Personal Data Protection Policy

1. Introduction

Our company «EVERTECH KATASKEUASTIKI MONOPROSOPI IDIOTIKI KEFALAIOUCHIKI ETAIREIA», which was its registered office in Athens, at 20 Kanari St., with general commercial registry number 134398601000 (“Evertech” or Data Controller”) undertakes to process personal data responsibly and in compliance with applicable data protection laws. European data protection laws and regulations require the Company to process the personal data it collects and processes in a fair and lawful manner. Failure to do so may result in civil or criminal liability for the Company, or fines and compensation payments may be imposed. To this end, the Company implements this Personal Data Protection Policy.

1. Purpose – Scope of application

The purpose of this policy is to determine the minimum requirements for the processing of personal data and to define the relevant responsibilities. This policy concerns all employees and independent associates of the company, especially those who process personal data of third parties (e.g. employees or clients), as well as any cooperating third parties.

This policy has been created in compliance with the European General Data Protection Regulation (2016/ 679/EU) ("GDPR") in relation to the protection of natural persons with regard to the processing of personal data and the free movement of such data, and with the relevant domestic legislation that may be issued in the context of the implementation of the GDPR, the relevant directives, decisions, and regulations that may be issued by the Hellenic Data Protection Authority (HDPA) in this context, as well as any other legislation or regulatory framework on the Protection of Personal Data that amends, revises or replaces any of the aforementioned laws and regulations.

1. Definitions

For a better understanding of this policy, certain terms of the concepts used herein are explained below:

• “Personal Data”: Any information which identifies or may lead to the identification of a living natural person. Indicatively, as personal data are considered: identification details (full name, identity number, address and contact details, email, etc.), education, profession (work experience, work behaviour, etc.), financial situation (income, assets, etc.), family status, interests.
• “Sensitive Data (Special Categories of Personal Data)”: Any information relating to the racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership of a natural person, as well as genetic data, biometric data, data concerning health, data concerning sexual life or sexual orientation and data relating to pending matters of the natural person with justice (criminal record).
• «Data Subject»: The natural person to whom the personal data relate. The GDPR does not apply to legal persons (companies).
• “Employees”: This term includes candidate employees, existing employees, associates under independent services agreements, employees under any employment status, volunteers, trainees and apprentices.
• “Processing of Data”: Any operation or set of operations performed on personal data or on sets of personal data, regardless of the way in which it is carried out, such as collection, registration, organization, structuring, storage, adaptation, alteration, retrieval, use, transmission or any other form of disposal, correlation, combination, restriction, erasure or destruction.
• “Data Controller”: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and the means of the processing of personal data.
• “Data Processor”: The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  The other terms have the meaning attributed to them in the GDPR, which is accessible on the internet at the website of the Hellenic Data Protection Authority (dpa.gr).

1. Responsibilities – Liabilities

The executives and the management of the Company are mainly responsible for the application of this policy.

The employees of the Company who handle personal data of third parties (e.g. employees or clients of the Company) are equally responsible for the understanding and the observance of this policy, according to article 10 below. To this end, they must carefully read and understand this policy, since any violation of it may harm the rights and freedoms of the data subjects.

 

Any external associates (third parties) who act as processors on behalf of the Company are responsible for the processing of personal data in accordance with the provisions of this policy and always according to the instructions they receive from the Company.

1. Principles of Personal Data Protection and Rights

Anyone who processes Personal Data on behalf of the company is obliged to comply with the following principles of good practice. Personal Data must:

• be subject to lawful and fair processing in a transparent manner;
• be collected only for specified, explicit and legitimate purposes;
• be processed only when they are adequate, relevant and processing is limited to what is necessary for the purposes of the processing;

• be accurate and corrected or erased without delay if it is found that they are inaccurate;
• be stored only for as long as required for the processing; and
• be stored securely and in a manner that protects them from unauthorized or unlawful processing and accidental loss, destruction or damage.

In addition, Personal Data must not be transferred outside the country of origin without ensuring that adequate protection exists. In particular:

5.1          The principle of lawfulness, fairness and transparency of processing

Personal data are processed in a lawful and transparent manner. Every natural or legal person that processes personal data must ensure its compliance with this policy and the relevant laws and regulations.

When the processing is based on consent, before the processing of personal data, the data subject must be properly informed and give his/her consent freely, in a clear and distinct manner. Consent may be given expressly or implicitly, e.g. by the provision of personal data to the controller. Consent does not necessarily have to be written, however, in order for it to be proven (e.g. before courts and authorities), written consent is recommended. The data subject should be able to withdraw his/her consent at any time and the withdrawal of consent should be as easy as the giving of it.

Consent is not required when:

• the processing is necessary for the performance of a contract to which the data subject is a party (e.g. processing of data in the context of performance of the employment contract),
• the processing is necessary for compliance with a legal obligation of the controller (e.g. disclosure of personal details of an employee for registration in social security institutions),
• the processing is necessary for the safeguarding of the vital interest of the data subject or of another natural person,
• the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company,
• the processing is necessary for the purposes of the legitimate interests pursued by the Company. An exception is the case where against these interests prevails the interest or the fundamental rights and freedoms of the data subject which require the protection of personal data, especially if the data subject is a child,
• if the data subject has generally given access to his/her personal data, e.g. information made available in newspapers or telephone directories or in intra-company platforms used by the company and for which he/she has not prohibited their processing if the data subject has generally given access to his/her personal data, e.g. information made available in newspapers or telephone directories or in intra-company platforms used by the company and for which he/she has not prohibited their processing,

The Company must provide adequate information to the data subject in a concise, transparent, and understandable manner regarding the personal data collected and the purpose of its processing

5.2          The principle of purpose limitation

Personal data are processed only for the purpose which was declared at the time of collection and are not further processed in a manner incompatible with those purposes. An exception is the further processing for purposes of archiving in the public interest, for purposes of scientific or historical research or for statistical purposes.

5.3          The principle of data minimization

The data collected must be adequate, relevant and limited to what is necessary for the purposes of processing.

5.4          The principle of accuracy of data

The personal data processed must be accurate and, when necessary, kept up to date. The Company takes all reasonable measures for the immediate erasure or correction of personal data which are found to be inaccurate, in relation to the purposes of the processing.

5.5          The principle of limitation of storage period

Personal data are stored and maintained in a form which permits the identification of data subjects only for the period required for the fulfillment of the purpose for which they were collected. An exception is the storage for longer periods, provided that the personal data are processed for purposes of archiving in the public interest, for purposes of scientific or historical research or for statistical purposes or for the defense of the legitimate interests of the Company.

5.6          The principle of integrity and confidentiality of data

Personal data are processed in a manner which guarantees their appropriate security, including protection against unauthorised or unlawful processing and accidental loss as well as destruction or damage.

1. Why does Evertech process Personal Data?

Evertech mainly processes Personal Data (a) of the employees it employs, (b) of its associates who provide services to the Company under an independent services contract and (c) of its clients.

In the context of employment, Evertech collects certain personal data about its employees or, in general, its independent associates. Personal Data are collected and used for a variety of reasons, including, for example, the payment of salaries and additional benefits, the payment of contractual fees, their insurance, their social security and compliance with the applicable labour and tax legislation. More information on the categories, the types and the purposes of processing of the personal data of employees and independent associates can be found in the “INFORMATION FORM REGARDING THE PROCESSING OF PERSONAL DATA OF EMPLOYEES AND INDEPENDENT ASSOCIATES” of the Company.

In addition, Evertech collects and processes Personal Data of its clients in the context required for the fulfillment of the obligations it has undertaken towards them. For example, it may collect identification details (e.g. copies of IDs, home or work addresses, profession), contact details (e.g. email, telephones), tax details (e.g. Unified property tax certificates), assets (e.g. copies of E9 forms), for the purpose of signing contracts and agreements with them, communication with public authorities and in general for the provision to clients of the services requested by them.

In general, the Company collects and processes Personal Data for one of the following three reasons:

• to meet the obligations it has undertaken under contracts with the Data Subjects, i.e. for the purpose of performance of the contract;
• for the fulfillment of its legal obligations (for example, its obligations towards state authorities such as tax authorities and social security institutions); or
• to safeguard its legitimate interests.

In certain cases, the Company may request explicit consent for the collection and processing of Personal Data.

1. For how long does Evertech retain Personal Data?

The Company retains Personal Data only for the period required for the purpose for which they were originally collected or which is necessary for the processing, unless the applicable legislation specifically provides for a longer retention period (e.g. according to tax laws or legislation relating to health and safety). Please refer to “Appendix A” of this policy.

1. Rights of the Data Subjects

According to the law, the Data Subjects have certain rights, which are summarised in “Appendix B” of this policy. Within the framework that the Company acts as Controller, these rights must be disclosed in a transparent and comprehensible manner to the data subjects.

1. Procedure of access request by the Data Subject

In case a data subject sends you, or you otherwise receive, an access request or any other request from a Data Subject, you are obliged to forward it within 24 hours to the email addresses anna@evertech.gr and alex@evertech.gr for its further processing and handling.

1. Obligations of employees and associates

The Company tries to maintain Personal Data in such a way so that they are accurate, complete and updated. However, individuals/employees/associates have the obligation to assist the Company to keep this Personal Data updated and current and to advise the Company of any significant changes.

Certain employees or associates of the company may have access to Personal Data of other persons, including clients or colleagues, during the time of employment or professional collaboration with Evertech. In this case, the Company relies on these individuals to assist in fulfilling the obligations of data protection towards its employees, associates and clients.

Individuals who have access to Personal Data are obliged:

• to process only the data for which they are authorised to have access and only for the purposes for which they are authorised accordingly,
• not to disclose data to other persons (inside or outside the company) except only to persons who have the appropriate authorisation in this respect,
• to keep the data secure (for example, by complying with the rules regarding access to facilities, access to computers, including password/PIN protection, and secure storage and destruction of documents),
• not to remove Personal Data or devices containing Personal Data or that can be used for access to Personal Data, from the Company’s premises without the appropriate security measures (such as, for example, encryption or password protection) having been taken to ensure the security of the data and the device,
• not to store Personal Data on local disks or on personal devices used for work purposes, and
• to report data breaches, which they have been aware of, by following the procedure analysed below.

1. DataBreaches

In the event that you become aware of or are notified of a personal data breach, you must report it immediately, and no later than 24 hours after becoming aware of it, by any appropriate means, to the member of the management to whom you report and simultaneously send an e-mail with the subject “Personal data breach”, stating the relevant details to the email addresses anna@evertech.gr and alex@evertech.gr. Please note that the law stipulates that any personal data breach must be reported to the competent supervisory authority within 72 hours. Therefore, it is essential that the company be notified immediately so that it can comply with the requirements of the law.

1. Violation of policy

The potential penalties and damages resulting from a violation of this policy are serious for both the person committing the violation and the Company. Violation of this policy may result in criminal, civil, administrative, or regulatory sanctions/penalties, such significant fines, criminal penalties, audits by competent supervisory authorities, claims for damages, legal and administrative costs for defending cases, etc.

The enforcement of this policy is the responsibility of each department and compliance with it is the responsibility of each employee or associate individually. Compliance with this policy is achieved through the use of appropriate control mechanisms, which include, but are not limited to, on-site inspections, internal and external audits, and feedback from individual departments.

AppendixA

Record Retention Schedule

Type of document	Time period for which information must be retained
Payroll documents and tax data
Tax return forms and tax records	20 years According to the Tax Procedure Code, company, books and records must be kept for at least 5 years. Exceptionally, in cases of tax evasion lodged complaints, the retention period is 20 years. It is considered good practice to keep these documents for a period of 20 years from the end of the period to which each document relates, in order to support any tax dispute that may arise during that period.
Salary and payroll records	10 years
Records of payments of statutory sickness, maternity benefits, etc.	10 years
Employee documents
Employee records	10 years from termination of the contractual relationship
Recruitment records (scoring, applications, etc)	6 months or 2 years in the event that the candidate has given their consent

Appendix Β

Rights of Data Subjects

Right to Access	Data subjects have the right to obtain confirmation from the Company as to whether the Company processes Personal Data concerning them. This right includes the right to access such Personal Data, the right to receive a copy thereof free of charge (with the exception of any repetitive or excessive requests), and the right to provide the data subject with a description of the main features of the processing applied in relation to the Personal Data, as well as the following information: (i) the purposes of the said processing, (ii) the relevant categories of Personal Data, (iii) the recipients or categories of recipients of the Personal Data, in particular those located in third countries outside the EU, (iv) the envisaged retention period, and if this is not possible, the criteria used to determine it, (v) the existence of the right to submit a request for rectification or erasure of Personal Data, as well as the existence of the right to object to the processing or to submit a request for restriction of processing, (vi) the right to lodge a complaint with a supervisory authority, (vii) information regarding any third-party source of origin of the Personal Data, in case the data were not collected directly from the data subject, and (viii) the existence, the rationale, the significance and the consequences of any automated decision-making, including profiling. In the event that Personal Data are transferred outside the EU, data subjects shall be informed about the appropriate safeguards relating to such transfer.
Right to Rectification	Data subjects have the right to request from the Company, without undue delay, the correction/rectification of inaccurate, incomplete, or outdated Personal Data concerning them.
Right to Erasure	Data subjects have the right to request from the Company without undue delay the erasure of their Personal Data if one of the following grounds applies: (i)  such Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, (ii) the data subject withdraws the consent on which the processing is based, and there are no other legal basis for the processing, (iii) the data subject objects to the processing as provided below, (iv) the Personal Data have been unlawfully processed, (v) the Personal Data must be erased in order to comply with a legal obligation under Union law or the law of a Member State. The Company may refuse the erasure of Personal Data if the processing of such data is necessary for: (i) the exercise of the right of freedom of expression and the right to information, (ii) compliance with a legal obligation which requires processing under Union law or the law of a Member State or for the performance of a task carried out in the public interest, (iii) reasons of public interest in the area of public health, for scientific or historical research purposes or for statistical purposes, or (iv) the establishment, exercise or defence of legal claims.
Right to Restriction of Processing	Data subjects have the right to restrict the processing of their Personal Data in the following cases: (i) When the data subject claims that the Personal Data processed by the Company is inaccurate (the restriction is granted for a period of time that allows the Company to verify the accuracy thereof), (ii) When the processing appears to be unlawful and the data subject opposes the erasure and instead requests the restriction of the use of their Personal Data, (iii) When the Company no longer needs such Personal Data for the purposes of processing, but such Personal Data are necessary for the data subject for the establishment, exercise or defence of legal claims, and (iv) When the data subject raises objections to the processing, whilst the verification of whether the Company’s legitimate grounds override those of the data subject is still pending. When the data subject has obtained the restriction of the processing of their Personal Data from the Company, they shall be informed by the Company before the lifting of the said restriction.
Right to Object	In general, data subjects have the right to object, at any time and for reasons related to their particular situation, to the processing of their Personal Data, specifically with regard to those data whose legal basis for processing is the protection of the Company’s legitimate interests and not those whose legal basis is the fulfilment of the Company’s legal obligations or the performance of obligations arising from a contract. Provided that such objection is justified, the Company shall no longer process the said Personal Data, unless it demonstrates compelling and legitimate grounds for the processing which override the interests of the data subject. Without prejudice to the legal obligations applicable to unsolicited commercial communications, where Personal Data are processed on behalf of the Company for the purposes of direct marketing and the data subject expresses concern regarding the processing of such data, data subjects have the right, at any time, without providing any reason and free of charge, to request to be excluded from receiving direct marketing material and, in general, to object to the processing of their Personal Data for marketing purposes, including profiling. The Company shall comply with any such relevant request from the data subject who does not wish to receive advertising or promotional material and shall no longer process their Personal Data for direct marketing purposes.
Right to Data Portability	Where the processing is based on the consent of the data subject or on their employment agreement, and such processing is carried out by automated means, the data subject has the right to request from the Company: (i) to be informed of the Personal Data concerning them, in a structured, commonly used and machine-readable format, so that they may subsequently transmit such Personal Data to another controller, or (ii) to have such Personal Data transmitted directly to the other controller, where technically feasible.
Right to Withdraw Consent	Where the processing of Personal Data is based on the consent of the data subject, the data subject has the right to withdraw such consent at any time, without affecting the lawfulness of the processing based on consent before its withdrawal.
Right to Lodge a Complaint	Data subjects have the right to lodge a complaint with the competent supervisory authority, which is the Hellenic Data Protection Authority (HDPA). For more information on the HDPA, including guidance for data subjects on their rights under the law, please refer to www.dpa.gr.