Personal Data Privacy Policy
1. INTRODUCTION & DEFINITIONS
The protection of your personal data is particularly important for our company.
By the present policy, "SAINT - GOBAIN SEKURIT SERVICE HELLAS SINGLE MEMBER SOCIETE ANONYME" (the Company or we or us), with seat at Alimos, Athens (4 Ethnikis Antistaseos Str, 17456, G.E.MI. No. 57541504000), communicates the terms on which, acting as Controller, it stores, uses and, in general, processes your personal data it collects when you visit, register or use its websites, when you communicate with the Company, as well as when you transact with it through its physical or electronic points of sale or in another way. By the present Policy, the Company communicates the necessary information by law regarding the above processing and informs you about the way of communication with the Company and the exercise of your rights. The present Policy also includes references for the cases where the Company acts as Processor of personal data, on behalf of other Controllers.
The Policy is consistent with the General Data Protection Regulation (GDPR) and the institutional framework for the protection of personal data in Greece (including Law 4624/2019 and the relevant decisions and opinions of the Hellenic Data Protection Authority (HDPA)).
Processing: is every act or series of acts performed with or without the use of automated means, on personal data or on sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, search for information, use, disclosure by transmission, dissemination or any other form of disposal, alignment or combination, restriction, erasure or destruction.
Processor: is the natural or legal person, the public Authority, the service or other body which processes personal data on behalf of the Data Controller.
Websites: the websites http://www.sekurit-service.gr, https://www.glassdrive.gr/ which, as well as their content, belong to the Company and/or to companies of the Saint - Gobain Group.
Personal Data: is every information concerning an identified or identifiable natural person (data subject); the identifiable natural person is one whose identity can be verified, directly or indirectly, especially through reference to an identifier element of identity, such as name, an ID number, an online identifier of identity or to one or more factors that suit the physical, physiological, genetic, psychological, economic, cultural or social identity of said natural person.
Data Controller: the natural or legal person, the public authority, the service or other body which, alone or jointly with others, determines the purposes and the manner of the processing of personal data.
The Company is committed to the protection of the Personal Data of every visitor/user of the Websites, as well as of any natural persons within the framework of the cooperation they have developed or wish to develop with it.
The Company regularly reviews this Policy in order to monitor and ensure continuous compliance with the requirements of the applicable legislation.
2. PRINCIPLES GOVERNING THE PROCESSING
We process your Personal Data in accordance with the current basic principles of the GDPR and we ensure that such:
(a) are submitted to lawful and fair processing in a transparent manner in relation to the data subjects.
(b) are collected for specified, explicit and legitimate purposes and are not submitted to further processing in a way incompatible with these purposes.
(c) are adequate, relevant and limited to the necessary for the purposes for which they are submitted to processing.
(d) are accurate and, where required, updated.
(e) are kept in a form which permits identification of data subjects only for the period required for the purposes of the processing of Personal Data.
(f) are submitted to processing in a manner that guarantees their adequate security, among others their protection from unauthorized or illegal processing and accidental loss, destruction or damage, by taking appropriate technical and organizational measures.
3. PERSONAL DATA PROCESSED BY THE COMPANY AND PURPOSES OF PROCESSING
We aim to collect only your strictly necessary Personal Data, which are appropriate for the intended purpose. Such Data include the following:
(a) Data that you provide to us during your registration and the creation of a user account on a Website or through the communication form that exists on our Website or through your initial contact with our Company or with our sellers and specifically data such as electronic mail address (e-mail) and user password/login password and name, surname, postal address, employer details, phone number.
(b) Data and information that you provide to us through transactions between us (purchases, orders, etc.) and communications between us (via our physical stores, our online store, our sellers, phone, electronic mail or through any other way/medium), such as name, surname, Tax ID (AFM), address, way and details of communication (phone, electronic mail address).
(c) Data concerning the method of payment for the transactions you carry out with us (your bank account number and credit institution).
(d) Data related to the scheduling of appointments and the glass replacement/repair service through the Company’s Glassdrive network, such as name, surname, phone, electronic address (e-mail), vehicle details (e.g. make, model, license plate), type of damage, appointment details, details of payments, guarantees and after-service services.
(e) Information collected from the use of cookies in your browser when you visit our Website.
In the above cases the Processing of Data takes place for the Company’s own purposes and it therefore acts as Data Controller. For such cases, the provision of Personal Data often constitutes a legal or contractual obligation or requirement for the conclusion of a contract and the data subject is obliged to provide said data (e.g. personal details and vehicle details for the glass replacement/repair service or details concerning the payment). The non-provision of these data results in the inability to complete the transaction and the provision of the relevant service.
The Company within the framework of its cooperation with other businesses (mainly insurance companies and vehicle leasing companies) undertakes the management of insurance claims on behalf of these businesses based on a relevant contract and assignment of the claim from the insured to the Company. For this purpose it processes Personal Data of insured persons on behalf of these businesses, which determine which Personal Data are subject to processing (e.g. name, surname, country, address, insurance policy number, vehicle license plate, other vehicle and damage details) and records them on a specific claims management platform. In this framework the Company processes these data strictly according to the documented instructions of the Data Controller and for the purpose of the fulfillment of the service provision contract it has concluded with them.
4. LEGAL BASES OF DATA PROCESSING
The Processing of Personal Data by the Company is based on one (or more) of the following legal bases:
(a) Contract: the processing is necessary for the execution of any concluded contract between the Company and a natural person (e.g. regarding product purchase, as regards a submitted request, by the creation of a user account, for the supply of goods/ services to the Company and for other online and offline transactions).
(b) Legal obligation: the processing is necessary for the compliance of the Company with the obligations imposed on it by law (not including the obligations from the contract) such as tax legislation obligations.
(c) Legitimate interests: the processing is necessary for the pursuit of the legitimate interests of the Company or the legitimate interests of a third party, unless against these interests your interest as a subject of personal data prevails. Cases of pursuit of legitimate interests of the Company are for example the optimization of the provided services, the prevention of business risks, the establishment, exercise, support of legal claims and the provision of after-service services.
(d) Vital interests: the processing is necessary for the protection of someone's life or other vital interests.
(e) Consent: exceptionally in cases where it is required by law or when none of the other legal bases apply, the Company will process the data lawfully following your explicit and written consent, which you have the right to revoke at any time. The revocation does not affect the lawfulness of the processing based on consent before its revocation.
5. DATA RECIPIENTS
In order for the Company to fulfill the aforementioned purposes, it communicates the above Personal Data only to the employees of the Company’s corresponding department and only to the extent that this is necessary for the performance of its obligations. Access is graded according to their position and duties and is limited to the data necessary for the purposes of the specific processing they have undertaken.
Your data can also be transmitted:
• to national or international regulatory, tax or other Authorities or public bodies or courts, when required by law or following a legal order.
• to third-party service providers, who process your Data as Processors on our behalf (e.g., cooperating workshops, external IT providers, software providers, accountants, auditors, external consultants), according to our instructions and based on a specific agreement for the processing of your data. In this case we provide them only with the information they need for the performance of their specific services. They can use your data only for the precise purposes we specify in our contract with them. We cooperate closely with them to ensure that your privacy is respected and protected at all times. If we stop using their services, any of the data they hold will be deleted, returned or made anonymous.
If this is necessary, your data may also be transmitted to an affiliated Company of the SAINT - GOBAIN group for IT support and Help Desk purposes.
6. RIGHTS OF THE DATA SUBJECT
Subject to the exceptions provided by the GDPR and national legislation, subjects have the following rights regarding their Personal Data:
(a) Right to information: You have the right to know which of your Personal Data we store. This allows you to understand how we use your Personal Data.
(b) Right of access: You have the right of access to your Personal Data. This allows you to know and verify the lawfulness of the processing.
(c) Right of rectification: You have the right to request rectification of the Personal Data we maintain for you. This gives you the possibility to correct any incomplete or inaccurate information we have about you.
(d) Right of erasure (Right to be forgotten): You have the right to ask us to delete your Personal Data under the legal conditions. Note that this right does not constitute an absolute "right to be forgotten".
(e) Right of restriction of processing: You have the right to request the restriction of the processing of your Personal Data. This allows you to ask us to restrict the processing of your personal details, if, for example, you want to verify the accuracy of your Personal Data or the reason for the processing.
(f) Right to data portability: You have the right to receive your data and transmit them to another controller. This allows you to retrieve your data in a widely used and machine-readable structured format (i.e. data format that can be read and processed automatically by a computer).
(g) Right to object: You have the right to object to the processing of your data.
(h) Rights related to automated decision making, including profiling: You have the right to object to profiling and automated decision making under certain conditions.
The Company respects the rights you have to your Personal Data and facilitates their exercise. You can exercise your rights or address any request, question or complaint regarding your Personal Data by communicating via electronic mail with the Data Protection Officer (DPO) at the address privacycontact.Greece@saint-gobain.com.
We will answer your request within thirty (30) days from its receipt. In case an extension of the above deadline is required for the investigation and/or processing of the request, we will inform you accordingly, explaining to you the reasons for which the extension of the deadline is necessary.
The Company will satisfy your request for the exercise of your rights, according to the terms set by the law. The possibility of exercising a right that the law provides to you does not always entail the possibility of its full satisfaction, especially when there are other legal provisions that restrict it. If we are not able to satisfy your request, we will inform you of the reasons.
In any case, if you consider that the protection of your Personal Data has been violated in any way, you have the right to appeal to the Hellenic Data Protection Authority. For the competence of the Authority and the way of submitting a complaint, detailed information is provided on the website of the Hellenic Data Protection Authority (www.dpa.gr).
In cases where we act as Processor on behalf of another Data Controller (e.g. an insurance company) the request for the exercise of your rights should be communicated by you to the corresponding Controller. If by mistake such a request is communicated to the Company we will forward it without delay to the competent Data Controller, co-assisting in the fulfillment of their legal obligations.
7. RETENTION TIME OF PERSONAL DATA
Your Personal Data are maintained only for the period required for the purposes of their processing. The basic criterion for the determination of said period is whether there exists a transactional relationship between us and/or a contract has been concluded. In this case your details are maintained for a period of 5 years after the completion of the transaction or the dissolution/expiration of the contract unless the legislation provides for a longer period. In the case that you simply submit a query, their retention period is 12 months from the completion of the response procedure. In case of raising a claim, the retention period is extended until the irrevocable resolution of such claim, or, if the processing is necessary for the compliance of the Company with its legal obligations (deriving from tax law etc.), until the expiration of the retention period provided by the law. For more information on the retention period for recorded phone communications of our call center, please refer to the corresponding policy on our websites.
In cases where we act as Processor on behalf of another Data Controller (e.g. insurance company) the time of keeping of your data is determined by said Data Controller and the Company complies with their instructions for this time.
8. SECURITY OF PERSONAL DATA
The Company implements appropriate technical and organizational measures in order to ensure an appropriate level of security of Personal Data taking into account any risks, in compliance with the GDPR and national legislation (e.g. firewalls, encryption etc).
The details that you submit to the Company are managed exclusively by its specifically authorized personnel that is under its control and, only upon its request, possibly by recipients, in cases where this is necessary for the fulfillment of its obligations. For any such Processing the Company chooses persons with corresponding professional qualifications who provide sufficient guarantees in terms of technical knowledge and personal integrity as regards the observance of confidentiality. The Company also, through the corresponding contractual commitments, including those of its collaborators, takes all necessary security measures for the protection and safeguarding of the secrecy, confidentiality and integrity of your Personal Data.
9. TRANSMISSION TO THIRD COUNTRIES
The general rule is that the Company does not transmit your Personal Data to third countries (outside EEA).
In case of transmission of Personal Data to third countries (outside EEA), the Company will ensure that the processing is carried out based on appropriate guarantees according to the provisions of the applicable legislation for data protection. In this case, you will be entitled to ask for a copy of the measures the Company takes so as to ensure the appropriate handling of the Personal Data concerning you.
10. COMMUNICATION
You can address any request, question or complaint regarding your personal data by communicating with the Data Protection Officer (DPO) at the address privacycontact.Greece@saint-gobain.com.
11. REVISIONS
The policy is reviewed and revised periodically, where required, according to the applicable Legislation, the circulars and the decisions of the Hellenic Data Protection Authority. Any modifications to it will be communicated through the pages of the present Website.
