Privacy Policy

This policy is in accordance with European Union Regulation 2016/679.

We will process your personal data if there is a legal basis to do so. Examples of legal basis are:

✓ Written consent from you.

✓ Our legitimate interest to use your personal data.

✓ Legal compliance purposes.

Personal data is information that can be related to an individual. Examples are the name and contact details, address, e-mail etc.

Sensitive personal data is data on: religion, ideological, political views, health, genetic or biometric information, the racial and ethnic origin.

Profiling is any form of automated processing of personal data consisting of the use of personal data in order to evaluate certain personal aspects relating to an individual.

Data subject is a physical person to whom personal data relates.

Data processing is any activity and operation performed on personal data.

Data file means any structured set of personal data which are accessible in such a way as to make it possible to deduce the person in question from the data.

Disclosure means making personal data accessible.

Data Protection Impact Assessment is the systematic process for identifying, evaluating and documenting the risks and impact of personal data processing activities to the rights of individuals.

Data controller is the legal person who decides and determines the purpose, content and procedure of processing personal data.

Data processor is the physical or legal person that processes personal data as instructed by the data controller.

2.3.1 Data processing principles
For compliance purposes with the applicable law, the company must collect, process and store personal information in accordance with the following data protection principles. 

2.3.1.1 Lawful and fair processing
Personal data may only be processed fairly and lawfully. Every data processor must ensure compliance with this policy and the relevant laws and regulations.

2.3.1.2 Processing based on Consent
Before personal data may be processed, the data subject must be duly informed about each purpose of processing operation carried out by the controller. Consequently the data subject must actively give a recorded statement / consent. The data subject may withdraw his/her consent at any time by contacting the DPO of our Company.

2.3.1.3 Purpose of processing
Personal data may only be processed for the purpose indicated at the time of collection. Some of the main purposes for which we use your personal data are:
✓ Complying with legal requirements.
✓ For management and administrative purposes.
✓ Improvement of website, products and services.

2.3.1.4 Adequate and not excessive processing
Personal data shall be adequate and not excessive in relation to the purpose for which it is processed.

2.3.1.5 Accuracy and quality of data
In case your personal information has changed, you are encouraged to contact the DPO for communication regarding data protection issues of the Company as soon as possible in order to update any personal data.

2.3.1.6 Data storage and retention
Personal data will be stored for as long as it is required to fulfil the purpose for which the data was collected and processed. We will review the retention period of the data we hold and delete it securely, when there is no longer a legal, business or customer need for it to be retained.

2.3.1.7 Disclosure to third parties
A third party data processor acting on behalf of the company, shall contractually agree to process personal data in accordance with this policy. The terms of this policy shall be included by reference in the relevant contracts. Furthermore the Company will have the right to audit the third party data processor for the adequacy of the relevant used controls.

2.3.1.8 Cross-border disclosure of personal data
The company operates within and outside the European Union, consequently data may need to be stored outside the European Union, or the company many need to send your personal data for legal compliance purposes abroad.
Personal data may only be disclosed abroad (outside the EU) if the foreign law provides for an adequate level of data protection. In case the foreign law does not provide an adequate level of data protection, personal data may only be transferred to such country if the data subject has explicitly consented to the transfer.
The Company shall take appropriate personnel, technical and organizational measures to minimize the risk of accidental or intentional breach, destruction, or loss of personal data.

2.3.2 Data Protection Impact Assessment (DPIA)
The Company will ensure that a DPIA is conducted whenever a planned processing activity may pose a high risk to the data subject’s rights and freedoms. Where the DPIA results in the conclusion that there is a high risk for data subjects, the supervisory authority must be notified and its view on adequate measures to reduce the risks must be obtained.

2.3.3 Data subjects’ rights
All individuals who are subject of personal data held by the company have the right to obtain information from the company about the processing of their personal data. In particular, data subjects may exercise their rights in terms of access, rectification, erasure, restriction, data portability in a structured, commonly used and machine-readable format, objection and/or prevention of automated decision making of their personal data.
Any request must be in writing while a reply to such a request can be expected within one (1) month. There is no fee for requests.
The Company shall provide the data subject in written with a copy of information held by the Company concerning him or her, containing:
a) the purposes of the processing,
b) the type of personal data being processed,
c) information on the retention period,
d) the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning them or to object to such processing,
e) the right to lodge a complaint with the supervisory authority,
f) details of a planned cross-border transfer.

2.3.4 Records of processing activities
The company shall maintain a record of all processing activities under its responsibility that containing personal data. The record shall include the following minimum information:
a) name and contact details of the data controller,
b) name and contact details of the data protection officer,
c) purpose of processing,
d) description of categories of data subjects,
e) description of categories of personal data being processed,
f) description of categories of data recipients,
g) description of cross-border data transfer,
h) a general description of the technical and organizational security measures, where possible.

2.3.5 Training and raising awareness
The Company is responsible for ensuring that every employee is trained in data protection and data security matters.

Data processing systems must be setup in a way that the strictest privacy settings apply automatically.
More extensive processing of personal data is only permitted if the data subject gives its explicit consent to extended processing.

The potential penalties and damages resulting from a data protection infringement are serious for both the person committing the violation and for the company. Any violation of this data protection policy may result in regulatory penalties.

2.6.1 Data breach recording 
The Data Protection Officer systematically documents disclosed breaches and evaluates the reasons for the breaches. Furthermore, he initiates further required measures to remedy the situation and to prevent breaches from recurring.

2.6.2 Data breach notification
The Company must notify a data breach to the Greek Data Protection Authority within 72 hours after becoming aware of it.
Furthermore, if the personal data breach is likely to result in a high risk to the data subject’s rights and freedoms the data subject must be informed without delay.