Privacy Policy

Privacy Policy

Application Statement

EQA Hellas S.A. has adopted, installed and applies the requirements of the General Data Protection Regulation (GDPR).

In addition, with the Directives and Regulations of the GDPR, it has adopted, installed, and implements a Quality Manual with the corresponding Quality Policy.

The Privacy Policy and the Quality Policy state:

1. the management’s commitment,
2. the responsibilities and roles,
3. the constant commitment to improvement,
4. the quality objectives.

In particular, our Company applies legal specializations according to the geographical and substantive scope of the processing it carries out.

Implementing the General Data Protection Regulation (G.D.P.R.) is a priority for EQA Hellas A.E., as protecting your personal data is important to us.

Terms and Definitions

1. ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. ‘Processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. ‘Restriction of processing’ means the marking of stored personal data to limit their processing in the future.
4. ‘Filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised, or dispersed on a functional or geographical basis,
5. ‘Controller’ means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
6. ‘Processor’ means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
7. ‘Recipient’ means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry by Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing.
8. ‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
9. ‘Consent’ of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
10. ‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
11. ‘Special categories data’ means personal data disclosing racial or ethnic origin, political views, religious or philosophical beliefs, or trade union affiliation, as well as the processing of genetic, biometric data for the data relating to health or data relating to the natural sexual life or sexual orientation of a person.

Categories of Personal Data Collected

In the context of its activities and its regular operation, EQA Hellas S.A. may collect the personal data from its customers, its associates, its employees, as well as other natural persons with whom it trades in the context of its operation. Depending on the means and purpose of processing, EQA Hellas S.A may collect and process personal data, such as the following: 

CATEGORIES OF DATA SUBJECTS	CATEGORIES OF DATA
Clients	Client data, whether natural persons or legal representatives of legal persons. These may include: Identity and demographics (e.g., name, patronymic, etc.)Contact information (e.g., postal address, telephone, Email, etc.)Professional informationOrdersAccount balances Bank Accounts Other relevant information
Clients’ employees	Customer employee data in the context of inspection-certification activities. These may include: First and Last NameAge,Position,DutiesCurriculum VitaeOther relevant information
Suppliers / Contractors	The data of the company’s suppliers, in the case of natural persons or legal representatives of legal persons. These may include: Identity and demographics (e.g., name, patronymic, etc.)Contact information (e.g., postal address, telephone, Email, etc.)Professional informationAccount balances Bank AccountsOther relevant information
Data of other natural persons	Data of other natural persons visiting EQA Hellas S.A. infrastructures. or collaborate with her.
Employees (Active or Not) / Candidate Employees	Data of the company’s employees, under any employment relationship, and data of former and prospective employees, which are kept in official files or any other services to operate their employment relationship with the legal entity. These may include:   Identity and demographics (e.g., name, patronymic, etc.)Insurance details (e.g., AMKA and other Social Security Authority details if required)Contact details (e.g., postal address, telephone, Email, etc.)CV’sHealth data (e.g., medical certificates and opinions, blood donation data, etc.)Financial data (e.g., bank accounts, tax returns, statement of assets, etc.)Marital status details (e.g., certificates and certificates, number and details of children, etc.)

Table 1. The categories of Data Subjects and their data

Purposes and Legal Basis of Processing

EQA Hellas S.A. may collect and process the personal data of customers and other natural persons mentioned in the above paragraph who make use of the services and products provided. In principle, EQA Hellas S.A. may collect and process personal data for the following purposes with the corresponding legal processing bases:

PURPOSE OF PROCESSING	LEGAL BASIS
The collection, processing, cross-referencing, and transmission of data of the Tax, Insurance, and Labor Administration exclusively for the support and operation of the framework of their responsibilities	Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or Processing is necessary for the execution of obligations and the exercise of the rights of the data controller or the data subject in the field of labor law and social protection [art. 9 §2 case. b) GDPR.] and/orProcessing is necessary for the purposes of the legitimate interests [αρθ. 6 §1 case. f) GDPR]
The collection and processing of the necessary data of employees and / or prospective employees and associates for the proper service of existing employment or cooperation relationships or the consideration of possible future cooperation	Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or Processing is necessary for the execution of obligations and the exercise of the rights of the data controller or the data subject in the field of labor law and social protection [art. 9 §2 case. b) GDPR.] and/orProcessing is necessary for the purposes of the legitimate interests [αρθ. 6 §1 case. f) GDPR]
Provision of products and services EQA Hellas S.A.	Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. b) GDPR] and/or Processing is necessary for the purposes of the legitimate interests [αρθ. 6 §1 case. f) Γ.Κ.Π.Δ.]
For any other form of processing, JOLTIE P.C. requests special written, free, and after prior informed consent of the subjects before the start of the processing, if required.

Table 2. The main purposes and legal bases of processing

The reference to more than one legal basis of processing does not mean that EQA Hellas S.A. performs lawful basis swapping, undermining the rights of data subjects, but that there are cases where more than one legal basis of processing is applicable.

Recipients of your Personal Data

Recipients of your personal data are our representatives and/or subcontractors supporting, promoting, and executing our business relationship. As a rule, EQA Hellas S.A. does not transfer your personal data to third parties except when required by the Legal / Regulatory framework or when we act as “intermediaries”. The above transfer takes place to the extent necessary for our services. Such third parties may be official Supervisory/Government Bodies (e.g., Hellenic Accreditation System (ESYD), Hellenic Data Protection Authority, etc.) and/or when we are required to comply with legislation/regulations for Certification/Training Bodies and/or to prevent the carrying out of illegal actions (e.g. fraud, insult, insult to personality, etc.). against the company or our customers.

In addition, our partners/representatives/subcontractors have agreed and contractually committed to the following:

1. to observe confidentiality, and bind their personnel with the corresponding obligations,
2. not to transfer personal data to third parties without our written permission,
3. to take organizational and technical Data security measures,
4. to notify us of any incident involving personal data breach,
5. to delete and/or return personal data given to them upon the termination of our contract and
6. to comply with the legal framework of personal data, particularly the General Data Protection Regulation (GDPR).

Finally, access to your personal data is given to the necessary staff of EQA Hellas SA, who are committed to maintaining confidentiality.

Rights of Data Subjects

Data subjects have the right to:

1. Be informed about the processing of their personal data.
2. Gain access to the personal data concerning them.
3. Request the correction of incorrect, inaccurate, or incomplete personal data.
4. Request the deletion of personal data when it is no longer necessary or if the processing is illegal. If applied as a legal basis for processing Art.6 par.1 case. e ) GDPR (processing for the fulfillment of a duty performed in the public interest or during the exercise of public power and the Art.9 par.2 case b ), g), j) in most of the processes of the JOLTIE P.C. the right of deletion is limited and will be evaluated on a case-by-case basis under strict conditions. According to Art. 4 of the Explanatory Memorandum of the GDPR, the right to personal data protection is not absolute; it must be valued concerning its functioning in society and weighed against other fundamental rights under the principle of proportionality.
5. Oppose personal data processing for reasons related to their unique situation, subject to Art.21 par.6 of GDPR.
6. Apply for a restriction on personal data processing in specific cases.
7. Submit a complaint to the Hellenic Data Protection Authority (1-3 Kifissias Ave., 11523 Ampelokipi, tel. 210.647.5600, www.dpa.gr) or to the supervisory authority of the EU Member State where they reside or work or to the supervisory authority of the place of the alleged infringement.

Communication

The above rights, as well as any right regarding personal data, are exercised following a written request submitted to the company’s premises with headquarters in Chalandri, Kalama Potamou Str. 30, P.N. 15 233, or via electronic communication to [email protected], which is also examined by the company’s Data Protection Officer.

EQA Hellas S.A.  will provide information on action taken on your request without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. EQA Hellas S.A.   will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, EQA Hellas S.A. may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request, explaining in any case the reasons in the response you will receive.

If you do not receive a response within the deadline mentioned above or the response you receive is unsatisfactory, or the issue has not been resolved, you can appeal to the Hellenic Data Protection Authority (www.dpa.gr).

Processing principles

EQA Hellas S.A. accepts the basic principles governing the processing of personal data. According to article 5 of GDPR, personal data shall be:

1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’).
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to the implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Transfer of Personal Data outside the EEA

EQA Hellas S.A. places contractual restrictions on its partners, who ensure they respect the national and European legislation on personal data. In the context of the services provided, we may need to transfer your information to other countries [basically within and exceptionally outside the European Economic Area (EEA)] based on E.U. adequacy decisions, corporate binding rules, standard contractual agreements, and approved codes of conduct.

Data Retention

We retain your Data for as long as is necessary to fulfill the purpose for which we have collected it unless an extension of this time is required due to legal claims or our legal obligations.

Security of Personal Data

The processing of your Data in any way is permitted only to persons authorized by us, our employees, and partners, exclusively for the purposes mentioned above.

We have taken the necessary and appropriate organizational and technical measures for the security and protection of your Data from any form of accidental or unlawful processing, both at the physical level and at the level of logical security (indicative: physical security procedures, graded data access, protection computer systems, software). These measures are reviewed and amended when deemed necessary.

Links to Third Party Websites

Our website may contain links that lead to other websites of third parties and independent entities, such as e.g. of the Accreditation Bodies, which are operated exclusively by them as well as the company’s social media websites. Therefore, EQA Hellas S.A. is not responsible for these websites’ content, actions, or policies. We urge you to carefully read the applicable data protection policies on the websites you visit.

Automated Decision Making – Profiling

We do not make decisions or create profiles based on automated processing of your Data.  

Staff Training

EQA Hellas S.A. accepts that personal data protection presupposes the awareness of its human resources. In this regard, it accepts adopting and implementing the principle of proper education guidance using Fair Information Practices (FIP), which condense a set of standards governing the collection and use of personal data and addressing privacy issues and accuracy. EQA Hellas S.A. seeks to raise awareness of fundamental concepts of personal data protection on its human resources. Their training focuses on the Fair Information Practices Principles (FIPP), which form the ‘backbone’ of most privacy laws.

Particularly:

1. FIPP on Data Protection – principles regarding the lawfulness and limitation of collecting personal data.
2. FIPP on the Processing and Use of Data – principles regarding the degree of sensitivity of data, limited access to it, confidentiality, the finitude of processing, specificity of the purpose of processing, and its safe conduct.
3. FIPP on the Individual Participation of the Data Subject – principles regarding the rights of data subjects, such as the right of access, the right to rectification in case of inaccurate information, the right to prompt notification of subjects, and securing their lawful consent.
4. FIPP on Data Transfer – principles regarding transferring and disclosing personal data to third parties (legal or natural).
5. FIPP regarding the Accountability of EQA Hellas S.A., principles regarding the privacy policy of EQA Hellas S.A., and the role of the Data Protection Officer in safeguarding data.

Modification

This policy may need to be amended concerning the processing of personal data. Suppose the modification of the terms in question is of such nature and extent that the above data processing terms do not cover it. In that case, EQA Hellas S.A., must make public the new version of the policy.