MENU

GR
EN
GR

CLOSE

Caption image

PRIVACY POLICY

Privacy and Personal Data Protection Policy

PRIVACY AND PERSONAL DATA PROTECTION POLICY

1. Who is responsible for your data – Where can you exercise your rights?

1.1. The Data Controller of your personal data is the Société Anonyme under the corporate name “AFOI KOBATSIARI – Exploitation Company – Restaurants, Tourist Enterprises S.A.” and the distinctive title “AMALTHEIA S.A.”, headquartered in Assiros (22nd km of the Thessaloniki–Serres National Road), Municipality of Lagadas, Thessaloniki, legally represented, with contact telephone numbers: +30 23940 61991 – Thessaloniki +30 2310 541700 – Athens +30 2105 710480 – Epirus +30 26510 41821 and contact e-mail: info@kobatsiaris.gr

1.2. The above-mentioned Data Controller Company has appointed a Data Protection Officer (DPO), who can be contacted via e-mail at dpo@kobatsiaris.gr. You may address all requests concerning the exercise of the rights listed below (sections 3.1 – 3.7) to the DPO’s e-mail address.

2. General principles followed by the Company regarding transparent information

2.1. Any information provided to you through this document, as well as any information you may request in the future, is provided free of charge, provided that such requests are not repetitive, excessive, or manifestly unfounded (see section 2.3 below).

2.2. For each of the above-mentioned rights you exercise, the Company shall respond within one (1) month from receipt of your request. In cases of objective difficulty, complexity of the request, or due to the number of requests, the Company may respond within a maximum total period of three (3) months, either regarding the completion of your request or the justified refusal to comply for lawful reasons expressly provided in Regulation (EU) 679/2016.

2.3. If the Company considers that any of your above rights are exercised in a manifestly unfounded, excessive, or (even more so) is of a repetitive nature, it is entitled, on the one hand, to charge you a reasonable fee for providing further information (which is generally free of charge) and, on the other hand, to refuse to proceed with the request.

2.4. Where the Company has reasonable doubts concerning your identity when submitting a request to exercise any of the above rights, it may request additional information necessary to confirm your identity prior to processing the request.

2.5. If the Company delays beyond the justified period in responding to your request, or if you believe your rights are being violated or the Company is not complying with its obligations regarding the protection of your data, you have the right to lodge a complaint with the supervisory authority:

Hellenic Data Protection Authority,

1-3 Kifisias Avenue, 11523 Athens, Greece,

contact@dpa.gr,

+30 210 6475600.

2.6. You retain the right to withdraw any consent previously granted at any time by submitting a relevant written request to the e-mail address of the Data Protection Officer at dpo@kobatsiaris.gr (see section 1.2).

3. What are your rights regarding the Personal Data you have provided to us?

3.1. Right to Information

You have the right to request information regarding the personal data we have received from you and retain for one or more purposes, as described below under sections A to D. This document constitutes a general guide for understanding the philosophy of the regulatory framework governing the protection of your personal data. Updates, clarifications, and further explanations may be provided upon submission of a relevant request to exercise your right to information (see section 1.2).

3.2. Right of Access

You have the right to request access to the data we maintain about you and confirmation as to whether your data is being processed. More specifically, you may request information regarding:

the purposes of processing,

categories of personal data,

recipients or categories of recipients,

retention and processing periods,

the existence of the right to lodge a complaint with the Hellenic Data Protection Authority,

any available information regarding the origin of the data where not collected directly from you,

the existence of automated decision-making, including profiling, and the methodology involved,

safeguards applied when data is transferred to third countries,

copies of personal data processed and retained by the Company.

(see section 1.2)

3.3. Right to Rectification

You have the right to request correction of your data in case any information we process has changed or has been incorrectly recorded. (see section 1.2)

3.4. Right to Erasure

You have the right to request full or partial deletion of your data where:

the data is no longer necessary for the purposes collected,

you withdraw your consent,

or the data was collected unlawfully.

The Company shall respond within a reasonable period (not exceeding one month, or under certain conditions up to three months) either confirming deletion or explaining why certain data cannot be deleted due to legal obligations, public interest, freedom of expression, information rights, or legal claims. In such cases, you retain the right to file a complaint with the supervisory authority on the one hand, and pursue legal remedies on the other. (see section 1.2)

3.5. Right to Restriction of Processing

You have the right to request restriction of processing, quantitatively, temporally, or regarding the processing purpose, particularly where:

you contest the accuracy of your data,

processing is unlawful but you prefer restriction instead of deletion,

the Company no longer needs the data but you require it for legal claims,

or you object to processing pending verification of overriding legitimate grounds.

(see section 1.2)

3.6. Right to Data Portability

You have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format and to transmit such data to another controller without hindrance, where processing is based on your consent. You may also request direct transmission from the Company to another controller where technically feasible.

This right is exercised subject to the limitations of the right to erasure (see section 3.4) and must not adversely affect the rights and freedoms of others.

3.7. Right to Object

3.7.1. You have the right to object to the use of your personal data for direct marketing purposes, including profiling related to such direct marketing. (see section 1.2)

3.7.2. This right does not apply to Employees / Job Applicants and visitors to the Company’s facilities, as such data is not transferred to the Marketing Department nor processed for such purposes.

4. Can your data be transferred elsewhere?

Your data is not intended to be transferred to any organization outside the Company, except:

(a) providers supporting the Company’s electronic systems and networks, solely for the execution of their support services contract, and

(b) the relevant tax authorities as part of our mandatory compliance with tax laws and to the extent (and subject to the condition) that this is required.

5. Safeguards

We assure you that the Company shall implements all appropriate necessary technical and organizational measures to protect your data and ensures the optimal, minimum, and strictly necessary processing of your data solely for the purposes for which it has been provided, in accordance with applicable law.

Special provisions for specific categories of Personal Data Subjects apply cumulatively with the above general provisions of this Policy.

(A) COMMUNICATION RECIPIENTS

A.1. Purpose

The collection, processing, and retention of your data provided within the framework of communication is carried out exclusively for informing you about the Company’s products, services, and activities. Your data is processed solely for this purpose by the Company’s Marketing Department.

A.2. Legal Basis

Processing is based on your consent pursuant to Article 6(1)(a) of the GDPR.

A.3. Data Retention Period

Your data will be retained for five (5) years from the date consent was provided. After this period, the data will be deleted unless renewed consent is granted.

(B) CUSTOMERS – AND POTENTIAL CUSTOMERS

B.1. Purpose – Legal Basis

(a) During the pre-contractual stage, whether through tender procedures or negotiations, the Company may collect personal data (name, phone number, e-mail, business address, and position) of representatives of legal entities or natural persons for the purpose of evaluating the possibility of submitting an offer and concluding a contract (in this context, general informational material about the Company may also be provided).

The legal basis is the Company’s legitimate interest in pursuing its commercial activities.

(b) Where the Company concludes a contract with the aforementioned legal entities and/or natural persons, the (above) Data provided to us at the pre-contractual stage (as well as any data provided in the context of that specific contract) shall be processed for the purpose of performing the contract concluded between us and (to the extent necessary) for complying with tax legislation.

In this case, the legal basis for the processing is the fact that the processing of personal data is necessary for the performance of the aforementioned contract, as well as for compliance with our legal obligations.

B.2. Data Retention PeriodPre-contractual data will be retained for five (5) years, while contractual data will be retained for as long as required by contractual and tax obligations.

(C) SUPPLIERS – AND POTENTIAL SUPPLIERS

C.1. Purpose – Legal Basis

(a) During the pre-contractual stage, specifically when you fill out an online contact form on our website, send us an email directly, contact us by phone, or fill out a paper form, (in which case you provide us with your full name, email address, and/or phone number, and/or address, and/or title, and/or the products you wish to supply to us), the purpose is to explore the possibility of a transaction with the Company (in the context of which general informational material about the Company may also be provided) and the legal basis is the pursuit of the Company’s legitimate interest in furthering its commercial objectives by responding to the requested communication to explore the possibility of a transaction with you (or with the legal entity on whose behalf you are acting).

(b) If cooperation is established, the data you have provided to us prior to the transaction (as well as any data you provide to us in connection with our transaction —including the personal data of legal representatives of legal entities and your agents)—will be processed for the purpose of fulfilling the contract between us as well as to ensure our compliance with tax legislation. In this case, the legal basis for the processing of your data is the performance of the contract between us as well as our compliance with the law (Art. 6(1)(b) and (c) of the General Data Protection Regulation). Specifically, with regard to the personal data of your agents and/or (in the case of a legal entity) legal representatives, the legal basis for processing such data is the legitimate interest of the Company in duly fulfilling its contractual obligations as set forth above.

C.2. Data Retention Period

Pre-contractual data is retained for five (5) years, while contractual data is retained for the period required under tax legislation.

(D) PATIENTS / DOCTORS RECEIVING CATERING SERVICES

D.1. Purpose

In fulfilling catering service agreements with clinics and hospitals, the Company may access the patient’s full name, room number, and dietary requirements, as well as the details of doctors or personnel entitled to meals.

D.2. Legal Basis

Processing is based on the protection of the vital interests of the data subject and the Company’s legitimate interest in properly fulfilling its contractual obligations.

D.3. Data Retention Period.

Such data is deleted immediately after completion of the processing purpose and no copies are retained. The data is not transferred to any third party.

(E) STUDENTS / TRAINEES RECEIVING CATERING SERVICES

E.1. Purpose

Within the framework of catering agreements with educational institutions, the Company may access lists containing the names and identification details of students entitled to free meals, as provided by the respective educational institution (see also below under F).

E.2. Legal Basis

Processing is based on the Company’s legitimate interest in fulfilling its contractual obligations towards educational institutions.

E.3. Data Retention Period

The data is retained for as long as required by the relevant agreement with the educational institution and is then deleted.

(F) VISITORS TO FACILITIES / RESTAURANTS / CANTEENS

F.1. Purpose

For the protection of visitors and safeguarding Company assets, certain Company facilities (offices, factories, restaurants, canteens) operate Closed-Circuit Television (CCTV) systems recording movement continuously.

F.2. Legal Basis

Processing is based on the Company’s legitimate interests as described above.

ESPA 2025 ESPA