verinso@verinso.gr

(+30) 211 1877200

Mon - Fri: 08:30 - 16:30

Data Protection and Privacy Policy

1. Introduction

In its day-to-day business operations, VERSATILE INFRASTRUCTURE SOLUTIONS OOD (Greek Branch) (VERINSO) uses data relating to identified individuals such as:

  • Existing, former and prospective employees or outsource partners with a labor or collaboration agreement
  • Suppliers
  • Customers
  • Users of its websites


The purpose of this policy is to describe the relevant legislation and present the steps that VERINSO follows to ensure its compliance with it.

This control applies to all systems, people and processes of the company, including members of management, directors, employees, customers, suppliers, partners, subcontractors and other third parties who have access to VERINSO systems.

The following policies and procedures are related to this document:

  • Personal Data Mapping Process
  • Information Security Incident Response Process
  • Roles, Competencies in relation to the General Data Protection Regulation
  • Keeping Records and Protection Policy

2. Privacy Policy and Personal Data Protection Policy

The General Data Protection Regulation 679/2016 (also known as GDPR) is one of the most important pieces of legislation underlying the framework under which VERINSO performs data processing activities. In the event of a violation of the Regulation, which is designed to protect the personal data of those in the European Union, it is likely that significant fines will be imposed. It is VERINSO's policy to ensure that compliance with the GDPR and other relevant legislation is clear and can be documented at all times.

There are a total of 26 definitions in the GDPR, of which the most basic are listed below:

Personal data is defined as:
any information relating to an identified or identifiable individual ("data subject person"); an identifiable individual is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, an identity number, location data, online identity identifier, or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that individual.

"Processing" is defined as:
any operation or set of operations carried out, with or without the use of automated means, on personal data or sets of personal data, such as collection, registration, organization, structure, storage, adaptation or alteration, search for information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, limitation, erasure or destruction.

"controller" means:
an individual or legal entity, a public authority, a service or another body which, alone or jointly with others, determines the purposes and the manner in which personal data are processed; where the purposes and manner of such processing are defined by the law of the European Union or the law of a Member State, the processor or the specific criteria for his appointment may be provided for by European Union law or the law of a Member State.

1. Personal Data should:

(a) be subject to fair and lawful processing in a transparent manner vis-à-vis the data subject person ("righteousness, objectivity and transparency"),

(b) be collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes; further processing for purposes of archiving in the public interest or for purposes of scientific or historical research or statistical purposes is not considered to be incompatible with the original objectives under Article 89 (1) ("purpose limitation"),

(c) be appropriate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization"),

(d) be accurate and, where necessary, updated; all reasonable steps must be taken to immediately delete or correct personal data which are inaccurate in relation to the purposes of the processing ("accuracy"),

(e) be retained in a form which permits identification of data subject persons only for the time required for the processing of personal data; personal data may be stored for longer periods if personal data are processed for purposes of scientific or historical research or for statistical purposes in accordance with Article 89 (1), and provided that the appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject person ('storage period limitation') are applied,

(f) be processed in such a way as to guarantee the appropriate security of personal data, including the protection against unauthorized or unlawful processing and accidental loss, destruction or deterioration, using appropriate technical or organizational measures ("integrity and confidentiality").

2. The processor shall be responsible and able to demonstrate compliance with paragraph 1 ("accountability").

VERINSO ensures that it complies with all these principles, both in current processing and when introducing new processing methods, such as new information systems.

The data subject person has significant rights with respect to the Regulation. These include:

  1. The right to information
  2. The right of access
  3. The right of correction
  4. The right of deletion
  5. The right to limit the processing
  6. The right to data portability
  7. The right to objection
  8. Rights related to automated decision making for the individual and profiling.

Each of the rights of individuals is supported by appropriate company procedures. These procedures ensure that the necessary actions take place within the timeframes indicated in the GDPR.

These schedules are presented in Table 1.

Table 1

| Request of Data Subject | Time schedule |
| --- | --- |
| The right to information | At the time the data is collected (if it is collected by the data subject person) or within one month (if not collected by the data subject person) |
| The right of access | A month |
| The right of correction | A month |
| The right of deletion | Without undue delay |
| The right to limit the processing | Without undue delay |
| The right to data portability | A month |
| The right to objection | At the time of receipt of an objection |
| Rights related to automated decision-making and profiling. | It is not defined |


Unless it is not necessary for reasons permitted by the GDPR, the data subject person must give clear consent to the collection and processing of their data. In the case of children under the age of 16, consent must be given by the parent / guardian. Data subject persons must be informed of their rights in relation to their personal data, such as the right to deletion, at the time their consent is obtained. Information regarding the rights of the data subject persons must be easily accessible, free of charge, and written in a clear manner. If the collection of personal data is not done directly from the data subject person, then this information must be given within a reasonable time after the data is obtained and certainly no later than one month.

VERINSO has adopted the principle of data protection at the design stage and ensures that when designing any new system, or significantly modifying an existing one, that collects or processes personal data, due consideration will be given to information security and personal data protection issues, including the conduct of one or more data protection impact assessments.

The impact assessment on data protection includes:

  • How personal data is processed and for what purposes.
  • Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose (or purposes).
  • Assessment of the risks to which individuals are exposed due to the processing of their personal data.
  • The choice of measures that are necessary to address the identified risks and demonstrate compliance with the legislation.


The use of techniques such as data minimization and pseudonymization is considered where appropriate and possible to apply.

The transfer of personal data outside the European Union, where necessary, is carefully considered before transmission takes place to ensure that it is carried out in accordance with the framework set by the GDPR. This depends in part on the judgment of the European Commission, as well as on the adequacy of the security applied to personal data in the country that will receive the data, and may change over time.

Under the GDPR, the appointment of a Data Protection Officer (DPO) is required if the organization is a public authority, performs large-scale processing or processes highly sensitive data categories on a large scale. The Data Protection Officer must possess the appropriate level of knowledge and may come from either the organization itself or be an external partner. Based on these criteria, we consider it necessary to appoint a Data Protection Officer at VERINSO.

It is VERINSO's policy to inform, in a fair and proportionate manner, everyone who must be informed in the event of a violation or suspected violation of personal data. In alignment with the GDPR, when it becomes known that a violation has occurred which is likely to endanger the rights and freedoms of individuals, the Personal Data Protection Authority will be informed within 72 hours. This will be done in accordance with the VERINSO Information Security Incident Management Process.

Under the GDPR, the corresponding Authority for Personal Data Protection (APIS) is empowered to impose a range of fines of up to 4 percent of annual global turnover or twenty million euros, whichever is the greater, for violation of the Regulation.

The following steps have been taken to ensure that VERINSO complies with the principle of accountability of the GDPR:

  • The legal basis for the processing of personal data is clear and unambiguous.
  • A Data Protection Officer is designated, with the authority to protect the data within the organization.
  • All staff involved in managing personal data understand their responsibilities to follow best data protection practices.
  • All staff have been trained in data protection.
  • Compliance obligations are met.
  • Channels are available through which data subjects who wish to exercise their rights to their personal data can do so.
  • Regular reviews of procedures relating to personal data are carried out.
  • Data protection by design is adopted for all new systems and processes or significant changes to existing ones.
  • A document describing the actions that take place in each processing activity is kept, recording:

    1. The name of the organization and related details
    2. The purposes of processing personal data
    3. The categories of individuals and personal data being processed
    4. The categories of recipients of personal data
    5. The agreements and mechanisms on the basis of which transfers of personal data to countries outside the European Union are made, including details of the measures taken
    6. The retention period for personal data
    7. The appropriate technical and organizational measures that have been implemented.

These actions will be inspected on a regular basis as part of the privacy review process.