This Policy aims to ensure that VOUTSADAKIS SA (hereinafter "the Company") complies with the applicable legislation (EU General Regulation 2016/679 - GDPR), regulatory framework and best practices for the protection of individuals with regard to processing of personal data by or on behalf of the Company.

Its faithful application aims to:

  • Safeguard the reputation and prestige of the Company by taking all necessary due diligence measures to effectively protect the personal data it manages
  • Avoid the imposition of penalties, fines and prosecutions on the part of supervisory authorities that may result from the unintentional failure to comply with the legislative framework.
  • Protect the Company from unfounded complaints by subjects of data processing for which it acts as the data processing party
  • Compliance of the Company's personnel with the requirements of legal and regulatory frameworks and to review of the operation of all its Units with regard to Personal Data Management.

0. Scope of Application

This Policy applies to all private individuals whose data is processed by the Company, including but not limited to customers, prospective, current and former employees and their affiliates, partners, shareholders, affiliates and other stakeholders.

1. Basic Concepts - Definitions

3.1. Personal Data

All data regarding identified or identifiable individuals, including data that identifies an individual or could be used to identify, detect, monitor or communicate with him. This Personal Data may include, but is not limited to, direct or indirect identification information such as names, ID numbers, work addresses, home addresses, emails, telephone numbers, dates of birth, etc.

3.2. Processing authority

The private or legal entity, service or other body that determines the purpose and manner of processing personal data. For the purposes of the present policy, the processing authority is the Company.

3.3. Processing party

The individual or legal entity, public authority, agency or other entity that processes personal data on behalf of the processing authority.

3.4. Recipients

The individual or legal entity, service or other body to whom personal data is disclosed.

3.5. Processing

The execution of any process or series of processes on the data of individuals, with or without automated means, including but not limited to, collecting, recording, organizing, storing, accessing, adapting, converting, retrieving, consulting, evaluating, analyzing, reporting, distributing, disclosing, dispersing, transmitting, disposing of, aligning, combining, obstructing, deleting, erasing or destroying.

3.6. Sensitive personal data

Any type of data that contains an inherent risk of causing harm to individuals, including but not limited to data related to health, race, ethnic origin, religion, political or philosophical beliefs, criminal record, accurate geographic location information, banking or other financial accounts, government-issued registration numbers, minors, sexual preferences, labor union affiliations, security, social security and other employer or government benefits.

3.7. Third parties

Any organization not affiliated with the Company or a person not working in the Company

3.8. Data security breach

Any security breach that results in accidental or unlawful destruction, loss, tampering, unauthorized disclosure, or that allows unauthorized access to third-party personal data that has been transferred, stored or otherwise processed.

2. General Principles

The processing of personal data is carried out in accordance with the following principles:

4.1. Necessity Principle

The processing of Personal Data occurs after a specific and legitimate business purpose for which it is necessary has been defined and recorded.

4.2. Transparency

The methods used and purposes of data processing are always fully transparent. In order to fulfil this obligation, the Company takes all necessary measures to inform the subjects of the data it processes.

4.3. Legality

The processing of personal data is performed in a manner which is fair to the subjects of data processing and with the provision that it is always subject to one of the following legal prerequisites:

  • The subject of the data processing has provided consent
  • Processing is required to implement a contract
  • Processing is necessary to comply with a legal obligation of the Company as the processing authority
  • Processing is necessary to perform a task which is in the public interest
  • Processing is necessary for the purposes of legitimate interests of the Company.

4.4. Data Quality

Personal data that is maintained is accurate, complete, up-to-date and always in accordance with the usage that is desired and has been agreed upon by the subject.

4.5. Security

The Company, as the processing authority, undertakes all necessary measures and implements safeguards to protect personal and sensitive data processed from possible loss, unauthorized access, misuse, loss or destruction.

3. Information towards subjects of data processing

The Company undertakes all necessary measures to inform the subjects of data processing that their personal data is processed in accordance with applicable data protection laws (General Data Protection Regulation) and the Company's Privacy Policy, by any means available (electronic, via mail, via the Press). Specifically, these updates include information regarding:

  • The categories of personal data being processed
  • The purposes and methods of data processing
  • The recipients of personal data
  • Their rights arising from the General Data Protection Regulation as subjects of data processing

4. Management of Requests by Subjects of Data Processing

The Company is obligated to respond promptly (within 30 calendar days) to Data Subject (ESAs) requests for the data it processes. The following requests are indicative:

  • Requests for access
  • Requests for corrections
  • Opposition requests
  • Requests for deletion
  • Requests for portability

The answer to ESAs shall be given in a concise, transparent, comprehensible and easily accessible format, using clear and simple language, in written or other (including digital) media.

5. Data Breach Management

In the event of a data security breach, the Company shall undertake all necessary measures and shall comply with the procedures for:

  • identifying and categorizing the breach
  • the containment of damage
  • data recovery (where technically feasible)
  • damage assessment, by evaluating the potential adverse effects of the security breach on the subjects of data processing.

The Data Processing Manager is responsible for informing the ASCPS within 72 hours of discovery of a security breach if necessary.

6. Retention, Review and Destruction of Documents and Records

Documents and records containing the respective rights and obligations of both the Company and the Client, as provided for in the Service Contracts or under the terms under which the Company provides services to the Client, shall be maintained, at minimum, throughout the duration of the relationship with the Client. The formats of these documents and records are indicatively, but not exclusively, as follows:

  • Meeting books and calendars
  • Optical recordings
  • Contracts and Variations of Contracts
  • Digital files
  • E-mails
  • Handwritten notes
  • Invoices
  • Correspondence
  • Workflow files including user or client files
  • Audited subjects
  • Recorded telephone conversations

9.1. Document retention principles

Records are retained in a medium that allows the information to be stored in a way accessible for future review

9.2. Duration of Retention

Records and/or documents described above will be retained for the time period defined by applicable national and European law or customary practice.

9.3. Destruction of Documents and Files

Document destruction must be effective, permanent and carried out by appropriate means (e.g. recycling, shredding, incineration, etc.).

The Company follows a specific policy of destroying documents and records, ensuring in all cases that the following requirements are met:

  • Assessment of the nature and content of the document
  • That the duration of retention of documents is in accordance the Company's obligations under national and Community law or customary practice
  • Compliance with the obligations of the General Regulation of Personal Data
  • Retention of documents that serve as evidence before the Judicial Authorities
  • Indication of the date, method and approval of document destruction where appropriate
  • Compliance with the document / file destruction protocol.