1. Introduction
1.1 Chronological overview of the General Data Protection Regulation (GDPR)
The 2016 General Data Protection Regulation replaces the 1995 European Data Protection Directive and supersedes the Member State legislation enacted in accordance with Directive 95/46/EC on data protection.
Its purpose is to protect the “rights and liberties” of individuals (living persons) and to ensure that their personal data is not processed without their knowledge and, where possible, is processed only with their consent.
1.2 Definitions used by the organization (according to the GDPR)
Material scope (Article 2): The GDPR applies to the wholly or partly automated processing of personal data, as well as to the non-automated processing of such data which forms part of, or is intended to form part of, an archiving system.
Territorial scope (Article 3): The GDPR applies to all controllers established in the EU (European Union) that process personal data in the context of that establishment. It also applies to controllers outside the EU that process the personal data of data subjects residing in the EU in order to offer them goods or services or to monitor their behaviour.
1.3 Definitions of Article 4
Main establishment: the controller's main establishment in the EU is the place where the controller takes the key decisions on the purposes and means of its data processing activities. The main establishment of a controller in the EU is its central administration. If the controller is established outside the EU, it must appoint a representative authorised to act on its behalf and to represent it before the supervisory authorities.
Personal data: any information relating to an identified or identifiable person (“data subject”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data processed for the sole purpose of identifying a person, health data, and data concerning a person's sex life or sexual orientation.
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller, or the specific criteria for its nomination, may be provided for by Union or Member State law.
Data subject: any living person who is the subject of personal data held by the organization.
Processing: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling: any form of automated processing of personal data that aims to evaluate certain personal aspects of a person, or to analyse or predict a person's performance at work, financial situation, location, health, personal preferences, reliability or behaviour. This definition relates to the data subject's right to object to profiling and the right to be informed of the existence of profiling, of measures based on it, and of the envisaged consequences of that profiling for the individual.
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed. The controller is obliged to report personal data breaches to the supervisory authority when the breach may adversely affect the personal data or the privacy of the data subject.
Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, agrees to the processing of personal data.
Child: the GDPR defines a child as a person under the age of 16, although Member State law may lower this to 13. The processing of a child's personal data is lawful only if the consent of the parents or guardians has been obtained. In such cases, the controller makes reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child. Greek law defines a child up to 15 years of age as a minor.
Third party: a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process personal data.
Archiving system: any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
2. Policy statement
2.1 The Board of Directors and the management of the Company, located at 38-40 Ptolemaion Street in Thessaloniki, commit to complying with all relevant EU and Member State laws regarding personal data and the protection of “rights and liberties”, and to ensuring that all of the Company's processes comply with the General Data Protection Regulation (GDPR).
2.2 Compliance with the GDPR is described in this policy and in other relevant policies such as the Information Security Policy along with its relevant procedures.
2.3 Everything set out in the GDPR and in this policy applies to all personal data processing operations of the Company, including those performed on the personal data of customers, employees, suppliers, subcontractors and associates, and to any other personal data processed by the organization from any source.
2.4 The Company has set objectives for the protection of personal data and thereby ensures the privacy of those involved in each processing operation.
2.5 The Administrator is responsible for reviewing the processing register annually in the light of any changes in the Company's activities and of any additional requirements identified by assessing the implications for the protection of personal data. This register is available upon request.
2.6 This policy applies to all employees as well as all other stakeholders of the Company, such as customers, suppliers and subcontractors. Any breach of the GDPR will be dealt with in accordance with the Company’s disciplinary policy and may also constitute a criminal offense, in which case the matter will be referred to the competent authorities as soon as possible.
2.7 Associates and any third parties cooperating with the Company who have or may have access to personal data are expected to have read, understood and complied with this policy. No third party may have access to personal data held by the Company without first entering into a confidentiality agreement. The Company reserves the right to audit compliance with that agreement.
Policy statement
To support compliance with the GDPR, the Management approved and supported the development, implementation, maintenance and continuous improvement of a documented personal information management system (PIMS) for the Company.
All employees of the Company, as well as external associates who have access to the personal data processed by the Company, are expected to comply with this policy and with the SDPP that implements it. All employees of the Company will receive appropriate training. The consequences of violating this policy are set out in the Company's Disciplinary Policy and in contracts and agreements with third parties.
In determining the scope of its GDPR compliance, the Company takes into account:
- Any external and internal issues that are relevant to the Company's purpose and affect its ability to achieve the intended results of its PIMS.
- Special needs and expectations of the interested parties related to the implementation of the PIMS.
- Organizational goals and obligations.
- The acceptable risk levels of the Company and
- Any applicable regulatory and / or contractual obligations.
The Company’s objectives for complying with the GDPR:
- Are consistent with this policy
- Are measurable
- Have taken into account the requirements of the GDPR and the results from the risk assessment and treatment
- Are being monitored
- Are published
In order to achieve these goals, the Company has determined:
- what is going to happen
- what resources will be required
- who will be responsible for the implementation
- when the implementation will be completed
- how the results will be evaluated
3. Responsibilities and roles under the Data Protection Regulation
3.1 Senior management and all those who play a managerial or supervisory role in any of the Company's processes are responsible for developing and encouraging good information management practices within the Company. Responsibilities are defined in individual job descriptions.
3.2 The Data Manager undertakes the management of personal data in the Company and ensures that compliance with data protection legislation and good practice can be demonstrated. This accountability includes:
3.2.1 Development and implementation of GDPR compliance as required by this policy, and
3.2.2 Security and risk management in relation to policy compliance.
3.3 The Data Manager, who has been selected by the Board of Directors as a properly qualified and experienced person, has been assigned to take responsibility for the Company’s compliance with this policy on a daily basis and, in particular, has a direct responsibility to ensure that the Company complies with the GDPR, in all its processes.
3.4 The Administrator is the person to whom both employees and third parties turn for clarification on any aspect of compliance with personal data protection.
3.5 Compliance with data protection legislation is the responsibility of all employees of the company who process personal data.
3.6 The Education Policy sets out specific training and awareness requirements in relation to the specific roles of employees.
4. Data protection principles
All personal data processing must be carried out in accordance with the data protection principles set out in Article 5 of the GDPR. The Company’s policies and procedures are designed to ensure compliance with these principles.
4.1 Personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency).
Lawful processing: a legal basis, such as consent, must be established before personal data is processed.
For processing to be fair, the controller makes specific information available to the data subjects, as far as practicable. This applies whether the personal data was obtained directly from the data subjects or from other sources.
The GDPR has increased the amount of information that must be made available to data subjects; these requirements are covered by the “transparency” requirement.
Transparency: the GDPR sets out rules on providing information about personal data to data subjects in Articles 12, 13 and 14. These are detailed and specific, with an emphasis on the comprehensibility and accessibility of privacy notices. The information is communicated to the data subject in an intelligible form, in clear and plain language.
The specific information provided to the data subject includes at least:
4.1.1 the identity and contact details of the controller and, where applicable, of the processor,
4.1.2 the contact details of the company,
4.1.3 the purposes for which the personal data are to be processed, as well as the legal basis for the processing,
4.1.4 the period for which the personal data is stored,
4.1.5 the existence of the rights of access, rectification, erasure and objection to the processing, and the conditions (or absence of conditions) attached to exercising those rights, such as whether the lawfulness of previous processing will be affected,
4.1.6 the categories of personal data concerned,
4.1.7 the recipients or categories of recipients of the personal data, as the case may be,
4.1.8 any further information necessary to ensure fair processing.
4.2 Personal data is collected only for specified, explicit and lawful purposes. Data obtained for specified purposes is not used for purposes other than those formally disclosed to the supervisory authority through the Company's GDPR processing register.
4.3 Personal data must be adequate, relevant and limited to what is necessary for processing.
4.3.1 The Manager is responsible for ensuring that the Company does not collect information that is not absolutely necessary for the purpose for which it was acquired.
4.3.2 All data collection forms (electronic or printed), including data collection requirements in new information systems, include a statement of fair processing or connection to the privacy statement and have been approved by the data manager.
4.3.3 The Administrator shall ensure that, on an annual basis, all data collection methods are reviewed by the internal auditor and / or external experts to ensure that the data collected is still adequate, relevant and not excessive.
4.4 Personal data is accurate and kept up to date, and any necessary deletion or correction of inaccurate data is made without delay.
4.4.1 The data stored by the data administrator is reviewed and updated as required. No data is retained unless it is reasonable to assume that it is accurate.
4.4.2 The Administrator is responsible for ensuring that all staff are trained in the importance of collecting and retaining specific data.
4.4.3 It is also the responsibility of the data subject to ensure that the data held by the Company is accurate and up to date. Completion of a registration form or application by a data subject will include a statement that the data contained therein is accurate at the date of submission.
4.4.4 Employees and all third parties are obliged to notify the Company of any change in their circumstances so that their personal files can be updated. It is the Company's responsibility to ensure that any notification of a change of circumstances, and the actions taken in response, are recorded.
4.4.5 The Administrator is responsible for ensuring that appropriate procedures and policies are in place for the accurate and timely updating of personal data, taking into account the volume of data collected, the rate at which it may change, and any other relevant factors.
4.4.6 At least once a year, the Administrator reviews the retention dates of all personal data processed by the Company, with reference to the data inventory, and identifies any data that is no longer required for the registered purpose. Such data is securely deleted or destroyed in accordance with the relevant Procedure.
4.4.7 The Administrator is responsible for responding to requests for rectification from data subjects within one month. This may be extended by a further two months for complex requests. If the Organization decides not to comply with the request, the Administrator must respond to the data subject explaining the reasoning and informing the subject of the right to lodge a complaint with the supervisory authority and to seek a judicial remedy.
4.4.8 The Administrator is responsible for making appropriate arrangements so that, where third-party organizations may hold inaccurate or outdated personal data, they are informed that the information is inaccurate and should not be used as the basis for any decisions about the individuals concerned. The Administrator is also responsible for passing on any corrections of personal data to third parties where this is required.
4.5 Personal data is stored in a form that permits identification of the data subject only for as long as is necessary for the processing.
4.5.1 When personal data is retained beyond the processing date, it is minimized, encrypted or pseudonymized in order to protect the identity of the data subject in the event of a data breach.
4.5.2 Personal data is retained in accordance with the relevant Procedure (File Retention) and, as soon as its retention date expires, is securely destroyed in accordance with that procedure.
4.5.3 The Administrator specifically approves, in writing, any data retention that exceeds the retention periods specified in the File Retention Procedure and ensures that the justification is clearly identified and meets the requirements of data protection legislation.
4.6 Personal data is processed in a way that ensures adequate security. The Administrator has carried out a risk assessment taking into account all the circumstances of the Company's control or processing operations. In determining what is appropriate, the Administrator has considered the extent of possible damage or loss that might be caused to individuals (e.g. staff or customers) in the event of a security breach, as well as the potential damage to the Company's reputation, including the possible loss of customer trust.
When evaluating the appropriate technical measures, the Administrator has considered the following:
- Password protection.
- Automatic computer lock.
- Removal of access rights for USB and other memory media.
- Virus control software and firewalls.
- Role-based access rights, including those assigned to emergency personnel.
- Encryption of devices that leave the organization's premises, such as laptops.
- Security of local and wider networks.
- Privacy protection technologies such as pseudonymization and de-identification.
When evaluating appropriate organizational measures, the Administrator has considered the following:
- Appropriate levels of education throughout the organization.
- Measures that take into account the reliability of employees (such as references).
- The inclusion of data protection in employment contracts.
- Identifying disciplinary action measures for data breaches.
- Monitoring staff compliance with relevant safety standards.
- Physical access checks on electronic and print media.
- Storing printed data in lockable cabinets.
- Limiting the use of portable electronic devices outside the workplace.
- Limiting the use of personal devices of employees used in the workplace.
- Adopt clear rules on passwords.
- Creating regular backups of personal data and storing the backup media offline.
These controls have been selected on the basis of the risks identified to personal data and the likelihood of harm or risk to the individuals whose data is being processed. The Company's compliance with this principle is documented in the Personal Information Management System (PIMS).
4.7 The controller must be able to demonstrate compliance with the other principles of the GDPR (accountability). The GDPR includes measures promoting accountability and governance. These measures complement the transparency requirements of the GDPR. The accountability principle in Article 5(2) requires the Company to be able to demonstrate that it complies with the principles of the GDPR, and the responsibility for doing so rests with the Company alone.
The Company demonstrates compliance with the data protection principles by implementing data protection policies, adopting codes of conduct, implementing technical and organizational measures, and adopting techniques such as data protection by design, breach notification procedures and incident handling plans.
5. Data subjects’ rights
5.1 The data subjects have the following rights regarding the data processing and the data recorded for them:
5.1.1 To request access to the personal data held about them and to know to whom that data has been disclosed.
5.1.2 To request that processing likely to cause them harm be stopped.
5.1.3 To request that processing for marketing purposes be stopped.
5.1.4 To be informed of the logic of any automated decision-making process that will significantly affect them.
5.1.5 To request that no significant decisions affecting them are made solely by automated means.
5.1.6 To claim compensation if they suffer damage as a result of any violation of the GDPR.
5.1.7 To have inaccurate data rectified, blocked, erased (including the right to be forgotten) or destroyed.
5.1.8 To ask the supervisory authority to assess whether any provision of the GDPR has been violated.
5.1.9 To receive their personal data in a structured, commonly used and machine-readable format, and to transmit that data to another data controller.
5.1.10 To object to any profiling carried out without their consent.
5.2 The Company ensures that data subjects can exercise these rights.
5.2.1 Data subjects may submit data access requests and the company will ensure that the response to the data access request complies with the requirements of the GDPR.
5.2.2 Data subjects have the right to complain to the Company about the processing of their personal data and about the handling of a request they have made, and to appeal against the manner in which their complaints were handled under the Complaints Procedure.
6. Consent
6.1 The Company understands “consent” to mean a freely given, specific, informed and unambiguous indication of the data subject's wishes, explicitly given. This indication is made by a statement or by a clear affirmative action and signifies the subject's agreement to the processing of their personal data. The data subject may withdraw consent at any time.
6.2 The Company further understands “consent” to mean that the data subject has been fully informed of the intended processing and has signified agreement without being under pressure. Consent obtained under pressure or on the basis of misleading information is not a valid basis for processing.
6.3 There must be some active communication between the parties to demonstrate active consent. Consent cannot be inferred where no communication has taken place. The controller must be able to demonstrate that consent was obtained for the processing.
6.4 For sensitive data, explicit written consent of the data subjects must be provided, unless there is an alternative legitimate basis for processing.
6.5 In most cases, the consent for the processing of personal and sensitive data is systematically obtained by the Company using standard consent documents.
7. Data security
7.1 All employees are responsible for ensuring that the personal data held by the Company for which they are responsible is stored securely and is in no way disclosed to third parties, unless the third party is authorized to receive the information, e.g. where it has entered into a confidentiality agreement.
7.2 All personal data is accessible only to those who need it to do their work, and access is granted only in accordance with the Access Control Policy. All personal data is treated with the highest security and must be kept:
- in a locked room with controlled access and / or
- in a drawer or in a locker and / or
- if held electronically, password protected in accordance with the Company's Access Control Policy and / or
- stored on (removable) computer devices that are encrypted in accordance with the Safe Disposal of Storage Media procedure.
7.3 Measures are taken to ensure that screens and computer terminals are not visible to anyone other than authorized employees of the Company. All employees are asked to sign an agreement, before they are given access to organizational information of any kind, which describes in detail the rules regarding their responsibility for the protection of personal data.
7.4 Manual (non-automated) files may not be left in places where unauthorized personnel may have access to them and may not be removed from the premises without explicit [written] authorization.
7.5 Personal data may only be deleted or disposed of in accordance with the File Retention Procedure.
7.6 Processing personal data outside the Company's premises poses a potentially greater risk of loss, theft or damage to that data. Staff must be specifically authorized to process data outside the Company's premises.
8. Data disclosure
8.1 The Company ensures that personal data is not disclosed to unauthorized third parties, including family members, friends, government agencies and, under certain conditions, the Police. All employees exercise caution when asked to disclose personal data to third parties and receive specific training that enables them to deal effectively with this risk. It is important to consider whether the disclosure of the information is relevant and necessary for carrying out the Organization's activities.
8.2 All requests for the disclosure of data for one of these reasons must be supported by appropriate written documentation, and all such disclosures must be specifically approved by the Data Protection Manager / GDPR Owner.
9. Data storage and disposal
9.1 The Company does not store personal data in a form that allows the identification of the data subjects for longer than is necessary in relation to the purpose for which the data was originally collected.
9.2 The Company may store data for longer periods if the personal data is processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to appropriate technical and organizational measures to safeguard the rights and liberties of the data subject.
9.3 The retention period for each category of personal data is specified in the File Retention Procedure, along with the criteria used to determine that period.
9.4 Personal data must be securely disposed of in accordance with the sixth principle of the GDPR: it is processed in an appropriate manner in order to maintain its security, thus protecting the “rights and liberties” of the data subjects.
10. Data transfer
All transfers of personal data from the European Economic Area (EEA) to countries outside the EEA (“third countries”) are unlawful unless an appropriate “level of protection of the fundamental rights of the data subjects” is ensured.
The transfer of personal data outside the EEA is prohibited unless one or more of the specified safeguards or exceptions apply, as defined in the GDPR.
The Company does not transfer personal data to “third countries”.
11. Data inventory
11.1 The Company has established a process of data inventory and data flow as part of its approach on dealing with risks and opportunities throughout the GDPR compliance project. The data inventory includes:
- Business processes that use personal data.
- The sources of personal data.
- The number of data subjects.
- The description of each personal data element.
- The processing activity.
The Company:
- maintains the inventory of the data categories of the processed personal data,
- documents the purpose that each category of personal data is used for,
- identifies recipients and potential recipients of personal data,
- identifies its own role throughout the data flow,
- lists the basic systems and repositories it uses,
- ensures that all data retention and disposal requirements are met.
11.2 The Company is aware of the risks associated with the processing of these types of personal data.
11.2.1 The Company assesses the level of risk for individuals associated with the processing of their personal data.
11.2.2 The Company manages the risks identified by the risk assessment in order to reduce the likelihood of non-compliance with this policy.
11.2.3 Where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and liberties of individuals, taking into account the nature, context, scope and purposes of the processing, the Company assesses the impact of the envisaged processing operations on the protection of personal data before the processing is carried out.
11.2.4 When it is clear that the Company is going to start processing personal data that could cause damage and / or distress to the data subjects, the decision on whether the Company should proceed is referred to the Data Manager for review.
11.2.5 The Data Manager, if there are significant concerns, either for possible damage or distress or for the amount of data, forwards the matter to the supervising authority.
The Data Manager is responsible for this document and he is also responsible to ensure that it is reviewed in accordance with the review requirements listed above.
A current version of this document is available to all staff members.