What is the GDPR?
The GDPR is a new European Regulation on the protection of Personal Data (EU 2016/679), effective 25 May 2018 for companies that maintain databases; it does not allow the use of data collected so far without the user’s prior consent.
This Policy sets out the collection, use, retention, transfer, disclosure and destruction of Personal Data and seeks to protect the Personal Data and ensure that staff understand the rules governing the use of the Personal Data they access during their work.
In particular, this Policy requires staff to consult the Data Protection Officer (hereinafter referred to as “the DPO”) before commencing any significant new data processing activity to ensure compliance with the requirements.
PRASINI STEGI is committed to conducting its activities in accordance with all applicable Data Protection Laws and Regulations and in accordance with the highest standards of ethics.
The procedures and principles set forth herein must be adhered to at all times by the Company, its employees, its agents, contractors or other parties working on behalf of the Company.
The Company is committed not only to the letter of the law but also to the spirit of the law and attaches great importance to the proper, lawful and equitable management of all Personal Data, respecting the legal rights, privacy and trust of all those with whom it deals.
Policy Author: Theofilos Matsoukas
Date of approval by Management: May 25, 2018
Policy Effective Date: May 25, 2018
Next revision date: June 25, 2018
The following definitions and concepts are used for the purposes of this Policy and as provided for by the GDPR:
For the purposes of this Regulation:
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(3) ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
(5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
(6) ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(9) ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
(10) ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
(12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
(13) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
(14) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data;
(15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
(16) ‘main establishment’ means:
(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
(17) ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
(18) ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
(19) ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
(20) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
(21) ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
(22) ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
(a) the controller or processor is established on the territory of the Member State of that supervisory authority;
(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
(c) a complaint has been lodged with that supervisory authority;
(23) ‘cross-border processing’ means either:
(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
(24) ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
(25) ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;
(26) ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
This Policy applies to the Company, its Employees and its Board of Directors, as well as to the processing of Personal Data by third parties.
Data covered by the GDPR
According to the GDPR, Personal Data includes:
(a) Personal information
(b) Family lifestyle information and details
(c) Education and training
(d) Medical information, including biometric / body data
(e) Job / employment information
(f) Financial data
(g) Contract details (e.g. goods and services provided to a Data Subject)
(h) Location data, and
(i) Electronic identification, such as Internet Protocol addresses (IP addresses), cookie identifiers, device identifiers, etc.
1.1 The GDPR identifies as sensitive the Personal Data which discloses:
(a) Racial or ethnic origin
(b) Political views
(c) Religious and philosophical beliefs
(d) Participation in trade unions
(e) Health or sex life and sexual orientation data, and
(f) Genetic or biometric / somatometric information.
Data Protection Principles
2.1 This Policy is intended to ensure compliance with the Regulation, to determine the Company’s best practice in complying with the Regulation, and to ensure the protection of Personal Data. The Regulation sets out the following principles that the Company must comply with. All Personal Data must:
(a) be processed lawfully, fairly and transparently in relation to the Data Subject;
(b) be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the original purposes;
(c) be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) be accurate and, where necessary, kept up to date. All reasonable measures must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are deleted or corrected without delay;
(e) be kept in a form that allows the identification of the Data Subject for no longer than is necessary for the purposes for which the Personal Data are processed. Personal Data may be retained for longer periods if they are to be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, provided that the appropriate technical and organizational measures required by the Regulation are implemented to safeguard the Data Subject’s rights and freedoms; and
(f) be processed in a manner that ensures the necessary security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
- Theofilos Matsoukas, Data Protection Officer, can be reached by e-mail at (firstname.lastname@example.org) or by phone at (210 2515005).
- The Data Protection Officer shall:
(a) Inform and advise the Company and our employees of their obligation to comply with the GDPR and other data protection laws.
(b) Monitor compliance with the GDPR and other data protection laws, including the management of internal data protection activities, advising on data protection impact assessments, staff training and internal audits.
(c) Act as the first point of contact for the supervisory authorities and for the persons whose data are processed (employees, customers, etc.).
(d) Perform internal controls on processing activities.
(e) Train all staff members handling Personal Data and ensure access to further guidance and support.
(f) Submit clear supervisory reports and reports on data protection compliance.
(g) Perform regular audits to monitor and evaluate new processing of Personal Data and to ensure that any notification to the Office of the Information Commissioner (ICO) is updated to reflect any changes to the processing of Personal Data.
(h) Develop and maintain the GDPR procedures.
- The Company confirms that the Data Protection Officer operates independently and that sufficient resources have been made available for the DPO to be able to fulfill their obligations under the GDPR.
- All staff, through appropriate training and responsible administration, must:
(a) Adhere to all forms of guidance, codes of practice and procedures for the collection and use of Personal Data.
(b) Fully understand the purposes for which the Company uses the Personal Data.
(c) Collect and process appropriate information solely for the purposes for which it is intended to be used by the Company to meet its service needs or legal requirements.
(d) Ensure that information is destroyed (in accordance with the provisions of the law) when it is no longer necessary.
(e) Upon receipt of a request made by a natural person, or on behalf of a natural person, for information about that person, immediately notify their supervisor.
(f) Not transmit Personal Data outside Greece without the authorization of the Data Protection Officer.
- The Company reserves the right to outsource the role of Data Protection Officer to a third party with full knowledge of the GDPR.
- The Company is required to maintain written internal records of any collection, possession and processing of Personal Data, which shall include the following information:
(a) The name and details of the Company, the Data Protection Officer and any third-party Data Managers.
(b) The purposes for which the Company processes the Personal Data.
(c) Details of the categories of Personal Data that are collected, held and processed by the Company and the categories of Data Subjects to which these Personal Data relate.
(d) The details (and categories) of any third parties who will receive Personal Data from the Company.
(e) Details of any transfers of Personal Data to non-EEA (European Economic Area) countries, including all security mechanisms and safeguards.
(f) Details of the Company’s retention periods; and
(g) Detailed descriptions of all technical and organizational measures taken by the Company to ensure the protection of Personal Data.
- The Company also applies measures that meet the principles of data protection by design and data protection by default. Measures could include:
(a) Minimizing data.
(b) Ensuring transparency to the Data Subjects and, with the consent of the Data Subjects, to any third parties.
(c) Enabling the Data Subjects to monitor processing.
(d) Creating and improving security features on an ongoing basis; and
(e) Using Data Protection Impact Assessments where appropriate.
For the purposes of this Policy, Sensitive Personal Data will be included in the definition of “Personal Data”.
PRASINI STEGI takes the treatment of your personal data very seriously and, for that reason, complies with Law 2472/97, as in force, of the Personal Data Protection Authority, applicable to personal databases, as well as with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR).
PRASINI STEGI commits itself to the full enforcement of the applicable laws and European regulations by taking account of the adoption of the appropriate technical and administrative measures for the protection of personal data.
Browsing our website
You can browse our website without providing any personal information.
PRASINI STEGI collects personal data of its visitors / users, only when they provide them voluntarily.
Specific care is taken with the data collected with the help of cookie files (read more in our Cookies Policy). Owing to the frequent and extensive changes in technology, as well as the legislature’s attempts to keep pace with these changes, PRASINI STEGI is bound to inform you of any modification made to its personal data management policy.
If visitors/users object to this policy, they must terminate and avoid browsing the web page.
Data keeping and processing principles
PRASINI STEGI is bound to make every effort in order to safeguard the privacy of your data. Therefore, it may not transfer them to any third party (either a natural or legal person), for any reason whatsoever, except where Law provides otherwise, and exclusively to the competent authorities.
Minor visitors shall have access to our services only with the consent of their parent or guardian; if personal data are submitted by minors, PRASINI STEGI will delete all relevant information.
Visitors/users may, at any time, contact the administrators of the website at email@example.com in order to find out if there is a record of their data, and may change and delete them from the lists, whenever they so wish.
PRASINI STEGI keeps records of the personal data of users solely for financial, taxing and communication reasons. In the context of an ongoing optimisation of the services and information provided, it may process, under strict conditions of confidentiality and anonymity, part or all of the data you have sent for statistical and financial purposes.
The personal data we collect
Information automatically stored: cookies
PRASINI STEGI uses “cookies” only for facilitating the use of our website. Cookies are small data / text files stored by your browser in the hard disk of your computer and are necessary for the use of our website.
Cookies help us, for instance, to determine if you have already visited a page of our site. Cookies may also inform us if you have visited our site in the past or if you are a new visitor.
If you do not wish to have your information collected through cookies, please set the Internet browser accordingly in order to delete all the current cookies from the hard disk of your computer, block all future cookies and receive a warning before a cookie is stored (Read more in our Cookies Policy).
Messages via the contact platform
You may submit your message in PRASINI STEGI either via the general contact form or through dedicated contact forms which are located in the web pages of the services and/or products.
By submitting your message via any contact form to PRASINI STEGI, you accept these Terms in relation to the use of your personal data (name and e-mail) by PRASINI STEGI.
PRASINI STEGI is bound neither to use this information for marketing purposes nor to transfer it to third parties.
PRASINI STEGI may identify the IP address through which the computer or other electronic device obtains access to the Internet and, through it, to PRASINI STEGI; such information is processed for statistical purposes.
In cases where the browser seeks authorisation for receiving your location from our website, this data shall be used for providing customised information.
In any event, you may withdraw your permission at any time by changing your browser settings.
If you choose not to give your permission, then, your access to certain services of PRASINI STEGI may not be possible.
Through the appropriate links in the site of PRASINI STEGI, access is provided to third-party sites.
These links have been installed with the sole purpose to facilitate visitors/users during their browsing in the Internet.
Inclusion of a link does not in any way constitute an indication of acceptance or approval of the content of such third-party website.
PRASINI STEGI shall have no liability for the content and the personal data management Policy of the website to which access is provided via the link.
Access by using the links provided to each website takes place under the sole responsibility of the user.
Storage time of your data
Data provided by you will be kept/ stored by us only for the time period required for fulfilling the purpose for which you shared your data with us and in conformation with the underlying legislative provisions.
If you have provided us with your explicit consent to use your personal data for advertising purposes (subscription to the Newsletter), we will use your data to this end until you withdraw your consent.
You may withdraw your consent at any time, with effect for the future.
Communication, request for information, consent withdrawal, blocking, erasure
You may, at any time and without cost, object to the future use of your personal data, ask for their complete deletion, or ask for information about the personal data we store about you or for their correction.
You may send an email with your request at firstname.lastname@example.org or use the general contact form on our website.
Personal Data Safety
PRASINI STEGI acknowledges the safety of data and transactions as a major issue and, for this reason, takes all necessary organisational and safety measures and implements the most appropriate technical mechanisms protecting the content, with the aim of providing users with the safest possible environment, pursuant to the respective legislative provisions.
PRASINI STEGI protects visitors/users from interception of data by using 256-bit SSL encryption. The encryption applies to all stages and procedures of handling and sending personal data and information.
Through its designers and administrators, PRASINI STEGI makes every possible effort in order to develop, update and optimise the services provided and the web site, in general.
However, there is always the possibility that errors, malfunctions or interruptions occur in the content of the website, and/or that viruses or other malware emerge either from the site or from its server.
Updating and modification
The Company reserves the right to amend or update individual parts of this Policy without being obliged to inform you in advance. Please always read the Personal Data Protection Policy before using our website, so as to be informed of the latest version of this Policy in case of any amendments or updates.
I understand and agree that:
- My data will be kept confidential.
- By signing this consent form, I agree to allow competent officials and authorized technical personnel to process the data.
- If I do not agree with all of the above I do not need to sign this consent form for the processing of my personal data.
- Data may be processed for reasons of public interest under EU law or national law.
- I am over 18 years old and have the appropriate ability to sign this consent form.
- For minors, written consent of their parents is needed to process the data.
- I can revoke my consent at any time.
- I have the right to file a complaint with the competent Personal Data Protection Authority (www.dpa.gr).
Last update on Privacy and Personal Data Protection Policy: July 2018