Privacy and Personal Data Protection Policy
In its daily activities, DOUBIA S.A. uses a variety of data relating to identified individuals, including data related to:
The purpose of this policy is to describe the relevant legislation and to present the steps that DOUBIA S.A. follows to ensure its compliance with it.
This control applies to all systems, people and processes of DOUBIA S.A. including board members, service managers, employees, customers, suppliers, vendors, partners, subcontractors and other third parties who have access to DOUBIA S.A. systems.
The General Data Protection Regulation 679/2016 (GDPR) is one of the most important pieces of legislation, which determines the way in which Doubia S.A. performs activities related to data processing. In the event of a breach of the GDPR, which is designed to protect the personal data of everyone in the European Union, significant fines are likely to be imposed. It is the policy of DOUBIA SA to ensure that compliance with the GDPR and other relevant legislation is clear and can be demonstrated at any time.
A total of 26 definitions are contained in the GDPR, of which the most relevant definitions for this policy are listed below:
Personal Data is defined as:
any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be verified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
‘Processing’ is defined as:
any operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘Controller of processing’ is defined as:
the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its appointment may be provided for by Union or Member State law.
The GDPR is based on a number of basic principles. These are set out below; personal data must be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest or scientific or historical research purposes or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) (“purpose limitation”),
(c) adequate, relevant and limited to what is necessary for the purposes for which they are processed (“data minimisation”);
(d) accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure the prompt erasure or rectification of personal data which are inaccurate in relation to the purposes of the processing (“accuracy”),
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, provided that the personal data will be processed only for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with Article 89(1) and provided that the appropriate technical and organisational measures required by this Regulation to safeguard the rights and freedoms of the data subject are implemented (“storage period limitation”);
(f) processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
Doubia SA must ensure that it complies with all these principles, both in its current processing operations and when introducing new processing methods, such as new information systems.
The data subject also has rights in relation to the GDPR. These include:
Each of the rights of natural persons is supported by appropriate procedures of Doubia S.A. These procedures ensure that the necessary actions take place within the timeframes indicated in the GDPR. These timeframes are presented in Table 1.
Request of the Data Subject | Timetable
The right to information | At the time the data are collected (if collected from the data subject) or within one month (if not collected from the data subject)
The right of access | One month
The right to rectification | One month
The right of deletion | Without undue delay
The right to restriction of processing | Without undue delay
The right to data portability | One month
The right to object | At the time of receiving an objection
Rights related to automated decision-making about the individual and profiling | Not defined
TABLE 1 – TIMETABLES FOR DATA SUBJECTS’ REQUESTS
Unless processing is permitted by the GDPR on another lawful basis, explicit consent must be obtained from the data subject for the collection and processing of their data. In the case of children under the age of 16, parental/guardian consent must be obtained. Data subjects must be informed of their rights in relation to their personal data, such as the right to withdraw consent, at the time when their consent is obtained. Information concerning the rights of data subjects should be easily accessible, free of charge, and written in a clear manner.
If the personal data is not collected directly from the data subject, then this information should be provided within a reasonable period of time after the data is obtained and certainly not later than one month.
DOUBIA S.A. has adopted the principle of data protection from the design stage and will ensure that the definition and design of all new or significantly modified systems that collect or process personal data will take due consideration of information security and data protection issues, including the carrying out of one or more data protection impact assessments (DPIAs).
The data protection impact assessment includes:
Transfers of personal data outside the European Union should be carefully examined before the transfer takes place, in order to ensure that it is done in accordance with the framework set by the GDPR. This depends in part on the judgment of the European Commission, as well as on the adequacy of the security applied to the personal data in the country receiving the data, which may change over time.
International data transfers within organisations should be subject to legally binding agreements that provide rights to the data subjects.
The GDPR requires the appointment of a Data Protection Officer (DPO) if the organisation is a public authority, performs large-scale processing or processes particularly sensitive categories of data on a large scale. The DPO must have an appropriate level of knowledge and may either come from within the organisation or be an external partner.
Based on these criteria, we consider that the appointment of a Data Protection Officer is not necessary in DOUBIA S.A.
It is the policy of DOUBIA S.A. to inform all those required in the event of a breach involving personal data in a fair and proportionate manner. In line with the GDPR, when it is known that a breach has taken place that is likely to result in the rights and freedoms of individuals being compromised, the Personal Data Protection Authority (PDPA) will be informed within 72 hours. This will be done in accordance with DOUBIA SA’s Information Security Incident Management Procedure.
Under the GDPR, the respective PDPA has the authority to impose a range of fines of up to 4 percent of annual global turnover or twenty million euros, whichever is greater, for a breach of the Regulation.
The following actions have been taken to ensure that Doubia SA complies in all cases with the accountability principle of the GDPR:
These actions will be reviewed on a regular basis as part of the Privacy Program management review process.
Contact line (toll-free): 800 500 1800
Doubia Chalkidikis
63037, Doubia
Contact phone: +30 23710 92000
Email: info@doubia.gr
G.E.MI. 122004157000