Privacy Policy
BINDING CORPORATE RULES (BCR) FOR THE PROTECTION OF PERSONAL DATA OF THE HAITOGLOU GROUP AND AFFILIATED COMPANIES
- Purpose
1.1. Legal Nature of the Binding Corporate Rules on Data Protection
The BCR are binding rules related to the processing of personal data by all companies of the Haitoglou Group and affiliated companies that have adopted them with legally binding force.
- Scope of Application
This Policy applies to the following companies within the Group:
- The company under the name “AFOI HAITOGLOU Anonymous Industrial and Commercial Company”, headquartered in Kalochori, Thessaloniki, with VAT number 094132463, as legally represented.
- The company under the name “BOLERO CONFECTIONARY OF THRACE ANONYMOUS COMPANY”, headquartered in the Industrial Area of Komotini, with VAT number 094450987, as legally represented.
- The company under the name “MAKEDONIKI ETERIA ZACHAROIDON & AMYLOIDON PROIONTON ANONYMOUS COMPANY” and the distinctive title “M.E.Z.A.P. S.A.”, headquartered in Kalochori, Thessaloniki, with VAT number 093227779, as legally represented.
As well as the following affiliated companies:
- The company under the name “HAITOGLOU SA GRAPHIC ARTS”, headquartered in Kalochori, Thessaloniki, with VAT number 800477117, as legally represented.
- The company under the name “AFOI HAITOGLOU ANONYMOUS COMPANY FOR MARKET RESEARCH & FOOD PRODUCTS PROMOTION S.A.” and the distinctive title “AFOI HAITOGLOU – SALES – MARKETING”, headquartered in Attica, Kifisia, Char. Trikoupi Street No. 197, with VAT number 094396708, as legally represented.
(All the above companies will hereinafter be collectively referred to as the “Companies”).
The BCR applies to all types of processing of personal data exchanged between the above companies, regardless of where the data is collected. The personal data is primarily used by these companies for the following purposes:
- Managing employee data during contract conclusion and execution, as well as providing products and services offered to employees by the “Companies” or third parties.
- Initiating, executing, and processing contracts with corporate clients, as well as for advertising and market research purposes to inform customers and interested third parties about the products and services offered by the “Companies” or third parties.
- Concluding and implementing agreements with service providers to the “Companies” as part of service provision.
- Entering into appropriate agreements with other third parties, mainly with shareholders, partners, or visitors, and complying with legal obligations.
- Personal data is used to serve the current or future purposes of the “Companies” as described in their statutes.
- Data transfers within the “Companies” are necessary for personnel administration, operational needs, and business continuity.
- Relationship with Other Legal Provisions
The provisions aim to ensure a high and standardized level of personal data protection across all “Companies.” Therefore, regulations, procedures, etc., in force within the “Companies” that exceed the principles set forth by the BCR or impose additional restrictions on the processing of personal data shall continue to apply as they stand.
The application of Union or national legislation enacted for national security, national defence, public safety, or the prevention, investigation and prosecution of criminal offences, where it requires data transfers to third parties, is not affected by the provisions of the BCR. If a company finds that a provision of the BCR conflicts with the General Data Protection Regulation (GDPR) or national data protection law, it must immediately inform its Security Officer.
- Expiry and Termination
The BCR ceases to be binding for a company if it terminates them. However, the termination or expiration of the BCR does not relieve the company from obligations regarding the use of data that has already been transferred. Further data transfers to or from the company in question can only occur if other appropriate procedural safeguards are in place according to European legislation requirements.
- Publicity
This Policy is posted on the website of each “Company” and is freely accessible to all employees, partners, and customers. The “Companies” provide all relevant information regarding the rights of data subjects. This information is made available to the public in an appropriate form.
- Transparency in Data Processing
Right to Information
Data subjects are informed about how their personal data is used in accordance with applicable legislation and the following terms:
The “Companies” adequately inform data subjects of the following:
- The identity of the data controller(s) and their contact details.
- The intended use and purpose of the data, specifically what data is recorded, processed, or used, for what purpose, and for how long.
- If personal data is transferred to third parties, the data subject is informed about the recipient, the scope, and the purpose of the transfer.
- The data subject’s rights concerning the use of their data.
Regardless of the means of communication, the relevant information must be provided in a clear and understandable manner. The information is available to data subjects when the data is first collected and at any time upon request.
- Processing of Personal Data
Personal data is processed only under the following conditions and must not be processed for purposes other than those for which it was originally collected. Processing for other purposes is permitted only if:
- The applicable legislation expressly allows the use of personal data for specific purposes.
- The data subject has given their consent for data processing.
- Processing is necessary for the company to fulfill its contractual obligations towards the data subject or to take measures at the data subject’s request before entering a contract.
- The data is used to fulfill a legal obligation of the company.
- Processing is necessary to safeguard the vital interests of the data subject.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the company or in the third party to which the data is transferred.
- Processing is necessary for the legitimate interests of the company or the third party receiving the data, provided that the data subject’s interests do not override the company’s interests.
- Common Rules for Processing and Transfers within the Group and Affiliated Companies
8.1. Processing and Transfers of Personal Data
The “Companies” and their employees agree to apply the following rules:
- Purpose Limitation: Personal Data will be processed and transferred only for specified, relevant, and lawful reasons as outlined in the Annex.
- Data Minimization: Processing is limited to what is necessary and proportionate to the intended purpose.
- Accuracy: Reasonable measures must be taken to ensure data accuracy, completeness, and reliability.
- Storage Limitation: Data is stored only as long as necessary to fulfill business purposes in compliance with retention policies, unless a longer period is required by law.
- Consent: Services and products should not be conditioned on data subjects consenting to data processing for purposes other than those outlined in the contract.
- Legal Basis for Processing Personal Data
Processing must be based on at least one of the following:
- The data subject’s explicit consent.
- Processing is necessary for contract execution or pre-contractual measures.
- Processing is necessary to comply with legal obligations.
- Processing is necessary to protect the vital interests of the data subject.
- Processing is necessary for public interest tasks or official authority execution.
- Processing is necessary for legitimate business interests unless overridden by the data subject’s rights.
- Consent of the Data Subject
The data subject has given their consent provided that:
- The consent has been given explicitly, voluntarily, and after being informed, in such a way that the data subject understands the purpose of their consent. The text of the consent declaration is precise and informs data subjects of their right to withdraw their consent at any time. If withdrawing consent results in the non-fulfillment of contractual obligations, the data subject must be informed accordingly.
- The consent has been obtained in an appropriate form (in writing). In exceptional cases, verbal consent may be accepted, provided that the fact of consent and the specific circumstances making verbal consent sufficient are adequately recorded.
- Automated Use of Personal Data
Decisions that evaluate individual aspects of a person and may result in legal consequences or significant negative impacts should not be based solely on automated processing of personal data. This includes decisions related to creditworthiness, professional suitability, or the health status of the data subject.
If, in exceptional cases, there is an objective necessity for automated processing of personal data, the data subject shall be promptly informed of the result of the automated processing and given the opportunity to submit their comments within an appropriate time frame. The data subject’s comments shall be considered before a final decision is made.
- Use of Personal Data for Direct Marketing Purposes
When data is used for direct marketing purposes, data subjects must:
- Be informed about how their data will be used for marketing purposes.
- Be informed of their right to object to the use of their data for such purposes.
- Be provided with the necessary tools to exercise this right, including details on the company to which they can submit their objection.
- Special Categories of Personal Data (Sensitive Personal Data)
The use of special categories of personal data is permitted only if required by applicable law or if the data subject has given prior explicit consent. Processing is also allowed when necessary to fulfill obligations arising from labor law, provided that this is permitted by national law and appropriate protective measures are taken.
Before collecting, processing, or using sensitive personal data, the company must inform the Security Officer. When assessing the permissible use of the data, particular attention must be paid to the nature, scope, purpose, necessity, and legal basis for processing sensitive personal data.
- Legal Basis for Processing Sensitive Data
The processing of sensitive data must be based on at least one of the following legal bases:
- Explicit consent of the data subject.
- Necessity for fulfilling obligations and specific rights of the company under labor law, provided that such processing is approved by national legislation ensuring adequate protection measures.
- Processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent.
- Processing concerns sensitive data that has been publicly disclosed by the data subject.
- Processing of sensitive data is necessary for the establishment, exercise, or defense of legal claims.
- Processing is required for preventive medicine, medical diagnosis, healthcare provision, or health service management and is carried out by a healthcare professional subject to national confidentiality laws.
- Processing is necessary for reasons of substantial public interest as specified by national law or a decision of the supervisory authority.
- Limited Access to Personal Data
The processing of personal data shall be restricted to employees whose roles and responsibilities necessitate such processing.
- Data Minimization, Avoidance, Anonymization, and Pseudonymization
Personal data must be appropriate, relevant, and not excessive in relation to the purpose for which they are used (data minimization). Data must be processed only within the necessary information systems (data avoidance).
Where feasible and economically reasonable, procedures should be used to remove identifying elements of the data subjects (anonymization) or to replace them with alternative identifiers so that the data can no longer be attributed to a specific data subject without additional, separately held information (pseudonymization).
- Transfer of Personal Data
17.1. Nature and Purpose of Data Transfers
Personal data shall only be transferred when the recipient assumes responsibility for the received data or when the recipient uses the data exclusively in accordance with the sender’s instructions and requirements (commissioned data processing agreement).
Personal data may only be transferred for the purposes described herein within the company’s business activities, due to legal obligations, or with the data subjects’ consent.
17.2. Transfer of Data to Third Countries
The processing of personal data must take place exclusively within the territory of an EU Member State or of a country that is party to the European Economic Area (EEA) Agreement. Any transfer of data to a third country requires the prior written consent of the data subject and must comply with the specific conditions set out in Chapter V of the GDPR.
When transferring personal data to a third party, appropriate technical and organizational measures must be implemented to protect the data in accordance with company requirements and widely accepted security standards.
- Processing of Data by External Processors and Subcontracting
When one of the “Companies” assigns a third party (processor) to provide services on its behalf and according to its instructions, the service contract must also include obligations regarding data processing. These obligations must specify the type and method of processing, the purpose of processing, and the necessary technical and organizational measures for data protection.
The processor must not use the personal data for its own or third-party purposes without prior consent from the company.
The processor must inform the company in advance if it intends to use subcontractors. The company has the right to refuse the use of subcontractors. If subcontracting occurs, the processor must require the subcontractor to comply with the agreed-upon obligations.
Processors must be selected based on their ability to meet the specified requirements.
- Security and Confidentiality
Personal data must be accurate and, where necessary, kept up to date.
Appropriate measures must be taken to ensure that incorrect or incomplete information is deleted, prevented from being used, or corrected as necessary.
- Data Security – Technical and Organizational Measures
The company ensures that appropriate technical and organizational measures are included in corporate procedures and applied to IT systems and platforms used for data collection, processing, or usage to protect personal data.
These measures must include:
- Measures to prevent unauthorized individuals from gaining physical access to the data processing systems in which personal data is processed (physical access control).
- Measures to ensure that data processing systems cannot be used by unauthorized persons (system access control).
- Measures ensuring that authorized individuals using data processing systems have access exclusively to the data they are authorized for and that personal data cannot be read, copied, altered, or deleted by unauthorized persons during processing, use, or after recording (data access control).
- Measures ensuring that personal data cannot be read, copied, altered, or removed by unauthorized persons during electronic transmission, transport, or storage on data media, and that it is possible to check and establish to which recipients personal data is transmitted by data transmission facilities (data transfer control).
- Measures ensuring that it is possible to retrospectively review and verify whether and by whom personal data was entered, modified, or deleted in data processing systems (data entry control).
- Measures ensuring that personal data processed by third parties/contractors is processed only according to the client’s instructions (contractor control).
- Measures ensuring that personal data is protected from accidental destruction or loss (availability control).
- Measures ensuring that data collected for different purposes can be processed separately (separation rule).
- Data Subject Rights
21.1. Right to Information
Data subjects have the right to contact any company processing their data at any time and request the following information:
- What personal data the company holds, along with their origin and recipients.
- The purpose of use.
- The individuals and processors to whom the data is regularly transferred, especially if the data is transferred abroad.
- The provisions of these BCRs.
The relevant information must be made available to the applicant in an understandable form and within a reasonable time. This is generally achieved through written or electronic communication. Providing a copy of the BCRs to the applicant is considered sufficient information regarding the requirements outlined in this document.
21.2. Right to Object, Right to Erasure or Blocking of Data / Right to Rectification and Right to File a Complaint with the Competent Authority
The data subject has the right to object at any time to the use of their personal data if such data is used for purposes not mandated by law.
The right to object remains valid even if the data subject previously consented to the use of their data.
Legitimate requests for erasure or blocking of personal data must be fulfilled without delay. A request for erasure is justified in particular where the legal basis for processing the personal data no longer applies. If the data subject has the right to have their data deleted but deletion is not possible, the data must be protected against unauthorized use by restricting access to it. The retention periods for personal data, as provided by the national laws applicable to each company, must be observed.
Data subjects may request the company to correct any incomplete and/or inaccurate personal data it holds at any time.
The data subject must be informed if withdrawing their consent or deleting their personal data results in the non-fulfillment of contractual obligations.
A data subject may file a complaint against any of the “Companies” at any time if they suspect that a company is not processing their personal data in accordance with the law or the provisions of these BCRs. Documented complaints will be reviewed within a reasonable timeframe, and the data subject will be informed accordingly.
If the complaint concerns multiple “Companies,” the Security Officer of the most relevant company coordinates all related communication with the data subject.
There must be appropriate communication channels for reporting personal data protection incidents (e.g., a dedicated email account).
For information on the jurisdiction of the Hellenic Data Protection Authority and how to file a complaint with it, visit its website (www.dpa.gr).
21.3. How Data Subjects Can Exercise Their Rights
Data subjects shall not be subject to discriminatory treatment for exercising the above rights. The communication method with the data subject, whether by phone, electronically, or in writing, should be chosen according to the data subject’s request, where feasible.
21.4. Copy of the BCRs
A printed copy of the BCRs will be provided to anyone who requests it.
- Administrative Organization
22.1. Responsibility for Data Processing
Each company must ensure compliance with data protection legislation and these BCRs, and each company must appoint a Security Officer for this purpose.
22.2. Internal Complaint Management Process
Any data subject who believes that personal data of the categories listed in the Annex may have been processed by any company in violation of these BCRs may submit their inquiries and complaints via email to: info@haifoods.com.
Any company receiving a complaint is committed to investigating and consulting with colleagues from relevant departments as required to address the complaint and will provide a substantive response to the complainant as soon as reasonably possible, but no later than one (1) month from receipt of the complaint.
If, due to the complexity of the complaint, a substantive response cannot be provided within one (1) month, the complainant will be informed and given a reasonable estimate (not exceeding two [2] months) of the timeframe within which a response will be provided.
If the complaint is justified, all necessary steps will be taken, including appropriate sanctions for employees, in accordance with local rules.
Regardless of the internal complaint management process, data subjects shall always have the right to seek advice and file a complaint with the Competent Data Protection Authority and/or bring a claim before the competent court.
- Obligation to Report in Case of a Breach
The company must immediately inform the Security Officer of any breach or clear indication of a breach of personal data protection regulations, particularly these BCRs, especially in cases where the incident may impact the public and/or affect multiple “Companies” and/or result in financial loss.
- Employee Commitment and Training
Companies require employees to maintain the confidentiality of personal data and telecommunications privacy through their employment contracts. Employees receive adequate training on data protection. The company must have relevant procedures and provide the necessary resources for this purpose.
Employees receive training on basic principles of personal data protection at least every two years. The company develops specialized training programs for its employees. The Security Officer of each company keeps an annual record of conducted training sessions.
- Cooperation with Supervisory Authorities
Companies must cooperate with the Supervisory Authority to which they are subject or with the Competent Authority to which the data-transmitting company is subject, particularly by responding to inquiries and following its recommendations.
- Contact Person for Inquiries
The Security Officer of each company is responsible for handling inquiries related to the BCR. Communication with the Security Officer of each company takes place during business hours by sending an email to info@haifoods.com.
- LIABILITY
28.1. Compensation
Any individual who has suffered damage as a result of a violation of one or more provisions of the BCR by any of the “Companies,” due to the transfer of their personal data between them, is entitled to compensation.
If one of the “Companies” pays compensation, it has the right to seek recourse against the company responsible for the damage or the company that collaborated with the third party that caused it.
The data subject has the right to claim compensation initially from the company that transferred the data. If this company is not legally or factually responsible (based on applicable law or actual circumstances), the data subject has the right to demand compensation from the company that received the data.
The recipient company of the data, in the event of a breach, may not disclaim its liability by invoking the responsibility of the company that transferred the data.
The data subject has the right to file a complaint with the competent supervisory authority or any other relevant supervisory authority at any time.
28.2. Burden of Proof
The burden of proof regarding the proper use of the data subject’s information lies with the responsible company.
- Jurisdiction of Courts
The data subject may choose to seek compensation in the competent Greek courts.
Alternatively, if the data subject has habitual residence in an EU Member State or the EEA, the courts of that state may also have jurisdiction.
The right of the data subject to file a complaint with the relevant supervisory authority or to take legal action in the competent courts is not affected by the above-described procedure.
- FINAL PROVISIONS
30.1. Modification
The Security Officer of each company reviews the BCR regularly, at least once a year, to ensure compliance with applicable legislation and makes all necessary modifications.
The Security Officers of the Companies are obligated to examine whether modifications to the BCR affect compliance obligations with applicable legislation or conflict with national legal provisions.
30.2. Procedural Issues / Severability Clause
If individual provisions of the BCR are or become invalid, they shall be deemed replaced by other provisions that best reflect the true spirit of the BCR and the invalid provisions.
In cases of doubt or absence of relevant provisions, the applicable data protection legislation of the European Union shall apply.
ANNEX
DATA TRANSFERS BETWEEN AFFILIATED COMPANIES
Categories of Personal Data:
Employee Data of the aforementioned companies:
This includes employees in each company (including former employees), as well as applicants who submit job applications or send their resumes for future employment opportunities. Additionally, data of relatives of employees (e.g., spouse, children) may be requested.
Relevant data: Contact details (e.g., full name, home and work addresses, phone numbers, email addresses, business fax numbers, emergency contact details), identity card or passport information, personal characteristics (e.g., gender, date of birth, place of birth, marital status, family composition, nationality), social security number, education level, work experience, areas of expertise, professional information (e.g., job title, position, workplace), employee performance, salary, allowances, compensation, payment-related information (e.g., bank account number), photographs, visual recordings, criminal record, health certificate, medical reports on illnesses, income tax clearance statement.
Data of External Partners and Suppliers (including their representatives/employees):
This includes partners who are not employees of any of the “Companies” but provide services under a contract or similar agreement with one of the affiliated companies.
Relevant data: Contact details (e.g., full name, business addresses, phone and fax numbers, email addresses), payment-related information (including bank account details), VAT number, and other invoicing details.
Customer Data:
This includes customers of each Company as well as the general consumer public to whom the “Companies” offer their services/products.
Relevant data: Identification data, contact details (e.g., full name, home and work addresses, phone numbers, email addresses, fax numbers), payment-related information (e.g., bank account number, credit card number).