Privacy Policy
PERSONAL DATA PROTECTION POLICY
INTRODUCTION
In the European Union, as of 25 May 2018, the General Data Protection Regulation – EU Regulation 2016/679 (“GDPR”) is in force. You can find the text of the Regulation at the following URL: https://eur-lex.europa.eu/legal-content/EL/TXT/?uri=CELEX:32016R0679.
With this Personal Data Protection Policy, our Company, “M.F.S.A.” (hereinafter the “Company”, “We”, “Us”), acting as the Data Controller, prioritizes and respects the protection of the privacy of its customers, as well as all natural persons who interact with it. We provide you with the necessary information regarding the processing of your personal data (the type of data collected, the way they are processed, and the measures taken to protect them) within the context of our relationship.
This Policy and our practices focus on the processing, management, disclosure, transfer, and storage of your personal information in a lawful and appropriate manner, ensuring the confidentiality, integrity, availability, and security of your personal data.
The processing and protection of your personal data is governed by the terms below, by the relevant provisions of the applicable Greek legislation on personal data protection (Law 2472/1997, Law 4624/2019, Law 3471/2006, as applicable), the Directives and Regulations of the European Union (especially the General Data Protection Regulation (EU) 2016/679 – GDPR), as well as by the decisions, guidelines, and regulatory acts of the Hellenic Data Protection Authority (“HDPA”).
For the purposes of the present Policy, the following definitions are adopted, based on the legislative framework governing personal data protection:
DEFINITIONS OF PERSONAL DATA
(Following Article 4 of the GDPR)
- “Policy”: the content and information of this Personal Data Protection Policy as published on this website.
- “Personal Data”: any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified directly or indirectly, particularly by reference to an identifier such as a name, ID number, location data, online identifier, or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
- “Company”, “Data Controller”: the legal entity “M.F.S.A.”, which determines the purposes and means of processing personal data.
- “Processing”: any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
- “Processor”: any natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Company.
- “Data Subject”: the natural persons whose personal data is collected and processed by the Company (in this Policy the Data Subjects are the users of the above-mentioned website, whether identified or not).
- “Recipient”: a natural or legal person, public authority, agency, or body to which personal data is disclosed.
- “Third Party”: any natural or legal person, public authority, agency, or body other than the Data Subject, the Data Controller, the Processor, and persons authorized to process personal data under the direct authority of the Controller or Processor.
- “Consent”: any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which they signify agreement to the processing of personal data relating to them.
- “Personal Data Breach”: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
This Policy contains information applicable to the use of your personal data as a customer of M.F.S.A., as a user of the Company’s website https://www.timberlandshop.gr/, as a consumer in any of our physical stores in Greece, and as a job applicant, where you act as a natural person. For the separate Privacy Policy applying to transactions via our E-shop, please see: https://www.timberlandshop.gr/content/114/prosopika-dedomena-/.
1. Data Controller
The Data Controller is the company “M.F.S.A.”, headquartered in Maroussi, Attica (52 Aigialeias Street, tel.: 210 8771700).
2. Principles of Data Processing
We process your personal data based on the following GDPR principles:
• Lawfulness, fairness, and transparency
• Collection for specified, explicit, and legitimate purposes
• Data minimization
• Accuracy and updating of personal data
• Retention only for as long as necessary
• Confidentiality and security of your data
• No disclosure to third parties unless required for our services or with your explicit consent.
3. Purpose of Processing
Your personal data is collected by us, as applicable, for the following purposes (“Permitted Purposes”), specifically:
Wholesale Customers (Existing/New) – End Consumers
• To carry out transactions with our Company,
• To communicate with you for the receipt and completion of your orders,
• To issue invoices,
• To facilitate the delivery of your orders,
• For the overall execution of your orders and after-sales service,
• For the overall handling of requests concerning our Company and/or its distributed products,
• For sending informational messages (newsletters) via email and/or SMS regarding our products and services, as well as our Company’s activities in general (indicatively, events, competitions, etc.),
• For our compliance with mandatory rules of applicable national and EU legislation (indicatively, tax law, unfair competition law, anti-bribery and anti-corruption rules, prevention of financial crimes, etc.),
• For assessing or reassessing the transactional/credit risk undertaken within the context of our commercial relationship throughout its duration.
To fulfil this purpose, we cooperate with the société anonyme “BANK INFORMATION SYSTEMS S.A.”, trading as “TIRESIAS S.A.” (2 Alamanas St., Maroussi, Tax ID No. 094498725, Athens Tax Office for Commercial Companies, tel. 210-36-76-700), from whose “Financial Behaviour File” (TSEK) we may obtain your data. The processing carried out for this purpose takes place in accordance with the specific information terms of our Company and of TIRESIAS S.A., which you were informed about when entering into your contracts/orders and which you may consult at any time, for TIRESIAS S.A. here, and for our Company at https://www.timberlandshop.gr/content/114/prosopika-dedomena-/.
Natural Persons / Participants in Company Events
• For sending informational messages (newsletters) via email and/or SMS regarding our products and services, as well as our Company’s activities in general (e.g., events, contests, etc.),
• For carrying out promotional actions through the Company’s social media pages (indicatively, Facebook, Instagram),
• For participation in advertising campaigns and competitions organised by our Company. When you submit your entry in one of our competitions, your personal data is processed solely for the administration of the competition (notification and announcement of the winner, dispatch of the prize, etc.) and always in accordance with the terms of this Policy.
Depending on the case, competitions organised by our Company are governed by their respective competition terms, which apply together with this Policy.
Job Applicants
• For processing your application, including reviewing and analyzing your skills and qualifications, assessing your suitability for the job opportunities for which you have applied, verifying your references, background, and education,
• For communicating with you and organizing candidate evaluation procedures (e.g., arranging interviews),
• For including you in our Company’s job applicant database and informing you via the phone number or email you have provided about job opportunities within our Company,
• For sending information and updates about our Company via SMS and email regarding our products, services, news, announcements, programs, customer surveys, or other events,
• For assessing your suitability for any current or future employment opportunities within our Company.
The personal data collected are strictly necessary for carrying out the above services/actions and are not subject to any further processing incompatible with these purposes.
4.1. Personal Data We Process
We collect only data necessary for the above purposes, including:
• Identity details (name, surname, language, country, contact details)
• Financial and transaction data (payment details, order histories, billing info)
• Email address, phone numbers
• Internet connection, geolocation, browsing data
• Commercial information (newsletter subscription, preferences)
• Job applicant data (personal info, employment history, CV, qualifications, identification documents, references, background checks)
• Other data generated in relation to the above purposes
4.2. Processing of Special Category Personal Data (“Sensitive Personal Data”)
It should be noted that, as a rule, we do not process your sensitive personal data (special category data), such as data relating to your racial or ethnic origin, religious or philosophical beliefs, health data, or data concerning your sexual life or sexual orientation, since such data are not necessary for the fulfillment of the above-mentioned purposes. This is in line with the principles of data minimization, necessity, and proportionality, as provided under the GDPR, unless there is a relevant legal obligation for our Company to process such data or you have explicitly given your consent for this purpose.
4.3. Processing of Personal Data Concerning Minors
Our website is not directed at minors. For the purposes of this Policy, minors are considered individuals who have not yet reached the age of 18. Our Company does not process personal data of minors.
Furthermore, when the processing of personal data is based on consent pursuant to Article 6(1)(a) GDPR, in relation to the offer of information society services directly to a child, the consent provided by the minor—and consequently the processing—is lawful if the minor is at least 15 years old. In cases where the minor is under 15 years of age, such processing is lawful only if and to the extent that the consent is given or authorized by the holder of parental responsibility over the minor (Article 8 GDPR in conjunction with Article 21 of Law 4624/2019).
If you are a parent or guardian and become aware that your minor child has provided personal data to our Company, please contact us immediately. From our side, if we become aware that personal data we are processing belong to a minor without the consent of the parent or guardian, the Company will take appropriate measures to promptly delete such data and prevent similar incidents in the future.
5. Legal Basis for Data Processing
We collect the personal data you share with us based on one or more of the following legal bases:
- When the processing of your data is necessary for the service, support, and monitoring of your transactional relationship with our Company and the proper performance of the contracts between us.
- When required for our Company to comply with its obligations under the law.
- When required for the pursuit of the legitimate interests of our Company (or third parties), including our interests in providing innovative, personalized, and secure services to our customers and business partners.
- When the processing of your personal data is necessary for the performance of a task carried out in the public interest by our Company, within the framework of applicable legislative and regulatory provisions.
- Based on your prior explicit consent, when the processing is not founded on one of the legal bases mentioned above, such as in the case when you wish to subscribe to our Company’s newsletter service and receive updates about new products and promotional activities. In this case, it is necessary for you to provide your consent. This form of consent will be given freely, explicitly, and under the main condition that you have actively chosen to receive the corresponding emails/newsletters.
Therefore, your personal data are processed lawfully by our Company both at the stage of collection and during their processing, in accordance with the applicable personal data protection regulations.
SPECIFIC INFORMATION REGARDING THE COMPANY’S SOCIAL MEDIA
Our Company maintains a presence on social media platforms such as Facebook, Instagram, LinkedIn, etc. Through this section, and in combination with the rest of our Policy, the Company provides you with the necessary information regarding the processing of your personal data via social media.
Through social media, our Company often organizes advertising campaigns, contests, or provides the ability to submit comments, send messages, subscribe to our newsletter, and more. In all of the aforementioned cases, the joint Data Controllers for the processing of your personal data are both our Company and the respective platform operator (Facebook, Instagram, etc.), within the meaning of Article 26 of the GDPR.
Therefore, it is not always possible for us to have full knowledge of the types of data processed by the platform operators. Nevertheless, we make every effort, manage our social media pages responsibly, and act within the capabilities provided by the platform operators to ensure that your personal data is processed in accordance with applicable legal requirements.
If you wish to obtain more information regarding the processing of your personal data by the platform operators and to further familiarize yourself with their practices, you can refer, as applicable, to:
- Facebook: www.facebook.com/privacy/explanation
- Instagram: help.instagram.com/519522125107875
- Twitter: twitter.com/en/privacy
- LinkedIn: www.linkedin.com/legal/privacy-policy
- YouTube: www.youtube.com/yt/about/policies/
When you interact with us through social media, the purposes of processing your personal data are primarily to provide service to you (where this is possible, e.g., contacting us via message or posting a comment) and/or to inform you about our Company through the sending of newsletters regarding its products/services, any offers, promotional activities, etc., only when you have provided your explicit consent for this.
In cases where you contact us via the above channels, the legal basis for processing is the legitimate interest of our Company, in the context of serving you and addressing any inquiries or concerns you may submit.
6. Retention of Your Personal Data
In any case, your data are retained by us only for the necessary/reasonable duration required to achieve the purposes for which they were collected, taking into account the nature of the processing, our legal obligations, and any potential legal claims [for example, for the fulfillment of our legal obligations arising from sales for two (2) years, for specific campaigns for the duration of the campaign, for tax purposes for five (5) years, and exceptionally for ten (10) years if additional elements arise under applicable law and case law, etc.], and are deleted when they are no longer reasonably necessary. The lawfulness of the processing of your data based on your given consent is not affected by the withdrawal of consent up to the point at which you requested its withdrawal.
If deemed necessary in order to comply with our legal or regulatory obligations, resolve disputes, or enforce our terms and conditions, we may retain some of your data as required, even if there is no longer a need to provide services to you.
In the event of legal proceedings, the personal data concerning you will be retained in any case until the conclusion of the dispute, even if this exceeds the ten (10) year period mentioned above.
In any case, after the expiration of the above retention periods, your data will be securely and irretrievably deleted in accordance with applicable law and the Company’s relevant policy.
7.1. Your Rights as a Data Subject
Through this Policy, our Company informs you that, at any time you wish, you can exercise all the rights you hold under the applicable provisions of the General Data Protection Regulation (EU) 2016/679. In particular:
- Right to be informed, notified, and to receive information regarding the exercise of your rights (Articles 12, 13, 14 GDPR), meaning your right to be informed about how your personal data is being used (as detailed in this Policy).
- Right of access to the personal data concerning you, if it is being processed by the Company as the Data Controller (Article 15 GDPR). The Company will provide a copy of your personal data upon your request.
- Right to rectify your personal data in the event of processing inaccurate data concerning you or to complete incomplete data (Article 16 GDPR).
- Right to erase your personal data if it is no longer necessary for providing a service, subject to the Company’s obligations and legal rights to retain it under the applicable legislative and regulatory provisions (Article 17 GDPR).
- Right to restriction of processing of your data where, for example, the accuracy of the data is contested, the processing is unlawful, or the purpose of processing no longer exists but erasure is not appropriate (Article 18 GDPR).
- Right to object to the processing of your data for reasons related to your situation, in cases where your data is processed for the legitimate interests of the Company (Article 21 GDPR), and specifically, the right to object to automated decision-making (Article 22 GDPR).
- Right to data portability to another data controller, meaning your right to receive your data in a suitable format that allows technical transfer to another data controller, if the processing is based on your consent and carried out by automated means or for the performance of a contract between us (Article 20 GDPR).
- Right to withdraw consent previously given (Article 7 GDPR) at any time for processing based on consent.
The lawfulness of the processing of your data is not affected by the withdrawal of consent up to the point in time when you requested the withdrawal. Specifically, regarding the sending of promotional emails and/or SMS messages to you, you always have the right to object to the processing of your personal data for promotional purposes, upon your request and at no cost, without the need to provide any specific justification.
You can exercise this right by using the “Unsubscribe” link found in all emails and/or SMS messages you receive from us or by contacting us at the email address info@timberlandshop.gr. Following your request, your data will no longer be processed for this purpose.
Furthermore, you retain the right to file a complaint with the competent supervisory authority. For more information, you can visit www.dpa.gr.
7.2. How to Exercise Your Rights
You can exercise the above rights by sending an email to the Company at info@timberlandshop.gr or by postal mail to our address: Aigialeias 52, Marousi, P.C. 15125, Attica, Greece.
The Company will make every effort to take the necessary actions within one (1) month after the date of your request, unless the actions required to fulfill your request involve specific complexities and/or complications, in which case the Company reserves the right to extend the completion period by an additional two (2) months. In any case, you will be informed about the status of your request within one (1) month from its submission.
8. Processing Security
We inform you that your personal data will always be processed securely, applying and maintaining the necessary technical and organizational measures to protect your data against accidental or unlawful alteration, destruction, unauthorized disclosure, or access, particularly when processing involves the transfer of your data over a network, and against all unlawful forms of processing.
For example, our information infrastructure is equipped with Antivirus software, Firewall protection against internal and external threats, regular updates of the operating systems of our information assets, access matrices (role-based access control), encryption of critical information assets such as company devices, backups, files, etc., and relevant Security Policies are implemented within the Company to ensure both electronic and physical security of the infrastructure and protection of the data.
Specifically, regarding the above-mentioned website, it implements the SSL (Secure Sockets Layer) protocol with strong encryption, enhancing security during the transmission of data over the Internet.
9. Provisions (Cookies)
In the online store, we use cookies to facilitate your navigation on the Platform, to understand how you interact with us, and, in certain cases, to be able to show you advertisements based on your browsing habits. Please read the Detailed Cookie Description to gain a more comprehensive understanding of the cookies, their purposes, how to manage your preferences, and other relevant information.
• Functional Cookies
• Google Ads-Conversion Tracking Cookie
• Meta Ads
Detailed information about the cookies used by Meta can be found at the following link: Meta Cookies Policy | Privacy Center | Manage your privacy on Facebook, Instagram and Messenger | Facebook Privacy
• Email Marketing
• Best Price
10. With Whom We Share Your Personal Data
All your data is processed by our Company (Controller) as the primary recipient, within the framework of fulfilling its contractual and legal/regulatory obligations towards you, serving its legitimate interests, as well as in cases where it is authorized or has obtained your consent, always in full compliance with Regulation (EU) 2016/679 and applicable law. Within the scope of our relationship, access to your personal data will be granted to the following parties:
a) Employees of the Company, who are responsible for evaluating your requests, managing and operating the contract(s) with the Company, fulfilling the obligations arising from them, as well as fulfilling the related legal obligations, all while being bound by strict confidentiality.
b) Entities to which the Company entrusts the performance of specific tasks on its behalf (processors) in accordance with Article 28 of the GDPR, with whom it has ensured GDPR-compliant processing for the protection of your data, through signed contracts and commitments to implement adequate measures in accordance with the relevant provisions of the GDPR (Articles 28, 32). These may include, by way of example but not limited to, partner companies performing various actions related to order fulfillment (transport, storage, etc.), advertising companies and/or providers of promotional services such as social networks, third-party technical partners for website and application support, and market data analysis for statistical purposes to provide technological solutions for enhancing products and services.
c) Public authorities, such as government agencies, regulatory authorities, and police, when we are required to do so under the applicable legal framework.
In all cases, we ensure that any disclosure to these parties is limited to the data necessary for the purpose of their services and that the use of your data is carried out exclusively in accordance with the applicable legal framework.
If there is a change in ownership, your personal information may be transferred to the new owner.
Except as described above, your personal data will not be disclosed, published, or sold to third parties, unless a procedure under the law for lifting confidentiality (Law 2225/1994) is initiated or obligations arise from the national implementation of Directive 24/2006. In such cases, the data held by us may be shared with competent authorities, prosecutors, or other administrative services only in accordance with the rules and provisions of the applicable regulatory framework.
You are also required to maintain the confidentiality of your data and not disclose it to third parties (even negligently) or allow third parties to use this information. The Company reserves the right to seek compensation for any damage resulting from a breach of these obligations on your part.
11. International Transfers of Personal Data
Our Company does not directly transfer your personal data to third countries (outside the EU or EEA) or international organizations, unless the transfer is provided for or required by the applicable regulatory or legal framework, or adequate safeguards are in place for such a transfer, in accordance with the provisions of Articles 44 et seq. of the GDPR. Any transfer is conducted in full compliance with the relevant provisions of the applicable legal framework.
12. Specific Statements of the Company
The Company:
• Declares that it is not responsible for any damage (direct, indirect, positive, or consequential) that may occur to the visitor in connection with the website or its use. The visitor is solely responsible for protecting their system from viruses and other malicious software.
• Declares that it does not make decisions or create profiles based on automated processing of your data.
• Reserves the right to modify these privacy terms at any time, in accordance with the applicable law. Any modification will take effect upon its publication on this website. No change to these terms will have retroactive effect regarding the management of personal data previously collected, unless required by applicable law. In such a case, all registered users will be notified via the email addresses they have provided to us.
• Emphasizes that your personal and contact information is extremely important for the execution of your online transaction, as it constitutes the primary means of communication with you regarding the fulfillment of our obligations and orders. Therefore, you must ensure that the information provided is entirely accurate. Every effort will be made to ensure that correct information reaches you. We ask that, at the end of entering your details, you carefully review them before submitting them along with your explicit consent. Consequently, the Company bears no responsibility if any contractual or legal obligations are not fulfilled correctly or timely due to incorrect personal information being provided. In particular, any notice sent to the email address provided by you will be considered valid even if it is not delivered due to errors in the submitted information. The same applies to the contact and delivery addresses as well as telephone numbers. You are obliged to update your information whenever any changes occur.
• By reading this, the user/visitor acknowledges the above-mentioned processing, which complies with the GDPR, its recitals, and the applicable national legislation on personal data protection, exclusively for the purposes previously stated and for purposes compatible with them.
13. Useful Contact Information:
· Data Controller Contact Details:
MFSA
Address: 52 Aigialeias Street, 15125 Marousi, Athens, Greece
Phone: +30 2108771700
Email: info@mfsa.gr
· Hellenic Data Protection Authority (HDPA, competent national supervisory authority) Contact Details:
Offices: 1–3 Kifisias Avenue, 115 23, Athens, Greece
Call Center: +30 2106475600
Fax: +30 2106475628
Email: contact@dpa.gr