Privacy Policy

Information on the Processing of Personal Data

Introduction

We would like to assure you that for the Company “HERON THERMOILEKTRIKI SOCIÉTÉ ANONYME” (hereinafter ‘’the Company’’), headquartered in the Municipality of Athens, 85 Mesogeion Avenue, operating offices in Athens, 124, Kifissias Avenue, Postal Code 11526, email: info@heron.gr,  website: https://www.MyHeron.gr, the protection of our customers’ personal data is of paramount importance.

That is why we are taking appropriate steps to protect the personal data we process and to ensure that the processing of personal data is always carried out in accordance with the obligations laid down by the legal framework, both by the company itself and by third parties who process personal data on behalf of the company.

Data Controller – Data Protection Officer (DPO)

The Company “HERON THERMOILEKTRIKI SOCIÉTÉ ANONYME” (hereinafter ‘’the Company’’), headquartered in the Municipality of Athens, 85 Mesogeion Avenue, operating offices in Athens, 124, Kifissias Avenue, Postal Code 11526, email: info@heron.gr,  website: https://www.MyHeron.gr,  informs that, in the context of its business activities, it processes personal data of its customers in accordance with the applicable national legislation and the European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as the “Regulation”) as currently in force.

For any matter concerning the processing of personal data, please contact directly the Data Protection Officer (DPO), namely the Law Firm “ANDERSEN LEGAL, PISTIOLIS - TRIANTAFYLLOS & ASSOCIATES LAW FIRM” at the following email address: herondpo@gr.andersenlegal.com,  phone number: 213 033 3000.

Which are the categories of personal data we process?

Your personal data we collect and process, are absolutely necessary and appropriate for the achievement of our business purposes. To achieve these purposes, we process the personal data that you provide to us when using the digital platform MyHeron [for example, your name and surname, email address, phone number, home address, ID number etc.].

How and why do we process your personal data?

We collect your data for the following reasons:

  1. To provide you with the services you wish to receive from us as a user of the digital platform MyHeron, such as submitting an online gas or electricity provision application, paying your gas or electricity bill electronically, filing in and submitting an online contact form with the Customer Service Department to submit questions, requests, complaints, etc.
  2. in order to send you newsletters about our products, services, offers etc.

Which are the legitimate grounds for processing your personal data?

We process the personal data you provide us only when we have a legitimate interest to do so.

Legal grounds for processing your personal data are:

  1. the need to process your data as part of our contractual obligation or at the pre-contractual stage upon your request to provide you with our products and services,
  2. the consent you provide us with under the specific conditions set out by the legal framework, in order to receive information on products, services, offers etc.

Storage Time

The data storage time is decided based on the following specific criteria, as appropriate in each case:

When the processing is based on a contractual relationship, your personal data are stored for as long as is necessary to perform the contract and for the establishment, exercise or defense of legal claims in accordance with the contract.

For product and services promotion purposes (marketing activities), your personal data are stored until the withdrawal of your consent.

You have the right to withdraw your consent at any time. The withdrawal of your consent shall not affect the lawfulness of the processing based on consent before its withdrawal.

To withdraw your consent, please contact directly the Data Protection Officer of the Company, namely the Law Firm “ANDERSEN LEGAL, PISTIOLIS - TRIANTAFYLLOS & ASSOCIATES LAW FIRM” at the following email address: herondpo@gr.andersenlegal.com,   phone number: 213 033 3000.

You can also use the unsubscribe options by following (clicking) on the corresponding link, which you can find in our electronic communications.

What are your rights with respect to your personal data?

Any natural person whose data are being processed by the Company enjoys the following rights:

Right of Access:

You have the right to be aware and verify the legitimacy of the processing. So, you have the right to access the data and get additional information about how your data are processed.

Right to Rectification:

You have the right to study, correct, update or modify your personal data by contacting the Data Protection Officer (DPO) with the above-mentioned contact details.

Right to Erasure (“Right to be forgotten”):

You have the right to request the erasure of your personal data when we process them based on your consent or in order to protect our legitimate interests. In all other cases (for example, when there is a contract, or an obligation to process personal data required by law or for public interest reasons), this right is subject to specific restrictions or may not apply, depending on the case.

Right to Restriction of Processing:

You have the right to obtain from us restriction on the processing of your personal data where one of the following applies:

(a) the accuracy of the personal data is contested and until such accuracy is verified;

(b) you oppose the erasure of your personal data and request (instead of erasure) the restriction of their use;

(c) personal data are not needed for the purposes of processing, but they are, however, required for the establishment, exercise or defense of legal claims; and

(d) you object the processing pending the verification whether our legitimate grounds override those of yours.

Right to Object:

You have the right to object at any time the processing of your personal data where, as described above, such processing is necessary for the purposes of legitimate interests we seek as controllers, as well as to the processing for direct marketing purposes, including profiling related to such direct marketing.

Right to Data Portability:

You have the right to receive your personal data free of charge in a format that allows you to access, use, and edit them, using commonly used editing methods. You also have the right to ask us, if technically feasible, to transmit the data directly to another controller. This right concerns the data you have provided to us and their processing is carried out in a commonly used format based on your consent or in order to perform a contract.

Right to withdraw consent

Where processing is based on your consent, you have the right to withdraw it. The withdrawal of your consent shall not affect the lawfulness of the processing based on consent before its withdrawal.

To exercise any of these rights please contact the Data Protection Officer of the Company, namely the Law Firm “ANDERSEN LEGAL, PISTIOLIS - TRIANTAFYLLOS & ASSOCIATES LAW FIRM” at the following email address: herondpo@gr.andersenlegal.com,    phone number: 213 033 3000.

In all the above cases, we will do our best to respond to your request within thirty (30) days of its submission. This deadline may be extended for up to sixty (60) additional days, if necessary, considering the complexity of the request and the number of requests. Therefore, we will notify you within thirty (30) days.

Right to lodge a complaint with the Hellenic Data Protection Authority

You have the right to file a complaint with the Hellenic Data Protection Authority (www.dpa.gr ): Telephone: +30 210 6475600, Fax: +30 210 6475628, email: contact@dpa.gr   

Personal Data Security

The Company implements appropriate technical and organizational measures aimed at the safe processing of personal data and the prevention of accidental loss or destruction and/or unauthorized access to, use, modification or disclosure thereof.

In any case, the way in which the internet operates and the fact that it is free to anyone cannot guarantee that unauthorized third parties will never be able to violate the applicable technical and organizational measures by gaining access and possibly using personal data for unauthorized and/or unfair purposes.

Information on the processing of personal data through a video surveillance system

  1. Controller:

HERON THERMOILEKTRIKI SOCIÉTÉ ANONYME, headquartered in the Municipality of Athens, 85 Mesogeion Avenue, operating offices in Athens, 124 Kifisias Avenue, Postal Code 11526, email info@heron.gr,  telephone number 18228

  1. Purpose of the processing and legal basis:

We use closed-circuit television (CCTV) in order to protect natural persons and premises. The processing is necessary for the purposes of the legitimate interests we pursue as a controller (article 6 para. 1. (f) GDPR).

  1. Legal Interests

Our legal interest is the need to protect our premises and the materials in it from illegal actions, such as theft. We also need to ensure life safety, physical integrity, health as well as the property of our staff and of third parties legally located in the area under surveillance. We only collect image data and limit the surveillance to places where we have previously assessed that there is an increased possibility of perpetration of illegal actions e.g. theft, for instance, in cash desk and/or the entrance, without focusing on places where privacy of the persons being photographed may be severely restricted, including their right to respect of their personal data.

  1. Recipients

The material held is accessible only by our competent / authorized personnel and cooperating security company who are in charge of security of the premises. This material shall not be disclosed to other third parties without the consent of the data subject, except in the following cases: (a) to the competent judicial, prosecutorial and police authorities when it contains information necessary to investigate a criminal offense involving persons or property of the controller; (b) to the competent judicial, prosecutorial and police authorities when lawfully requesting data in the performance of their duties, and (c) to the victim or perpetrator of a criminal offense, in the case of data which may constitute evidence of the offense.

  1. Retention period

We keep the data for fourteen (14) days, after which they are automatically deleted. In the event that during this period we find an incident, we isolate part of the video and keep it for another (1) month, in order to investigate the incident and initiate legal proceedings to defend our legal interests, while if the incident concerns third parties, we will keep the video for up to three (3) more months.

  1. Data subjectsrights

Data subjects have the following rights:

  • Right of access: you have the right to be aware whether we process your images and if so, to receive a copy of them.
  • Right to restriction of processing: you have the right to request us to restrict processing, for example, you may ask us not to delete data that you deem necessary to establish, exercise or support legal claims. 
  • Right to object: you have the right to object to the processing.
  • Right to erasure: you have the right to request that we erase your personal data.

You may exercise your rights by sending an e-mail to herondpo@gr.AndersenLegal.com   or a letter to our postal address or by submitting the request to us in person, at the address of the company. To examine a request related to your image, you should tell us when you were within the range of the cameras and give us a picture of you to make it easier for us to locate your data and hide the data of third parties pictured. Alternatively, we give you the possibility to come to our facilities to show you the images in which you appear. Moreover, we would like you to note that exercising the right to object or the right to erasure does not imply the immediate erasure of data or the modification of the processing. In any case, we will answer you in detail as soon as possible, within the deadlines set by the GDPR.

  1. Right to lodge a complaint

In case you consider that the processing of your data violates Regulation (EU) 2016/679, you have the right to lodge a complaint with the competent supervisory authority.

The competent supervisory authority in Greece is the Hellenic Data Protection Authority, Kifisias Avenue 1-3, 11523, Athens, https://www.dpa.gr/, telephone number  +302106475600.