S & K EISAGOGIKI

Policy number: POL-1

Policy name: POL-1 - PERSONAL DATA PROTECTION POLICY

Policy Date: 10/10/2017

Policy version: 2nd edition

Policy validity period: until revised

Policy saved/published: 10.10.2018

Communication of the policy: this policy is posted on the company’s website and all employees are informed accordingly.

Policy revision: 1

Policy author: Stefanos Economou, lawyer, certified DPO

Policy Review: Sotirios Papaioannou

Policy approval: Valasia Papaioannou


CONTENTS

PURPOSE

SCOPE

ABBREVIATIONS

DEFINITIONS

BASIC PRINCIPLES FOLLOWED BY THE COMPANY WHEN PROCESSING PERSONAL DATA

SUBJECT’S CONSENT

SENSITIVE DATA

RIGHTS OF THE SUBJECT

TAKING ORGANIZATIONAL AND TECHNICAL MEASURES

THE COMPANY’S CONTRACTS WITH THIRD PARTIES PROCESSING PERSONAL DATA ON ITS BEHALF

NOTIFICATION OF A PERSONAL DATA BREACH TO THE SUPERVISORY AUTHORITY AND TO THE SUBJECT

PERSON RESPONSIBLE FOR PERSONAL DATA PROTECTION ISSUES IN THE COMPANY

DATA PROTECTION OFFICER

PROCESSING OF EMPLOYEES’ PERSONAL DATA

PROCESSING OF SUPPLIERS’ – PARTNERS’ PERSONAL DATA 

PROCESSING OF CUSTOMERS’ PERSONAL DATA

SECURITY CAMERAS

TRAININGS

DATA RETENTION

POLICY REVIEW


PURPOSE

The purpose of this policy is to establish rules and procedures as well as to adopt the necessary organizational and technical measures to protect the personal data of individuals processed by the company in accordance with EU Regulation 2016/679.


SCOPE

This policy applies to all employees of the company and to all personal data processed by the company or third parties performing this processing.


ABBREVIATIONS

PD: Personal Data

GDPR: General Data Protection Regulation EU 2016/679.

Data Protection Authority: the Personal Data Protection Authority, the supervisory authority for Greece


DEFINITIONS

For the implementation of this policy by the company, the following concepts have the following meaning:

1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;

2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3) ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

4) ‘filing system’ means any structured set of personal data which is accessible on the basis of specific criteria, whether that set is centralised or decentralised or distributed on a functional or geographical basis;

5) ‘controller’ means the natural person or legal entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; the company is the controller for the purposes of this policy;

6) “processor” means the natural person or legal entity, public authority, agency or other body which processes personal data on behalf of the controller;

7) ‘recipient’ means the natural person or legal entity, public authority, agency or other body to which personal data are disclosed, whether or not it is a third party. However, public authorities which may receive personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered as recipients;

8) “third party” means any natural person or legal entity, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct supervision of the controller or the processor, are authorised to process personal data;

9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed;

10) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person, as resulting, in particular, from an analysis of a biological sample of that natural person and which provide unique information concerning the physiology or health of that natural person;

11) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, biological or behavioural characteristics of a natural person and which allow or confirm the unambiguous identification of that natural person, such as facial images or dactyloscopic data;

12) ‘data concerning health’ means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, and which reveal information about his or her state of health;

13) ‘enterprise’ means a natural person or legal entity carrying out an economic activity, regardless of its legal form, including partnerships or associations regularly carrying out an economic activity; for the purposes of this policy, the enterprise is the company whose name appears on the first page of this policy;

14) “business group” means a controlling business and the businesses controlled by it;

15) ‘binding corporate rules’ means the personal data protection policies followed by a controller or processor, established on the territory of a Member State, for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a business group, or a group of companies engaged in a common economic activity;

16) “supervisory authority”: an independent public authority established by a Member State in accordance with Article 51 of the GDPR, which is for Greece the Personal Data Protection Authority.


BASIC PRINCIPLES FOLLOWED BY THE COMPANY WHEN PROCESSING PERSONAL DATA

1) Compliance with laws:

The company will comply with the GDPR, the relevant law issued by the Greek state, as well as any decisions and recommendations of the Data Protection Authority.

2) Respect for the subject’s rights:

The company respects the subject’s rights as analyzed below and is committed to taking all necessary organizational and technical measures to safeguard and facilitate the exercise of these rights.

3) Lawfulness of processing – accountability:

The company will only process data lawfully. Personal data processed by the company are:

a) processed lawfully and fairly in a transparent manner in relation to the data subject (‘lawfulness, objectivity and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d) accurate and, where necessary, kept up to date; all reasonable steps shall be taken to ensure that personal data which are inaccurate, in relation to the purposes of the processing, are erased or rectified without delay (‘accuracy’);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
f) processed in a manner which ensures appropriate security of the personal data, including protection against unauthorised or unlawful access and accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

3a. The company is responsible and must be able to demonstrate compliance with the above (“accountability”). For this purpose, it has adopted this policy and is taking all necessary measures to document the lawful processing of personal data.

3b. The company shall only process data if at least one of the following conditions applies:

a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the data subject’s request prior to entering into a contract;
c) the processing is necessary for compliance with a legal obligation of the controller;
d) the processing is necessary to protect the vital interests of the data subject or of another natural person;
e) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.


SUBJECT’S CONSENT

Conditions and procedure for obtaining the subject’s consent:

Where processing is based on consent, the company must be able to demonstrate that the data subject has consented to the processing of personal data. For this reason, the company will keep a record in electronic or written form of all consents it receives.
If the data subject’s consent is given in the context of a written statement that also covers other matters, the request for consent shall be presented by the company in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and simple language.
The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Before giving consent, the data subject shall be informed thereof. Withdrawing consent is as easy as giving it. The company has adapted the cookie policy for accessing its website accordingly.
The company has adjusted its telephone communication with customers whose personal data it processes.


SENSITIVE DATA

The company does not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, nor does it process genetic data, biometric data for the purpose of unambiguously identifying a person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Exceptionally, the company keeps health data of the company’s personnel or of minor children of the personnel (sickness certificates to justify absences or for other work needs such as assessment of capacity for work, names and ages of minor children of personnel for calculating benefits, etc.) that they provide to it for the proper execution of the employment contract. This processing is necessary for the performance of the obligations and the exercise of specific rights of the controller or the data subject in the field of labour law and social security and social protection law, in accordance with Article 9(2)(b) and (h) of the GDPR.

If, nevertheless, it becomes necessary for the company to process sensitive personal data, then this will only take place if the conditions of the GDPR are met.


SUBJECT’S RIGHTS


DATA SUBJECT REQUESTS

The company provides the data subject with information about the processing carried out and satisfies his/her requests based on the subject’s rights without delay and in any case within one month of receipt of the request. Relevant requests may be submitted by e-mail to info@sk-group.gr (the company) and/or info@elo.gr (the company’s DPO).

The above deadline may be extended by two more months, if necessary, taking into account the complexity of the request and the number of requests.

The company informs the data subject of such extension within one month of receipt of the request, as well as of the reasons for the delay. If the data subject submits the request by electronic means, the information shall be provided, if possible, by electronic means, unless the data subject requests otherwise.

The information provided in accordance with Articles 13 and 14 of the GDPR and any notification as well as all actions taken in accordance with Articles 15 to 22 and Article 34 of the GDPR are provided free of charge to the data subject. If the data subject’s requests are manifestly unfounded or excessive, in particular because of their repetitive nature, the company shall either:

a) impose the payment of a reasonable fee, taking into account the administrative costs of providing the information or the notification or carrying out the requested action; or
b) refuse to comply with the request.


Information provided by the company when personal data is collected from the data subject

When personal data concerning a data subject are collected from the data subject, the company, upon receiving the personal data, provides the data subject with all of the following information:

a) the identity and contact details of the controller and, where applicable, of the controller’s representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
d) if the processing is based on Article 6(1)(f) of the GDPR, the legitimate interests pursued by the controller or by a third party;
e) the recipients or categories of recipients of the personal data, if any;
f) where applicable, the intention of the controller to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46 or 47 or the second subparagraph of Article 49(1) of the GDPR, a reference to the appropriate or suitable safeguards and the means to obtain a copy of them or to where they were made

In addition to the information referred to in paragraph 1, the controller, when receiving personal data, provides the data subject with the following additional information necessary to ensure fair and transparent processing:

a) the period for which the personal data will be stored or, where that is not possible, the criteria determining that period;
b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or the right to object to processing, as well as the right to data portability;
c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) the right to submit a complaint to a supervisory authority;
e) whether the provision of personal data is a legal or contractual obligation or a requirement for entering into a contract, and whether the data subject is obliged to provide the personal data and what the possible consequences of not providing such data would be;
f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in such cases, important information regarding the logic followed, as well as the significance and the expected consequences of such processing for the data subject.

When the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, he/she provides the data subject, prior to such further processing, with information about that purpose and any other necessary information, as referred to in paragraph 2. Paragraphs 1, 2 and 3 do not apply when and to the extent that the data subject already has the information.

Access right of the data subject

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, the right of access to the personal data and to the following information:

a) the purposes of the processing;
b) the relevant categories of personal data;
c) the recipients or categories of recipients to whom the personal data have been or are to be disclosed, in particular recipients in third countries or international organisations;
d) if possible, the period for which the personal data will be stored or, where this is not possible, the criteria determining that period;
e) the existence of the right to request the controller to correct or erase personal data or to restrict the processing of personal data concerning the data subject or to object to such processing;
f) the right to submit a complaint to a supervisory authority;
g) any available information on the personal data’s origin, when the personal data are not collected from the data subject;
h) the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) and, at least in those cases, important information regarding the logic followed, as well as the significance and the expected consequences of such processing for the data subject.

When personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards in accordance with Article 46 concerning the transfer. The company does not carry out data transfers to third countries.
The controller provides a copy of the personal data processed. For additional copies that may be requested by the data subject, the controller may charge a reasonable fee for administrative costs. If the data subject makes the request by electronic means and unless the data subject requests otherwise, the information shall be provided in a commonly used electronic format. The right to obtain a copy referred to in paragraph 3 does not adversely affect the rights and freedoms of others.

Right to correction

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of a supplementary statement.

Right to erasure (“right to be forgotten”)

The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller is obliged to erase personal data without undue delay where one of the following reasons applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no compelling and legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data have been processed unlawfully;
e) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;
f) the personal data have been collected in connection with the offering of information society services referred to in Article 8(1).

When the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, he/she, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that the data subject has requested the erasure by them of any links to those data or of copies or replications of those personal data.

Paragraphs 1 and 2 do not apply to the extent that processing is necessary:

a) for the exercise of the right to freedom of expression and the right to information;
b) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority assigned to the controller;
c) for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i), as well as Article 9(3) of the GDPR;
d) for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1) of the GDPR, if the right referred to in paragraph 1 is likely to render impossible or substantially impair the achievement of the purposes of such processing; or
e) for the establishment, exercise or defence of legal claims.


Right to restriction of processing

The data subject has the right to obtain from the controller restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests, instead, the restriction of their use;
c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims;
d) the data subject objects to processing pursuant to Article 21(1), pending the verification whether the legitimate grounds of the controller override those of the data subject.

When processing has been restricted in accordance with paragraph 1, those personal data, except for storage, are processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural person or legal entity or for reasons of important public interest of the Union or of a Member State. The data subject who has obtained the restriction of processing in accordance with paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Notification obligation regarding the rectification or erasure of personal data or restriction of processing

The controller announces any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. The controller informs the data subject of those recipients if the data subject requests so.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the company, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without objection from the controller to whom the personal data have been provided, where:

a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b) of the GDPR; and
b) the processing is carried out by automated means.

When exercising the right to data portability in accordance with paragraph 1, the data subject has the right to request the direct transmission of personal data from one controller to another, where technically feasible.
The right referred to in paragraph 1 of this Article is exercised subject to the provisions of Article 17 of the GDPR. This right does not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority assigned to the controller. 

The right referred to in paragraph 1 does not adversely affect the rights and freedoms of others.

Right to object

The data subject has the right to object, for reasons relating to his or her particular situation, at any time, to processing of his/her personal data which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller no longer processes the personal data unless the controller demonstrates compelling and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of his/her personal data for such marketing, including profiling, to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data are no longer processed for such purposes. At the latest when the data subject is first contacted, the right referred to in paragraphs 1 and 2 shall be expressly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

In the context of the use of information society services and subject to the provisions of Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

When personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89 paragraph 1 of the GDPR, the data subject has the right to object, for reasons relating to his or her particular situation, to the processing of his/her personal data, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Automated individual decision-making, including profiling

The company does not carry out automated individual decision-making and/or profiling. Should it do so in the future, the requirements of the GDPR will be met.



TAKING ORGANIZATIONAL AND TECHNICAL MEASURES

Data protection by design and by default

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the company implements, both at the time of determining the means of processing and at the time of the processing itself, appropriate technical and organisational measures. These include data minimisation, keeping data in specially locked areas, password-protected access to computers, mandatory confidentiality for its employees and the integration of the necessary safeguards into the processing, in a way that meets the requirements of the GDPR and protects the rights of data subjects.

The company takes appropriate technical and organisational measures to ensure that, by default, only personal data that are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, their storage period and their accessibility. In particular, these measures ensure that, by default, personal data are not made accessible to an indefinite number of persons without the individual’s intervention.


PROCESSING OF PERSONAL DATA BY THE COMPANY AS “PROCESSOR” ON BEHALF OF OTHER COMPANIES

The company processes personal data on behalf of other companies (e.g. mobile phone companies, Natural Gas) within the framework of contracts between them for the promotion of these companies’ services through telephone calls or for the provision of services to their customers.

For this purpose, the company signs contracts regarding the processing of the personal data of these businesses in accordance with the GDPR.

The Company undertakes always to process this data in accordance with the instructions of the Controller, but will not follow unlawful instructions or orders.

The Company does not engage another processor without the prior specific or general written permission of the company on whose behalf it processes the data.

The Company undertakes that, as a processor, it will process personal data in accordance with the relevant contracts it signs with the Data Controllers. These contracts determine the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the data controller, and provide in particular that the processor:

a) processes personal data only on the basis of recorded instructions from the controller, including regarding the transfer of personal data to a third country or an international organisation, unless required to do so by Union law or the law of the Member State to which the processor is subject; in such a case, the processor informs the controller of that legal requirement prior to the processing, unless that law prohibits such information for overriding reasons of public interest;
b) ensures that persons authorised to process the personal data have undertaken a commitment to confidentiality or are subject to an appropriate regulatory obligation of confidentiality;
c) takes all necessary measures pursuant to Article 32 of the GDPR;
d) complies with the conditions mentioned above for the engagement of another processor;
e) taking into account the nature of the processing, assists the controller with appropriate technical and organisational measures, to the extent possible, to fulfil the controller’s obligation to respond to requests for the exercise of the data subject’s rights provided for in Chapter III;
f) assists the controller in ensuring compliance with the obligations arising from Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the processor;
g) erases or returns, at the controller’s choice, all personal data to the controller after the end of the processing services and erases existing copies, unless Union or Member State law requires the storage of the personal data;
h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allows and facilitates audits, including inspections, carried out by the controller or by another auditor authorised by the controller.

With regard to point (a) above, the company will immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other Union or national data protection provisions.

When the processor engages another processor to carry out specific processing activities on behalf of the controller, the same data protection obligations as those laid down in the contract or other legal act between the controller and the processor, as provided above, will be imposed on that other processor by means of a contract or other legal act in accordance with Union or Member State law, in particular so as to provide sufficient assurances that appropriate technical and organisational measures will be implemented, so that the processing will meet the requirements of the GDPR. When the other processor fails to meet its data protection obligations, the first processor remains fully liable to the controller for the fulfilment of the obligations of the other processor.


TELEPHONE CALLS TO PROMOTE PRODUCTS AND SERVICES

The Company makes telephone calls in a non-automated manner to customers of companies that entrust it with the promotion of their products and services.

The Company will proceed with the above in accordance with the existing instructions of the Personal Data Protection Authority and the General Personal Data Regulation.

The Company takes care not to call subjects who have declared, in accordance with article 11, paragraph 2 of law 3471/2006, to the provider of the publicly available service that they generally do not wish to receive promotional calls.

It also takes care to create a record of customers that it has contacted and who stated that they do not wish to be called again so that it does not call them.

CONTRACTS OF THE COMPANY WITH THIRD PARTIES PROCESSING PERSONAL DATA ON ITS BEHALF UNDER ITS SUPERVISION

1/ The company has assigned certain tasks – responsibilities to third parties who are not its employees in the form of external collaboration. In the context of the execution of these tasks – responsibilities, the collaborator processes the company’s personal data or personal data of another Data Controller that the Company has undertaken to perform the processing on its behalf.

2/ The company has selected and will select the above companies in the future after having received sufficient assurances for the implementation of appropriate technical and organizational measures, in such a way that the processing meets the requirements of the GDPR regulation and ensures the protection of the rights of the data subject, by signing relevant safeguard contractual terms.

3/ In accordance with these relevant contractual safeguards that the company has signed and will sign with all processors of personal data on its behalf, the processor does not hire another processor without the prior specific or general written permission of the company. In the case of general written permission, the processor informs the controller of any intended changes concerning the addition or replacement of other processors, thereby providing the company with the opportunity to object to such changes.

4/ The company undertakes that the relevant contractual terms, that it will oblige the processors to accept, will determine the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller, and will provide in particular that the processor:

  a) processes personal data only on the basis of recorded instructions from the controller, including regarding the transfer of personal data to a third country or an international organisation, unless required to do so by Union law or the law of the Member State to which the processor is subject; in such a case, the processor informs the controller of that legal requirement prior to the processing, unless that law prohibits such information for overriding reasons of public interest;
  b) ensures that persons authorised to process the personal data have undertaken a confidentiality undertaking or are subject to an appropriate regulatory obligation of confidentiality;
  c) takes all necessary measures pursuant to Article 32 of the GDPR;
  d) complies with the conditions mentioned above for the recruitment of another processor;
  e) takes into account the nature of the processing and assists the controller with appropriate technical and organisational measures, to the extent possible, to fulfil the controller’s obligation to respond to requests for the exercise of the data subject’s rights provided for in Chapter III;
  f) assists the controller in ensuring compliance with the obligations arising from Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the processor;
  g) at the controller’s choice, erases or returns all personal data to the controller after the end of the processing services and erases existing copies, unless Union or Member State law requires the storage of the personal data;
  h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allows and facilitates audits, including inspections, carried out by the controller or by another controller authorized by the controller.

With regard to point (a) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or national data protection provisions.

  i) Where the processor engages another processor to carry out specific processing activities on behalf of the controller, the same obligations regarding data protection as those laid down in the contract or other legal act between the controller and the processor, as provided for above, shall be imposed on that other processor by means of a contract or other legal act in accordance with Union or Member State law, in particular to provide sufficient assurances that appropriate technical and organisational measures will be implemented so that the processing will meet the requirements of this Regulation. Where the other processor fails to meet its data protection obligations, the original processor shall remain fully liable to the controller for the fulfilment of the obligations of the other processor.


PERSONAL DATA BREACH NOTIFICATION

Notification of a Personal Data Breach to the Supervisory Authority.

In the event of a personal data breach, the Data Protection Officer and the designated DPO of the company in accordance with the following shall notify the personal data breach to the Data Protection Authority without delay and, if possible, within 72 hours of becoming aware of the fact, unless the personal data breach is not likely to result in a risk to the rights and freedoms of natural persons. Where notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay.
Where the undertaking acts as a processor on behalf of another undertaking, it shall also inform the Data Protection Officer of the other undertaking without undue delay upon becoming aware of a personal data breach. The notification referred to in paragraph 1 shall at least: 

  a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data files affected;
  b) state the name and contact details of the data protection officer or other point of contact from whom further information can be obtained;
  c) describe the potential consequences of the personal data breach;
  d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, as well as, where appropriate, measures to mitigate its possible adverse effects.

In the event that, and to the extent that, it is not possible to provide the information simultaneously, it may be provided gradually without undue delay. The controller shall document each personal data breach, recording the facts relating to the breach, its consequences and the corrective measures taken, so that such documentation allows the supervisory authority to verify compliance with this article. For this purpose, the Company shall keep a breach register with all the above required information.

Notification of a personal data breach to the data subject

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the company shall communicate the personal data breach to the data subject without undue delay.
The communication to the data subject referred to in paragraph 1 of this Article shall clearly describe the nature of the personal data breach and shall contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the GDPR. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: 

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures have been applied to the personal data affected by the breach, in particular measures which render the personal data unintelligible to those who are not authorised to access them, such as encryption; 

(b) the controller has subsequently taken measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to occur; 

(c) the communication would involve disproportionate effort. In that case, a public communication shall be made instead, or a similar measure shall be taken by which data subjects are informed in an equally effective manner.

If the controller has not already communicated the personal data breach to the data subject, the supervisory authority may, having examined the likelihood of a high risk resulting from the personal data breach, require the controller to do so or may decide that any of the conditions referred to in paragraph 3 are met.


DATA PROTECTION OFFICER

The company is not legally obliged to appoint a Data Protection Officer because it does not fall under the cases defined by law.

Nevertheless, the company voluntarily appoints Stefanogiannis Economou, Lawyer, resident of Glyfada, 16 Pandoras Street, as Data Protection Officer in accordance with the provisions of the GDPR.

The contact details of the above data protection officer are as follows: tel. 2107231630, email info@elo.gr. They will be included in all company communications to third parties so that they know who to contact for personal data protection issues.

The Company has notified the above appointment to the Personal Data Protection Authority.

Position of the data protection officer

According to the GDPR:

The Data Protection Officer shall be involved, in a timely manner, in all matters relating to the protection of personal data.
The company shall support the data protection officer in carrying out the tasks referred to in Article 39 of the GDPR and below in this policy by providing the necessary resources for the performance of those tasks and access to personal data and processing operations, as well as the resources necessary to maintain his expertise.
The controller and the processor shall ensure that the data protection officer does not receive instructions to carry out those tasks. He shall not be dismissed or penalised by the controller or the processor for having performed his tasks. The data protection officer shall be directly accountable to the highest management level of the controller or processor. Data subjects may contact the data protection officer on any matter relating to the processing of their personal data and on the exercise of their rights under this Regulation. The data protection officer shall be bound by the obligation of secrecy or confidentiality in relation to the performance of his or her tasks, in accordance with Union or Member State law. The data protection officer may also perform other tasks and obligations. The controller or processor shall ensure that such tasks and obligations do not give rise to a conflict of interests.

Duties of the data protection officer

The data protection officer shall have the following tasks:
(a) inform and advise the undertaking or processor and the employees who process the data on their obligations under the GDPR and other Union or Member State provisions on data protection; 

(b) monitor compliance with this Regulation, with other Union or Member State provisions on data protection and with the policies of the controller or processor in relation to the protection of personal data, including the delegation of responsibilities, awareness-raising and training of employees involved in processing operations, and relevant controls; 

(c) provide advice, where requested, on the data protection impact assessment and monitor its implementation in accordance with Article 35 of the GDPR; 

(d) cooperate with the supervisory authority; 

(e) act as a contact point for the supervisory authority on issues relating to processing, including prior consultation referred to in Article 36 of the GDPR, and shall consult, as appropriate, on any other matter. 

When performing his/her tasks, the data protection officer shall take due account of the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.



PROCESSING OF EMPLOYEES’ PERSONAL DATA

The company processes employee data to the extent that this is necessary and required for the execution of the employment contract.

The Company has informed its employees about this processing.

Use of company phones.

The company provides its employees with the individual use of a landline or mobile phone. The company has taken the appropriate measures and has given the appropriate instructions to the telephone company with which it collaborates so that the last three (3) digits of the numbers called by employees are not recorded, for reasons of personal data protection.

It is understood that this rule does not apply in the event that employees make customer calls for the company’s needs from the company phones dedicated for this purpose.

E-mail

The use of e-mail messages from company accounts is permitted for work purposes only. The company does not control the content of messages that have a specific recipient and are received in the individual account it has granted to the employee, without the employee’s prior written consent.

The use of personal e-mail for corporate purposes is prohibited.

Internet

The company does not carry out preventive and general collection of employees’ internet usage data. Exceptionally, limited collection of internet visits is permitted to avoid visits to specific websites, e.g. pornographic content. If the company carries out such collection, it must inform employees in advance.


SECURITY CAMERAS

The company has installed security cameras to protect its premises and the safety of the people on them. These cameras are not used to monitor employees within these premises, and any data collected through the video surveillance system will not be used as the sole criterion for evaluating employees’ behavior and performance.

The cameras monitor specific areas of the company, such as the entrance, cash storage areas, warehouses, and electromechanical installation areas, and focus on the asset they are protecting and not on the employee areas.

The cameras are angled so that they capture the faces of customers and employees as little as possible, and shots with as wide an angle of view as possible are preferred. In any case, the operation of cameras in toilets and in areas where store employees work that are not accessible to the public is prohibited.

Recording data from the cameras is automatically deleted after 15 days.


TRAININGS

The company is committed to informing its employees about personal data protection issues and to training its employees involved in processing personal data on lawful processing and the requirements of the GDPR.

Training will take place once a year for employees involved in processing and once every two years for others.

Training can be done using printed or audiovisual materials.


DATA RETENTION – RETENTION PLAN

The company retains the data for as long as necessary to achieve the purpose of the processing or for as long as necessary to comply with its legal obligations.

Specifically:

Employee data is kept for 20 years from their departure from the company since IKA and other competent authorities have the right to conduct audits for this period of time and because employees’ claims against the company for unjust enrichment are time-barred after 20 years.

After the employment contract ends, the data is stored in a place that is not accessible by any employee of the company without special authorization.

The data of candidate employees is kept for one (1) year from the date they submitted it unless they are hired or there is no interest in hiring. For the retention of their data for a longer period, the company will obtain their written consent.

The data of suppliers/partners/customers is kept for as long as is absolutely necessary for the execution of the contracts between them and the proof of the rights and obligations of each party until their relevant statute of limitations.

The data that the company receives as processor from the Controller are kept for as long as is strictly necessary for the execution of any contracts between them and the proof of the rights and obligations of each party until their relevant limitation period. In any case, the company deletes or returns such data in accordance with the instructions of the Controller and in accordance with the relevant contract for the processing of such data signed between the company as processor and the Controller.


POLICY REVISIONS

This policy will be reviewed at least once a year and revised if necessary, so that it responds to legal requirements, the decisions of the Personal Data Protection Authority, developments in the field of personal data and the developments and activities of the company.