PRIVACY STATEMENT OF ATTIKI NATURAL GAS
DISTRIBUTION COMPANY (EDA ATTIKIS S.A.)
«EDA ATTIKIS »
(Pursuant the General Data Protection Regulation EU 2016/679)
(4th Edition, 01/04/2023)
EDA Attikis S.A. acknowledges the importance of privacy and security of your personal data and treats it with due seriousness. In this Privacy Statement, we would like to inform you of our Company’s policy regarding the collection and processing of personal data in accordance with the applicable legislation on the protection of personal data.
General Data Protection Regulation (GDPR – EU GDPR): regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Business activity: EDA Attikis S.A. is the independent Operator of the Attica Gas Distribution Network, as reflected in the Gas Distribution Network Management Code. EDA Attikis’ main activity is the operation, maintenance and development of the distribution network in Attica, as well as the connection of the residents of the basin in a safe and efficient manner. The company aims through its activities to ensure uninterrupted and seamless supply to the consumers of Attica, the safe and reliable operation of the natural gas infrastructure, the provision of modern and efficient solutions to its consumers and the wider promotion and development of the natural gas market in terms of sustainable development.
Personal data: All information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be verified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
Special categories of (sensitive) personal data:: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of positive identification of a person, data concerning health or data concerning the sex life of a natural person or sexual orientation. They also include data relating to criminal convictions and offences.
Processing of personal data:: An action or series of actions performed, with or without the use of automated means, on personal data or on sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller:: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for his or her appointment may be provided for by Union or Member State law.
Data Processor: The natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Third party: Any natural or legal person, public authority, agency or body, with the exception of the data subject, the controller, the processor and persons who, under the direct supervision of the controller or processor, are authorised to process personal data.
Consent of the data subject: Any freely given, specific, explicit and informed indication of intent by which the data subject signifies his or her agreement, by a statement or by a clear affirmative action, to the processing of personal data relating thereto.
Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access of personal data transmitted, stored or otherwise processed.
In the context of providing Basic, Ancillary and Optional Natural Gas Distribution Services, as defined in the current Distribution Network Management Code, EDA Attikis S.A. collects and processes personal data of its customers (former, existing and potential) which are strictly necessary for the processing of their requests regarding the provision of the above (see. Business Activity) mentioned above and have been submitted through our website by filling in the online contact form for the expression of interest in connection or for the submission of a request/complaint.
In addition, there are cases where EDA Attikis S.A. has your personal data because they were provided by you in some capacity. In particular, in the event that we receive your curriculum vitae (CV) as part of an online application for a job at EDA Attikis S.A., we will retain the information provided to us in order to see if it matches any job opportunities at EDA Attikis S.A. for a period of two (2) years.
Upon submission of your personal data to EDA Attikis S.A., you consent to the use of your data as provided in this Statement. In addition, you consent to the use of this data by the Company’s contracted partners, exclusively for the purposes of informing you about natural gas, connection and technical support. Your personal data will not be processed or distributed for further purposes, unless required by law and regulatory framework or by the signed contract or other legal obligations of the Company.
Α. In relation to our current, potential and former customers we collect basic identifying information and more specifically:
- In case of an expression of interest through:
- Physical presence in the store
- Visit to the Company’s website https://edaattikis.gr,
- Call center of the customer service department (call center)
- Network of authorized partners or heating professionals (engineers, plumbers, etc.)
- Users of the distribution network
- Sales representatives of EDA Attikis S.A.
- The data collected include: Given name, Last name, company (optional field), status, street, number, municipality, postal code, contact telephone number, e-mail address and any other, as appropriate, necessary for the initial evaluation of the expression of interest.
- In case of an application for a gas connection contract through:
- Physical presence at the Company’s store
- Network of authorized partners or heating professionals (engineers, plumbers, etc.)
- Users of the distribution network
- Sales representatives of EDA Attikis S.A.
- Call center of the customer service department
- The data collected include Given name, Last name, contact telephone number, email address, mailing address, status, tax information (VAT/ID), ID/passport details and connection details such as property address, between vertical streets, the existence of supply, no. of independent apartments, desired supply address, type of property/delivery point, consumer category floor and any other as appropriate necessary for the approval of the connection request.
- In case of ancillary services through:
- Physical presence at the Company’s store
- E-mail (e-services)
- Users of the distribution network
- The data collected may include: Delivery Point Number (IKASP), Given name, Last name, contact telephone number, address, VAT number, tax number, and any other information necessary for the performance of the auxiliary service.
- In case of submission of design/construction of New Construction interior installation through physical presence at the Company’s storethe information collected shall include the following: Owner’s name, full name, occupation Tax ID number, contact telephone numbers, e-mail address of the designer – supervisor, street, number, municipality, postal code, property classification (detached house, apartment building, etc.), number of meters, volume of the building (m3), installed capacity, Building Permit number.
- 5. In case of a request for a certificate of connectivity and a certificate of existence of a gas network through:
- Physical presence at the Company’s store
- The data collected include: Given name, Last name, contact telephone number, address, VAT/tax number, email.
- In case of a complaint/request via:
- Physical presence at the Company’s store
- E-mail (customer support)
- Visit to the Company’s website https://edaattikis.gr by filling in the relevant contact form for submission
- Call center of the customer service department (call center)
- Users of the distribution network
- The data collected include: Given name, Last name, company (optional field), status, street, number, municipality, postal code, contact telephone number, e-mail address and any other data necessary for their management, depending on the subject matter of their content.
Β. In respect of the Company’s employees, the information collected may include indicatively: Curriculum Vitae, Copy of Degree, Copy of Identity Card, Tax Identification Number, Tax Identification Number, IBAN, Certificates of Studies and certificates of seminars/training as well as marital status information such as civil status information (marriage, birth of children),medical data, contact details.
In addition, there are cases of indirect identification through the collection of electronic identification data (e.g. login details, access rights, IP address, electronic identifiers/cookies). In case you register or log in to an EDA Attikis’ website using a third party unique registration service that authenticates your identity and links your social media login information (e.g. LinkedIn) to EDA Attikis S.A., we collect any information or content needed for registration or login that you have given the social media provider permission to share with us, such as your name and email address. The collection of other information may depend on the privacy settings you have established with the social media provider, therefore please review the privacy statement or policy of the relevant service. The collection of this data allows us to personalize your online experience as a user of our website regardless of the use of different devices, in order to improve the performance, usability and effectiveness of the online presence of EDA Attikis S.A. as well as to evaluate the effectiveness of the promotional (marketing) activities of our services.
Your personal data, in accordance with the General Data Protection Regulation, are collected and processed for one or more of the following purposes:
- For the performance of a contract: The processing of your personal data is necessary for the fulfilment of our obligations under the contract
- To comply with a legal obligation: The processing of your personal data is mandatory, such as in case of record keeping for tax purposes or providing your personal data to a public body or law enforcement authority
- For the protection of legitimate interests: processing of your personal data may take place in the course of carrying out a lawful activity so that we can ensure the continuity of that activity, provided that it does not override your interests
- The fact that you have given your consent: the processing of your personal data will only be done with your permission if you agree to such processing. In any case, however, you may withdraw your consent at any time by submitting your request in writing and following the appropriate channels of communication with the Company.
More specifically, for EDA Attikis S.A., we process your personal data based upon at least once of the following processing situations:
- Conclusion and operation of contracts
- Provision of after-sales services
- We provide customer service and processing of customer requests/complaints
- Management of subsidies
- Providing technical services such as design and construction of supply as well as connection activation
- Finding and servicing potential customers
- Promotion of services to attract new customers
- Improvement of services provided through customer satisfaction surveys
- Compliance of the Company with regulatory obligations to control and inspect network construction
- Proper billing of services and management of overdue debts
- Network construction inspections
- Compliance with energy distributor obligations as defined in the relevant legal framework
- Metering of delivery points
- Conclusion, operation and termination of employment contracts
- Payment of payroll of Company personnel
- Management of benefits granted
EDA Attikis S.A. does not transfer personal data to third parties not affiliated with the Company, unless this is required for the legitimate professional and business needs of the Company, in order for the Company to respond to your requests and/or as required or permitted by law or professional standards. Recipients may include the following:
- All relevant departments of the Company for the purpose of servicing any request.
- All Italgas group of companies for the purposes of support and/or execution of business functions.
- The Company’s contracted partners such as the network of authorised partners, contractors, engineers, security technicians, employees of temporary employment agencies to whom we only disclose personal data to enable them to carry out their assigned actions, such as updating the status/stage of a gas contract connection request or technical support for it, and collection agencies to inform debtors of overdue debts.
- The competent Ministry in cases of subsidies
- Distribution Network Users who represent your property of interest and are also considered to be Processing Managers for the supply of natural gas to final consumers
- All public authorities (Tax Office, EFKA, GEMI, DYPA etc.) to which personal data are transmitted by the Company as a legal obligation
- Courts, judicial authorities, bailiffs, law enforcement authorities or independent/regulatory authorities in the context of the investigation of specific cases and at their request. (e.g. RAE, DPA)
- Banks in the context of providing traditional banking services but also in the context of electronic banking, concerning the payroll of the employees of EDA Attikis S.A.
- The insurance companies that provide group insurance plans to the company’s employees as well as the occupational physician.
- The leasing companies in the context of corporate benefits (company car) for the Company’s employees.
- Any form of audit (e.g., tax, internal or other) that requires disclosures of personal data
EDA Attikis S.A. takes appropriate organizational and technical measures to protect your personal data from any loss, alteration, unlawful destruction, unauthorized disclosure or access and from any other form of unlawful processing.
Indicatively (and not limited to) these measures include:
- Appointment of a Data Protection Officer (DPO)
- Establishment and implementation of policies/procedures
- Implement mechanisms to protect against the leakage of sensitive information (DLP)
- DLP (Digital Privacy Protection Policy)
- Encryption, where required
- Continuous training and awareness raising of staff
You can exercise the following rights in writing by physically attending the Company’s store. Alternatively, you can send the completed form that you will find posted on the Company’s website (here), electronically, at dpo.gdpr@ena-on.gr, or by post to the postal address at the following address 11 Sofokli Venizelou Street, Postal Code 14123 Lykovrysi, Attica (to the attention of the Compliance Department), accompanied by a copy of an official certificate of identity (e.g. identity card, passport).
The rights of the data subjects are as follows:
- updates: receive any information about your processing in a concise, understandable and easily accessible form.
- access: learn exactly the data we process, why we process it and who the recipients are
- rectification: correct any incomplete or inaccurate data we hold about you
- erasure [also known as the “right to be forgotten”]: delete the data from our records, but where processing is no longer necessary
- restriction of processing: in case of a dispute about the accuracy of the data etc.
- portability: in order to receive your data in a structured and commonly used format
- withdrawal of consent/opposition: regarding the processing of your personal data at any time
- not be subject to a decision based solely on automated processing, including profiling.