1.1 The scope of this General Data Protection Policy is to comply with the European General Data Protection Regulation EU 2016/679 (“GDPR”) in every case of processing of Personal Data of natural persons.
“Personal Data” means information that relates to an identified or identifiable living individual and is held either on computer or in other electronic or automatically Processable form or in a paper filing system.
“Processing” means collecting, storing, analysing, using, disclosing, archiving, deleting or doing absolutely nothing with Personal Data.
1.2 Company processes in the course of its business Personal Data regarding its own employees, freelancers, suppliers, customers and other individuals (referred to in this policy as Data Subjects).
2. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
The Company processes personal data in compliance with this policy and the following principles:
- only if the employees and the other Data Subjects are informed of the processing and of their rights prior thereto;
- only if Data has been processed in a way which is legal, fair and in accordance with the principle of proportionality;
- Data must be kept up-to-date, accurate and secure and must be retained for no longer than necessary.
For the processing of Sensitive Personal Data and for data transfers outside the EU, the provisions set out in the present policy shall apply.
2.1 The Company, and the other persons with which it co-operates in the course of its business and wider operations, will only Process Personal Data fairly and for specific and explicit purposes, in pursuit of the legitimate interests that it pursues, provided that the Processing does not prejudice the privacy of the affected Data Subjects or the prejudice is minimal.
The processing may also be based on the Data Subject’s consent, on the Law, or on the fulfilment of a legal obligation.
2.2 The Company will not Process Personal Data which is irrelevant or inadequate, or which goes beyond what is necessary given the purposes of the Processing, unless with the Data Subject’s Consent. The Company keeps Personal Data up to date, correcting Personal Data which is no longer current.
3. SENSITIVE PERSONAL DATA
3.1 The Company processes sensitive personal data only in accordance with the Law. Sensitive Personal Data is data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data of a living individual, data concerning their health, sex life or sexual orientation, and data relating to criminal convictions and offences or related security measures.
3.2 Stricter controls, such as anonymisation, need to be adopted when processing Sensitive Personal Data in case the Data Subject may sustain extensive prejudice from a breach of their privacy. The Company processes sensitive data if:
3.2.1 the Data Subject has given their explicit Consent;
3.2.2 the Processing is necessary for the purposes of performing obligations or exercising specific rights under employment, social security and social welfare laws;
3.2.3 the Sensitive Personal Data has been intentionally made public by the Data Subject; or
3.2.4 the Processing is in accordance with the Law and necessary to protect the Data Subject’s (or another person’s) “vital interests” (where this is a matter of life or death) and the Data Subject is physically or legally incapable of giving consent.
4.1 The Company informs Data Subjects regarding the processing of their personal data. The notice needs to take place before the beginning of the Processing of their Personal Data (or, if it takes place later, as soon as possible from the time of the activation of this policy). The information is to be provided in writing, using simple and clear language.
4.2 Note the following points:
4.2.1 Data Subjects who are employees of the Company have been informed of the processing of their Personal Data, as well as of their right of access to their Personal Data and their right to lodge complaints with the Data Protection Authority. They are also to be informed of any new processing system which may be added or may replace the previous one, to the extent this changes the kind or the extent of the processing.
4.2.2 The Company collects Personal Data of its employees directly from the employees. If the relevant Personal Data is not collected by the Company directly from the Data Subject but from a third party, then the employees have to be informed, unless such collection is obvious to the Data Subject. Likewise, the employees need to be informed when the collection of their Personal Data is entirely optional and not in fulfilment of the employment purposes.
4.2.3 For the information of any third natural person (i.e. customers, suppliers, visitors) who is not an employee of the Company, the Company maintains on its website a relevant notice, which contains information about the Processing of (non-sensitive) Personal Data.
4.2.4 In case the Data Subject asks to be informed on the Processing of their Personal Data by the Company, the Company has the right to refuse to provide said information in the cases provided by the Law, or if the disclosure is not mandated by the Law.
5.1 When the basis for the Processing of Personal Data is the Data Subject’s consent (i.e. Processing of Sensitive Personal Data or Data transfer outside of the EU), a freely given, specific, informed and unambiguous indication of the Data Subject’s wishes is required, by which the Data Subject, by statement or by a clear affirmative action (such as ticking a box), signifies agreement to the Processing of their Personal Data. Mere failure to respond does not amount to Consent.
5.2 Consent can be withdrawn at any time. The Company does not rely on Consent where Processing is not genuinely optional from the perspective of the Data Subject. For this reason, the lawful basis for the processing of Personal Data for HR purposes should not be the Data Subject’s Consent. It is acknowledged that Consent for employment purposes is not freely given and therefore an alternative basis should be relied upon: for example, compliance with legal obligations, performance of the employment contract, and legitimate HR, compliance and business interests.
5.3 Explicit consent will be required in order to collect and process Sensitive Personal Data if no other alternative basis is available.
5.3.1 Consent is requested in an intelligible and easily accessible form, using clear and plain language, while making sure that the Data Subject understands, when granting consent, that they are free to withhold the requested Consent without suffering any adverse consequence, and that the Consent can be withdrawn at any time, by information provided by direct means;
5.3.2 if Consent is given in written form, and the relevant document also concerns other matters, it needs to be certain that the consent is clearly distinguishable from the other matters; and
5.3.3 the Company makes sure that it can at any time document the Consent given.
5.4 Where explicit Consent is required, the Company will need to explain in specific terms the nature of the Processing to be carried out and the Personal Data to be Processed, as well as providing all the information set out in Article 13 of the GDPR and in Annex 1; the Data Subject will in such instances need to make an explicit written statement (or expressly agree to a clear statement provided by Company) agreeing that the Processing may proceed.
5.5 The Company will ensure the compliance with the above principles in any case of International Data Transfer.
6. RETENTION AND DESTRUCTION
The Company is required to know and, in the instances provided by the law, to maintain records of its processing activities. The Processing Archive contains the elements referred to in Annex 2.
Subject to applicable law, the Company will delete, anonymise or restrict/discontinue the processing of Personal Data when it is no longer necessary, in accordance with the law or the Personal Data Retention Policy. In case records containing Personal Data are retained in accordance with applicable law and the present policy, the employees who are responsible for such data should regularly review them and delete Personal Data (or records containing it) which is no longer required, for example by deleting emails from email folders.
7. DATA SECURITY AND THIRD PARTY CONTRACTS
7.1 Company will have technical and organisational security measures in place to protect all Personal Data that it Processes in accordance with its security policies.
7.2 Where Company outsources the Processing of Personal Data to any third party service provider it will:
7.2.1 conduct appropriate due diligence on the technical and organisational security arrangements that the service provider will have in place to protect such Personal Data;
7.2.2 ensure that the arrangement is governed by a written agreement setting the obligations of the service provider as described in Annex 2 to this Policy; and
7.2.3 take reasonable steps (for example by exercising audit rights and/or making enquiries of the service provider) to ensure that the security measures required of the service provider are in place in practice over time during the life of the relevant Processing arrangement.
7.3 Contracts with third-party service providers include specific terms as well as the right to conduct audits.
7.4 The Company is obliged to report certain breaches of security affecting Personal Data to the competent data protection authorities, and in some circumstances it is obliged to also inform the affected Data Subjects. An employee who becomes aware of or suspects such a breach should report it to the Data Protection Coordinator, in order for the Company to comply with its legal obligations and, in general, to investigate and respond to the apparent breach.
For video monitoring, the provisions of Annex 3 shall apply.
8. DATA SUBJECT’S RIGHTS
8.1 Data Subjects have the right:
8.1.1 to be provided with a copy of the Personal Data that Company holds about them, with certain related information;
8.1.2 to require the Company, without undue delay, to update or correct any inaccurate Personal Data, to complete any incomplete Personal Data, concerning them;
8.1.3 to require Company to stop processing their Personal Data for direct marketing Purposes; and
8.1.4 to object to the processing of their Personal Data in general.
8.2 Data Subjects may also have legal rights, including in certain circumstances:
8.2.1 to require Company, without undue delay, to delete their Personal Data;
8.2.2 to temporarily or permanently “restrict” (i.e. suspend) Company’s processing of their Personal Data, so that it can only continue subject to very tight restrictions; and
8.2.3 to require Personal Data which they have provided to the Company, and which is processed based on their consent or for the performance of a contract to which they are parties, to be made accessible to them or to an alternative service provider.
8.3 If Company receives a communication from any Data Subject asking to exercise any of these rights, that communication should be handled in accordance with the Data Subject’s Access Request process.
9. INTERNATIONAL DATA TRANSFER; AUTOMATED DECISION-MAKING AND ADOPTION OF MEASURES (INCLUDING PROFILING)
9.1 Company will only Transfer Personal Data outside the EU:
9.1.1 where the Transfer is made to a country or other territory which has been assessed by the European Commission as ensuring an adequate level of Personal Data protection;
9.1.2 where the Data Subjects have given their explicit Consent to the transfer; or
9.1.3 where the transfer is compliant with the GDPR and other applicable laws.
9.2 Company will not use Processing Systems to take decisions producing legal effects concerning living individuals, or otherwise significantly affecting them, based solely on automated Processing of Personal Data, unless it is in compliance with the GDPR and other applicable laws.
10. COMPLIANCE WITH THIS POLICY
All legal or natural persons processing Personal Data on behalf of or in the name of the Company, including freelancers and employees, must comply with this policy and report any existing or possible breach to the Data Protection Coordinator of the Company. Failure to comply with this policy is a serious matter which may give rise to disciplinary sanctions, including dismissal.
Moreover, any employee and manager of any department of the Company informs the Data Protection Coordinator of any new processing of Personal Data, in order to maintain an updated archive of processing activities at all times.
11. THE DATA PROTECTION COORDINATOR
The Company has appointed a Data Protection Coordinator, in order to supervise compliance with the GDPR and to respond to Data Subjects’ questions, requests and complaints.
The Data Protection Coordinator may keep the files which are necessary to prove the Company’s compliance with the GDPR (processing file, consent forms, access request forms, etc.).
12. CO-OPERATION WITH DATA PROTECTION AUTHORITIES
The Company is obliged to co-operate with the competent data protection authorities during the performance of its works. Any communication received from a competent data protection authority should be passed on to the Data Protection Coordinator as soon as is reasonably practicable.
INFORMATION TO BE PROVIDED TO DATA SUBJECTS
According to Article 13 of the GDPR, the information referred to in this Policy is:
1. The identity and contact details of the Company or of the person assigned by the Company that controls the Processing of the relevant Personal Data;
2. Where relevant, the contact details of the Data Protection Officer of the Company’s partner;
3. The purposes for which the Company’s partner intends to Process the Personal Data;
4. The legal basis for the Processing (for example legitimate interest, consent);
5. Where the Processing is based on legitimate interest, the relevant legitimate interest pursued by Company or another person assigned by the Company to justify the Processing;
6. Where the Company is not collecting the Personal Data directly from the Data Subject but from a third party, the categories of Personal Data collected and the sources from which they are collected;
7. Any intended recipients or categories of recipient of the Personal Data (this means recipients outside Company, such as third party service providers);
8. Where applicable, the fact that the Company intends to Transfer the Personal Data to a country or territory outside the European Region, together with information as to:
8.1 whether the relevant country has been determined by the European Commission to ensure an adequate level of protection for Personal Data; and
8.2 where this is not the case, and if the Company justifies Transferring the Personal Data to that country or territory on the basis that it has put in place adequate safeguards to protect the Transferred Personal Data (for example, an appropriate data transfer agreement), the nature of those safeguards and that a copy can be obtained from the Data Protection Coordinator;
9. The time period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that time period;
10. The existence of the legal right to request from Company access, correction, deletion or restriction of processing of Personal Data concerning the Data Subjects or to object to the processing as well as the right to data portability and that these rights can be exercised by contacting the Data Protection Coordinator;
11. That the Data Subjects can, if they so wish, lodge a complaint about the Company’s processing of their Personal Data with the competent national or regional data protection authority;
12. Where the Company is collecting the Personal Data directly from the Data Subjects, whether provision of the requested Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract and whether the Data Subject is obliged to provide the Personal Data and the possible consequences of failure to provide it; and
13. Detailed information about any automated decision-making techniques which may be used and, where applicable, the rights of the individuals to object to the adoption of any automatic decision affecting them.
PROCESSING ACTIVITY FILES AND RECORDS
A. Activity Files
1. The Company keeps on file all the categories of processing activities for which the Company is responsible. This archive includes the following information:
a) Name or title and contact information of the Controller and, if applicable, of any joint controller and of the person responsible for data protection
b) The processing purposes
c) All the recipient categories, who receive or may receive personal data, including recipients in third countries or international organizations
d) Description of the data subject’s categories and the categories of personal data.
e) Where applicable, profiling
f) Where applicable, all the categories of transferred personal data to any third country or to any international organization
g) Reference to the basis of applicable Law, including personal data transfers
h) if feasible, the expected deadlines for the deletion of the different categories of personal data
i) if feasible, general description of the technical and organizational security measures, which the Company adopts in order to comply with the Law.
2. Where the Company processes personal data on behalf of a controller, it keeps on file the categories of processing activities carried out on behalf of each controller. This archive includes the following information:
a) Name and contact information of the processor or processors, of each controller on whose behalf the processor is acting and, if applicable, of the person responsible for data protection
b) The processing categories which are conducted on behalf of each controller
c) if pertinent, the personal data transfers to a third country or an international organization, including the identification of said third country or international organization, if expressly mandated by the Controller
d) if possible, a general description of the technical and organizational safety measures adopted by the Company.
3. All the files referred to in paragraphs 1 and 2 are kept in writing, or otherwise in electronic form.
1. The Controller and the Processor maintain, as a minimum, records of the following automated processing operations carried out via the automatic processing systems: collection, modification, information searching, sharing (including transfer), combination and deletion.
2. The records of information searches and disclosures should be kept in such a way that it is possible to determine the justification, the date and the time at which the actions mentioned in paragraph 1 took place and, if possible, the identity of the individuals participating therein, especially the identity of the person who searched for information or disclosed personal data, as well as the identity of the recipients of said personal data.
3. The Controller takes into consideration the requirements of paragraphs 1 and 2 already during the planning of the mentioned processing activities and the relevant systems and procedures.
4. Without prejudice to any procedural rules, these records are to be used exclusively for the verification of the legality of the processing, the performance of internal audits by the Controller or the Processor, and assurance of the integrity and safety of the personal data, including in the context of criminal proceedings.
5. The Controller and the Processor maintain at the disposal of the relevant supervising authority all these records upon request.
All systems that are installed on a permanent basis, or that function without interruption or at regular intervals, and have the capability of receiving and/or transmitting picture signals and/or sound from a location to a limited number of screens and/or recording devices operated by the Company or on behalf of the Company, are regulated by the following rules.
1. The Data should not be kept longer than the time period that is necessary in view of the intended purpose of the processing. As long as no occurrence falling under the intended purpose results from the recording of sound or picture data, whether stored or received in real time, said data has to be destroyed within fifteen (15) calendar days at the latest, notwithstanding any special provisions of the applicable laws which apply to special categories of Controllers. In case of an occurrence relevant to the scope of the processing, the Company is permitted to maintain the recordings of the specific occurrence in a separate file for three (3) months. Beyond the above time period, the Company may maintain such data for a longer period only in special cases where the occurrence requires further investigation.
2. Transfer to third parties of data from the video monitoring system is permissible in the following cases:
a) only after prior consent of the Data Subject;
b) exceptionally, transfer is allowed without consent following a specially justified request by a third party, when the Data is necessary to be used as proof for the justification, filing or support of legal claims or of a punishable act, and may contribute to the investigation of the facts or the identification of the perpetrators.
The transfer of personal data to the competent judicial, public prosecution and police authorities, when they request it in the framework of the exercise of their duties according to the law, is not considered a transfer to third parties.
3. The Company is obliged to adopt the appropriate organizational and technical measures for the privacy and the safety of the Data as well as for the protection from any illegal or unlawful processing, such as the access control or secure transfer.
4. Before a person enters the range of the video monitoring system, the Company is obliged to inform him/her, using the appropriate means in each case and in an obvious and clear way, that he/she is about to enter a space where CCTV is in operation, and to provide information on the scope of the processing, the nature of the system used, the place of installation, its range and the time period for which said data is kept.
5. Without prejudice to the provisions of Article 15 of the GDPR, when a Data Subject exercises their right of access to the picture or sound data kept by the Controller, the latter has the obligation to provide, within fifteen (15) days from submission of the request, a copy of the segment of the picture in which the Data Subject appears or a printed series of segments from the recorded pictures, or to inform the interested person in writing within the same time frame that the relevant segment of the recording is no longer maintained. Alternatively, if the Data Subject consents, the Company may simply display the mentioned segment. For this purpose, the Data Subject has to indicate the exact time and location at which they entered the range of the cameras.
6. When the Company provides an image copy, it is obligated to mask the image of third parties by appropriate technical means where their right to private life could otherwise be violated, unless this concerns a mere display.
7. Data collected by closed-circuit television (CCTV) may not be used as the sole criterion for the assessment of the behaviour and efficiency of employees.
8. The transfer of video monitoring data outside the EU may take place only under the prerequisites of the Law.
RULES FOR THE USE OF COMMUNICATION AND IT MEANS DURING WORK
1. The collection and processing of data which involve the use of means of communication in the work area or in relation thereto, such as telecommunications, email or internet use, are permissible provided they are absolutely necessary for the protection of individuals or property, or for the organization and audit of the work or turnover assigned to the employees, including the relevant audit expenses. The stored and processed data have to be limited to what is strictly necessary for the achievement of the above-mentioned purposes.
2. Collected and processed personal data may not be used for other purposes, unless this is done in fulfilment of legal obligations or of an overriding legal interest of the Company-employer as Controller, or of another employee, especially when documenting the need to verify behaviour expressly forbidden by the rules of the work/employment relationship or by the work regulations, and it is not possible to substantiate it by more subtle means.
3. Employees must be informed in writing and individually of the data collection and processing according to the previous paragraphs, of the basic technical features of the methods used, of the persons to whom said data is or may be transmitted, and of the employees’ rights. Personal data resulting from personal data processing according to the previous paragraphs may not be used by the employer against an employee in relation to the employment if he/she has not previously been informed in accordance with the above.
4. The Company- employer, as Controller, has designed and implemented a regulation for the use of communication and electronic means of processing which employees use in the work areas or for the works’ purposes or which have been provided to them by the employer.
5. The means that the Company provides to the employee for the performance of his/her work, such as furniture, laptop, cell phone, screen, etc., belong to the Employer or, in the event of leasing, the Employer is the authorized user (for example car leasing). The Employee does not have the right to keep copies of personal data to which he/she has access, for personal use or for the use of unauthorized third parties.
6. The Company does not allow the storage of personal emails or files of the employee which are not related to or necessary for the performance of his/her work. In case such files exist, the Employee is responsible for their immediate deletion and in any case for their segregation from other files which belong to the Company. Sending personal emails from the email account created by the Employer, bearing the Company’s trade name, for business communication purposes is explicitly forbidden. For personal communications, the Employee may use the Employer’s free wifi with his/her personal email account through his/her smartphone.
7. The employee is responsible for the safety of the Employer’s property, including the property of third parties, provided to the Employee for the performance of his/her duties, as well as during the use of the Employer’s technical and organizational infrastructure (products and software). After the termination or expiration of the present for any reason whatsoever, the Employee returns to the Employer’s authorized representative all the means that the Employer provided during the employment period.