Personal Data Protection Statement TOTTIS PACK S.A.

Last updated on 30/9/2019

TOTTIS PACK S.A. recognizes and respects the importance of the personal data it processes in its activities and has therefore fully adapted its policy to the requirements of the General Personal Data Protection Regulation (hereinafter GDPR) 2016/679 / EU.

With this statement, TOTTIS PACK S.A. wishes to inform its counterparties in what capacity, for what purpose and on what lawful basis it processes information relating to them and which can be used to identify them directly or indirectly, that is to say their personal data, their data categories, the sources of their data (when the data are not provided by the person himself), the criteria for determining the period of storage of their personal data, their ability to exercise, regarding their personal data, the rights of accessibility and rectification and, where appropriate, the rightsof erasure, restriction and object to the processing and processing by means of automated decision-making process, includingprofiling, the eventual transmission of personal data toa third country or an international organization, the ability of individuals to lodge a complaint about any violation of their personal data rights with the Data Protection Authority, as well as the adherence of relevant privacy policies and safeguards by our Company.

To this end, please take a moment to read this statement from TOTTIS PACK S.A.

If you have any questions or concerns, if you wish to receive a copy of this statement or wish to exercise any of the following rights pertaining to your personal data, please contact our Company's Data Protection Officer, Evangelos Michaloliakos, at 210-6216997 and at email: info@abpm.gr

1. Data Protection Officer

TOTTIS PACK S.A. (hereinafter referred to as “the Company”), with registered office in Greece, at Industrial Area of Florina, P.C. 53100 and processes in its activities the personal data of itscounterparties, being the controller.

2. Data sources

We collect your personal data from various sources, including:

• Personal data you give us directly

• Personal Data we collect automatically

We may collect web traffic statistics like:

• Your IP address,

• the time of your visit,

• the request made at the tottis-bingo.gr website,

• the headers sent by your browser

Personal data we collect from other sources

3. Categories of data

The personal data we process on a case by case basis is

Regular Personal Data: full name, birthdate, ID number, VAT number, address, phone number, e-mail.

Special Categories of Personal Data: Health Data

4. Purpose of Processing

The reasons we process your data are on occasion to contact you in order to answer your questions and requests, to evaluate your resume, to sign commercial contracts with you, to check your creditworthiness, to fulfill our contractual obligations to you, to fulfill the legal obligations arising from national and EU law, to meet our legal obligations, to organize our activities in the field of electronic communication with our customers, to protect the security of our facilities and our employees and all third parties who are lawfully entering our premises from invading non-working third parties and by any criminal action against the assets of the company and those who lawfully use its facilities.

5. Lawful basis for processing

In particular, the lawfulbasisforprocessing your data are as follows:

• Article 6 par. 1aGDPR. When you have given your consent to process your data for one or more specific purposes. We use this basis for example, to collect your contact details, to check your creditworthiness, and according to Article 9 par.1 2a GDPR to collect specific health data on diseases which can contaminate food production when it comes to your entering our production areas

• Article 6par. 1bGDPR processing is necessary for the performance of a contract to which you, the data subject,arecounterparty or in order to take steps at the request of the data subject prior to entering into a contract; On this basis we rely, for example, for processing your dataduring negotiations of any kind of contract or commercial agreements by disclosing your data when required by a third party recipient, Bank and Insurance Company through which we can fulfill our contractual obligations to you.

• Article 6 par. 1 GDPRprocessing is necessary for compliance with a legal obligation to which the controller is subject

On this basis, we rely to comply with our statutory obligations such as tax or insurance provisions

6. Transmission of personal data outside the European Union

Your personal data is NOT transmitted outside of the European Economic Community.

7. Disclosure to third parties

TOTTIS PACK S.A. does not discloses or transfers your personal data to third parties.

TOTTIS PACK S.A. may disclose or transmit your data to third parties provided that the legal obligations for that purpose are met, namely when there is:

your previous consent as data subjects

or

Legal Obligation of TOTTIS PACK S.A. to provide employee data to Corresponding State Agencies and Organizations and the relevant Judicial and Prosecution Authorities upon lawful and competent request

8.Τhe period for which your personal data will be stored

The Company retains your personal data for as long as the processing purpose persists, and after its expiration, the Company lawfully maintains your personal data when it is necessary to comply with a legal obligation under ΕU or national law (for example, Labor, Tax Insurance and Administrative Law) as well as in the case where the maintenance is necessary for the foundation, exercise or support of the legal claims of the Company.

9. What are your rights

Right of Access

You have the right to receive a) confirmation regarding the processing of your data, and b) a copy of your personal data

Right to rectification

You have the right to obtain from our Company the rectification of inaccurate personal data concerning you, or askto have incomplete personal data completed, when they are inaccurate.

Right to erasure

You have the rightto obtain fromour Company the erasure of personal data concerning you, if you no longer wish to have such data processed and if there is no legitimate reason for the Company to own it as a controller

In particular, this right shall be exercised:

when the lawful basis for processing is your consent and you withdraw it, so the data should be deleted if there is no other lawful basis for processing.

when your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed or unlawfully processed or if you object to the processing and there are no compelling and legitimate reasons for processing

It should be noted, however, that this is not an absolute right, as the further retention of personal data by the Company is lawful when necessary for reasons such as compliance with a legal obligation of the Company or the foundation, exercise or support of legal claims.

Right to restriction of processing

As an alternative to the right to erasure and the right to object, you have the right to request thatour Company processes your data only in specific cases.

When do you have this right?

When:

- you invoke the inaccuracy your data, and the Company as Controllerexamines the request,

-the processing is unlawful,

-the data is no longer necessary for the purpose of processing, but you ask from our Company to retain it for the exercise and defense of your legal claims,

- You have exercised the right to objection and the Company as a controller is examining the existence of an overriding legal interest therein.

The exercise of this right may be combined with the right torectification and the right to object.

Specifically,

a) If you request the rectification of your inaccurate data, you may request a restriction of processing for as long as the Company examines the rectification request,

b) If you request the right to objection, you may request at the same time the limitation of the processing for as long as the Company examines the counterclaim.

Right to data portability

You have the right to receive your personal data that has been processed by the Company as a controller in a structured, commonly used and machine readable format (for example XML, JSON, CSV, etc.). You also have the right to ask the Company to transmit this data to another processor without any objection

The right to portability can only be exercised by you when all of the following conditions are fulfilled : personal data are processed by automated means ( printed forms are excluded)

• the lawful basis for processing is either your consent or the performance of a contract to which you are a party (Article 6 (1) (c) of the GDPR);

• It is your own personal data as the data subject that are processed and has been provided by you.

• the exercise of the right does not adversely affect the rights and freedoms of others.

Right of objection

You have the right to oppose, at any time and for reasons related to your particular situation, to the processing of personal data concerning you when the processing is based either on (a task performed in the public interest) or on (if the company has a legitimate interest), including profiling

The Company will be required to stop such processing unless it demonstrates imperative and lawful reasons for processing that override your interests, rights and freedoms, or for the foundation, exercise or support of legal claims.

Right to non-automated individual decision making including profiling

If the Company needs to make a decision that produces legal effects for you based solely on automated processingthe following apply :

• The Company as a controller may lawfully make such a decision only if you have given us your explicit consent or when the decision is necessary for the conclusion or performance of a contract between us or if such a decision is permitted by EU or national law, which provides for appropriate measures to protect the rights of the subject.

• If this decision is made as necessary for the conclusion or performance of a contract between us, namely the Company as a controller and you as the data subject or upon your explicit consent, you have the right to challenge this decision, so that the Company will be obliged to apply measures to protect your rights, ensure human interference in decision-making, or the right to express an opinion and challenge your decision as a subject of the data.

• If the Company intends to perform automated data processing, including profiling, it will provide you, upon receipt of your data (when collected by you) or in a reasonable time (when taken from another source) and the following additional information:

o whether and to what extent automated decision-making takes place, including profiling,

o on the logic followed,

o on the importance and predicted consequences of the processing,

o information on the subject's right to object, which is clearly and separately described from any other information.

• in any case ofprofiling, you are entitled to limit the processing at any stage,

• The Company will be required to delete the relevant personal data if the basis for profiling is your consent and it is revoked or if you exercise the right to delete its data and if there is no other legal basis for processing in accordance with the provisions of Regulation.

• You have the right to oppose at any time and for reasons related to your particular situationto the processing of your personal data when the processing is based on the legitimate interest of the Company, including profiling and the Company will cease submitting the personal data processed unless it demonstrates imperative and legitimate reasons for processing that override the interests, rights and freedoms of the subject or for the foundation, exercise or support of legal claims.

10. You have the right to submit a Complaint to the (Personal) Data Protection Authority

If you find that your personal data is being processed unlawfully or your personal data has been violated, provided that you have previously contacted the DPO for the matter and you have exercised your rights towards the Company, and you either did not receive a reply within one month (extending the deadline to two months in the case of a complex request) and either you believe that the answer you received from the Company is inadequate and your issue is not resolved, you can contact the Data Protection AuthorityKifissias Avenue 1-3 TK 11523 Athens complaints@dpa.gr, fax 2106475628 for more information see the Web Portal www.dpa.gr.

11. Privacy Policy

The Company shall implement appropriate technical and organizational measures to ensure an adequate level of protection of personal data in order to prevent the destruction, loss, alteration during any unauthorized access, disclosure or transmission to a non-entitled person or entity in any way.

The Company does have business continuity and disaster recovery plans that are periodically tested and updated and has in fact established and implemented appropriate policies and procedures for the security and protection of the data it processes.

In addition to this, the Company has reviewed the contracts it holds with processors to force them to respect your personal data under the GDPR by taking and enforcing measures to secure them from risks of destruction of loss of altered unauthorized access to disclosure or transmission to a non-entitled person or entity in any way and by signing compliance with a confidentiality clause.

* WP29: Established under Article 29 of Directive 95/46 / EC on the protection of individuals about the processing of personal data and on the free movement of such data. The Group is advisory to the European Commission but is independent. It is composed of a representative of the Data Protection Authorities of each Member State and examines issues of particular gravity or issues of particular interest in the protection of personal data falling within the first pillar of the EU. Consideration of these issues takes place either at the request of the European Commission either on a proposal from the members of the Group. The Group publishes opinions and working papers. Already after the application of the 2016/679 Regulation, it functions as the European Data Protection Board.