2. Protection of Personal Data
The Single Member Private Capital Company with the trade name “CONIFY MONOPROSOPI IKE” places the protection of the personal data of its customers, staff and external collaborators as its highest priority, complying with the applicable legislation of the Data Protection Authority (Law 4624/2019) which applies to personal data databases, as well as the European General Regulation for the Protection of Personal Data (2016/679). At the same time, it is committed to their full and faithful implementation, taking the appropriate technical and organizational measures. In this context, the Company has taken the necessary, appropriate and legally prescribed technical measures that ensure the protection of personal data during their collection, storage, management and transmission. The full contact details of the company, as the Data Controller, are: CONIFY MONOPROSOPI IKE, Lavrion Technological and Cultural Park, 1, Lavrion Ave., email: firstname.lastname@example.org.
3. Purpose and Basic Principles
The Personal Data Protection Policy of the company and the processing of personal data based on it, which the Company carries out, is based on the following data protection principles:
- Legality, objectivity, and transparency during processing, as personal data processing takes place in a lawful, fair, and transparent manner.
- Limitation of the purpose of processing, as the collection of personal data is sufficient, relevant, and limited to what is strictly necessary for the purpose for which they are processed.
- Minimization of the data under processing, as the collection of personal data will only take place for strictly defined, clear, and lawful purposes and will not be further processed in a manner incompatible with the aforementioned purposes.
- Accuracy and updating of personal data under processing, as every reasonable step should be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Integrity and confidentiality during processing, as all personal data will remain confidential and stored in a manner that ensures appropriate security, while they will not be shared, distributed or disclosed to third parties, except when absolutely necessary to provide services for them, after an agreement.
- Limitation of retention/storage time of personal data, as personal data are kept in an appropriate form, which allows identification of the data subject for no longer than is absolutely necessary for the purposes for which the personal data are processed.
- Right and ability of data subjects to access, correct, or delete their data, or restrict processing, or object to processing, as well as the right to data portability, in accordance with the detailed provisions set out below.
- Compliance with the current national and international legislative and regulatory framework.
The Company controls, reviews, and updates periodically, and whenever deemed necessary, this Policy, taking into consideration and fully respecting the relevant legislative and regulatory framework in force at any given time. This policy applies to all business operations and activities of the Company, as well as to all external partners and clients related to them.
4. Legislative and Regulatory framework
The Company adopts and implements this Policy in its capacity as Data Controller, in order to comply with the provisions of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and Directive 2016/680/EU, as well as Law 4624/2019, including decisions, guidelines, circulars, opinions, and in general any acts issued by the Data Protection Authority.
Recipient: The natural or legal person, public authority, service or other organization with whom personal data is shared, whether third party or not.
“Personal data”: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, date of birth, address, email address, telephone number, etc. Personal data includes all types of information that are directly or indirectly attributable to the data subject, such as names, dates of birth, addresses, email addresses, telephone numbers, etc.
“Processor”: The natural or legal person who processes personal data on behalf of the data controller.
“Processing”: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data that have been collected or will be collected by the company, both in the context of its commercial relations with customers and in the context of the information it receives from third parties, natural or legal persons or entities.
“Profile Building”: any form of automated processing of personal data, which involves the use of personal data to evaluate certain personal aspects of a natural person.
“Personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Processing limitation”: the marking of stored personal data with the aim of limiting their processing in the future.
“Consent” of the client and/or the employee: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“Third party”: any natural or legal person, public authority, agency or body other than the data subject, the data controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.
“Data controller”: The legal entity that determines the purposes and means of processing personal data. For the purposes of this Policy, the data controller is considered to be the Single-Member Private Capital Company (S.M.P.C.), “CONIFY S.M.P.C.”
“Data subject”: Any identified or identifiable natural person to whom the processed personal data relates. For the purposes of this Policy, data subjects are considered to be customers (students and their parents), and/or employees of the Company, and/or third-party external collaborators, researchers, providers, and suppliers.
6. Lawfulness of Processing / Contract & Provision of Consent
CONIFY SINGLE MEMBER PRIVATE CAPITAL COMPANY collects and processes personal data of its customers in order to properly and legally provide the service requested by them. Specifically, the company may collect and process the following data for the completion of the aforementioned service provision:
- Identification data, (e.g. name, surname, date of birth, ID card/passport number, tax identification number, tax office).
- Contact data, (e.g. email address/residential address, correspondence address, telephone/fax numbers).
- Payment data, (e.g. bank accounts, IBAN).
The company collects and processes personal data that are absolutely necessary to implement the proper provision of its services, and exclusively for the purposes of the relevant transactional-contractual relationship. Specifically, our company collects and processes personal data of its customers that are highly necessary, based on the applicable legislation for issuing a legal receipt of payment.
- Under this specific and restrictive framework, the personal data that the company may collect and process for the completion of the aforementioned provision of its services are precisely the following:
- Identification data (e.g. name, surname, date of birth, ID/passport number, VAT number, tax office).
- Contact data (e.g. email address/residential address, correspondence, telephone/fax numbers).
- Payment data (e.g. bank accounts, IBAN).
- The purpose of processing our customers’ personal data is to provide proper and lawful services that constitute the business-corporate object and statutory purpose of the company, while the legal basis for the aforementioned processing is the contractual relationship under Article 6 (1)(b) GDPR and the declared consent under Article 9 (2)(a) GDPR. Failure to provide or withdraw the required personal data of our customers will result in the non-establishment or cancellation of the contract, as it will become impossible for the company to operate and perform the said contract (such as issuing a legal proof of payment, etc.).
- The above-mentioned documents are never moved outside the company’s headquarters, and… (the rest of the text is missing).
In case our company collects, stores and processes personal data of our customers for additional and different purposes than those already communicated, specifically for statistical or marketing purposes, the legal basis for processing constitutes their explicit and specific (additional) consent, which will be requested from them before the above-mentioned processing procedure takes place, according to Article 9 (2a) of the GDPR. In any case, we fully inform our customers that they have the right to access their personal data, the right to correct any inaccurate data, the right to delete data, the right to limit their processing, the right to object to data processing (etc., see in detail in Chapter 13), and finally, even the right to revoke their given consent at any time, without, of course, affecting the lawfulness of the processing based on the consent before its withdrawal.
7. Obligation of prior information
In the case where the processing of data by the Company is based on the relevant consent of the natural person, the Company ensures, prior to obtaining the required specific, explicit and written consent, to inform the subject of personal data, at least, about the following:
i. its status as Data Controller,
ii. the contact details of the Company,
iii. the type of personal data being processed,
iv. the purpose(s) of the processing,
v. the legal basis for the processing,
vi. the categories of potential recipients of the data,
vii. the retention period of the data,
viii. the rights of the natural person (data subject) with respect to the processing of their data.
8. Source of information Data under processing
The company processes personal data of its customers, as mentioned above, which:
i. have been or will be submitted by the customers themselves or their legal representatives and are absolutely necessary for the initiation, maintenance, and execution of their contractual relationships with the company, existing or future,
ii. are received or become known to it by third parties, natural or legal persons, or public authorities, provided that they are absolutely necessary either for the achievement of the legal interests of the company or a third party, or for the fulfillment of its duties carried out for the promotion of scientific-research purposes and/or for the protection of public interest,
iii. come from publicly accessible sources or archives, to the extent that they are absolutely necessary for the purposes of processing.
The personal data under processing provided must be complete and accurate and must be carefully updated by the customers themselves, immediately in any case of change, or whenever it is deemed necessary or appropriate by the company for the maintenance of their transactional relationships or for its compliance with its obligations arising from the current legislative and regulatory framework.
The Company, in compliance with the current legislative and regulatory framework, collects, maintains and processes personal data, which are absolutely necessary according to the applicable legislation, limited to the minimum required for the purposes for which they are processed.
9. Special categories of data
The Company does not process sensitive personal data of natural persons and data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or membership in a trade union, nor genetic or biometric data for the purpose of identifying the customer or data concerning the customer’s health or sex life or sexual orientation.
10. Recipients of Personal Data
Personal data will not be shared with third parties, except where such sharing is absolutely necessary for the provision of our services. For this reason, the Company may transmit personal data (PD) to third parties, who are designated as Processors, for the purpose of serving contractual or transactional obligations towards natural persons subject to personal data, which it manages. This processing is fully and specifically determined by a written contract or any other form of agreement, which clearly expresses that the Processor will process personal data only in accordance with the instructions of the data controller and in accordance with the applicable regulatory and legal framework for the protection of personal data.
In addition, the Single-Member Private Capital Company (SMPC) “CONIFY SMPC” may disclose personal data in the context of data processing to: a) Supervisory and Regulatory Authorities (e.g. Labor Inspection, Insurance Funds, Manpower Employment Organization, etc.), b) lawyers, c) public/judicial authorities, and/or d) wherever required by law, when it is requested to disclose personal information under specific and defined conditions in response to lawful requests from the above for the fulfillment of legal requirements. It may also disclose personal information if required by law, as well as comply with a summons or other legal process, when it believes in good faith that disclosure is extremely necessary to protect its rights, the security of its clients, or the security of others, investigate fraud, or respond to a government request.
11. Retention of Personal Data
The processing of personal data concerning the customers of the company, who provide their personal information, will take place exclusively for the intended and lawful purpose for which they are collected, i.e. for the completion of the contractual relationship and for as long as it is required to perform the contract and exercise the mutual claims arising from it, as well as for the company’s compliance with legislative and regulatory requirements. Therefore, they will be kept in the company’s absolutely protected and secure file only for the time strictly necessary for this purpose and will be deleted thereafter. However, data will be kept beyond this period for purely statistical and fully anonymized purposes. Access to personal data is strictly limited to the company’s staff, in accordance with the above and for the above-mentioned purposes only. The above time limits do not apply in the case of judicial disputes, in which case the envisaged data retention period is extended until the issuance of an irrevocable judicial decision. The same thing happens with the users of the website, who want to benefit from our services and voluntarily submit information to us, to whom they may be asked to provide personal data in order for the company to operate and improve its operation and the services it provides.
12. Data Protection Impact Assessment
In case the Company, taking into account the nature, scope, context, and purposes of the processing, determines that it is likely to result in a high risk to the rights and freedoms of data subjects, it carries out an assessment of the impact of the planned processing operations on the protection of personal data, which includes all the elements set out in Article 35 of the GDPR. The aforementioned impact assessment is deemed necessary in cases of systematic and extensive evaluation of personal aspects, including automated processing, such as profiling, on which legal effects are based concerning customers or significantly affecting them. Impact assessment, according to the above, is carried out in every case of the use of new technologies or the adoption/performance of data processing operations that may entail high risks to the rights and freedoms of data subjects. If deemed necessary and primarily when the risk posed by processing actions changes, the Company carries out a reassessment in order to assess whether the processing of personal data is being carried out in accordance with the impact assessment regarding data protection.
13. Rights of natural persons, as subjects of personal data
Natural persons, as the subjects of processing of personal data and of any information that the Company has collected at any time and processes, have the following rights:
- The right to be informed and have access to the personal data that concern them and to receive information about them, including their origin, the purposes of their processing, the recipients or categories of recipients, and the period of their storage.
- The right to rectify inaccurate personal data and complete incomplete data that are kept. To assist the company in updating their personal data, we advise users-customers to inform the company in a timely and valid manner of any changes or deviations.
- Right to erasure of personal data, subject to the Company’s obligations and lawful rights to retain them for a required, limited, and specific period of time, under the current legislative and regulatory framework, as well as in cases where some of this data must be retained for tax reasons, such as if we have invoiced for a service, in which case their details must remain in our accounting program and in the files of the accounting office that serves us.
- Right to restriction of processing of personal data, if their accuracy is disputed, their processing is unlawful, or the purpose of processing no longer exists, and provided that there is no legitimate reason for retaining them.
- Right to data portability to another data controller, provided that the processing is based on the consent of the data subject and is carried out by automated means. The exercise of this right is subject to the reservation of the Company’s legal rights and obligations to retain and fulfill its legal duty to the public interest.
- Right to object to the processing of personal data concerning them for reasons related to their particular situation, in cases where the data is processed to fulfill a task carried out in the public interest or for the purposes of the legitimate interests pursued by the Company or a third party.
- Right to receive a copy, as natural persons, as subjects of personal data processing, have the right to request from the company a copy of the data we hold about them, in a commonly used structured format.
The above requests of the data subjects regarding their personal data and the exercise of their rights are submitted in writing to the email address http://conify.gr or to the registered office of the Company in Lavrio, Attica, specifically at the offices of the company located in the Technological Cultural Park of Lavrio, on Lavrio Avenue, which is the space that houses and operates the Single-Member Private Capital Company (SMPC) “CONIFY SMPC”.
In case one of the aforementioned rights is exercised, the Company will take all possible measures for its immediate satisfaction within thirty (30) calendar days from the receipt of the relevant request, informing in writing about its satisfaction or the reasons that prevent it. A request submitted by employees will be kept in the company’s archives for three (3) years, and a request submitted by customers will be kept in the company’s archives for five (5) years. In any case, the data subjects whose personal data are processed by the Company have the right to contact the Personal Data Protection Authority either in writing (Athens, Kifisias St., no. 1-3, postal code 11523), or electronically (www.dpa.gr), in order to submit a complaint in case of violation of their rights or in general violation of the legislation on personal data protection.
14. Security of Personal Data
14.1. Security of processing
The Company has taken appropriate technical and organizational measures to ensure confidentiality and the lawful retention, processing, protection and secure storage of personal data, guarding against any illegal or unlawful processing, accidental or unlawful destruction, loss, alteration, prohibited or unauthorized dissemination, disclosure or access, and against all other illegal forms of processing, as specifically provided for in current legislation. These measures are reviewed and updated whenever deemed necessary. Questions and information about the security of personal data can be addressed at any time to the company, as Personal Data Controller. The Company, therefore, implements appropriate technical and organizational measures, in order to ensure on a permanent basis the required level of security in relation to personal data. In this context, the Company, in particular:
1. has adopted and implements on a permanent basis Policy and procedures for maintaining confidentiality and ensuring the integrity, availability and reliability of processing systems and services;
2. regularly tests, assesses and evaluates the effectiveness of technical and organizational measures to ensure the security of processing, taking into account in particular risks arising from accidental or illegal destruction, loss, alteration, unauthorized disclosure of or access to personal data that are transmitted, stored or otherwise processed;
3. ensures that any natural person who acts under its supervision and has access to personal data, processes them only within the limits of the relevant mandate given to them by the Company and under the terms and conditions that the Company has expressly set.
14.2. Breach of personal data
Any violation of this Policy, as well as of the legislative and regulatory framework currently in force for personal data and their protection, and, in general, any breach of security that leads to accidental or illegal destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed constitutes a personal data breach. In the event of a personal data breach, the Company shall notify the Personal Data Protection Authority of the breach without delay and, if possible, within 72 hours of becoming aware of it, unless the breach is unlikely to cause risk to the rights and freedoms of data subjects. In addition, in the event of a data breach, the Company takes all necessary measures and actions to contain it, prevent it from spreading and immediately remedy it. Data breaches are noted, recorded and fully evaluated in terms of the causes that led to them, stating the facts connected to them, their consequences and the measures taken to remedy them. When the breach of personal data may put the rights and freedoms of the data subjects at high risk, the Company immediately announces the breach of personal data to them, as specifically defined in the GDPR.
15. Company Obligations
15.1. Privacy by design
The Company effectively implements, both at the time of determining the means of data processing and at the time of processing, appropriate technical and organizational measures designed to implement data protection principles, and ensures that these measures meet the requirements of the GDPR on a permanent basis and protect the rights of the subjects of personal data. In this context, during the collection, maintenance and processing of data, the following principles are applied, in accordance with those set out at the beginning of this Policy:
• Minimization of the data being processed, as the Company collects and processes only the personal data that is highly necessary for the purposes of the processing,
• Legality, objectivity and transparency,
• Accuracy and updating of the personal data being processed,
• Limiting access to personal data only to the persons who need it for the proper and lawful performance of the obligations/tasks assigned to them and only to the extent that access is necessary,
• Tests and checks on a permanent basis regarding the adequacy of personal data processing procedures and the organizational and technical measures applied,
• Adoption of simple, easy and effective procedures for the data subjects to exercise their data-related rights that they retain.
15.2. Privacy by default
The Company implements appropriate technical and organizational measures to ensure that by default only the personal data necessary for the purpose of the processing are processed. The above obligation covers all the personal data collected, the degree of their processing, the period of their retention and storage, and their accessibility. Extension of the processing is possible only after the prior specific, express and written (additional) consent of the customer, as defined above.
15.3. Activities archive
The Company, as the Controller, keeps a record of the processing activities for which it is responsible, which includes the following information: a) the name and contact details of the Company and its representatives, b) the purposes of the processing, c) description of the categories of data subjects and the categories of personal data, d) the categories of recipients to whom the personal data is to be disclosed or has been disclosed, e) where possible, the prescribed deadlines for deletion of the various categories of data, f) where possible, a general description of the technical and organizational security measures it has adopted and applies.
15.4. Personnel training