• SUMMARY

This Policy describes the framework for the protection of your personal data, including special categories of personal data and our Company’s compliance with legal requirements.

 

• WHO WE ARE

We are «ERGOTRAK (EMPORIKI MIHANIMATON KAI VIOMIHANIKON EIDON S.A.) “, a member of the Sfakianakis Group (hereinafter referred to as “the Company” or “we“), Tax Identification Number: 094394592, which has its registered office in Mandra, Attica, at Patima, P.C. 19600, email ergotrak@ergotrak.gr, tel. 210 6293400. We represent, import, distribute and support after-sales high quality vehicles & machinery in the Greek Market. The company is the exclusive representative and distributor in Greece of the manufacturing companies Cummins (land-sea diesel engines and generators), DAF (heavy trucks and tractors), TEMSA (buses), FORD TRUCKS (heavy trucks and tractors), Linde (lifting and cargo handling machinery), and Hitachi (construction and mining machinery). In addition, Ergotrak offers equipment rental services, as well as full maintenance contracts for all the products it manages.

In the context of its commercial activity and in order to fulfill its statutory purposes, our Company collects, keeps a record and processes your personal data.

The purpose of this policy is to provide you with information about how our Company collects and processes your personal data.

A basic principle of our Company is to respect the privacy of your personal data, which is why we are committed to protecting and keeping your personal data safe.

 

 

• DEFINITIONS

‘Personal data’ means information relating to a living natural person that can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifiers or to one or more factors specific to the physical, physiological, economic, cultural or social identity of that natural person.

 

Special categories of personal data are personal data that include information about (a) the data subject’s racial or ethnic origin, (b) his political opinions, (c) his religious beliefs or other similar beliefs, (d) his trade union membership, (e) his physical or mental health or condition, (f) his sex life,  (g) the commission or alleged commission by him of any offence or (h) any proceedings for any offence committed or alleged to have been committed by him, the termination of such proceedings or the sentence imposed by any court.

 

Data processing, in relation to information or data, means the collection, recording or possession of the information or data or the performance of any operation or series of operations on the information or data, including: (a) the organisation, adaptation or modification of the information or data, (b) the retrieval, consultation or use of the information or data, (c) the disclosure of the information or data by transmission;  dissemination or any other form of making available, or (d) the association, combination, blocking, deletion or destruction of the information or data .

 

Data Subject is the natural person, who is the Personal Data Subject.

 

Data Controller means a legal person who (either alone or jointly or jointly with other Controllers) determines the purposes for which and the manner in which personal data are or will be processed.

 

Processor, as far as personal data are concerned, means any natural or legal person other than the data controller who processes the data on behalf of the Data Controller.

 

Third party, with respect to personal data, means any person except: (a) the Data Subject, (b) the data controller, or (c) any data processor or other person authorised to process data for the data controller or processor.

 

 

• PROCESSING PRINCIPLES

We ensure full compliance with the applicable Data Protection Legal Framework, including the General Data Protection Regulation (GDPR), and process personal data in accordance with the applicable basic principles. In this context, we ensure that personal data:

 

1. a) Processed lawfully and fairly in a transparent manner in relation to the data subjects

 

The lawful bases for processing are described below. We ensure that one of them applies when we process personal data:

 

• Contract: the processing is necessary for the performance of a contract between the Company and the natural person or to take measures at the request of the data subject prior to the conclusion of a contract (pre-contractual stage).
• Legal obligation: the processing is necessary for us to comply with the law (tax, insurance obligations).
• Vital interests: processing is necessary to protect someone’s life or other vital interests.
• Public interest: processing is necessary for the performance of a task carried out in the public interest.
• Legitimate interests: processing is necessary for the pursuit of the legitimate interests or legitimate interests of a third party, unless those interests are overridden by the interest of the data subject.
• Consent: the individual has provided clear and unambiguous consent, allowing us to process personal data for a specific purpose.

 

 

(b) they are collected for specific, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes. Further processing for archiving purposes for reasons of general interest, scientific or historical research or statistical purposes shall not be considered incompatible with the original purposes.

 

(c) they are appropriate, relevant and limited to what is necessary for the purposes for which they are processed. Personal data must be adequate, relevant and not excessive in relation to the purpose(s) for which it is processed.

 

(d) accurate and, where necessary, up-to-date. All reasonable measures must be taken to ensure that data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

 

(e) they are kept in a form that allows the identification of the data subjects only for the period necessary for the purposes of the processing of the personal data. Personal data may be stored for longer periods if they are processed only for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes and if the appropriate technical and organisational measures required by the applicable data protection regulatory framework are in place in order to safeguard the rights and freedoms of individuals.

 

(f) processed in a manner that guarantees the appropriate security of personal data, including their protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by taking appropriate technical and organisational measures. Appropriate technical and organizational measures will be taken against unauthorized or unlawful processing of personal data and their accidental loss or destruction, and

 

1. g) they are not transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of the Data Subjects in relation to the processing of personal data.

 

• Processing of special categories of personal data

 

Special Categories of Personal Data, as described in the above definitions, pose more significant risks to the fundamental rights and freedoms of a natural person, if they are not lawfully processed and/or adequately protected. There are certain conditions that must be met in order to allow the processing of special categories of personal data, such as:

 

• the data subject has provided explicit consent to the processing of such personal data for one or more specific purposes.
• the processing is necessary for the fulfillment of the obligations and the exercise of the specific rights of the Company as a Controller in the field of labor law and social security and social protection law, if permitted by law or a collective agreement, which also provides appropriate safeguards.
• processing is necessary for the protection of the vital interests of the data subject or another natural person, where the data subject is physically or legally incapable of consent.
• the processing concerns personal data that has been manifestly disclosed by the data subject.
• processing is necessary for the establishment, exercise or support of legal claims, or where the courts are acting in their judicial capacity.
• processing is necessary for reasons of substantial public interest.
• the processing is necessary for the purposes of preventive or occupational medicine, to assess the employee’s ability to work, to make a medical diagnosis, to provide health or social care or treatment.
• processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or to ensure high standards of quality and safety.

 

• THE DATA WE COLLECT ABOUT YOU

 

Personal data means any information relating to an identified or identifiable natural person (“data subject“). It does not include anonymous data, i.e. where the identity of the individual has been removed (e.g. encrypted or pseudonyms have been used).

We may, therefore, collect, use, store and transfer different types of your personal data, which we have grouped together as follows:

• Identity information includes, but is not limited to, first name, surname, username or similar identifier, marital status, title, date of birth and gender.
• Contact details include, but are not limited to, address, street, city, postal code, telephone number, mobile phone number and e-mail address.
• The financial data includes, but is not limited to, the account number, credit card details.
  • Transaction data includes, but is not limited to, details of the products and services you have purchased from us.
• Marketing and communications data includes, but is not limited to, your preferences for receiving marketing from us and companies that provide us with support services for marketing and communication purposes and your communication preferences.

 

• HOW YOUR PERSONAL DATA IS COLLECTED

 

We use different methods to collect data from and about you, among others:

• 
  Instant interactions. You may provide us with your Identity Information, Contact Information, Financial Information and Transaction Information by filling in forms, by post, telephone, electronically or otherwise.

This includes personal data that you provide when you:
• Apply for our products or services.
• Visit one of our websites.
• Subscribe to our service or publications.
• Search for your local dealer.
• Book a service.
• Request a brochure or other marketing method to be sent to you.
• Participate in a contest, promotion, or survey.
• Send email

• 
  Third parties or public sources. We may receive personal data about you from a variety of third parties, including our network of agents and public sources, as set out below:
  – Contact, financial and transaction information from technical support and payment service providers.
  – Identity, contact, financial and transaction information from our dealer network.

 

• HOW YOUR PERSONAL DATA IS USED

Your personal data is collected for the following purposes:

(a) to serve your request (e.g. to submit an offer for the purchase of vehicle(s), leasing, to conduct a test drive, etc.),

(b) if you enter into a contract with our Company (purchase of a vehicle, etc.) for the execution of the contract, for customer service services and in general the fulfillment of all our contractual rights and obligations,

(c) for customer satisfaction surveys, for statistical reasons and for the general improvement of our Company and our relationship with you,

(d) if you wish to buy a vehicle with financing, to check your creditworthiness, to transmit them to the Bank(s) of your choice, etc.,

(e) to fulfill all our legal obligations, to respond to legal proceedings/requests from competent authorities to provide information (indicatively, for offenses/violations of the Criminal Code, etc.),

(f) provided that you give your consent, for the direct promotion of products and services and the conduct of market research.

 

 

• DISCLOSURES OF YOUR PERSONAL DATA – INTERNATIONAL TRANSFERS – THIRD PARTIES

Your personal data, whenever necessary for your best service, will be transmitted to our official network of representatives/merchants and partners, while it may be transmitted to companies that may provide us with support services for the respective purposes. For the purpose under point d., they will be forwarded to the Bank(s) of your choice/credit rating agency. For the purpose under point (e), they will be forwarded to the competent Authority. For the purpose under point (f), if you give your consent, in addition to ERGOTRAK and to companies that provide it with support services for the above purpose, may be transmitted and/or to other companies of the Sfakianakis Group and to companies that provide them with support services for the above purpose. We will obtain your explicit consent before sharing your personal data with any third-party company for marketing purposes. You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links in any marketing message sent to you.

 

In any case of disclosure or transmission of your personal data, we require all third parties to respect the security of your personal data and to process it in accordance with the law. We do not allow our service providers to use your personal data for their own purposes and only allow them to process your personal data for specified purposes and in accordance with our instructions.

Support service providers are service providers providing IT and systems management services, professional advisors including lawyers, bankers, auditors and insurers providing consultancy, banking, legal, insurance and accounting services.

The personal data we collect from you may be transferred outside of the European Economic Area (EEA).

They may also be processed by personnel working outside the EEA who work for us or for one of our suppliers or contractors. Territories outside the EEA may not have equivalent legal protection to those in the EEA, but we are obliged to ensure that suppliers and parties outside the EEA continue to take all measures reasonably necessary to ensure that your data is treated securely and in accordance with this Policy. By submitting your personal data to us, you consent to this transfer, storage or processing. Please contact us if you would like more information about the specific mechanism we use when transferring your personal data from the EEA.

 

• HOW WE PROTECT YOUR PERSONAL DATA

All information you provide to us is stored and transmitted securely and every transaction is protected with appropriate technology. Once we receive your information, we will use strict procedures and security features to try to prevent any unauthorized access. We have put in place appropriate technical and organizational measures to prevent any loss, use, or access to your personal data in an unauthorized manner, alteration, or disclosure. In addition, we limit access to your personal data to those employees, partners, contractors and other third parties who will only process your personal data in accordance with our instructions, will be subject to an obligation of confidentiality and will be committed to using appropriate technical and organizational measures to protect your personal data. We have put in place procedures to deal with any potential breach of personal data and will notify the respective control bodies of any breach and you in the event that the risk you run from any breach is assessed at a high level.

 

• HOW LONG WE KEEP YOUR PERSONAL DATA

Your personal data will be stored and used only for the specific purposes above and for the reasonable period of time required to fulfill each purpose. Whereas, where you have given your consent, until its revocation on your behalf.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of personal data, the potential risk of harm from unauthorized use or the disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes by other means within the applicable legal requirements.

In some cases, we anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

 

• DATA BREACHES

A breach can be considered a security incident that has affected confidentiality, integrity and/or availability of the data, resulting in it being lost, destroyed, altered or disclosed.

If the personal data breach causes a risk to the rights and freedoms of the data subjects, the Company will notify the relevant supervisory authority of the breach within 72 hours of becoming aware of the breach. If the breach poses a high risk to the rights and freedoms of individuals/data subjects, the Company will also inform these individuals without undue delay.

 

• YOUR RIGHTS

Your rights for the processing of your personal data, which you can exercise under the conditions set out in the EU Regulation (2016/679), depending on the purpose and legal basis for their processing, are as follows:

(A) Request access to your personal data. This enables you to receive a copy of the personal data we hold about you in an understandable and easily accessible format.

 

(B) Request correction of the personal data we hold about you. This allows you to correct and update any incomplete or inaccurate data we hold about you, although we may need to verify the accuracy of the new data you provide to us.

 

(C) Request the erasure of your personal data. This allows you to ask us to delete or remove personal data where there is no reason for us to continue processing it. You also have the right to request that we erase or delete your personal data, where you have demonstrated your right to object to the processing (see below)Please note, however, that we may not always be able to comply with the request for erasure for specific legal reasons which will be communicated to you, where applicable, at the time of submitting your request.

 

(D) Request restriction of processing of your personal data. This enables you to request that we suspend the processing of your personal data in the following scenarios: (a) if you want us to determine the accuracy of the data, (b) where the use of the data is not lawful, but you do not want us to delete it, (c) where you need us to keep the data, even if we no longer require it, if you need it to make legal claims, or (d) you object to the use of your data, but we need to verify whether we have legitimate grounds for using it.

 

(E) Object, at any time, to the processing of personal data concerning you. The Company will stop processing your personal data, unless it demonstrates compelling and legitimate reasons for the continuation of the processing, which override your rights and freedoms or for the establishment, exercise or support of legal claims.

 
(F) Request the transfer (portability) of your personal data to you or to third parties. We will provide you or a third party you have opted in with your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information that you originally provided to us with consent or where we used the information to perform a contract with you.

(G) Withdraw your consent at any time to process your personal data where it was required. However, this will not affect the lawfulness of any processing carried out prior to the withdrawal of your consent. If you withdraw your consent, we may not be able to offer you certain products or services. We will advise you if this is the case at the time you request the withdrawal of your consent.

 

(H) You have the right to request not to be subject to decisions taken solely on the basis of automated processing, including profiling, which produces legal effects concerning or significantly affecting you.

 

There is usually no fee required to exercise your rights. You will not have to pay any fees to access your personal data (or exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request under these circumstances.

We may need to ask you for specific information to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure that ensures that personal data is not disclosed to any person who has no right to receive it. We may also contact you to request further information about your request and expedite our response.

We try to respond to all legitimate requests within one month. That deadline may be extended by a further two months, if necessary, taking into account the complexity of the request and the number of requests. In this case, we will duly inform you of this extension within one month of receipt of the request, as well as of the reasons for the delay.

To exercise any of your rights, please contact the Data Protection Officer at dataprotection@sfakianakis.gr by e-mail  or by post to “SFAKIANAKIS S.A.”, at 5-7 Sidirokastrou Street, PC 11855, Athens, Greece, “to the attention of the Data Protection Officer».

 

You also have the right to lodge a complaint with the Data Protection Authority, 1-3 Kifissias Ave., P.C. 115 23, Athens, tel.: +30-210 6475600, e-mail: contact@dpa.gr.

 

Last review: 06.05.2026