Data Protection policy

 PERSONAL DATA CONFIDENTIALITY AND SECURITY POLICY

This Personal Data Confidentiality and Security Policy is applied by the Société Anonyme under the name CITY CONTACT SMLLC (Hereinafter the “Company”)

I. Introduction, Content & Scope

 

Ι.1.             Introduction

The Company commits on the one hand to maintain confidentiality and the security of Personal Data (PD) collected in the course of its activities and, on the other hand, to comply with the applicable laws and regulations on the processing of PD, including Sensitive Data.

This policy aims to ensure that personal data is handled in accordance with:

  • National legislation
  • The General Regulation on the Protection of Personal Data and the generally applicable European legislation on the protection of natural persons as regards the processing of personal data and the free movement thereof

 

The Company, acting as data controller and/or as data processor, ensures that this policy will be updated and will be communicated by any appropriate means both to its employees, as well as to third parties doing business with it.

 

Ι.2.             Content

In the context of its activities, the Company processes personal data and vows to process them in accordance with the applicable laws and regulations on the protection of PD. For that purpose, the Company has adopted and implements various policies and procedures for the lawful processing of personal data, by ensuring PD confidentiality and the security, and for the protection of the rights of the Data Subject.

This policy summarizes all the procedures and principles governing the lawful processing of personal data in order to ensure compliance with the laws and regulations on the protection of personal Data within the Company.

The contents of this policy include the following:

  • The principles governing the protection of personal data, with which the Company is required to comply
  • The organizational and technical security measures that the Company should take
  • The policies for ensuring compliance with applicable law
  • Personal Data Transmission policy
  • Personal Data Retention Policy
  • Consent Policy
  • Policy for the protection of the Subject’s rights
  • Policy for dealing with a personal data breach
  • Appendices

 

 

Ι.3.             Scope

This policy is binding, it is implemented by all departments of the Company and its branches and relates to each activity in the context of which personal data are collected, stored and used.

According to the definition of personal data, as per below, the personal data may pertain to employees of the Company, natural persons connected in any way with the Company as associates, and to Company suppliers and customers.

 

II. Definitions & Principles governing personal data processing

 ΙΙ.1.           Definitions

Here are the definitions of all the terms appearing in capital letters in the policies and procedures followed by the Company.

1)   “Personal Data”: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is a person whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier, such as a name, an ID number, location data, an online ID or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person,

2)   “Processing”: any action or number of actions carried out with or without the use of automated means, involving personal data or personal data sets, such as collection, registration, organization, structure, storage, adaptation or change, retrieval, search for information, use, disclosure by transmission, dissemination or any other form of transmission, association or combination, restriction, deletion or destruction,

3)   “Restriction of Processing”: the labeling of stored personal data in order to limit its processing in the future,

4)   “Creating a Profile”: any form of automated processing of personal data consisting in the use of personal data for the assessment of certain personal aspects of a natural person, in particular for the analysis or prediction of aspects relating to performance at work, the economic situation, health, personal preferences, interests, reliability, behavior, position or the movements of that natural person,

5)   “Pseudonymization”: the processing of personal data in such a way that data can no longer be attributed to a particular data subject without the use of supplementary information, provided that such additional information is kept separate and is subject to technical and organizational measures to ensure that it cannot be attributed to an identified or identifiable natural person,

6)   “Archiving System”: any structured set of personal data accessible with the use of specific criteria, whether this set is centralized or decentralized or built on an operational or geographical basis,

7)   “Controller”: the natural or legal person, the public authority, the service or another body which, alone or in conjunction with others, determines the purposes and the manner that personal data are processed; where the purposes and manner of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for the appointment thereof may be specified in Union law or the law of a Member State,

8)   “Processor”: the natural or legal person, the public authority, the service or another entity processing personal data on behalf of the controller,

9)   Recipient”: the natural or legal person, the public authority, the service or other entity, to which personal data are disclosed, whether that is a third party or not. However, public authorities likely to receive personal data in the context of a specific investigation in accordance with Union law or the law of a Member State are not considered as recipients; the processing of such data by such public authorities shall be carried out in accordance with the applicable data protection rules depending on the purposes of the processing,

10)   “Third party”: any natural or a legal person, public authority, service or body other than the data subject, the controller, the processor and the persons who, under the direct supervision of the controller or the processor, are authorized to process personal data,

11)   Consent” of the data subject: any indication of will, free, specific, explicit and in full awareness, by which the data subject agrees by way of a statement or with affirmative action, that his/her personal data be processed,

12)   “Personal data breach”: the security breach that leads to accidental or illegal destruction, loss, change, unauthorized disclosure or access to personal data that has been transmitted, stored or otherwise processed,

13)   “Health data”: personal data related to physical or mental health of a natural person, including the provision of health care services, and which reveal information about the state of his health,

14) “Supervisory Authority”: an independent public authority set up in accordance with Article 51 of the Regulation,

15)   “Regulation”, “General Regulation”: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

 

ΙΙ.2.           Principles governing personal data processing

According to the General Data Protection Regulation, the Company as Controller, but also when acting as Processor, is required to apply data protection principles throughout the processing of the data.

 

  1. The personal data shall be processed legally, fairly and transparently as regards the Data Subject.
  2. The personal data shall be collected for specified, clear and lawful purposes.
  3. The personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.
  4. The personal data shall be accurate and, where necessary, updated.
  5. The personal data shall be kept in a form that permits the identification of the Data Subjects for no longer than necessary for the purposes for which the personal data are processed.
  6. The personal data shall be processed in a way so that their appropriate security is ensured.

 

III. Security measures

 

The security measures that the Company must take to ensure the correctness and lawful processing of personal data, fall into the following three main categories:

 

ΙΙΙ.1.          Organizational security measures

ΙΙΙ.1.Α.        Security Officer – Controller

The Company must appoint a Security Officer and a Data Protection Officer, who will be in charge of supervising and monitoring the implementation of the policies and safety measures adopted by the Company for the protection of PD.

The Data Protection Officer of the Company is responsible for PD confidentiality and security issues and plays a key role in preserving the Company’s compliance as regards data protection obligations.

This means, among other things, that the Data Protection Officer of the Company:

  • Is the only point of contact for issues related to the Data Subject, including the exercise of the rights of the Data Subjects.
  • Monitors compliance with the General Data Protection Regulation [advice on Data Protection Impact Assessment (DPIA), coordination with relevant groups on PD confidentiality and security].
  • Raises awareness among the staff involved in data processing and trains them.
  • Acts as a contact point for the Data Protection Authority.
  • Participates in discussions/meetings within the Company on issues related to the management/processing of personal data.
  • Meets regularly with each department of the Company, to discuss personal data security issues.
  • Makes the necessary notifications in case of personal data breaches.
  • Ensures the issuance of the personal data destruction certificate.
  • Handles the complaints filed by Data Subjects.
  • Refers directly to the Company’s Management.

 ΙΙΙ.1.C.        Management of information goods

ΙΙΙ.1.C.i. Management of physical and electronic record

Physical records containing personal data (sensitive or not) should be stored in cabinets or other key locks, which will be kept by the employee authorized, in accordance with the Organizational Chart, to have access to such records. A copy of the key will be kept by the Data Protection Officer. For security reasons, a copy of the physical file will also be kept in electronic form.

Electronic files containing personal data (sensitive or not) will be stored on the Company’s servers and appropriately authorized employees as per the Company’s Organizational Chart will have access to them. These records will be accessed with a username and password, which will be unique to each of the employees with access to the records.

III.1.C.ii. Classification of information

The data must be classified depending on its type (sensitive or not) and criticality. The management of physical and electronic files containing personal data shall be carried out as described above, regardless of their classification.

III.1.C.iii. Movement of information goods

Where equipment (such as a computer or a USB) with personal data is transferred outside the Company’s premises, this action must be recorded (date and time of exit, person using the equipment, return of the equipment) and be subject to the approval of either the legal representative of the Company or the Data Protection Officer and, if the latter is absent, to the approval of the Security Officer.

 

III.1.D.        Processors

III.1.D.i. Recording

The Company is required to keep a list of all processors who handle personal data on its behalf within or outside its premises.

III.1.D.ii. Written assignment

In the event that the Company assigns data processing to a processor, within the meaning of the relevant provisions of the Regulation, the assignment must be in writing and prescribe that the processor should carry out the processing only by order of the Company and that the other obligations detailed in Article 28 of the Regulation are undertaken by the processor.

Written assignments-contracts must contain a minimum description of the personal data,the purpose, location and mode/process of processing, the level of services that the processor must achieve (in terms of security and data quality), as well as the obligations of the processor, as referred to in Article 28 of the Regulation.

III.1.D.iii. Security measures mandatory for processors

The processor has to take the appropriate organizational and technical measures for the safe keeping and processing of the personal data, in accordance with this Company Policy. The Company must ensure that the processor complies with the policies adopted by the Company for the protection of personal data in so far as it concerns the processor.

Rights of access to the Company’s systems are granted to the processor’s staff only when it is necessary for the fulfillment of their contractual obligations. The minimum required authorizations should be granted, which in turn should be abolished upon expiry of the contractual obligation.

III.1.D.iv. Place of processing

The possibility to carry out the maintenance/upgrading of personal data equipment at the Company’s premises, where practical and appropriate, should always be considered.

When processing is carried out outside the Company’s facilities, the Company must ensure that the processor provides a level of security at least equivalent to that set forth in this Policy.

ΙΙΙ.1.Ε.        Destruction of data and storage media

Before destroying forms or electronic files containing personal data, appropriate steps should be taken to ensure the complete and permanent deletion of such data, so as to exclude further unlawful and unfair processing, such as any form of communication thereof to third parties. More specifically, at least the provisions of Directive 1/2005 of the Data Protection Authority on the safe destruction of personal data should be complied with after the expiry of the period required for satisfying the purpose of processing. Secure ways of destroying data involve any set of procedures and measures which, once implemented, the data subjects cannot be identified and the destruction caused is irreversible, i.e. it is not possible to recover the data after the destruction by technical or other means.

The Data Protection Officer is required to implement appropriate mechanisms to control the proper compliance with the Company’s destruction process. The inspection will be entrusted to Company employees authorized specifically for this purpose.

If the destruction of data is performed on behalf of the Company by a person not dependent on it (processor), the Company is required to make the related assignment only in writing. The awarding contract should specify the measures to be applied by the processor for the safe transfer of the data to the site of destruction, the site of destruction, any interim storage sites, the mode of destruction, as well as the maximum time allowed from the date of delivery of the data by the Company to the processor until their final destruction. Also, the awarding contract should specify any additional suggestions by the Company regarding technical and organizational destruction measures, as well as the exact details of any third parties (subcontractors) who are to perform, in part or in whole, the destruction of the data on behalf of the processor. Also, it must be ensured that the Company has the power to dispose and control the data until it they are permanently destroyed. Hence, the processor must keep separately any data to be destroyed which pertains to the Company, with which the processor signs a relevant contract. The processor must be able to apply the appropriate technical and organizational means for the safe destruction of the data, and to have planned a destruction and destruction control process similar to that of the Company. Natural persons - employees of the processor carrying out the destruction must be specifically bound by the confidentiality of the processing.

The Company may apply inter alia the following data destruction measures:

(a) shredding of documents by authorized Company employees, with the use of specialized in-house document shredders, (b) pulping/recycling of documents, (c) incineration of the data substrate material.

After the destruction of data, a Data Destruction Protocol should be drafted, containing at least the following information: (a) date of destruction of the data,(b) a description of the data destroyed, (c) method of destruction, (d) the name of the Company employee responsible for the destruction, (e) the person who carried out the destruction (if the destruction is assigned to a processor).

To safely destroy electronic data, it is not enough to simply delete them (e.g. with the “DELETE” command), as this deletes only the reference to the data, while the data itself may be recoverable with the use of specific software.

The indicated way of safely destroying the data stored in rewritable media (e.g. hard disks, floppy disks, rewritable DVDs and CDs) is to alter the data by replacing them with random characters (overwrite). This alteration may be achieved with the use of special programs (fileerasers, fileshredders, filepulveritizers). In the case of daily data destruction, an alternative mode of destruction is the formatting of the substrate material.

In the case of a planned destruction of all data, an alternative way of destruction (for data of paramount significance) is also the natural destruction of the substrate material itself (e.g. by crushing, pulverization, incineration, subject to specific provisions on special waste management / environmental protection).

The destruction of the data also includes the destruction of all the backup that the Company keeps, where practical and technically feasible.

A scheduled data destruction must be accompanied by a Data Destruction Protocol, as outlined above.

The Data Protection Officer must train the Company’s employees with regard to the procedure and methods of destroying personal data.

III.1.I.         Overview – Review – Efficiency Rating

This policy and the procedures it involves are subject to regular revisions to ensure that they are properly implemented and fully in line with the legislation in force. Indicatively, they may be amended in cases where significant changes occur in at least one of the following: (a) the organizational structure of the Company, (b) information systems, (c) safety requirements, (d) technological developments, (e) the nature and/or processing of personal data. The policy and the procedures provided herein may also be altered following an internal or external audit which finds inadequate and/or ineffective security measures, or following a security breach incident.

The Security Officer, together with the Data Protection Officer, is responsible for making the necessary updates/revisions to this policy and the procedures contained herein, which will enter into force following a written approval by the Company’s management.

The Company should conduct an annual assessment of the level of effectiveness to determine whether the policies and procedures applied ensure the appropriate level of protection required by the Regulation.

This effectiveness assessment will be coordinated by the Company, with the support of the heads of the Company’s departments and the Data Protection Officer.

 

 

What they say about us!!