Our Company, in accordance with the conditions set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th of April 2016 on the protection of individuals with regard to the processing of personal data and on the free use of such data and having regard to the repeal of Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “General Regulation”), wishes to inform you as follows, regarding the processing of your personal data.
“Personal data” are defined by the General Regulation as any information concerning an identified or identifiable individual (“data subject”); the identifiable individual is one whose identity can be verified, directly or indirectly, in particular by reference to ID, such as name, ID number, location data, online ID, or one or more factors that characterize the physical, physiological, genetic, psychological, economic, cultural, or social identity of that individual.
Further, “processing” means any operation or series of operations performed with or without the use of automated means, on personal data or on personal data sets, such as collection, registration, organization, structure, storage, adaptation or alteration, retrieval, retrieval of information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction.
The General Regulation sets out certain fundamental principles, which govern the protection of personal data. In particular, personal data must:
• be processed lawfully and fairly in a transparent manner in relation to the data subject (“legality, objectivity and transparency”)
• be collected for specified, explicit and legitimate purposes and not be further processed in a manner incompatible with those purposes (“limitation of purpose”)
• be appropriate, relevant, and limited to what is necessary for the purposes for which they are processed (“data minimization”)
• be accurate and, where necessary, updated, and all reasonable steps must be followed to promptly delete or correct personal data which is inaccurate in relation to the purposes of the processing (“accuracy”)
• be kept in a form which allows the identification of data subjects only for the period required for the purposes of processing the personal data (“limitation of the storage period”), and
• be processed in such a way as to guarantee the appropriate security of personal data, including its protection against unauthorized or unlawful processing and accidental loss, destruction, or deterioration, using appropriate technical or organizational measures (“integrity and confidentiality”).
For our Company, respecting the above principles in the processing of personal data concerning you is a priority. Specifically, the Company as well as its Employees make every effort to ensure the optimal level of protection of your data, as well as full compliance with the requirements of the General Regulation.
Due to the field of our company’s activities, the Personal Data it collects mainly concerns the following categories of subjects:
• People who interact with the Company (customers, prospective customers and in general people who communicate with our Organization): i.e. their personal data and data that refer to the contractual relationship between us, where it exists, or that are used for their communication with our Organization, which include indicative identity and contact information, transaction data as well as financial information related to the compliance of our Organization with its legal contractual obligations.
• Company Employees: i.e. their personal data and data that refer purely to the employment relationship with our Organization, which include indicative identity and communication data, financial data as well as health data of the same or additional members related to the compliance of our Organization with labor and insurance legislation.
• Candidates to be hired: i.e. their personal data and information mentioned in their evaluation as candidates and in the recruitment procedures by the Organization, which include indicative identity and contact details, as well as details of the professional curriculum vitae of the candidates.
• Partners of the Organization (suppliers and other partners in general): i.e. their personal data and data that refer to the contractual relationship between us, which include indicative identity and communication data, transaction data as well as financial data related to the compliance of our Organization to its legal contractual obligations.
We note that we do not collect personal data of specific categories, other than the health data referred to herein, such as personal data relating to race, ethnicity, religion, sexual orientation, or genetic biometric data, etc., which are categorized as specific data categories and receive additional protection in accordance with European data protection legislation.
Our company collects personal data given to our Organization directly by the subjects, for one of the following reasons:
1. Information you give us during the conclusion, development, and termination of the contractual relationship between us.
2. Information you give us during your participation in the events and activities of our Organization.
3. Information you give us when contacting us or submitting a request.
Specifically, our Company processes the following categories of personal data that concern you for the following purposes.
• For your registration in Benefits Club Members, we process your e-mail, your contact phone, as well as the username and password that corresponds to you.
• For your participation in Competitions through our website (www.haciendacafe.com), if you are a member of Benefits Club, we process your name and your card number.
• For your participation in Competitions through the Facebook platform, if you are a member of Benefits Club, we process your name.
• To send you Newsletters we process your e-mail.
• As part of the processing of your satisfaction questionnaire, which you complete as a Customer, we process the data that you optionally fill in, i.e. your name, telephone and e-mail.
• For managing a Platform of Communication with you as a Customer, we process your name, telephone, and e-mail.
• For Home Delivery, we process your name, telephone, mail & Order Delivery Address.
• As part of managing the hacienda Social Wi-Fi Wireless Internet, we process your email, your Facebook account details, and your Twitter account details.
Each of the above methods of processing your personal data is based on some legal basis. Specifically:
• The personal data of the employees / prospective employees, as well as our associates, are collected for the conclusion and execution of the employment contract between us and for compliance with our general legal obligations (tax, insurance, etc.)
• The personal data of our customers are collected on a case by case basis for the execution of the contractual relationship between us (as customers of our company), for the fulfillment of the legal interests of our company (which are on a case by case basis the promotion and advertising of our company, the further development of our relationship with our customers, etc.) and, where required by applicable law, obtaining explicit, written consent from you prior to the processing of your personal data.
The time period that your personal data provided will be retained, depends primarily on the purpose of the processing, since even their mere storage constitutes an act of processing, which is permitted only if it is governed by the processing authorities. After the retention period the personal data are deleted. Particularly:
• The personal data of the candidate employees are kept for a period of two years from the completion of the selection-recruitment process. The retention is due to a possible re-evaluation of the candidates by the Organization.
• The personal data of the employees, i.e. those who have already drawn up an employment contract with the Organization, are first kept for as long as the employment relationship lasts. After the termination of the employment relationship, for any reason, the relevant data are kept for a maximum of twenty years (indicative limitation period of any resulting legal claims), a period during which any legal case of their processing may arise, such as case of civil cases or investigation of a criminal act where it is possible that an employee is involved, case of tax control, etc. The above also applies to data on corporate assets provided to employees, access to electronic and physical files and to work fields and corporate mobile phones, for the purpose of executing the employment contract. They also apply to personal data relating to the granting of leave to employees (absences, hours of attendance, leave, medical leave of sick leave) and the evaluation of staff.
• The personal data of the customers and partners of our Organization are kept first for as long as the contractual relationship between us lasts. After the termination of the contractual relationship, for any reason, the relevant data are kept for a maximum of twenty years (indicative limitation period of any resulting legal claims), a period during which any legal case of their processing may arise, such as case of civil cases or investigation of a criminal act, case of tax audit, etc.
• The personal data of the customers of Online orders are kept in our Database for 2 years.
Our Company does not disclose the data to third parties, except in the following cases. Particularly:
• The Organization transmits personal data of its employees, customers, and associates to an external accountant, with whom it has signed a contract which binds it in its capacity as the executor regarding the observance of confidentiality, security, integrity, and availability of their personal data.
We point out that the above partners have access to the personal data necessary to perform their functions, but are prohibited from using them for other purposes. In addition, they have previously committed to our Organization regarding their relevant obligations: the non-use of data for purposes other than the execution of the processing, the observance of confidentiality and general compliance with the Regulation.
The processing of your personal data is also linked to your respective rights, which, subject to provisions that may restrict the exercise of these, are:
• The right to be informed: You have the right to receive clear, transparent, and comprehensible information about how we use your personal data and what your rights are. For this purpose, we provide you with the information in this Statement – Protection Policy and we urge you to contact us for any clarifications.
• The right of access: You can ask us to correct or supplement your data if it is incomplete or contains inaccuracies.
• The right to correct: You can ask us to correct or supplement your data if it is incomplete or contains inaccuracies.
• The right to the portability of your data: You may request that we provide or transfer to a third party provider in electronic form, specific information that you have provided to us.
• The right to delete: In some cases, you can request the deletion of all or part of your data (if, for example, the data is no longer needed for the purposes for which it was collected, etc.).
• The right to restrict processing: You have the right to restrict the processing of your personal data.
• The right to withdraw consent: If you have given your consent to the processing of your personal data, you have the right to withdraw your consent at any time by contacting us through the contact information provided herein.
• The right to object: You may object to the processing of your data which is carried out in the pursuit of our legitimate interests, as mentioned above.
• The right to file a complaint to the Personal Data Protection Authority: You have the right to complain directly to your local supervisory authority, the Personal Data Protection Authority, about how we process your personal data.
• Rights related to automated decision making: You have the right not to be subject to a decision based solely on automated processing that has legal or other significant consequences for you. Specifically, you have the right:
o to request human intervention,
o to express your opinion,
o to receive explanations for the decision that emerged after an evaluation,
o to question this decision.
If you exercise one of the above rights, we will take every possible measure to satisfy your request within a reasonable time and no later than one (1) month from the identification of your submitted request, informing you in writing about the satisfaction of your request, or the reasons that may prevent the exercise of the relevant right, or the satisfaction of one or more of your rights, in accordance with the General Regulation. Please note that in some cases the satisfaction of your relevant requests may not be possible, such as when the satisfaction of the right is contrary to a legal obligation or conflicts with a contractual legal basis for the processing of your data.
However, if you consider that any of your rights or legal obligations of our Organization regarding the protection of Personal Data are violated and after you have previously addressed the Data Protection Officer of the Organization (DPO) for the relevant issue, meaning that you have exercised your rights to the Organization and either you did not receive a response within a month (extension of the deadline to two months in case of a complex request), or you consider that the response you received from the Agency is unsatisfactory and your issue has not been resolved, you can file a complaint to the competent supervisory authority, i.e. to the Hellenic Data Protection Authority (DPA), 1-3 Kifissias Ave., PC 115 23 Athens, email: email@example.com, fax: +302106475628.
We have taken appropriate organizational and technical measures to protect your personal data from misuse, tampering, loss, unauthorized access, modification, or disclosure. The measures we take include the implementation of appropriate methods in access control, technical security of information as well as ensuring that personal data is encrypted, pseudonymized and made anonymous, where necessary and feasible.
Access to your personal data is allowed only to our competent employees and associates and only if it is necessary to support the activity of our Organization, and is subject to strict contractual obligations of confidentiality, when assigned and processed by third parties.