PRIVACY POLICY

1. Subject of the Personal Data Protection Policy.

The company with the name «ELTA COURIER S.A» (hereinafter «Company»), based in Agia Paraskevi, Attica, 395 Mesogeion Avenue, with Tax Identification Number (VAT) 099759170 of the Tax Authority of ATHENS, aims with the present Personal Data Protection Policy to inform the users of this application (hereinafter «ELTA Courier») about the way and purpose of processing their personal data. The Company, as the Data Controller, collects and processes personal data of ELTA Courier users, only if it is absolutely necessary, for clear and legal purposes, in accordance with the existing legislation on personal data protection.

2. Definitions

For the purpose of this Policy, the following terms have the following meaning:

«Personal Data»: Any information related to an identifiable and identified physical person («data subject»); the identified natural/physical person is one whose identity can be verified, directly or indirectly, in particular by reference to personal identity details, such as name, identity number, location data, online identity (IP address, e-mail, etc.) or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that physical person.

«Specific categories of personal data»: Personal data disclosing racial or ethnic origin, political views, religious or philosophical beliefs or trade union affiliation, as well as the processing of genetic, biometric data for the data relating to health or data relating to the natural sexual life or sexual orientation of the person.

«Processing»: any operation or sequence of operations performed with or without the use of automated procedures, on personal data or on personal data sets such as collection, registration, filing, structure, storage, adjustment or modification, retrieval, the search for information, use, disclosure, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction.

«Anonymization»: the processing of personal data in such way that the data can no longer be attributed to a specific data subject.

«Pseudonymization»: the processing of personal data in such a way that the data can no longer be attributed to a particular data subject without the use of additional information, provided that such additional information is kept separate and is subject to technical and organizational measures to ensure that it cannot be rendered to an identified or identifiable physical person.

«Data Controller»: the physical or legal person, public authority, service or other operator which, alone or in association with others, determines the purpose and manner of processing personal data; where the purpose and manner of such processing are determined by Union law or the law of a member state, the data controller or the specific criteria for his appointment may be provided by Union law or the law of a member state. In this case, the Company acts as the Data Controller.

«Data Processor»: the physical or legal person, public authority, service or other operator that processes personal data on behalf of the data controller.

«Subject of Processing»: the physical person whose personal data are being processed. In this case, each user of this application is considered as the subject of processing.

«Consent/Assent» of the data subject: any indication of volition, free, specific, explicit and fully aware, by which the data subject agrees, with a statement or with a clear positive action, to process the personal data concerning him.

«Personal Data Breach»: breach of security leading to accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.

«Existing Legislation»: The respective national and EU legislation on personal data protection and specifically the General Data Protection Regulation (EU) 2016/679 (hereinafter «GDPR»), Law 4624/2019 as well as the Decisions, Instructions and Opinions of the Data Protection Authority (hereinafter referred to as «DPA»).

3. Personal Data We Collect and Process, Purpose and Legal Base of Processing.

3.1. Personal data collected to create a User account.

By filling in the user registration form as a physical person, the user enters the name, surname, phone number, date of birth, email and password of his choice. Then, the user can log in by simply filling in his phone number as a username and the password he has chosen, while in case he does not remember the password, he can use the «forgot password» function and receive a relevant SMS with instructions for resetting the password.

By filling in the user registration form as a legal person and existing customer of ELTA Courier, the user enters the company VAT number, company name, contact person name, phone number, email and password of his choice. The user can then log in as a user of the application by simply entering the EXADA code as the username and the password he has chosen, while in case he does not remember the password, he can use the «forgot password» function and receive a relevant email with instructions for resetting the password.

The purpose of the collection and processing of such personal data is to provide the user with access rights to the application. The legal base for the processing of personal data is the legal right of the Company to improve the services it provides to the users of the application.

3.2 Personal data collected during the shipment / receipt of items.

While the user is planning the shipment / receipt of items, he must fill in certain information such as name of sender / recipient, address, postal code, city, country, floor, date, time, method of receipt and delivery, method of payment, details such as volume, weight, type, number, etc. to calculate the estimated cost. Upon receipt, the company checks the validity of the data entered by the user. The user then chooses if he wants to continue the order and proceed with the payment.

In case the user wishes to proceed with online card payment, he is transferred to the secure environment of VIVA Payment, through which the payment details are collected (e.g., credit / debit / prepaid card details such as card number, expiration date, cvv), by VIVA Payment, without the Company gaining access to such data.

As long as the shipment is «active», i.e., it has not been delivered to the recipient, the user is allowed to change the details of the order and specifically the recipient, his address, date, time, method of delivery and payment method, without saving the user's initial options.

During the shipment, the user receives status updates for his shipment e.g., the receipt, delivery of the item, the failure of delivery, the return of the item to the sender, etc.

The purpose of the collection and processing of this personal data is the easy and fast planning of the shipment of items, but also the continuous monitoring of its progress by the users. The legal base for the processing of personal data is the execution of the contractual obligations of the Company towards the users of the application and the legal right of the Company to improve the services it provides to the users of the application.

3.3 Personal data collected during the shipment tracking.

For the convenience of the users, the ability of creating and printing the voucher is available through the app. To create this voucher, the user fills in the details of the sender and the recipient such as name, address, region / city, postal code, and phone number. In fact, if the user selects the «pickup from home» option, he can print the voucher on his printer and place it on the object to be sent. At the same time, the application provides the ability to create a barcode with all the details of the shipment, so that the courier, by scanning it, can easily and quickly pass all the details directly to the «Track and Trace», the Company's tracking system. By using the voucher number or the barcode mentioned above, the user can search and monitor the progress of the shipments that concern him. In any case, the shipments history is preserved, as the user can select the appropriate «filters» to locate the order he is interested in.

The purpose of processing this data is the tracking of the items and the continuous monitoring of the progress of the shipment by the users. The legal base for the processing of personal data is the legal right of the Company to improve the services it provides to the users of this application.

3.4 Personal data collected during the submission of requests and complaints.

In case a user submits a request, complaint or criticism for the services provided, the Company collects personal data, name, surname, phone number, date of birth, email and the content of the request / complaint / review.

The purpose of processing this data is to serve the user and improve the services provided to him. The legal base for the processing of personal data is the execution of the legal and contractual obligations of the Company as well as its legal right to improve the services it provides to the users of this application.

3.5 Social media buttons

In ELTA Courier there are social media buttons-widgets from social networks (e.g., Facebook, Twitter and YouTube) with the use of which, after the user connects to the social network, a special digital fingerprint of the user is created, for which both the Company and the social network itself, act as Data Controllers. For more information on the data processing policy and configuration options of these networks, you can visit the following websites:

The purpose of the collection and processing of this data is to improve the functionality of this application and the services provided as well as the analysis of its traffic. The legal base for the processing of personal data is the legal right of the Company to improve and ensure the services provided to the users of ELTA Courier.

3.6. Links to the privacy policy of third party service providers used by the application

4. Personal Data of Underage Users

This application is not intended for underage users and does not wish to collect and process personal data of underage persons (i.e., persons under 18 years of age). However, as it is impossible to cross-check and verify the age of ELTA Courier users, we ask the parents / guardians of underage persons, in case they find any unauthorized disclosure of data by them, to immediately notify the Company in order to take protective and necessary measures (e.g., deletion of their data). In case the Company realizes that it has collected personal data of an underage person, it undertakes to delete it immediately and to take any necessary measures to protect this data.

5. Data Transmission to Third Parties

The Company may transmit the above personal data to third parties, to whom it has entrusted the processing of personal data on its behalf (such as service companies, website developers, advertising companies, market research companies, customer credit rating companies, companies for the collection of customers' debts, VIVA Payment, etc.).

In any case, the third parties to whom the data of the users may be transmitted are contractually bound to our Company in order to ensure the obligation of confidentiality as well as all the obligations provided by the Existing Legislation. At the same time, the personal data of the users may be transferred to public authorities, independent authorities, etc. (e.g., Police Departments, Prosecution, Tax, Customs, DPA, etc.) during the exercise of their duties, by the recognized authority or at the request of a third party invoking legal rights and in accordance with legal procedures.

6. Transfer of Personal Data outside the EU

The personal data of the users collected through ELTA Courier are not transmitted to a country outside the European Union (EU) or the European Economic Area (EEA). In case of sharing of personal data of users collected through ELTA Courier, in a country outside the European Union (EU) or the European Economic Area (EEA), the Company previously checks if:

α) The Commission has issued a decision of adequacy for the third country to which the transfer will take place.

β) The appropriate security is taken in accordance with the Regulation for the transmission of this data.

Otherwise, the transfer to a third country is prohibited and the Company will not transfer personal data of users to it, unless one of the special derogations provided by the Existing Legislation applies (e.g., the explicit consent of the user and the information about the risks of the involved transmission, the transmission is necessary for the execution of a contract at the request of the subject, there are reasons of public interest, it is necessary to support legal claims and vital interests of the user, etc.).

7. Data Retention Period

The personal data of the users collected are kept for a predetermined and limited period of time, depending on the purpose of the processing, after the expiration of which the data is deleted from our files. When processing is required by the provisions of the applicable legal framework or a specific retention period is provided, personal data will be stored for as long as the relevant provisions require. The personal data of the users that are collected and processed for the execution of the contract, are kept for as long as is necessary for the execution of the contract and for the establishment, exercise, and / or support of legal claims based on the contract. The personal data of the users that are processed for marketing purposes after the consent of the users are kept until the revocation of the consent, without this revocation affecting the legality of the processing until then.

8. Security of Personal Data

Taking into consideration the latest developments, the cost of implementation and the nature, scope, field, and purposes of processing, as well as the risks of different probability of occurrence and seriousness for the rights and freedoms of users from processing, the Company takes the necessary technical and organizational measures to protect users' personal data. Although no method of transmission via the Internet or method of digital storage is completely secure, the Company takes all necessary digital data security measures (data encryption, SSL / TLS, antivirus, firewall, etc.).

9. Data Protection Officer (DPO)

In order to ensure adequate protection of personal data, the Company has designated a Data Protection Officer to whom data subjects can address their requests and questions regarding the protection of their personal data and this Policy, to the following contact details: through email at: dpo@elta-courier.gr or through phone at: +30 2106073215.

10. Personal Data Subject Rights

The Company ensures that it is able to respond immediately to users' requests to exercise their rights in accordance with Existing Legislation.

In particular, every user has the following rights:

a) To request information regarding the processing of his personal data by the Company.

b) To request access to his personal data kept by the Company. More specifically, he can request to receive a copy of his personal data kept and to check the legality of the processing.

c) To request the correction of his personal data in case of incorrect or incomplete registration by the Company.

d) To request the deletion of his personal data if their retention is not based on any legal basis or legal right.

e) To request a restriction on the processing of his personal data, under specific conditions.

f) To request the portability / transfer of his personal data either to himself or to third parties.

g) To revoke at any time the consent he gave for the processing of his personal data, without this revocation affecting the legality of the processing until then.

h) To oppose the processing of his personal data by the Company.

i) To oppose a decision that concerns him and is taken exclusively on the basis of automated processing, including profiling.

To exercise your rights, you can contact the Data Protection Officer (email dpo@elta-courier.gr or phone: +30 2106073215). In case of exercise of any of the above rights, the Company provides the data subject with information about the processing operations following the relevant request submitted within one (1) month from the receipt of the request and the identification of the subject. This deadline may be extended by another two (2) months, if required, if the request is complex or there is a large number of requests. In this case, the Company is obliged, within one month from the receipt of the request, to inform the data subject about the delay, as well as the reasons for it. Within the above period, it also informs the data subject of any refusal to satisfy in whole or in part the submitted request, as well as of the reasons for the refusal.

For any complaint regarding this Policy or personal data protection issues, if we do not satisfy your request, you can contact the Hellenic Personal Data Protection Authority www.dpa.gr.

11. Liability Disclaimer

In case in ELTA Courier there are links that redirect users to third party websites / applications, we inform you that our Company does not control nor is responsible for their content, nor for the way in which users' personal data are processed.

12. Updates on the Privacy Policy

This Privacy Policy may be amended / revised in the future, in the context of the Company's regulatory compliance as well as the optimization and upgrade of ELTA Courier services. We therefore recommend that you refer to the updated version of this Policy each time, for your adequate information.

Last Review: April 2021