Customer Privacy Notice

This Privacy Notice is issued by the following companies:

(hereinafter "We", the "Group", the "Company").

1. Subject Matter

This notice describes our practices regarding the processing of personal data, namely the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data of our wholesale and retail customers (hereinafter the "Customers"), as well as their contact persons or legal representatives. For the said processing activities, the Data Controller for the purposes of this notice is the Group company with which the customer concluded an agreement.

The Company reserves the right to amend and adjust this notice whenever deemed necessary, and any changes shall take effect from the time they are communicated to you, whether by e-mail, by posting on the internet, or by any other means the Company deems appropriate.

2. Data Collected

In the context of entering into a contract, including the pre-contractual stage, as well as during the performance of the contract, the Company collects the following personal data of its Customers:

• Full name,
• Tax Identification Number (TIN),
• other identification data,
• e-mail address,
• contact telephone number (landline and mobile),
• credit or debit card numbers,
• bank account number,
• address (street, number, postal code),
• data submitted in the context of tender procedures or evaluation processes relating to your creditworthiness, financial standing and/or financial behavior,
• data arising during the performance of the contract (e.g. order data, payments, collateral and other security, debts, instalments and outstanding balances).

3. Sources of Data Collection

Your personal data is mainly collected:

From you

In order to fulfil its contractual obligations towards you, the Company requires certain information, such as name, surname, contact telephone number, TIN, etc., which you provide to the Company directly.

From other sources

We also receive personal data about you from other sources. These sources include, indicatively, the company under the name Trapezika Systimata Pliroforion S.A. (TIRESIAS S.A.), ICAP, Hellastat, public sources (Government Gazette, General Commercial Registry, professional directories, etc.), where public records regarding your professional activity are available.

Automatically

Personal data collected automatically includes audiovisual material (including date and time) generated when you enter an area where a closed-circuit television (CCTV) system is in operation.

4. Purposes of Processing

The Company collects and processes your personal data referred to above for one or more of the following purposes:

• For the performance of its contractual obligations, in the context of the sale of heating oil and fuels.
• For the performance of its contractual obligations, in the context of the supply of aviation or marine fuels.
• For the performance of its contractual obligations, in the context of the supply of fuels to large end consumers (e.g. PPC, Armed Forces).
• For the performance of its contractual obligations, in the context of the direct sale of petroleum products to petrol stations and petrol station consortia.
• For the performance of its contractual obligations, in the context of the sale of petrochemicals to petroleum product trading companies, asphalt companies and LPG companies.
• For the conduct of tenders or direct negotiations for entering into contracts.
• For maintaining a record of wholesale and retail Customers.
• For monitoring payments.
• For servicing and supporting its Customers.
• For communicating with LPG and heating oil consumers.
• For the financial assessment of Customers and the assessment of credit risk, through the credit check of Customers.
• For maintaining a record of defaulting Customers.
• For maintaining a record of collateral and other security.
• For the management and securing of its claims against Customers.
• For the assessment of Customers and their transactional behavior.
• For tax purposes, invoicing purposes and proof of the transaction.
• For the protection of the Company's property (facilities, infrastructure, equipment, etc.).
• For sending informational and promotional material.
• For informing Management about agreements between the Company and Customers.
• For conducting internal audits.
• For the confirmation and settlement of transactions and monitoring of payments.
• For the legal support of the Company.
• For the safety and security of the Company's facilities and personnel.
• For profiling; provided that we obtain your consent for such processing, we take into account the data you provide and the information arising from your use of our services, in order to send you commercial communications that match your preferences and profile.

The Company collects and processes the personal data of its Customers exclusively for the aforementioned purposes and only to the extent strictly necessary for the effective fulfilment of those purposes. Such data is in each case relevant, adequate and not excessive in view of the above purposes, and is accurate and kept up to date.

5. Legal Basis

There are various ways by which the Company lawfully processes the personal data of its Customers, and for each processing activity it carries out, there is at least one of the following legal bases:

a) Processing is necessary for the performance of the Company's contractual obligations.

In order for the Company to be able to perform its contractual obligations towards its Customers, as well as to monitor the fulfilment of their contractual obligations, the legal basis under which the Company lawfully processes its Customers' data is Article 6(1)(b) of the GDPR, which provides that the Company may process data where "processing is necessary for the performance of a contract to which the data subject is party".

We inform you that, should you refuse to provide us with data that is necessary for the performance of our contract (such as your full details, your address or your TIN), it will not be possible to evaluate your offer or to enter into and perform the contract between us.

b) Processing is necessary for compliance with the Company's legal obligations.

In addition to its contractual obligations, the Company must also comply with obligations arising from the applicable legislative framework. In accordance with Article 6(1)(c) of the GDPR, the Company may process personal data when processing "is necessary for compliance with a legal obligation to which it is subject", such as, for example, invoicing and the transmission of your data to tax authorities.

c) Processing is necessary for the purposes of the Company's legitimate interests.

In accordance with Article 6(1)(f) of the GDPR, the Company may process personal data when such processing "is necessary for the purposes of the legitimate interests pursued by the Company, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data".

The following cases constitute a non-exhaustive reference to the legitimate interests pursued, so that the corporate objectives may be successfully achieved:

• The smooth operation of the Company, more effective communication with its Customers and faster execution of its transactions.
• Informing Management about agreements between the Company and Customers, in order to ensure the proper operation of the Company.
• The assessment of credit risk through the credit check of Customers, in order for the Company to be able to assess the business risk of its transactions and enter into the corresponding agreements (e.g. granting or not granting credit, obtaining security, etc.).
• Maintaining a record of defaulting Customers, in order for the Company to be able to monitor and pursue the collection of its overdue receivables.
• The confirmation and settlement of transactions, the monitoring of payments and the securing of its claims.
• Conducting audits to ensure compliance with corporate Procedures and Policies.

d) The Company has obtained the consent of its Customers for the processing of their personal data.

In certain cases, we may request your consent by positive action (opt-in) before proceeding with specific processing of your data. For example, we may request your consent to send you informational and promotional material that matches your preferences.

You always have the right, at any time, to withdraw your consent by contacting us at [email protected]. If you withdraw your consent, it will no longer be possible to carry out the processing activities based on it. The withdrawal of consent does not affect the lawfulness of processing based on your consent prior to its withdrawal.

6. Retention Period

The Company will retain personal data in accordance with the applicable provisions of the law and only for as long as is required for the fulfilment of the purposes mentioned above or for the period required by law or for the defence of the Company against possible legal actions and for the court pursuit of its claims.

7. Information Security

The processing of personal data by the Company is carried out in a manner that ensures its confidentiality. Specifically, it is carried out exclusively by personnel authorized for this purpose, while all appropriate organizational and technical measures are taken for the security of the data and its protection against accidental or unlawful destruction, accidental loss, alteration, prohibited dissemination or access, and any other form of unlawful processing.

8. Transfer to Third Parties

The Company does not in any way transfer the personal data of its Customers or interconnect its files in exchange for financial or other consideration with any third-party private companies, natural or legal persons, Public Authorities or services, or other organizations.

The Company may provide access to or transfer the personal data of its Customers to:

• Third-party service providers who perform various functions on behalf of the Company (including site security and insurance) and to external consultants, associates, lawyers, accountants, auditors, as well as providers of technical and support services, and IT consultants.
• Financial institutions: We may exchange data with financial institutions/organizations in which you hold a bank account for the processing of payments.
• Other Group companies in the context of the centralized management of sales by the competent Group Division.

The processing of your personal data by the above entities cooperating with us is carried out under our control and only on our instructions and is subject to this privacy policy or to a policy providing at least the same level of data protection.

Furthermore, the Company transfers your data in the context of its regulatory obligations to:

• Tax, Audit and other Public Authorities, when we reasonably believe that the law sets an obligation to provide access to or transfer such data.
• Competent law enforcement authorities: We may disclose your data to the Police and other competent law enforcement or administrative authorities, where required by law or by any other lawful enforceable act or order.

Any transfer of your data to third countries outside the EU and the European Economic Area (i.e. outside the Member States of the European Union, Norway, Iceland and Liechtenstein) will only be made in compliance with the legislative framework concerning data protection and only when adequate safeguards for the protection of your data are provided.

If the Company merges with or is acquired by another business in the future, or if the Company's claims against its Customers are transferred to another business, your personal data may be disclosed in the context of the merger or acquisition of the Company or the transfer of its claims. In such a case, this notice will be supplemented, as applicable, by a more specific notification.

9. About Your Rights

One of the fundamental principles of the GDPR is the protection of the rights of natural persons with regard to the processing of their personal data. In this context, you have a number of rights regarding your personal data that are processed by the Company. In particular:

• Right to information/notification: You have the right to request and receive clear, transparent and easily understandable information about the way we process your personal data.
• Right of access: You have the right to access your personal data held by the Company. We may ask you for supplementary information in order to process your request; however, where we provide you with access to the information we hold about you, this will be provided free of charge, with the exception of the following cases, where a reasonable charge may apply to cover the administrative costs of the Company and/or the Group:
  • manifestly unfounded or excessive/repeated requests, or
  • additional copies of the same information.

Where we have a lawful right to refuse your request, we will inform you of the specific reasons for such refusal.

• Right to rectification: You have the right to request the rectification of your personal data if it is inaccurate or incomplete.
• Right to erasure: You have the right to request the erasure or removal of your personal data when it is no longer necessary for the purposes for which it was collected or there is no lawful reason for the continuation of its processing. The right to erasure is not absolute to the extent that there is a specific legal obligation or other legitimate reason for the retention of your personal data by the Company and/or the Group.
• Right to restriction of processing: In certain cases, you have the right to restrict or suspend the further processing of your personal data. In practice, this means that we may store your data but will not be able to further process it, unless such processing is carried out with your consent or is necessary either for the establishment, exercise or defence of the Company's legal claims, or for the protection of the rights of another person, or for reasons of public interest.
• Right to data portability: You have the right to request that the personal data concerning you be transferred to other data controllers. In practice, this means that you have the ability to transfer the information we hold about you to any third party. To facilitate this right, we will provide your data in a structured, commonly used and machine-readable format, so that you can transfer your data to another data controller. Alternatively, we can send the data directly on your behalf. The right to portability applies to (a) data that we process by automated means (i.e. without human intervention), (b) personal data that has been provided by you, and (c) personal data that we process on the basis of your consent or where processing is necessary for the performance of a contract.
• Right to object: You may object to the processing of your personal data, primarily when processing is carried out for the purposes of the Company's legitimate interest. Where processing is carried out for the purposes of serving its legitimate interests, the Company will comply with your objection and will cease the specific processing, unless the Company can demonstrate compelling and legitimate grounds for the processing which override your interests, rights and freedoms, or the processing in question is carried out for the establishment, exercise or support of the Company's legal claims. Consequently, where processing is to a significant extent based on the performance of contractual obligations, the exercise of these rights may affect the fulfilment of obligations arising from our contractual relationship or, in extreme cases, may make the performance of the contract impossible.
• Automated individual decision-making, including profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The Company does not engage in automated individual decision-making; however, provided it obtains the user's consent, it creates the user's profile taking into account the data provided by the user and the information arising from the use of its services, in order to send you commercial communications that match the user's preferences and profile and to tailor its services and products to the user's individual needs. Profiling for the above purpose does not produce any legal effects concerning you or similarly significantly affect you.

10. Filing a Complaint

For further information and advice regarding your rights or to file a complaint, you may contact the Hellenic Data Protection Authority (1-3 Kifisias Avenue, P.C. 115 23, Athens), E-mail: [email protected]

11. Details of the Data Protection Officer of the HELLENiQ ENERGY Group

Do you have questions? Contact us

If you have any questions regarding this Notice, please contact us by e-mail or telephone using the Data Protection Officer's above contact details.

Definitions

"General Data Protection Regulation ("GDPR") ": a European Union regulation aimed at harmonising European legislation on the protection of personal data. It has been in effect since 25 May 2018, and any reference thereto shall be interpreted to include also the national implementing legislation.

"Personal data": any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Sensitive personal data": personal data that contain information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, physical and mental health, genetic and biometric data, data concerning sex life or sexual orientation, and information relating to criminal convictions and offences. Due to the nature of sensitive personal data, the legislation is much stricter regarding the way such data must be processed. The Company processes sensitive personal data only in accordance with the law.

"Processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Data controller": the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

"Restriction of processing": the marking of stored personal data with the aim of limiting their processing in the future.

"Personal data breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Last update: April 2026