Information on the Processing of Personal Data in the Context of the Operation of the “Thales” Application

Data Controller:

HEDNO S.A. (hereinafter referred to as “HEDNO” or “the Company”) places the protection of personal data it processes, in its capacity as Data Controller, among its top priorities, in full compliance with the applicable personal data protection legislation. Such processing takes place under the conditions, safeguards, and principles established by the General Data Protection Regulation (EU) 2016/679 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as in force, as well as by Greek Law 4624/2019, the Guidelines and Decisions of the Hellenic Data Protection Authority (HDPA), and in accordance with this notice and HEDNO’s respective data protection policy.

This Information Notice is intended to inform users (hereinafter “users” or “data subjects”) of the “THALES” application (hereinafter the “Application”), which is designed to manage requests submitted by Electricity Suppliers, about the personal data collected and processed by the Company in the context of their use of the Application, as well as the manner and purposes of the collection, storage and use of such personal data.

Categories of Data Collected and Processed

The Company collects and processes the personal data provided by users when submitting a request for access to and creating a profile in the Application, the data required to authenticate users when accessing the Application, as well as the data necessary for the operation of the Application. In particular, the Company collects and processes the following categories of personal data relating to data subjects (users of the Application):

  1. Identification data, specifically: Full name; Tax Identification Number (TIN); and/or Identity card details and/or passport details.
  2. Contact details, specifically: Landline and/or mobile telephone number; and Email address.
  3. Employment information, specifically: Job title/position.

The above information must be provided by users in order to create a profile in the Application. It is noted that, in order to create a user profile in the Application, at least one of the following is required: a Tax Identification Number (TIN), Identity Card Number or Passport Number, as well as at least one contact telephone number (landline or mobile).

Furthermore, HEDNO collects and processes the following categories of personal data for the administration of Application users:

  1. User authentication data (e.g. username).
  2. Digital footprint data (e.g. logs and metadata generated through use of the Application).

Purpose of processing

The processing of the above personal data is necessary to ensure the proper and uninterrupted operation of the Application, through which Electricity Suppliers submit requests to HEDNO, as well as to ensure the secure and appropriate identification of the Application’s users.

The above personal data are processed exclusively for purposes directly related to HEDNO’s fulfilment of its obligations concerning the implementation of Declarations of Meter Representation or Termination of Meter Representation, Load Meter Deactivation or Reactivation Orders, and requests for the provision of metering data received from Electricity Suppliers. Furthermore, the Application operates as part of the measures necessary for the design, development and day-to-day operation of the required systems and infrastructure, with the objective of ensuring both the proper operation of the Hellenic Electricity Distribution Network and the protection of the confidentiality of the information that comes into HEDNO’s possession in the performance of its duties.

In addition, HEDNO may, where appropriate, process personal data for the management of data subject requests, the investigation of personal data and information security incidents, and the handling and resolution of judicial and out-of-court matters.

Legal Basis for Processing

HEDNO processes the above personal data as follows:

  1. For the purpose of ensuring the uninterrupted and proper operation of the Application and the appropriate identification of its users. In this case, processing is necessary for compliance with HEDNO’s legal obligations (Article 6(1)(c) GDPR), in accordance with the regulatory framework governing its operation (Articles 5, 99 and 100 of the HEDNO Distribution Network Management Code, Articles 6 and 7 of the Meter Representation and Periodic Settlement Manual, and Article 127 of Law 4001/2011).
  2. For the management of data subject requests and the investigation of personal data and information security incidents. In this case, processing is necessary for compliance with a legal obligation to which HEDNO is subject (Article 6(1)(c) GDPR), specifically compliance with the obligations arising under Articles 12–22 and 33–34 of the GDPR, respectively. Processing for the management and handling of judicial and out-of-court matters is carried out on the basis of the legitimate interests pursued by HEDNO (Article 6(1)(f) GDPR), namely the establishment, exercise or defence of legal claims before courts and public authorities.

HEDNO does not process personal data for the purposes of automated decision-making and/or profiling that produces legal effects concerning individuals or similarly significantly affects them.

Recipients of Personal Data

The above personal data are collected through the aforementioned HEDNO Application, to which access is granted exclusively to authorised personnel responsible for the collection, management and assessment of the requests submitted through the Application and who have received appropriate training in the handling of personal data. Such personnel are bound by confidentiality obligations and have been granted specific authorised access rights to the above personal data.

The Company does not disclose personal data to third parties except where there is a lawful basis for doing so; in particular, where such recipients have been granted specific authorised access rights by HEDNO, or where disclosure is strictly necessary for the establishment, exercise or defence of legal claims, or for compliance with the Company’s legal obligations under applicable law. Such disclosures may include, by way of example, competent supervisory, auditing, law enforcement, prosecutorial, independent, judicial, public and/or other authorities and bodies, within the scope of their statutory powers, duties and competences, where disclosure is required or permitted by law, following duly submitted lawful requests made in the exercise of their functions. Disclosure may also take place pursuant to court orders and/or to lawyers, law firms, bailiffs, notaries, experts or court-appointed experts, in the context of legal proceedings for the protection of the Company’s rights and interests.

It is noted that the Electricity Supplier on whose behalf each user accesses and uses the Application will also have access to the above personal data.

Transfers of Personal Data to Countries outside the European Economic Area (EEA) or to an International Organization

The Company does not transfer personal data outside the European Union/European Economic Area (EU/EEA) or to any international organization.

Retention of Personal Data

The retention period for the above personal data is determined in accordance with the principles governing the processing of personal data, in particular those set out in Article 5 of the GDPR, taking into account HEDNO’s responsibilities and role under the applicable legal framework. The above personal data will be retained by HEDNO for the period necessary to fulfil each of the purposes for which they were collected and will not be retained for longer than is strictly necessary to achieve the processing purposes described above. Once the purpose of processing has been fulfilled, the personal data will be deleted, unless their retention is necessary to comply with a legal obligation or to safeguard the Company’s legitimate interests, always in accordance with the applicable legislation.

The retention period for the above personal data shall not exceed the period necessary to achieve the processing purposes described above. More specifically, the above personal data will be retained for as long as the user’s profile in the Application remains active and for five (5) years following the deletion of the user’s profile from the Application.

Personal data contained in HEDNO’s server security logs for information security purposes (e.g. IP address, metadata) are deleted within twelve (12) months of their collection.

Security of Personal Data

As part of the above processing activities, and in accordance with the applicable legal framework, all appropriate technical and organizational measures are implemented to ensure the security of personal data, safeguard the confidentiality of processing, and protect such data against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or access, and any other form of unlawful or unauthorized processing. These measures are also intended, to the greatest extent possible, to prevent personal data breaches resulting from malicious acts, accidental loss, or unauthorized access to or use of the data. By way of example, personal data are stored securely within the Company’s own infrastructure. In addition, in the event of a security breach affecting the Application, the Company has implemented appropriate procedures to ensure the proper management of such incidents and the effective mitigation of the associated risks.

Your Rights as a Data Subject

Under the General Data Protection Regulation (GDPR), the Company is required to ensure that data subjects are able to exercise their rights by facilitating their exercise in a concise, transparent, intelligible and easily accessible manner. With regard to your personal data processed as described above, you have the following rights:

Right to Information and Access (Articles 12–15 GDPR): You have the right to be informed about and obtain access to your personal data, as well as to receive supplementary information regarding their processing.

Right to Rectification (Article 16 GDPR): You have the right to request the rectification, amendment, completion or updating of your personal data where they are inaccurate, out of date or incomplete.

Right to Erasure (Article 17 GDPR): You have the right to request the erasure of your personal data, provided that the exercise of this right is not subject to any restrictions under applicable law or other legal limitations.

Right to Restriction of Processing (Article 18 GDPR): You have the right to request the restriction of the processing of your personal data where: (a) the accuracy of the data is contested, pending verification; (b) the processing is unlawful, and you request restriction of use instead of deletion; (c) the data are no longer necessary for processing purposes, but you require them for the establishment, exercise, or defense of legal claims; or (d) you have objected to the processing, pending verification of whether legitimate grounds exist that override your objection.

Right to Data Portability (Article 20 GDPR): You have the right to receive, free of charge, your personal data in a format that allows you to access, use, and further process them. You also have the right, where technically feasible, to request the direct transmission of your data to another data controller. This right applies to data that you have provided to us and that are processed by automated means, based on your consent or for the performance of a contract.

Right to Object to Processing (Article 21 GDPR): You have the right to object at any time to the processing of your personal data, under specific conditions provided by law.

Right to Object to Automated Individual Decision-Making, Including Profiling (Article 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you in a similar way. At present, the Company does not engage in automated individual decision-making. However, should it decide to implement such processing in the future, it will inform the Data Subjects in advance and ensure full compliance with all applicable legal requirements.

Right to Withdraw Consent (Article 7 GDPR): You have the right to withdraw your consent at any time, to the extent that processing is based on consent.

Right to Lodge a Complaint with the Supervisory Authority: If you believe that: (a) a request you have submitted has not been adequately or lawfully addressed; or (b) your right to the protection of your personal data has been infringed by any processing carried out by us, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA).

Contact

For any matter relating to the above, or to exercise your rights as a data subject, you may contact HEDNO’s Data Protection Officer (DPO) at the following addresses: dpo@deddie.gr or 120 Syngrou Avenue, 117 41 Athens, for the attention of the Data Protection Officer (DPO).