INFORMATION ON PERSONAL DATA

This policy of the societe anonyme named “NRG SINGLE-MEMBER ENERGY SUPPLY AND TRADING SOCIETE ANONYME” with the distinctive title “NRG SUPPLY AND TRADING S.A.”, having its registered office in Marousi, Attica, at the junction of 168 Kifisias Avenue and Sofokleous Street, with T.I.N. 998102480, Tax Office KEFODE ATTIKIS, and with General Commercial Registry Number 008361601000, concerns the collection of personal data via the website titled www.nrg.gr, the application named "mynrg" (https://www.mynrg.gr), the website https://drive.nrgincharge.gr/, the instant bill service, the internet, in general, and telephone.

With this policy we wish to explain to you, as simply and comprehensibly as possible:

• What data we process
• For what purposes and on what legal basis we process such data
• How long we keep such data
• Who are the recipients of your data; and
• What are your rights regarding your data and how can you exercise them.

Via:

• our website www.nrg.gr;
• our application "mynrg" (https://www.mynrg.gr), and its sub-applications;
• our Facebook page https://www.facebook.com/pg/nrgprovider/about/?ref=page_internal;
• our website https://drive.nrgincharge.gr/ (for electric mobility services) and the relevant application;
• the instant bill service;
• use of the telephone bill payment service;
• orders you place by telephone for products we offer for sale, - telephone communications, in general; and
• online promotions, we collect certain information, which may lead to your direct or indirect identification. Pursuant to European and national legislation, some of this information constitutes personal data (e.g. surname and first name, postal address, contact telephone number, e-mail address) and can be used to identify you (hereinafter referred to as "Personal Data" or "Data").

You, as the users of our services and visitors to our websites, are called "data subjects", while we are the "controllers" of your personal data.

“Personal Data processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction thereof.

The Controller of your personal data is the societe anonyme named “NRG SINGLE-MEMBER ENERGY SUPPLY AND TRADING SOCIETE ANONYME” headquartered in Marousi, Attica, at 168 Kifisias Avenue  and Sofokleous Street, P.C. 15126, with T.I.N. 998102480, Tax Office for Societes Anonymes of Athens, with General Commercial Registry Number 008361601000, telephone: 18101* and/or 21888 18101** (*charges depend on the price list of the telecommunications provider you cooperate with, ** local rate) - (For calls from abroad or mobile, call +30 211 1032132), E-mail: [email protected].

“NRG SINGLE-MEMBER ENERGY SUPPLY AND TRADING SOCIETE ANONYME” is:

a) holder of an Electricity Supply License, by virtue of RAE Decision No 541/2013 (15/11/2013), as amended and in force, and is registered in the Register of Market Participants kept by the Hellenic Energy Exchange (HEnEx) and by the Non-Interconnected Islands Operator (HEDNO SA) for electrical energy systems as Supplier No 29XNRGTRADING—S; as well as

b) holder of a Natural Gas Supply License, pursuant to RAE Decision No 356/2015 (2/10/2015) and is registered in the Register of Users of the National Natural Gas System under number 51 pursuant to RAE Decision No 287/22-09-2016;

c) registered in the Register of Electric Mobility Market Infrastructure and Operators.

Our company owns and operates the websites titled www.nrg.gr and https://drive.nrgincharge.gr/ and other websites. For any clarification or additional information in relation to this personal data protection policy, as well as for the exercise of your rights and requests arising from European and national legislation, you may contact our Data Protection Officer at the email address [email protected] or at the postal address 168 Kifisias Avenue, Marousi, P.C. 15126, (for the attention of the Data Protection Officer)

We process your data in a lawful and transparent manner, in accordance with European legislation (General Data Protection Regulation 679/2016) and national legislation. We collect and process your data only for explicit, legitimate and specified purposes and only such data as are necessary for the purposes for which we undertake the processing of such data.

We retain such data only for as long as necessary, in accordance with the laws, purposes and policy of the company, and we ensure that such data are as accurate as possible.

We make every effort to ensure that your data remain safe and protected from illicit processing, accidental or fraudulent loss and destruction, as well as from unauthorized access. We have implemented a detailed information security plan. We have adopted appropriate internal security policies and procedures, policies and technologies that ensure data security, and we have trained our executives and staff to abide by confidentiality and data privacy rules. Our staff and third party partners are committed to maintaining the privacy and confidentiality of the data they have access to.

The websites www.nrg.gr and https://drive.nrgincharge.gr/ use the SSL (Secure Sockets Layer) protocol, which utilizes encrypting methods for the data exchanged between two devices (usually computers), implementing a secure connection between them over the internet, resulting in the protection of your personal data. You know that you are on a protected connection when you see the characters https:// and the lock symbol on your browser's address bar.

As a rule, our company collects and processes your data only when you provide them directly and voluntarily, either via the websites www.nrg.gr or https://drive.nrgincharge.gr/ or by telephone (e.g. by submitting a Connection Application or filling out a contact form, in case you declare that you wish to receive updates about the Company's products or by ordering a product from the nrg shop section of our website, nrg.gr).

However, this rule cannot apply absolutely to two cases in the context of the operation of the Website:

i. certain data, which are automatically collected during your visit to our above websites; and

ii. data collected with the help of cookies and similar technologies.

When you visit our website www.nrg.gr and its subsections, or the website https://drive.nrgincharge.gr/ or when you use our "mynrg" application (https://www.mynrg.gr) and its sub-applications, or the instant bill service via your computer, we collect:

• The date and time of your entry to the website.
• Your IP address (Internet Protocol address) when you entered the website. IP addresses are personal data, along with the date and time of your visit, although we cannot identify you with this information ourselves.

The reason (legal basis and purpose) for which we collect your IP address and keep it in special files (log files) is, on the one hand, our legitimate interest to process such data, in order to ensure the security of our networks, information and services against accidental events or illegal or malicious actions, which can compromise availability, authenticity, integrity and confidentiality of the stored or transmitted data and, on the other hand, the legal obligation to provide the most secure environment possible for the processing of your personal data (Article 6 (1)(f) and (c) GDPR).

Data will not be transferred or used in any other way. However, we reserve the right to review server log files if specific indications of illegal use exist.

Like most websites, we use cookies and similar technologies when you access and browse the websites www.nrg.gr,  and https://drive.nrgincharge.gr/, or the “mynrg” application (https://www.mynrg.gr) and its sub-applications, the instant bill service, or when you use it via your computer, in order to make it as comfortable and efficient as possible.

Cookies are small text files that are stored on the hard drive of a computer or other electronic device with which the user accesses the website. Cookies are unique to each web browser (e.g. Google Chrome, Mozilla Firefox, Internet Explorer, Opera, etc.) and contain anonymous information about the websites you visit and the devices you use.

By continuing to use the above websites and applications without changing the settings, you agree to the use of "cookies".

For more information, you can review our cookie policy here https://www.nrg.gr/en/cookies-policy.

For the purpose of your registration in our website https://drive.nrgincharge.gr/, and/or in our "incharge" application, as well as in order for you to receive electric mobility services, we collect and process the personal information you provide to us, on a case-by-case basis, depending on whether you carry out the relevant transaction as a registered user or as a visitor.  The data we collect and store include, among others, the following:

Α) Basic identification data (such as your surname and first name);

Β) Contact details needed for the provision of our services (such as home and email address, telephone number, etc.);

Γ) Any other information you will provide us via our above website, either during your registration or at any other time in the future (e.g. type of your vehicle).

In contrast, we do not collect or store any of your credit card information. In this case, we automatically redirect you to the payment gateway of the online payment management platform (https://www.stripe.com/en-gr) where you complete your payment in a secure environment. More information regarding the policies of the above online payment management platform can be found on the website: https://stripe.com/en-gr/legal/ssa.

Our company collects and stores only some of the digits of your credit card number, your surname and first name and the expiration date, in order to enable you, via its website, to freely detect and select, among any cards you have already used in the above electronic payment platform, the credit cards with which you wish to pay the price of the electric mobility services you receive or to renew your bill balance.

The purpose for the processing of your data that we collect in this way is the provision of electric mobility services (Article 6 (1)(b) GDPR).

In addition, our company reserves the right, either itself or through third party companies cooperating with our company, to use non-identifiable – anonymised information associated with the registration and/or use of the https://drive.nrgincharge.gr/ website and/or your "incharge" application for the purposes of: (i) analysing market trends and using such analysis for its business purposes; (ii) improving its services or products; (iii) carried out research, testing, development, controls and operations related to electric vehicle charging services. In any case, the above additional activities will be provided solely under the condition that the data used in each case cannot identify any individual or their specific personal information, but focus on market trends.

In the context of communication between us via the websites www.nrg.gr, https://drive.nrgincharge.gr/ and other websites (using the special contact form, click2call or email) but also by telephone, we will collect the personal data you will provide to us e.g. by filling out an online contact form (in case you declare that you wish to receive updates about the Company's products) or to participate in an online competition. Such data include surname and first name, telephone number, e-mail address and any other information you may provide to us during our communication. Such data are stored and used exclusively for responding to your request or for communication purposes or for us to address any administrative issues. The legal basis for the processing of such personal data is your consent, pursuant to Article 6(1)(a) GDPR. Your data will be deleted after the final processing of our communication. This will be the case if it can be inferred from the circumstances that the purpose of the communication has been fulfilled, provided that there are no legal claims for storing such data.

You have the option, in order to contract with our company for the supply of electricity and/or natural gas, to submit, either in paper or electronically, all necessary data for the conclusion of the relevant contract using the special application form for the supply of electricity and/or natural gas, respectively.

In such case we will collect data necessary:

a) in order to assess your application; 

b) possibly, in order to contact you regarding your electricity supply request;

c) for the conclusion and performance of the relevant contract, i.e. your surname and first name, address, T.I.N., Tax Office, meter number, electricity supply point number and/or the supply point electronic identification code (IKASP), telephone numbers, e-mail address, fax, and in a few cases some additional information that will be requested from you.

Furthermore, if you choose to contract with our company remotely, e.g. to remotely sign your application using an electronic signature, our company will transmit to the partner company named docusign Inc, which acts as a processor on behalf of our company, your data that are absolutely necessary for your identification and enabling us to provide you with the opportunity to sign remotely (2 factor authentication).

The legal basis for processing is the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (Article 6 (1)(b) GDPR). We retain such data for the entire term of the contract and after its expiry, for as long as any relevant (legislative, tax, etc.) provisions require and/or until our legal claims under the contract become subject to the statute of limitation.

If you grant your consent, we may process data for additional purposes related to the Company's activities, even if not strictly necessary for the performance of the electricity and/or natural gas supply contract, such as information, marketing, commercial communication of products and services, as well as research to assess the quality of the services provided by various means, including automated ones (by e-mail, SMS, MMS, fax, telephone). The legal basis for processing is consent under Article 6(1)(a) of the General Data Protection Regulation (GDPR). You may withdraw your consent at any time, as well as during any subsequent communication between us.

When you participate, via the internet or by phone, in any contest or other promotion, we process your personal data that you give to us, such as your name, surname and contact details, for the purpose of your participation in the competition, publication of the results of the competition, communication and updating you in case you are declared the winner of such competition, in particular, regarding the existence of any Prize, as well as to take all necessary steps for the delivery of such Prize.

We store your data for the period until the end of the competition, the nomination of the winner and the shipment of your prizes, i.e. usually for a period not exceeding six (6) months from the end of the competition. The legal basis for the processing is your consent and the contract, as long as you have consented to the terms of the competition (Article 6 (1)(a) and (b) GDPR).

When you call our company in order to order one or more products we offer for sale, your order is processed by a strictly limited number of our employees, who: (a) have been contractually bound to maintain the confidentiality of the information you disclose during your aforementioned transactions; and (b) have been specifically trained to be able to provide this service. In such a case, the employee who will serve you will collect only the data necessary for the conclusion and performance of the relevant contract, i.e. your surname and first name, address, e-mail address, telephone number (landline and/or mobile phone) and in a few cases, some additional information that will be requested from you (e.g. T.I.N.).

The call you make for the purpose of ordering products by telephone will be recorded and kept encrypted, in a secure environment, for a period of ninety (90) days, after which it will be deleted, unless there are legal claims justifying its longer storage.

The legal basis for processing is the performance of a sales contract to which you are a party (Article 6 (1)(b) GDPR). We retain such data for the entire term of the contract and after its expiry, for as long as any applicable (legislative, tax, etc.) provisions require and/or until the our legal claims under the contract become subject to the statute of limitation.

We offer a free mobile and computer application, through which we collect and process the personal information you give us in approximately the same way as at our website and at the same time enabling you to use additional services, mainly to inform us about the latest readings of your electricity supply meter, so that your bills are issued based on the readings you enter, as well as to enable you to pay your bill(s) online.

The purpose of processing the data you give us and we collect via the application, is the performance of the aforementioned additional services and, in general, the performance of your contract (Article 6 (1)(b) GDPR).

When you pay your bills online via the application, we do not collect or store credit card details and other payment methods, but we automatically redirect you to the payment gateway of Eurobank Ergasias S.A., in the secure environment of which, at an independent website of the Bank, you complete the payment.

The Company maintains an official page at the social networking platform "Facebook" entitled "nrg"  (https://www.facebook.com/pg/nrgprovider/about/?ref=page_internal).

You may contact us through our Facebook page in order to receive more information about our services in the following ways:

1. via the "send message" option;
2. via the "call now" option.

Our Company, in order to answer your relevant questions, collects and processes your Facebook username, as well as other information that is publicly available through your profile (e.g. telephone number, email address, etc.). The sending of a message for the purpose of initiating communication between us implies your consent to the above processing of your data, which is the legal basis of the processing (Article 6 (1)(a) GDPR). Access to and use of our website is subject to this Privacy Policy of our company. In the case of a phone call, the provisions of paragraph 3.4 "Contact Forms - Contact by phone" of this policy, shall apply.

When you choose to click "LIKE" on the Company’s page, you give your consent to view news and promotions (via the newsfeed) distributed by the Company via its Facebook page. If you do not wish to receive such updates, you can click on the "UNLIKE" option at any time.

The Company takes all necessary security measures (both technical and organisational) for the security of data processing through Facebook, including, without limitation, limiting the number of people who have access to the management of its Facebook account.

Finally, we inform you that the Company is responsible only for the methods and means used to process your data for the above purposes (communication, information and promotions). Our Company shall not be responsible for the methods or means that Facebook's social networking platform uses to processes your data. You may be informed about the processing of your data by Facebook's social networking platform at the following links:

https://el-gr.facebook.com/policy.php?CAT_VISITOR_SESSION=c7b73ebc78d1681ade25473632eae199

https://el-gr.facebook.com/business/GDPR

When you call our company in order to pay your electricity and/or natural gas bills, as well as, in general, every time you use the above service, your request is served by a strictly limited number of our employees, who, on the one hand, have been specifically trained to provide this service and, on the other hand, have undertaken increased confidentiality obligations.

These persons will undertake, in real time, all necessary actions exclusively and solely using appropriate technical equipment of our company, entering your card details in a secure payment environment of Eurobank Ergasias S.A. when payment is completed, without keeping copies of your card details. You will be informed directly by the aforementioned employee whether your relevant transaction has been successfully completed or not.

For the execution of the relevant transaction, the aforementioned employee will ask you to read only the following information: card number, cardholder’s name and card expiration date. Also, our employee will ask you for the amount that you wish to pay each time. Charging a third party card is allowed only with the written authorisation of its holder and only if the holder's signature is certified by a public authority.

The call you make for the purpose of using our aforementioned service by telephone will be recorded and kept encrypted, in a secure environment, for a period of ninety (90) days, after which it will be deleted, unless there are legal claims justifying longer storage. The legal basis for processing is the performance of the relevant transaction and, in general, the performance of the contract to which you are a party (Article 6 (1)(b) GDPR).

We offer the possibility to pay your electricity and/or natural gas bills using the instant bill service. This service is provided by a relevant link that you can receive both on your mobile phone via SMS/Viber and via email. When you use the instant bill service, we collect and process the personal information you give us in order to be able to identify you as our customer, as well as to be able to provide you access to the additional features of this service (e.g. bill printing, activation or deactivation of the e-bill). 

The purpose of processing the data you give us and we collect via the application, is the performance of the aforementioned additional services and, in general, the performance of your contract (Article 6 (1)(b) GDPR).

When you pay your bills online via the application, we do not collect or store credit card details and other payment methods; instead, we automatically redirect you to the payment gateway of Eurobank Ergasias S.A., in the secure environment of which, at an independent website of the Bank, you complete the payment.

Data is accessible, depending on the request you submit each time, to the absolutely necessary members of the company's staff who should be made aware of such request and, at the same time, have been authorised to respond to your requests. If required, Data may also be accessible to the company's personnel dealing with administrative and accounting issues, to IT and internal audit personnel, as well as to any other authorised person who needs to process your data in the context of their work duties. In addition, in order to operate our websites, process your requests, perform contracts, provide electric mobility services, etc. we cooperate with third party service providers, legal or natural persons, professionals, independent consultants who provide us with commercial, professional or technical services (e.g. IT services, electronic payment platforms, installation of photovoltaic systems and electric vehicle chargers) for the purposes mentioned above and in order to support the Company, in whole or in part, in the provision of the services you request.

Furthermore, in case of overdue debts to our company, your personal data may be transmitted to third natural and/or legal persons which have been mandated to support our company in informing debtors about their relevant debts and/or in the managing the relevant debts and/or, in general, to pursue in and out-of-court the payment of the relevant debts and/or to provide legal support in general for our claims, including, without limitation, debtor information companies under Law 3758/2009, as in force at times, Loan and Credit Servicing Companies (EDADP), as well as to law firms and lawyers, bailiffs, etc. Where applicable, such natural/legal persons shall act as Data Controllers, Processors or persons authorised to process personal data for the same purposes as mentioned above, under the same assurances and in accordance with applicable law.

Before the third party receives the Personal Data, we: (i) complete the legal privacy review to assess the privacy practices and risks associated with these third parties; (ii) obtain guarantees (e.g. under a contract) from such third parties that they will process Personal Data in accordance with our company's instructions, and in accordance with this Policy and existing Legislation; that they will promptly inform our company of any Privacy Incident, including any inability to comply with the standards set forth in this Policy and existing legislation or of any Security Incident; that they will cooperate for the timely correction of any documented Incident; that they will assist us in responding to the individual rights of the subjects as defined below; and that they will allow our company to carry out inspections and supervise the practices they use during processing to assess compliance with such requirements.

In some cases, data may be transferred to other companies that are affiliated with "NRG SINGLE MEMBER ENERGY SUPPLY AND TRADING SOCIETE ANONYME" within the meaning of Article 99 of Law 4548/2018, as amended and in force, for purposes permitted under law and/or based on legitimate interest (administrative and accounting needs, legal claims, business development, etc.).

Finally, data may be further transmitted to institutions, authorities and public bodies for legitimate purposes, including, without limitation, to network or electricity and natural gas system operators (e.g. HEDNO, IPTO, DAPEEP, etc.), to Local Government Organisations and/or, in general, to administrative, tax, customs, arbitration authorities or other public authorities and regulatory bodies, if necessary for compliance with the law or for the establishment, exercise or defense of legal claims of our company.

With the exception of the above, Data will not be disclosed to any third parties, natural or legal persons, and will not be disseminated.

Furthermore, in case our company needs to transfer Personal Data (e.g. for the use of Cloud services), such transfer will be done under the terms and safeguards provided by Articles 44 et seq. GDPR.

We do not process data or trade with persons under 18 years of age.

You may contact the Data Protection Officer of our Company at the email address dataprotection@nrg.gr, or at the postal address 168 Kifisias Avenue, Marousi, P.C. 15126, at any time, to exercise the rights under Articles 15-22 of the GDPR, namely the rights of access, rectification, erasure (where permitted), restriction of processing, disclosure, portability, as well as the right to withdraw consent in accordance with Article 7 (3) GDPR.

You may, for example, contact our Company's Data Protection Officer to obtain confirmation of the existence or non-existence of personal data relating to you, to check their content, origin, accuracy and location (also in relation to any third country), to request a copy, to request their correction and, in the cases stipulated under the GDPR Regulation, request the restriction of their processing, the deletion of data, to object to direct communication activities (sending a newsletter) by our company, as well as report comments on specific uses of your data that are considered incorrect or unjustified.

You may withdraw your consent at any time, without prejudice to the lawfulness of the processing performed before said consent was withdrawn. However, we reserve the right to further processing if we prove that compelling reasons exist requiring protection that override your interests, fundamental rights and freedoms or if the processing serves to exercise or defend legal claims.

Finally, you may submit complaints to the Personal Data Protection Authority, at 1-3, Kifisias Avenue, P.C. 115 23, Athens, call centre: +30-210 6475600 or a http://www.dpa.gr/.

This policy for the protection of Personal Data may be amended at any time whenever deemed necessary by the Company. Any imminent significant change to our policy will be posted on our website www.nrg.gr and on our other websites. Finally, you may request by post or phone that we send you a copy hereof.

******************************

Marousi, 1^st of April 2025