2.1. Legal Basis
This policy is in accordance with the EU General Data Protection Regulation (GDPR), Greek law 2472/1997 (Government Gazette Bulletin 50/A’/10.4.1997) and Greek law 4624/2019 (Government Gazette Bulletin 137/A’/29.8.2019) on the protection of individuals with regard to the processing of personal data, as amended and in force, as well as any secondary legislation, Opinions or Decisions issued by the Greek Data Protection Authority and any related sectoral legislation.
Personal data is information that can be related to an individual. Data is considered personal, if the person it concerns can be identified.
Special categories of data (also known as sensitive personal data) is data on:
a) religious, philosophical, political or trade union-related views or activities,
b) health, genetic or biometric information, the intimate sphere or the racial and ethnic origin, data concerning a natural person’s sex life or sexual orientation,
c) criminal proceedings and sanctions.
Personality profile is a collection of data that permits an assessment of a person’s characteristics and thus of important aspects of his/her personality.
Example: A personality profile might be a collection of data where various information such as a data subject’s social contacts, political and personal views, financial status, health situation, and other information is combined in order to provide a broad view on the data subject.
Data subject is a natural person to which personal data relates.
Data processing is any activity involving personal data, irrespective of the means applied and the procedure, e.g. the collection, storage, use, revision, disclosure, archiving, viewing and destruction of personal data.
Data file means any stock of personal data that is structured in such a way as to make it possible to deduce the person in question from the data. E.g. any IT tool containing personal data.
Disclosure means making personal data accessible, for example by permitting access, transmission, or publication.
Privacy impact assessment is a systematic process for identifying, evaluating and documenting the risks and impact of personal data processing activities.
Data controller is the legal person who decides on the purpose, content and procedure of processing personal data.
Data processor is a natural or legal person that processes personal data as instructed by the data controller.
2.3. General obligations when processing personal data
2.3.1. Data processing principles
Every person processing personal data shall comply with the following principles.
2.3.1.1. Lawful processing
Personal data may only be processed lawfully. Every data processor shall ensure compliance with this policy and the relevant laws and regulations.
Before personal data may be processed, the data subject must be duly informed, and voluntarily and actively give its consent. Consent can be given explicitly or implicitly, e.g. by providing personal data to the data controller. Consent does not necessarily need to be in writing, however, in order to evidence consent (e.g. towards courts and authorities), written consent or permissible audio recordings are advisable. The data subject may withdraw its consent at any time.
No consent is required in the following cases:
a) if the data subject has made its personal data generally accessible, e.g. information provided in a newspaper or public white or yellow pages, and has not prohibited its processing,
b) for the performance of a contract to which the data subject is party,
c) in order to take steps at the data subject’s request prior to entering into a contract,
d) for compliance with legal obligations of the data controller,
e) in order to protect the vital interests of the data subject or another natural person,
f) for the performance of a task carried out in the public interest or in the exercise of official authority vested in XXX,
g) if the legitimate interests pursued by XXX or a third party prevail over those of the data subject, except where such prevailing interests are overridden by fundamental rights and freedoms of the data subject. In case of doubt, contact XXX’s DPO.
2.3.1.2. Information duty
The data subject requires adequate knowledge of the personal data being collected and its purpose of processing, before giving its consent.
As a minimum, the data subject must be informed about:
a) identity of the data controller, i.e. XXX (in most cases),
b) contact details of the DPO,
c) type of personal data being processed,
d) purpose of the processing,
e) XXX’s legitimate interest in processing the personal data, if applicable,
f) categories of the data recipient if a disclosure is planned,
g) details of a planned cross-border transfer,
h) retention period for the data or the criteria used to set it,
i) whether automated decision-making is applied and the significance of such processing for the data subject,
j) instructions on the data subject’s rights.
2.3.1.3. Purpose of processing
Personal data may only be processed for the purpose indicated at the time of collection or for a purpose provided for by law. See also section 2.3.1.1 regarding consent.
Personal data processing must be carried out in good faith, and the data collected or stored must be necessary to fulfil the purpose of the processing.
Any person processing data is responsible to ensure the processing is lawful and consistent with the purpose for which the data has been collected.
2.3.1.4. Personnel files
The personnel file and personal data regarding XXX’s employees are classified as “confidential” information.
XXX employees can inspect their personnel file and request information about other personal data pertaining to them. A request for information or inspection can be submitted verbally or in writing.
2.3.1.5. Data quality
Any person processing personal data shall ensure that the data is correct and complete.
XXX shall take all reasonable technical and organizational measures to ensure that personal data that is incorrect or incomplete is either corrected or destroyed.
2.3.1.6. Privacy impact assessment
Any person processing personal data shall conduct a privacy impact assessment, whenever the planned processing activity may pose a high risk to the data subject’s rights and freedoms.
The purpose of the impact assessment is to evaluate and mitigate the risks to data privacy. The assessment must be carried out before any high risk processing activities are commenced.
High risk processing activities include:
a) systematic and extensive evaluation of a data subject’s personal aspects. In particular, if the personal data is processed automatically, if the processing includes personality profiling, and if decisions which affect the data subject’s rights and duties are based on this evaluation,
b) processing of sensitive personal data on a large scale,
c) systematic and large scale monitoring of a publicly accessible area, e.g. video monitoring of a public area.
The privacy impact assessment shall be properly documented and carried out with the assistance of the data protection officer. Where the privacy impact assessment results in the conclusion that there is a high risk for data subjects, the supervisory authority must be notified and its view on adequate measures to reduce the risks must be obtained.
2.3.1.7. Disclosure to third parties
Personal data shall only be disclosed to third parties if necessary. Personal data shall be anonymized, if appropriate.
A third-party data processor acting on behalf of XXX, e.g. a contractor or service provider, shall contractually agree to process personal data in accordance with this policy. The terms of this policy shall be included by reference in the relevant contracts.
2.3.1.8. Cross-border disclosure of personal data
Personal data may only be disclosed abroad if the foreign law provides for an adequate level of data protection. In case the foreign law does not provide an adequate level of data protection, personal data may only be transferred to such country if either the data subject has explicitly consented to the transfer, or if data protection is provided for by an adequate data transfer agreement.
2.3.1.9. Data security
XXX shall take appropriate personnel, technical and organizational measures to minimize the risk of accidental or intentional breach, destruction, or loss of personal data.
Particularly, XXX shall take safeguards to protect personal data from unauthorized access and processing. Thereby, technological innovations shall be taken into consideration, and security procedures appropriate to the specific features of processing shall be established.
2.3.1.10. Data storage and retention
Personal data shall only be stored for as long as it is required to fulfil the purpose for which the data was collected. The particulars of data storage and retention periods are set out in XXX’s Data Retention Policy.
2.3.2 Data subject’s rights
Every data subject has the following rights pursuant to GDPR:
a) The right to be informed,
b) The right of access,
c) The right to rectification,
d) The right to erasure,
e) The right to restrict processing,
f) The right to data portability,
g) The right to object,
h) Rights in relation to automated decision making and profiling.
XXX’s employees shall honour any data subject’s access request and, if required, seek advice from the DPO. For more information on the content of each right please see XXX’s Handling of Data Subjects’ Requests Policy.
2.3.3 Data breach recording
Any infringement of this policy or of the relevant data protection laws and regulations constitutes a personal data breach. Examples of such incidents are unlawful destruction, loss, alteration or unauthorized disclosure of personal data, as well as processing data without consent or for purposes other than those indicated at the time of collection.
The person who discovers a personal data breach shall take appropriate measures in order to protect the personal data from further impact and report the breach to the DPO without delay.
The DPO systematically documents disclosed breaches and evaluates the reasons for the breaches. Furthermore, the DPO initiates further required measures to remedy the situation and to prevent breaches from recurring. For more information please see XXX Data Breach Management Policy.
2.3.4 Data breach notification
XXX must notify a data breach to the appropriate supervisory authority within 72 hours after becoming aware of it.
Furthermore, if the personal data breach is likely to result in a high risk to the data subject’s rights and freedoms the data subject must be informed without delay. For more information please see XXX Data Breach Management Policy.
2.3.5 Documentation of data files
XXX shall keep a list of all databases and files containing personal data. The list shall include the following minimum information:
a) name and contact details of the data controller and any joint data controller,
b) name and contact details of the DPO,
c) description of database or file,
d) purpose of database or file,
e) description of categories of personal data being processed, e.g. address, health information, etc.,
f) description of categories of data subjects,
g) description of categories of data recipients, to whom the personal data has been or will be disclosed, including recipients in third countries,
h) description of cross-border data transfer,
i) the envisaged time limits for erasure of the different categories of data, where possible,
j) a general description of the technical and organizational security measures, where possible,
k) the details of data transfers outside the EU.
The data files shall be classified according to their need for protection. Data files with a special need for protection, such as collections containing sensitive personal data or personality profiles, must be filed in separate folders, marked accordingly and are subject to a privacy impact assessment as set out in section 2.3.1.6.
2.3.6 Training and raising awareness
Every XXX employee shall be trained in data protection and data security matters. A first training session shall follow upon starting employment with XXX and subsequent trainings shall follow at regular intervals.
2.4 Obligations for developing systems and new business processes
Data protection is an integral part of the technological development and the organizational structure of XXX. Thus, the following principles must be taken into account when current business process or data processing systems are evaluated, or when new ones are introduced.
2.4.1 Privacy impact assessment for new processing activities
A privacy impact assessment must be conducted whenever new data processing technologies or activities are introduced that are likely to result in high risk personal data processing.
The details of the privacy impact assessment are set out in section 2.3.1.6 of this policy.
2.4.2 Privacy by design principles
When new data processing systems are introduced, the responsible person must ensure a high standard of data protection. Particularly, any new systems and processes must comply with the following principles:
a) Technical and organizational measures must be taken to ensure systematic and secure life cycle management of personal data from collection to processing to deletion.
b) Data processing systems must be aimed at collecting as few personal data as necessary to fulfil the purpose for which the data was collected.
c) Where anonymizing the data does not defeat the data processing purpose, personal data must be rendered anonymous in a way that the data subject is no longer identifiable.
d) Where personal data cannot be anonymized, security measures appropriate to the nature of the data must be taken, such as pseudonymization, encryption, or access restriction.
e) Access to personal data shall be granted according to the “need-to-know” principle, meaning that personal data shall only be made accessible to those persons who require it to perform their assigned roles and responsibilities.
f) Systematic quality checking of personal data must be part of data life cycle management to ensure high data quality. In particular, processes must be established to detect and correct false or incomplete personal data.
g) Data processing systems must be adequately protected from unauthorized access through technical and organizational measures.
h) Data subjects must be provided with transparent, user-friendly and effective means of control concerning their personal data.
2.4.3 Privacy by default principles
Data processing systems must be set up in a way that the strictest privacy settings apply automatically, i.e. by default.
More extensive processing of personal data is only permitted if the data subject chooses or agrees to a lower level of protection, e.g. by manually changing privacy settings on a website, IT tool or similar to a less restrictive option and thus gives its explicit consent to extended processing (“opt-in”).
2.5.1 Data controller
The data controller, which is expected to be in most cases XXX, is responsible for the correct processing of personal data and compliance with data protection and data security requirements as set out in this policy or pursuant to applicable law. In particular, for:
a) the observance of the “privacy by design” and “privacy by default” principles when developing new data processing activities,
b) the correct handling of data subjects’ rights,
c) the conducting of privacy impact assessments for personal data processing with the assistance of the data protection officer,
d) the appointment of data processors,
e) the notification of a personal data breach to the supervisory authority and the data subject (if applicable).
2.5.2 Data processor
The data processor is responsible for processing personal data according to the instructions received from the data controller. Furthermore, the data processor is responsible for notifying the data controller of a data protection breach without undue delay.
The data processor must contractually ensure that any sub-contractor instructed to perform the data processing complies with the same instructions received from the data controller.
2.5.3 Data Protection Office
The Data Protection Office (DPO) is responsible for coordinating data protection. It shall consist of representatives from the IT department, the Legal department and the Business Units. The DPO shall:
a) monitor the company’s compliance with applicable data protection laws and regulations,
b) monitor and implement future explanatory materials from the European Union Commission with regard to the execution of the GDPR provisions,
c) support executive management in ensuring legal compliance within data protection,
d) monitor compliance with this policy on a regular basis,
e) maintain the list of databases and the list of breaches of data protection,
f) monitor and assist in privacy impact assessments,
g) be responsible for replying to data subject’s requests for information,
h) be responsible for creating a training concept to raise data protection awareness and advise personnel processing data, in particular XXX employees, of their data processing obligations,
i) act as contact point for supervisory authorities on issues related to the processing of personal data, as well as cooperate with authorities in any other matter.
2.5.4 Executive management
The executive management of XXX is responsible for implementing this policy and shall provide the necessary personnel and financial resources. XXX’s managers are required to enforce the policy in their area of responsibility and ensure that employees, individuals, and entities for which they are responsible, are aware of, understand, and adhere to the requirements of this policy, and are appropriately trained to fully discharge this responsibility.
2.6 Breach of data protection policy
The potential penalties and damages resulting from a data protection infringement are serious for both the person committing the violation and for XXX.
Any violation of this data protection policy may result in disciplinary action up to and including dismissal. Violations of legal or regulatory obligations may be reported to external authorities, and may result in criminal, civil or regulatory penalties.
Latest version: 1 October 2019