(Issue Date: April 15, 2019)
DATA PROTECTION MANAGEMENT SYSTEM
P.C. 11362, Athens Attica
Holds all rights and obligations reserved for such capacity under the General Data Protection Regulation (GDPR 2016/679) for processing personal data through the Website.
Data Protection Officer:
Rrothesi has created a robust information governance system as to process personal data in the course of office operational and corporate activities, remaining at the forefront of information security and data privacy developments, diligently adhering to prevailing laws and regulations, policies and procedures. Appropriate technical and organizational measures have been implemented to mitigate, to the extent possible, the risk left unattained, taking into consideration privacy risk and data protection impact assessments. All personal data are:
Processed lawfully, fairly and in a transparent manner;
Collected for specified purposes;
Classified, stored as per the corporate retention limits and securely purged;
Accurate and, where necessary, kept up-to-date;
Recorded and available for data subjects and any competent, supervisory Authority;
Processed with integrity and confidentiality while ensuring their availability, on demand, by applying the appropriate technical and information technology measures and controls.
Privacy culture is promoted through learning and awareness sessions within Prothesi
MAJOR AREAS OF PERSONAL DATA PROCESSING
Tender and contract management
Accounting and claim management
Document control and database management
Data subjects rights handling
PURPOSE AND SCOPE OF PROCESSING
Prothesi processes the required and relevant personal data, per case of processing, as to:
Implement statutory obligations related to civil aviation safety and security
Provide services to customers
Provide on line information, communication and electronic services
Within each context of processing, Prothesi informs the involved physical persons for the entire personal data lifecycle.
Personal data is collected from various sources:
Provided by the individual, as a prerequisite for the provision of a service or voluntarily on a communication basis
When using our mobile applications, visiting our corporate website
From state authorities and/ or other organizations that share data, within the scope of official authority or business legitimate interest.
SECURITY OF PROCESSING
Prothesi acknowledges and respects the importance of data subject’s privacy and commits to safeguard the availability, integrity and confidentiality of the personal data, under processing. The objective is to protect data against unauthorized access, unlawful processing, misuse, alteration, accidental loss, destruction or damage. To this extent, a series of corporate policies and procedures provide specific guidance and promote the security awareness across all operational and corporate processes.
Organizational and technical measures have been implemented to safeguard all databases physically and electronically. All data are classified and retained for predefined time periods, as set by the corporate documents and records retention policy. Our staff is properly trained on their data processing accountabilities while there is restricted access to physical storage. Technical measures may include firewalls, intrusion detection and prevention systems, unique and complex passwords, and encryption.
We share personal data with selected business partners who process data jointly or on our behalf providing sufficient guarantees – within the scope of data processing agreements – to implement appropriate technical and organizational measures in such a manner that processing meets the GDPR requirements and ensure the protection of rights of the data subjects. In certain cases, mainly for cloud storage purposes, data may be transferred to countries outside the EU, based on contractual clauses that ensure that this takes place in accordance with the relevant GDPR requirements.
DATA SUBJECT CHOICES and RIGHTS
Prothesi provides to data subjects the choice to revoke their initially provided consent, for Prothesi’s marketing activities by changing their preferences for receiving advertising and promotional correspondence. Moreover, in cases where data subjects create personal accounts for managing the information provided to Prothesi (e.g. CV submission), Prothesi offers the ability to access their information and make updates or delete their data and their account, accordingly.
Data subjects willing to exercise their rights, as provided by the GDPR, are requested to contact Prothesi’s Data Protection Officer – as presented above in this Policy – who diligently will handle each request.
Right to access data:
Refers to access to data subject’s personal data and the following information:
Purpose(s) of processing
Categories of personal data processed
Recipients to whom the data is disclosed, within and outside EU
Data retention period
Sources of collection, if data is not obtained by the data subject.
Right to rectify data:
Refers to correction/amendment of inaccurate/ incomplete data.
Right to be forgotten:
Applies in one of the following cases:
Data has been unlawfully processed
Data is no longer necessary in relation to the purposes initially collected or otherwise processed
The data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing.
Right to restrict processing:
Applies in one of the following cases:
The data subject contests the accuracy of the personal data
Data has been unlawfully processed and data subject opposes the data erasure and requests the restriction of their use instead.
Right to data portability:
Applies under certain circumstances and solely where technically feasible and refers to the personal data transmission to another Data Controller in a structured, commonly used and machine-readable format.
Right to object processing:
Applies on grounds of each request, in particular.
The exercise of any of the above rights is subject to applicable regulatory or operational restrictions that Prothesi may confront.
Data subjects have the right to lodge a complaint with the Hellenic Data Protection Authority (DPA) at www.dpa.gr, if they consider that Prothesi’s processing of their personal data infringes the GDPR. Furthermore, data subjects have the right to an effective judicial remedy, in case they believe that their rights under the GDPR have been infringed as a result of Prothesi’s data processing.