structural security measures for the protection of personal data which are collected, kept, used etc. in order to protect them especially against any random or illegal destruction, loss, alteration, unauthorized dissemination/publication or access by an unauthorized person (protection against malware, viruses, system attacks, data deterioration etc.).
To exercise your rights, you shall address your request to the data controller of the Business by sending an email to the address firstname.lastname@example.org or by mail to our address: