POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL INFORMATION
Pursuant to article 13 of the General Data Protection Regulation (679/2016) and the relevant Greek legislation, the policy on the processing and protection of personal data adopted by the company is the following:
1. DATA CONTROLLER
The Company with trade name EURICOM HELLAS SA is the data controller, with contact telephone number 2311 990 600 and e-mail address firstname.lastname@example.org.
2. DATA PROTECTION OFFICER
Ms TZIVALIDOU FOTINI is the company’s data protection officer. Her contact telephone number is 2311 990 609 and her e-mail address is email@example.com.
3. PURPOSE OF PROCESSING OF PERSONAL DATA AND LEGAL BASIS FOR SUCH PROCESSING
The company collects, enters, organizes, keeps, stores, uses, amends, deletes or destroys the personal data of employees and clients, with the objectives: (1) to perform a contract; (2) to comply with a lawful obligation, but also (3) to protect the company’s lawful interests.
Where the company wishes to process data for a purpose other than those cited above, it must immediately inform the data subject, and only after it has received the subject’s explicit consent/permission may it proceed with the processing. In any case, the data subject reserves the right to revoke his/her consent at any time.
Processing for the purpose of the company’s lawful interests means any processing performed in the context of the company’s operating activities that cannot be justified by reference to a legal obligation and is not carried out to perform the terms of a contract concluded with a natural person.
For example, the company has a lawful interest when processing is performed in the context of customer relations, when it processes personal data for the purposes of direct marketing, for the video-surveillance of the company’s facilities aimed at the safety of the personnel as well as the company’s goods and property, for the prevention of fraud, or to ensure the security of the network and information systems it uses.
In any case, the company does not process special category personal data, which may reveal one’s racial or ethnic origin, political beliefs, religious or philosophical convictions or participation in a union, genetic data, biometric data, data relating to the sexual life and sexual orientation of an individual, or data relating to the subject’s health.
Employees’ personal data are deemed necessary for hiring in compliance with the relevant legislation and for the commencement of their collaboration with the company, while customers’ personal data are deemed necessary for the performance of the transaction on each occasion.
Correspondingly, the financial data of employees and customers (Tax Identification Number, Tax Service, etc.) are deemed necessary for the performance of the company’s lawful obligations and liabilities (insurance obligations, payroll, tax liabilities, issue of invoices, etc.).
4. WHAT PERSONAL DATA DOES THE COMPANY COLLECT
5. PROCESSING METHODS
For the aforementioned purposes and in compliance with the principles of lawfulness, fairness, transparency, accuracy and completeness, and always within the limits permitted by the law, personal data are collected in handwriting and in the presence of the data subjects at the company’s premises, or via fax or by post addressed to the company.
Only specially trained personnel (the processors), after being explicitly assigned their responsibilities under the contract concluded for this purpose with the data controller, may process personal data, in order to ensure adequate security and confidentiality and to avert the risks of loss, destruction or access by unauthorized users.
6. STORAGE – RETENTION TIME FOR PERSONAL DATA
The company retains and stores personal data for a limited period and only for so long as it is necessary in order to attain the pursued objectives.
More specifically, employees’ data will be stored for as long as their work contract is active and until the limitation period for any claim expires, while customer data shall be stored for as long as it is required by taxation legislation and only for the period during which transactions between customers and the company take place.
After the lapse of the periods above, the subjects’ personal data shall be destroyed and shall not be used for any purpose or in any way. Moreover, we assure you that these data are not transmitted to any third party, since access to the files that contain personal data is exclusively limited to authorized persons acting as processors.
7. RIGHT TO FILE A REQUEST WITH THE DATA CONTROLLER
The data subject reserves the right to file a request with the data controller to access, rectify or delete the personal data relating to him/her, or to restrict their processing, as well as the right to object to processing and the right to data portability (the right of the subject to receive the data relating to him/her from one data controller and transmit them to another data controller, without objection from the data controller to whom the data were initially provided).
8. RIGHT TO LODGE A COMPLAINT BEFORE THE DATA PROTECTION AUTHORITY
Every data subject reserves the right to lodge a complaint before the Data Protection Authority and the right to an effective judicial remedy pursuant to article 47 of the Charter of Fundamental Rights, provided the subject considers that his/her rights under the General Data Protection Regulation have been violated, or when the Authority does not follow a complaint through, rejects a complaint in whole or in part, deems it inadmissible, or fails to act when it must act in order to protect the data subject’s rights. The complaint is lodged by means of a form which can be found on the Authority’s website (www.dpa.gr).
9. PRINCIPLES ADOPTED BY THE COMPANY WITH RESPECT TO DATA PROCESSING
All processing of personal data by the company adheres to the following principles, thus satisfying the requirements posed by the General Data Protection Regulation and the corresponding national legislative framework. Thus personal data are:
10. DATA SUBJECTS’ RIGHTS
The company has provided for the optimal satisfaction of all of the subjects’ rights, such as:
In any case, the company will facilitate the exercise of the subjects’ rights, unless it is unable to verify the subject’s identity, and always guided by the protection of the subject’s personal data. The company shall respond to every request within one month; this deadline may be extended by two further months where required, taking into account the complexity of the request and the number of requests, in which case the company informs the subject of the extension and of the reasons for the delay.
11. TRANSMISSION OF PERSONAL INFORMATION TO THIRD PARTIES
Personal data are securely stored and are not transmitted to third parties, unless their disclosure is necessary for the company to comply with a legal obligation arising from legislation.
12. ACTIONS BY THE DATA CONTROLLER IN CASE OF DATA BREACH
In case of a breach of personal data (accidental or unlawful destruction, damage or loss of data), the Data Protection Officer shall notify the Authority of the breach without delay and, if possible, within 72 hours from the moment the DPO became aware of the incident, unless the breach cannot pose a threat to the rights and freedoms of individuals (natural persons). In any case, however, the DPO will evaluate and assess the risk continuously. When the notification of the Authority does not take place within 72 hours, it must be accompanied by a justification of the delay.
Respectively, when the personal data breach may pose a high risk to the rights and freedoms of the subjects, the DPO shall also inform the data subjects of the breach without delay. According to the Regulation, this obligation does not apply when the DPO has applied appropriate technical and organizational protection measures to the personal data affected by the breach, when the DPO has subsequently adopted measures ensuring that a high risk to data subjects’ rights and freedoms is no longer possible, or when such notification would demand disproportionate effort.
13. PERSONAL DATA PROTECTION
The company has established specific internal roles and competences for the protection and safety of the subjects’ data, in order to attain the maximum possible protection of personal information and information systems.
All of the company’s staff have been trained and made aware of personal data protection and security issues, developing knowledge and skills that allow the immediate detection of threats and the taking of appropriate risk-prevention measures.
The company takes the necessary measures on the technical and organizational level, so as to ensure the integrity, availability and confidentiality of the collected data. In this context, it implements detailed policies and procedures, establishing measures:
With respect to the use of the company’s computers, specialized technologies and processes are used to strengthen the protection of these data against loss or abuse, as well as to protect them against unauthorized access, disclosure, amendment or destruction.
More specifically, users have restricted access to the “Euricom” domain and to their own workstation, whose access code changes every two (2) months; as a result, they cannot change any setting of the workstation or install applications, whether from an external storage device or from the internet, without the consent of the company’s DPO and entry of the appropriate code. All files relating to the company are stored on the server, and access to them is segregated by department.
The company’s Internet connection is protected by a hardware firewall, and remote access to the corporate network is only possible via a Virtual Private Network (VPN). In addition, the company has encryption capabilities and, more specifically, encrypts removable disk drives. At the same time, connections by privileged users are only possible through dedicated devices, and access is limited to authorized individuals only.
In addition to the above, the company does not permit its employees or customers to bring their personal electronic devices, following a no-BYOD (Bring Your Own Device) policy. This way, possible attacks via personal devices are averted, and employees are obliged to use only the devices installed in the workplace, which offer the required protection. Furthermore, the company prohibits the syncing of corporate e-mail accounts with employees’ personal smartphones, and the access codes for the corporate Wi-Fi wireless network change every two (2) months.
Accordingly, should any visitor/user become aware of any illegal, malicious, inappropriate or illicit use of personal data, they are obliged to disclose it to the company immediately.
By means of the review process, the company ensures continuous monitoring of the security level and the taking of appropriate preventive measures. In parallel, suitable planning and assessment of the risk to information resources contribute to the safe continuation of operations should malfunctions arise.
The Data Protection Officer of the company monitors all of the procedures and policies, so that the company can safeguard the data it processes.
Observance of the Policy on Data Protection and Processing constitutes a commitment by all of the company’s staff and associates.
As the company improves and expands its activities, it will promptly update this policy. It is very important for data subjects to visit the company’s website to obtain the latest version, always checking the revision date.