Privacy notice

Trans Adriatic Pipeline AG (hereinafter “TAP” or “we” or “us” or “the Company”) is the responsible party for the processing of personal data collected through the website www.tap-ag.com (hereinafter the “Website”) and the operation of the Security Information & Event Monitoring (hereinafter “SIEM”) solution and of the HSE Management Services tools as per the applicable data protection laws, in particular the revised Swiss Federal Act on Data Protection (DPA) and – if applicable to your personal data - the European General Data Protection Regulation EU Regulation 2016/679 (GDPR) and its corresponding data protection legislation in Italy (Legislative Decree no. 196/2003, as subsequently amended and supplemented) and Greece (Law 4624/2019) and Albanian law no. 9887, dated 10.03.2008 “On personal data protection”. We have our registered domicile at Lindenstrasse 2, 6340 Baar, Switzerland. For any inquiries regarding our use of your personal data you may contact us by letter, phone (+41 41 747 3400), fax (+41 41 747 3401) or e-mail us at DPO@tap-ag.com.

We only process your personal data if this is necessary in the course of our activities, such as if the processing is necessary to provide a functional website, to provide you with content and information on our activities or to address a relevant request or application submitted by you. The processing of personal data only takes place after we have obtained your prior consent or when the processing of your personal data is permitted by law.

Your data is protected against unauthorized access according to appropriate technology standards and through a role and authorization concept.

We process your data on a certain legal basis, as described below. If a basis on which we process your personal information is no longer relevant then we shall cease processing your data. If the basis changes and, if required by law, we shall notify you of the change and of any new basis under which we have determined that we can continue to process your information. We set out the relevant legal basis for each processing activity in the relevant sections below.

The duration of processing depends on the specific processing activity. As a general rule, we only store your personal data for as long as necessary to serve the purpose of the processing and we delete personal data as soon as such purpose ceases to apply. The applicable retention periods for the specific processing activities are set out below.

Furthermore, personal data may be stored if this has been provided for by the applicable law (for example for bookkeeping or mandatory archiving purposes). The data will also be deleted if a storage period prescribed by the applicable law expires, unless there is a need for further storage of the data.

Every time you visit our website, our system automatically collects data and information about the computer system you used to access our website.

The following data is collected:

• Browser information (type and version)
• Operating system
• Your internet service provider
• Your IP address
• Date and time of access
• Websites from which your system reaches our website
• Websites accessed by the user's system via our website
• The data is also stored in the log files of our system. This data is not stored together with any of your other personal data that you may submit voluntarily in other sections of the website as described below.

The processing of data collected when visiting our website is performed on the basis of our legitimate interest to provide and maintain a well-functioning and user-friendly website which includes information about TAP.

The data is stored in log files to ensure the functionality of the website. In addition, the data serves us to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context. 

The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. If the data is stored in log files, deletion occurs after 28 days at the latest.

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. If a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic character string that enables a unique identification of the browser when the website is accessed again. We use cookies to make our website more user-friendly and to enable an analysis of your surfing behaviour. Please see more information here.  

We process your personal data when you subscribe to receive media releases from us. When registering for media releases, the data from the input mask is transmitted to us. You are asked to enter the following data when registering for our media releases:

• Title
• First name
• Last name
• Email address
• Company
• Position (optional)
• Country (optional)

We use this data to provide you with our media releases.

The processing of your data for the subscription and receipt of the media release is performed on the basis of your consent as well as our legitimate interest in keeping our contacts up to date on news relating to our company. In the course of the registration process, your consent is obtained for the processing of the data and reference is made to this Privacy Notice. The data will be used exclusively for sending media releases. 

You may withdraw your consent for the abovementioned data processing at any time. You can cancel your subscription to the media releases at any time. For this purpose, there is a corresponding unsubscribe link in every media release. Upon cancellation of your subscription we will delete your personal data within 7 days from your un-subscription and cease to send you media releases.

The collection of this personal data as part of the registration process serves to keep files of people interested in our newsfeed and updating them relevantly as well as to prevent misuse of the services or the e-mail address used. Some of the optional information, if inserted is useful to us for certain urgent situations or to understand your background regarding your relationship with us.

Your data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. Your data will therefore be stored for as long as your subscription to the media release is active.

Additionally, by clicking the box you are consenting to the delivery by us of your personal data to any third parties necessary for the processing according to the designated purpose for addressing your request to receive our media releases.

Any personal data inserted in the electronic recruiting platform (hereinafter the “e-Recruiting Tool/HRMS”) and the Applicant Account created are being processed according to the law. For more details of how your personal data is being processed, please see our dedicated privacy notice available once you have created an Applicant Account here. 

Any personal data, relevant to your specific grievance which you insert to the system when submitting a grievance notification with TAP using our grievance notification tool (hereinafter “Grievance Tool”) and filling in the relevant grievance form online or when submitting a grievance through a call or email, are used only in connection with the processing of your grievance notification and are processed according to the applicable law.

When using the Grievance Mechanism/Tool, some personal data may be processed by TAP, such as:

• Identification data, e.g. name, surname, gender, age, profession, IP address;
• Contact data, e.g. home address, email/ mailing address, phone number/ fax;
• Property data, e.g. status as owner or renter of the property, data for identifying the property;
• Any other information or details of ownership, certain events and dates, which you provide within the grievance form, within the supporting documentation or at any meeting with the Company;
• Bank account number (where applicable).

Greece and Albania

TAP has an obligation to establish local independent grievance redress mechanisms and address complaints in a timely, impartial and transparent manner on the basis of relevant Host Government Agreements (HGA’s) signed with TAP’s hosting countries and ratified with relevant laws (Law 4217/2013 HGA between the Hellenic Republic and TAP AG and Law No. 116/2013, dated 15 April 2013 on the approval of the Albanian HGA). Hence, as per the provision of article 6 (1c) of GDPR the processing is necessary for the compliance with the abovementioned legal obligation to which TAP is subject.

In the course of the grievance submission process, reference is made to this Privacy Notice. You may revoke your grievance at any time, so in case we receive such written grievance revocation request from you, we will delete your personal data and cease with the investigation and potential resolution of your grievance.

Italy

When using the Grievance Tool, you consent to the processing of your submitted data by TAP. In the course of the grievance submission process, your consent is obtained for the processing of the data. In particular, you can find the relevant consent form in the specific privacy notice for the Grievance Tool. You may revoke your consent and grievance at any time, in which case we will delete your data and cease with the investigation and potential resolution of your grievance.

The Company processes your personal data (as further described below) for the purposes of filing, investigating, responding and potentially resolving the grievance submitted by you or on your behalf (“Grievance Purposes”).

Any refusal to provide such personal data for such purposes could result in the complete or partial failure to provide the requested services.

Personal data will be stored only for the time necessary to achieve the purposes for which they are collected as set out above and, more specifically, with regards to:

• Grievance and Legitimate interest Purposes, the Company will collect, store and process your data for as long as this is necessary for the investigation into the grievance and for a further period of 10 years. If there is a pending legal dispute at the end of the above period of time, data will be collected, stored and processed until the end of the dispute with a final judicial decision. If applicable laws and regulations require the Company to keep the relevant records longer, the longer term provided by the relevant law and/or regulation shall apply;
• Law Purposes, for the duration prescribed for each type of personal data by the relevant laws.            

You may contact us via the e-mail addresses and phone/fax numbers published on our website. In this case any personal data transmitted in your e-mail will be processed accordingly in line with applicable law. Your personal data will not be forwarded to any third party without your prior consent.

Legal basis for the processing is the legitimate interest of our company to establish and maintain contact, keep running business as usual and respond to incoming enquiries. You may ask for your data to be deleted at any time.

The processing of the personal data serves the purpose of establishing and maintaining contact as well as running business as usual. The other personal data processed during the sending process serve to prevent misuse of the enquiries e-mail address/section and to ensure the security of our information technology systems.

We will delete your personal data as soon as they are no longer required for such purpose.  You may ask us at any time by e-mail or letter to no longer use such personal data and request their deletion.

Project Affected People / people involved in land matters and related stakeholders

During the construction and operation of the Trans Adriatic Pipeline, the company Trans Adriatic Pipeline AG (TAP AG) has acquired / acquires Relevant Rights over the Project Land as necessary to carry out the Project Activities (capitalised words are used as defined in Greek law 4217/2013, which ratifies the Host Government Agreement between the Hellenic Republic and Trans Adriatic Pipeline AG).

Whilst compiling the relevant database of people affected by the Project (mainly in relation to land matters) and prior to the GDPR entering into force, TAP AG created the Project Affected Management System (PAMS) and the Land Management System (LMS). These systems store all geographic information of affected parcels and all information on land related (e.g. ownership) rights, compensation payable per land right, executed payments and contact details (billing addresses, email addresses and phone numbers) of Project Affected People (PAP).

This Privacy Notice extract includes information on the processing of such data following the entry into force of the GDPR.

TAP AG collects personal data, as these are shared by the PAPs, in several ways, such as by phone (verbally), on a hard-copy application form (paper form), or from public data sources (e.g. Greek government). Your data is included in the PAMS and LMS, used on certain occasions, in accordance with the purpose described herein and stored in PAMS and LMS for any future purposes, as described herein.

Your personal data may also be collected by our contractors Makedoniki S.A., KMOP Family and Childcare Centre, or shared with:

• ENY Law firm, BONATTI J&P AVAX S.R.L.), GAIA Epicheirein S.A., DESFA S.A., TreeFERT J/V MTC MAKEDONIKI- EVANGELOS GKLAVAKIS for the purpose of processing land matters in accordance with TAP AG’s activities or for transitional support matters / projects implemented by TAP AG, or
• other contractors of TAP AG, such as communications companies, for the purpose of disseminating information related to the operation of the Trans Adriatic Pipeline.

Personal data included in PAMS and LMS and processed in accordance with this Privacy Notice extract: PAP Data (PAP Type (owner or user), Gender, First/ Last/ Father’s name, Address, Birth date, Phone Number, email address, postal/mail address, bank account, etc.).

The installation of the pipeline for the implementation of the TAP project as well as its operation and maintenance requires access to the relevant land. It is in TAP AG’s legitimate interest to collect and keep records of land details and relevant people involved (such as PAP). This is necessary in order to efficiently perform and complete the land access process necessary for the pipeline installation and the implementation of the TAP project including its safe and secure operation.

Contact has been established with PAPs (prior to the entry into force of the GDPR) in the context of land rights acquisition on the basis of the Company’s legal obligations: in particular Greek law 4001/2011 “for the functioning of the energy markets of electricity and natural gas, for research, production and transmission networks of hydro-carbons and other provisions”. This law, in combination with TAP AG’s permitting as an Independent Natural Gas System, Greek law 4217/2013, which ratifies the Host Government Agreement between the Hellenic Republic and Trans Adriatic Pipeline AG, Albanian Law 116/2013, which ratifies the Host Government Agreement between the Republic of Albania and Trans Adriatic Pipeline AG, and other specific legal provisions, establish the procedure for land access for the purposes of the pipeline installation in view of the development and completion of the TAP project, which is a project of national importance and in the national and public interest of the Hellenic Republic. It is also noted that a number of PAPs have signed relevant agreements with TAP AG in the context of TAP AG’s negotiation procedure of land rights acquisition as per TAP AG’s obligations deriving from applicable legislation.

In view of the above, TAP AG, as the established and licensed Transmission System Operator of the Trans Adriatic Pipeline, TAP AG is responsible for the construction and operation of the Trans Adriatic Pipeline, and in particular the safe and secure operation of the pipeline, has a legitimate interest to share basic information as regards the pipeline operation with local people, living or owning land close to areas, where the pipeline passes, or related stakeholders / people, who should be informed, as considered necessary by TAP AG , given their proximity to / relationship  with the pipeline.  

Furthermore, TAP AG may use the data described in this Privacy Notice extract for various reasons related to land matters, such as for the support of local people, to resume farming/cultivating activities following completion of construction and reinstatement. This may occur in the context of TAP AG’s Livelihood Assistance and Transitional Support program (LATS) or outside of this context where it is in the legitimate interest of TAP AG to provide necessary support to people affected by the pipeline construction in the context of land reinstatement and transition to operations of the Trans Adriatic Pipeline.

Additionally, the data described this Privacy Notice extract continues to be used for any other land related purposes in places, where construction is not finished yet or in cases, where land matters are not concluded. This includes the cases of active construction locations, drafting and signing of land exit protocols, accelerating judicial recognition for compensation beneficiaries, or coordination / communication for an entry (by a TAP AG Contractor) on the land parcels during the operations phase of the Trans Adriatic Pipeline for monitoring, inspection, repair needs and others. 

TAP AG will collect, store and process your data during the pipeline’s construction and operation. If there is any pending legal dispute at the end of the above-mentioned period of time, data will be collected, stored and processed until the end of the dispute with a final judicial decision.  

TAP will process the personal data you provide in order to conduct its commercial activities and in relation to the TAP Network Code, market test and registration process for becoming a registered party to the TAP transportation system, stakeholder forums and in relation to TAP’s template Gas Transportation Agreement (GTA).

The personal data you provide includes your name, e-mail address, address, telephone and fax numbers, company name, job title and signature as submitted in the response to TAP’s public consultation regarding proposed amendments to TAP Network Code, the registration forms to any market test and in the registration form annexed to TAP’s Network Code (becoming a registered party to the TAP transportation system) and part of the template GTA.

We process your personal data on the basis of TAP's legitimate interests. More specifically, this enables TAP:

• to establish and run the relevant stakeholder forum, question and answer sessions and to respond to any queries during those sessions;
• to comply with (i) the relevant regulatory framework (on the basis of which the TAP Network Code and registration process were developed), as well as (ii) TAP’s Network Code (¶ 22(7) and the registration form annexed to TAP’s Network Code - becoming a registered party on the TAP transportation system and part of the template GTA); and
• to comply with the regulatory requirements for the organisation and performance of public consultations regarding proposed amendments to the TAP Network Code.

We process this personal data to establish and maintain contact with any stakeholder who:

(i) registers to attend question and answer sessions organised by TAP in relation to the TAP Network Code, and addresses clarification requests to TAP on the TAP Network Code and on the registration process during these sessions;

(ii) participates in the market test for a planned expansion to the TAP transportation system, as set out in supplementary data protection information provided to participants in the market test (published on TAP corporate website in the market test section);

(iii) is interested in becoming a member of TAP’s stakeholders forum;

(iv) is interested in becoming a registered party and shipper on the TAP transportation system for the purpose of TAP’s Network Code and the template GTA; and

(v) is interested in participating and providing responses in the public consultations regarding proposed amendments to the TAP Network Code.

We will delete your personal data as soon as it is no longer required for such purpose. You may ask us at any time by e-mail or letter to cease the processing of such personal data and request its deletion.

The SIEM solution is a tool to monitor the stability and cyber security of the IT infrastructure, devices and resources of TAP, to detect and handle cyber security incidents and protect confidentiality of TAP’s confidential and commercially sensitive information from unauthorised access or disclosure.

The SIEM solution is strictly used for the monitoring of security events on TAP's networks and in no way used for the monitoring of employees' and / or third parties' behaviour unless this contributes to a security incident putting TAP's infrastructure at risk.

Access to information collected by SIEM is strictly limited and monitored by TAP cyber security specialist. Authorised security operations centre personnel of InfoGuard AG, TAP’s third party SIEM provider, will have access to security alert information processed by SIEM, but may only access SIEM information under the explicit authorisation of TAP IT personnel for the investigation of incidents.  TAP IT personnel will process information collected by SIEM only for the investigation of security events and similar cyber incidents.  Access to SIEM information is regularly monitored by TAP’s cyber security specialist.

TAP implements appropriate security measures to ensure the security of the information processed through the SIEM solution, in accordance with TAP’s policies and applicable laws.

SIEM collects the following data whenever you use the TAP network:

• Information in relation to your use of the TAP network through the firewalls.
• Information in relation to your login to TAP applications.
• Information in relation to your use of TAP applications including Excel, Word, Outlook, etc.
• Information in relation to your use of emails on the TAP network (limited to email recipient, email sender, email subject titles, and email attachment names). Email content and attachments are not collected.
• Names of documents viewed (headers only)
• Names of files downloaded
• Information in relation to the websites you visit using the TAP network or TAP devices, [including the type of browser, operating system, access times, pages viewed, URLs clicked on, IP addresses, and browser activity].
• Information in relation to virus infections, other malware, and cyber incidents affecting your use of the TAP network or a TAP device.

SIEM does not intentionally process special categories of personal data.

The processing of data collected using SIEM is performed on the basis of TAP's legitimate business interests to have relevant measures and safeguards in place in order to protect TAP’s business, integrity, reputation and assets, and for legal, regulatory and risk management purposes, including establishing, exercising or defending legal claims.

The purpose of processing SIEM information is to detect and to handle cyber-security incidents, including to analyse cyber-security incidents and carry out mitigating actions. The purpose is not to monitor or profile users and actual content data, such as the contents of e-mails, files, forms, databases, etc., are not processed, edited or recorded.

SIEM logs are maintained for a period of 6 months in order to investigate any security incident detected up to this time period into the past. After this period the SIEM log data is erased and no longer accessible.

The HSE Management Services tool (HMS tool) is the electronic version of TAP’s QHSE management system (and it is called ‘Agora’). It reflects the specific HSE, social and cultural requirements and risks as part of TAP’s operations. The HMS tool is the primary tool used to follow the interaction between TAP and its contractors in relation to the activities at TAP sites, and more specifically:

• registration of HSE documents and certifications of individuals for entering the TAP sites;
• managing and reporting incidents.

The HMS tool collects the following personal data whenever it is used:

• Name, telephone numbers, address
• Identification details (ID Number)
• Professional position
• Email
• Supporting training materials and certifications pertaining to the activity to be performed.

The processing of personal data collected using the HMS tool is performed on the basis of the implementation of TAP’s QHSE MS. This TAP QHSE MS consists of several policies and procedures that govern TAP facilities and activities in view of aligning with the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018. Additionally, TAP QHSE MS has been put in place based on international and project standards. Due to the nature of the Company’s profile, safety is a core value for TAP, ensuring precautionary measures are in place to mitigate inherent business risks. Therefore, very high standards have been implemented to ensure that the possibility of an incident is very low, in ALARP level (As low as Practically Possible), as described in relevant TAP policies and procedures, such as the TAP QHSE Policy and the QHSE Management System Manual. To this end, it is in TAP’s legitimate interest to implement this tool and register relevant HSE documents and certifications of people entering TAP sites. This will minimise the possibility of unsafe acts or/and activities being performed by people who have not been properly trained, putting people’s health and safety, the environment, the company’s assets and reputation at risk.

The purpose of processing personal information is so that relevant data is inserted in the HMS tool and stored to document individuals’ certifications. This ensures that relevant competent people are entering TAP sites and performing relevant activities, minimising the risks of unsafe conditions. The use of the HMS tool aims to promote transparency and security. The purpose is not to monitor or profile users as no other decision or evaluation of users is based on this registration on the Agora system. The HMS tool simply ensures that an individual has the certified competence to perform the defined or recorded activity. No automated decision-making takes place in relation to this processing.

The processing of personal data will last as long as the contract with each TAP contractor is in place. This is because personnel of TAP contractors will be required to be on site for as long as this contract is valid. Afterwards, personal data is erased from the HMS tool. 

Contractors of TAP, employers of individuals, who access the HMS tool and insert the personal data on behalf of those individuals.

Limited number of TAP contractors’ representatives, indicatively:

• Global Holdings 2000 S.L.
• DESFA S.A.
• Snam S.p.A.
• AGSco
• Honeywell
• Siemens A.G.

The processing and storage of your personal data is carried out within the European Economic Area (EEA). We may transfer or disclose the personal data we collect to our third-party service providers such as our third-party SIEM provider. When we transfer personal data, we do so for the purposes described above under “Purpose of the processing” in each applicable section.

It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by us, and to flow those same obligations down to their sub-processors. TAP’s third party SIEM provider is covered under a signed non-disclosure agreement and a data processing agreement.

SIEM logs and information may also be extracted and shared with legal authorities when requested by those authorities.

Your data may be delivered and processed in third countries from time to time. This can be for instance in Italy, Greece and in countries, which provide adequate protection on the basis of respective adequacy decisions of the European Commission, such as Switzerland. In any other case (such as Albania), should an international transfer occur, we use safeguards with respect to your personal data, such as data protection clauses in our contracts with data processors to ensure that processing activities in third countries are compliant with the strict requirements of Swiss law and the GDPR.

Information collected from SIEM is stored in TAP’s central SIEM solution which is hosted in Switzerland by TAP’s third party SIEM provider. 

 Not applicable.

You acknowledge hereby that:

You have been informed that you have the right to withdraw your consent at any time, as well as the consequences of such a withdrawal. This does not apply to SIEM processing since TAP does not rely on consent as its legal basis for processing SIEM data.

Moreover, you have been informed regarding the following rights, as established and under the conditions prescribed in the General Data Protection Regulation (EU 679/2016) and the national legislation in force. More precisely:

• you have the right of access to your personal data collected, stored and processed by us.
• you have the right to request the rectification of inaccurate or outdated personal data concerning yourself and the completion of incomplete data concerning yourself.
• you have the right to request the erasure of personal data concerning yourself from our archives, if their processing is not essential for the purposes for which they have been collected.
• you have the right to request the restriction of processing your data when one of the following applies: (i) in case you contest their accuracy for a period enabling the Company to verify the accuracy of this data, (ii) the data is not needed by the Company further for processing but you may need it for the establishment, exercise or defense of legal claims, (iii) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of the data use instead and (iv) you objected to processing pending the verification whether the legitimate grounds of the Company override yours.
• you have the right to receive personal data concerning yourself, which you have provided to us, in a structured, commonly used and machine-readable format.
• for the cases that the processing of your data is based on our legitimate interest to perform an activity, as described in the separate sections above, you have the right to object to the processing on grounds relevant to your case.

Exercising the above rights or for any other issue or question regarding the above, you can address us, without any cost, by letter (Lindenstrasse 2, 6340 Baar, Switzerland), phone (+41 41 747 3400), fax (+41 41 747 3401) or e-mail at DPO@tap-ag.com.

In any case you have a complaint, you have the right to address the competent Data Protection Authority.

In case of exercising one of the abovementioned rights, the Company will take any possible measure in order to investigate the request and address this right within thirty (30) days starting from the receipt of the relevant application, notifying you in written form on the satisfaction of your request or the reasons which prevent its exercise. You will also be notified in case the handling of your request requires more than the abovementioned thirty (30) days. We will process your request as long as you provide us with verification of your identity along with your request.