APPLICANT PRIVACY POLICY

Introduction

This Policy is issued by the company “SHOP & TRADE SOCIETE ANONYME COMMERCIAL AND INDUSTRIAL COMPANY FOR CLOTHING, DISTRIBUTION AND SERVICE PROVISION” (hereinafter referred to as the “Company” or “Shop & Trade”), headquartered at 222 Piraeus Street, 177 78, Tavros, Attica, Tel.: +30 210 3408400, Email: info@shopandtrade.gr, acting as the Data Controller, to provide individuals who submit their CVs for potential employment (hereinafter referred to as “Applicants”) with the necessary information regarding the collection and processing of their personal data.

The Company is committed to protecting the privacy of Applicants and processes their personal data with respect and in accordance with the applicable legal framework, including Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), Greek Law 4624/2019, Law 3471/2006, and relevant decisions, guidelines, and regulatory acts of the Hellenic Data Protection Authority (HDPA).

Definitions

For better understanding of this Policy, key terms used herein are defined below in accordance with the GDPR:

• Personal data: Any information relating to an identified or identifiable natural person (“data subject”).
• Processing: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
• Data Controller: The natural or legal person, public authority, agency, or other body which determines the purposes and means of processing personal data. In this case, the Controller is the Company.
• Processor: The natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Controller.
• Recipient: The natural or legal person, public authority, agency, or another body to whom the personal data are disclosed.
• Consent: A freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data.
• Personal data breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Data Processing Principles

The Company processes Applicants’ personal data in compliance with the following data protection principles:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality

Categories of Data Collected

The Company collects and processes the following personal data submitted by Applicants:

• Identity data (e.g., name, surname, date/place of birth)
• Contact details (e.g., email, phone, postal address)
• CV information (e.g., education, professional experience, skills, languages, interests, references)
• Cover letter content
• Any other voluntarily submitted information

Note: Applicants are advised not to include sensitive data (special categories of personal data) in their applications unless specifically requested and with appropriate notice.

Source of Data Collection

Data is primarily collected directly from the Applicants through CV submissions, cover letters, and other documents during the application and evaluation process.

Purpose and Legal Basis for Processing

The Company processes personal data for recruitment purposes, including:

• Evaluating qualifications and suitability
• Communicating with Applicants and organizing interviews
• Informing Applicants about future job openings
• Compliance with legal obligations

The legal basis for processing is primarily:

• Pre-contractual measures at the Applicant’s request (Article 6(1)(b) GDPR)
• Consent, where applicable (e.g., CV retention for future roles) (Article 6(1)(a) GDPR)
• Legitimate interest, such as legal defense (Article 6(1)(f) GDPR)

Data Retention

• For non-selected Applicants, data is retained for six (6) months after the recruitment process unless earlier deletion is requested and feasible.
• For hired Applicants, data becomes part of the employee file and is kept throughout the employment period and as required by law thereafter.
• Retention periods may be extended in case of legal disputes (up to 20 years, depending on the case).

Recipients and International Transfers

• Access is limited to authorized personnel involved in recruitment (e.g., HR, department managers), who are bound by confidentiality.
• Data may be shared with third-party service providers (Processors), such as:
  • IT service providers (e.g., application management systems)
  • Assessment/testing companies (with prior notice to Applicants)

Such third parties are contractually obligated to comply with GDPR and ensure appropriate security measures.

• Disclosure to public authorities or courts may occur where legally required.

International Transfers: The Company does not normally transfer data outside the EEA. If required, transfers will only occur where an adequate level of protection is guaranteed (e.g., adequacy decisions, standard contractual clauses).

Data Security

Shop & Trade implements appropriate technical and organizational measures, such as:

• Antivirus and firewalls
• Regular software updates
• Access control policies
• Encryption of critical assets
• Backups
• Internal data security policies
• Processing activity logs
• Regular security audits

Applicants’ Rights

Applicants have the following rights under the GDPR:

• Right to information and access (Articles 12–15)
• Right to rectification (Article 16)
• Right to erasure (“right to be forgotten”) (Article 17)
• Right to restrict processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)
• Right to withdraw consent at any time (Article 7)
• Right to lodge a complaint with the supervisory authority (HDPA)

To exercise your rights, contact the Company’s Data Protection Officer (DPO) at:

• Email: dpo@shopandtrade.gr
• Post: 222 Piraeus Street, 177 78 Tavros, Attica

Requests will be handled within one month, extendable by two months in complex cases.

Data Breach Response Procedure

A personal data breach is any security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

In the event of a high-risk breach, the Company will promptly notify affected Applicants as required by Article 34 GDPR, and notify the HDPA within 72 hours per Article 33 GDPR. The Company will also take appropriate steps to contain and prevent future incidents.

Applicant Notification

This Policy also serves as an informational notice under Articles 13 and 14 GDPR. By submitting their application and CV, Applicants are deemed informed and to have accepted this data processing notice. The Policy is available on the Shop & Trade website and may be provided during the application process.

Policy Updates

Shop & Trade reserves the right to unilaterally amend or update this Policy as needed to comply with legal requirements or to improve procedures. Updates become effective upon posting on the Company’s website or other suitable notification. Applicants are encouraged to check the website regularly.

Contact Information

Data Controller:
SHOP & TRADE SOCIETE ANONYME COMMERCIAL AND INDUSTRIAL COMPANY FOR CLOTHING, DISTRIBUTION AND SERVICE PROVISION
Address: 222 Piraeus Street, 177 78 Tavros, Attica
Tel.: +30 210 3408400
Email: info@shopandtrade.gr
Website: www.shopandtrade.gr

Data Protection Officer (DPO)
Email: dpo@shopandtrade.gr

Supervisory Authority:
Hellenic Data Protection Authority (HDPA)
Address: 1–3 Kifisias Ave., 115 23 Athens
Tel.: +30 210 6475600
Fax: +30 210 6475628
Email: contact@dpa.gr
Website: www.dpa.gr

Last updated: May 2025