1. Introduction
The website https://www.enexgroup.gr/ (hereinafter website) provides a wide range of information for the Energy Exchange Group, which consists of “EnΕx Clearing House S.A. (EnExClear S.A.)” and the Company “Hellenic Energy Exchange S.A. (HEnEx S.A.)” both located in 110 Athinon Ave., P.C. 10 442 Athens, Greece, Tel.: (+30) 210-336-6400. These Companies are Joint Controllers of your data, which are processed under it.
This Personal Data Protection Policy, which concerns the website https://www.enexgroup.gr/ (hereinafter the "Data Protection Policy" or the "Policy") defines the terms and conditions that are followed by the Data Controller (each company of the Energy Exchange Group) for the processing and protection of the personal data (hereinafter referred to as "Personal Data" or "Data") as mentioned below.
The Policy shall be updated whenever is necessary. If there are significant changes in the Policy or the way we use your Personal Data, we shall notify you either by posting a notice in a prominent place before the changes take effect or by any other appropriate means. We encourage you to read this Policy regularly to know how your Data is protected. The last review of our policy took place on 12/03 /2021.
Please take some time to read carefully the terms of the Policy.
2. Our Website
The website https://www.enexgroup.gr/ is the website of the Energy Exchange Group. The content of the website is mainly informative, as it hosts a wide range of information regarding the services of the Group Companies, the decisions concerning their operation, their regulatory framework and their human resources.
3. What kind of Personal data do we process?
When browsing our website, your connectivity data are automatically collected through the cookies that are installed on our website, such as IP, preferences data, visit time and navigation data.
When filling out the online contact form, we collect the name, the company you represent and your email address.
When you access the Membership area of the Companies of the Energy Exchange Group you will have to enter your email and password. Please note that access to this area is available only to authorized employees of our Group Members.
In the context of the operation of our website, only the necessary data are collected in accordance with this policy and legislation. No data of special categories are collected, ie indicative information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as processing of genetic data, biometric data for the purpose of uniquely identifying, health data or data relating to sex life of a natural person or sexual orientation.
4. Purpose of Processing Personal Data
The Group Companies and/or third parties, acting, at the behest and on behalf of the Companies as Data Processors, process your personal data for the purpose of better operation of the website and the improvement of navigation on it, as well as to maintain security at a desired level, using cookies.
Learn more about the use of cookies on our website, here.
Group Companies also process your personal data to communicate with you, upon your relevant request, through the contact form.
In addition, the Group Companies process personal data of employees of their Members that are necessary for access to publications and content that can serve them in their daily work.
Your data is processed exclusively for the above purposes or as appropriate for purposes of legislative/regulatory compliance of the Companies or for the support of their legal claims.
The processing of your personal data is carried out in compliance with the basic principles for the protection of personal data, in accordance with the General Personal Data Protection Regulation (GDPR) (EU/2016/679), ie lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality and, finally, accountability as well as of all the provisions of the General Personal Data Protection Regulation.
5. Legal basis of the processing
Regarding the data collected through the unnecessary cookies of our website, their processing is based on the explicit consent of the website visitors. For the personal data collected when you fill in the contact form, the processing is based on the fact that it is necessary for the purpose of safeguarding the legitimate interests of our Group Companies, and in particular maintaining the necessary channels of communication with our existing and potential customers and processing their relevant communication requests. For the personal data collected during your entry into the Membership area of the Companies of Energy Exchange Group, the processing is based on safeguarding the legitimate interests of the Group which is the improvement of the services offered to its Members by providing specific forms and information in order to facilitate their daily work.
6. Who has access to your personal data?
Access to your personal data has exclusively the necessary, in any case, personnel of the Company, who have received the appropriate information for the safe processing of your personal data.
In addition, the companies that corporate with us - data processors, can also have access, which support the operation of our website (e.g. ATHEX S.A.) after the relevant assignment of the processing to them, by the Company. The processing of personal data by the processors is carried out under our explicit orders and under the guarantee of taking all appropriate technical and organizational measures to protect your data.
Third parties who may have access to your data are government and regulatory bodies (e.g. prosecution authorities, supervisory authorities etc.), when we are called to comply with the law, when the transmission is deemed necessary for important reasons of public interest, as well as for the establishment, exercise or support of legal claims.
7. Transmission of personal data outside the EEA
Your Personal Data is stored and processed only within the EEA.
8. Do we use automated decision-making/including profiling when processing your Data?
We do not take decisions, nor profiling, based on automated processing of your Data.
9. The period of keeping your personal data
Your personal data is kept only for the period of time required by the nature of the data processing. Indicatively, you can be informed about the retention time of your collected data through the cookies of our website, by reading our Cookies Policy, here. Your data collected by filling in the contact form is kept for as long as it is required to process your request, while the data of the employees of the Members of the Group Companies is kept for as long as the contractual relationship of the Members with the Group lasts.
10. Linking to third - party websites
The possible connection of this site to another third party website through special links, hyperlinks, banners, etc., does not imply any responsibility on our part for the content of this website, the quality and completeness of any products or the services presented on it or its policy on the protection and processing of personal data.
The natural person should make sure that he / she is informed about the protection and processing of his / her data from the above websites and that he / she reads the respective personal data policies that are followed by them.
11. Data security
We pledge that we have taken appropriate organizational and technical measures to secure and protect your Data from any form of accidental or unlawful processing. Our specially authorized personnel who process your personal data, have received the appropriate guidance and information. The measures we take are reviewed and amended when deemed necessary.
12. Your rights as data subject
As Data Subject you have the following rights:
-
Right to access to personal data
This means that you have the right to be informed by us if we process your Data. If we process your Data you may ask to be informed about the purpose of the processing, the categories of your Data we keep, recipients of your Data, where possible the period for which the data will be stored, if automated decisions are made, but also about your other rights, such as rectification, erasure, restriction of processing and submission of a complaint to the Personal Data Protection Authority.
-
Right to rectification of inaccurate personal data
If you find out that there is a mistake in your Data, you may submit your request to correct it (e.g. name correction or phone number change update).
-
Right to erasure/ right to be forgotten
You may ask us to erase your data if it is no longer necessary for the above mentioned processing purpose or you wish to withdraw your consent if this is the only legitimate basis.
-
Right to data portability
You may ask us to receive in readable form the Data you have provided or ask us to transmit it to another data controller.
-
Right to restriction of processing
You may ask us to restrict the processing of your Data for as long as your objections to our processing are pending.
-
Right to object to the processing of your Data
You may object to the processing of your Data, if the conditions of the General Personal Data Protection Regulation are met and we shall stop processing your Data unless there are other imperative and legitimate reasons that override your rights.
-
Right to withdraw consent
You may revoke your consent at any time to the extent that the processing has been carried out on that basis.
13. How can you exercise your rights?
- If you wish to receive further information regarding the processing of your personal data or to exercise any of the above rights, you can contact the designated person for both companies of the Group, Data Protection Officer, at the postal address 110 Athens Ave., Athens, P.C. 10442, Greece or at the e-mail address DataProtectionOfficer@athexgroup.gr, making a description of your Request and we will make sure to review it and respond to you as soon as possible.
- Our response to your request shall take place within (1) one month of receipt and does not involve any cost to you. The above deadline can be extended for a period of two (2) additional months due to the complexity or the number of requests, in which case you will be informed of the extension as soon as possible and no later than one month from the receipt of the request. In the latter case we will inform you about the delay and its reasons.
- In cases where the request is deemed manifestly unfounded or excessive we can either refuse to process it, or request the payment of a reasonable fee for processing it, taking into account the administrative costs of providing the information or performing the requested action.
- In case: a. you consider that your request has not been sufficiently and legally granted or b. you consider that the right to the protection of your personal data is infringed by some processing we perform, we remind you of your right to contact the Personal Data Protection Authority (postal address 1-3 Kifissias Ave., P.C. 115 23, Athens, Greece, tel. (+30) 210.6475600 and at e-mail address: contact@dpa.gr.
This information concerns the processing of your personal data carried out within the context of the use of the products and services offered by the Energy Exchange Group, which consists of the company with the name “HELLENIC ENERGY EXCHANGE S.A.” (hereinafter “HEnex”) and the company with the name “ENEX CLEARING HOUSE S.A.” (hereinafter “EnExClear”), hereinafter collectively referred to as "Companies".This privacy notice is provided in order to inform you on the personal data collected, to explain the way and purpose of data processing, to state any third parties with whom we share your data and finally to inform you on your rights. Please read this notice in order to be informed in detail about the terms of processing your data:
1. Data Controller
Depending on the products and services you receive, HEnEx or EnExClear is, pursuant to the General Data Protection Regulation 2016/679 ("GDPR") the data controller of personal data, which are processed within the context of the use of the products and services provided to you. The registered seat of the Companies is located in Athens, at Athinon Avenue 110, postal code 104 42, contact telephone number: +30 210 33 66 400, e-mail: info@enexgroup.gr.
2. Collection of personal data
The Companies collect and process the personal data that are necessary to achieve the intended purpose of the processing. These data, depending on the product or service provided, relates to:
Data of executives of the candidate participants' and/or members of HEnEx’s markets as well as of the participants (hereinafter “Participants”) and/or members (hereinafter “Members”) of these markets, as well as data of the executives of the candidate clearing members and the existing clearing members (hereinafter "Clearing Members"), which are collected during the procedure for acquiring the aforementioned capacities, such as identification data and contact details. For more information regarding the processing of these personal data, please read the corresponding privacy notice, which is provided in the relevant onboarding form, which is available on the Companies' website.
Data of the employees and executives (a) of the Participants and/or Members, as well as (b) of the Clearing Members, collected in view of the examinations carried out by HEnEx and EnExClear for the granting of certifications, such as identification data, contact details, as well as other information regarding their work experience and education. For more information, please refer to the privacy notice for the processing of personal data of candidate Certified Energy Traders or Energy Clearers.
Data of the participants in the seminars carried out by the Companies, such as identification data, contact data, work data, information regarding the training and professional competence of the natural person.
Personal data of the personnel of the Participants and/or Members in the context of the recording of the conversations carried out by the competent departments of HEnEx to facilitate the operations of the Energy Exchange. For more information regarding the processing of those personal data, please read the privacy notice, which is addressed to employees of Participants and/or Members of the Energy Markets on the transmission of orders in cases of system malfunction
Basic details (name and surname) and contact details (telephone, e-mail address) of the participants in the corporate events held by the Companies.
Basic data (name, surname, national ID number), work data (job position), and other personal data of visitors, such as the license plate number, which are processed in the context of the management of the list of the visitors, kept by the Companies.
3. Purpose and legal basis of the processing of personal data
The Companies, in the context of the products and services they provide, process personal data, according to the following purposes and legal bases:
Consent (Article 6 para. 1a GDPR)
In the context of the organization of corporate events, the Companies process the personal data of the invitees and participants, following their explicit consent.
Legitimate Interest (Article 6 para. 1f GDPR)
The Companies, in order to safeguard and achieve their legitimate interests, process personal data of visitors, within the context of maintaining a list of visitors for the purpose of protecting persons and goods.
Contract (Article 6 para. 1b GDPR)
The Companies process personal data, the processing of which is necessary for the conduction of seminars by the Companies, following an expression of interest by the natural person who sends a relevant application for participation.
4. Recipients of personal data
The Companies ensure that your personal data will be processed by the necessary, in any case, personnel, which has been adequately informed regarding the secure processing of your personal data. In addition, recipients of your data are:
a) Natural and legal persons with whom the Companies cooperate for the fulfilment of the aforementioned purposes. These persons, acting as processors, are contractually bound to ensure confidentiality of personal data, as well as to follow Company's instructions regarding the processing of personal data and take all appropriate measures for their protection.
b) Furthermore, recipients of your necessary personal data may be supervisory, audit, independent judicial, public, and/or other authorities and bodies within the framework of their statutory powers, duties and powers, provided that their disclosure is required by the applicable legislation or provided therein, as well as to lawyers/ law firms, auditors or audit companies.
5. Transfers of data to countries outside the European Economic Area (EEA) or international organisations
Your personal data are not transferred to third countries (outside the EEA).
6. Data retention period
Your personal data are only retained for the reasonable period of time, which is necessary due to the nature of the processing and only for as long as this is required for the fulfillment of each processing purpose. At the end of this period, your personal data will be deleted, unless otherwise required under the applicable legal and regulatory framework or for the establishment, exercise or defense of legal claims.
7. Your rights
According to the GDPR, as a data subject, you have the following rights, which may be exercised on a case-by-case basis:
Right to access your personal data.
Right to rectification and/or completion of your data.
Right to erasure/ right to be forgotten.
Right to restriction of processing.
Right to data portability.
Right to object to the processing of your data.
Right to withdraw consent at any time, as long as the processing was carried out on that legal basis.
8. Exercise of rights
If you wish to receive further information regarding the processing of your personal data or to exercise any of the aforementioned rights, you can address the Companies either in writing at: EnEx Clearing House S.A. or Hellenic Energy Exchange S.A., 110, Athens Avenue, 104 42, Athens, attn: Data Protection Officer (DPO), or by e-mail to the Companies' Data Protection Officer (DPO) at the e-mail address: dataprotectionofficer@enexgroup.gr.
Our response to your request will take place within one (1) month of its receipt and at no cost to you. This time limit may be extended for a period of two (2) more months, due to the complexity or number of requests. In any case, you will be notified regarding the extension and the reasons for it at the earliest and no later than one month after receiving the request.
9. Security of personal data
The Companies implement an information security management system and take appropriate organizational and technical measures, in accordance with applicable laws and regulations, in order to ensure the security of data processing and its protection against accidental or unlawful destruction, loss, alteration, prohibited dissemination or access, as well as from any other form of unfair processing. It is noted that the authorized personnel of the Companies have received the appropriate training and guidance.
10. Right to lodge a complaint
If you believe that: a) any request submitted by you has not been adequately and legally satisfied, or b) your right to personal data protection is being breached by any processing that is carried out by the Companies, you have the right to lodge a complaint, through the dedicated online portal of the Hellenic Data Protection Authority (postal address: 1-3 Kifissias Ave., 115 23, Athens, https://www.dpa.gr/, tel. 210 6475600, e-mail: contact@dpa.gr). You may find detailed guidelines on how to lodge a complaint on the Hellenic Data Protection Authority’s website.