Commited to privacy issues

1. The right of access to information/update

   You have the right to request and receive clear, direct and easily understood information about how we process your personal data.

2. The right of access

   You have the right to access your personal data for free, except in the following cases, where there may be a reasonable charge of covering the cost of the Company’s and/or the Group’s administrative expenses:

   • manifestly unfounded or excessive /consecutive requests in particular or additional copies containing the same information
   • Additional copies of the same information

3. The right to rectification

   You have the right to request the rectification of your personal data if they are inaccurate or incomplete.

4. The right to erasure

   You have the right to request the deletion or removal of your personal data when it is no longer necessary for the purpose which they were originally collected for or there is no legitimate reason to continue processing them. The right to erasure is not an absolute right under data protection law, if there is a specific legal obligation or other legitimate reason for your personal data to be retained by the Company and/or the Group.

5. The right to restrict processing

   In certain cases, you have the right to restrict or terminate further processing of your personal data. In cases where processing has been restricted, your personal data remain saved, without being subjected to further processing.

6. The right to data portability

   You have the right to request a copy of your personal data file being processed, submitted to us in a structured and commonly used format machine-readable and forward the data to another data controller.

7. The right to object

   You have the right to object at any time and for reasons relating to your particular situation involving personal data processing, unless the Company and/or the Group demonstrate imperative and legitimate reasons for the processing.

8. Rights on automated individual decision-making and profiling

   The Company and the Group do not make automated individual decision-making, including profiling.

Note: This Policy has entered into force on 382 / 20.06.2012 Management Decision

Table of Contents

1. Introduction
2. Objective.
3. Data Collection and Processing
4. Data collection sources
5. Processing objectives
6. Legal Basis
7. Retention period
8. Information Security
9. Data transfer to third parties
10. Your subject data rights
11. HELPE group data protection officer contact details
12. Definitions

1. Introduction

This Privacy Notice is provided for the following companies:

Data processing controller contact details are as follows:

(Hereafter referred to as "We", the "Group", the "Company", the "Controller")

2. Objective

This notification describes our practices with regard to personal data processing, i.e. the collection, entry, organization, structure, storage, adaptation or alteration, retrieval, search, use, disclosure by transmission, dissemination or any other form of availability, association or combination, restriction, deletion or destruction of your personal data in compliance with Data Protection Regulation.

Personal data confidentiality and protection is of utmost importance therefore effort is made to continuously comply with the National and European Legal and Regulatory Frameworks for personal data protection. Reference is made to third party participants so as to include collaborators, providers, and other third-party members as described in the Definitions section under the entry “third-party”.

 The Company reserves the right to modify and update this notice whenever it is deemed necessary, and the changes will take effect upon their notification to you, either by e-mail or by posting them on the Internet or by any other means the Company deems appropriate.

In the event that the terms of your cooperation with the Company are governed by more specific terms regarding personal data protection, these terms will apply in conjunction with these present terms. In the event of any conflict between the two, the specific terms of use concerning each specific service will prevail.

3. Collected Data

During the procedures concerning the Company’s selection of suppliers and associates as well as in the context of the Company's cooperation with them, the Company collects personal data about its partners, legal representatives, employees, subcontractors, partners’ contact persons - its agents, any authorized representatives, agents, and other persons with whom the Company comes into contact, or persons who may have access to and / or provide work / services on the Company’s premises during the cooperation. If you belong to any of the above, depending on the specific circumstances and the applicable legal provisions, the Company may collect all or some of the following information about you:

• Name and surname
• Age
• Contact information
• Training information 
• Work experience
• Curriculum vitae
• Copies of identification documents, Tax Identification Number and other information related to the fulfillment of tax and other administrative obligations
• Bank account details
• Details of your contractual relationship or your cooperation with the Company and details about fees
• Details that are submitted in the context of tender procedures, evaluation procedures or outsourced assignments to suppliers
• Information about your hours worked at the Company and the licenses granted to you if you provide a service or perform work at the Company's premises for one of the Company’s partners or suppliers 
• Health related data in the event that you are involved in an accident at the Company's premises when providing your services, or if it is necessary to certify your suitability for the provision of these services in the context of our cooperation
• Upon entering the company’s premises, data is collected (i.e. ID number, passport number) as well as the date and time of the entry and exit. An entry card is also issued through which your movements are recorded on our premises
• Additional information you share with us (i.e. third-party letters of recommendation, curriculum vitae)

Some of the above details are necessary in order for us to fulfill our contractual obligations that we have towards you. For example, your Tax ID is required by Law. Other data are required to ensure for the smooth operation of our contractual relationship or overall cooperation. Depending on the type of personal data and the basis on which we rely on the processing of that data, if you refuse to provide us with this data, we may not be able to fulfill our contractual obligations or cooperate and in some extreme cases it may not be possible to continue working together.

4. Personal data collection sources

Personal data collection is mainly done as follows:

(α) By the individual

The company is in need of acquiring certain personal data within the framework of cooperative work with the individual so as to fulfill all obligations in connection with you and third parties. Personal data is collected in a variety of ways and include:

• Fillingincorporateforms
• Professional card exchange
• Ιdentification data (ID card number, passport number) including date and time of arrival and departure from company facilities
• By phone through documentation forwarding
• Digital communication via e-mail, website

(β) from other sources

Also, the company may receive personal data from other sources. These sources include various third parties who have worked in the past with the group or company, public sources (official government gazette, general commercial registry, professional guidelines) concerning entries in relation to individual professional activity.

(γ) Automatically received personal data

Automated collection of personal data may include:

Communication through servers or company devices including email text messaging, date and time of arrival and departure from various company facilities, through personalized magnetic cards.  Audio visual aids (including date and time) of arrival in an area where closed circuit television is installed (CCTV).

From you

The Company needs to know certain information about you in the context of our co-operation in order to fulfill its contractual obligations towards you, as well as its obligations towards third parties. There are a number of ways you share information with us, including:

• Filling in various corporate forms
• Exchanging business cards
• Identity information (e.g., ID number, passport number) as well as the date and time of your entry and exit upon entry (and exit) at the Company's premises
• Via phone
• Through documents you send to the Company
• Through electronic communication (e-mail, website)

From other sources

We also receive personal data about you from other sources. These sources include third parties with whom you have previously collaborated who have recommended you to the Company, the limited liability company risk checking system company - TERESIAS S.A., ICAP, public sources (Government Gazette, GEMI, Industry Guides) where there is public information regarding your professional activity.

Automatically received personal data

Your automatically collected personal data includes:

• Audiovisual material (including date and time) entering an area where a CCTV system operates.
• Dates and hours of access to the Company's facilities using personalized magnetic cards.

5. Processing objectives

The Company collects and processes your personal data, listed above, for the following purposes:

• fulfilling our contractual obligations and work smoothly with one another
• ensuringlegalcompliance
• managing business risks
• for tax purposes, pricing and provisional services
• for protection security
• protecting the Company's property (facilities, infrastructure, equipment, etc.) improving group and company cooperation between departments and for seamless efficient and effective communication in company and group collaboration general speaking.as well as seamless efficient and effective communication among its collaborators, providers and other third parties
• evaluating collaborators, providers and other third parties
• monitoring compliance in group practices and processes initiating, implementing and supporting the company’s legal claims 

The Company collects and processes its affiliates’ personal data solely for the aforementioned purposes and only to the extent strictly necessary to effectively serve those purposes. These data are always concise, relevant and not more than required for the purposes as set out above are accurate and, where appropriate, are subject to consultation.

6. Legal Basis

There are several ways in which the Company lawfully processes its affiliates’ personal data; each processing performed by the Company is in accordance with at least one of the following legal bases:

Processing is necessary if the Company is to fulfill its contractual obligations

In order to be able to fulfill its contractual obligations of the Company vis-à-vis you and to monitor the fulfillment of the contractual obligations of its associates, the Legal Basis on which the Company lawfully processes the data of its associates is Article 6, 1 (b) of the GDPR, where it is foreseen that the Company may process data if "processing is necessary for the performance of a contract to which the data subject is a party".

Processing is necessary in order for the Company to comply with its legal obligations

Apart from its contractual obligations, the Company also has to comply with various obligations arising from the current legal framework. In accordance with Article 6 (1) (c) of the GDPR, the Company may process personal data when the processing is "necessary if it is to comply with its legal obligation".

Processing is necessary for the Company to serve its legitimate interests

Pursuant to Article 6 (1) (f) of the GDPR, the Company may process personal data when such processing is "necessary for the purposes of the legitimate interests pursued by the Company unless such interests prevail over those interests or the fundamental rights and   freedoms of data subjects that impose the protection of personal data".

The following cases are a non-exhaustive reference to the legitimate interests pursued in order to successfully achieve corporate objectives:

• defending the security and protection of the Company's associates,
• protecting the Company's property and the documentation, securing and enforcement of the Company's legal claims against third parties for damages to its property,
• improving the quality of the Company's collaborations and provision of services and the Company’s unimpeded and effective communication and interaction with its partners,
• monitoring compliance with the Company's practices and procedures, and
• the foundation, exercise or support of the Company’s legal claims. 

You give us your consent to process your personal data

In extremely limited cases, we may seek for your consent with a positive action (opt-in) before we can make specific edits to your data. For example, we may ask for your consent to promote your information to third parties who may be interested in the services you provide or to publish your information in corporate forms.

7. Data transfer to Third Parties

The Company does not in any way transfer the personal data of its affiliates nor does it interconnect its files for any financial or other consideration with any third-party private enterprises, natural or legal persons, public authorities or services or other organizations.

The Company may provide access or forward the personal data of its affiliates and suppliers to:

Third-party service providers who perform various functions (including security and insurance services) and external consultants, associates, lawyers, accountants, auditors, as well as technical and support service providers and IT consultants on behalf of the Company.

Financial institutions: We may exchange data with financial institutions/banks where you hold a bank account in order to process payments.

Other Group companies in the context of centralized procurement management via the Group's competent supply department.

The processing of your personal data by our above-mentioned affiliates is under our control and is conducted only at our command and is subject to the same privacy policy or a policy providing, the same level of protection (at the least).

Furthermore, the Company transfers your data under its regulatory obligations to:

Tax, Audit and other Public Authorities when we believe in good faith that the Law or other regulatory act obliges us to provide access or forward such data.

Competent law enforcement authorities: We may disclose your data to the Police and other competent law enforcement authorities or administrative authorities, if required by the law or by any other lawful enforceable act or order.

Any data transfer to third countries outside the European Economic Area (i.e. outside the EU Member States, Norway, Iceland and Liechtenstein) will only be made in compliance with the data protection legislative framework and only when adequate safeguards are in place to protect your data.

If the Company is merged or acquired by another company in the future, your personal data may be disclosed as part of the merger or the acquisition of the Company.

8. Information Security

How the Company processes personal data is conducted in a way that ensures its confidentiality. In particular, it is carried out solely by authorized Company personnel while all appropriate organizational and technical measures are taken to ensure data security as well as to protect data from any accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, or any other form of unfair processing.

9. Storage

The company’s third-party personal data are stored in servers that are within Greek boundaries and are not transmitted to third world countries (outside EU/ΕΕΑ).

Countries part of the European Economic Areas are regarded as providing the same degree of personal data protection as that of Greece. In the event that the company transmits personal data that of collaborators, providers or other third-party members outside the European Economic Area, it is required to disclose its collaborators, providers and other third-party members, the purpose of the transmission and guarantee personal data protection when they are being transmitted

10. Retention period

The Company will maintain personal data in accordance with the applicable law and only for as long as it is required to fulfil the purposes as set forth in Sections 5 and 6 or for the time period required by law or for the purposes of the Company defending itself against possible legal action from those in the pursuit of claims against it.

11. Data subject rights

One of the basic principles of the General Data Protection Regulation is natural person protection rights, as far as personal data protection processing is concerned. Within this framework the company’s third-party members have a set of rights associated with the processing of personal data.  To be more specific and in accordance with the General Data Protection Regulation the individual has the right to:

• Receive personal data concerning you the individual given to the company in a structured, widely used and machine-readable format and also be notified about the processing of your personal data.
• Request access to your personal data (widely known as “requesting data subject access”}. This gives you the right to receive a copy of your personal data which is retained by the company and check that they are legally being processed. (“The Right to Access Information).
• Request rectification of your personal data. This enables you to rectify any incomplete or inaccurate data in your personal data company file (The Right to Rectification).
• Request deletion of your personal data. This enables you to request for all your personal data to be deleted. It enables you to ask the company to delete or destroy your personal data for there is no valid reason to continue processing it.  The right to erasure is not absolute to the extent where there is a specific legal obligation or other legal reason for maintaining your personal data within the company and/or the group (The Right to Erasure).
• At any given time, you may object to processing your personal data on grounds relating to your particular situation, except in case the company is able to present compelling legitimate grounds for processing that prevail over your interests, rights freedom or when processing is done for establishing exercising or supporting legal claims that of the company. Consequently, exercising this right in certain instances may affect the ability to fulfil obligations that stem from our standard relationship or in extreme cases they may hinder our collaboration (The right to object).
• Request the restriction of personal data processing (in certain cases). This enables you to file a company request for instance, to stop processing your personal data.  This actually means that we are able to save the data even though we are unable to further process it except if the company has your consent or unless processing is important either for establishing, exercising or supporting company legal claims either for another person’s rights protection or on grounds of public interests (The right to restrict processing).
• Data portability right: You have the right to request that your personal data be forwarded to other controllers. In practice this means that you can transfer the information we hold for you to any third party. In order to serve this right, we will provide you with data in a structured, commonly used and machine-readable format so that you can transfer your data to another controller. Alternatively, we can send the data directly for you. The right to portability applies to (a) data we process automatically (i.e., without any human intervention), (b) personal data provided by you, and (c) personal data processed as a result of your consent, or processing that is necessary for the performance of a contract.
• Withdraw your consent at any time without affecting the legality of processing on the basis of your consent prior to withdrawal by contacting us via email to [email protected] (The right to withdraw consent).
• File a complaint to the Hellenic Data Protection Authority. Contact the Hellenic Data Protection Authority as follows:

(1) Postal Address:  Hellenic Data Protection Authority     

Office:1-3 Kifissias Boulevard

Postal Code  115 23, Athens,

(2) Telephone: +30-210 6475600,

(3) Fax: +30-210 6475628,

(4)Email: [email protected]  (The right to make a complaint)

Should you have any inquiries please contact us:

For further information regarding the aforementioned rights and inquiries concerning this privacy notice you can contact the Company or Group in the following email address: [email protected]

12. Contact details for the Data Protection Officer for the HELPE Group

Do you have any further questions? Contact us

If you have any questions about this Notice, please contact us by e-mail or telephone using the details of the Personal Data Officer provided above.

13. Definitions

• “General Data Protection Regulation ("GDPR")”- the European Union regulation aimed at harmonizing European legislation on the protection of personal data. The regulation will apply from 25 May 2018, and any reference thereto shall be construed to include national implementing legislation.
• “Personal data”: means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is someone whose identity can be ascertained, directly or indirectly, in particular by reference to an identifying identifier such as a name, ID number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that person.
• “Sensitive personal data”: means personal data which contain information on racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, physical and mental health, genetic and biometric data, data relating to gender or sexual orientation, and information on criminal convictions and offenses. Because of the nature of sensitive personal data, the legislation is much more rigorous about how these data should be processed. The Company processes sensitive personal data only in accordance with the law.
• "Affiliates": Natural persons or legal entities with whom the Company may maintain any business relationship or contractual relationship or partnership.
• "Processing": means any act or set of operations carried out with or without the use of automated means on personal data or personal data sets, such as the collection, registration, organization, structuring, storage, adaptation or change, retrieval, retrieval of information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, erasure or destruction.
• “Controller”: means a natural or legal person, a public authority, a service or another body which, alone or jointly with others, defines the purposes and the manner in which personal data are processed; when the purposes and manner of processing the law of the Union or the law of a Member State, the controller or the specific criteria for his appointment may be provided for by Union law or the law of a Member State.
• “Limitation of processing”: means the labeling of stored personal data in order to limit its processing in the future.
• “Violation of personal data”: means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.