Privacy Policy

Personal Data Protection Policy

The protection of personal data and respect for the privacy of visitors and users of grland.com constitute a fundamental priority for us.
We process personal data responsibly, confidentially, and in full compliance with the applicable data protection legal framework, including specifically the General Data Protection Regulation (GDPR – EU 2016/679), the UK GDPR, as well as applicable data protection provisions in force in third countries (indicatively the United States of America, Australia, and other jurisdictions), to the extent applicable to internationally accessible media outlets.
Our goal is not only to provide high-quality, independent, and reliable information but also to ensure maximum transparency, security, and control regarding the processing of personal data.
Through this policy, we clearly inform you about:

• the type of data that may be collected,
• the purposes and legal bases for processing,
• the rights of data subjects,
• as well as the organizational and technical measures we take for their protection.

This Data Protection Policy provides a comprehensive and proactive overview of all technically available services, tools, technologies, and plugins that may be used within the operation of the website, including analysis tools, embedded third-party content, communication services, and security systems.
For reasons of full transparency and legal accuracy, the specific section listed at the end of this document refers exclusively to the services and technologies actually used at the time of operation of this website.
Grland operates as an internationally accessible news and journalistic media outlet, based in Greece, and addresses audiences within and outside the European Union.
Data processing is carried out, where required, within the framework of the journalistic exemption and freedom of expression and information, pursuant to Article 85 GDPR and corresponding national provisions.
For any question, clarification, or exercise of rights regarding personal data protection, interested parties may contact us at any time via the official contact details of the website.

1. Information regarding the Data Controller

The protection of personal data of grland visitors and users is a fundamental priority for us. This section provides information regarding the type, scope, and purpose of collection and processing of personal data within the context of website operation, in accordance with the General Data Protection Regulation (EU 2016/679 – GDPR) and applicable national law.

Company Name: Hellenic Nexus Media & Services
Headquarters: Greece
Legal Representative: Samaridis Georgios
Business Activity: Journalistic and news content
Contact Email Address: newsroom@grland.com

For issues regarding personal data protection, a contact point has been designated at the email address dpo@grland.com, through which interested parties may address relevant questions, requests, or clarifications. A separate Data Protection Officer (DPO) has not been appointed, as, pursuant to Article 37 of the GDPR in conjunction with applicable provisions of Greek data protection law, there is no legal obligation to appoint a Data Protection Officer for this specific processing activity.

2. SSL / TLS Encryption

For security reasons and to protect the transmission of confidential information, such as requests via contact forms or functions regarding user accounts, the grland website uses modern SSL or TLS encryption technologies.
An encrypted connection is recognized by the “https://” indication in the browser address bar as well as by the lock icon.
Data transmission takes place exclusively via a secure connection and is protected against unauthorized third-party access during transfer.
Encryption is implemented via an SSL certificate provided by a recognized certification authority (Let’s Encrypt) and is applied at the server level (“Full SSL”), ensuring encryption of communication between the user’s terminal device and the website infrastructure.
The certificate is renewed automatically and on a regular basis to ensure the applicable security level is constantly maintained.
Furthermore, HTTP Strict Transport Security (HSTS) technology is applied, which enforces the exclusive use of encrypted HTTPS connections and prevents access via insecure protocols.
In this way, the risk of downgrade attacks is reduced, and communication security is overall enhanced.
The above technical and organizational measures are taken in compliance with Article 32 paragraph 1(a) of the GDPR and the principles of data integrity and confidentiality.
It is noted that, in case of using external services or embedded third-party content (e.g., social media platforms, multimedia services, or CDNs), independent encryption and security standards may apply, over which we do not have direct technical control.
For sending particularly sensitive information, the use of secure and encrypted communication channels is always recommended.
Despite measures taken, it is pointed out that absolute data security on the internet cannot be fully guaranteed.
Users are invited to act with caution and avoid transmitting data requiring increased protection via insecure channels.

3. Collection and storage of personal data during website visit

Upon accessing grland, information of a general technical nature is automatically collected, which the user’s browser transmits to the server.
This information is technically necessary for the proper operation, security, stability, and optimization of the website.
Data recorded in this context include notably:

• IP address (full or truncated, depending on hosting provider configuration),
• date and time of access,
• name and URL of the retrieved file,
• referrer URL (website of origin),
• browser type and version and, potentially, the operating system of the terminal device,
• hostname,
• HTTP status code,
• volume of transferred data.

The above data do not allow direct identification of a natural person, are not merged with other data sources, and are not used for marketing purposes, user profiling, or automated decision-making.
Processing of this data is carried out by the website hosting provider, as well as by technical security systems and traffic analysis tools, which operate exclusively with anonymized or aggregated data.
In individual cases, Content Delivery Networks (CDNs) may be used for security reasons and optimization of loading speed.
These services may process technical access data (e.g., IP address, geographic origin, timestamp) exclusively for detecting malicious actions and protecting infrastructure.
Corresponding log files may also be generated by firewall mechanisms.
Server log files are stored for a period of up to 30 days and are deleted automatically, unless further retention is required in individual cases for security reasons or proof of abuse incidents.
Aggregated statistical usage data may be retained for a period of up to 12 months, exclusively for purposes of technical analysis and evaluation of website reach.
The legal basis for this processing is Article 6 paragraph 1(f) of the GDPR.
The legitimate interest consists in the secure, stable, and technically reliable operation of the website, as well as in the optimization of the offered informational service.
Users retain the right to request information regarding the processing of this data or to object to processing for reasons related to their particular situation, as defined in the “Rights of Data Subjects” section.

4. Server Log Files & Do Not Track (DNT) signals

When visiting grland, the server operating environment automatically generates server log files.
These files are technically necessary for continuous monitoring of website operation, error diagnosis, ensuring stability, and protecting infrastructure from malicious actions, attacks, or attempts at abuse.
Processing of log files takes place within the context of website hosting and its technical management.
Access to this data is strictly limited to authorized persons who have undertaken the maintenance, security, and operation of the website, within the framework of a contractual relationship and with the application of appropriate technical and organizational protection measures.
Data are not transmitted to third parties for their own purposes and are not used outside of technically necessary functions.
Within the context of log files, the following technical data may notably be recorded:

IP address of the terminal device (full or pseudonymized, depending on configuration),

• date and time of access,
• URL of the requested resource,
• information regarding the browser and, potentially, the operating system,
• referrer URL,
• HTTP status codes and technical error messages,
• volume of transferred data.

This data is used exclusively for technical and security reasons.
No personal evaluation takes place, nor merging with other data, nor use for marketing purposes, profiling, or automated decision-making.
Processing is based on Article 6 paragraph 1(f) of the GDPR.
Our legitimate interest consists in ensuring the secure, uninterrupted, and technically reliable operation of the website, as well as protecting data and infrastructure from unauthorized access.
Log files are retained for a period of up to 30 days and are deleted automatically, unless further retention is required in individual cases for investigation or documentation of security-related incidents.
Upon completion of the relevant investigation, data are permanently deleted.

Do Not Track (DNT)

Certain browsers provide the ability to send a “Do Not Track” (DNT) signal, through which the user indicates they do not wish their online activity to be tracked.
Currently, there is no binding legal or technical standard imposing a specific way for websites to respond to such signals.
Our website does not actively recognize DNT signals and does not automatically differentiate its operation based on them.
Processing of technical data continues to take place exclusively in accordance with GDPR provisions and these data protection declarations.
In case a binding legal framework or technical standard is established, we reserve the right to adapt our practices accordingly.

5. Legal Basis for Data Processing

Processing of personal data within the context of grland operation takes place exclusively in accordance with the requirements of the General Data Protection Regulation (GDPR) and applicable Greek and Union law, taking into account the character of the website as an internationally accessible news and journalistic media outlet.
Depending on the purpose and type of each processing, we rely on the following legal bases of Article 6 paragraph 1 GDPR:

a) Consent (Article 6 para. 1(a) GDPR)

When you provide explicit consent for specific processing operations, such as accepting non-essential cookies, subscribing to a newsletter, participating in competitions, or using optional functions, processing is carried out exclusively based on this consent.
Consent may be withdrawn at any time, with effect for the future, without negative consequences.

b) Performance of contract or pre-contractual measures (Article 6 para. 1(b) GDPR)

To the extent that data processing is necessary for the performance of a contract or for taking pre-contractual measures upon user request (e.g., responding to contact requests, providing requested services, managing accounts or partnerships), data are processed exclusively for this purpose.

c) Legal obligations (Article 6 para. 1(c) GDPR)

In certain cases, processing of personal data is necessary for our compliance with legal obligations arising from Union or Greek law.
This concerns notably obligations to keep and retain documents, such as accounting records, invoices, contractual documents, and related communication files, to the extent and for the time period prescribed by tax, commercial, or other applicable legislation.
This data is processed exclusively for the fulfillment of relevant legal obligations and is not used for other purposes.

d) Legitimate interest (Article 6 para. 1(f) GDPR)

In certain cases, we process personal data based on our legitimate interests, provided that the fundamental rights and freedoms of data subjects do not override them.
Legitimate interests concern notably:

• ensuring technical security, availability, and stability of the website (e.g., via server log files, error detection mechanisms, and protection against attacks),
• statistical evaluation of traffic and content usage, exclusively with anonymized or aggregated data,
• protection against abuse, fraud, automated attacks, or malicious use of infrastructure,
• improvement of functionality, usability, and overall user experience, to the extent this does not require consent.

In any case, we perform a balancing of interests and take all necessary measures to ensure user rights.
Users retain the right to object to processing for reasons related to their particular situation, in accordance with GDPR provisions.
It is noted that in certain cases more than one legal basis may apply for the same processing.
In any case, the suitability of the legal basis is reviewed regularly.

6. Use of Cookies and Similar Technologies

The website uses cookies and similar technologies for storing or accessing information on the user’s device (such as localStorage, sessionStorage, or pixel technologies), for the purpose of technically proper website operation, ensuring security, usage analysis, and, where permitted, improving content and user experience.

What are cookies

Cookies are small text files stored on the user’s device allowing the recognition of basic technical information, such as language settings, consent preferences, or session details.
Similar technologies can be used for corresponding technical or analytical purposes.

Categories of cookies

The website uses the following categories of cookies and technologies:

Strictly Necessary Cookies

These are necessary for the basic operation and security of the website and cannot be deactivated.
They include, among others, cookies for consent management and protection against malicious actions.

Functional Cookies

They allow the storage of user choices and settings in order to improve website usability.

Statistical and Analysis Cookies

They are used to analyze website usage with the aim of optimizing content and structure.
Processing takes place only upon consent and, where possible, with anonymized data.

Marketing and Tracking Cookies

They are used for purposes of displaying content or advertisements and are activated exclusively upon explicit user consent.

Legal Basis

Storage of information on the user’s device or access to it takes place in accordance with the ePrivacy Directive (2002/58/EC), as incorporated into national law, in conjunction with the GDPR.
Strictly necessary cookies are based on a legitimate technical reason for operation, while all other cookies and technologies are activated exclusively upon explicit consent pursuant to Article 6 para.
1(a) GDPR.

Consent Management via CookiesFirst

For the lawful collection, recording, and management of user consent, we use the consent management tool CookiesFirst.
Upon the first visit to the website, a relevant banner appears, through which users are informed in detail about technologies used and can choose which cookie categories they wish to accept.
Consent is provided voluntarily and can be modified or withdrawn at any time via the “Cookie Settings” link in the website footer.
Upon withdrawal, all non-essential cookies are deactivated automatically.
The consent decision is stored in a pseudonymized manner and for a limited time, exclusively for purposes of documenting compliance with legal requirements.

Browser Settings

Users can additionally manage or delete cookies via their browser settings.
In this case, certain website functions may not be fully available.

7. Consent Management (Compliance)

For the management, documentation, and legally compliant implementation of consent requirements arising from data protection legislation and the European Directive on privacy in electronic communications (ePrivacy), the website uses a Consent Management Platform (CMP).
This system ensures that storing information on the user’s device and processing personal data via cookies or similar technologies take place exclusively with a valid legal basis and full transparency.

Function and Display

Upon the first visit to our website, a consent banner appears, through which users are clearly informed about the categories of cookies and technologies used.
The option to accept or reject non-strictly necessary cookies is provided, as well as personalized selection of categories.
Strictly necessary cookies are activated only to the extent required for basic operation, security, and management of consent itself.
Users can modify or withdraw their consent at any time via the “Cookie Settings” link in the website footer.
Changes are applied immediately, and non-essential cookies are deactivated automatically.

Automatic Control and Blocking of Technologies

The consent management system is designed to block by default the loading of non-essential cookies, third-party scripts, and embedded services until the user provides valid consent.
Only after relevant selection are corresponding analysis, multimedia, or marketing technologies activated.
In this way, the risk of processing personal data without a legal basis is minimized.

Recording and Documentation of Consent

Decisions of consent or rejection are recorded in a pseudonymized manner and include, to the extent technically necessary and permissible:

• date and time of selection,
• selected cookie categories,
• a technical consent identifier.
• This recording serves exclusively to prove compliance with Article 7 paragraph 1 of the GDPR and is not used for other purposes.

Storage Duration and Renewal of Consent

The consent selection is stored for a limited period, not exceeding 12 months, unless the user modifies or deletes it earlier.
In case of substantial changes to technologies used or processing purposes, consent is requested anew.

Legal Basis

Consent management is based on:

• user consent pursuant to Article 6 para. 1
  (a) GDPR,
• application of the ePrivacy Directive (2002/58/EC), as applicable, regarding storage or access to information on the user’s device.

Continuous Update

Consent settings and the list of used cookies and technologies are checked and updated regularly.
The current and full overview is available at any time via the website’s “Cookie Settings“.
For any question regarding consent management or data protection, users can contact us via the official website contact details.

8. Web Analysis & Reach Measurement

For the continuous improvement of our online presence and understanding the use of our content, we use web analysis and reach measurement tools.
In this context, anonymous or pseudonymized information is collected regarding user interaction with the website, such as frequency of access to specific content, dwell time on pages, and traffic sources.
Analysis is carried out exclusively for the purpose of optimizing the content, structure, and technical performance of the website and not for identifying individual users.

Google Analytics (with IP Anonymization)

The website uses the Google Analytics web analysis service, provided by Google LLC (United States of America).
Google Analytics uses technologies such as cookies to analyze website usage.
The IP anonymization function has been activated, resulting in user IP addresses being truncated within the European Union or the European Economic Area before any further processing.
In this way, direct identification of natural persons is generally excluded.
Processing takes place exclusively based on explicit user consent pursuant to Article 6 para. 1(a) GDPR.
Activation of the service is technically controlled via the website’s consent management system and takes place only after relevant user selection.
Consent may be withdrawn at any time, with immediate deactivation of analysis.
Data transmission to servers outside the European Union takes place only provided Chapter V GDPR conditions are met, notably via appropriate guarantees, such as Standard Contractual Clauses of the European Commission or other legal safeguard mechanisms.
More information regarding data protection by Google is available in the company’s official information.

Future Analysis Tools

Depending on technical needs or offer evolution, other privacy-respecting analysis tools (such as Matomo, Bing-Microsoft, or Plausible) may be used in the future.
In any case, their use will be strictly in accordance with the applicable legal framework and, where required, upon consent.
The respective active list of tools is stated in cookie settings or the relevant annex of this policy.

Rights and Control

Users can withdraw their consent for web analysis at any time via cookie settings.
Furthermore, they can use technical means or browser settings to restrict tracking.

9. Online Marketing and Remarketing

Within the framework of promoting our content, increasing reach, and evaluating advertising effectiveness, we may use online marketing and remarketing/retargeting technologies.
These technologies allow displaying content or advertising messages on third-party platforms and measuring user interaction with them, without aiming at direct identification of natural persons.
Use of online marketing tools takes place exclusively upon prior explicit user consent, pursuant to Article 6 para.
1(a) GDPR and provisions of the ePrivacy Directive (2002/58/EC).
Consent may be withdrawn at any time via cookie settings, with immediate deactivation of relevant technologies.

Marketing Platforms Used

In this context, depending on respective campaigns, technologies and pixels from the following providers may be used:

Google Ads / Google Remarketing (Google LLC)
for displaying ads and measuring conversions on Google services.

Meta Pixel (Meta Platforms Ireland Ltd.)
for measuring ad effectiveness and creating audiences on services like Facebook and Instagram.

TikTok Pixel (TikTok Technology Limited)
for analyzing user interaction with advertising content on TikTok.

LinkedIn Insight Tag (LinkedIn Ireland Unlimited Company)
for evaluating professional campaigns and measuring conversions on LinkedIn.
Other platforms such as Pinterest or Microsoft Advertising, provided they are activated within specific advertising campaigns.
These providers act, as applicable, as independent controllers or joint controllers, according to their own data protection terms.

Mode of Operation

The above technologies use cookies or similar identifiers to record interactions, such as page visits or general actions (e.g., accessing content).
This data can be used to create aggregated statistics, display relevant content, and optimize advertising campaigns.
Activation and execution of relevant technologies takes place technically only after user consent via the website’s consent management system.

Data Transmission to Third Countries

Use of online marketing services may entail data transmission to third countries, particularly the United States of America.
These transmissions take place only provided Chapter V GDPR conditions are met and appropriate guarantees apply, such as Standard Contractual Clauses of the European Commission or other legal mechanisms.
More information regarding data processing and international transfers is provided in the respective providers’ data protection declarations.

Control and Rights

Users can prevent the use of online marketing tools at any time by withdrawing their consent in cookie settings.
Furthermore, respective platform providers offer additional setting and opt-out capabilities via their own services.

10. Use of Personal Data for Direct Communication and Information Purposes

Processing of personal data for direct communication and information purposes takes place exclusively based on users’ prior explicit consent.
The purpose of this communication is to provide information regarding content, services, actions, or updates related to grland website activity.
Data are used only for the purpose for which consent was provided and are not transmitted to third parties for independent commercial exploitation.
Technical processing may be carried out by contractually bound service providers acting on our instructions and adhering to data protection law requirements.

Communication Channels

Direct communication may take place, depending on user choice and consent, via:

• email (e.g., newsletters, notifications),
• messaging services or direct messages via social media platforms,
• telephone or written communication (e.g., SMS), in limited cases,
• postal mail.

Use of each channel takes place only provided clear and documented consent exists.

Legal Basis and Consent Procedure

Data processing for direct communication purposes is based on Article 6 para. 1(a) GDPR.
Consent is usually provided via a special checkbox during registration for information services or when contacting the website and is documented in accordance with Article 7 GDPR requirements.
Where applicable, a confirmation procedure is used (e.g., email confirmation), to ensure consent is provided by the data subject themselves.

Types of Data That May Be Processed

In the context of direct communication, data such as contact details (e.g., email address or phone number) and communication preferences may be processed.
No profiling or automated decision-making takes place.

Withdrawal of Consent and Deletion

Users can withdraw their consent at any time, with effect for the future and without any charge.
Withdrawal can be performed via the corresponding link in each message, via direct communication, or via available website settings.
After withdrawal, data cease to be used for direct communication purposes and are deleted, unless a legal retention obligation exists.

International Communications and Compliance Standards

In case of using service providers based outside the European Union, Chapter V GDPR requirements and appropriate guarantees for data transmission apply.
Direct communication practices align with internationally recognized privacy protection and anti-spam standards.

11. Newsletter and Email Communication

The grland website provides the option to subscribe to information communications via email.
Through these, subscribed users receive updates regarding content, actions, services, or other information connected to website operation and activity.
Sending information communications takes place exclusively based on prior explicit user consent and does not occur without their active choice.

Registration and Consent Procedure

Registration is voluntary, and a confirmation procedure is applied to ensure consent is provided by the data subject themselves.
After submitting contact details, a confirmation message is sent, through which registration is completed.
Registration may also result from direct communication (e.g., at events or upon request), but is always documented with a corresponding confirmation procedure.
For reasons of proving consent, technical data such as registration time and source may be recorded, to the extent necessary and permissible.

Legal Basis

Data processing for sending information communications is based on Article 6 para. 1(a) GDPR.
Consent may be withdrawn at any time, with effect for the future.

Content of Information Communications

Information communications may include information of a journalistic or informative nature, announcements regarding website activity, invitations to actions or events, as well as information directly related to content and services provided.
Provided relevant consent is given, basic statistical elements (e.g., open rates) may be used to improve communication quality and readability.
No profiling or automated decision-making takes place.

Withdrawal of Consent and Deletion

Users can unsubscribe from information communications at any time, without justification.
Withdrawal can be performed via a relevant link in each message or by direct communication.
After withdrawal, data cease to be used for the specific purpose and are deleted, unless a legal retention obligation exists.
Service Providers and International Transfers

For the technical sending of information communications, specialized service providers may be used, acting under contract and according to our instructions.
In case of data transfer outside the European Union, Chapter V GDPR requirements and appropriate guarantees apply.

12. Communication via Forms or Email

When users contact us via grland website contact forms or directly via email, data transmitted to us are processed exclusively for the purpose of managing and responding to the specific request.
Processing is carried out with absolute confidentiality and in accordance with General Data Protection Regulation (GDPR) requirements.
Data are not used for other purposes, such as marketing or promotion, unless the user has provided explicit and separate consent.
Each communication is treated as an individual request and evaluated within the absolutely necessary context.

Contact Forms and Technical Tools

To facilitate communication, various form tools and plugins integrated into the content management system (WordPress) are used.
Depending on the page and function, the following may be used:

• WPForms
• Contact Form 7
• Elementor Form Widget
• Forminator

These tools allow secure submission of requests, such as general inquiries, partnership requests, quote requests, or communication for journalistic and news matters.
Data submitted via forms are temporarily stored in the website system (CMS) and technically transmitted to our email accounts for request processing.

Email Services

Sending and receiving emails is carried out via reliable email service providers operating under contractual commitments and according to data protection standards.
Depending on technical infrastructure, the following may be used:

• Zoho
• Brevo (formerly Sendinblue)
• getwemail.io
• other email providers, depending on system configuration

These providers act as processors and do not use data for their own purposes.

Processed Data

In the context of communication via forms or email, the following personal data may be processed:

• name and surname,
• email address,
• phone number,
• postal address (if declared),
• subject and content of the request,
• free text message,
• additional elements chosen by the user to share (e.g., attachments or field selections).

Providing this data is voluntary.
However, without certain basic details (such as email), processing the request might not be possible.

Anti-Spam Measures and Technical Security

To protect the website and users from abusive or automated use of forms, technical and organizational security measures are applied.
These include, depending on the form:

• Google reCAPTCHA (v2 / v3)
• Akismet Anti-Spam (Automattic Inc.)
• honeypot techniques and behavioral checks

These mechanisms analyze technical characteristics, such as completion times, input patterns, IP address, and device signals, exclusively for recognizing malicious or automated submissions.
When using certain services, technical data transmission to servers outside the European Union (e.g., USA) may occur.
These transmissions take place only provided Chapter V GDPR conditions are met and appropriate guarantees apply, such as Standard Contractual Clauses.

Legal Basis for Processing

Processing of communication data is based, per case, on the following legal bases:

• Article 6 para. 1
  (b) GDPR, when communication concerns pre-contractual measures or service requests,
• Article 6 para. 1
  (a) GDPR, when explicit consent is provided for specific use,
• Article 6 para. 1
  (f) GDPR, when legitimate interest exists for effective communication, user service, and protection against abuse.

Storage Duration

Communication data are retained only for as long as necessary to process the request and any related questions.
Upon completion of communication, data are deleted, unless a legal retention obligation or documented legitimate interest exists.

Rights of Data Subjects

Users have the right at any time to access, rectify, erase, or restrict processing of their data, in accordance with GDPR provisions.
To exercise these rights, they can contact us via the official website contact details.

13. Hosting and Content Delivery Networks (CDN)

The grland website operates on professional and scalable hosting infrastructure, providing the necessary technical basis for the stable, secure, and efficient provision of our online services.
Hosting and infrastructure management are carried out with availability, resilience to attacks, data protection, and seamless user access from around the world in mind.
To ensure high performance, protection against technical threats, and fast content delivery regardless of geographic location, both classic hosting services and Content Delivery Networks (CDNs) are used.

Hosting Providers

Technical hosting and operation of the website is carried out via selected professional hosting providers meeting high security and compliance standards:

• STRATO AG, Pascalstraße 10, 10587 Berlin
• IONOS SE, Elgendorfer Str.
  57, 56410 Montabaur
• Namecheap Inc., 4600 East Washington Street, Phoenix, AZ 85034, USA

Server management is carried out centrally via the Plesk platform, allowing controlled infrastructure handling, security monitoring, and access rights management.
Hosting providers offer, among others, the following technical and organizational protection measures:

• encryption of all connections via SSL/TLS,
• caching and load balancing mechanisms at server level,
• regular and automated backups,
• strict rights management and access controls,
• continuous system monitoring, event logging, and suspicious activity detection,
• timely software updates and security patches.

Use of Content Delivery Networks (CDN)

To optimize global delivery of content such as images, multimedia files, style sheets, and JavaScript files, we use CDN services.
CDNs cache content copies on distributed servers (edge servers) in various geographic regions to reduce load time and increase website reliability and resilience.
In this context, for purely technical reasons, data such as the following may be processed:

• device IP address,
• access time and duration,
• browser and device information,
• referral data,
• technical security and performance data.

This processing is carried out exclusively for content delivery purposes, protection against attacks, error analysis, and technical operation optimization.

Security and Protection Functions

Hosting and CDN services incorporate advanced security mechanisms, including indicatively:

• DDoS protection,
• filters and firewall rules at network and application levels,
• mechanisms for limiting and blocking suspicious traffic,
• geographic access control (Geo-IP) where required,
• data encryption during transit,
• access logging and traceability systems.

These measures aim to ensure website availability and protect both infrastructure and user data.

Log Files and Temporary Data Storage

During website operation, log files are created, including technical information such as IP address, date and time of access, browser type, and operating system.
This data is used exclusively for:

• ensuring technical stability,
• analyzing errors and malfunctions,
• prevention and investigation of security incidents.

Log files are retained for a limited period, typically up to 30 days, and are then automatically deleted, unless further storage is required to investigate a security incident.

International Data Transfers

Certain hosting or CDN providers may operate infrastructure or have access to data from countries outside the European Union, particularly the United States.
In these cases, data transfer takes place only providing Chapter V GDPR conditions are met.
Data protection is ensured via appropriate guarantees, such as Standard Contractual Clauses (SCC) of the European Commission, as well as Data Processing Agreements with all external providers.

Legal Basis

Data processing in the context of hosting and CDN usage is based on Article 6 para. 1
(f) GDPR. Our legitimate interest consists in ensuring technically sound, secure, and reliable website operation, as well as protection against abuse and attacks.

14. Social Media Plugins & Presence on Social Networks

The grland website uses plugins, buttons, and embedded social network elements (hereinafter “social plugins” or “social widgets”), allowing users to interact with social platform content directly from our pages, such as sharing, “liking,” commenting, or following our official accounts.
Integration of these social elements is primarily carried out via Elementor widgets, acting as a technical interface between the website and respective social networks.

Embedded Social Networks

Depending on the page and content, social plugins from the following platforms may be used:

• Facebook (Meta Platforms Ireland Ltd.)
• Instagram
• YouTube (Google Ireland Ltd.)
• TikTok (TikTok Technology Ltd.)
• X (formerly Twitter)
• LinkedIn
• Pinterest

These specific platforms operate as independent service providers and process data according to their own privacy policies and terms of use.

Technical Operation and Data Transfer

Upon visiting a page containing a social plugin, it is technically possible for a connection to be established between your browser and the respective social network provider’s servers.
This may happen either directly or after your interaction with the plugin (e.g., clicking a button).
In this context, technical data may be transferred and processed, such as:

• your device’s IP address,
• browser and operating system information,
• date and time of access,
• URL of the visited page,
• technical interaction data (e.g., button clicks).

This processing takes place by the respective social network provider and may occur in states within or outside the European Union (e.g., Ireland, United States, Singapore).

Connection with User Accounts

If you are simultaneously logged into your account on a social network, the platform provider may associate your visit to our website with your personal profile.
Actions such as “Like,” “Share,” “Follow,” or comments are attributed directly to your respective account and stored by the platform.
This association is carried out exclusively by the respective social network platform and is beyond our control.

Cookies, Pixels, and Tracking Technologies

Many social plugins use cookies, pixels, or similar recognition technologies for statistical analysis, reach measurement, security, and advertising optimization purposes.
Exact methods, storage duration, and individual processing purposes are determined exclusively by the respective providers and described in their privacy policies.
Activation of social plugins based on cookies takes place only provided relevant consent has been granted via the website’s consent management mechanism.

Joint Controllership (Article 26 GDPR)

For certain integrations and notably for operating official pages (fan pages) on social networks, joint controllership may exist between the website administrator and the platform provider, pursuant to Article 26 GDPR.
A characteristic example is Meta (Facebook / Instagram), for which the relevant Page Controller Addendum applies.
In this context, primary responsibility for data processing, infrastructure operation, and system security lies with the platform provider.
Our responsibility is limited to informing users and lawfully integrating social functions into the website.

Presence and Activity on Social Networks

Apart from embedded plugins, we maintain official accounts and pages on various social networks, through which we publish content, updates, and news, as well as communicate with the public.
Visit and interaction with these pages are subject exclusively to the terms of use and privacy policies of the respective platforms.
We do not have full control over data processing carried out there.

Comments, Interactions, and User Content

In case commenting or interaction functions via social accounts are used, published content (e.g., comments, reactions, profile image) becomes visible according to the respective platform’s settings and is processed by it.
Our website does not have full control over further use or dissemination of this content by social platforms.

Legal Bases for Processing

Data processing regarding social plugins and presences is based, per case, on the following legal bases:

• Article 6 para.
  1(a) GDPR, providing consent is required and has been granted,
• Article 6 para. 1
  (f) GDPR, for our legitimate interest in information, communication, and increasing reach,
• Article 26 GDPR, in cases of joint controllership.

Practical Instructions for Users

Users can restrict data collection by social plugins, inter alia by:

• logging out of social network accounts before visiting,
• adjusting cookie settings,
• using tracker blocking functions in the browser,
• checking privacy settings on the platforms themselves.

For detailed information regarding data processing, direct reference to the respective providers’ privacy policies is recommended.

15. External Resources and Web Fonts

For the uniform, functional, and aesthetically consistent presentation of our content, the grland website uses web fonts, libraries, and other technical resources.
These resources contribute to optimizing readability, layout, and overall user experience.
Depending on technical implementation, fonts and these resources may be loaded either locally from our own servers or via external Content Delivery Networks (CDN).
Providers of Fonts and External Resources

Depending on the page, theme, or active plugins, the following providers may be used:

• Google Fonts (Google Ireland Ltd.)
• Bunny Fonts (BunnyWay d.o.o.)
• Cloudflare CDN
• Adobe Fonts (Typekit)
• Font Squirrel and other free font or CDN providers

The above providers operate as independent controllers and are governed by their own data protection policies.

Font Integration Methods

Font integration is carried out in one of the following ways:

Local Hosting (Self-hosted)

In this case, fonts are stored and loaded exclusively from our server.
No connection to external font providers takes place, and generally, no personal data are transmitted to third parties.

Loading via External Servers (CDN)

In certain cases, fonts or technical resources are loaded directly from provider networks (e.g., Google, Cloudflare, BunnyCDN).
In this context, technical data such as IP address, browser and device information may be transmitted to the respective provider.

Case Law and Legal Assessment

According to the case law of Landgericht München I (judgment of 20.01.2022, Az. 3 O 17493/20), loading Google Fonts via external servers without prior user consent may constitute unlawful transfer of personal data, specifically the IP address.
For this reason, we attach particular importance to compliance with GDPR requirements and European case law, prioritizing local font hosting where technically feasible.

Potential Data Transfer to Third Countries

When using external font providers or CDNs, data transfer to countries outside the European Union, particularly the United States, cannot be excluded.
These transfers take place, if applicable, based on Standard Contractual Clauses (SCC) of the European Commission, pursuant to Article 46 GDPR.
Despite these measures, it is noted that an equivalent level of data protection may not exist in third countries.

Technical and Organizational Protection Measures

We make continuous efforts to:

• host fonts locally where possible,
• minimize external resource loading,
• regularly check themes, plugins, and widgets for unwanted external calls,
• adapt settings according to recent case law and technical developments.

However, in complex WordPress installations, the possibility that individual third-party elements (e.g., plugins or embedded widgets) load external resources without direct technical intervention capability cannot be fully ruled out.
In such cases, we take all reasonable technical and organizational measures to reduce data transfer and transparently inform users.

Control via Consent Mechanism

Loading external fonts and resources that are not strictly necessary may depend on user consent via the consent management mechanism.
Due to the technical nature of certain resources, full deactivation of external fonts may only be possible to a limited extent.
If it is found that, despite consent refusal, external resources continue to load, users can contact us to examine and rectify the issue.

Legal Basis for Processing

For locally hosted fonts

No personal data transmission takes place; therefore, no separate legal basis is required.
For fonts and resources via external CDNs

Processing takes place, as a rule, based on explicit user consent pursuant to Article 6 para.
1(a) GDPR. In exceptional cases, it may be based on Article 6 para. 1
(f) GDPR, following careful balancing of interests.

16. Gravatar, Avatars, and Comments Function

The grland website provides visitors with the ability to participate in public dialogue by submitting comments on articles, blog posts, or selected pages.
This function serves the exchange of opinions, freedom of expression, and interactive information, while simultaneously being subject to specific rules of data protection, security, and abuse prevention.
Processing of personal data in the context of comments takes place exclusively to the extent absolutely necessary for comment system operation, technical security, and website protection from abusive use.
Data Processed During Comment Submission

When submitting a comment, the following data are processed – depending on form configuration:

• the name or pseudonym you declare,
• your email address,
• the IP address from which the comment was submitted,
• date and time of submission,
• the content of the comment itself.

The email address is not published and is used exclusively for internal purposes (e.g., notifications, abuse check).
The IP address is temporarily stored for reasons of security, technical analysis, and prevention of spam, hate speech, or attacks.
The legal basis for processing is Article 6 para. 1
(f) GDPR, as legitimate interest exists for ensuring functionality, security, and quality of public dialogue.

Use of Gravatar Service

To display avatar images next to comments, we use the Gravatar service by Automattic Inc., USA.
If you use an email address registered with Gravatar, upon submitting the comment, a pseudonymized hash value (MD5) of the email address is generated and transmitted to Automattic servers to check if an associated avatar image exists.
The email address is not transmitted in plain text. If no avatar exists, the default comment system image appears.
This processing may take place on servers outside the EU (notably in the USA) and is based on Standard Contractual Clauses (SCC) pursuant to Article 46 GDPR.
Despite these measures, it is noted that access by US authorities to data cannot be fully excluded.

Protection Against Spam, Abuse, and Attacks

To maintain comment function quality and security, protection mechanisms against spam and malicious actions are used, such as:

• automated comment analysis for suspicious patterns,
• honeypot techniques,
• IP and User-Agent filters,
• submission time checks.

Depending on the plugin used, technical data such as IP, timestamp, and comment content may be processed exclusively for security and abuse prevention purposes.

Retention and Deletion of Comments

Comments remain stored on the website unless their deletion is requested or they violate usage rules, legislation, or ethics.
Users can request rectification or deletion of their comments, provided no overriding legal retention obligation exists.

17. Blog, Reviews, and User Generated Content (UGC)

The grland website operates as a news and journalistic media outlet and provides, beyond editorial content, the possibility for users to participate with comments, reviews, and opinions (User Generated Content – UGC).
These functions aim to enhance transparency, pluralism, and feedback, without substituting editorial responsibility or journalistic control.

User Comments and Reviews

Users can, depending on the page, submit:

• written comments or opinions,
• reviews with a rating system (e.g., stars),
• simple reactions or preference declarations.

These submissions are generally publicly visible and published with the declared name or pseudonym.
The email address is used exclusively for internal purposes and does not appear publicly.
We reserve the right to prior or ex-post moderation, as well as removal of content that is illegal, offensive, misleading, or contrary to usage terms.

Integration of External Review Services

For reasons of transparency and completeness, we may integrate external reviews or third-party provider widgets.
Upon loading these elements, a direct connection to respective provider servers is established, and technical data (e.g., IP, device info) may be transferred.
Integration of external reviews takes place only upon consent, if required, via the consent management mechanism.

Content Liability and User Rights

Content submitted by users is their exclusive responsibility.
Grland does not automatically adopt opinions expressed in comments or reviews.
Users retain the right of access, rectification, and deletion of their personal data, according to GDPR, provided no overriding legal or journalistic obligations exist.

Legal Basis for Processing

• Article 6 para. 1(f) GDPR: legitimate interest for public dialogue, security, and content quality
• Article 6 para.
  1(a) GDPR: consent, where required (notably for external embeds)

Important Notice to Users

It is recommended not to publish personal, sensitive, or confidential data in comments or reviews.
Comment content is publicly accessible and can be reproduced by third parties.

18. User Accounts & Registration

Our website provides, in specific cases, the possibility to create a personal user account.
Registration and account use take place exclusively when necessary for providing specific services, such as indicatively managing orders, subscriptions, access to protected content, or providing personalized functions.
User account management is carried out via established and technically secure WordPress plugins, specifically via:

• WooCommerce
• WP User Manager
• MemberPress

These plugins are used exclusively for functional purposes and comply with basic security and data protection requirements.

Purpose and Scope of Data Processing

During user account creation and management, only absolutely necessary personal data are collected and processed, depending on the type of service provided.
These data may include:

• name and surname,
• email address,
• username,
• password (stored exclusively in encrypted and salted form),
• phone number (if requested optionally),
• professional status or job title (optionally),
• billing or delivery details, exclusively in case of orders or transactions.

Processing of this data is necessary for:

• user identification,
• secure provision of requested services,
• execution of contractual or pre-contractual obligations,
• technical and administrative account support.

Use and Functionality of User Account

Upon successful registration, the user gains access to a personal management environment (Dashboard), through which they can manage their personal data
and relevant services. Indicatively, the ability is provided to:

• update contact details,
• manage orders, subscriptions, or access rights,
• adjust communication and notification settings,
• exercise rights arising from data protection legislation.

Communication between the user’s browser and our systems takes place exclusively via encrypted SSL/TLS connections.
It is noted that during registration, a Double-Opt-In process is not mandatorily applied, unless required by the specific service.
Submission of the registration form is considered an explicit declaration of will for data processing in the context of account use.

Password and Access Security

Passwords are never stored in readable form.
Modern encryption and salting hashing methods are used, according to WordPress security standards.
The website administrator does not have technical capability to read passwords.
Users bear responsibility for choosing a strong password and managing it securely.
Optionally, additional security measures may be activated in the future, such as two-factor authentication (2FA).

Account Deletion and Storage Duration

Users can at any time:

• modify their personal data,
• request deletion of their account.

Deletion is performed either via the user interface or upon contact with the controller.
After deletion, personal data are removed from active systems, unless further storage is required by legal obligations (e.g., tax or accounting obligations in case of transactions).

Legal Basis for Processing

Processing of user account data is carried out based on:

• Article 6 para. 1
  (b) GDPR (performance of contract or pre-contractual measures),
• Article 6 para. 1(a) GDPR (consent, where required),
• Article 6 para. 1
  (f) GDPR (legitimate interest for secure and functional service provision).

19. Audio and Video Conferencing

For purposes of communication, coordination, provision of consulting services, online meetings, or presentations, we use various audio and video conferencing platforms.
Use of these services occurs upon individual agreement and free choice of the participant.
Participation in an online conference is always voluntary. Before each session, participants are informed about the platform to be used and basic data processing parameters.

Participation and Technical Implementation

Participation can take place:

• via personal invitation link,
• via calendar or booking tool,
• via embedded environment (iframe or plugin), if supported.

Use of these services is not mandatory and can be replaced by alternative means of communication.

Data Processed in Conference Context

Depending on platform and settings, the following may be processed:

• identification details (name, email),
• profile image,
• audio and video data,
• chat content,
• screen or file sharing data,
• technical metadata (IP, timestamps, device information).

Activation of camera, microphone, or screen sharing always remains at the user’s discretion.

Recording and Storage of Sessions

Recording of online sessions takes place only upon prior, explicit notification and consent of all participants.
Silent or automatic recording never takes place.

Recordings are stored:

• either locally on secure systems,
• or in certified cloud environments of respective providers.
• Access is limited exclusively to authorized persons and only for the stated purpose.

Data Transfer to Third Countries

Many platforms used operate internationally and may process data outside the European Union.
This transfer takes place exclusively based on:

• Standard Contractual Clauses (SCC),
• appropriate technical and organizational measures.

Despite these measures, it is noted that access by third-country authorities to data cannot be fully excluded.

Legal Basis for Processing

Data processing in the context of audio and video conferencing is based on:

• Article 6 para. 1
  (b) GDPR (performance of contract or communication),
• Article 6 para. 1
  (a) GDPR (consent, notably for recordings),
• Article 6 para. 1
  (f) GDPR (legitimate interest for effective communication).

20. Google Services

On our website we use, where deemed technically and functionally necessary, various services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Depending on the specific service and nature of processing, certain data may be further processed by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google operates as an independent data controller or, in some cases, as a processor acting on instructions.
Use of these services is carried out exclusively with respect to principles of necessity, data minimization, and transparency.
Official Google Data Protection Declaration: https://policies.google.com/privacy

General Information on Data Transfer to Third Countries

Use of Google services may entail data transfer to servers outside the European Union, notably in the United States.
This transfer takes place based on Standard Contractual Clauses (SCC) of the European Commission, pursuant to Article 46 para.
2(c) of the GDPR. We explicitly point out that, according to Court of Justice of the European Union case law (Schrems II decision), access by US authorities to data cannot be fully excluded.
For this reason, we use Google services only upon consent, where required, and with technical restriction measures (e.g., IP anonymization, consent-based loading).

Google Analytics

We use Google Analytics as a web analysis tool, exclusively for pseudonymized evaluation of our website usage.
Google Analytics allows us to understand aggregately how our content is used, which pages are viewed most frequently, and how user experience is improved.
In this context:

• cookies are placed on your device,
• usage data are collected (e.g., page visits, dwell time, technical characteristics),
• data are transmitted to Google servers.

We have activated the IP anonymization function (anonymizeIP), so your IP address is truncated within the EU or EEA before any further processing.
Only in exceptional cases is the full IP transferred to the USA and truncated there.
Use of Google Analytics takes place exclusively after explicit consent via the consent banner.
Without consent, Google Analytics is not activated.

Legal Basis:

• Article 6 para. 1(a) GDPR
• § 25 para.
  1 TTDSG

More information:
https://support.google.com/analytics/answer/6004245

Google Ads (including Remarketing & Conversion Tracking)

For online advertising purposes and measuring campaign effectiveness, we use Google Ads services, including:

• Conversion Tracking,
• Remarketing / Retargeting.

In this context, cookies or similar technologies may be placed and pseudonymized data collected, such as:

• interactions with ads,
• visits to specific pages,
• success of actions (e.g., form submission).

These data do not include directly identifiable elements, but may be linked to a Google account, if you are logged into one.
Use of Google Ads takes place only upon your prior consent via the consent management system.
Legal Basis:

• Article 6 para. 1(a) GDPR
• § 25 para.
  1 TTDSG

More information:
https://ads.google.com/

Google Tag Manager

Google Tag Manager is used exclusively as a script management and organization tool (tags), such as Google Analytics, Google Ads, or other pixels.
Tag Manager itself:

• does not store cookies,
• does not process personal data,
• functions only as a technical triggering mechanism for other services.

Activation of individual tags takes place exclusively according to user consent choices.
More information:
https://tagmanager.google.com/

Google Fonts

For uniform font display we use Google Fonts.
Preferably, fonts:

• are hosted locally (self-hosted) on our servers,
• do not cause data transfer to Google.

In exceptional cases, where external loading via Google CDN is required, your IP address may be transmitted to Google.
According to German court case law (judgment 20.01.2022), this is permitted only upon prior consent.
Legal Basis (in case of CDN): Article 6 para. 1
(a) GDPR

Google Maps

To display maps and location information we use Google Maps, integrated via iFrame or API.
Upon loading the map:

• IP address is transmitted,
• technical device data are collected,
• cookies may be stored by Google.

Display of maps takes place only after active consent via the consent banner.
Legal Basis: Article 6 para. 1(a) GDPR – § 25 para.
1 TTDSG

Google reCAPTCHA

To protect our forms from abuse, spam, and automated attacks, we use Google reCAPTCHA.
reCAPTCHA analyzes technical signals, such as:

• mouse movements,
• temporal patterns,
• IP address,
• browser information.

This processing takes place for security reasons and is considered technically necessary for protecting our systems.
Legal Basis: Article 6 para. 1(f) GDPR (legitimate interest for security)

More information:
https://www.google.com/recaptcha/about/

Google Search Console

We use Google Search Console exclusively for technical optimization and monitoring our presence in search engines.
Search Console:

• provides only aggregated and anonymous data,
• does not allow visitor identification,
• does not place cookies on our website.

No processing of user personal data by us takes place via this service.

Google My Business

In certain cases, we integrate information or reviews from Google My Business.
Upon loading such content:

• IP address is transmitted to Google,
• Google’s data protection policies apply exclusively.

Display takes place, where required, only upon consent.

YouTube (video integration)

To display videos we use YouTube, a service of Google.
Upon loading an embedded video:

• IP address is transmitted,
• cookies may be placed,
• visit may be associated with Google account, if logged in.

Where technically feasible, we use enhanced privacy mode, so cookies are placed only during playback.
Legal Basis: Article 6 para. 1(a) GDPR

21. Outbound Link Tracking and External References

Our website includes links to external third-party websites at various points.
These links are used for journalistic, informational, documentary, or commercial purposes, such as citing sources, providing additional information, referencing official documents, or redirecting to partner services.
By selecting an external link, you leave our website and are transferred to the respective third-party provider’s environment.
From that point onwards, the terms of use and data protection policies of the respective website apply exclusively.

Outbound Link Tracking

For reasons of statistical analysis, content optimization, and evaluating our website usability, we use outbound link tracking techniques.
This tracking allows us to understand which external topics, sources, or references present increased interest for our readers.
Outbound link tracking does not aim to identify individual users, nor to create personal profiles.
In this context, depending on consent setting, the following tools may be used:

• Google Analytics (Event Tracking) – recording click events on external URLs
• Google Tag Manager – technical implementation and event trigger control
• WP Statistics – local, anonymous statistical recording
• Matomo (self-hosted or cloud, if used)
• UTM parameters in URLs, e.g.,
  for newsletters or campaigns

Processed Data and Limitations

In the context of outbound link tracking, exclusively pseudonymized or aggregated data are processed, such as:

• date and time of click,
• referrer page,
• destination URL (without third-party website content),
• technical browser information,
• optionally UTM parameters (source, medium, campaign).
• The following do NOT take place:
• association with name, email, or user account,
• creation of behavioral profiles,
• tracking beyond the exit click from our website.

Legal Basis for Processing

Processing takes place, depending on the tool, based on:

• Article 6 para.
  1(f) GDPR – legitimate interest for improving journalistic quality, content structure, and user experience, or
• Article 6 para.
  1(a) GDPR in conjunction with § 25 TTDSG, providing tracking is based on cookies or similar technologies and requires consent.

Activation of tools based on cookies takes place exclusively via the consent management mechanism.

Affiliate Links and Commercial References

In case an outbound link constitutes an affiliate link or contains commercial benefit for our website, this is marked clearly and recognizably (e.g., “advertising link,” “affiliate,” or equivalent marking).
Transactions, tracking technologies, and data processing after transferring to the partner website take place exclusively under the responsibility of the third-party provider.

Disclaimer for External Content

We have no influence on content, structure, availability, or data protection practices of external websites we link to.
Liability for content and lawful data processing rests exclusively with the respective administrator of the external website.
At the time of linking, external pages were checked for evident legal violations.
Permanent or continuous control of external link content is not technically or legally feasible without specific indications of violation.
In case a legal violation becomes known to us, the corresponding link will be removed immediately.

User Rights and Options

Users can at any time:

• restrict or deactivate outbound link tracking via cookie settings,
• use tracker blocking tools in their browser,
• consciously choose if they wish to follow an external link.
• External links are marked, where feasible, with visual or textual indication as external references.

22. Third-Party Widgets without Active JavaScript

In certain parts of our website, content, functions, or interactive elements of third-party providers are integrated, which are technically capable of loading in the browser even without activated JavaScript.
These are so-called non-script widgets, iframe integrations, as well as passive loading techniques (e.g., tracking images or server-side requests).
These integrations allow basic functionality of specific elements – such as forms, reviews, or informational widgets – even when the user has restricted cookie usage or deactivated JavaScript execution in their browser.
Indicative Examples of Such Integrations

In this context, among others, the following may be used:

• embedded newsletter subscription forms from providers like Mailchimp, Zoho Campaigns/Forms, Brevo (Sendinblue), or getwemail.io,
• iframes with external content (e.g., review widgets, informational embeds),
• invisible pixels or tracking images,
• buttons, forms, or UI elements loaded via external CSS or server-side requests.

Technical implementation of these elements may differ depending on provider, plugin, or theme and does not always rely on cookies or JavaScript.

Potential Data Processing Without Active Interaction

Even without active JavaScript and without accepting cookies, loading such embedded elements may lead to automatic communication between your browser and third-party provider servers.
In this context, it is technically possible to process, notably:

• visitor IP address,
• technical browser data (User-Agent, language, screen resolution),
• date and time of access,
• referrer URL,
• in certain cases technical characteristics allowing browser fingerprinting,
• in case of pixels or forms: basic interaction data (e.g., load, submission).

This processing can occur passively, i.e., without requiring active user action (such as clicking or form submission).

Particular Importance: Third-Party Newsletter Forms

Particular attention is required for embedded newsletter subscription forms from third-party providers, such as Mailchimp, Zoho, Brevo, or getwemail.io.
These forms are often integrated:

• via iframe,
• via server-side loading,
• via image-pixel or hybrid techniques.

In these cases, IP address and – upon submission – email address can be transferred directly to the respective provider, even if the user has not accepted cookies.
Especially when provider servers are located outside the European Union, this processing acquires increased legal weight.

Legal Assessment and Basis for Processing

Integration of third-party widgets without active JavaScript takes place only upon careful balancing of interests.
The legal basis may be:

Article 6 para. 1(f) GDPR (legitimate interest), e.g.
for basic functionality, providing information, or simplifying registrations,

provided:

• no extensive tracking takes place,
• no user profiles are created,
• and processing is limited to absolutely technically necessary.

For integrations involving tracking, statistical analysis, marketing, or transfer to third countries, use takes place only upon explicit consent pursuant to:

Article 6 para.
1(a) GDPR and § 25 TTDSG, provided applicable.
Consent is provided via consent banner or clear notification directly on the respective widget.

Control Limitations and Transparency

We explicitly point out that, at a technical level, it is not always possible to fully control data processing by third-party providers when content is loaded directly from their own servers (e.g., via iframe, images, or server-side requests).
For this reason:

• we select providers with documented GDPR compliance,
• we regularly check integrations,
• and we transparently inform our users.

For detailed information regarding type, scope, and purpose of data processing, respective third-party provider data protection declarations apply.

Note and Recommendation to Users

Even with deactivated JavaScript or restricted cookies, basic data transfer is technically possible upon loading external elements.
For increased privacy protection, we recommend:

• regular check of browser privacy settings,
• use of tools like NoScript, uBlock Origin, or similar,
• conscious use of external forms and embedded services.

23. Third-Party Access to Personal Data & Order Processing

Processing of personal data collected via our website is carried out in a strictly controlled manner and limited exclusively to authorized internal persons or carefully selected external service providers.
This access is granted only to the extent absolutely necessary for technical operation, security, maintenance, and provision of our services.
In all cases, GDPR basic principles apply, and specifically:

• principle of data minimization,
• principle of purpose limitation,
• and principle of integrity and confidentiality.

Internal Access – Webdesign meister

Technical management, maintenance, development, and website security is carried out by Webdesign Meister

WebDesign Meister acts in this context as a Data Processor pursuant to Article 28 GDPR.
Within its technical duties, it may have access to:

• CMS databases (WordPress),
• server and hosting settings,
• contact forms and technical logs,
• backup and security systems.

This access:

• is strictly limited to absolutely necessary,
• is performed only by authorized persons,
• is recorded technically where feasible,
• is protected via modern security measures (SSL/TLS, role-based access, strong passwords, firewalls).

Potential Access by External Service Providers

In the context of technical infrastructure and website operation, indirect or technical access to data may exist from the following providers:

Website Hosting &
Server Infrastructure

• STRATO AG – https://www.strato.de/datenschutz/
• IONOS SE – https://www.ionos.de/terms-gtc/datenschutzerklaerung/
• Namecheap Inc. – https://www.namecheap.com/legal/general/privacy-policy/
• Plesk (server management platform) – https://www.plesk.com/legal/

These providers may, in the context of operation or maintenance, have technical access to hosting data (e.g., logs, databases, backups), without processing them for their own purposes.

Content Delivery Networks (CDN)

• Cloudflare Inc. – https://www.cloudflare.com/privacypolicy/
• BunnyCDN (BunnyWay d.o.o.) – https://bunny.net/privacy/
• Litespeed – https://www.litespeedtech.com/company/privacy-policy

CDNs are used for performance and security reasons and may process technical data (e.g., IP, timestamps, headers) exclusively for service provision purposes.
Email & Communication Services

• Zoho – https://www.zoho.com/privacy.html
• Amazon SES (AWS) – https://aws.amazon.com/privacy/
• Microsoft Outlook / Office 365 – https://www.microsoft.com/privacy

Statistical Analysis & Security

• Google Analytics – https://policies.google.com/privacy
• Microsoft Bing – https://www.microsoft.com/en-us/privacy/privacystatement

Access by these providers is strictly limited to technically necessary and implies no independent use or commercial exploitation of data.

Data Processing Agreements (DPA)

With external service providers acting as processors, conclusion of Data Processing Agreements (DPA) pursuant to Article 28 GDPR is provided.
These agreements regulate notably:

• subject and duration of processing,
• type of data and categories of subjects,
• technical and organizational security measures,
• confidentiality and security obligations,
• procedures in case of data breach incidents.

Transparency Note:

At the time of this declaration, formal DPAs may not yet have been concluded with all mentioned providers.
We are in continuous process of reviewing, updating, and concluding required agreements, aiming at full compliance with applicable data protection law.
This does NOT constitute a violation, but a realistic and permissible situation, provided:

• processing is limited to necessary,
• no data misuse occurs,
• and intermediate technical protection measures are taken.

Access Control & Least Privilege Principle

All accesses to personal data:

• are checked regularly,
• are documented,
• are limited to the absolutely necessary level (“least privilege principle”).

No universal access is granted to any provider or person.
Each access is linked to specific role and duty.

International Data Transfer

Some mentioned providers operate servers outside the European Union (notably in USA).
In these cases, data transfer takes place exclusively based on:

Standard Contractual Clauses (SCC) of the European Commission pursuant to Article 46 GDPR, and upon Transfer Impact Assessment, where required.
In this way, an equivalent level of data protection is ensured as far as possible.

24. Rights of Data Subjects

As a data subject, you have, pursuant to Articles 15 to 21 of the General Data Protection Regulation (GDPR), extensive rights regarding processing of your personal data.
These rights aim to ensure transparency, control, and protection of your privacy.
Exercise of your rights is free of charge and can be performed at any time.

Summary of your rights

Right of Access (Article 15 GDPR)

You have the right to receive information regarding:

• whether we process your personal data,
• the type of data we process,
• processing purposes,
• recipients or categories of recipients,
• storage duration or criteria determining it,
• data origin (if not collected directly from you).

Right to Rectification (Article 16 GDPR)

You have the right to request rectification of inaccurate personal data or completion of incomplete details without undue delay.
Right to Erasure (Article 17 GDPR – “Right to be Forgotten”)

You can request erasure of your personal data, notably when:

• data are no longer necessary for the purpose they were collected,
• you withdrew your consent,
• processing took place unlawfully.

This right does not apply if overriding legal obligations exist (e.g., retention obligations under tax or commercial law).

Right to Restriction of Processing (Article 18 GDPR)

You have the right to request restriction of processing, for example when:

• data accuracy is contested,
• processing is unlawful, but you do not wish erasure,
• data are needed to support legal claims.

Right to Data Portability (Article 20 GDPR)

You have the right to receive personal data you provided to us in a structured, commonly used, and machine-readable format and, where technically feasible, to transmit them to another controller.

Right to Object (Article 21 GDPR)

You can object at any time to processing of your personal data based on legitimate interest.
In case of processing for direct advertising purposes, objection applies immediately and without balancing of interests.

Right to Withdrawal of Consent (Article 7 para. 3 GDPR)

You have the right to withdraw your consent at any time, with effect for the future.

Exercise of your rights

To exercise your rights, an informal notification suffices via:

website contact form or email.
For security reasons, we reserve the right to verify your identity before providing information or implementing requests.
Response to your request is usually provided within 30 days.
In complex cases, the deadline may be extended up to 90 days, pursuant to Article 12 para. 3 GDPR.

25. Withdrawal of your consent for data processing

You can withdraw your consent for personal data processing at any time, without justification.
Withdrawal applies only to future processing and does not affect lawfulness of processing carried out until the moment of withdrawal.

Withdrawal Methods

Cookies & Tracking Technologies

Via “Cookie Settings” link in website footer, you can modify or withdraw your consent at any time.

Newsletters & Email Marketing

Via “Unsubscribe” link in each email or by relevant notification via email.

Other Services (forms, accounts, comments)

Withdrawal is performed via email. It is recommended to state specific processing purpose for faster service.
In case of legal retention obligations, data are strictly restricted and not used for other purposes.

26. Right to lodge a complaint with supervisory data protection authority

If you consider that processing of your personal data violates the General Data Protection Regulation (EU 2016/679 – GDPR) or applicable Greek legislation (Law 4624/2019), you have the right to lodge a complaint with a competent supervisory data protection authority.

Competent Supervisory Authority for our company (GREECE)

Hellenic Data Protection Authority (HDPA)
1–3 Kifissias Ave.
115 23 Athens, Greece
Telephone: +30 210 6475600
E-mail: contact@dpa.gr

Website: https://www.dpa.gr

The Hellenic Data Protection Authority is the exclusively competent supervisory authority for supervising application of data protection legislation in Greece.

Alternative Supervisory Authorities within EU

Pursuant to Article 77 GDPR, you also have the right to lodge a complaint with any other supervisory authority of a European Union member state, notably:

• at your habitual residence,
• at your place of work,
• or at the place of the alleged infringement.

List of all European supervisory authorities:
https://edpb.europa.eu/about-edpb/board/members_en

Complaint Procedure

Lodging a complaint:

• is informal and free of charge,
• does not require legal representation,
• can be performed electronically or in writing.

For faster and more effective processing of your complaint, it is recommended to state:

• data processing or incident concerning the complaint,
• timeframe during which it took place,
• any prior communication or actions
  you have performed towards us.

The competent supervisory authority will inform you about progress and outcome of the procedure.
Right to lodge a complaint applies independently and in parallel with any other administrative or judicial remedy.

27. Online Dispute Resolution (OS platform)

The European Commission PROVIDES an Online Dispute Resolution (ODR) platform, available at: LINK

This platform operates as a central contact point for out-of-court resolution of disputes arising from online sales or service contracts between consumers and businesses based in the European Union.
Goal of OS platform is to facilitate communication between consumer and business and, if possible, achieve an amicable, out-of-court solution without resorting to courts.

Our obligation for information and participation

Pursuant to Regulation (EU) No.
524/2013, businesses offering goods or services online are obliged to inform consumers about existence of OS platform and provide relevant link.
We are generally willing to participate in out-of-court dispute resolution procedure, providing:

this is required by applicable legislation or arises from obligation to participate in recognized consumer dispute resolution body (e.g., professional chamber or institutional organization).
Participation in such procedure may be mandatory or voluntary, depending on dispute type and applicable law.

What is consumer dispute resolution committee?

A consumer dispute resolution body is an independent and neutral body, attempting to resolve disputes between consumers and businesses:

• without court procedure,
• in simple and low-cost manner,
• within reasonable timeframe.
• This procedure does not replace courts, but can precede them or function complementarily.

How to proceed in case of dispute

If you have any complaint or dispute regarding our website or services, we recommend contacting us first directly via email, to seek immediate and practical solution.
Alternatively, you can submit request via European Union Online Dispute Resolution platform:LINK

Note

Use of OS platform is free for consumer and can be performed before resorting to court procedure.
Please note that:

• OS platform concerns exclusively consumer disputes (B2C),
• does not apply to purely business relations (B2B),
• not all services or content forms fall within its scope.

28. Storage Duration & Criteria for Determining Storage Periods

We process and store personal data only for as long as necessary for respective processing purpose or as required by legal retention obligations.
Storage takes place according to principles of data minimization and storage limitation, as provided in Article 5 GDPR.

Principles Regarding Storage Duration

Storage duration is determined based on:

• processing purpose,
• nature of data,
• applicable legal and tax obligations,
• any contractual requirements.

After fulfillment of purpose, data:

are permanently deleted or blocked from any further processing until expiration of legal deadline.

Indicative Storage Periods

Inquiries via contact forms or email

Up to 12 months after communication completion, provided no further cooperation or legal obligation arises.

Comments, reviews, and public content

Storage for indefinite period, unless deletion is requested or removal reasons exist (e.g., law violation).

Server Log Files (Server Logs, CDN, Plesk)

Storage up to 30 days, with automatic deletion or anonymization.

Statistical Data

Anonymized data up to 12 months.

User Accounts (WooCommerce, WP User Manager)

As long as account remains active.
After deletion, data are removed unless further retention is required.

Newsletter Data & Marketing

Until consent withdrawal or deletion by user.

Backups

Retained temporarily and replaced cyclically.
Not used for other purposes.

Note to Users

You can request rectification or erasure of your data at any time.
If immediate erasure is not legally possible, data are completely blocked from any other use and permanently deleted after mandatory period expiration.

Transparency and Continuous Review

We regularly check:

• necessity of storage,
• retention periods,
• technical and organizational protection measures,
• to ensure data are not stored without reason.

29. Technical and Organizational Measures (TOM)

Pursuant to Article 32 of General Data Protection Regulation (GDPR), we take appropriate Technical and Organizational Measures (TOM), to ensure security level appropriate to risk, taking into account:

• state of the art,
• implementation cost,
• nature, scope, context, and purposes of processing,
• as well as probability and severity of risks for rights and freedoms of natural persons.

Technical Measures

SSL/TLS Encryption

Website operates exclusively via HTTPS with valid SSL/TLS certificate.
All data transferred between browser and server are encrypted.

Access Restriction and Control

Administrative and technical system access is permitted exclusively to authorized persons of WebDesign Meister (LINK) and protected via strong authentication mechanisms.

User & Role Management

Access to data and functions is role-based (role-based access control).
Each user has access only to data absolutely necessary for their task.

Server & Network Security

Server is protected via firewall, secure settings, IP restrictions, and intrusion detection systems.
Furthermore, DDoS protection services via Cloudflare are used.

Malware Protection

Server and WordPress environment are regularly checked for malware and suspicious activity via recognized security tools (e.g., Wordfence or equivalent).

Backups

Regular backups are created, stored in secure, external environment and used exclusively for restoration purposes in case of technical problem or data loss.

Spam and Automated Attack Protection

Technical measures such as honeypots, bot detection mechanisms, and form protection systems are used to ensure service integrity.

Logging and System Monitoring

Server access and operation are recorded via server logs and hosting provider tools.
Furthermore, at WordPress level, critical administrative actions are recorded for security and audit reasons.

Password Encryption

Passwords are stored exclusively in encrypted and salted form according to applicable security standards.

Regular Updates

Operating system, WordPress, plugins, and themes are updated regularly to address known security gaps.

Organizational Measures Confidentiality and Authorization

Access to personal data is granted only to authorized persons bound by confidentiality obligation.

Internal Procedures and Training

Defined internal procedures exist for personal data management.
Persons involved in processing are informed and trained regularly regarding data protection.

Breach Incident Management

In case of data breach, predefined procedure is followed, including:

• immediate assessment and containment of incident,
• documentation of facts,
• notification to competent supervisory authority within 72 hours, if required,
• notification of data subjects pursuant to Articles 33 and 34 GDPR.

Privacy by Design & Privacy by Default

Systems and procedures are designed from outset with data protection and processing minimization in mind.

Accountability

All technical and organizational measures are documented internally, so compliance with GDPR can be proven whenever requested.

30. Profiling and Automated Decision-Making

During use of our website, automated processing of personal data may take place to limited extent, including so-called “profiling,” exclusively for functional, statistical, and user experience improvement purposes.
Said processing does not lead to automated decision-making producing legal effects or significantly affecting you in similar way, within meaning of Article 22 General Data Protection Regulation (GDPR).

What is meant by “profiling”

Profiling means any form of automated processing of personal data aiming to analyze or predict aspects concerning preferences, interests, or behavior of a user on internet.
On this website, any profiling:

• takes place only at pseudonymized or anonymous level,
• is not combined with data allowing direct person identification,
• and is used exclusively for optimizing functionality, structure, and content presentation.

Automated Processes and Content Personalization

Within website operation context, automated processes may be activated such as:

• displaying suggested articles or thematic sections based on previous visits or reading behavior,
• adapting language, layout, or content appearance according to technical information (e.g., browser settings),
• displaying dynamic elements (e.g., banners or notifications) depending on cookie consent or geographic indication at country level.

These processes do not
have legal force, do not affect your rights or obligations, and do not lead to exclusion, rejection, evaluation, or classification of persons.

Explicit Disclaimer of Automated Decision-Making

We do not perform:

• automated person evaluation,
• user scoring,
• creation of high-risk psychographic or behavioral profiles,
• automated decisions without human intervention.

Any tools like cookie-based advertising, traffic statistical analysis, or remarketing operate supportively and under human control, falling outside scope of Article 22 GDPR.

User Rights (Article 22 GDPR)

You have at any time right:

• not to be subject to decision based solely on automated processing,
• to request human intervention,
• to express point of view or contest relevant processing, if you consider it affects you.

Transparency and Human Control

All automated website functions:

• are designed based on proportionality principle,
• are subject to human supervision,
• and are never used to detriment of user rights or freedoms.
• For any clarification or exercise of rights, you can contact us directly.

31. Data Transfer to Third Countries and Third Parties

Our company is based and operates in Greece, and personal data processing is governed primarily by:

• General Data Protection Regulation (EU) 2016/679 (GDPR),
• Greek data protection legislation (Law 4624/2019),
• and applicable Greek and Union law.

General Principles of Data Transfer

In context of website operation and provided services, transfer of personal data may take place – in limited cases:

• to third-party service providers,
• or to countries outside European Union (third countries).

This transfer takes place only when absolutely necessary for operation, security, or optimization of services
and only under strict legal conditions.

Indicative Third Countries and Services

Providers may be based in third countries (notably United States of America) such as:

• analysis, hosting, CDN, or communication services,
• video, advertising, or email sending platforms.

Their use takes place only provided conditions of Articles 44 et seq.
GDPR are met.

Legal Basis and Protection Mechanisms

Each data transfer to third country is based on one or more of following mechanisms:

Standard Contractual Clauses (SCC) of European Commission pursuant to Article 46 GDPR,

• supplementary technical and organizational measures, such as encryption, pseudonymization, data minimization, and access restriction,
• exceptions of Article 49 GDPR, only in special cases (e.g., explicit consent or necessity for contract performance).

Important Warning regarding Third Countries

We explicitly point out that in certain third countries, notably USA:

• level of protection equivalent to EU may not exist,
• possibility of access by state authorities based on national legislation (e.g., CLOUD Act) may exist,
• and
  exercise of your rights might be limited.

For this reason:

• we minimize transfers to minimum,
• regularly evaluate providers,
• and adapt protection measures according to case law developments and European supervisory authority guidelines.

Right to Information

You have right to request at any time:

• information regarding if and how your data are transferred to third countries,
• copy of applied protection mechanisms (e.g.
  SCC),
• and additional clarifications on relevant risks.

32. Live Chat Systems & Communication via Messenger Services

For direct, fast, and effective communication with visitors, readers, and clients, we use live chat systems as well as instant messenger services.
Through these channels, you can submit questions, request support, clarifications, or information in real time or asynchronously.
Use of these services is optional and performed on user initiative.

Systems and Services Used

• Live Chat Platforms
• Zoho SalesIQ
• Zoom
• Crisp
• WP Live Chat
• Tawk.to
• Calendly (in cases of communication or appointment scheduling)

Above services are integrated via widget, script, or iframe and allow direct communication with our team.

Messenger Services

• WhatsApp Business
• Facebook Messenger
• Instagram Direct Messages (DM)
• Viber
• Telegram

Furthermore, you can always contact us via email or phone, without using third-party platforms.

Types of Data Processed

In context of communication via live chat or messenger, following data may be processed:

• name or pseudonym (if voluntarily declared),
• content of conversation and messages,
• date and time of communication,
• technical metadata (e.g., device type, browser),
• IP address or general geographic indication (depending on service).

Providing this data is done voluntarily by user upon initiating communication.

Processing Purpose

Processing of data via chat and messenger takes place exclusively for:

• answering queries,
• providing support or information,
• managing client or partner requests,
• improving communication and service quality,
• documenting repetitive requests.

No automated person evaluation takes place nor use of conversations for decisions with legal effects.

Legal Basis for Processing

Processing is based on:

• Article 6 para. 1
  (b) GDPR, when communication relates to pre-contractual or contractual requests,
• Article 6 para. 1
  (f) GDPR, due to legitimate interest for direct communication, service, and documentation.

In cases of connection with marketing or analysis tools (e.g., remarketing via Meta or Google), processing takes place only upon explicit consent via consent banner (Article 6 para. 1(a) GDPR).
Storage, Archiving & Conversation Evaluation

Conversations may:

• be stored temporarily in live chat system,
• be sent as email for documentation reasons,
• be integrated into CRM or support system.

Storage takes place only for as long as necessary for communication purpose and according to data minimization principles.
Anonymous statistical evaluation may take place (e.g., response time, request frequency), without personal identification.

Security & Data Transfer to Third Countries

Certain messenger and chat providers may process data outside EU (e.g., USA).
In these cases:

• Standard Contractual Clauses (SCC) are applied,
• technical measures are taken (encryption, access restriction),
• use is limited to absolutely necessary.

In services like WhatsApp, Viber, or Telegram, end-to-end encryption applies; however, we do not fully control processing by providers themselves.

Important Recommendation to Users

Please:

• do not send sensitive data (e.g., passwords, payment details, Tax ID),
• use email or phone communication for issues of increased confidentiality.
• You can at any time request access, rectification, or deletion of your conversation data.

33. Legal Notice & Transparency Link

Our website features a link to legal details (Imprint / Identity).
Legal details are hosted on separate, autonomous page, accessible from every point of website and every device (desktop, tablet, mobile).
Obligation to provide legal details is based on:

• General Data Protection Regulation (EU) 2016/679,
• Greek Law 4624/2019,
• legislation on information society and e-commerce,
• as well as principles of transparency and user information.

Content of Legal Details

Page “Identity” includes, indicatively:

• full company name and headquarters,
• legal representative,
• contact details (email, phone),
• supervisory authority details (where required),
• person responsible for content,
• references to privacy policies and terms of use.

Accessibility & Legal Certainty

Link:

• is available with one click,
• remains accessible even without cookies or JavaScript.

In this way:

• full transparency is ensured,
• user trust is strengthened,
• and legal obligations of business are fully covered.

34. Partner Widgets & Integrations

On our website, partner widgets and integrations are used at selected points.
These are functional or interactive elements provided by third-party providers and integrated into our page content to provide additional services, information, or commercial capabilities.
These integrations may concern journalistic content, information services, commercial partnerships, reviews, bookings, or affiliate programs.
Their use aims to improve user experience, information transparency, and, in some cases, financing media operation.

Indicative Integration Examples

On our website, depending on content and page topic, the following may appear:

• booking or service comparison forms,
• price or availability widgets (e.g., travel, consumer, or commercial platforms),
• partner banners, referral links, and ad spaces,
• experience and service review widgets (e.g., review platforms),
• shopping or affiliate program widgets,
• event, coupon, or third-party offer widgets.

Specific integrations differentiate dynamically and do not necessarily appear on all pages.

Data Processing upon Widget Loading

Upon loading or displaying a partner widget, technical connection to respective provider servers may take place.
In this context, technical data may be processed, even without active interaction by user, such as:

• IP address,
• browser and device information,
• operating system,
• referrer URL,
• access time.

In many cases, partners use cookies, pixels, or similar technologies to track clicks, bookings, or purchases (affiliate tracking, conversion tracking).
This processing takes place exclusively by respective partner and is governed by their own data protection policy.

Legal Basis for Processing

Integration and use of partner widgets takes place with distinct legal basis, depending on nature of integration:

Technically or Functionally Necessary Integrations

Processing is based on Article 6 para.
1(f) GDPR (legitimate interest), notably for proper website operation, provision of information, and improving user experience.

Integrations with Tracking, Analysis, or Commercial Purpose

Processing takes place exclusively after prior, explicit user consent pursuant to Article 6 para.
1(a) GDPR, via consent management tool (cookie banner).
Without consent, corresponding widgets do not load or load only in inactive/static form, where technically feasible.

Partnership Marking & Commercial Transparency

All cases where our website might receive financial benefit (e.g., commission, fee, sponsorship) from collaborating providers are marked clearly and understandably, such as:

• “advertisement,”
• “sponsored content,”
• “partner link,”
• “affiliate link.”

This marking appears directly in content or at prominent spot near widget, according to transparency principles and journalistic ethics.

Liability and Website Role

Our website operates as publisher and integrates third-party content without controlling further data processing by partners.
For this reason:

• we bear no liability for content, availability, or data protection practices of third parties,
• we have no access to data collected directly by partner widgets,
• we cannot influence storage duration or data use by partners.

Users are invited to inform themselves directly from data protection declarations of respective providers, to which we refer where feasible.

Important Information for Users

Use of partner widgets may entail data transfer to third countries (e.g., outside EU).
If required, this takes place based on Standard Contractual Clauses (SCC) or other legal mechanisms pursuant to Articles 44 et seq. GDPR.
You can control or restrict loading of such integrations:

• via cookie consent settings,
• via your browser settings,
• with tracker blocker tools.

35. Data Processing by Processors (Article 28 GDPR)

For provision, technical support, and smooth operation of our services, we cooperate with selected external service providers, who process personal data exclusively on our behalf and according to our explicit instructions (“Processors”).
This cooperation is necessary, among others, for:

• website hosting and operation,
• sending emails and newsletters,
• creating backups,
• technical support and system security,
• traffic and technical error analysis.

Data Processing Agreements (DPA)

With all processors, Data Processing Agreements are concluded pursuant to Article 28 GDPR.
These agreements regulate notably:

• subject, duration, and purpose of processing,
• types of personal data and categories of subjects,
• implementation of appropriate technical and organizational security measures (TOM),
• confidentiality obligation,
• support of data subject rights,
• deletion or return of data after cooperation expiration,
• audit and inspection rights.

Indicative Processors

Depending on website function and services, the following providers may be used, indicatively and not restrictively:

• STRATO, IONOS, Namecheap (hosting),
• Cloudflare, BunnyCDN (content delivery networks),
• Zoho, Mailchimp, Brevo (email & newsletters),
• Amazon SES (email sending),
• WebDesign Meister (website technical management and support),
• as well as IT, security, and backup service providers.

Access by these providers to personal data is strictly limited to absolutely necessary.

Transparency & User Rights

You can at any time request information regarding:

• processors we use,
• basic protection measures applied.

Provision of information is done according to GDPR provisions and Law
4624/2019.

36. Amendments to this Data Protection Policy

We reserve the right to modify or update this data protection policy at any time, notably:

• in case of legislation changes,
• in case of technical or organizational changes to website,
• in case of introducing new services or data processing tools.

Respective applicable version is available on website and valid from moment of publication.
In case of substantial changes affecting user rights, clear notification will be provided and, where required, consent will be requested anew (e.g., for new cookies or new processing forms).
Failure to inform user about potential changes does not negate validity of respective updated policy.
Document Status: Last update date is listed at end of this data protection policy.

37. Legal Bases of this Data Protection Policy

This data protection policy relies on applicable Union and Greek legal framework regarding personal data protection, electronic services, and internet transparency.
It constitutes foundation on which all data collection, processing, storage, and transfer procedures carried out via this website are based.

European Legislation

General Data Protection Regulation (EU 2016/679 – GDPR)

Notably following articles apply:

• Article 6 GDPR – Lawfulness of processing
  (consent, contract performance, legal obligation, vital interest protection, legitimate interest)
• Article 7 GDPR – Conditions for and withdrawal of consent
• Articles 12–23 GDPR – Rights of data subjects
  (information, access, rectification, erasure, restriction, objection, portability)
• Article 13 GDPR – Information obligation during data collection
• Article 22 GDPR – Automated individual decision-making and profiling
• Article 28 GDPR – Processing by processors
  (data processing agreements with third-party providers)
• Article 32 GDPR – Technical and organizational security measures (TOM)
• Articles 44 et seq. GDPR – Data transfer to third countries
  (including standard contractual clauses – SCC)
• Article 77 GDPR – Right to lodge complaint with supervisory authority
• Regulation (EU) 524/2013 – Online consumer dispute resolution (ODR platform)

Law 4624/2019

Application of GDPR in Greek legal order and implementation measures of Regulation (EU) 2016/679.

Law 3471/2006 (as applicable)

Protection of personal data in electronic communications sector (cookies, similar technologies, direct communication).

Law 4070/2012 & related provisions

Regulations for electronic communication services and online services. Greek legislation on transparency and internet service providers, as applicable (obligation to provide controller details, clear provider identification, legal information accessibility).

Tax and Commercial Legislation

Legal obligations to retain business and tax data for specified periods, where required.

Data Protection & Information Security Practices

This policy also takes into account:

• use of cookies and similar technologies based on consent or legitimate interest,
• application of Consent Management mechanisms,
• use of analysis, security, and communication tools complying with GDPR,
• application of technical and organizational security measures (SSL/TLS encryption, access restrictions, backups, firewalls),
• contractual safeguarding of data processing by third parties (Article 28 GDPR contracts),
• transparent user information regarding third-party providers and data transfers.

User Rights & Transparency

This policy ensures:

• full and clear user information regarding their rights pursuant to Articles 15–21 GDPR,
• possibility to withdraw consent at any time (Article 7 GDPR),
• right to lodge complaint with competent Greek supervisory authority (Hellenic Data Protection Authority – HDPA),
• existence of distinct, accessible, and updated “Legal Details” and “Data Protection Policy” pages.

Above legal bases constitute complete foundation of all procedures and measures described in this data protection policy and ensure compliance with Union and Greek personal data protection law.

39. Tools & Technologies Used – Summary Overview

Following information is provided in context of full transparency towards all users, visitors, and partners of our website.
This website uses, and may use in future, modern technologies, tools, plugins, and third-party provider services, aiming to ensure reliable, secure, functional, and user-friendly online environment.
These technologies serve, among others, correct technical website operation, performance optimization, security enhancement, communication with users, statistical analysis, content display, as well as compliance with legal and regulatory obligations pursuant to General Data Protection Regulation (EU 2016/679 – GDPR) and Greek legislation (Law 4624/2019).
Use of individual tools takes place upon balancing of interests, respecting data minimization principle and, where required, only after prior user consent.
Certain technologies are used exclusively for technical purposes, while others for interaction, communication, analysis, marketing, or security.
Entirety of tools used may be modified or updated in context of technical improvements or operational needs.

Actually Active Services, Tools, and Technologies

Domain Infrastructure & Servers

• STRATO – LINK
• IONOS – LINK
• Apache Web Server – LINK
• Plesk – LINK
• Let’s Encrypt – LINK
• Bunny CDN – LINK

Website Platform

• WordPress (Automattic Inc.) – LINK
• Elementor – LINK
• CookiFirst (Cookie & Consent Management) – LINK
• Rank Math (SEO) – LINK
• WP Rocket (Caching & Performance) – LINK
• Ad Inserter – LINK
• Foxiz Theme – LINK
• GRland Plugin – LINK
• Polylang – LINK
• Instant Images – LINK
• MemberPress – LINK

Communication Services

• Zoho E-Mail – LINK
• Amazon SES – LINK

Specific use of above tools may differentiate depending on functionality, user behavior, and respective legal requirements.
Data processing takes place always based on one of provided legal bases of Article 6 para.
1 GDPR (consent, contract performance, legitimate interest, or legal obligation).
For all third-party providers acting as processors, conclusion of data processing agreements (Article 28 GDPR) is pursued, while appropriate technical and organizational measures are taken to ensure compliance.
Certain tools may transfer data to third countries (e.g., USA).
In these cases, appropriate guarantees are applied, such as standard contractual clauses (SCC), pursuant to Articles 44 et seq. GDPR.
Detailed information regarding purposes, storage duration, objection rights, and consent withdrawal are described in respective chapters of this data protection policy.
For technical or functional clarifications, you can contact responsible development company: WebDesign Meister
E-mail: info@webdesignmeister.de

Contact

For any question regarding sensitive data processing or exercising your rights, you can contact us using contact details mentioned herein and in website legal details.
Last update: 27/12/2025