SHAREHOLDER PRIVACY NOTICE
1. Introduction
 
HELLENIC PETROLEUM S.A. (hereinafter, the “Company” or “we”) takes the privacy and security of the personal information of its registered shareholders very seriously and is therefore committed to handling their personal data responsibly and in accordance with the applicable national and European legislative and regulatory framework on the protection of personal data. By determining the purposes and means of processing of personal data, the Company acts as Data Controller with regard to such personal data.
 
This Privacy Notice describes how the Company processes the personal data of its current and former registered shareholders or of their representatives, of persons who benefit from and/or exercise rights on the shares of the Company, as well as of their representatives, and of those who participate, under any capacity, in the General Meetings of Shareholders of the Company (hereinafter the “Shareholders”). 
 
2. Data processed by the Company
 
The Company, as Data Controller, in the context of enabling its Shareholders to exercise their capacity and in order to carry out the tasks required under its relationship with them, collects the following personal data:
  • Name and surname
  • Personal identifiers and identity documents (including, but not limited to: Father’s or spouse’s name, date of birth, nationality)  
  • The type and details of the identity document (by way of example, a copy of the ID card or passport)
  • Investor Share Code Number (“K.A.M.E.”)
  • Securities Account
  • Personal tax information, such as Tax Identification Number (“A.F.M.”), the competent Tax Authority (“D.O.Y.”), the country of tax residence, as well as any special tax treatment.
  • Occupation or main scope of business
  • Contact details (telephone and fax numbers, address, e-mail etc.)
  • Proxies’ details
  • Bank account number
  • Information regarding any trading activity on shares
  • Details of the shares and of any rights they hold on such shares
  • Information regarding any Shareholders’ requests addressed to the Company from time to time
  • Signature
 
3. Sources of collection of personal data
 
Shareholders’ personal data are collected through electronic records provided to the Company on a regular or on a case by case basis by the Hellenic Central Securities Depository, pursuant to the applicable provisions of the Law and the Regulation of the Dematerialized Securities System (DSS) issued by the Hellenic Capital Market Commission, which contain information related to the Company’s shareholder structure and any transactions on the shares thereof. 
 
Furthermore, Shareholders may also directly provide their personal data, for the performance of tasks that concern them, including, but not limited to, matters of succession, participation in General Meetings of Shareholders etc.
 
In the event of any changes in their personal data, Shareholders are advised to ensure the timely update of their personal information (e.g. change of address or ID) so that the Shareholders Registry remains up-to-date and accurate. This procedure is performed through the Operator of their Securities Account within the Dematerialized Securities System (DSS) of the Depository.
 
4. Grounds for processing of personal data
 
The Company collects and processes the aforementioned Shareholders’ personal data for the following purposes:
  • To enable the participation of Shareholders in the General Meeting and the exercise of their rights therein upon confirmation of their shareholder capacity.
  • To manage and maintain the Shareholder Register, in accordance with the applicable legal provisions.
  • To respond to requests submitted by Shareholders in connection with the services provided by the Company (e.g. issuance of certificates).
  • To provide clarifications and reply to specific inquiries or requests addressed to the Company by its Shareholders.  
  • To enable the participation of the Company or other companies of HELPE Group in public tenders or other tender processes.
  • To monitor transactions on its shares.
  • To fulfil its obligations under prevention of financial crime, anti-money laundering and counter fraud legislation.
  • To perform over the counter (OTC) transfers of its shares, due to inheritance or legacy, in accordance with the provisions of the Greek Civil Code and the DSS Regulation.
  • To disclose transactions of liable individuals and entities to the Athens Stock Exchange. 
  • To publish acts and information of the Company in the General Commercial Registry, the Athens Stock Exchange or on the website of the Company, as required by law.
 
5. Legal basis for processing
 
Processing of Shareholders’ personal data by the Company is lawful, and before proceeding to processing the Company ensures that it relies on one of the following legal bases:
 
a. Processing is required for the purposes of the legitimate interests pursued by the Company, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data (article 6 (1) point (f) of the GDPR). Examples include the submission of detailed Shareholders Registry of HELPE, where required for the participation of the Company or other companies of HELPE Group in public tenders or in relation to application procedures for inclusion in development programs.
 
b. Processing is necessary for the fulfilment of contractual obligations of the Company towards Shareholders (article 6 (1) point (b) of the GDPR), such as the distribution of dividends on their shares.
 
c. Processing is necessary for the compliance of the Company with the legal obligations to which the Company is subject (article 6 (1) point (c) of the GDPR). Such legal obligations, that entail the processing of personal data, include the transfer of Shareholders data for the recording of their shares in the DSS records in the case of corporate actions establishing new securities or rights (beneficiaries’ allocation table file).
 
d. Processing is performed on the basis of the Shareholders’ consent (article 6 (1) point (a) of the GDPR). In some cases, the Company may request Shareholders to give their consent by means of a statement or an explicit action (opt-in) before proceeding to specific types of processing of their data, such as the use of photographs on printed material of the Company. In such cases, the Data Controller shall provide Shareholders with additional and adequate information on the use of their personal data, in order to allow them to decide whether or not to give their consent, as well as to withdraw their consent at any time by sending an e-mail to: DPO@helpe.gr.
 
The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
 
6. Period of time for which the personal data are retained
 
The retention period of Shareholders’ personal data by the Company in the context of their shareholder capacity, as described in the paragraphs above, is determined for the whole duration of the Company and in accordance with the applicable regulatory framework as in force. Any additional personal information provided for the performance of specific tasks, such as in the case of inheritance succession, shall be kept for the period determined by law, or as long as is necessary for the purposes of the legitimate interests pursued by the Company or by the companies of the HELPE Group, or for defending the Company against any legal actions brought for the satisfaction of claims, as well as for the performance of contractual obligations.
 
7. Information Security
 
The Company takes the appropriate security measures to ensure safeguarding of personal data at the highest level possible and to prevent any accidental loss, use or unauthorised access to such data and restricts access to persons who need it exclusively for the performance of their duties. 
 
Persons who process personal data on behalf of the Company act under authorization from the Company and in accordance therewith and they commit to keeping their actions confidential. The Company has established procedures to handle data security infringements, in order to comply with its legal obligations in such cases. 
 
8. Transfer of data to third parties
 
The Company may grant access or transfer Shareholders’ personal data to:
 
Third party service providers, who provide various services on behalf of the Company, acting either independently as data controllers or jointly with the Company, such as external advisers, partners, lawyers, accountants, auditors, as well as technical and support services providers. 
 
In such cases, processing is performed under the Company’s control and following its instructions, in compliance with this Privacy Policy or a Policy providing at least the same level of protection.
 
Tax, regulatory and other public authorities, the Athens Stock Exchange, the Hellenic Central Securities Depository, the Hellenic Capital Market Commission, the Deposits and Loans Fund and the General Commercial Registry, where the Company considers in good faith that there is a legal or regulatory requirement to provide access or to transfer personal data, or where the provision of information is required for the purposes of the legitimate interests pursued by the Company, or other companies of the HELPE Group, such as in the case of participation in public tenders or the submission of grant applications, under the applicable investment laws as in force.
 
Competent law enforcement authorities: The Company may transfer personal data to police and other competent law enforcement or administrative authorities, to the extent required by Law or any other enforceable act or order.
 
Other companies of the HELPE Group, as well as to third party affiliated companies (e.g. members of consortia or Joint Ventures), in order to provide information on the Company or for pursuing the legitimate interests of the above-mentioned affiliated companies.
 
Any transfer of personal data to third countries outside the European Economic Area (i.e. to countries other than the EU member states, Norway, Iceland and Liechtenstein) shall be subject to compliance with the legislative framework on the protection of personal data and on condition that sufficient safeguards are provided for the protection of such data.
 
In the event of a merger or acquisition of the Company by another entity, the personal data of Shareholders may be disclosed as a result of this process.
 
9. Rights of the Shareholders 
 
Shareholders enjoy certain rights with regard to the processing of their personal data by the Company. More specifically:
 
a) Access, rectification and erasure rights
 
Shareholders may request, at any time, information on their personal data which are kept by the Company and request the modification, rectification, update or erasure of this information, to the extent that these data are collected directly by the Company. Shareholders may be requested to provide additional information to enable the Company to carry out their request; however, access to personal data is provided free of charge, unless the request is manifestly unfounded or abusive. In the event that a large number of copies of data is requested, the Company may charge a reasonable fee based on administrative costs. Where the Company has the right to refuse to carry out a request, it must provide Shareholders with a detailed justification for such refusal.  
 
b) Right to object
 
Shareholders have the right to object to the processing of their personal data, especially where processing is performed for the purposes of a legitimate interest of the Company. In such a case, the Company shall comply with the objection and shall no longer process the data in question unless the Company demonstrates compelling legitimate grounds for continuing the processing, which override the interests, rights and freedoms of Shareholders, such as in the case of processing for the establishment, exercise or defence of legal claims of the Company. In the event that Shareholders object to processing relating to benefits granted to them by the Company and therefore request the cessation of such processing, this may, as a result, prevent the Company from granting such benefits overall.
 
c) Right to restriction of processing
 
In some cases, Shareholders shall have the right to restrict processing or to cease further use of their personal data. In practice, this means that the Company may store the personal data, but may not process them any further, unless processing is based on the Shareholders’ consent or where processing is required for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. 
 
d) Right to data portability 
 
Shareholders have the right to transfer the personal data which they have provided to the Company for the purposes of processing, to other Data Controllers. To allow Shareholders to exercise this right, the Company shall provide the data in a structured, commonly used and machine-readable format. Alternatively, Data Controllers may directly receive the personal data on behalf of the Shareholders. 
 
e) Right to file a complaint with the competent Authority
 
Shareholders have the right to file a complaint with the competent supervisory Authority, namely the Hellenic Data Protection Authority.
 
The Hellenic Data Protection Authority may be contacted in one of the following ways:
  • Postal Address: Hellenic Data Protection Authority, Head Office: 1-3 Kifissia’s Ave. P.C. 115 23, Athens
  • Call center: +30-210 6475600
  • Fax: +30-210 6475628
  • E-mail: complaints@dpa.gr
  • Submitting the complaint in person: At the head office of the DPA, 1st floor, Protocol Office, from 9:00 to 13:00.
 
Contact
For any further information regarding this Notice, please do not hesitate to contact us either by telephone at 210 6302252 or by email at DPO@helpe.gr.