JOIN OUR NEWSLETTER
CODE OF CONDUCT FOR THE PROTECTION OF PERSONAL DATA IN THEIR PROCESSING WITHIN THE COMPANY A. SPYROPOULOS AND CO.
Introduction: The protection of the personal data of natural and / or legal persons, especially the management of personal data of customers, and employees of A. Spiropoulos & Co. is a primary concern of all of its companies.
In this context, A. Spiropoulos and SIA OE adopt a Code of Conduct for the Protection of the Rights of Individuals in the processing of their personal data in accordance with the applicable national and Community legislation.
The present Code of Conduct is a declaration of principles and values regarding the processing of personal data, it is complementary to the current legislation and is binding on all members of A. Spiropoulos and SIA OE, wherever they are active. Following is the Code of Ethics for the Protection of the Rights of the Individual in the processing of personal data within the company A. Spiropoulos and Co.
Article 1: Subject of the Code.
The purpose of this Code is to ensure a high and equable level of protection of the personal data of the subjects within the company A. Spiropoulos and SIA OE through the application of the national and Community provisions on the protection of personal data.
Article 2: Legal nature of the Code of Conduct - Linking the Code with national and Community legislation
2.1. This Code of Conduct sets out the general guidelines for the processing of personal data within A. Spiropoulos and Co. Ltd., is binding on all companies that are related or in any way related to A. Spiropoulos and Co. O. E and comes into force by posting it on the official site of the respective company by its administration and its signature and approval by the Board of Directors or in the case by the latter.
2.2. This Code is applicable in conjunction with the applicable national and Community legislation (2016/679 EU) for the collection, processing and use of the personal data of all individuals, in particular the personal data of customers and employees of A. Spiropoulos and Co. .
2.3. Its companies related to A. Spiropoulos and Co. Ltd. will process the personal data and will disclose it to the Public Authorities, when required, in accordance with the conditions laid down by the national law of the country governing the operation of each of the Group's companies, in particular the Greek authorities.
Article 3: Transparency of Data Processing
Natural or legal persons to whom personal data (hereinafter referred to as "data subjects" within the meaning of Article 28 herein) have access should have access to information concerning the processing of their personal data through appropriate means of information, in particular through the posting of this Code on the official site of the company.
Article 4: Subject of information and access of the subject
4.1. Data subjects have the right to know whether personal data concerning them are or have been processed.
4.2. The subject must be informed in an appropriate and clear manner and include the following:
4.2.1 The identity and contact details of the controller.
4.2.2 Personal data relating to the subject and their origin.
4.2.3 The purpose and intent of collecting, processing and / or using personal data. The information should include what data are recorded and / or processed, for what purpose and for what time.
4.2.4 The method of processing and in case of transmission to third parties, the recipient, the purpose and the degree of transmission.
4.2.5 The provisions of this Code to protect the rights of the subject.
4.3. The relevant information should be made available to the applicant in an understandable form and within a reasonable time. Generally, the relevant information will be given in writing.
4.4. Data subjects may request and receive from the Editor the information related to the processing of their personal data, and the person responsible must respond in writing in an understandable and uninterrupted manner, or within a reasonable time as defined by the relevant legislation.
4.5. Where this is permissible under national law, the company may charge an amount to provide the relevant information.
Article 5: Availability of the information
The update should be available to the subjects when the data is collected for the first time and thereafter whenever requested.
Article 6: Requirements for legal processing - Consent of the subject
6.1. The processing of personal data is only allowed when the subject gives his / her personal consent. For the purposes of this Article, consent must have the following characteristics:
6.1.1 The consent of the subject should be ensured at the latest at the beginning of the collection, processing or use of personal data.
6.1.2 Consent should be given expressly and voluntarily, in a form appropriate to the circumstances.
6.1.3 Consent should be given after informing the data subject about the purpose of the processing, recipients or categories of recipients of the personal data, as well as the identity of the controller or the processor.
6.2. The consent of the subject can be revoked at any time without retroactive effect.
6.3. Exceptionally, data may be processed without the consent of the subject when the processing is necessary for the performance of a contract to which the contracting party is a data subject or where there is a relevant legal provision of national or Community law permitting the processing of personal data without the prior consent of the subject.
Article 7: Personal data will not be used for purposes other than those for which they were originally collected.
Article 8: Use of personal data to promote products / services
8.1. The use of personal data of customers to promote products and / or services will be done in accordance with national and Community law.
8.2. Data subjects have the right to object to the responsible company for the use of their data for the purpose of marketing its products and services.
8.3. The companies of the Group are obliged to inform the subjects about their right and the manner and procedure for exercising this right, if so requested by the Subject.
Article 9: Specific Categories of Personal Data
The collection and processing of sensitive personal data is prohibited unless the subject has expressly consented to it or the processing is permitted without the consent of the subject under applicable national or Community legislation. In addition, sensitive personal data may be processed if such processing is necessary to meet the obligations of the responsible company arising from labor law, provided this is permitted by applicable national law.
Article 10: Principles of Data Quality
10.1. Group companies should take all reasonable steps to ensure that the personal data they process are accurate and, where necessary, updated (data quality).
10.2. The company and all related companies should also take all necessary measures to ensure that data inaccurate or incomplete are deleted or corrected.
10.3. Personal data should be appropriate, relevant to the subject and not excessive in relation to the specific purpose for which it is used (data economy). Data should be collected only for specified, explicit and legitimate purposes upon request and processed for compatibility for these purposes (measured data usage).
10.4. Personal data should be retained by the group companies in a form that allows identification of the subjects only during the period required to achieve the purposes of collection and further processing. At the end of this Term, the company will destroy or delete the identification data of the data subjects (anonymisation).
Anonymization should be done in such a way that the true identity of the subjects can not be revealed, or can only be revealed with disproportionate effort.
Article 11: Data File
The principles of data processing, in particular data economy and measured use, should be taken into account when creating data files. The creation of such records will be consistent with national law. A record will be kept in this case fully in line with the principles of Regulation (2016/679 EU).
Article 12: Transmission of data to third parties
The transfer of personal data to a third party is prohibited unless the data subject has explicitly given its consent or if the transfer is necessary for the performance of a contract between the subject and the responsible company or where national law permits the transmission of personal data.
Article 13: Responsibility
When personal data is transferred to a third party that is not a public authority, the company that originally had collected the personal data should work with the third party to ensure that personal data is legally processed.
Indicatively, the Processing Manager should ensure that the necessary data protection and security measures are provided or will be discussed and agreed with the addressee. Where agreements with organizations in countries without adequate data protection standards are concluded, satisfactory safeguards must be ensured with regard to the protection of the data of the individual and the exercise of the rights attaching thereto without reservation as to the prior authorization with the competent authority, the requirement of national legislation.
Article 14: Data Processing by Subcontractors
14.1. When a company uses the services of a contractor or processor, the relevant written agreement should include terms with regard to the lawful processing of personal data by the contractor. These terms will include the company's (the data controlling) instructions for the type and manner of data processing, the purpose of the processing, and the technical and organizational measures required to protect the data.
14.2 The subcontractor should not use the personal data communicated to him under his contractual relationship with the responsible company without his prior consent.
14.3.The privacy and the legal treatment of personal data should be taken into account when selecting subcontractors.
Article 15: Checks on the level of protection
Internal controls on the processing of personal data should be carried out regularly to review the effectiveness of the applicable data protection measures. Such audits will be conducted internally by the Data Security Officer, or by other organizational units of each company, which is responsible for internal control.
Article 16: Technical, Organizational and Employee-related Measures
16.1. At the beginning of their employment and then every year, the employees of the companies will sign relevant circulars of confidentiality and compliance with the company's procedures concerning the protection of the personal data of clients and employees.
16.2. The internal procedures of each company should include appropriate organizational and technical measures to ensure the legitimate processing of the subject's personal data. As a minimum, these procedures should ensure the following:
16.2.1. Prevent unauthorized persons from accessing data processing systems through which personal data are processed or used (Physical Access Control).
16.2.2. Ensure that data processing systems can not be used by unauthorized persons (Denial of Access control).
16.2.3. Ensure that persons authorized to use data-processing systems have access only to the data for which they have been authorized and that personal data can not, during or after processing or use, be read, copied, altered or shifted by unauthorized persons (data access control).
16.2.4. Ensure that personal data can not be read, copied, altered or shifted by an unauthorized person during electronic transmission or during the transfer or recording of data and that it is possible to examine and verify whether personal data has been transferred through data transmission equipment (data transmission control).
16.2.5. Ensure that it is possible to examine and verify retrospectively whether and by whom personal data were entered into the data processing systems and whether they were altered or shifted (data entry control).
16.2.6. Ensure that personal data processed by subcontractors are processed only in accordance with the employer's instructions (subcontractor control).
16.2.7. Ensure that personal data is protected against accidental destruction or loss (check availability).
Article 17: Rights of Subjects
Each subject has the right to ask questions regarding the application of this Code of Conduct to the responsible company and the rights referred to in Articles 4, 18 and 19 hereof.
Article 18: Right of objection / Right to delete data
18.1. The data subject may at any time object to the responsible company for the processing of his or her personal data.
18.2. The objections will be addressed to the Data Security Officer or the responsible company or the person specifically authorized and should contain a request for a specific action, such as correction, temporary non-utilization, commitment, non-transmission, deletion.
18.3. The right of objection is valid even if the subject provided in a previous case his / her consent to the use of his / her data
18.4. Legal requests for deletion of personal data will be met immediately. These claims are mainly legitimate if there is no longer a legitimate reason for processing such data. The periods of retention of personal data, set by the national law of each company, will be respected.
Article 19: Right of Correction
The data subject may at any time request in writing that his or her personal data be corrected by the responsible company to the extent that they are incomplete and / or incorrect.
Article 20: Right to clarification and comment
20.1. If a data subject claims that his rights have been infringed in the form of the unlawful processing of his data, and in particular in the event of a breach of the Code of Conduct, the competent companies will provide clarification of the case without undue delay and within the time limit set by the applicable law. In this case, they will cooperate closely and give each other mutual access to all the information necessary to ascertain the facts of the case.
20.2. The company's information security department, which is more directly related to the case, should coordinate communication with the subject.
Article 21: Exercise of Subjects' Rights
Subjects of personal data should not be discriminated against due to the fact that they have exercised the abovementioned rights.
Article 22: Data Processing Responsibility
22.1. Companies should ensure compliance with data protection legislation and the provisions of this Code of Conduct.
22.2. The Personal Data Protection Officer of each company should be informed, without undue delay, of any violation (including suspected breach) of the privacy laws and this Code of Conduct.
In case of incidents involving more than one company, the Person responsible for the Security of Personal Data should also be informed.
22.3. The Personal Data Security Officer of each company should be informed of any changes to the legal framework that is relevant to the protection of personal data.
22.4. The Company's Personal Data Security Officers should coordinate their actions within the policy of safeguarding the personal data of the Group.
Article 23: Coordination by the Privacy Officer
23.1. The person responsible for the Safety Data Company A. Spyropoulos and Co will coordinate the actions of those responsible for the security of personal data in cases of generalized cases of violation of the protection of personal data settings, which endanger purpose of this Code of Conduct.
23.2. It is the duty of the Privacy Officer to develop and develop the policy of A. Spiropoulos and Co. OE on issues of protection of personal data. In order to achieve this goal, Data Protection Officers should cooperate.
Article 24: Supervisory and consultation tasks
24.1. The person responsible for the Safety Data Company A. Spyropoulos and Co is responsible for recording the compliance with national and international law on the protection of personal data, and with this Code of Conduct.
24.2. Personal Data Protection Officers will examine on site all processing methods, including the use of personal data.
Article 25: Employee Training and Commitment
A. Spiropoulos and SIA OE provide appropriate training programs and procedures for the training of their employees with regard to the lawful processing of personal data and the implementation of this Code of Conduct.
Article 26: Cooperation with Supervisory Authorities
A. Spiropoulos and Co. Ltd. agrees to respond to requests and to comply with the instructions of the competent supervisory authorities responsible for overseeing the application of national legislation on the protection of personal data.
Article 27: Definitions
A. Spyropoulos and Co. OE:
The Company A. Spiropoulos and Co. SA and all the companies in which the above participates directly or indirectly in more than 50% or each company that it controls or its members are members of another company with more than 50%. Responsible or responsible Company: The company determines the purposes and means of processing the personal data of customers, employees, and members.
Data subject: The natural or legal persons to whom the data relate and whose identity is known or can be ascertained by the responsible company in which the subject is a customer or an employee or member.
Personal data: Any information addressed to the data subject. Personal data are not considered as personal data, but aggregated data from which the data subjects can no longer be identified.
Sensitive personal data: Every data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union or relating to health or sexual life, criminal charges or convictions, as well as participation in relevant the above-mentioned person compounds.
Processing of Personal Data or edit: Any operation or set of operations which is performed on personal data, such as collection, recording, organization, preservation, storage, modification, export, use, transmission, dissemination or otherwise making available, alignment or combination, interconnection, freezing , deletion, destruction.
Consent of the data subject: Any free, explicit and specific statement of intent, expressed in a clear and fully aware manner, by which the data subject, after being informed, accepts the processing of personal data they concern it. This information shall include, at least for the purposes of the processing, the data or categories of data concerned by the processing, recipients or categories of recipients of the personal data, as well as the name, address and address of the controller and any his representative. Consent can be revoked at any time, with no retroactive effect.
Addressee of the data: Any natural or legal person, public authority or service or any other organization to which the data is disclosed, whether or not a third party.
Third: Any natural or legal person, public authority or service, or any other organization, other than the data subject, the controller and the persons authorized to process personal data if they are acting under the authority of or under the control of of the Processing Manager.
Editor: Anyone who determines the purpose and manner of processing of personal data, such as a natural or legal person, a public authority or a service. Where the purpose and method of processing are determined by law or regulation of national or Community law, the controller or the specific criteria on the basis of which his choice is made shall be determined, respectively, by national or Community law.
Processing: Any person processing personal data on behalf of the controller, such as a natural or legal person, public authority or service, or any other organization.
Personal data file: any structured set of personal data that is accessible according to specific criteria.