PERSONAL DATA PROTECTION STATEMENT
PRIVACY POLICY

1. Introduction
The company “24 shopen A.E” (hereinafter referred to as the “Company”) always prioritizes the protection of the consumer, respecting both their Privacy and their personal data, by employing all appropriate and effective means and adhering to the relevant European and national legislative framework for the protection of personal data, as well as the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the “Regulation”), in order to engage in lawful processing of personal data.

With this Personal Data Protection Statement, we inform you in a clear, understandable, transparent, and easily accessible manner about the type of personal data collected by our Company, the purpose for which it is collected, the duration of its processing, and your rights as data subjects.

The provision of your personal information to us requires your unambiguous acceptance of this Privacy Policy and your explicit consent for the collection, use, and processing of your personal information. If you do not agree with this, please do not proceed with providing your personal data.

This policy will be reviewed and updated in accordance with amendments to the applicable national and EU legislation on the protection of personal data of individuals.

2. Data Controller
The company 24 shopen A.E, located at VI.PE. Markopoulou, Stroggyli Area, Dorovateza, Markopoulo Mesogaias, Attica, Postal Code: 19003, telephone: 2107707415, and email: contact@24shopen.com, is responsible for the processing of your personal data.

3. General Principles of Processing
The company processes your personal data in a lawful and transparent manner. The processing is done for specific, explicit, and lawful purposes, and your personal data is never subjected to further processing that is incompatible with these purposes. The company ensures that the personal data it collects is necessary for the respective processing purpose. Additionally, your personal data is kept in identifiable form only for the required period of time for processing purposes and for the fulfillment of legal purposes. Finally, the data is processed using appropriate technical measures to ensure their security.

Personal Data Collected by the Company – Purpose – Duration of Collection
The company may process the personal data of its employees, customers, partners, and any other individuals it interacts with in any way. Specifically, it may process the following categories of personal data:

Identity data (full name), contact data (address, phone, email), as well as details of completed purchases.

This data is collected when filling out a physical or electronic form for the issuance and use of the loyalty card and results in privileges and discounts on the purchases made, as well as participation in lotteries and competitions organized by the company, and general communication with you, in accordance with the terms of use of the card. The legal basis for processing the mentioned personal data is the lawful performance of the contract and the legitimate interests of the company. Identity data is retained for the duration of the active loyalty card, and the details of completed purchases of each subject’s data are retained for two years from the respective purchase.

4. Contact details (full name, phone, email, reason for contact).
This data is obtained from the data subjects themselves, initiated by them to communicate with the company, for example, by completing an electronic form with their corresponding request for optimal service. Similarly, through phone, email, and/or the use of social media. The legal basis for processing is the consent of the data subjects to help the company understand the needs of consumers and further improve the quality of its services. This data is retained for six months from the communication.

Participation data in competitions (full name, loyalty card number, details of completed purchases, email, social media ID).

This data is necessary for the conduct of the respective competition or any promotional activity according to the specific Terms and Conditions of each competition. The legal basis for processing is the legitimate interest of the company in promoting its products, the consent for participation declaration, and the relevant communication with the participants. This data is retained for six months after the announcement of the winners of each competition.

5. Image data.
This data is obtained through a closed circuit television system located in our facilities, stores, warehouses, and offices. The legal basis for processing is to ensure our legitimate interests in the security of both the data subjects and the facilities, so as to prevent any form of criminal offenses. Image data is lawfully retained for a minimum necessary period of fifteen (15) days.

Identification and financial data (full name, phone number, address, VAT number, tax office, profession).

This data is collected based on your declaration, with the purpose of entering into a contract for issuing the necessary tax documents. The legal basis for processing is the execution of the contract and compliance with tax legislation or other applicable laws, as well as for managing and resolving any legal or extra-judicial disputes between us. This data is retained in accordance with the provisions of the respective legislation.

Visitor connection data to our website (online identification, IP address).

During your visit/navigation on our website, the Company uses cookies and related technologies to facilitate the use of the website’s services, as well as for statistical purposes. The legal basis for this processing is our legitimate interest in optimizing our products and services.

6. Curriculum vitae (CV).
This data is collected upon the request of the data subject for inclusion in the Company’s personnel selection process. The legal basis for processing is taking pre-contractual measures at the request of the prospective employee before the conclusion of an employment contract and our legitimate interest in managing employment applications. The data is retained for 12 months from their submission.

7. Special categories of personal data (sensitive personal data).
In exceptional cases only, the Company may collect and process data concerning health based on existing labor and social security legislation.

8. Data of minors.
The Company does not knowingly process personal data of minors. It should be noted that the duration of data processing may be extended to comply with a legal obligation based on current legislation, to fulfill duties performed in the public interest or in the exercise of public authority assigned to the Company, for reasons of public interest, for archiving purposes in the public interest, or for scientific or historical research purposes, or for statistical purposes, with the implementation of appropriate technical and organizational measures and based on the principle of data minimization, including pseudonymization and anonymization, as provided for in the applicable Regulation.

9. Data recipients.
The Company does not disclose personal data to third parties. They may be transferred only to selected cooperating companies that process the data on its behalf and provide sufficient assurances for the application of appropriate technical and organizational measures to meet the requirements of the Regulation and ensure the protection of the rights of data subjects. These external partners may be marketing partners, security services providers, certification bodies, employees of a cooperating courier company, etc.
Right to Rectification

Data Subjects have the right to request the Company to rectify their data if any element of the data for which they have the right of processing has changed or has been inaccurately recorded.

10. Right to Erasure
Data Subjects have the right to request the Company to fully or partially erase their data, in cases where the Company has the right of retention and processing, either because the data is no longer necessary for the purposes for which it was collected, or because the Data Subject withdraws their consent, or because the data was collected for an unlawful purpose. Our Company will respond to your request for total or partial erasure of your data, or regarding the inability to erase specific data, within a reasonable time (not exceeding one month and under certain conditions not exceeding a total of three months), confirming the erasure or restriction of your data respectively, or providing information on the inability to erase specific data due to reasons of public interest or for the exercise or support of a legal claim. In this case, you have the right to lodge a complaint with the supervisory authority, as well as the right to seek judicial remedies.

11. Right to Restriction
Data Subjects have the right to request the Company to restrict the processing of their data, quantitatively, temporally, or in relation to the purpose of processing. Specifically, this includes cases where they dispute the accuracy of their data and the Company requires time to verify their accuracy, or cases where they consider the processing to be illegal, but instead of erasure, they choose restriction, or cases where the data is no longer necessary for the Company but they do not wish for it to be erased, as its retention will serve a legal claim, or in cases where they have objections to the processing of their data and until it is verified whether their rights as Data Subjects prevail over the lawful grounds for the Company’s processing.

12. Right to Portability
Data Subjects have the right to request the Company to provide them with their personal data that they have provided to the Company in a structured, commonly used, and machine-readable format, as well as the right to transmit this data to another controller without hindrance, provided that the processing is based on consent.

13. Right to Object
Data Subjects have the right to object to the use of their processed data, unless the Company demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the Data Subjects or for the establishment, exercise, or defense of legal claims. For the exercise of these rights, you can easily contact us at the email address dpo@24shopen.com. For handling Data Subjects’ requests, the Company may request verification of their identity. Please note that you can file a complaint with the competent Personal Data Protection Authority (PDPA) for any complaint regarding the processing of personal data, using the following contact information: email contact@dpa.gr, telephone number 210 6475600, postal address: Kifisias Avenue, No. 1-3, Postal Code 115 23, Athens.

14. Cookies or similar technologies.
Our website uses “cookies” to distinguish you from other visitors, record your IP address, and track how you use the website. Cookies are small files that are stored on your computer’s hard drive. You can disable cookies by changing your browser settings. However, please note that disabling cookies may affect the functionality of the website and your user experience. For more information on how we use cookies, please refer to our Cookies Policy.