Privacy Policy

PRIVACY POLICY

Introduction

With this Privacy Policy on the Processing of Website Visitors’ Personal Data (hereinafter “Policy”, “Privacy Policy”), our Company under the name “MENNE S.A.” (hereinafter “Company”, “we”, “us”, “Controller”), respecting the privacy of the users and visitors of this website (hereinafter “visitors”, “you”, “your”) and being vigilant for ensuring the security of their personal data, provides the necessary information and notification regarding the processing of personal data.

For the method of collection, use, processing, and storage of personal data to be transparent, the Company encourages the visitors of its website and every interested party to read this Policy, to receive the following information: 

Legislative framework

The processing of your personal data is governed by the relevant provisions of the applicable legislation on the protection of personal data (Law 4624/2019), the Directives and Regulations of the European Union (especially the General Data Protection Regulation (EU) 2016/679 – GDPR, hereinafter “GDPR”), as well as by the relevant decisions, guidelines, and regulatory acts of the Hellenic Data Protection Authority and is subject to the legal formalities and restrictions defined therein.

Definitions

  • “Data Subject” of personal data:The visitor of the website, and any other natural person who comes into contact with our website.
  • “Personal Data”:Any information that can identify, directly or indirectly, a natural person (the “Data Subject”), such as name and surname, postal address, contact details (telephone, mobile), e-mail address, etc. 
  • “Processing”:Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data that have come or will come to the knowledge of the Company, either directly from you through the website, or in the context of your transactional relationships with it.
  • “Controller”:The Company under the name “MENNE S.A.”, which determines the purposes and means of the processing of personal data.
  • “Processor”:A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.
  • “Recipient”:A natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not.
  • “Third party”:Any natural or legal person, public authority, agency, or body other than the data subject, Controller, processor, and persons who, under the direct authority of the Controller or processor, are authorized to process personal data.
  • “Consent” of the data subject:Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by an explicit affirmative action, signify agreement to the processing of personal data relating to them.
  • “Data Protection Officer” (DPO):The Data Protection Officer appointed by the Company, as Controller, who holds the position and duties defined by the applicable legislative framework regarding personal data protection.

Personal data that is collected and processed, and the lawfulness of processing (legal basis and purpose of processing)

We collect data and information you disclose to us when you enter and navigate the Company’s website, as well as when you use our services.

Data we collect and instances of processing

During your entry to the website, we collect: 

  • IP Address
  • Date and time of access
  • Geographic time zone
  • Operating system and its version
  • Browser and its version
  • Name of terminal device and/or user

Purpose of processing: The provision of personalized services, correct connection operation, and ensuring the security and stability of the system. 

Legal basis: Legitimate interest of the Company for making the website available to the public and providing services (Article 6(1)(f) GDPR).

During your communication with us via e-mail, we collect: 

  • E-mail address
  • Name and surname (where required)
  • Content of the message

Purpose of processing: Management, settlement, or resolution of your request, question, or complaint. 

Legal basis:

  • If the communication concerns an existing contract, the legal basis is the performance of the contract (Article 6(1)(b) GDPR).
  • In other cases, the processing is based on the Company’s legitimate interest in providing services to the public (Article 6(1)(f) GDPR).

Presence of the Company on Social Media

Our Company maintains official social media pages on Facebook, Instagram, and YouTube. With this section, in conjunction with our Privacy Policy, we provide you with information regarding the processing of your personal data through these platforms. Through social networks, you can submit comments, send us messages, and stay informed about our news.

In these cases, the Joint Controllers of your personal data, pursuant to Article 26 of the GDPR, are both our Company and the respective administrator of the social networking platform (Facebook, Instagram, etc.). Due to the independent management of data by social networking platforms, it is not always feasible for us to have full knowledge of the type and extent of data being processed. However, we make every possible effort to configure our pages to ensure the protection of your personal data, within the capabilities provided to us by the platform administrators and the applicable legislative framework.

For more information regarding the processing of your personal data by social network administrators, you can refer to their respective privacy policies: 

Purpose and Legal Basis of Processing

When you interact with us on social networks, your personal data is processed to serve you, such as when we respond to messages and comments. When you communicate with us via the channels above, the legal basis for processing is our Company’s legitimate interest in serving you and managing your requests or questions (Article 6(1)(f) GDPR).

Processing of special categories of personal data

Our Company does not process and does not collect through its website “sensitive” personal data (special categories of data), such as data related to your racial or ethnic origin, your religious or philosophical beliefs, health data, or data concerning your sex life or your sexual orientation, given that the above data are not necessary for us and the aforementioned purposes of processing. The visitor of the website must refrain from providing, making available, disclosing, etc., special categories of personal data, which concern themselves and/or third parties. If it is ascertained that such data are required, the data are deleted immediately in a secure, non-recoverable manner. The Company bears no liability for any provision and/or processing which is due to their acts and/or omissions, in violation of the above obligation.

Data concerning minors

For this Policy, minors are considered individuals who have not completed their eighteenth (18th) year of age. Our Company does not process, through its website, personal data of minors. We reserve the right, if we ascertain that a minor has made their data available to us without their legal representative’s consent, to proceed with the deletion of said data. If you become aware that a minor has provided their data to us without their legal representative’s permission, please contact us. If you are a parent or guardian and have come to the attention that your minor child has made their personal data available to our Company, please contact us immediately. On our part, if we become aware that personal data we process belongs to a minor without the consent of the parent or guardian, the Company takes appropriate measures to delete such data immediately and to prevent similar incidents in the future.

Recipients of personal data

Our Company safeguards the confidential nature of your personal data and, as a rule, does not transfer it to any third (natural or legal) person, except when and in such cases as this is required and/or permitted by law.

The data we collect from you in the context of our relationship are processed by: 

  • The authorized and properly trained competent personnel of our Company, who are bound by confidentiality and non-disclosure clauses.
  • As the case may be, partners of our Company, to whom the Company, pursuant to Art.28 GDPR, entrusts the execution of specific tasks on its behalf (processors) and with whom it has ensured processing in compliance with the GDPR for the protection of your data, by signing contracts and committing to comply with adequate measures, according to the corresponding provisions of the GDPR (Art. 28, 32 GDPR), such as, indicatively but not limitatively, cooperating transport companies for the shipment of your orders, third-party partners – technical companies in the context of website management and service provision, support of our applications, companies providing promotional services (e.g., sending newsletters, conducting customer surveys for the evaluation of the Company’s services).
  • Public bodies and authorities, such as public services and agencies, independent authorities, regulatory authorities, police, competent authorities, prosecutors, other administrative services, etc., when we are obliged to do so by the applicable legislative framework.

Retention time of personal data

The retention of your personal data is for the specific purposes mentioned above. It lasts for a reasonable period of time, aiming to fulfill the respective purpose (restriction of processing). Our Company retains your personal data, as the case may be in printed and/or electronic Form, throughout the duration of your contractual relationship with the Company and the individual contractual commitments of the latter, depending on its nature, taking into account the legal obligations of the Company and any legal claims that may be raised from it, to justify, accordingly, the retention time of the personal data.

Furthermore, as the case may be, the data received and processed during the pre-contractual stage are retained for a period of five (5) years, subject to applicable legislation, with the possibility of extending this period. However, the Company applies a twenty (20 years) maximum retention period for personal data, with the possibility of extending the above time, in case of a claim being raised or pending litigation or indication of an audit by public (tax, etc.) authorities. In cases where the processing of personal data is based on consent, the data are retained by the Company for as long as required by legislation, depending on the purpose and type of processing, including any legal obligation of the Company to maintain them.

Technical and organizational measures

The Company takes all appropriate technical and organizational measures to safeguard technological and physical security, in accordance with applicable legislation (Art. 32 GDPR). More generally, the Company demonstrates, to the extent possible, due diligence in ensuring the integrity, confidentiality, and availability of personal data. Thus, it remains on standby to address a potential personal data breach in a timely and effective manner. To this end, it adopts, updates, and implements appropriate internal Policies and Procedures that are consistent with good practices and international standards. Additionally, our Company maintains an updated record of processing activities, including the information required by Art. 30 GDPR, and has appointed a Data Protection Officer (DPO) in accordance with Art. 37 et seq. GDPR, and trains and raises awareness among its staff on issues of security and protection of personal data.

Collection of Cookies

For this website to function correctly, cookies are used. For more information about cookies, refer to our Company’s Cookies Policy on our website.

Your rights based on the GDPR

As data subjects, you retain all your rights, as these are provided for in the applicable legislative framework on personal data protection, namely: 

  • Right to transparent information and notificationregarding the exercise of your rights (Art. 12, 13, 14 GDPR), before and during processing, namely the right to be informed regarding the processing of your personal data (as is extensively done with this Policy).
  • Right of access(Art. 15 GDPR) to your personal data being processed by the Company, as Controller, namely the ability to know and receive a copy of the data concerning you.
  • Right to rectificationof inaccurate data and completion of incomplete data (Art. 16 GDPR), namely the right to proceed with the correction of your details and information maintained by our Company.
  • Right to erasureof personal data / “right to be forgotten” (Art. 17 GDPR). This right is subject to conditions and to the obligations and any legal claims of the Company regarding the retention of data, in accordance with the provisions of the applicable legislation. The request for the erasure of some or all personal data may be satisfied under specific circumstances and subject to legal grounds for retention and continuation of processing by the Company, and provided that the interests of the Company are not prejudiced.
  • Right to restriction of processingof personal data if either the accuracy thereof is contested, or the processing is unlawful, or the purpose of processing is missing, and provided that there is no legal ground for processing. However, the data cannot be deleted (Art. 18 GDPR).
  • Right to data portability, namely you are entitled to request the receipt of your personal data in a structured, commonly used and machine-readable format, as well as their transmission, under the legal preconditions and terms, to another controller, provided that this does not adversely affect the rights and freedoms of others, according to the provisions of the legislation (Art. 20 GDPR).
  • Right to objectto the processing of personal data, subject to legal obligations of the Company or when the processing is performed in the context of fulfilling a superior legitimate interest of the Company, such as objection to profiling or direct marketing (Art. 21 GDPR).
  • Right to withdrawalready given consent, concerning the ability to withdraw consent at any time, for processing which is based on consent (Art. 7(3) GDPR). It is noted that, in this case, the lawfulness of the processing of personal data is not affected by the withdrawal of consent, up to the point in time of its withdrawal.
  • Right to human intervention(Art. 22 GDPR), namely the subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects him orthemhese cases, the Company implements suitable measures and safeguards to protect the data subject’s rights and freedoms and legitimate interests and provides the right to human intervention, so as tove clarifications and a reasoned response regarding the relevant decision, which was taken in the context of the above evaluation.

Also, you have the right to complain to a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR (Art. 77 GDPR). Competent Supervisory Authority is the Hellenic Data Protection Authority (www.dpa.gr).

Method of exercising your rights

For any request regarding your personal data and the exercise of your rights, according to the provisions of the applicable legislative framework for the protection of personal data, please address it in writing, by completing the Exercise of Rights Form, posted on our website and sending it to the Data Protection Officer (DPO) appointed by our Company, at the e-mail address: dpo@mennefoods.gr. Also, you can send it to our postal address or submit the request yourself in person, at our Company’s address. For your information, the role of the Data Protection Officer is purely advisory and involves mediating between our Company and data subjects.

Our Company is committed to making every possible effort to proceed with the required actions within a period of thirty (30) days from the receipt of the respective request, unless the tasks concerning its satisfaction are characterized by particularities and/or complexities, based on which the Company reserves the right to extend the time period for the completion of actions for sixty (60) additional days. Indeed, in this case, the subject will be informed of the above extension within thirty (30) days.

Specific declarations of the Company

The Company declares that it is not liable for any damage (direct, indirect, consequential, incidental) that may be caused to the visitor on the occasion of the website or the use thereof. The visitor is exclusively responsible for protecting their system from viruses and other malicious software. This Policy may be modified at any time. The user will be informed of all significant changes, while the updated version will be posted on the website each time. For this reason, the visitor must be informed and refer to this Policy regularly. The Company will not use the visitor’s personal data for any purposes beyond those mentioned in this Policy, without prior notification and, where required, their consent. By reading this Policy, the user becomes aware of the above processing, which is in accordance with the applicable legislation on the protection of personal data, exclusively for the aforementioned purposes and for purposes compatible with them.

Last modification: December 2025