1. Purpose & Objectives
SARONIS S.A. makes every effort to comply with the legislation related to the Protection of Personal Data in the sectors in which it operates. This Policy sets out the basic principles by which SARONIS S.A. processes the personal data of customers, employees, suppliers, partners and other persons. This Policy applies to SARONIS S.A. and its directly or indirectly controlled subsidiary companies based in Greece. All employees, with an indefinite or fixed-term relationship, as well as all subcontractors working on behalf of SARONIS S.A. are bound by this Policy.
2. Basic Definitions
The following are the basic definitions of the terms used in this document, as set out in Article 4 of the General Data Protection Regulation, in order for the data subject to familiarize himself with the terminology of the Regulation:
Personal Data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identification element such as a name, an identification number, to location data, an online identifier or one or more factors that characterize the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
Personal Data of special categories: Personal data which are by nature particularly sensitive in relation to fundamental rights and freedoms need special protection, as the context of their processing could create significant risks for fundamental rights and freedoms. This personal data includes personal data revealing the origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of unmistakable personal identification, health-related data or data concerning a natural person’s sex life or sexual orientation.
Responsible for processing: the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of processing personal data.
Person performing the processing: the natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller.
Processing: any act or series of acts carried out with or without the use of automated means, on personal data or sets of personal data, such as collection, registration, organization, structuring, storage, adaptation or alteration, retrieval , information retrieval, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction.
Principle: The Authority for the Protection of Personal Data
3. Basic principles concerning the Processing of Personal Data
SARONIS S.A. as data controller strictly adheres to the data protection principles defined in article 5 of the General Data Protection Regulation.
3.1. Legitimacy, Objectivity and Transparency
SARONIS S.A. processes personal data legally, objectively and transparently towards the data subjects.
3.2. Purpose Limitation
Personal data is collected only for specific, explicit and legitimate purposes and is not processed for any other purpose.
3.3. Data minimization
SARONIS S.A. maintains the accurate personal data of the subjects and ensures that their compliance is limited to what is necessary in relation to the processing purposes. At the same time, it applies the appropriate technical measures in order to achieve the above objectives.
3.4. Accuracy
The personal data maintained by SARONIS S.A. is accurate and up-to-date. Actions are taken to ensure that personal data that are inaccurate, in relation to the purposes for which they are processed, are deleted or corrected in a reasonable time.
3.5. Limitation of Storage Period
Personal data is retained for a period of 3 years, after which it is automatically deleted.
3.6. Integrity and confidentiality
Taking into account the technological level and other available security measures, the cost of implementation, as well as the probability and severity of the risks to personal data, SARONIS S.A. uses appropriate technical or organizational measures for the processing of Personal Data, in a way that guarantees the appropriate security of personal data and their protection against accidental destruction, loss, damage, unauthorized or illegal processing.
3.7. Accountability
SARONIS S.A. bears the responsibility and is able to demonstrate compliance with the General Data Protection Regulation to the competent Personal Data Protection Authority.
4. Privacy Notice, Consent and Rights of Data Subjects
4.1. Notice to Data Subjects
Before collecting personal data or during its collection for any processing activity undertaken by SARONIS S.A., including but not limited to the sale of products, services or marketing activities, SARONIS S.A. is responsible for providing appropriate information to the data subjects and more specifically, information on the types of personal data collected, the purposes of the processing, the processing methods, the rights of the data subjects in relation to their personal data, the registration period, any international data transfers, if personal data is given in the context of cooperation to third parties, as well as the security measures of SARONIS S.A. for the protection of personal data. This information is provided through the Privacy Notice.
4.2. Consent – Free withdrawal thereof
When the collection of personal data has as a legal basis the consent of the data subject, SARONIS S.A. is responsible for ensuring that the data subjects provide their consent freely, with a positive action, expressly and in full knowledge of the content of the text in which they consent to. SARONIS S.A. provides the data subjects with the possibility to withdraw their consent at any time. Where personal data of children under 16 years of age is collected, SARONIS S.A. ensures that the Parent’s consent has been given before the collection. Personal data must be processed only for the purpose for which it was originally collected. In the event that SARONIS S.A. wishes to process collected personal data for another purpose, it must seek the consent of the data subjects in an explicit and specific document. Any such request must contain the original purpose for which the data was collected, as well as the new or additional purpose(s).
4.3. Collection
SARONIS S.A. makes every effort so that the amount of personal data it collects is the minimum possible. If personal data is collected by a third party, SARONIS S.A. ensures that this data is collected legally.
4.4. Relationship of SARONIS SA with Third Parties
In cases where SARONIS S.A. uses a third-party supplier or business partner whom it entrusts to process personal data on its behalf, it ensures that the processor will provide the appropriate security and protection measures for personal data in order to address possible associated risks. SARONIS S.A. makes every effort to ensure that its suppliers or commercial partners process personal data only to fulfill their contractual obligations towards SARONIS S.A., always in accordance with its instructions and for no other purpose.
4.5. Access Rights of Data Subjects
SARONIS S.A. as the Processor is responsible for providing the data subjects with a mechanism to access their personal data, which will also allow them to review, correct, delete or transfer it.
4.6. Data Portability
Data Subjects have the right to receive, upon request, a copy of the data they have provided to SARONIS S.A. in a structured format and to transfer this data to another controller. SARONIS S.A. is responsible for ensuring that these requests are processed within one month, provided that these requests are not manifestly unfounded. When exercising the right to data portability, the data subject has the right to request the direct transmission of personal data from one controller to another, if this is technically possible.
4.7. Right to be Forgotten
Upon request, Data Subjects have the right to ask SARONIS S.A. to delete their personal data. SARONIS S.A. will immediately take the required actions (including technical actions) to satisfy the request and will ensure the same from any third parties that use or process personal data on its behalf.
4.8. Right to object
The Data Subject has the right to object at any time to the processing of personal data concerning him, including profiling.
4.9. Right to restriction of processing
Upon request, Data Subjects have the right to ask SARONIS S.A. to limit the processing of their data in accordance with Article 18 § 1 a-d of the General Data Protection Regulation (EU) 2016/679.
4.10. How to exercise all rights of Data Subjects and withdraw their consent
The Data Subject exercises his rights as well as the revocation of his consent by written application to the company SARONIS S.A.. The data subject may also freely withdraw their consent without affecting the lawfulness of the processing based on it until its withdrawal by sending a written request/letter or email to: [email protected].
The person responsible for processing personal data for SARONIS SA is Spiridon Maziotis, to whom you can address any relevant request concerning your data at the email address [email protected].
Also, the subject may contact the Personal Data Protection Authority at the following details www. dpa.gr, email: [email protected], contact phone: 210 6475600, Address: Kifisias Avenue 1-3, P.C. 115 23, Athens
5. Response to Personal Data Breach Incidents
When SARONIS S.A. is informed of a potential or actual personal data breach, it will immediately conduct an internal audit and take appropriate remedial measures in a reasonable time, in accordance with the Personal Data Breach Policy. When there is a risk to the rights and freedoms of the data subjects, SARONIS S.A. must notify the incident of violation to the Authority without delay and in any case, within 72 hours.
6. Communication
If you continue to have any questions or need any clarification regarding the processing of your personal data by SARONIS S.A. you can contact us and SARONIS S.A. will be happy to serve you immediately.
Data Protection Officer
You can contact the data protection officer of SARONIS S.A., Spiridon Maziotis, at [email protected] for issues concerning the processing of your personal data.
Information on the processing of personal data through a video surveillance system
Data Controller:
Ypodeigma EPE, Kifisias 1–3, 115 23, Athens, tel. +30 210 5555555
Purpose of processing and legal basis:
We use a surveillance system for the purpose of protecting individuals and property. The processing is necessary for the purposes of the legitimate interests pursued by us as the data controller (Article 6(1)(f) GDPR).
Assessment of legitimate interests:
Our legitimate interest lies in the need to protect our premises and the property located therein from unlawful acts, such as theft. The same applies to ensuring the safety of life, physical integrity, health, and property of our staff and of third parties who are lawfully present in the monitored area. We collect image data only and limit recording to areas where we have assessed an increased likelihood of unlawful acts (e.g. theft), such as our cash registers and entrance, without focusing on areas where the private life of individuals whose images are recorded could be excessively restricted, including their right to the protection of personal data.
Recipients:
The recorded material is accessible only to our competent/authorized personnel responsible for site security. The material is not disclosed to third parties, except in the following cases:
(a) to competent judicial, prosecutorial, and police authorities when it contains information necessary for the investigation of a criminal offense involving persons or property of the data controller;
(b) to competent judicial, prosecutorial, and police authorities when they lawfully request data in the exercise of their duties; and
(c) to the victim or perpetrator of a criminal offense, when the data may constitute evidence of the offense.
Retention period:
We retain the data for seven (7) days, after which they are automatically deleted. If, within this period, we identify an incident, we isolate the relevant portion of the video and retain it for up to one (1) additional month for the purpose of investigating the incident and initiating legal proceedings to protect our legitimate interests. If the incident concerns a third party, we retain the video for up to three (3) additional months.
Rights of data subjects:
Data subjects have the following rights:
Right of access: You have the right to know whether we process your image and, if so, to receive a copy of it.
Right to restriction: You have the right to request the restriction of processing, for example, not to delete data you consider necessary for the establishment, exercise, or defense of legal claims.
Right to object: You have the right to object to the processing.
Right to erasure: You have the right to request the deletion of your data.
You may exercise your rights by sending an email to [email protected], by letter to our postal address, or by submitting your request in person at the store address. To examine a request related to your image, you will need to indicate approximately when you were within the cameras’ range and provide an image of yourself to assist us in locating your data and masking the data of third parties appearing in the footage. Alternatively, you may visit our premises so that we can show you the images in which you appear. Please note that exercising the right to object or the right to erasure does not entail immediate deletion of data or modification of processing. In all cases, we will respond in detail as soon as possible, within the time limits set by the GDPR.
Right to lodge a complaint:
If you believe that the processing of your personal data violates Regulation (EU) 2016/679, you have the right to lodge a complaint with a supervisory authority.
The competent supervisory authority in Greece is the Hellenic Data Protection Authority, Kifisias 1–3, 115 23, Athens, https://www.dpa.gr/, tel. +30 210 6475600.
