1. Purpose & Objectives
APOPSI S.A. makes every effort to comply with the legislation related to the Protection of Personal Data in the sectors in which it operates. This Policy sets out the basic principles by which APOPSI S.A. processes the personal data of customers, employees, suppliers, partners and other persons. This Policy applies to APOPSI S.A. and its directly or indirectly controlled subsidiary companies based in Greece. All employees, with an indefinite or fixed-term relationship, as well as all subcontractors working on behalf of APOPSI S.A. are bound by this Policy.
2. Basic Definitions
The following are the basic definitions of the terms used in this document, as set out in Article 4 of the General Data Protection Regulation, in order for the data subject to familiarize himself with the terminology of the Regulation:
Personal Data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identification element such as a name, an identification number, to location data, an online identifier or one or more factors that characterize the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
Personal Data of special categories: Personal data which are by nature particularly sensitive in relation to fundamental rights and freedoms need special protection, as the context of their processing could create significant risks for fundamental rights and freedoms. This personal data includes personal data revealing the origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of unmistakable personal identification, health-related data or data concerning a natural person’s sex life or sexual orientation.
Responsible for processing: the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of processing personal data.
Person performing the processing: the natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller.
Processing: any act or series of acts carried out with or without the use of automated means, on personal data or sets of personal data, such as collection, registration, organization, structuring, storage, adaptation or alteration, retrieval , information retrieval, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction.
Principle: The Authority for the Protection of Personal Data
3. Basic principles concerning the Processing of Personal Data
APOPSI S.A. as data controller strictly adheres to the data protection principles defined in article 5 of the General Data Protection Regulation.
3.1. Legitimacy, Objectivity and Transparency
APOPSI S.A. processes personal data legally, objectively and transparently towards the data subjects.
3.2. Purpose Limitation
Personal data is collected only for specific, explicit and legitimate purposes and is not processed for any other purpose.
3.3. Data minimization
APOPSI S.A. maintains the accurate personal data of the subjects and ensures that their compliance is limited to what is necessary in relation to the processing purposes. At the same time, it applies the appropriate technical measures in order to achieve the above objectives.
The personal data maintained by APOPSI S.A. is accurate and up-to-date. Actions are taken to ensure that personal data that are inaccurate, in relation to the purposes for which they are processed, are deleted or corrected in a reasonable time.
3.5. Limitation of Storage Period
Personal data is kept for a time no longer than is necessary for the purposes for which APOPSI S.A. processes it.
3.6. Integrity and confidentiality
Taking into account the technological level and other available security measures, the cost of implementation, as well as the probability and severity of the risks to personal data, APOPSIS S.A. uses appropriate technical or organizational measures for the processing of Personal Data, in a way that guarantees the appropriate security of personal data and their protection against accidental destruction, loss, damage, unauthorized or illegal processing.
APOPSI S.A. bears the responsibility and is able to demonstrate compliance with the General Data Protection Regulation to the competent Personal Data Protection Authority.
4. Privacy Notice, Consent and Rights of Data Subjects
4.1. Notice to Data Subjects
Before collecting personal data or during its collection for any processing activity undertaken by APOPSI S.A., including but not limited to the sale of products, services or marketing activities, APOPSI S.A. is responsible for providing appropriate information to the data subjects and more specifically, information on the types of personal data collected, the purposes of the processing, the processing methods, the rights of the data subjects in relation to their personal data, the registration period, any international data transfers, if personal data is given in the context of cooperation to third parties, as well as the security measures of APOPSI S.A. for the protection of personal data. This information is provided through the Privacy Notice.
4.2. Consent – Free withdrawal thereof
When the collection of personal data has as a legal basis the consent of the data subject, APOPSI S.A. is responsible for ensuring that the data subjects provide their consent freely, with a positive action, expressly and in full knowledge of the content of the text in which they consent to. APOPSI S.A. provides the data subjects with the possibility to withdraw their consent at any time. Where personal data of children under 16 years of age is collected, APOPSI S.A. ensures that the Parent’s consent has been given before the collection. Personal data must be processed only for the purpose for which it was originally collected. In the event that APOPSIS S.A. wishes to process collected personal data for another purpose, it must seek the consent of the data subjects in an explicit and specific document. Any such request must contain the original purpose for which the data was collected, as well as the new or additional purpose(s).
APOPSI S.A. makes every effort so that the amount of personal data it collects is the minimum possible. If personal data is collected by a third party, APOPSIS S.A. ensures that this data is collected legally.
4.4. Relationship of APOPSI SA with Third Parties
In cases where APOPSI S.A. uses a third-party supplier or business partner whom it entrusts to process personal data on its behalf, it ensures that the processor will provide the appropriate security and protection measures for personal data in order to address possible associated risks. APOPSI S.A. makes every effort to ensure that its suppliers or commercial partners process personal data only to fulfill their contractual obligations towards APOPSI S.A., always in accordance with its instructions and for no other purpose.
4.5. Access Rights of Data Subjects
APOPSIS S.A. as the Processor is responsible for providing the data subjects with a mechanism to access their personal data, which will also allow them to review, correct, delete or transfer it.
4.6. Data Portability
Data Subjects have the right to receive, upon request, a copy of the data they have provided to APOPSI S.A. in a structured format and to transfer this data to another controller. APOPSI S.A. is responsible for ensuring that these requests are processed within one month, provided that these requests are not manifestly unfounded. When exercising the right to data portability, the data subject has the right to request the direct transmission of personal data from one controller to another, if this is technically possible.
4.7. Right to be Forgotten
Upon request, Data Subjects have the right to ask APOPSI S.A. to delete their personal data. APOPSI S.A. will immediately take the required actions (including technical actions) to satisfy the request and will ensure the same from any third parties that use or process personal data on its behalf.
4.8. Right to object
The Data Subject has the right to object at any time to the processing of personal data concerning him, including profiling.
4.9. Right to restriction of processing
Upon request, Data Subjects have the right to ask APOPSI S.A. to limit the processing of their data in accordance with Article 18 § 1 a-d of the General Data Protection Regulation (EU) 2016/679.
4.10. How to exercise all rights of Data Subjects and withdraw their consent
The Data Subject exercises his rights as well as the revocation of his consent by written application to the company APOPSI S.A.. The Data Subject may also freely withdraw his consent without affecting the legality of the processing based on it until its withdrawal. By sending a written request/letter or email to: [email protected].
The person responsible for processing the personal data of the subject is APOPSI S.A. with headquarters at Antipliarchou P. Vlachakou 38-40, 185 45.
Also, the subject may contact the Personal Data Protection Authority at the following details www. dpa.gr, email: [email protected], contact phone: 210 6475600, Address: Kifisias Avenue 1-3, P.C. 115 23, Athena
5. Response to Personal Data Breach Incidents
When APOPSIS S.A. is informed of a potential or actual personal data breach, it will immediately conduct an internal audit and take appropriate remedial measures in a reasonable time, in accordance with the Personal Data Breach Policy. When there is a risk to the rights and freedoms of the data subjects, APOPSI S.A. must notify the incident of violation to the Authority without delay and in any case, within 72 hours.
If you continue to have any questions or need any clarification regarding the processing of your personal data by APOPSI S.A. you can contact us and APOPSI S.A. will be happy to serve you immediately.
Data Protection Officer
You can contact the data protection officer of APOPSI S.A. for personal data processing issues concerning you by e-mail at the e-mail address: [email protected]