GENERAL DATA PROTECTION REGULATION
Compliance with the requirements of the 2016/679 (EU) General Data Protection Regulation (hereinafter referred to as GDPR) and the 4624/2019 National Law is a priority for ‘DATA RESEARCH AND CONSULTING SA’ (hereinafter referred to as ‘Data Consultants’).
In General
Personal data is defined as any information relating to an identified or identifiable physical living person. This information includes the first name/surname, home address, identity card number, contact number, email, IP address or health information.
Some sensitive information, such as data concerning health, racial or ethnic origin, political views and sexual orientation, receives special protection and is handled with greater care, always in relation to the protection of the privacy of the data subjects.
This legal framework comes into effect whenever any data processing, such as the collection, use and storage of personal data, takes place either electronically or in hard copy through a structured archiving system.
Principles governing personal data processing
Data Consultants adheres to the basic principles governing personal data processing:
- Personal data as defined in Article 5 of the GDPR are subject to lawful and legitimate processing in a transparent manner in relation to the data subject (‘legality, objectivity and transparency’).
- In addition, personal data is collected for specified, explicit and legitimate purposes and does not undergo further processing irrelevant to those purposes. Further processing for the purposes of scientific or historic research or statistical purposes shall not be considered irrelevant to the original purposes, in accordance with Article 89(1) (‘limitation of purpose’).
- Personal Data collected by Data Consultants is always appropriate, relevant and limited to what is deemed as necessary for the purposes for which it is processed (‘data minimisation’). In addition, it is accurate and when necessary it gets updated. Data Consultants ensures that all reasonable steps are taken to promptly delete or correct personal data which is inaccurate in relation to the purposes of the processing (‘accuracy principle’).
- Additionally, the collected personal data is kept in a format that allows for the identification of data subjects only for the period required for the purposes of personal data processing. Personal data may be stored for longer periods, provided that it is processed only for archiving purposes in the public interest, for scientific or historic research purposes or for statistical purposes, in accordance with Article 89(1) and if applicable to the appropriate technical and organisational measures required by the GDPR to safeguard the data subject’s rights and freedoms (‘limitation of the storage period’). Data Consultants in particular is obliged to maintain a file with the personal data of researchers, telephone research respondents, external collaborators, institution employees and collaborating municipalities, employees of municipalities or citizens, event speakers/participants, research/competition participants, call centre employees, the beneficiaries of our associates for whom Data Consultants operates as the Processing Executioner, potential associates from abroad, employees of the company and prospective employees of the company, for as long as it is required in the performance of its duties, for the smooth execution of work, for proper execution of employment contracts with its employees, and for as long as it is necessary for the establishment, exercise or support of legal claims.
- Finally, personal data shall be processed in a manner that guarantees its appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or deterioration, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Personal Data that is collected
In most cases, Data Consultants is Data Processor of personal data of the subjects that it collects and processes. In more detail, in order to provide its services in the best possible way, it collects the following information:
- Telephone Survey respondents: First name/Surname, contact number, responses to political research, income, place of residence, level of education (article 6 par.1.a’ of the GDPR)
- External Partners: First name/Surname, address, email, VAT number, contact number, curriculum vitae, marital status, National Insurance number, invoice or project contract as proof of experience, degrees, individual insurance account certification, printing of business register data from GIS (article 6 par. 1.b’ & f’ of the GDPR)
- Personal data of participants in competitions of ideas (article 6 par. 1.a’ of the GDPR)
- Event speakers: First name/Surname, email, contact number, video recording/screenshot (article 6 par. 1.a’ & b’ of the GDPR)
- Beneficiary details for whom Data Consultants operates as the Data Controller according to the instructions and on behalf of our partners / Data Processor (article 6 par. 1.a’ & b’ of the GDPR)
- Appointment scheduling: First name/Surname, contact number, email, registration number, procedure. In this case, Data Consultants is the Executor of the Processing on behalf of the respective partner / Data Processor.
- Listed parties interested in telephone communication: First name/Surname, contact number, address, capacity (article 6 par. 1 par. a’ of the GDPR)
- Potential foreign partners: First name/Surname, contact number, email, address, name of employer (article 6 par. 1 par. a’ of the GDPR)
- Company employees: First name/Surname, contact number, email, address, marital status, National Insurance number, ID number, Insurance Registration Number, VAT number, total payroll costs, degrees, foreign language certificates, statements from the Hellenic Labour Inspectorate (SEPE), diplomas, foreign language certification articles, photos for website use (article 6 par. 1 par. a’ & b’ of the GDPR)
- Prospective employees of the company: First name/Surname, degrees, CVs, previous work experience, place of residence, contact number and email (article 6 par. 1 par. a’ & b’ of the GDPR)
- Newsletter recipient list: First name/Surname, contact number, email, body/company, sector/department (article 6 par. 1 par. a’ of the GDPR)
Personal Data Retention Period
Data Consultants retains your personal data for the provision of appropriate services for as long as it is necessary for the execution or implementation of the projects undertaken and the provision of appropriate services, a potential period of up to 20 years, according to the respective legislation. After this period, we delete your personal data, following secure and approved destruction procedures.
In exceptional cases, our Company maintains your personal data for a period of more than 20 years, only if this is deemed as necessary for serving its legal interests, such as to defend or establish its legal claims.
Technical and Organisational Protection Measures
Data Consultants implements appropriate technical and organisational measures in order to ensure and be able to demonstrate that processing is carried out in accordance with the National and European framework for data protection.
Given the costs and nature of implementation, the scope, context and purposes of processing, as well as the likelihood and severity of the risks to the rights and freedoms of individuals, Data Consultants has taken the following steps in order to ensure an appropriate level of risk protection, including:
- The pseudonymization and encryption of personal data,
- The ability to ensure the confidentiality, integrity, availability and reliability of the processing systems and services on a continuous basis,
- The ability to restore access availability to personal data in a timely manner in the case of a physical or technical event,
- The process of regular testing, evaluation and assessment of the effectiveness of technical and organisational measures ensuring the safety of processing.
During the assessment of the appropriate level of security by Data Consultants, particular attention is paid to risks arising from processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or submitted or which underwent any other way of processing.
In the event of a personal data breach (Article 33 of the GDPR), Data Consultants, as the DPO, will promptly notify, if possible within 72 hours of becoming aware of the breach, the responsible supervisory authority under Article 55, unless the personal data breach is likely to pose a threat to the rights and freedoms of individuals. When notice to the responsible Data Protection Authority is not given within 72 hours, it will be accompanied by a justification for the delay.
Subjects’ personal Data Recipients
Data Consultants discloses the personal data of the subjects it processes to three different categories of recipients:
- To third parties in collaboration
Data Consultants maintains external collaborations with third parties including: inspectors, Contracting Authorities (in case the Company organises seminars / events on behalf of the respective Contracting Authority), Hospital Managers, Transport Managers (as for the data processed), External Accountants, Contracting entities, Public Law Legal Entities, Legal Entities (Chambers, Municipalities, Regions, sectoral bodies) following our company’s legal obligation.
All the Data Consultants partners process personal data on its behalf, under strong contractual commitments and have been selected on the basis of the effective implementation of a high level of security measures regarding the protection of personal data.
- To third parties not in collaboration
Data Consultants discloses the personal data of the subjects it processes to third party recipients (with whom it does not collaborate) only in the following cases:
- In case the interest of the subject needs to be defended (i.e., that of Ministries, Organizations, Municipalities, Regions, Social Welfare Centres and in general of the Public Sector and its bodies)
- For reasons of safeguarding their vital interests
- If required by a specific legislative provision
- In case of a formal court or police decision, or a prosecutor's order after weighing the rights and legal goods protected by the Constitution and the law
- To third parties upon written request of the subject:
It is clarified that Data Consultants does not bear any responsibility for the above processing of your personal data by third parties, in case the notification is made at your request.
The rights of data subjects
Data Consultants recognizes the rights of the subjects regarding the protection of their personal data. Thus, data subjects retain the following rights:
- To be informed about the processing of personal data and to gain access to the personal data of their concern (‘right of access’)
- To request the correction of incorrect, inaccurate or incomplete personal data of their concern (‘right of correction’)
- To request the deletion of personal data when it is no longer necessary or if the processing is illegal (‘right of deletion’ or ‘right to be forgotten’).
- To object to the processing of personal data for reasons relating to their particular situation (‘right of objection’)
- To submit a request for the restriction of the personal data processing in specific cases (‘right to restrict the processing’)
- To receive personal data in a commonly used, machine-readable format and send it to another controller (‘data portability right’)
- To submit a request regarding the decisions which are based on automated processing and on personal data, to be made by individuals and not just computers,
- To file a complaint with the GDPR Authority, which is the responsible Supervising Authority in Greece
The right to the protection of personal data is not an absolute right and needs to be evaluated in relation to its operation in society and weighed against other fundamental rights, in accordance with the principle of proportionality. It is implemented across the EU regardless of the place where the data processing happens and the base of Data Consultants.
Data Consultants will respond to any requests of the subjects with regard to exercising the above rights within one month from receipt and, if further time is required, this deadline can be extended by two months as an exception.
In order to exercise any of the above rights, identification of the subject through an official legal document or via a legally signed authorisation with an original signature is required for Data Consultants to ensure the integrity and confidentiality of the data.
In case a data subject requires further clarifications or information regarding their above rights, Data Consultants, whose details are listed below, may be contacted.
Responsible Persons
We inform you that for any issue concerning the security of your data you can contact the Data Protection Officer appointed by Data Consultants by phone at: +30210 6819236, and by email at: dpo@dataconsultants.gr
You have the right to appeal to the Personal Data Protection Authority for issues relating to the processing of your personal data. For the responsibility of the Authority and the way of making a complaint you can visit their website at www.dpa.gr / My rights / Submitting a complaint to find detailed information. However, we would be very happy if you could give us the opportunity to resolve any of your complaints as soon as possible before filing a complaint with the Personal Data Protection Authority.
The above terms as well as any amendments thereto are governed by and complemented by the Greek Law, the European Union Law and relevant international treaties. If any provisions of the above terms become contrary to the Law they will automatically cease to be valid and get removed without affecting the validity of the other terms in any way.