Privacy Policy
Application Declaration
The implementation of the General Data Protection Regulation (G.D.P.R.) is a priority for "ECOPAPER PRINTING S.A.".
Data Controller:
- Name: ECOPAPER PRINTING S.A.
- V.A.T. Νumber: 099870370
- Address: THESI EVGENIOU VOULGAREOS 18, ATHINAION / ATTICA, 11636
- Contact number: +30 210- 9424085
- Εmail: info@ecopaper.gr
"ECOPAPER PRINTING S.A." accepts personal data: Any information relating to an identified or identifiable natural person alive. For example, this information includes name, home address, I.D. number, Internet Protocol (I.P.) code, information about their health and insurance capacity, employment status, and more.
Special categories data, such as health, racial or ethnic origin, trade union activity, etc., receive special protection.
The rules apply when collecting, using, and storing personal data digitally or in hard copy through a structured filing system.
This policy is in line with the E.U. General Data Protection Regulation. (GDPR), and opinions/decisions issued by the Hellenic Data Protection Authority.
Definitions
- ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- ‘Processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- ‘Restriction of processing’ means the marking of stored personal data to limit their processing in the future.
- ‘Filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised, or dispersed on a functional or geographical basis,
- ‘Controller’ means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- ‘Processor’ means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
- ‘Recipient’ means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry by Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing.
- ‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
- ‘Consent’ of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- ‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- 'Special categories data' means personal data disclosing racial or ethnic origin, political views, religious or philosophical beliefs, or trade union affiliation, as well as the processing of genetic, biometric data for the data relating to health or data relating to the natural sexual life or sexual orientation of a person.
Categories of Personal Data Collected
In the context of its activities and its regular operation, "ECOPAPER PRINTING S.A." may collect personal data of both its customers or associates, as well as its employees, as well as its associates in general, as well as other natural persons with whom it trades, in the context of its operation.
Depending on the form and purpose of processing per service, "ECOPAPER PRINTING S.A." may collect and process personal data, such as the following:
Clients |
Customer data, if they are natural persons or legal representatives of legal entities. These may include:
- Identity and demographic data (e.g., full name, father's name, etc.),
- Tax Information (VAT number, Tax Office)
- Contact information (e.g., landline – mobile phone, postal address, email, etc.),
- Company name
- Financial data (e.g., IBAN, Bank Accounts, Debts, etc.
- Other relevant data
|
Suppliers/Contractors
|
Supplier data of "ECOPAPER PRINTING S.A." in the case of natural persons or legal representatives/representatives of legal persons. These may include:
- Identity and demographic data (e.g., full name, father's name, etc.),
- Contact information (e.g., registered office address, telephone, email, etc.),
- Business information
- Contracts
- Account balances
- Bank Accounts
- Other relevant information
|
Data of other Natural Persons
|
Data of other natural persons visiting the "ECOPAPER PRINTING S.A." infrastructure or collaborating with it.
|
Employees (active and not)/ Candidate Employees
|
Data of employees of "ECOPAPER PRINTING S.A." under any employment relationship, and data of former and prospective employees, which are kept to operate their employment relationship with "ECOPAPER PRINTING S.A." These may include:
- Identity and demographic data (e.g., full name, father's name, etc.),
- Insurance details (e.g., AMKA and other Social Security Institution Registry data if required),
- Contact details (e.g., postal address, telephone, email, etc.),
- C.V.s,
- Health data (e.g., medical certificates and opinions, etc.),
- Financial data (e.g., bank accounts, etc.),
- Marital status data (e.g., certificates and certificates, number and details of children, etc.)
|
Purposes and Legal Bases of Processing
"ECOPAPER PRINTING S.A." may collect and process the personal data of the individuals mentioned in the above paragraph who use its services and products. In principle, "ECOPAPER PRINTING S.A." may collect and process personal data for the following purposes with the corresponding legal processing bases:
The collection, processing, cross-checking, and transmission of data of the Tax, Insurance, and Labor Administration exclusively for the support and operation of the framework of its responsibilities.
|
- Processing is necessary for compliance with a legal obligation [art. 6 §1 case c) GDPR] and/or
- for the purposes of the legitimate interests [art. 6 §1 case f) GDPR]
|
The collection and processing of the necessary data of employees and/or candidate employees and associates for the proper service of existing employment or cooperation relationships or the examination of possible future collaboration.
|
-
Compliance with a legal obligation [art. 6 §1 case c) GDPR] and/or
-
Processing in the context of the conclusion of a contract [art. 6 §1 case b) GDPR] and/or
-
for the purposes of the legitimate interests [art. 6 §1 case f) GDPR] and/or
-
Necessary for the purposes of carrying out the obligations and exercising of the rights of the Controller or the data subject in labor law and social protection [art. 9 §2 case b) GDPR]
|
The provision of products and services
|
-
Processing in the context of a contract [art. 6 §1 case b) GDPR] and/or
-
Processing is necessary for the purposes of the legitimate interests [art. 6 §1 case f) GDPR]
|
The collection and processing of image data using a camera circuit.
|
-
Protection of persons and goods by Directive 1/2011 of the Hellenic Data Protection Authority
-
Processing is necessary for the purposes of the legitimate interests [art. 6 §1 case f) GDPR]
|
For any other form of processing, "ECOPAPER PRINTING S.A." requests exceptional written, accessible, and informed consent of the subjects before the commencement of processing, if required.
|
The reference to more than one legal basis for processing does not mean that "ECOPAPER PRINTING S.A." changes them (lawful basis swapping), undermining the rights of data subjects, but that there are cases where more than one legal basis for processing is applicable.
Finally, "ECOPAPER PRINTING S.A." does not use as its primary basis for processing the consent of the data subjects (whether it is simple data or special categories), recognizing the inherent imbalance that exists in its relationship with the data subjects and accordance with the recommendations of its Working Group No.29 (now the European Data Protection Board). However, and exceptionally, for a few cases where additional service is provided to the subjects (i.e., beyond the legally provided ones), consent is used to a limited extent as a legal basis for processing and only then.
Transmission/Disclosure of data to third parties
The personal data collected may be disclosed or transmitted to third parties if this is required for the fulfillment of obligations by law or is necessary for the fulfillment of our services, provided in compliance with the guarantees of the relevant legislation. We may assign natural or legal persons to do some of our services. Only the personal data necessary to fulfill the assigned services are transmitted to these entities, which are committed to our Company regarding the confidentiality and safe processing of Personal Data.
"ECOPAPER PRINTING S.A." does not transfer your data to third countries outside the European Economic Area.
Rights of Natural Persons
"ECOPAPER PRINTING S.A." recognizes the rights of natural persons regarding the protection of their personal data. Thus, natural persons have the right to:
- They are informed about the processing of personal data.
- They gain access to their personal data.
- Request the correction of incorrect, inaccurate, or incomplete personal data.
- They request the erasure of personal data when they are no longer needed or if the processing is unlawful. Since Article 6(1)(c) GDPR applies as the lawful basis of processing to most processing operations, the right to erasure is limited and will be considered case-by-case under legal conditions. Besides, according to Recital 4 of the GDPR, the right to protect personal data is not absolute; its function in society must be assessed and weighed against other fundamental rights by the principle of proportionality.
- Object to processing personal data for reasons related to their unique situation, subject to art.21 par.6 GDPR.
- They submit a request to restrict the processing of personal data in specific cases.
- File a complaint with the Hellenic Data Protection Authority (1-3 Kifissias Avenue, 11523 Ampelokipi, tel. 210.647.5600, www.dpa.gr) or with the supervisory authority of the E.U. Member State where they reside or work or with the supervisory authority of the place of the alleged infringement.
Communication of Natural Persons
The above rights, as well as any right regarding personal data, are exercised upon written request submitted at any point accessible to the public or through electronic communication by sending a message to info@ecopaper.gr and examined by the Contact Person for Personal Data Issues.
Principles of processing
"ECOPAPER PRINTING S.A." accepts the basic principles governing the processing of personal data. According to article 5 of GDPR, personal data shall be:
- Processed lawfully, fairly, and transparently about the data subject ('lawfulness, fairness and transparency').
-
Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’).
-
Adequate, relevant, and limited to what is necessary for the purposes for which they are processed ('data minimization').
-
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
-
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to the implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).
-
Processed to ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures ('integrity and confidentiality).
Record of processing activities
ECOPAPER PRINTING S.A." keeps a record of the processing activities for which it is responsible. That record contains all of the following information:
-
the name and contact details of the Controller and, where applicable, of the joint Controller, the Controller's representative and the data protection officer;
- the purposes of the processing,
- a description of the categories of data subjects and categories of personal data;
- The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country or international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- Where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
Protection of personal data
Considering the nature, scope, context, and purposes of the processing, as well as the risks of varying probability of occurrence and severity for the rights and freedoms of natural persons, "ECOPAPER PRINTING S.A." implements appropriate technical and organizational measures to ensure and be able to prove that the processing is carried out by the GDPR, adopting and implementing a holistic personal data security policy.
During the assessment of the appropriate level of security by "ECOPAPER PRINTING S.A.," account shall be taken of the risks arising from processing, particularly from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.
To prevent a personal data breach, "ECOPAPER PRINTING S.A." as the Data Controller, has adopted and applied a policy against attacks on the information systems it owns and manages, as well as a specific policy for the management of any incidents of personal data breach.
Staff training
"ECOPAPER PRINTING S.A." accepts that protecting personal data presupposes the awareness of its human resources regarding safeguarding personal data. To this end, it agrees with adopting and implementing the principle of orientation of appropriate education by using Fair Information Practices (FIP), which encapsulate a set of standards governing the collection and use of personal data and addressing privacy and accuracy issues. "ECOPAPER PRINTING S.A." seeks to raise awareness of its human resources of basic concepts of personal data protection.
Notification Regarding the Processing of personal data through Social Media
"ECOPAPER PRINTING S.A." has a account on Facebook.
In the above Social Network, our company processes personal data (such as your username and photo) to provide information about our activities and services and additional ways of communication.
In any case, we declare that we do not know and are not responsible for whether the Social Network further processes personal data, whether it has additional processing purposes, whether it carries out transfers to third countries, whether it uses Processors and sub-Processors, whether it profiles and how it carries out the processing of personal data as a whole.
Before providing any consent, we recommend that you consult the privacy policy of this Social Network. If, by your actions, you upload your photos to our page on the above Network or additional personal data, you are responsible for this processing. Due to the particular ease of sharing pictures and other personal data on Social Media, we recommend using them in consideration of the potential risks arising from their publication.
Our company does not and cannot exercise influence and control over the nature and extent of personal data collected and maintained by social media platforms as a condition or result of their use and bears no responsibility for collecting and processing of personal data. For more information on the purposes of collection and further processing and use of personal data by social media platforms, as well as on the rights and available settings to protect your privacy and personal data, please consult the privacy policy of the respective social networking platform.
Obligations of Suppliers
Our suppliers are considered Processors unless otherwise specified using a particular provision or other legal text that is not part of this policy.
The Processor's choice of technical means or solutions for individual parts of this processing, which informs the Controller, accordingly, does not make the aforementioned Controller.
However, suppose the Processor determines the purposes and means of processing in violation of this and the legislation. In that case, it is considered a Controller for the specific processing and bears the relevant responsibility for any damage caused by it.
Processing is fulfilling the terms of the commercial agreement between the 2 parties.
The legal basis for processing is fulfilling a contract by Article 6 (1) (b) of EU Regulation 679/2016.
The Processor will carry out individual operations processing of personal data [indicatively: access, but not search, not transfer, not dissemination, not alteration, not deletion unless ordered to do so by the Controller] for fulfilling obligations for the general purpose of fulfilling other commercial conditions.
In other words, the Processor carries out the above processing operations, which arise directly and closely related to the nature of its contractual duties and not to others, by the Controller's suggestions/instructions/directions.
The Processor is obliged to refrain from processing the data for purposes other than the above and to use them in any way for different purposes.
Processor’s processing operations are mainly automated but also non-automated.
Duration of processing: The Processor's processing takes place for the duration of the contract with the Controller and in case of its legal extension.
The Processor declares and assures that it can carry out the above processing operations per the requirements of the G.D.P.R. and other legislation, applying all necessary technical and organizational measures to protect personal data and the subjects' rights.
The Processor declares and warrants that:
a) Complies with their obligations arising from the General Personal Data Protection Legislation.
b) He will remain compliant throughout the Agreement and in case of any extension of its time.
The Processor is obliged to:
-
process personal data only based on the instructions of the Controller, observing the principles of processing as well as a relevant processing file by Article 30 of the G.D.P.R., which files and updates in any case of change in the information it mandatorily contains.
-
not to disclose, communicate, or provide access to the personal data processed by him and the Controller to any third party, not to assign processing to a third party sub-Processor or servant without prior written permission of the Controller, subject to notification to him of a binding order or decision by a supervisory, state, tax or judicial authority, which he is obliged to disclose immediately and in writing to the Controller.
-
immediately implement appropriate technical and organizational measures depending on the type of risk caused by the processing, plan and implement proven technical measures of confidentiality and secrecy on behalf of its staff, security procedures, and protection of personal data from accidental or unlawful destruction, deletion or accidental loss, alteration, unauthorized disclosure, use or access and any other unlawful form of processing.
-
do not make unnecessary reproductions of personal data physically or electronically.
-
implements the obligations, incorporating the principles of privacy by design and privacy by default at every processing stage.
-
accept compliance audits (G.D.P.R. compliance audits) from the competent Personal Data Protection Authority and the Controller about its obligations here.
-
assists the Controller in fulfilling the latter's obligation to respond to the statutory requests of data subjects and immediately notify him of any requests submitted without voluntarily satisfying them.
-
informs the Controller immediately if, in his opinion, an order violates the G.D.P.R. or any other regulatory or legislative provision on data protection.
-
informs the Controller by any appropriate means immediately and in any case within 24 hours of any event (initial information) that has led or may lead to a breach of confidentiality and data, regardless of whether he is responsible for it or not, providing the Controller with sufficient information to enable him to comply with the requirements for the notification of personal data breaches to a supervisory authority and/or to data subjects Data. After initial notification, the Processor shall prepare a breach report, which should describe:
-
The nature of the personal data breach, the type and cause of the breach;
-
The date and time it were noted or located;
-
Describes the paper files or electronic filing systems/software/databases concerned;