Privacy Policy
  1. The Company’s Web Site

www.tomanna.gr is the website of the Company, under the corporate name “TO MANNA BAKERY – N.TSATSARONAKIS INDUSTRIAL AND COMMERCIAL SOCIETE ANONYME” and the distinctive title “N.TSATSARONAKIS S.A.”, based in Platanos Kissamos, Chania, Crete: hereafter “the Company”).

  1. What is personal data?

The term “personal data” refers to personal information such as your name, postal address, e-mail address, telephone number, etc. that identify you or identify your identity, hereinafter referred to as “Personal Data, or Data”.

  1. What is Personal Data Processing?

Any act or set of operations carried out with or without the use of automated means on personal data or personal data sets, such as the collection, registration, organization, structuring, storage, adaptation or alteration, recovery, search for information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, erasure or destruction.

  1. It is mandatory to provide your Data?

Providing Data to the Company may be necessary to achieve the purposes set forth in this Privacy Policy, or for it to be optional.

The mandatory or optional nature of the Data concession is indicated by an asterisk (*) next to the mandatory personal data.

If you refuse to provide the information marked as mandatory, the basic purpose of collecting the particular Data required will be rendered impossible, and may for example, make it impossible for the Company to provide the other services available on the Websites beyond simply browsing them.

In addition to the above, granting Data to the Company is optional and does not affect the main purposes of data collection, but serves to optimize the quality of the services provided.

  1. Which Data we collect and how

In the context of its services and operations, the Company may collect personal data from its employees, as well as its associates, as well as other natural persons whom it deals with. In particular, the following data may be collected:

“Personal data” (simple personal data):

“Candidate data: details from CVs (such as education, training, employee training, past service or experience, evaluation) are collected, submitted by the candidates themselves by sending their curriculum vitae either directly to the Company (via email) or through third party affiliates, which undertake the collection of CVs for certain job positions on behalf of the  Company.

– Employee Data: the Company maintains a file concerning its employees containing all the necessary data for the recruitment process, payroll and management of the employment relationship, such as name, surname, mother’s name, father’s name, year of birth, Identity card number, place of birth, gender, nationality, marital status, home address, Tax Registry Number, work experience data, qualifications, recruitment date, position title, employment hours, work permit (when required for foreign employees), Insurance Registry Number, bank account details and / or bank credit / debit card details, employee arrival and departure data, employee benefits data (e.g. corporate cars, credit cards and loans), training data, evaluation and so on. These data are collected directly from the Company’s employees. It is also possible that such data may not always belong to employees but also to third parties (e.g. members of the family of an employee, children, etc., who benefit from the parent’s compulsory insurance as a dependent).

– Vendor Data: for our suppliers (in the case of natural persons or sole proprietorships), we collect the data that is necessary for us to complete transactions and comply with legal requirements such as name, surname, VAT number, address, telephone, IBAN account details, tax offices, supplier rating data. We collect this data directly from the Suppliers.

– Partner data: for our external partners (e.g. distributors, cleaning contractors, etc.) we collect any data necessary to complete transactions and comply with legal requirements such as name, surname, identity number, VAT number, address; if they enter our facilities, we collect details re. arrival and departure data as well as image data. We collect this data directly from our Partners.

– Customer data (who obtains our products – wholesale): for our customers (in the case of natural persons or sole proprietorships) we collect data such as name, surname, VAT number, address, etc. These data are either collected directly from Customers or through our Representatives.

– Consumer Data: for our consumers, we collect the information they submit to us if they notify us of a complaint, request (by telephone, email, social media, etc.).

– Data for competition participants: for participants in competitions we collect data such as name, surname, telephone, email, home address, age, marital status and so on. These data will be submitted by the participants themselves upon reading the respective Terms and Conditions of the Contest in order to participate.

Data collected from visitors to our facilities: when someone visits our facilities, we may collect image data as well as their name, surname, time of entry and exit, ID number, and so on. The data is collected from the visitors themselves in order to safeguard the Company’s legitimate interests, in particular the safety of persons and goods.

– Data collected from visitors to our websites: the data we collect through our sites is only collected when submitted by the visitors themselves (e.g. via the contact form), in particular their name, telephone and email. We may also collect certain necessary traffic-related information on the site, including, which is not limited to the internet protocol address (IP address), the browser type used by the visitor, and cookies.

On a case by case basis, the Company may process the above data both as a controller and as a third-party processor.

“Special Categories of Personal Data” (Sensitive Personal Data):

In some cases, the Company may collect and process data belonging to specific categories of personal data (sensitive personal data) in order to meet its legal obligations.

– In particular, it may process health-related data (such as health certificates in the recruitment procedure under food hygiene and food safety legislation or in granting employees’ sick leave, the process of reporting accidents at work or when collecting complaints from consumers).

– Similarly, in exceptional circumstances, and particularly when required by the applicable law, the Company may collect and process data relating to criminal convictions or offenses such  as copies of a criminal record, always respecting the principle of proportionality.

  1. Minors’ data

As we do not intend to provide services directly to minors, it is not a Company policy to request and retrieve personal data concerning minors (i.e. persons who have not reached their 18th birthday), either directly or indirectly through third parties, except in cases concerning children’s data, in their capacity as a dependent of their insured parents.

However, since it is impossible to always control the age of persons entering or using the Company’s websites, it is recommended that minors’ parents and guardians communicate directly with the Company if they find any unauthorized disclosure has taken place in regards to the minors for whom they are responsible and to exercise their rights such as requesting that the provided data be deleted.

  1. Processing Objectives

The Company may collect and process personal data for the following purposes:

In order to meet the statutory obligations imposed by legislation, such as tax legislation, etc.

In order to meet its obligations as an employer, in which it can recruit and employ staff and / or contract with external partners.

To ensure for the Company’s smooth operation.

To ensure for the safety of its personnel, facilities and equipment.

In order to enter into legally binding contracts and to meet the legal obligations they impose.

For promotional, marketing and communication purposes.

  1. Transmission to Third Parties

It is likely that the Company will transmit the above data to third parties, in particular if this is provided for by existing legislation as an obligation or alternatively under the safeguards provided by existing legislation. In particular, in the context of the processing objectives mentioned above, data may be transmitted to:

– third party affiliated companies that provide the Company with relevant services such as recruitment companies, banks, insurance companies, social media service providers, certification bodies and others. These companies are contractually bound by our Company and the obligation of confidentiality and all obligations under the GPDR are safeguarded.

– Public Authorities (Police Departments, Prosecutor’s Offices, Hellenic Food Authority, Health, etc.) upon request.

If the transfer concerns a country outside the European Union (EU) or the European Economic Area (EEA), the Company must check whether:

  • The European Commission has issued an adequacy decision concerning the third country to which the transfer is to be made.

Appropriate safeguards are in place in accordance with the Regulation for the transmission of such data.

Otherwise, the transfer to a third country is forbidden and the Company may not transmit personal data to it unless any of the specific derogations provided for in the Regulation apply (e.g. explicit consent provided by the subject and that his / her information regarding transmission is necessary for the performance of a contract at the request of the subject, there are reasons related to public interest, it is necessary to support the legal claims and the vital interests of the subject etc.).

  1. Data Protection and Security

To prevent any unauthorized access, maintain data accuracy, and ensure for the proper use of Subjects’ personal data, the Company has taken reasonable steps to protect personal data. However, it is emphasized that no internet-based method or electronic storage method is 100% safe. With that being said, all necessary digital data security measures (antivirus, firewall) are taken.

Maintaining physical archives of originals or copies of documents containing personal data is conducted in a way that ensures their security against unauthorized access (e.g. lock, alert system, forwarding with a sealed envelope, confidentiality classification) and from deterioration or destruction (e.g. fire protection system, storage in cabinets not accessible to any flood).

  1. Personal Data Subjects’ Rights

Each Data Subject may, at any time, exercise his or her rights in regards to the processing of his or her personal data as defined by the EU GDPR (2016/679). In particular, each subject has the right to:

Request access to his or her personal data. He or she may ask to obtain a copy of his personal data held and check the legitimacy of such processing.

Ask for the correction of his or her personal data. He or she may request the verification of the accuracy of the data held and if it is found incomplete or inaccurate to provide corrected data.

Ask for the deletion of his or her personal data. Subjects can request that their personal data be deleted or removed, provided that the retention is not based on any legal or legitimate interest.

Request a limitation on the processing of his or her personal data.

Request the portability / transmission of his / her personal data to him / her and / or to third parties. In this case, the data will be transferred to the data subject or a third person who has chosen his / her personal data in a structured, widely used, machine-readable form will be provided. The satisfaction of this right is only possible in automated processing.

To withdraw his / her consent at any time regarding the processing of his or her personal data where it was due. In the event that the consent is withdrawn in respect of data the processing of which is strictly necessary for the provision of the services provided by the Company, then the Company reserves the right to discontinue any service to the Subject. However, this will not affect the legitimacy of any processing performed prior to the withdrawal of the Subject’s Consent.

To exercise all of the above rights, you can contact us at info@tomanna.gr or by phone: 2822041770

If any of the above requests / rights are exercised, the Company will immediately arrange for your request to be settled within a reasonable time and no later than thirty (30) days from the identification of the submitted request, informing you in writing about it being fulfilled.

For any complaints concerning this policy or privacy issues, you may contact the Greek Data Protection Authority through the following link: www.dpa.gr.

It would be better, however, for our relations with each other and for the improvement of our services, to be given the opportunity to listen directly to your concerns and to manage them, so we therefore request that before contacting the Data Protection Authority contact us using the contact details listed above.

  1. Data Retention Period

Collected personal data is kept for a predetermined and limited time period, depending on the purpose of the processing after which the data is deleted from the Company’s records, unless a different retention period is provided for or permitted by the applicable law.

  1. Updates to the Personal Data Privacy Policy

The Company may modify this Personal Data Privacy Policy from time to time in order to comply with regulatory changes to optimize its features and services. Up-to-date versions of this Privacy Policy will be posted on the Company’s website with a date indication to let you know which is the most recently updated version.