The Company is committed to protecting personal data and avoiding its improper use. This policy creates a standard for processing personal data, and it applies to all employees, management, vendors, customers, acting for and on behalf of the Company. Moreover, it applies to personal information that we collect, store and transmit, process and retain. The Company shall take all appropriate technical measures to guarantee that the processing of personal data is compliant with this policy and the legal provisions. Questions regarding this policy, and the lawful processing of personal data can be addressed to the following contact details: firstname.lastname@example.org
This policy is in accordance with European Union Regulation 2016/679.
We will process your personal data if there is a legal basis to do so. Examples of legal basis are:
✓ Written consent from you.
✓ Our legitimate interest to use your personal data.
✓ Legal compliance purposes.
Personal data is information that can be related to an individual. Examples are the name and contact details, address, e-mail etc.
Sensitive personal data is data on: religion, ideological, political views, health, genetic or biometric information, the racial and ethnic origin.
Profiling is any form of automated processing of personal data consisting of the use of personal data in order to evaluate certain personal aspects relating to an individual.
Data subject is a physical person to whom personal data relates.
Data processing is any activity and operation performed on personal data.
Data file means any structured set of personal data which are accessible in such a way as to make it possible to deduce the person in question from the data.
Disclosure means making personal data accessible.
Data Protection Impact Assessment is the systematic process for identifying, evaluating and documenting the risks and impact of personal data processing activities to the rights of individuals.
Data controller is the legal person who decides and determines the purpose, content and procedure of processing personal data.
Data processor is the physical or legal person that processes personal data as instructed by the data controller.
2.3.1 Data processing principles
For compliance purposes with the applicable law, the company must collect, process and store personal information in accordance with the following data protection principles.
18.104.22.168 Lawful and fair processing
Personal data may only be processed fairly and lawfully. Every data processor must ensure compliance with this policy and the relevant laws and regulations.
22.214.171.124 Processing based on Consent
Before personal data may be processed, the data subject must be duly informed about each purpose of processing operation carried out by the controller. Consequently the data subject must actively give a recorded statement / consent. The data subject may withdraw his/her consent at any time by contacting the DPO of our Company.
126.96.36.199 Purpose of processing
Personal data may only be processed for the purpose indicated at the time of collection. Some of the main purposes for which we use your personal data are:
✓ Complying with legal requirements.
✓ For management and administrative purposes.
✓ Improvement of website, products and services.
188.8.131.52 Adequate and not excessive processing
Personal data shall be adequate and not excessive in relation to the purpose for which it is processed.
184.108.40.206 Accuracy and quality of data
In case your personal information has changed, you are encouraged to contact the DPO for communication regarding data protection issues of the Company as soon as possible in order to update any personal data.
220.127.116.11 Data storage and retention
Personal data will be stored for as long as it is required to fulfil the purpose for which the data was collected and processed. We will review the retention period of the data we hold and delete it securely, when there is no longer a legal, business or customer need for it to be retained.
18.104.22.168 Disclosure to third parties
A third party data processor acting on behalf of the company, shall contractually agree to process personal data in accordance with this policy. The terms of this policy shall be included by reference in the relevant contracts. Furthermore the Company will have the right to audit the third party data processor for the adequacy of the relevant used controls.
22.214.171.124 Cross-border disclosure of personal data
The company operates within and outside the European Union, consequently data may need to be stored outside the European Union, or the company many need to send your personal data for legal compliance purposes abroad.
Personal data may only be disclosed abroad (outside the EU) if the foreign law provides for an adequate level of data protection. In case the foreign law does not provide an adequate level of data protection, personal data may only be transferred to such country if the data subject has explicitly consented to the transfer.
The Company shall take appropriate personnel, technical and organizational measures to minimize the risk of accidental or intentional breach, destruction, or loss of personal data.
2.3.2 Data Protection Impact Assessment (DPIA)
The Company will ensure that a DPIA is conducted whenever a planned processing activity may pose a high risk to the data subject’s rights and freedoms. Where the DPIA results in the conclusion that there is a high risk for data subjects, the supervisory authority must be notified and its view on adequate measures to reduce the risks must be obtained.
2.3.3 Data subjects’ rights
All individuals who are subject of personal data held by the company have the right to obtain information from the company about the processing of their personal data. In particular, data subjects may exercise their rights in terms of access, rectification, erasure, restriction, data portability in a structured, commonly used and machine-readable format, objection and/or prevention of automated decision making of their personal data.
Any request must be in writing while a reply to such a request can be expected within one (1) month. There is no fee for requests.
The Company shall provide the data subject in written with a copy of information held by the Company concerning him or her, containing:
a) the purposes of the processing,
b) the type of personal data being processed,
c) information on the retention period,
d) the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning them or to object to such processing,
e) the right to lodge a complaint with the supervisory authority,
f) details of a planned cross-border transfer.
2.3.4 Records of processing activities
The company shall maintain a record of all processing activities under its responsibility that containing personal data. The record shall include the following minimum information:
a) name and contact details of the data controller,
b) name and contact details of the data protection officer,
c) purpose of processing,
d) description of categories of data subjects,
e) description of categories of personal data being processed,
f) description of categories of data recipients,
g) description of cross-border data transfer,
h) a general description of the technical and organizational security measures, where possible.
2.3.5 Training and raising awareness
The Company is responsible for ensuring that every employee is trained in data protection and data security matters.
a) Technical and organizational measures must be taken to ensure systematic and secure management of personal data,
b) Data processing systems must be aimed at collecting as few personal data as necessary,
c) In case of anonymizing the data, personal data must be rendered anonymous,
d) Where personal data cannot be anonymized, security measures appropriate to the nature of the data must be taken, such as pseudonymization, encryption, or access restriction,
e) Access to personal data shall be granted according to the “need-to-know” principle,
f) Data processing systems must be adequately protected from unauthorized access,
g) Data subjects must be provided with transparent, user-friendly and effective means of control concerning their personal data.
Data processing systems must be setup in a way that the strictest privacy settings apply automatically.
More extensive processing of personal data is only permitted if the data subject gives its explicit consent to extended processing.
The Company is responsible for the lawfull processing of personal data and compliance with data protection and data security requirements as set out in this policy or pursuant to applicable law.
2.5.2 Data processor
The data processor is responsible for processing personal data according to the instructions received from the data controller. Furthermore, the data processor is responsible for notifying the data controller of a data protection breach without delay and specifically within 24 hours.
The potential penalties and damages resulting from a data protection infringement are serious for both the person committing the violation and for the company. Any violation of this data protection policy may result in regulatory penalties.
2.6.1 Data breach recording
The Data Protection Officer systematically documents disclosed breaches and evaluates the reasons for the breaches. Furthermore, he initiates further required measures to remedy the situation and to prevent breaches from recurring.
2.6.2 Data breach notification
The Company must notify a data breach to the Greek Data Protection Authority within 72 hours after becoming aware of it.
Furthermore, if the personal data breach is likely to result in a high risk to the data subject’s rights and freedoms the data subject must be informed without delay.