This website is provided by the company under the corporate name “PETSIAVAS Societe Anonyme – Industrial and Commercial Enterprise” and with the distinctive title “PETSIAVAS SA”, having its registered seat at Kifissia of Attica, 21 Agion Anargiron Str., with Tax Identification Number 094011782, as legally represented(hereinafter the “Company”).

The Company, in the course of its business activities, collects and processes personal data in full compliance with the principles laid down in Regulation (EU) 2016/679 of the European Parliament and the Council of the 27^th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “General Data Protection Regulation” or “GDPR”), as well as with the applicable national and European legislation on the protection of personal data. It also takes all, appropriate technical and organizational measures required to protect the personal data it collects and processes. The company is the Data Controller of the personal data which are collected through the means described in detail in the present Privacy Policy and (which) are processed for the performance of your contract with the Company. Data Protection Officer (DPO) is Mr. Stelios Madias, e-mail: dpo@petsiavas.gr (hereinafter referred to as the “DPO”)

1.Subject

The purpose of the present Privacy Policy is to determine the terms and conditions under which the Company processes, stores, uses personal data on a case-by-case basis and the measures that it adopts for their protection.

The Company reserves the right to amend, update, revise, or otherwise modify this Privacy Policy, as well as the terms of provision of services, whenever this is deemed as necessary, without any prior notice required by law. For that reason please check this Policy on a regular basis in order to become aware of any amended versions.

2.Definitions

For the purposes of this Privacy Policy:

‘personal data’ shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘processing’ shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘controller’ shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘processor’ shallmean a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘recipient’ shall mean a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

‘third party’ shall mean a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

‘consent’ of the data subject shall mean any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘data concerning health’ shall mean personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

3.Data Subjects

The Company collects and processes personal data of the following categories of individuals, such as: (a) customers, potential customers, suppliers, contractors and service providers of the Company; (b) customers, consumers, potential consumers, employees, members of the Board of Directors, former employees, suppliers, contractors and service providers of Company’s customers; (c) TV viewers and users of the website and the social media of the Company, as well as users of the electronic communication forms in which users insert their data in order to receive newsletters on a regular basis; (d) doctors and other health care professionals; (e) patients; and (f) users of medicines and cosmetics.

4.Personal Data Collected

Each time you request the provision of our services and/or products, visit our facilities or website, contact the Company directly by any means, conclude with the Company any kind of contract for the provision of services and/or employment contract, provide us with your services or make use of the services we provide to you, we collect and process personal data that concern you, such as the following categories of data:

• Identification data and contact information, including your name, surname, date of birth, postal address, e-mail address, telephone number, ID card number, Social Security Number (AMKA), Tax Identification Number, images, etc.;
• Financial data, including your IBAN, bank account details, credit card statement, invoice data, credit standing and rating, debts and payment data;
• Data of special categories relating to your health condition, as well as pharmacovigilance and cosmetovigilance information;
• Technical and other information concerning your activity on the Company’s website and information derived from the use of the Internet and/or automatically through your browser on your desktop, laptop, tablet, or mobile device such as IP address, ISP domain, type and version of your browser, your operating system. etc.

5.Lawfulness of processing

The Company processes personal data only when it has a legitimate reason to proceed in such processing and in particular when:

1. processing is necessary for the performance of a contract;
2. processing is necessary for the compliance of the Company with its legal obligations;
3. processing is necessary to safeguard the legitimate interests of data subjects as well as those of the Company;
4. processing is based on your explicit consent.

6.Purposes of processing

The Company processes personal data only when it has a legitimate reason to proceed in such processing and in particular when:

a)         processing is necessary for the performance of a contract, such as for the execution and management of sales and the return of products, when such returns are required, the management of sales of non-prescription medicinal products and medical devices, the provision of products, services and other offers to healthcare professionals, the management of costumers and retail and wholesale suppliers of consumer goods, the development of new business cooperations, the financial accounting of clients, suppliers as well as the financial accounting of the returned products so as to be invoiced, income receipts and payments, etc.;

b)         processing is necessary for the compliance of the Company with its legal obligations, as such obligations are imposed by virtue of the provision of tax, social security and pharmaceutical legislation and more specifically for the purposes of cosmetovigilance and pharmacovigilance, for the submission of data referring to the health care professionals in the electronic application of the National Organization for Medicines (EOF);

c)         processing is necessary to safeguard the legitimate interests of data subjects as well as those of the Company, including without limitation consumer assistance, the organization and management of promotional competitions to television and social media, the management of complaints, the quality control, the evaluation of the suppliers, contractors and service providers, the financial credit assessment, the monitoring of benefits provided by the Company, the provision of medical information by healthcare professionals, the establishment, exercise and/or support of legal claims of the Company and/or the defense of its rights before Courts, Administrative or Judicial Authorities or in the context of an extrajudicial procedure, etc. In this context, we also use closed circuit television system (CCTV) and security cameras in order to be able to protect the safety of all natural persons, materials, equipment, as well as of our facilities;

d)         processing is based on your explicit consent, in cases where the processing of is made for purposes which require the provision of your consent, such as, for example, for you to be informed for medical matters, as well as for the products and/or services of the Company, and/or in order to receive Company’s newsletter and to participate in promotional competitions and other promotional actions of the Company.

The Company processes your personal data in a lawful and legitimate manner. Under no circumstances does it collect nor process a greater number of information or data than it is required to fulfill the processing purposes. Your data is kept safely. Their collection and processing is exclusively being carried out for the purposes of their processing and use, which are notified to you.

7.Access to personal data by third parties

The Company does not provide to any third parties access to personal data that it collects and processes as the data controller. By way of exception, it may provide access only if it is absolutely necessary for the herein described legitimate purposes, to members of its personnel (to the extent that this is necessary for the performance of their duties) and to companies providing systems and operations and/or services that are essential to the Company in order to provide its services, including but not limited to courier and transport companies, marketing and digital marketing agencies, travel agencies, platforms and companies providing software and applications (i.e. companies providing website evaluation and improvement services, data companies and technical support agencies), banks, insurers, State entities, such as the National Organization for Medicines (EOF), the Ministry of Economic Relations and Development, the Single Social Security Institution (EFKA), the Manpower Employment Organization (OAED), Courts, Administrative or Judicial Authorities, lawyers, experts, technical advisors, witnesses, etc..

Such data shall be accessed exclusively for the purposes and to the extent of providing each service and always on the condition that the abovementioned persons accept and comply with the terms of the present Policy and with the applicable legislation. In such cases, the Company remains responsible for the processing of your personal data and determines the individual elements to be processed; the Company also concludes a special agreement with the third parties to whom it could assign the execution of processing activities, in order to ensure that processing is carried out in accordance with the applicable legal framework and that all natural persons are able to freely and without any hindrance exercise the rights granted to them under the applicable legislation.

8.Retention period for personal data

Τhe period for which the personal data shall be stored is determined based on the particular criteria set below on a case-by-case basis:

(a) When processing is performed on the basis of execution of a contract, personal data shall be stored for as long as it is necessary for the performance of the contract and the establishment, exercise and/or support of legal claims possibly arising from such contract.

(b) When processing is imposed as an obligation by provisions of the applicable legal framework, personal data shall be stored for as long as it is required by the relevant provisions.

9.Your rights in relation to your personal data

All natural persons whose data are being processed by the Company have the following rights:

Right to information and access: You have the right to be informed and to have access to your personal data and to receive additional information concerning their processing.

Right to rectification: You have the right to obtain the correction, amendment, completion and update of your personal data.

Right to erasure (right to be forgotten): You have the right to obtain the erasure of your personal data in the cases when such data is processed on the basis of your consent or in order to safeguard the legitimate interests pursued by the Company or when such right is not restricted by an obligation of the Company imposed by the applicable law.

Right to restriction of processing: You have the right obtain restriction of processing of your personal data when: a) the accuracy of your personal data is contested and until the accuracy of the data is verified; b) the processing is unlawful and you oppose to the erasure of your personal data and request the restriction of their use instead; c) your personal data is no longer needed for the purposes of the processing , but they are required for the establishment, exercise or defense of legal claims; and d) you have objected to the processing pending the verification whether there are legitimate grounds concerning the Company and overriding those for which you oppose to the processing.

Right to object the processing: You have the right to object any time to processing of your personal data when specific conditions are met under the legislation.

Right to data portability: You have the right to receive without any cost accrued your personal data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller, provided it is technically feasible. This right concerns the data that you have provided to the Company and the processing of which is carried out by automated means based on your consent or in performance of a relative contract.

Right to withdraw consent: You have the right to withdraw your consent, to the extent it was given for the intended processing, at any time.

Right of complaint to Greek DPA: You have the right to lodge a complaint to the Greek Data Protection Authority (www.dpa.gr): Telephone Centre: +30 210 6475600, Fax: +30 210 6475628, Email address: complaints@dpa.gr.

10.Third party websites

Our website may contain links to other websites operated by external third parties, while websites operated by external third parties may also contain links to our website. The Company takes all necessary measures in order to ensure that its website is only linked to websites of external third parties which maintain and enforce the same standards and criteria on privacy and security. In any case, the Company bears no responsibility for the content, the privacy and the personal data protection practices adopted in websites of third parties, does not guarantee the permanent and secure accessibility, does not accept or adopt the content of services provided by third websites, nor is it responsible for the privacy and the protection of the personal data that you may have provided to third party websites insofar as you have left the present website.

11.Information security

The Company has adopted and currently applies all appropriate technical and organizational measures in order to secure processing of personal data and to prevent accidental loss or destruction, non- authorized and/or illegal access, use, modification or disclosure, and ensures the lawfulness of the collection, processing and secure maintenance of personal data, under the provisions of national, European and international law in connection with the individual’s protection against unlawful processing of its personal data and particularly taking into account the provisions of the GDPR. Under any circumstances, it shall be noted that the way the internet functions in combination with the fact that is free to anyone cannot guarantee that non- authorized third persons will not be able to violate the applied technical and organizational measures, by gaining access to and potentially making use of personal data for unauthorized and/or illegitimate purposes.

For further information, please contact the Data Protection Officer (DPO) of the Company, Mr. Stelios Madias, at dpo@petsiavas.gr.

---