‘Personal data’ means any information relating to an identified or identifiable natural person (‘Data Subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Special categories of personal data’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning the sex life or sexual orientation.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means or not, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, alignment, restriction or erasure;
“Consent” of the Data Subject means any indication of free, specific, express and fully informed intent, by which the Data Subject expresses that it agrees, by a declaration or by a clear affirmative action, that his personal data may constitute the subject of processing.
“Controller” means the natural or legal person, or public authority, the service or another body which, alone or jointly with others, determines the purposes and manner of the processing of personal data.
‘Processor’ means a natural or legal person, a public authority, an agency or other body which processes personal data on behalf of the Controller.
“Recipient” means the natural or legal person, or public authority, the service or another body to which the personal data are disclosed, regardless if they involve a third party or not.
“Third party” means any natural or legal person, the public authority, the service or body other than the Data Subject, the Controller, the Processor and persons who are under the direct supervision of the Controller or of the Processor, are authorized to process personal data.
The Company respects and protects the privacy of the Data Subjects and applies the appropriate technical and organisational measures in order to ensure that the Personal Data Processing is carried out in full compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.4.2016 on the protection of natural persons with regard to the processing of personal data (hereinafter referred to as the “General Data Protection Regulation” or “GDPR”) and with the implementing Law 4624/2019 of the GDPR in Greece (hereinafter the GDPR and Law 4624/2019 jointly referred to as the “Applicable Legislation”)
3. SCOPE OF IMPLEMENTATION
The purpose of this Policy is to establish principles and rules in order to ensure that the Company, when acting as a Controller, collects, processes and stores the Personal Data in compliance with Applicable Legislation as well as with the current legal and regulatory framework.
This Policy applies to all the Personal Data processed by the Company which acts as a Controller of the following categories of Data Subjects:
• work candidates and employees.
• future, existing and former customers.
• suppliers (contractors, consultants, partners etc).
Whenever the Company acts as Processor it shall ensure and process Personal Data in accordance with the instructions of the Data Controller, it shall provide sufficient assurances for the application of appropriate technical and organisational measures, in such a way that the Processing meets the requirements of the GDPR and the protection of the Data Subject’s rights is ensured and shall also ensure that the Personal Data Processing by the Company, which acts as Processor, is governed by a contract with the Controller, with content that complies with Article 28 of the GDPR.
4. POLICY OBJECTIVES
This policy primarily ensures that the Company:
• Complies with the applicable legislation and is able to demonstrate such compliance.
• Protects individual rights and freedoms of Data subjects.
• Is protected from the risks of Personal Data violation.
5. GENERAL GUIDELINES
• Only the executives and employees who process these data shall have access to the Personal Data which are managed by the Company for the purpose of fulfilling their responsibilities.
• The Company shall provide all executives and employees with the required training so that they are informed and able to understand their responsibilities in relation to the Personal Data that they are processing.
• Executives and employees must comply with this Policy, as well as with all related policies and procedures, in order to ensure the safety and the lawful Processing of Personal Data.
6. CORPORATE PRINCIPLES
The Company has adopted the following principles which govern the collection, use, retention, transmission, communication and destruction of Personal Data.
6.1 Fair and Transparent Processing
The Company processes Personal Data in a legitimate and transparent manner in relation to the Data Subjects (“principle of legality, objectivity and transparency”).
This means that the Company informs the Data Subjects with respect to the performed Processing of the Personal Data (transparency). This Processing is compatible with the information given to the Data Subject (objectivity) and is carried out for one of the purposes which are set forth in the GDPR (legality).
6.2 Limitation of the Purpose of Data Processing
The Company processes Personal Data which are collected for specific purposes and which are not further processed in a manner incompatible with the connected purposes, unless the subject has given relevant Consent.
In pursuing its business activity, the Company collects and processes Personal Data mainly for the following purposes:
• For the performance of a contract in which the Data Subjects are contracting parties or in order to take steps, at the request of the Data Subjects, prior to the conclusion of a contract.
• To comply with the requirements of the legal and regulatory framework.
• In order to serve its legitimate interests, to the extent that they do not infringe the interests or fundamental rights and freedoms of the Data Subjects.
6.3 Minimization of the Data
The Personal Data processed by the Company are adequate, relevant and limited to the extent that is necessary for the purposes for which they are Processed. The Company does not store Personal Data exceptthose which are required for the purpose of processing.
6.4 Data security
The Company shall take appropriate organisational and technical measures to adequately protect Personal Data from loss or abuse and shall maintain a Corporate Policy and Safety Procedures (F&A “Corporate Information Security Policy & Procedures” Version 1.6). FA – Corporate Information Security Policy Procedures_v1 6 15 2 2019.pdf
6.5 Data Accuracy
• The Company ensures, to the possible extent, that the data, which are kept by it, are “accurate” and “updated”.
• The Company has established the appropriate mechanisms so that Data Subjects are able to update their data easily and quickly.
7. DATA COLLECTION – INFORMATION OF DATA SUBJECTS
Personal Data are collected by the Data Subject.
The Company shall ensure during the collection of the data that the Data Subject is immediately informed, by providing access to this Policy and according to the category of the Subjects which relates to the corresponding Subjects’ Information Forms below, in accordance with the Subjects’ Information Management Procedure which it has Subjects’ Information Management Procedure.docx
Information sheet for work candidates Information of work candidates.docx
Information sheet for Employees Information of Employees.docx
Customers’ Information sheet Customer Information.docx
Suppliers’ Information sheet Suppliers’ Information.docx
Visitors’ Information sheet Visitors’ Information.docx
7.1 Consent of the Data subject
In the event that the Company collects Personal Data with the consent of the Data Subject, in order for the Company to obtain a legal basis for their processing, it follows the Consent Obtaining Procedure which has been adopted by it. Consent Obtaining Procedure.docx
8. DATA PROCESSING
8.1 Terms of Processing
The Company processes Personal Data if at least one of the following terms – legal bases is applicable:
• The Data Subject has consented to the processing of its personal data for one or more specific processing purposes.
• Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
• Data processing is necessary for compliance with a legal obligation to which the Company is subject;
• Processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require Protection of Personal Data, in particular, where the Data Subject is a child.
8.2 Special Data Categories
The Company processes Special categories of data, only in specific and limited cases, in particular with regard to the health data of its employees. Such data of the employees shall be processed for the purpose of fulfilling the obligations which are provided for by employment laws, social insurance or social protection legislation.
9. DATA RETENSION
In accordance with the Applicable Legislation, the Company is obliged to minimize the retention period of Personal Data. These data shall be kept in a form which allows the identification of the Data Subjects only for the period which is required for the purposes for which they are collected or processed.
The data retention period shall be established on a case-by-case basis, taking into account the purposes of Personal Data collecting and processing. The Company’s obligation regarding the Data retention results from the national law or/and the relevant regulations or/and from contracts and the obligations to employees and other partners or suppliers of products or services.
10. DATA SUBJECTS’ RIGHTS
The Company operates as Controller in compliance with the requirements of the Applicable Legislation, more specifically with respect to the management and the fulfillment of the rights of natural persons.
The Company has established a process for the management of the Subjects’ requests for exercising their rights and also a request registration file is kept, with the main purpose of informing and facilitating the exercise of these rights by the Data Subjects.
In detail, every Data Subject may exercise the following rights:
10. 1 Right of Information
All natural persons for whom the Company collects and processes their personal data have the right to be informed about:
• The categories of their personal data kept by the Company and the purpose of keeping them.
• How they can gain access to their data.
• The procedures followed by the Company in order to ensure compliance with its data protection obligations.
10. 2 Right to rectification
Data Subjects have the right to request the Company to rectify or complete their incorrect, misleading, outdated or incomplete personal data. Provided that the procedure for confirming the identity of the applicant is carried out, the Company shall appropriately amend the data of the subject for which a request for rectification has been filed. Subsequently, the Company confirms to the applicant that the relevant amendment has been conducted in accordance with the information which was submitted to the Company.
10.3 Right to erasure
Data Subjects have the right to request the Company to delete or remove any Personal Data which are kept by the Company. In case the subject’s data have been transmitted to Processors who process these data, then they must also delete them accordingly.
The Company is obliged to delete the Personal Data when one of the following cases applies:
• Personal Data are no longer necessary for the purposes for which they were collected or otherwise processed.
• The Data Subject revokes its consent and there is no other legal basis for their processing.
• The Data Subject opposes to the processing which is conducted on the basis of the Company’s legitimate interests and there are no other exigent legitimate grounds for continuing to be processed.
• Personal data have been unlawfully processed.
The Company has the right to refuse deletion to the extent that the processing is necessary:
• For compliance with a legal obligation which imposes the processing.
• For the establishment, exercise or support of legal claims.
10.4 Right to object
The Data Subject has the right to deny at any time the processing of personal data:
• For reasons related to its specific situation.
• Whenever personal data are processed for reasons of direct marketing.
• Whenever personal data are processed for scientific or historical research or for statistical purposes.
In order to decide whether or not to approve an objection, the Company shall examine if a legal framework exists for the continuation of processing. The legal framework for the continuation of processing takes precedence over the rights and freedoms of the data subject or if it is required for the establishment, exercise or defence of legal claims. Where such reasons do not exist, processing must cease immediately.
10. 5 Data Portability Right
Upon request and provided that the relevant requirements which are established by the Regulation are complied with, the Data Subject shall have the right to obtain a copy of its data in a structured form. The Data Subject may also request that its data are transferred directly to another organisation. In this case, the data are transferred free of charge.
11. DATA TRANSFERS OUTSIDE EU
In the cases of cross-border transfer of personal data to a non-EU country, the Company shall maintain a process of cross-border transmission of personal data outside the EU in order to ensure the legality of the transfer. Non-EU Cross-Border Data Transfer Process.docx
The Company proceeds to the transfer of Personal Data to a third country if there is an adequacy decision (Article 45 GDPR) or appropriate guarantees through the conclusion of standard contractual clauses (Article 46 GDPR).
12. VIOLATION REPORTS
Every employee of the Company, who has reasonable indications that a breach in the systems or/ and in personal data has taken place, shall immediately notify the competent employee or the external consultant who has been appointed by the Company, by including a detailed description of these indications.
The competent employee or external consultant shall investigate all reported incidents in order to confirm whether a personal data breach has been noted. In case of confirmation of the breach of Personal Data, the person responsible shall follow the personal data infringement Communication Procedure of the Company. Procedure for the Notification of Infringement.docx
13. PERSONNEL TRAINING
All staff members of the Company must possess the necessary skills and knowledge in order to carry out their duties and be familiar with compliance issues, as they are provided for by the Applicable Legislation. The training and education of staff shall ensure the continuous updating and the early notification of the obligations concerning the application of the regulatory provisions about data protection and also apply the changes that may be have been performed.
Significant revisions to this Policy shall be communicated to the Company’s employees through the competent staff management officer.