Our Company conducts its business activities in agreement with the principles of privacy, applying ethical and responsible practices.

The current legislation sets out our standards for the management and protection of your Personal Data, so that the maximum possible security is provided to you.

These principles, which ensure the protection of your personal information, apply to all types of our activities, including the collection and processing of information about individuals, including, but not limited to, research, production, commercial activities, corporate activities, company support and data transfer.

Indicatively, this Policy applies to:

Promotional and commercial activities: market assessment of our products/advertising, marketing, sales, distribution and delivery of our products/communication with our customers and other end users of our services/sponsorship and event management

Corporate support: hiring, managing and compensating employees/conducting evaluations of employees' performance and talents/providing training/managing ethics and privacy issues/managing and securing our assets and infrastructure/supply and payment for products and services/fulfilling our commitments on the environment, health and safety/communication with the media.

This Policy applies to all natural persons whose data we process, including customers, candidates and associates.

Respectively, each employee of the Company, and third parties who process data for our company, are responsible for understanding and complying with their obligations under this Policy and existing laws.

The privacy principles described below summarise the standards and basic requirements for the collection and processing of personal data of individuals by our company.

Personal data:

a) are subject to lawful and fair processing in a transparent manner in relation to the data subject (“legality, objectivity and transparency”),

b) are collected for specified, express and lawful purposes and are not subject to further processing in a manner that is incompatible with these purposes (“purpose limitation”),

c) are appropriate, relevant and limited to those required for the purposes they are processed for (“data minimisation”),

d) are accurate and updated, when necessary (“accuracy”),

e) shall be kept in a form that allows the data subjects to be identified only for the time required for the processing of personal data (“limitation of storage period”),

f) shall be processed in a way that guarantees the appropriate data safety, including their protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

1. Necessity - data minimisation

• Before collecting, using or distributing Personal Data, we determine and record the specific, legitimate business purpose served.

• We determine and record the time period for which Personal Data is used for the specified business purposes, which is defined on a case-by-case basis depending on the nature and type of activity.

• We do not collect, use or share more Personal Data than is necessary and do not withhold Personal Data in a recognisable form for a longer period of time than is necessary for the specified business purposes.

• We anonymise data when operational legal requirements make it necessary as well as when information about the activity or process is retained for a longer period of time.

• We ensure that these necessary requirements are incorporated into any support technologies and that third parties supporting the activity or processing are notified.

2. Legality, Objectivity and Transparency

• We do not process Personal Data in ways that are unfair to the individuals concerned.

• We determine whether the proposed collection, use or other form of processing of Personal Data constitute a risk for actual or undetermined harm to individuals, always aiming to prevent them.

• If the nature of the data, the types of people or the activity contain an inherent risk of actual or undetermined harm, we ensure that this risk does not outweigh the corresponding benefits for those individuals.

• In cases where it is necessary to process Personal Data of special categories (“sensitive data”), this is done only with the express consent of individuals or as explicitly required or permitted by existing laws.

• We record the risk analysis and design any required mechanisms for obtaining and recording data that demonstrate consent to supportive technologies. We do not process Personal Data in non-transparent ways or purposes.

• All individuals whose Personal Data is processed in accordance with this Policy will be entitled to a copy of this Policy, which is posted on the Internet. The Data Protection Officer will provide digital and/or physical copies of this Policy upon request to the addresses listed below.

• When Personal Data is collected directly by individuals, we inform them through a distinct and easily accessible privacy notice or similar means, providing them with the following information:

-the identity and contact details of the controller

-the purposes of the processing

-if the processing is based on the legal interests of the controller, what are these interests

-recipients of personal data

-occasional data transmission

-the time period for which the data will be stored

-the existence of the right to submit a request to the controller for access and correction or deletion of personal data or restriction of processing

-when the processing is based on the consent of the subject, the existence of the right to revoke his consent at any time, without prejudice to the lawfulness of the processing based on the consent before its revocation

-the right to submit a complaint to the Personal Data Protection Authority

-the legal nature of the provision

-the possibility of automated decision making

• If new reasonable corporate purposes are identified for Personal Data already collected, we ensure that either the new corporate purpose (including a substantially similar purpose) is compatible with the purpose, as described in the Privacy Notice or any other transparency mechanism previously provided to an individual, or we obtain the consent of the individual for the new use of his Personal Data.

We are responsible for maintaining the privacy of your Personal Data when it is transferred to or from other business organisations.

We transfer Personal Data or allow it to be processed by third parties only if the following conditions are met, for which we are responsible.

• If the role of the third party is to process Personal Data on behalf of or to ensure the vital interests of the company, before the third party receives the Personal Data:

(a) we complete the legal inspection to assess the privacy practices and risks associated with such third parties,

(b) we attempt to obtain guarantees through a written agreement from these third parties that they will process Personal Data in accordance with the instructions of our company, and in accordance with this Policy.

(c) We ensure that we are informed in a timely manner of any Security Agreement and that they agree to cooperate when necessary.

(d) If the role of a third party is to provide Personal Data to our company, before we obtain Personal Data from a third party, we ensure that the Transparency Conditions for Collecting Personal Data from other sources, and not specifically under the supervision of the company, are met, and we obtain warranty through written agreement of the third party that does not violate any Law or rights of any third party by providing Personal Data to our company.

(e) If the role of the third party is to obtain from our company data for processing which is not specifically under the supervision of our company, before we deliver the data to the third party, we ensure that the third party will use the data only for the operational purposes set out in the agreement and in accordance with existing legislation.

3. Data Quality, Integrity and Confidentiality

We keep the Personal Data accurate, complete and updated, and in agreement with their desired use

• We ensure that periodic data control mechanisms are integrated into supportive technologies to validate data accuracy.

• We ensure that Sensitive Data is validated as accurate and updated as possible before the use, evaluation, analysis, reporting or other processing thereof, which carries the risk of injustice to individuals if inaccurate or untrue data is used.

• In case of change of personal data, the subject bears the responsibility for informing our company so that the necessary modifications can be made.

We incorporate safeguards to protect Personal Data and Sensitive Data.

• We have implemented a detailed information security program and security controls that are based on information sensitivity and activity risk size, using the best practices of modern technology. Protection policies against loss, misuse, unauthorised access, disclosure or destruction, include, but are not limited to, standards of business continuity and recovery due to disaster, identity and access management, classification of information, management of information security incidents, network access control, physical security and risk management.

4. Rights of Access, Correction, Deletion, Portability, Processing Restriction and Processing Objection

You have the right to access your personal data.

This means that you have the right to be updated by use on whether we process your Data. If we process your Data, you may ask to be informed of the purpose of the process, the type of your Data we keep, who they were disclosed to, the retention period, whether automated decision-making takes place; you may also be informed of your other rights, such as correction, data deletion, processing limitation and filing a complaint to the Personal Data Protection Authority.

You have the right of correction of inaccurate personal data.

If you find there is an error in your Data, you may submit an application for correction (e.g. correction of name or update of address change).

You have the right to delete/the right to be forgotten.

You may request us to delete your data if it is no longer necessary for the aforementioned processing purposes.

You have the right of portability of your Data.

You may request us to receive, in readable form, the Data you have provided or ask us to forward them to another controller

You have the right of restriction of processing.

You may request us to limit the processing of your Data for as long as your objections on processing are pending.

You have the right of objection on processing of you Data.

You may object to the processing of your Data or withdraw your consent and we will stop processing your Data unless there are other compelling and legitimate reasons that prevail over your right.

To exercise your rights you can send us a request, describing the right you want to exercise either to the postal address of the Company, 7 ORAIOPOULOU street, N. HERAKLION Postal Code 14121 with the indication “Exercise of right of access/correction/deletion/restriction/objection”, or to the email address: info@bodypower.gr entitled “Exercise of the right of access/correction/deletion/restriction/objection”, with a description of your request and we will take care to examine it and respond to you as soon as possible.

We respond to your requests free of charge without delay, and in any case within (1) one month from the time we receive your request. However, if your request is complex or there is a large number of your requests, we will inform you within a month if we need an extension of another (2) two months, within which we will respond to you.

If your requests are manifestly unfounded or excessive, in particular because of their repetitive nature, the Company may impose a reasonable fee, taking into account the administrative costs for information or execution of the requested action; or refuse to act on the request. You have the right to lodge a complaint with the Personal Data Protection Authority (mailing 1-3 address Kifisias street, Athens www.dpa.gr), if you consider that the processing of your Personal Data violates the applicable national and regulatory framework law on personal data protection.

Terms you need to know:

Anonymisation. The change, cut-off, elimination or other restriction or alteration of Personal Data in order to make it impossible for them to be used for identification, tracking or communication with the individual.

Legislation. All laws, rules, regulations and orders of opinion that have legal effect.

Personal Data. All data about a recognised or unrecognised person, including the data that identifies the person or that could be used to locate, monitor or communicate with that person. Personal Data also includes direct identification information such as name, identification number or job title, and indirect identification information such as date of birth, telephone number and encrypted data.

Privacy Incident. Violation or breach of this Policy or a privacy law or Data Protection law. Determining whether a privacy incident has taken place and whether it has a physical nature will be implemented by the Data Protection Officer and the Legal Department / Compliance Department.

Processing. Conducting any process or series of processes in data related to people, with or without automated means, including, but not limited to, collecting, recording, organising, storing, accessing, adapting, converting, retrieving, using, evaluating, analysing, reporting, distribution, disclosure, transmission, disposal, alignment, obstruction, deletion or destruction.

Security Incident. Access by an unapproved person to Personal Data or disclosure to an unauthorised person of Personal Data or the reasonable suspicion of our company that this has happened. Access to Personal Data by or on behalf of our company without the intention to violate this Policy is not a Security Incident, provided that the specific Personal Data was then used and disclosed only as permitted by this Policy.

Sensitive Data. Any type of data related to people that contain an inherent risk of harm to individuals, including data defined by law as sensitive, including, but not limited to, data related to health, inheritance, race, ethnicity, religion, or politics philosophical beliefs or faith, criminal record, accurate geographic location information, bank or other financial account numbers, state-issued registration numbers, minor individuals, sex life, relationships with trade unions, security, social security and other employer or government benefits.

Third Party. Any legal entity, organisation or person that does not belong to our company, or for which our company has no controlling interest, or that does not work for our company. Unless explicitly specified in this Policy, no sector of our company is required to meet the requirements of a third party under this Policy, as all subsidiaries and sectors are required to process data about people in accordance with this Policy

Changes to this Policy

This Policy may be revised occasionally, in accordance with the requirements of the existing legislation. Whenever this Policy changes naturally, a notice will be posted on our company's website.

Dispute Resolution

We would like to inform you that in case of any dispute arising from our transaction for the resolution of which you have sent us a relevant written request but we fail to reach a joint agreement, you have the possibility to contact the Electronic Dispute Resolution platform online at webgate.ec.europa.eu/odr/ which connects directly to the competent independent Authority “Consumers Ombudsman” www.synigoroskatanaloti.gr In this platform you can submit a request to resolve the dispute and then our company will be called by the competent Authority at info@bodypower.gr

In addition, we take into account that our Company recognises in the context of good faith the advisory nature of the decisions of the Authority to be taken and has not committed itself to the enforceability of those decisions. In any case, the civil courts are competent to resolve the dispute through the Electronic Dispute Resolution platform.

You can read the Consumer Code of Practice of Electronic Commerce as published in the Official Gazette