The EU 679/2016 regulation establishes rules concerning the protection of individuals with regard to the processing of their personal data and rules concerning the free circulation of personal data. Moreover, this regulation protects the fundamental rights and freedoms of individuals, particularly the right to the protection of their personal data.

By applying the EU 679/2016 regulation, the company in certain circumstances acts as a Process Controller while in others as a Performer of Process, in accordance with the relevant definitions in Article 4 of the above regulation.

By applying the EU 679/2016 regulation, the company has designated a Data Protection Officer who has all responsibilities set by the above regulation. This designation is known to the Supervisory Authority.

The collection of personal data is carried out according to defined principles, in line with Article 5 of the EU 679/2016 regulation. In particular, Personal Data (PD):
a) are processed lawfully, fairly and in a transparent manner in relation to the data subject (“legality, objectivity and transparency”),
b) are collected for specific, clear, and legal purposes. They are not submitted to further processing in a way incompatible with those purposes.
c) are appropriate, relevant, and limited to what is necessary for the purposes for which they are processed (“data minimization”).
d) are accurate and, when necessary, updated; all reasonable measures must be taken to immediately delete or correct personal data that are inaccurate in relation to the purposes of the processing (“accuracy”),
e) are kept in a format that allows the PD subjects to be identified only for the time needed for processing purposes.
f) are processed in a way that guarantees their appropriate security, including their protection from unauthorized or unlawful processing and from accidental loss, destruction or corruption, by using appropriate technical or organizational measures (“integrity and confidentiality”).

The company is obliged and committed to adhere strictly to the following conditions, in accordance with Article 6 of the EU 679/2016 regulation, during the processing of PD:
a) the PD subject has consented to their processing for one or more specific purposes.
b) processing is necessary to execute a contract to which the subject is a party or to take measures at the subject’s request before signing the contract.
c) Processing is necessary to comply with a legal obligation of the company.
d) Processing is necessary to safeguard the vital interest of the Subject or other individual.
e) Processing is necessary for fulfilling a duty executed in the public interest or in the exercise of public authority assigned to the company.
f) processing is necessary for the purposes of the legal interests pursued by the company or by a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the subject that require PD protection, especially if the PD subject is a child.

No consent is required from the PD subject for processing data related to and necessary for completing legal actions. Consent is typically required for data that do not result from required legal procedures.

The company, when acting as a Process Controller, collects and processes specific personal data in accordance with the requirements of the EU 679/2016 regulation and the relevant agreements with the Process Controllers, while keeping the Processing Activity Records required under this regulation.

The company commits itself to protecting and safeguarding the Subjects' rights under Articles 12-23 of the EU 679/2016 regulation. Thus, all Subjects are able to submit a properly justified request to the company, based on the 679/2016 regulation, to exercise their rights under Articles 12-23 of that regulation.

For Personal Data Leakage Events, the Data Protection Authority must be immediately notified in accordance with Regulation (EU) 679/2016.

Within the context of information security, and personal data protection in particular, the company implements defined organizational and technical measures. Specifically, it applies:
• Organizational measures in the form of procedures, authorizations and role assignments
• Physical security measures against both natural and environmental hazards
• Logical Access Security Measures for Information & Communication Systems that manage and process information
• Internal and external communication security measures
• Operational security measures concerning backups, use of mobile media, tackling malicious attacks, installation and changes of software and processes
• Security measures for the supply of materials, products and services

As part of implementing the information security management system, and by applying the relevant standards, requirements and legislation, the company applies appropriate risk management methodologies that include:
• Risk identification and analysis
• Risk evaluation
• Risk management
• Monitoring, reviewing and controlling the performance of the information security management system.

In the context of risk management, a risk assessment is carried out of key objectives related to the protection and security of information, and in particular personal data, in terms of their integrity, confidentiality and availability.

When identifying, analysing and evaluating risks, all forms of data are taken into account, including event logs, results of technical controls and vulnerability tests.

The company is responsible for evaluating and reviewing the performance of the processes, policies and measures taken to protect personal data, in order to constantly improve their protection and security.

In particular, regarding information security and including Personal Data, the company sets specific objectives that relate to individual risk levels and reduce them through the implementation of defined risk actions.