PERSONAL DATA PROTECTION POLICY
OF SUPPLIERS
I. PREAMBLE
THE ‘ATHENIAN BREWERY S.A.’, which has its registered seat in 102 Kifissou Avenue, 122 41 Egaleo, Aigaleo, with VAT Number 094000362 (Tax Office of Athens) (contact e-mail: https://www.athenianbrewery.gr/gr/el/epikoinonia) (hereinafter “AZ” or the “Company”), has as its main priority the protection of personal data it processes. For this reason, it collects and processes data in accordance with the principles set out in Regulation (EU) 2016/679 (hereinafter, “GDPR”) and in accordance with the applicable national and European legislation on personal data protection. It also takes all appropriate technical and organizational measures necessary to protect the personal data it collects and processes in the context of its commercial activity.
We invite you to carefully read this personal data protection policy of our Company, the aim of which is to inform you about the terms and conditions governing the processing of personal data by the Company, as well as about your rights under the applicable law.
For the purposes of this Policy, “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one whose identity can be verified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors that approximate the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person (e.g. name/name of a sole proprietorship, tax identification number, etc.).
It is clarified that any commercial or other information, through which it is not possible to disclose or identify a specific natural person, does NOT constitute Personal Data.
II. GENERAL INFORMATION AND CONTROLLER
The Company “ATHENIAN BREWERY S.A.”, with registered seat in 102 Kifissou Avenue, Aigaleo 122 41 Athens, with VAT Number 094000362 (contact email: https://www.athenianbrewery.gr/gr/el/epikoinonia) is the controller of the collection, storage and in general process of your personal data, as collected and stored for the processing purposes specified in this Privacy Policy.
III. WHAT PERSONAL DATA OF YOURS WE COLLECT
We collect and process your personal data below:
- Details of your business, which directly or indirectly identify the owner/natural person (e.g. name, VAT number, telephone number of sole proprietorship/personal company).
- Address of sole proprietorship/personal company (county, city, town, district, street, number), the market channel to which the supplier’s store belongs, and type of supplier’s store.
- Details and contact data of employees of your business, when and if needed, for the execution of any contract/agreement you have concluded with the Company.
- Data relating to the activity of your business and, in particular, data relating to any direct or indirect cooperation with the government authorities, as well as data relating to any sanctions imposed on your business by the competent authorities in relation to its activity.
IV. PURPOSE OF PROCESSING
The Company processes your aforementioned personal data for the purposes of facilitating the cooperation between us in the scope of the execution of the relevant contract / agreement and for the fulfilment of any legal obligations provided in the applicable legislation. Furthermore, the Company processes your personal data for the purposes of safeguarding its legitimate interests as well as for its transparency, commercial reputation and reliability in the context of its commercial activity and for minimizing the risks of concluding contracts of cooperation with suppliers or for any involvement in situations that may be related to a breach of the legislation on unfair competition.
V. LAWFULNESS OF PROCESSING
The Company processes your personal data as described above:
- pursuant to a contract and/or agreement you have concluded with the Company for the purposes of the present contract/cooperation (Art. 6 par. 1 (b) GDPR).
- to safeguard its legitimate interests, which take precedence over the protection of the aforementioned specific personal data of suppliers wishing to cooperate with it, as well as to ensure its legal protection, in accordance with the applicable legislation (Art. 6 par. 1 (f) GDPR).
- for the purposes of its compliance with its legal obligations (e.g. in case of compliance with warrants issued by Courts or public authorities, etc.) (Art. 6 par. 1 (c) GDPR).
The Company processes your personal data in a legal and legitimate way. Under no circumstances will it collect or process more information or data than is required to fulfil the above-mentioned purposes of processing. Your data is kept in a secure way. The collection and processing are carried out exclusively to the extent required for the above-mentioned purposes of processing. Your data is not used for the creation of profiles.
VI. RECIPIENTS OF YOUR PERSONAL DATA
We may share your personal data with third parties, provided that the legal requirements are met, in order to help us in our operations. Such addressees are companies that are part of the same Group with the Company (e.g. for the purpose of storing personal data due to the common use of information systems).
If the HEINEKEN Group to which the company belongs sells to third parties all or a part of the assets or shares of a Company of HEINEKEN Group, to which the personal data has been transferred, your personal data may be provided to these third parties.
These recipients may be located in Greece or in countries within the EU or anywhere in the world. When the personal data is stored by us outside the EU, we ensure an adequate level of protection of the transferred personal data in accordance with applicable legislation and we expect our service providers to use appropriate measures to protect the confidentiality and security of the personal data. If we intend to transfer your personal data to a third country, i.e. a country outside the EEA or an international organization, you will be informed prior to the transfer in accordance with the provisions of Article 13 par. 1 (f) of the GDPR.
Such transfer is made solely for the purposes of providing the relevant service and always under the condition that the aforementioned persons accept and comply with the terms of this Policy and the Legislation. In those cases, the Company remains responsible for the processing of your personal data and defines the individual elements of the process, and signs a specific contract with the third parties to whom it entrusts the execution of processing activities, in order to ensure that the process is carried out in accordance with the applicable legal framework and that each natural person can freely and without restriction exercise the rights granted to him/her under the applicable legislation.
We may finally need to provide personal data to law enforcement authorities in order to comply with a legal obligation or with a court order, or to request legal protection, if required.
VII. PERIOD OF RETENTION OF PERSONAL DATA
Suppliers’ personal data are retained only for the period of time that is required to fulfill each of the abovementioned purposes, for which they were collected. When the purpose of the process of your personal data is completed, they will be deleted, unless their retention is necessary for the fulfilment of a legal obligation or to safeguard the legitimate interests of AB, always in accordance with the applicable legislation.
VIII. YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA
Every natural person whose data are processed enjoys the following rights:
Right to information & access: You have the right to be informed and have access to your data retained by us and to receive additional information about their process.
Right of rectification: you have the right to request the rectification, modification, completion and update of your data retained by us.
Right to erasure: You have the right to request the erasure of your personal data when we have collected and/or processed them with your consent, or in order to protect our legitimate interests.
Right to restriction of process: You have the right to request the restriction of the process of your personal data when: (a) the accuracy of your retained personal data is contested and until verification is carried out; (b) the processing is unlawful and you request the restriction of the use of your personal data instead of erasure; (c) the personal data is not necessary for the purposes of the process, but is necessary for the establishment, exercise, support of legal claims; (d) you object to the process and until it is verified that there are legitimate reasons relating to us which supersede the reasons for objecting to the process.
Right to object to process: you have the right to object at any time to the process of your personal data when there is no legitimate reason for us to continue the process of your personal data.
Right to portability: You have the right to receive, free of charge, your personal data in a form that allows you to access, use and process it, and to request from us, if it is technically feasible, to transfer your data directly to another controller. This right shall apply to data that you have provided to us and that is processed automatically with your consent or in execution of a contract between us.
Right to revoke the consent: you have the right to revoke at any time your consent, to the extent that it was obtained for the process.
To exercise any of the above rights, you may send an email to: DPO_ABOffice@heineken.com
Right to file a complaint to the Hellenic Data Protection Authority: you also have the right to file a complaint with the Hellenic Data Protection Authority (www.dpa.gr): telephone: +30 210 6475600, fax: +30 210 6475628, e-mail: complaints@dpa.gr.
IX. SAFETY OF PERSONAL DATA
The Company assures you that it takes all appropriate technical and organizational measures for the safety of your personal data, to ensure the confidentiality of their process and their protection against any unintentional or unlawful damage/loss/alteration, unauthorized dissemination or access and any other form of unlawful process and ensures the lawfulness of the collection, process and safe storage of the personal data, in accordance with the provisions of national, European and international law relating to the protection of personal data.
X. APPLICABLE LAW & JURISDICTION
For any dispute arising with regard to this Policy, the Greek courts will have exclusive jurisdiction and the applicable law will be the Greek law.
XI. AMENDMENTS
The present Privacy Policy has been drafted in accordance with the provisions of the General Data Protection Regulation (GDPR). If updated, any changes will be posted on the Company’s official website and will bear a revision date.
For further information, or for any issue regarding the above process of your personal data, please contact the Company’s Data Protection Officer (DPO) at the e-mail address: DPO_ABOffice@heineken.com.
APPENDIX
SPECIFIC DATA PROTECTION POLICY IN THE CONTEXT OF THE ‘SHINE’ PROCEDURE
- INTRODUCTION
“Athenian Brewery S.A.”, which is seated in 102 Kifissou Avenue, Aigaleo, 122 41, with TIN 094000362 (Athens tax office), GEMI No 251401000 (hereinafter, “AB” or “Company”) has as its main priority the protection of the personal data it processes. For this reason, it collects and processes data in accordance with the principles set out in Regulation (EU) 2016/679 (hereinafter, “GDPR”) and in accordance with the applicable national and European legislation on personal data protection. It also takes all appropriate technical and organisational measures necessary to protect the personal data it collects and processes in the context of its commercial activity.
We invite you to carefully read this personal data protection policy of our Company, the purpose of which is to inform you about the terms and conditions governing the processing of personal data by the Company in the context of the operation of the “Shine” process (hereinafter, the “Process”). This is an adaptation to the Company’s needs of a process implemented by the Heineken Group, to which the Company belongs.
For the purposes of this Policy, “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is the one whose identity can be verified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors that correspond to the physical, natural, genetic, psychological, economic, cultural or social identity of that natural person (e.g. name/sole proprietorship name, tax identification number, etc.).
It is clarified that any commercial or other information, through which it is not possible to identify a specific natural person, does NOT constitute Personal Data.
- GENERAL INFORMATION AND CONTROLLERS
“Athenian Brewery S.A.”, which is seated in 102 Kifissou Avenue, Aigaleo, 122 41, with TIN 094000362 (Athens tax office) (contact email: https://www.athenianbrewery.gr/gr/el/epikoinonia), is the controller for the collection, storage and in general processing of your personal data as collected and stored in the context and for the purposes of the Process.
- WHAT PERSONAL DATA OF YOURS WE COLLECT AND HOW
When entering into a new cooperation with a customer or supplier that is active in a sector and provides the Company with work/services, etc. critical for the Company’s business and/or in cases of customers/suppliers that the financial object of their cooperation with the Company is significant in value and/or is related to risks of compliance with legal provisions concerning bribery, money laundering, corruption, environmental protection, protection of human rights and, in general, the violation of the current legislation, or when renewing the cooperation with an existing customer/supplier that has the above characteristics, the following steps are followed:
A) When entering into and/or renewing the cooperation agreement, certain information that you provide us with regarding your business, namely: name/company name, country of establishment/seat, nature/object of business, place of business, contact details (email), language of communication, relations with public etc. bodies and authorities, ownership and management/representation details, Heineken Group company with which you cooperate, is entered into the Shine platform.
B) In the next stage, two processes take place, the Sanction Check (IDD) and the Full Screening (IDD+), which result in the drafting of a due diligence report based on the data you have provided us with yourself in combination with data obtained from the following publicly available and other legal sources:
- Published data on sanctions imposed at local, national and global level;
- Public data on legal and regulatory proceedings that have taken place (such as criminal investigations and convictions);
- Public company data;
- State records, such as, for example, for the identification of political figures, their close associates and family members;
- Mass media, including local newspapers.
These processes take place in an automatic manner, at regular intervals, based on the constantly updated data of your business in order to assess the integrity, reliability and solvency of your business, as well as the degree of its compliance, in the exercise of its business activity, with the provisions of the applicable legislation, always subject to strict compliance with the provisions of the applicable legislation on the protection of personal data. It should be noted that, in this context, it is not the aspects of your personality, if you are a natural person, that are assessed, but your reliability, integrity and solvency, as well as your compliance in general with the applicable legislation in the exercise of your business activity.
C) Based on the result of the above processes, your business is classified into one of the following four risk categories: a) low risk, b) medium risk, c) high risk and d) not acceptable (“black list”).
D) If, on the basis of the above automated assessment, your business is classified as “high risk”, you will also be sent a pertinent due diligence questionnaire, through which you will be asked to provide our Company with certain further information relating to the level of compliance of your business. This information, which includes personal data, e.g. if it is about a sole proprietorship, or details of officers/directors/shareholders of your business, relates to, inter alia, key elements of the business, its organizational structure, business activity and plans, details of the beneficial owner (UBO), directors, shareholders holding 25% or more, exports, any relationship – of themselves or their relatives – with the wider public sector, as well as any involvement in illegal activities, and finally, information regarding the implementation of anti-bribery and anti-corruption policies. Depending on the outcome of this process, the Company shall take appropriate measures, such as, but not limited to, training of the persons concerned on subjects related (but not limited) to the risks of bribery, corruption, money laundering, etc., the provision of a Declaration/Certificate of Compliance, the inclusion of contractual statements/guarantees/commitments specific to this direction in the contracts with the persons concerned, etc.
- PROCESSING PURPOSES
The Company processes the above personal data in order to evaluate the prospect of cooperation with your business through the prior assessment of your reliability, integrity and solvency, as well as your degree of compliance with the applicable legislation, in order to ensure the Company’s goodwill in the Greek market, the reliability and security of its transactions and, in particular, to assess the risk assumed by the Company in the context of the intended cooperation. The processing in question ensures, in addition, the protection of the Company from getting involved in potential cases of corruption, bribery, money laundering and, in general, cases related to the violation of legislation, as well as the establishment of long-term and solid trusting relationships with its counterparties.
The Company processes your personal data in a lawful and fair manner. Under no circumstances does it collect or process more information or data than required to fulfil the purposes of processing. Your data is kept in a secure manner. Their collection and processing is exclusively done for the processing purposes stated above.
- LEGALITY OF PROCESSING
The Company processes the aforementioned personal data in the context of satisfying its legitimate interests (Art.6 par. 1(f) of the GDPR).
- RECIPIENTS OF YOUR PERSONAL DATA
We will need to share your personal data with third parties, subject to legal requirements, in order to help us in our activities as described above. These recipients are:
- companies belonging to the same Group as the Company (e.g. for the purpose of storing personal data due to the shared use of information systems, for the purpose of compliance by such companies with their legal obligations, for the purpose of verifying the Company’s compliance with the relevant Group policies),
- service providers, where required, to provide a service to us, such as the provider of the platform through which the Shine Process operates (i.e. EthiXbase).
In the event that the HEINEKEN Group to which the company belongs sells to third parties all or part of the assets or shares of a HEINEKEN Group company to which personal data has been transferred, your personal data may be provided to such third parties.
In each of the above cases, the Company shall ensure, through the conclusion of relevant contracts with the recipients of the personal data, that these persons undertake in writing the necessary obligations and commitments regarding the protection of personal data in accordance with the conditions set by the applicable legislation, in order to ensure that the processing is carried out in accordance with the applicable legal framework and that each natural person can freely and unhindered exercise the rights granted to him/her by the law.
Finally, where required by a legal obligation imposed on us by law, a court decision or a public authority order, or where this is necessary to pursue the legal protection and/or legitimate claims of the Company, we will provide personal data to the relevant judicial or other competent authorities.
- RETENTION PERIOD OF PERSONAL DATA
Your personal data collected under the above described Process are kept for the duration of the business relationship between us and for five (5) years from the point in time when the last collection and update took place. After this point in time, the data is completely deleted and destroyed and cannot be retrieved.
- YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA
Any natural person whose data are processed as described above shall enjoy the following rights:
- Right of information & access: you have the right to be informed about and have access to your data kept by us and to receive additional information about their processing.
- Right of rectification: you have the right to request the rectification, modification, supplementation and update of your data kept by us.
- Right to erasure: You have the right to request the erasure of your personal data, in accordance with the conditions set by the applicable legislation, when we have collected and/or processed them on the basis of your consent, or in order to protect our legitimate interests.
- Right to restriction of processing: You have the right to request the restriction of the processing of your personal data when: (a) the accuracy of your personal data kept is contested and until verification is carried out; (b) the processing is unlawful and you request the restriction of the use of your personal data instead of erasure; (c) the personal data is not necessary for the purposes of processing, but is necessary for the establishment, exercise, support of legal claims; and (d) you object to the processing and until verification is carried out that there are legitimate grounds for the processing that concern us and override the reasons why you object to the processing.
- Right to object to processing: You have the right to object at any time to the processing of your personal data when there are no legitimate reasons on our behalf to continue to do so.
- Right to portability: You have the right to receive, free of charge, your personal data in a format that allows you to access, use and process it, and to request us, where technically feasible, to transfer your data directly to another controller. This right applies to data that you have provided us with and that is processed by automated means on the basis of your consent or in performance of a contract between us.
- Right to withdraw consent: You have the right to withdraw your consent, to the extent that it was obtained for the intended processing, at any time. Any withdrawal of the consent given does not affect, in any event, the processing of your personal data that has taken place pursuant to your consent up to the point in time of such withdrawal.
In order to exercise any of the above rights, you can send a message to the following email address: DPO_ABOffice@heineken.com
- Right to submit a complaint before the Hellenic DPA: You have also the right to file a complaint at the Hellenic Data Protection Authority (www.dpa.gr): Telephone: +30 210 6475600, Fax: +30 210 6475628, E-mail: complaints@dpa.gr.
- SECURITY OF PERSONAL DATA
The Company assures you that it takes all appropriate technical and organizational measures for the security of your personal data, to ensure the confidentiality of their processing and their protection from accidental or unlawful destruction/loss/alteration, unauthorized disclosure or access and any other form of unlawful processing and ensures the lawfulness of the collection, processing and safe keeping of personal data, as well as for the adoption and compliance with corresponding technical and organizational measures by the respective recipients of such personal data, in accordance with the provisions of national, European and international law on the protection of individuals against the processing of personal data and in particular taking into account the provisions of the GDPR.
- APPLICABLE LAW
For any dispute arising in connection with this Policy, the Greek courts will have exclusive jurisdiction.
- AMENDMENTS
This Privacy Policy has been drafted in accordance with the provisions of the General Data Protection Regulation (GDPR). In case of update, any change will be posted on the Company’s official website and will carry a revision date, otherwise it will be communicated to you in the most appropriate way.
For further information, or for any issue regarding the above processing of your personal data, you may contact the Company’s Data Protection Officer (DPO) at e-mail: DPO_ABOffice@heineken.com.