The purpose of this Policy is to define the general framework and the basic principles established and applied by our Company “OIKOS S.A.” (hereinafter referred to as the “Company”) concerning the processing of personal data and their confidentiality, integrity and availability.



This Policy applies to all of the personal data that the Company processes during the course of its activities.



  • Company Management
  • Data Protection Officer (DPO)
  • All Company staff
  • All partners who manage and / or have access to personal data



4.1. In general

Oikos SA recognizes and respects the importance of the personal data it processes in its activities and has therefore fully adapted its policy to the requirements of the General Data Protection Regulation (EU) 2016/679 (hereinafter GDPR).

With this statement, Oikos SA wishes to inform its counterparties in what capacity, for what purpose and on what lawful basis it processes information relating to them that can be used to identify them directly or indirectly, that is to say their personal data. It also informs them of the categories of their data, the sources of their data (when the data are not provided by the persons themselves), the criteria for determining the period of storage of their personal data, their ability to exercise, regarding their personal data, the rights of access and rectification and, where appropriate, the rights of erasure, restriction of processing and objection to processing, including processing by means of automated decision-making and profiling, the possible transmission of personal data to a third country or an international organization, the ability of individuals to lodge a complaint about any violation of their personal data rights with the Data Protection Authority, as well as our Company’s adherence to relevant privacy policies and safeguards.

If you have any questions or concerns, if you wish to receive a copy of this statement or wish to exercise any of the following rights pertaining to your personal data, please contact our Company’s Data Protection Officer.


4.2. Contact Info

Processor: OIKOS-AROMA




Chalepa 17 str, Gerakas, PC. 15344


T.: 210 66 117 50 – F.: 210 66 119 44





Data Protection Officer:


Advanced Business Process Management

Contact Person

Evangelos Michaloliakos


Tyrnavou & Sarantaporou 1Α Agios Stefanos






4.3. Who collects personal data?

This Policy refers to the collection of personal data by the Company in the development of its business activity, which consists mainly in the production and marketing of quality Greek cosmetics.


4.4. Data Sources

We collect your personal data from various sources, including:

  • directly from the subjects for one of the following reasons:
      o Personal data you give us directly
      o Personal data which are produced from the execution of our contractual relationship
      o Personal data which are produced during the compliance with our legal obligations
  • indirectly, from other sources and on the basis of our legitimate interest, in the following cases:
      1. Information we obtain in the event of a credit check of the subjects who deal with us on terms of credit provision, provided that the relevant legal procedure envisaged is respected and that the subjects are informed where legally required.
  • We receive and store specific kinds of personal data online whenever anyone interacts with us when we use cookies and tracking technologies under the conditions set by applicable law.


4.5. What personal data are collected?

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Due to the nature of the aforementioned activity, our Company mainly collects the following personal data per category of subjects:

  • Employees: personal data and data that refer only to their employment relationship with the Company, including, but not limited to, identity and communication data, financial data and any health data of their own or additional family members, provided that the latter are necessary for the compliance of the Company with the applicable employment and social security and social protection law.
  • Candidates for recruitment: personal data and data referring to their evaluation as candidates and their recruitment procedures by the Company, including, but not limited to, identity and communication details, as well as details of the CVs of the candidates.
  • Company counterparties (customers, prospective customers and in general persons who communicate with the Company): personal data and data referring to our existing contractual relationship, where one exists, or used for the Company’s communication with the above persons, including, but not limited to, identification and communication details, transaction data as well as financial information related to the Company’s performance of its legal obligations.
  • Affiliates (third parties, suppliers and other affiliates in general): personal data and data that refer to our existing contractual relationship, including, but not limited to, identification and communication details, transaction data and any financial information relating to the Company’s performance of its statutory obligations.

We note that, apart from any health data mentioned in this Policy, we do not collect special categories of personal data, such as data on race, ethnic origin, religion or sexual orientation, or genetic or biometric data, etc., which enjoy additional protection under the GDPR.


4.6. Particularly regarding children’s personal data

Children’s personal data may be collected exceptionally in the context of the employment relationship of our employees with our Company and solely for the purpose of complying with the Company’s obligations under applicable employment and social security and social protection law (such as obtaining a birth certificate or marital status certificate). Please note that the above information is provided with the consent or explicit notification of the holder of parental responsibility over the child.


4.7. What is the purpose of processing personal data?

The purpose of personal data processing varies according to the relationship between the Company and the subject of the personal data. In particular:

  • Employees’ personal data are provided to the Company for the purpose of concluding, executing or terminating the corresponding employment / cooperation agreement. In addition, employees’ personal data on attendance, absences, hours of attendance, permits and medical evidence of sick leave are kept for the purpose of granting leave, including sick leave, while personal data related to employee performance are provided by the heads of the individual departments for the purpose of staff evaluation by the Company.
  • The personal data of candidate employees are provided to the Company during the stages of selection and evaluation of candidates and in particular they are sent to the relevant Department of the Company and its Administration, for the purpose of informing the Company, evaluation, interviews, etc. during the recruitment and co-operation process.
  • The personal data of customers, associates, trainees, and other counterparties of the Company are provided to it for the purpose of concluding and developing the corresponding contractual relationship, our compliance with our statutory and contractual obligations and, where applicable, our communication with the above subjects at their request.


4.8. What is the legal basis for processing?

The collection and processing of the personal data of the above subjects for the purposes described above is based on:

  • Article 6 par. 1 b: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Article 6 par. 1 c: processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Article 6 (1) (a) GDPR: the data subject has consented to the processing of his or her personal data for one or more specific purposes;
  • Article 9 par. 1b: processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.


4.9. Profiling

The Company does not use personal data to create a “profile” within the meaning of the GDPR.


4.10. Transfer of personal data to third parties: Who can be notified?

The Company does not normally disclose personal data to third parties except in the following cases:

  • Personal data may be forwarded to an external partner of the Company, which has been contracted to provide logistics services.

We note that our associates have access only to those personal data that are necessary for the performance of their contractual obligations and are prohibited from using them for any other purpose. In addition, they have previously committed themselves to our Company regarding their relevant obligations: not to use personal data for any purpose other than the processing, to maintain confidentiality, and generally to comply with the GDPR in their capacity as “Processor”.


4.11. For how long is personal data retained?

The retention time of personal data depends primarily on the purpose of the processing, and their mere retention is a processing act, which is allowed only if it is governed by the principles of processing. After the retention period, the personal data are deleted under the care of our Company. In particular:

  • Candidates’ data are compiled on a mailserver and fileserver electronically, accessible by the HR Department and Company Management for a period of two (2) years from the completion of the recruitment process. The retention is due to a possible reassessment of the candidates by the Company.
  • Employees’ personal data are kept in a physical file and fileserver by the HR Department, for as long as the employment relationship lasts. After the termination of the employment relationship for any reason, the relevant information is retained for a maximum of twenty (20) years (indicative limitation period for any relevant legal claims), during which any case of lawful processing may arise, such as a civil-law claim, the investigation of a criminal offense in which an employee is likely to be involved, a tax audit, etc. The above also applies to employee asset data, access to electronic and physical files and work areas, and corporate mobile phones provided for the purpose of performing the employment contract. It also applies to personal data concerning the granting of leave to employees (presence, absences, hours of attendance, permits, medical evidence of sick leave) and staff assessment.
  • The personal data of our clients and associates are kept in a physical file and in a fileserver by our Customer Service Department for as long as our contractual relationship lasts. After the termination of the contractual relationship, the relevant information is retained for a maximum of twenty (20) years (indicative limitation period for any relevant resulting legal claims), such as e.g. in civil cases or in the investigation of any criminal offense, tax audit, etc.


4.12. What are the rights of the subject of personal data?

The processing of your personal data is also associated with your respective rights, which, subject to any provisions limiting the exercise thereof, are:

  • The right to information. You have the right to receive clear, transparent and comprehensible information about how we use the personal data and what your rights are. To this end, we provide you with the information in this Policy and we urge you to contact our Company and / or DPO of our Company (see the above contact details, see clause 3.1) for any additional clarifications.
  • The right to access and rectification. You have the right to access, correct and update your personal data at any time.
  • The right of data portability. The personal data you have given us is portable. This means they can be moved, copied or transferred electronically.
  • The right to erasure. If you revoke your consent for processing at any time, you have the right to request that we delete your personal data.
  • The right to restrict the processing. You have the right to restrict the processing of your personal data.
  • The right to withdraw consent. If you have given your consent to the processing of your personal data, you have the right to withdraw your consent at any time by contacting us with the information provided in this document.
  • The right to object exists for processing for the purpose of direct marketing (e.g. informative e-mails).
  • Rights related to automated decision making. You have the right not to be subject to a decision based solely on automated processing and having legal or other significant consequences for you. Specifically, you have the right:
      o to obtain human intervention,
      o to express your point of view,
      o to get an explanation for the decision reached after an evaluation, and
      o to challenge this decision.

In the event that you exercise any of your rights, we will take all reasonable measures to satisfy your request within a reasonable time and at the latest within one (1) month of the identification of your submitted request, informing you in writing of the satisfaction of your request or of the reasons that may impede the exercise of the right in question or the satisfaction of one or more of your rights under the GDPR. Please note that in some cases it may not be possible to meet your relevant requests, such as when the fulfillment of the right is contrary to a legal obligation or impedes a contractual legal basis for processing your data.

However, if you believe that there has been any violation of your rights or of legal obligations regarding your personal data, and provided that you have previously contacted the Data Protection Officer of the Company (DPO) for that matter and have exercised your respective rights vis-à-vis the Company without receiving a response within one (1) month (extended to two (2) months in the case of a complex request), or you believe that the response you received from the Company is not satisfactory and your issue has not been resolved, you may file a complaint with the appropriate local supervisory authority, namely the Personal Data Protection Authority, 1-3 Kifissias Avenue, TK 115 23 Athens, email: complaints@dpa.gr, fax 2106475628.


4.13. How are personal data protected?

The Company has made every effort to take appropriate organizational and technical measures to protect your personal data from misuse, interference, loss, unauthorized access, modification or disclosure. Measures implemented include the use of appropriate technical systems for access control, technical security of information and ensuring that personal data are encrypted, pseudonymized and anonymized where this is necessary and feasible.

Access to your personal data is only allowed to relevant employees and authorized associates of the Company, where such access is necessary to support our Company’s activity, and is subject to strict contractual confidentiality obligations when the data are assigned to and processed by third parties.


4.14. How can I contact the Company?

You can contact us: a) at the address Chalepa 17 str, Gerakas, PC. 15344, or b) by e-mail: info@oikos-sa.com


4.15. Updating this Privacy Policy

This Policy will be reviewed if necessary to adapt to any legislative changes in order to meet the needs of the subject of the personal data and any changes in our Company’s products, services and internal processes. Every change will be published on our Company’s official website, with a review of the latest inform.