TERNA ENERGY continues its dynamic growth, targeting 6 gigawatts (GW) of renewable energy capacity by 2029.

SLIDE DOWN


About
-

1. Introduction – General Principles

The company TERNA ENERGY S.M.S.A., A MEMBER OF THE MASDAR GROUP (hereinafter referred to as the “Company”) places primary importance on the protection of the personal data of all natural persons who engage in transactions with it. This Personal Data Protection Policy (hereinafter the “Policy”) is issued in fulfillment of the transparency obligations set out in Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”), in conjunction with Law 4624/2019 and any other applicable legislation.

When processing personal data, the Company faithfully adheres to the following fundamental principles, as set out in Article 5 of the GDPR:

  • Lawfulness, objectivity and transparency: each processing has a specific legal basis and is carried out in a fair and transparent manner.
  • Purpose limitation: data is collected for specified, explicit and legitimate purposes.
  • Data minimization: we only collect the data that is appropriate, relevant, and necessary.
  • Accuracy: data is kept accurate and up-to-date.
  • Storage restriction: the data is not kept in a format that allows identification of the subjects for an indefinite period of time, but we comply with the regulatory guidelines for the minimum necessary storage time.
  • Integrity and confidentiality: The company implements appropriate technical and organizational security measures.
  • Accountability: the Company documents and proves its compliance with the provisions of the legislation.

2. Data Controller

TERNA ENERGY SINGLE PERSON S.A., MEMBER OF THE MASDAR GROUP, VAT NUMBER: 094006030, KEFODE ATTICA

Headquarters: 85 Mesogeion Ave., PC 11526, Athens Tel.: +30 2106968353 and 2106968353  Website: www.terna-energy.com

3. Data Protection Officer (DPO)

In accordance with Article 37 of the GDPR, the Company has appointed a Data Protection Officer (DPO). You can contact him for any issue related to the processing of your personal data and the exercise of your rights as follows:

DPO – Data Protection Officer Address: 85 Mesogeion Ave., PC 11526, Athens Email: dpo@terna-energy.com

4. What Personal Data We Process

Depending on your relationship with the Company, we may process the following categories of data:

4.1 Identity and contact details

  • Full name, father’s name, date of birth
  • Address of residence/registered office, VAT number, ID number or passport number
  • Telephone number, email address
  • AMKA / AMA number (for employment relationships)

4.2 Employment relationship data

  • Education, training, work experience, certificates
  • Details of remuneration, insurance coverage, tax liability
  • Performance evaluations, attendance/absence data

4.3 Financial data

  • Bank account (IBAN) for contractual payment needs
  • Details of the shareholder relationship (name, number of shares, VAT number)

4.4 Data from our website

  • IP address, browser type, pages visited, duration of visit
  • Cookie data (see Section 11)
  • Information you send us through the contact form

4.5 Image/Identification Data

  • Images from closed circuit television (CCTV) in the Company’s premises

4.6 Special categories of data (Art. 9 GDPR)

Exceptionally and only in cases where required by law (e.g. health data for the management of sick leave), we may process special categories of data based on article 9 par. 2 (2) b’ GDPR (performance of obligations in the context of labor law) or after the explicit consent of the subject.

5. Purposes and Lawful Bases of Processing

Each processing activity is based on at least one of the legal bases of Article 6 of the GDPR:

5.1 Performance of a contract – article 6 par. 1 par. b’ GDPR

We process your data for the conclusion and execution of contracts (project, supply, provision of services, work, etc.), in particular:

  • Management of contractual obligations, invoicing, payments
  • Processing of employee or candidate employee applications
  • Communication at the pre-contractual stage and during the drafting of a contract.

5.2 Compliance with legal obligations – Article 6 par. 1 par. c’ GDPR

We process data for our compliance with our company’s obligations arising from the applicable legislation, namely by:

  • Tax and accounting legislation (bookkeeping, issuance of documents)
  • Labor legislation (announcement of recruitment, APD to EFKA, etc.)
  • Corporate legislation – publication of data in the General Commercial Registry (Law 4548/2018 article 12)

5.3 Legitimate interest – Article 6 par. 1 par. f’ GDPR

For the following purposes, the processing is necessary for the legitimate interest of the Company, in any case, which overrides the interests or fundamental rights of the subjects (balancing test):

  • CCTV function for facility, staff and visitor security
  • Fraud prevention/detection, IT security
  • Establishment, exercise or support of legal claims
  • Internal administrative functions of the Group

5.4 Consent – Article 6 par. 1 par. a’ GDPR

In some cases (e.g. sending information material / newsletter, non-mandatory cookies) we ask for your explicit and free consent. Your consent can be revoked at any time without retroactive effect (Art. 7 par. 3 GDPR), after contacting the DPO.

6. Recipients and Data Sharing

The Company does not sell, exchange or lease personal data of the subjects to third parties. We may only share data with the following categories of recipients, always within the legal regulatory framework:

6.1 Processors

Third parties who process data on behalf of the Company (e.g. information systems providers, external accountants, security companies). A Processor Agreement is concluded with these providers  in accordance with Article 28 of the GDPR, which guarantees an equivalent level of protection.

6.2 Independent Controllers

Partners who process data for their own purposes:

  • Banks and financial institutions (for payment processing)
  • Insurance companies (for project and staff insurance coverage)
  • Statutory auditors (for the statutory audit of the company)

6.3 Public authorities

Public authorities, supervisory bodies and judicial/prosecutorial authorities, if required by law or by a court decision.

6.4 Group companies

Subsidiaries and affiliates of the Masdar Group and GEK TERNA to the extent necessary for internal administration purposes, consolidated financial monitoring or provision of common services.

7. Transfer of Data Outside the EEA

In the context of its international activities, the Company may transfer personal data to third countries outside the European Economic Area (EEA). Any such transfer is carried out solely on the basis of one of the following safeguards (Chapter V GDPR):

  • European Commission’s adequacy decision for the country of destination (Article 45 GDPR)
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46 (2) (c) GDPR)
  • Binding Corporate Rules approved by a competent supervisory authority (Art. 47 GDPR)

For more information on the safeguards applicable to specific transfers, you can contact the DPO.

8. Data Retention Time

Personal data are retained only for the period of time necessary to achieve the purpose of the processing or for as long as required by law. In particular:

  • Contractual data: for the duration of the contract and an additional 20 years (general limitation period for civil claims – Article 249 of the Civil Code)
  • Accounting / tax data: 5 years from the closing of the relevant fiscal year (E.L.P., L. 4174/2013)
  • Employee data: for the duration of the employment relationship and an additional 10 years (employment law claims)
  • CCTV footage: 15 days, unless an event was recorded that justifies a longer retention
  • Website contact form data: 12 months from the last interaction or if required for your request
  • Job applicant data (unsuccessful): 12 months from the completion of the recruitment process, unless you provide consent for a longer period
  • Consent-based data: until the withdrawal of your consent or the end of the respective retention purpose.

After the expiration of the above periods, the data is deleted or anonymized with secure procedures.

9. Your Rights

As a data subject, you have the following rights under Articles 15–22 GDPR. You can exercise them by submitting an application to the DPO (electronically or in paper). The Company will respond within a period  of one (1) month, with the possibility of extension up to two (2) months in complex cases (Article 12 par. 3 GDPR). The exercise of rights is free of charge, except for manifestly unfounded or excessive requests.

9.1 Right of access (Art. 15 GDPR)

You have the right to receive confirmation as to whether we are processing your data and, if so, you have the right to request a copy of it together with information about the purposes of the processing, categories, recipients, retention period and your rights.

9.2 Right to rectification (Art. 16 GDPR)

You have the right to request the correction of inaccurate or incomplete data of yours.

9.3 Right to erasure / “right to be forgotten” (Art. 17 GDPR)

You have the right to request the deletion of your data if one of the conditions of Article 17 is met, in particular if they are no longer necessary or you have withdrawn your consent. This right does not apply if the processing is necessary for a legal obligation, the exercise of legal claims or for reasons of public interest.

9.4 Right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of processing in special cases (e.g. disputing data accuracy, unlawful processing that you do not want to be deleted, pending legal claims).

9.5 Right to data portability (Art. 20 GDPR)

You have the right to receive the data you have provided to us in a structured, commonly used and machine-readable format, as well as to request their transmission directly to another controller, if this is technically feasible. The right applies to data that we process on the basis of consent or contract by automated means.

9.6 Right to object (Art. 21 GDPR)

You have the right to object at any time to the processing of your data based on legitimate interest (Article 6 par. 1 (f)). The Company is obliged to stop the processing unless it invokes compelling legal reasons that prevail. The right to object to direct marketing is absolute and is exercised without exception.

9.7 Right not to be subject to an automated individual decision (Art. 22 GDPR)

You have the right not to be subject to decisions made solely through automated processing, including profiling, that produce legal effects or significantly affect you. It is noted that during the operation of our website, no purely automated processing decisions are made with legal effects.

9.8 Right to withdraw consent

Where processing is based on your consent, you can freely withdraw it at any time. The withdrawal shall be without prejudice to the lawfulness of the processing carried out prior to it.

10. Right to Complain to the Supervisory Authority

If you consider that the processing of your data violates the GDPR or the applicable legislation, you have the right to lodge a complaint with  the Personal Data Protection Authority (HDPA), which is the competent supervisory authority in Greece (Article 77 GDPR):

HDPA Address: 1–3 Kifisias Str., PC 11523, Athens Tel.: +30 210 6475600   Fax: +30 210 6475628 Email: complaints@dpa.gr   Website: www.dpa.gr

To submit a complaint: Submit a complaint to the Authority | Hellenic Data Protection Authority

Before any complaint, we encourage you to contact our DPO first so that we can seek an amicable settlement of the issue.

11. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to improve functionality and user experience, in accordance with Directive 2002/58/EC (ePrivacy) and the GDPR.

  • Strictly necessary cookies: necessary for the operation of the website (no consent required)
  • Performance cookies / analytics: for traffic analysis (consent required)
  • Functionality cookies: to store user preferences (consent required)
  • Targeting/advertising cookies: not used by our website

You can manage your cookie preferences through the consent banner that appears on your first visit or from your browser settings. You can revoke or modify your cookie consent at any time. For more information, please refer to our cookie policy.

12. Security of Personal Data

In accordance with Article 32 of the GDPR and the principle of “data protection by design and by default” (Article 25 of the GDPR), the Company implements appropriate technical and organizational measures, including but not limited to:

  • Data encryption in transit and at rest
  • Data pseudonymization where possible
  • Role-Based Access Control
  • Regular tests and evaluations of the effectiveness of security measures
  • Staff training on data protection issues
  • Keeping a Register of Processing Activities (Article 30 GDPR)

In the event of a data breach, the Company will inform the HDPA within 72 hours (Article 33 GDPR) and, if the breach poses a high risk to your rights, will inform you unjustifiably late (Article 34 GDPR).

13. Mandatory or Optional Data Provision

The data we collect in the context of a contract or legal obligation is necessary for the conclusion / performance of the contract or compliance with the law. In case of refusal to provide them, the Company may not be able to fulfill its contractual obligations or comply with legal obligations.

The data we collect on the basis of consent (e.g. newsletter) is provided completely voluntarily. Failure to provide them does not affect your relationship with the Company.

14. Update of this Policy

This Policy is updated as required due to changes in the Company’s legislation or processing activities. Each new version is posted on www.terna-energy.com website  with reference to the date of the last modification. In the event of material changes, we will notify you in an appropriate manner (e.g. by email or a prominent announcement on the website).

Current version: February 2026  

For any queries or requests to exercise rights please contact our DPO: dpo@terna-energy.com