For the purposes of this Policy, the following terms shall be defined as set out below:
‘Personal Data’: any information related to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Special categories of personal data’: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
‘Processing’: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Anonymization’: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject;
‘Pseudonymisation’: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that it cannot be attributed to an identified or identifiable natural person;
‘Controller’: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; In this particular case, the applicable body from time to time shall act as the Controller.
‘Processor’: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; In this particular case, the Company shall act as the Processor.
‘Data Subject’: the natural person whose personal data are subject to processing. In this particular case, each Electobox user shall be deemed a data subject.
‘Consent of the data subject΄: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
’Personal data breach’: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthoris
‘Applicable legislation’: The national and Union law in force from time to time on the protection of personal data and, specifically, the General Data Protection Regulation (EU) 2016/679 (hereinafter ‘GDPR’), Greek Law 4624/2019, as well as the Decisions, Guidelines and Opinions issued by the Data Protection Authority (hereinafter ‘DPA’).
Personal Data Collected and Processed by us, Processing Purpose and Legal Ground for Processing
1.1) Personal data collected through the contact form
1.2) Processing Purpose and Legal Ground for Processing
The purpose of processing and collecting the said personal data is the performance of the contractual obligations undertaken by Electobox vis-à-vis the applicable organization. The legal ground for the processing of personal data is the performance of contractual obligations (GDPR article 6 (1) (b)).
2.1) Personal data collected via the 'Get Started' field
2.2) Processing Purpose and Legal Ground for Processing
The purpose of collecting and processing the said personal data is to achieve an optimal response and inform users on how to organize a voting via Electobox. The legal ground for processing personal data is the Company's legitimate interest to improve the services provided to the users of the Platform (GDPR, article 6 (1) (f)).
3.2) Processing Purpose and Legal Ground for Processing.
The purpose of collecting and processing the said data is to improve the Website's operability and the services provided as well as to analyse its traffic. The legal ground for personal data processing is the user's consent (GDPR article 6 (1) (a)), which is provided by accepting the said cookies, with the exception of the absolutely necessary cookies, which are permanently installed and are absolutely necessary for the Website's operation and are based on the Company's legitimate interest as their legal ground for processing (GDPR article 6 (1) (f)).
4.1) Personal data collected when you visit the Website.
When you visit the Website, we collect information communicated by your browser to the Website’s host server. Among others, this information includes your IP address, date and time of your visit to the Website, the type of browser you use, your operating system and the total data sent by you in Bytes.
4.2) Processing Purpose and Legal Ground for Processing.
The purpose of collecting and processing the said personal data is to ensure the security of networks, information and services in terms of fortuitous events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data. The legal ground for processing personal data is the Company's legitimate interest to protect and improve the services provided to the users of the Website (GDPR, article 6 (1) (f)).
Personal data of Underaged Users
Electobox does not address underaged persons and does not wish to collect and process the personal data of underaged persons (i.e. persons that have not completed their 18th year of age). However, because it is impossible to cross check and verify the age of Electobox users, we urge the parents/custodians of underaged persons, in the event they find out of any unauthorized data disclosure on the part of the underaged persons in their care, to communicate promptly with the Company so that the latter may take the necessary protection measures (e.g. delete their data). In the event that Electobox becomes aware of having collected the personal data of an underaged person, it undertakes to delete them immediately and take every necessary measure for the protection of such data.
Transfers to Third Parties
Electobox may transfer the foregoing personal data to third parties to whom it has assigned the processing of personal data on the behalf of the Company (such as service providers, analysis and information providers who help us improve and optimize Electobox, email and sms providers, etc.). In any event, third parties to whom user data may be transferred shall be bound by contract vis-à-vis Electobox so that the confidentiality obligation is ensured together with all the obligations set forth by the Applicable Legislation. At the same time, user personal data may be transferred to public authorities, independent authorities, etc. (e.g. police stations, public prosecution authorities, court authorities, tax authorities, customs authorities, the DAP, etc.) when said authorities exercise their duties by operation of law or upon the request of a third party stating a legitimate interest, in adherence to all legal procedures.
Personal Data Transfers to non-EU countries
n the event of transfers of user personal data collected via Electobox to non-EU and/or non-EEA countries, Electobox shall check beforehand whether:
(a) the Commission has issued a relevant adequacy decision with regard to the third country which the transfer shall take place to.
(b) The appropriate safeguards are implemented according to the Regulation with regard to the said data transfers.
Otherwise, the transfer to a third country shall not be permitted and Electobox shall not transfer user personal data to the said country, unless any of the specific derogations provided for by GDPR applies (e.g. the user's explicit consent and the user being informed on the risks entailed in the transfer, where the transfer is necessary for the performance of a contract upon the data subject's request, for reasons of public interest, where the transfer is necessary to defend legal claims and vital interests of the user, etc.).
Period of Data Retention
The personal data of users shall be collected and kept for a pre-determined and limited period, depending on the processing purpose, after which the data shall be deleted from our records. When processing is imposed as an obligation by current law provisions or a specific retention period is provided for, your personal data shall be stored for the period set forth by the respective provisions. The personal data of users which are collected and are subject to processing for the performance of a contract, shall be kept for as long as necessary for the performance of the contract and for the establishment, exercise or defence of legal claims based on the contract. The personal data of users which are subject to processing for marketing reasons following user consent shall be kept until such consent is withdrawn, without such withdrawal affecting the lawfulness of processing theretofore.
Personal Data Security
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of users posed by the processing, the Company shall implement the necessary technical and organisational measures in order to protect the personal data of the users. Although no method of transferring data through the Internet or online storage method is perfectly secure, Electobox shall take all the necessary digital security measures for the data, such as the use of SSL certification, encryption, anonymization, firewall installation etc., in compliance with its obligations as these arise from the Applicable Legislation.
Rights of Personal Data Subjects
The Company shall see to it so that it can respond promptly to user demands with regard to the exercise of their rights pursuant to the Applicable Legislation. Specifically, each user has the following rights:
(a) Request information on the processing of his/her personal data;
(b) Request access to his/her personal data. Specifically, the user may ask to obtain a copy of his/her personal data that are kept and to check the lawfulness of the processing;
(c) Request the correction of his/her personal data in the event of inaccurate or incomplete registration thereof;
(d) Request the erasure of his/her personal data insofar as their retention has no legal ground or is not based on a legitimate interest;
(e) Request the restriction of his/her personal data processing under specific conditions;
(f) Request the portability/transfer of his/her personal data to the user or to third parties;
(g) Withdraw his/her consent at any time with regard to the processing of personal data, without this withdrawal affecting the lawfulness of the processing theretofore;
(h) Object to the processing of his/her personal data;
(i) Object to a decision that concerns him/her and is made exclusively on the basis of automated processing, including profiling.
In order to exercise your rights, you can use the email address: firstname.lastname@example.org. Where any of the foregoing rights is exercised, the Company shall provide the data subject with information on the processing acts upon the submission of a respective request within one (1) month as of receipt of the request and identification of the data subject. Said time limit may be extended by two (2) more months, if required, when the request is complicated or there is a great number of requests. In this event, the Company shall be obligated, within one month as of receipt of the request, to notify the data subject of the delay as well as of the reasons for it. Within the foregoing period, it shall also inform the data subject on any refusal on the part of the Company to meet the submitted request in whole or in part, as well as on the reasons for such refusal.
For any complaint regarding the present Policy or personal data protection issues, if we fail to meet your request, you may address the Hellenic Personal Data Protection Authority www.dpa.gr.
Disclaimer for Third Party Websites
In the event that Electobox comprises links that redirect users to third party websites, we hereby inform you that Electobox neither controls nor is responsible for the content of these websites or for the manner in which these websites process the personal data of users.
Last Revision: June 2020