PROTECTION POLICY OF PERSONAL DATA

(PRIVACY POLICY)

1. Object of the personal data protection policy

Elisabeth Psarra's company, based in Eleftheria – Kordelio, Thessaloniki, at 59 A. Papandreou Street, guarantees respect for the privacy of the individuals who transact with it, as well as the protection of their personal data, whether kept in digital or printed form, inside or outside its premises. For this reason, within the current national and Union legal framework governing the protection of personal data, in particular the European Union General Data Protection Regulation 2016/679 EU (hereinafter "the Regulation") and Law 4624/2019, the company communicates this lawful, fair and transparent personal data protection policy, in order to provide individuals ("data subjects") with sufficient information about the personal data which it collects and processes while providing its services to the public.

This privacy policy applies to all installations and/or digital environments and applications that are developed and supported by the company and/or belong to the company and are related to its activity (indicatively: https://optikapsarraelsa.gr/).

The complete details of the company are:

Psarra Elissavet based in Eleftheria – Kordelio, Thessaloniki, at A. Papandreou Street no. 59

Email: elsa.opto@yahoo.gr

Contact telephone: 2310770216

The object of this Policy is to define the basic principles and rules according to which the company collects, stores and generally processes personal data, as defined by national and EU legislation for the protection of personal data and in particular the Regulation.

2. Definitions

For the purposes of the present, the following concepts are understood as follows:

Personal Data: Any information relating to an identified or identifiable natural person ("data subject"), in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
Processing: Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Anonymisation: The processing of personal data in such a way that the data can no longer be attributed to a specific data subject.
Pseudonymisation: The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that it cannot be attributed to an identified or identifiable natural person.
Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for its nomination may be provided for by Union law or the law of a Member State.
Processor: The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Consent of the data subject: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Current legislation: The provisions of the current Greek, Union or other legislation to which the company is subject and which, directly or indirectly, govern the protection of personal data, such as: Law 4624/2019 on the protection of natural persons with regard to the processing of personal data; Law 3471/2006 on the protection of personal data and privacy in the electronic communications sector and amendment of Law 2472/1997, as in force; Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended; and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).

3. General Principles of Personal Data Processing

When performing any data processing, the company takes care to comply with the general principles established by the Regulation on the lawful processing of Data:

(i) Lawfulness, fairness and transparency: The company ensures that data is collected and processed lawfully, fairly and in a transparent manner in relation to the data subject, and that the consent of the subject, where required, is always freely given.

(ii) Purpose limitation: The company ensures that data is collected for specified, explicit and legitimate purposes and is not further processed in a manner incompatible with those purposes (StE 1616/2012).

(iii) Data minimization: The company collects only personal data that is appropriate, relevant and limited to what is strictly necessary for the purposes for which it is processed and does not collect any more data.

(iv) Accuracy: The company makes the necessary efforts so that the personal data it maintains and processes is always accurate and up to date. In any case, the subject can request at any time correction of his data by the company.

(v) Storage limitation: The company does not keep the personal data it collects for longer than is required by the purposes for which it was collected and processed. Specifically, depending on the processing, the data is deleted after a predetermined period. The company has recorded these periods in its Activity File, and they are always in accordance with the applicable Union and national law and the guidance of the European data protection authorities. However, data may be kept for a longer period if its processing is necessary:

  1. for compliance with a legal obligation which requires the processing under a provision of law. Retention periods in this case are predetermined by the company.
  2. for the performance of a task carried out in the public interest. Retention periods in this case are predetermined by the company.
  3. for reasons of public interest. Retention periods in this case are predetermined by the company.
  4. for the establishment, exercise or defence of legal claims. In the event of a dispute with the data subject, the company retains the data until the end of the enforcement procedure or, otherwise, until the expiry of the relevant limitation period, and in any case until an irrevocable court decision is issued.

(vi) Integrity and confidentiality: The company ensures that personal data is processed in a manner that guarantees appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. These measures are briefly described below in Chapter 19, "Technical and Organizational Data Protection Measures Taken".

4. Purposes and Legal Basis of Processing

The company, in the context of its operation, collects and processes personal data for the following purposes with the respective legal processing bases:

1. Purpose: Execution of the company's contractual obligations towards customers, suppliers and third parties.
   Legal basis: Compliance with a legal obligation [art. 6(1)(c) GDPR] and/or performance of a contract [art. 6(1)(b) GDPR], where one exists.
2. Purpose: Fulfilment of the company's legal obligations towards the State (e.g. payment of taxes and contributions, provision of explanations regarding the company's legal obligations).
   Legal basis: Compliance with a legal obligation [art. 6(1)(c) GDPR] and/or performance of a task carried out in the public interest [art. 6(1)(e) GDPR].
3. Purpose: Execution of legal and contractual obligations towards the company's existing staff (e.g. payment of salaries, insurance contributions, etc.).
   Legal basis: Compliance with a legal obligation [art. 6(1)(c) GDPR] and/or performance of a contract [art. 6(1)(b) GDPR], where one exists, and/or performance of a task carried out in the public interest [art. 6(1)(e) GDPR].
4. Purpose: Judicial pursuit of claims.
   Legal basis: Legitimate interests of the company [art. 6(1)(f) GDPR].
6. Purpose: Collection and processing of video data via closed-circuit cameras (CCTV), for security reasons.
   Legal basis: Legitimate interests of the company [art. 6(1)(f) GDPR].

For any other form of processing, the company seeks the specific and explicit consent of the subjects prior to the start of processing, if required.

5. Categories of Personal Data collected

In the context of the above activities and its normal operation, the company may collect personal data of individuals or professionals who use its services and products, of its employees and of its partners in general, as well as of other natural persons with whom it transacts in the course of its activities.

Depending on the form and purpose of processing per segment, the company may collect and process personal data, such as the following:

CLIENTS: Identity and demographic data (e.g. name, etc.), contact details (e.g. telephone, e-mail, etc.), medical data (e.g. ophthalmologist prescriptions, etc.), image data (e.g. face shots from the CCTV system).
VISITORS: Image data (e.g. face shots from the CCTV system).
SUPPLIERS: Identification data (e.g. name, patronymic, etc.), contact details (e.g. postal address, telephone, e-mail, fax, etc.), financial data (e.g. bank accounts, tax identification number, etc.), image data (e.g. footage from the CCTV system).
EMPLOYEES: Identification and demographic data (e.g. name, patronymic, etc.), contact details (e.g. postal address, telephone, e-mail, fax, etc.), financial data (e.g. bank accounts, tax identification number, salary, etc.), image data (e.g. photographs or footage of the person from the CCTV system), family status.

In exceptional cases, this data may not belong to persons transacting directly with the company but to third parties (e.g. members of an employee's family who are covered by the compulsory insurance of the parent's fund as dependants).

Image data: The company may collect, store and process image data through video surveillance systems (CCTV), where they are applied, for the purpose of protecting the security of its facilities, complying with the specifications and deadlines provided by national and EU legislation for audio and video data storage.

The company can collect personal data both in paper form and in electronic form through internet / digital platforms and applications (eg via e-mail).

6.  Retention Time of Personal Data

The company stores and processes data for predetermined periods. The data is then deleted either through an automated deletion process or by the employee of each company department who is responsible for its deletion.

The company retains the data it collects for five years from its collection or, in the case of a contract, from the expiry of the contract. The following cases are excepted:

  1. Data collected via the CCTV system is deleted within 15 days of recording.
  2. Data concerning the employment contracts of employees is kept for 20 years from the expiry of the contract.
  3. Tax data and data kept for compliance with the relevant legislation is kept for 20 years from its issuance.
  4. Any data used in a legal dispute of the company is kept until the end of the pending trial and of the enforcement procedure, where legal action is taken by or against the company, and otherwise for a period equal to the limitation period of the company's claim.

7. Special Categories of Personal Data

The company may collect and process data belonging to the special categories of personal data ("sensitive data"), such as health data, in order to meet its legal obligations as controller (e.g. as an employer). Where such processing requires consent, the company takes care to obtain the freely given consent of the subject.

8. Data of minors

In principle, it is not the company's policy to seek or obtain information from minors (i.e. persons under 18 years of age), either directly or indirectly through third parties, except where insurance and health data is necessary for its employees, as parents, to obtain their legal benefits (e.g. parental leave, allowances and other benefits).

However, as it is not always possible to verify the age of people visiting or using the company's websites and online applications, parents and guardians of minors are advised to contact the company immediately if they discover any unauthorised disclosure of data by minors for whom they are responsible, in order to exercise the corresponding rights granted to them, where this is possible and permitted by law.

9. Internet Technologies

The company collects only the information necessary for the fulfilment of the processing purposes and for general traffic to its website, such as the Internet Protocol address (IP address) and the type of browser used by the visitor, and uses cookies, invisible pixels and web beacons to obtain information about visitors' browsing. Further information is set out in the company's Cookies Policy.

When handling requests submitted through our electronic forms, the personal data requested is limited to what is strictly necessary for the management and servicing of the contractual relationship with the company.


10. Disclaimer for Third Party Websites

The company's website may contain, now or in the future, links that redirect the user to third-party websites. The company does not control these third-party websites and is not responsible for the content posted on them or for any further links that appear on them. The company is not responsible for the privacy practices of third parties or for the content of third-party websites.

11. Data Transmission / Access

The company may transmit data to third parties (legal or natural persons) and/or allow them access to it, where they act as processors and/or sub-processors, in order to support its operation (e.g. specialised technical assistance and support for the development of applications, processing of CCTV data by a security company, etc.) and to serve its purposes.

The company may also transmit the above data to third parties and/or allow third parties restricted access to it where this is provided for by existing legislation, in accordance with the safeguards laid down therein. In such cases, it must adequately inform the data subjects before such a transfer, where required, providing at least the statutory minimum information, namely the identity of the controller, the purpose of the data collection, the identity of the recipient and the rights of the subject.

The company does not transmit data outside the European Union (EU) or the European Economic Area (EEA). In the event of a transfer to a country outside the European Union (EU) or the European Economic Area (EEA), the undertaking must check whether:

The Commission has issued an adequacy decision for the third country to which the transfer will take place.

The appropriate guarantees are observed in accordance with the Regulation for the transmission of this data.

If the above conditions are not met, transfer to a third country outside the EU or EEA is prohibited and the company may not transfer personal data to it, unless one of the specific derogations provided for in the Regulation applies (e.g. the explicit consent of the subject after being informed of the risks involved in the transfer; the transfer is necessary for the performance of a contract at the request of the subject; there are reasons of public interest; or the transfer is necessary for the defence of legal claims or for the vital interests of the subjects, and so on).

12. Data Retention Period

The personal data collected by the company is kept for a predetermined and limited period, depending on the purpose of the processing, after which it is deleted from the company's files, unless otherwise provided for or permitted by applicable law. The predetermined retention periods for each category of data are recorded in the company's Activity File (record of processing activities), which the company is legally obliged to keep, and are available to the competent data protection supervisory authority in the event of an inspection.

13. Personal Data Subject Rights

The company ensures and takes appropriate measures so that data subjects can exercise the rights recognised to them by national and EU law regarding the collection and processing of personal data concerning them, namely the rights of access, rectification, erasure, restriction of processing, data portability and objection (Articles 15 to 21 of the Regulation).

In this context, the company must inform data subjects of the above rights and facilitate their exercise. In particular, it must inform them of the procedure to be followed in order to exercise them, i.e. the information they must include in their request, the person to whom it should be addressed, the deadline within which they will be informed of the outcome of their request, and the possibility of lodging a complaint with the supervisory authority (Hellenic Data Protection Authority, HDPA).

The company may refuse to comply, in whole or in part, with a request received from a data subject only where the Regulation or national law provides for this possibility. The company provides the data subject with information on the action taken on the request within one (1) month of receipt of the request and verification of the subject's identity. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. In that case, the company is obliged, within one month of receipt of the request, to inform the data subject of the extension and of the reasons for the delay. Within the same period, it also informs the data subject of any refusal to satisfy the request, in whole or in part, and of the reasons for the refusal.

If the data subject submits the request by electronic means, the information shall be provided, if possible, by electronic means, unless the data subject requests otherwise.

If a data subject's request is manifestly unfounded or excessive, in particular because of its repetitive character, the company may either charge a reasonable fee or refuse to act on the request.

In the event that the COMPANY processes personal data on a case-by-case basis in the future as the processor, then it will immediately forward the relevant requests to the controller, who is responsible for their examination and satisfaction.


14. Data Protection Officer (DPO) – Legal Advisor

The company is not obliged to appoint a Data Protection Officer (hereinafter DPO). Communication on personal data matters is made directly with the company, as controller, at the contact details given at the beginning of this Policy.

The company has outsourced the task of compliance and guidance on the implementation of the Regulation to a legal advisor under a relevant service contract, having ensured that the advisor has proven experience and knowledge in matters of personal data protection, in particular with regard to the applicable law, organisational and technical issues, and good practices consistent with the protection of such data.

In any case, the legal advisor acts as an independent advisory body and may also perform other duties, provided these do not create a conflict of interests or responsibilities. Such a conflict arises, in particular, where the other duties oblige him or her to determine the means and purposes of one or more processing operations. In particular, the legal advisor:

(a) Informs and advises the management of the company as well as the employees who process personal data about their obligations arising from the legislation on personal data protection.

(b) Monitors the company's compliance with personal data protection legislation and with any company policy relating directly or indirectly to the protection of personal data, including the assignment of responsibilities, the awareness and training of employees involved in processing operations, and the related audits. To this end, he or she does at least the following:

1) Has compiled a record of processing activities (Activity File) covering all processing of personal data which the company performs or in which it is involved in any way, as well as a record of personal data breaches (Register of Breaches).

2) Carries out periodic audits of the company's activities, at the request of the company's management and especially where the above records are modified, in order to determine whether and to what extent the above legislation and policies are being complied with.

3) Proposes solutions, procedures and good practices that contribute to maintaining a high level of compliance of the company with the above legislation and policies.

4) Provides advice on the need to carry out a data protection impact assessment (DPIA) and on its preparation, and carries out its implementation.

5) Maintains communication with the heads of the company’s departments for any issue related to the protection of personal data.

6) Assists the company in matters of information and training of employees, but also of its associates, regarding issues of personal data, existing legislation, compliance requirements, good practices and so on.

7) Evaluates the risks to the company and to the rights and interests of data subjects arising from the various forms of personal data processing the company carries out.

In the performance of his duties, the legal advisor is obliged to act conscientiously and professionally, to comply with the laws and regulations and the policies of the company and in particular the obligation of confidentiality to the company.

15. Right of Appeal to the Authority for the Protection of Personal Data

Data subjects have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) on matters relating to the processing of their personal data. Detailed information on the Authority's competence and on how to submit a complaint is provided on the HDPA website (http://www.dpa.gr > My rights > Submitting a complaint).

16. Data Protection Impact Assessment (DPIA)

Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the company shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data ("impact assessment"). An impact assessment is a process designed to describe the processing, assess its necessity and proportionality, and help manage the risks by evaluating them and determining the measures to address them. It is not required for every form of processing, but only where a form of processing is considered high risk. The impact assessment takes into account the nature, scope, context and purposes of the processing in order to assess both the likelihood of a risk occurring and its severity for the rights and freedoms of the subjects. The template used for the impact assessment report is the one proposed by the French supervisory authority (CNIL), which is widely used.

The company may decide to carry out an impact assessment for a processing operation even where this is not mandatory under existing legislation. In addition, it is not required to compile a separate impact assessment for each form of processing, but may address in a single impact assessment a set of similar processing operations that present similar high risks.

The Regulation sets out the framework within which an impact assessment is required. In particular, it is required in all cases where the processing "is likely to result in a high risk to the rights and freedoms of natural persons". Under Article 35(3) of the Regulation, these include, in particular: (a) a systematic and extensive evaluation of personal aspects of natural persons based on automated processing, including profiling, on which decisions producing legal or similarly significant effects are based; (b) large-scale processing of special categories of data or of data relating to criminal convictions and offences; and (c) systematic monitoring of a publicly accessible area on a large scale.

The final responsibility for deciding whether or not to conduct an impact assessment rests with the company; however, the legal advisor provides advice and guidance on the following issues:

  1. The need or expediency of conducting such an assessment.
  2. The best methodology for conducting this assessment.
  3. The technical and organisational measures, as well as any other safeguards, which the company must put in place in order to minimise the risks to the rights and interests of the data subjects.
  4. Evaluation of an assessment already carried out on data protection and its conclusions, in particular as regards the company ‘s compliance with the requirements of existing legislation.

When conducting the impact assessment, the company must determine the procedures and methodologies that best meet its requirements. In accordance with Article 35(7) of the Regulation, the impact assessment must contain at least: (a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the company; (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; (c) an assessment of the risks to the rights and freedoms of data subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation.

When assessing the impact of a processing operation, compliance with an existing code of conduct, any certifications, and binding company rules should be considered, as they may be evidence that the company has selected and taken the appropriate compliance measures.

The impact assessment is carried out by the company, with the participation of the relevant stakeholders within the organisation, and revolves around four axes:

  1. Definition of the context of the personal data processing.
  2. Identification of existing and planned controls.
  3. Assessment of the risks to the rights and freedoms of the subjects.
  4. Decision on compliance with the protection principles, and review.

Where, after conducting the impact assessment, the company finds that the measures for mitigating, avoiding or transferring the risk are not sufficient to reduce the risks to an acceptable level, it must consult the HDPA.

In more detail, whenever it designs a form of processing that involves a high risk, the company follows these steps:

(a) Selects an impact assessment methodology that meets the requirements of the law; specifically, the methodology proposed by the French data protection authority, CNIL.

(b) Submits the impact assessment report to the competent supervisory authority, where required by national law (at present this is not required).

(c) Seeks the opinion of the supervisory authority where adequate measures to mitigate the high risk are not in place (i.e. where the residual risk remains too high).

(d) Regularly review the impact assessment and the processing involved, at least when the risk of the processing operation changes. It also reviews the impact assessment if the way and process of processing changes.

(e) Is able to document the decisions taken.

17. Breach of Personal Data

A "breach of personal data" is defined by the Regulation as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data collected, stored or otherwise processed by the company.

The company applies a specific procedure for handling incidents of breach of personal data security.

A breach of personal data can occur in many circumstances. For an incident to be characterised as a breach of personal data, it does not matter whether it resulted from deceit, negligence, an act, an omission, or an accidental or unforeseen event.

Where the company, or any employee or associate, becomes aware of or suspects that a breach of personal data may have occurred, the head of the department in which the breach took place shall be informed without delay, and he or she shall in turn contact the controller. The incident is also recorded, with all its identifying details, in the Register of Breaches kept by the company.

The company then evaluates the report, carrying out further investigation, in particular as to whether notification of the incident to the competent data protection authority (HDPA) and/or communication to the data subjects is mandatory, and proposes the actions to be taken.

In accordance with Article 33(3) of the Regulation, the notification to the supervisory authority includes at least: (a) a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned; (b) the name and contact details of the person from whom more information can be obtained; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

In any case, where notification to the competent data protection authority is mandatory, the company makes it within 72 hours of becoming aware of the breach, as required by the law and the Regulation. Where the notification is made after 72 hours, it is accompanied by the reasons for the delay.

If the breach of personal data is likely to result in a high risk to the rights and freedoms of natural persons (indicatively, where it involves sensitive data, or ordinary data whose leak can cause serious harm, e.g. a leak of the subject's tax identification number or financial data), the company must communicate the breach without undue delay not only to the supervisory authority but also to the data subject.

Where the company processes data as a processor, it notifies the controller without undue delay and does not itself make any notification.

The company takes all possible measures to be informed in a timely manner of any breaches affecting data for which it is the controller but which is processed by a third-party processor. A summary of each personal data breach incident, including the facts and evidence substantiating the breach, its consequences and the actions taken by the company, is recorded in the Register of Breaches kept by the company.

18. Personnel training

The company ensures that staff involved in the collection and processing of personal data are adequately informed and trained, taking into account the advice and suggestions of the legal advisor and the available methods of training and information in order to select the most appropriate one for each occasion. To this end, it undertakes:

  1. To define the objectives of the training and awareness of its staff.
  2. To identify the appropriate target audience among its employees.
  3. To prepare informative material for training in personal data law, both for department heads and for employees. The action plan is set out for each working group, in line with the tasks of the action, so that staff remain informed and aware.
  4. To provide its employees with forms containing technical instructions.
  5. To regularly evaluate and update the training campaign.

19. Technical and Organizational Data Protection Measures Taken

The company has taken the following security measures to protect the data it processes:

1. Measures for the security of the information system and of the data held in it.

2. Continuous training and awareness of staff on personal data protection issues, by organising information days and seminars and by issuing advisory forms with instructions from the heads of departments, in consultation with the legal advisor.

3. Keeping all the necessary documents (Activity File, Registry of Violations, etc.) related to data protection.

4. Carrying out impact assessments for any high-risk processing, in order to ensure the security of the data, in particular for the processing of data through the CCTV system.

5. The physical file now has restricted access and is kept under lock and key.

The company reserves the right to modify the security measures taken at its discretion, always with the aim of ensuring the maximum possible security in the processing of data.

20. Update of the Personal Data Protection Policy

The company may modify this Personal Data Protection Policy from time to time for reasons of compliance with regulatory changes or in order to meet the needs of its operation and its legal obligations. Updates of this Personal Data Protection Policy will be posted on the company website (www.optikapsarraelsa.gr) with a date indication, so that it is known which is the most recent update.

Date of last update 22-10-2021