1.Purpose & Objectives
APOPSI S.A. makes every effort to comply with the legislation relating to the Protection of Personal Data in the areas in which it operates. This Policy sets out the basic principles by which APOPSI S.A. processes the personal data of customers, employees, suppliers, partners and other individuals. This Policy applies to APOPSI S.A. and its directly or indirectly controlled subsidiaries based in Greece. All employees, whether permanent or temporary, as well as all subcontractors working on behalf of APOPSI S.A., are bound by this Policy.
2.Key Definitions
The following are the basic definitions of the terms used in this document, as set out in Article 4 of the General Data Protection Regulation, in order for the data subject to become familiar with the terminology of the Regulation:
Personal Data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms require specific protection, as the context of their processing could create significant risks to the fundamental rights and freedoms. Such personal data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.
Authority: The Personal Data Protection Authority
3.Basic principles relating to the processing of personal data
APOPSI S.A., as the data controller, strictly adheres to the data protection principles set out in Article 5 of the General Data Protection Regulation.
3.1. Lawfulness, Fairness and Transparency
APOPSI S.A. processes personal data lawfully, fairly and transparently in relation to the data subjects.
3.2. Purpose limitation
Personal data is collected only for specific, explicit and legitimate purposes and is not processed for any other purpose.
3.3. Data Minimization
APOPSI S.A. keeps accurate personal data of data subjects and ensures that its retention is limited to what is necessary in relation to the purposes of processing. At the same time, it implements appropriate technical measures to achieve the above objectives.
3.4. Accuracy
The personal data held by APOPSI S.A. is accurate and up to date. Measures are taken to ensure that personal data that are inaccurate, in relation to the purposes for which they are processed, are erased or rectified within a reasonable time.
3.5. Storage Period Limitation
Personal data is kept for no longer than is necessary for the purposes for which APOPSI S.A. processes it.
3.6. Integrity and Confidentiality
Taking into account the state of the art and other available security measures, the cost of implementation, and the likelihood and severity of risks to personal data, APOPSI S.A. uses appropriate technical or organizational measures for the processing of Personal Data in a manner that guarantees the appropriate security of personal data and their protection against accidental destruction, loss, damage, unauthorized or illegal processing.
3.7. Accountability
APOPSI S.A. is responsible for and is able to demonstrate compliance with the General Data Protection Regulation to the competent Personal Data Protection Authority.
4.Privacy Notice, Consent and Rights of Data Subjects
4.1. Notice to Data Subjects
Prior to the collection of personal data or during its collection for any processing activity undertaken by APOPSI S.A., including but not limited to the sale of products, services or marketing activities, APOPSI S.A. is responsible for providing appropriate information to data subjects, and more specifically, information on the types of personal data collected, the purposes of processing, the methods of processing, the rights of data subjects in relation to their personal data, the registration period, any international data transfers, whether personal data is disclosed to third parties in the context of cooperation, as well as APOPSI S.A.’s security measures for the protection of personal data. This information is provided through the Privacy Notice.
4.2. Consent – Free withdrawal
When the collection of personal data has as its legal basis the consent of the data subject, APOPSI S.A. is responsible for ensuring that data subjects give their consent freely, actively, explicitly and in full awareness of the content of the text to which they consent. APOPSI S.A. provides data subjects with the opportunity to withdraw their consent at any time. Where personal data of children under the age of 16 is collected, APOPSI S.A. ensures that parental consent has been obtained prior to collection. Personal data should only be processed for the purpose for which it was originally collected. If APOPSI S.A. wishes to process collected personal data for another purpose, it must seek the consent of the data subjects in an explicit and specific manner. Any such request must contain the original purpose for which the data was collected, as well as the new or additional purpose(s).
4.3. Collection
APOPSI S.A. makes every effort to ensure that the amount of personal data it collects is kept to a minimum. If personal data is collected from a third party, APOPSI S.A. ensures that such data is collected lawfully.
4.4. Relationship of APOPSI S.A. with Third Parties
In cases where APOPSI S.A. uses a third-party supplier or business partner to process personal data on its behalf, it ensures that the processor provides appropriate security and protection measures for personal data in order to address any potential risks. APOPSI S.A. makes every effort to ensure that its suppliers or commercial partners process personal data only for the purpose of fulfilling their contractual obligations to APOPSI S.A., always in accordance with its instructions and for no other purpose.
4.5. Access Rights of Data Subjects
APOPSI S.A., as the Data Controller, is responsible for providing data subjects with a mechanism for accessing their personal data, which will also allow them to review, correct, delete, or transfer it.
4.6. Data Portability
Data subjects have the right to receive, upon request, a copy of the data they have provided to APOPSI S.A. in a structured format and to transfer this data to another controller. APOPSI S.A. is responsible for ensuring that these requests are processed within one month, provided that such requests are not manifestly unfounded. When exercising the right to data portability, the data subject has the right to request the direct transfer of personal data from one controller to another, where technically feasible.
4.7. Right to be forgotten
Upon request, Data Subjects have the right to request APOPSI S.A. to delete their personal data. APOPSI S.A. will immediately take the necessary steps (including technical measures) to comply with the request and will ensure that any third parties using or processing personal data on its behalf do the same.
4.8. Right to object
The Data Subject has the right to object at any time to the processing of personal data concerning him/her, including profiling.
4.9. Right to restriction of processing
Upon request, Data Subjects have the right to request APOPSI S.A. to restrict the processing of their data in accordance with Article 18 § 1 a-d of the General Data Protection Regulation (EU) 2016/679.
4.10. How to exercise all the rights of Data Subjects and withdraw their consent
Data Subjects may exercise their rights and withdraw their consent by submitting a written request to APOPSI S.A. The Data Subject may also freely withdraw their consent without affecting the lawfulness of the processing based on it until its withdrawal. By sending a written request/letter or email to: [email protected].
The Data Controller of the data subject’s personal data is APOPSI S.A., with registered office at 38-40 Antiploiarchou P. Vlachakou, 185 45.
The data subject may also contact the Personal Data Protection Authority at the following details: www. dpa.gr, email: [email protected], contact telephone number: 210 6475600, Address: 1-3 Kifissias Avenue, Postal Code 115 23, Athens.
5.Response to Personal Data Breaches
When APOPSI S.A. is informed of a potential or actual personal data breach, it will immediately conduct an internal investigation and take appropriate remedial measures within a reasonable time, in accordance with the Personal Data Breach Policy. When there is a risk to the rights and freedoms of data subjects, APOPSI S.A. must notify the Authority of the breach without delay and in any case within 72 hours.
6.Contact
If you still have any questions or need any clarification regarding the processing of your personal data by APOPSI S.A., you can contact us and APOPSI S.A. will be happy to assist you immediately.
Data Protection Officer
You can contact the data protection officer of APOPSI S.A. for issues concerning the processing of your personal data by email at: [email protected]
