(a) Personal Data (Personal Data):
Any information concerning an identified or identifiable natural person (data subject). The identifiable natural person is that of which the identity may be ascertained, directly or indirectly, in particular by reference to an identity, such as name, identity number, location data, online identity or one or more of the factors specific to physical, physiological, genetic, psychological, economic, or the social identity of that natural person.
Any act or series of acts performed with or without the use of automated means, on personal data or personal data sets, such as the collection, registration, organization, structure, storage, adjustment or alteration, retrieval , search for information, use, disclosure, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction,
The natural or legal person, public authority, agency or other body which, alone or in conjunction with others, determines the purposes and manner of processing personal data; where the purposes and manner of such processing are determined by its law. Union law or the law of a Member State, the controller or the specific criteria for his appointment may be laid down in Union law or the law of a Member State.
d) Perform the Processing:
Any natural or legal person, public authority, service or other body that processes personal data on behalf of the controller.
e) Data Subject:
The natural person to whom the data relate and whose identity is known or can be ascertained, directly or indirectly, on the basis of an identity number or
on the basis of specific elements that characterize its existence in terms of physical, biological, mental, economic, cultural, political or social.
f) Data Subject's consent:
The free, specific, explicit and fully aware statement / acceptance of the data subject, with which he / she agrees as the business processes his / her personal data.
The process by which personal data is irrevocably stripped of all identifiers and can no longer be linked to the natural person to whom it relates. When this happens, they are no longer considered personal data.
Replacing data with a designation, code, or similar artificial means of identification, in order to protect the individual from any identification. Data that has been used by aliases is still considered as Personal Data.
2. PROCESSING AND PROCESSING DIRECTOR For the purposes of Regulation (EU) 2016/679 on General Data Protection Regulation (GDPR), Data Processing Officer . 15, T.K. 15669, tel: 6941485597 e-mail: , with business details: Studio Level 11, Marni 11, 10433, Athens, hereinafter referred to as "the Business" and Executing any natural or legal person processes personal data for business account.
3. TYPE OF PERSONAL DATA COLLECTED BY CATEGORIES OF PERSONS The enterprise may collect the following data, by category of data subject:
a) Clients: full name, contact details (postal and / or email address, contact telephone, fax), photographic material, event details of possible cooperation between us, invoices
b) Personnel and external partners: Full name, last name, first name, ID, nationality, date of birth, place of birth, telephone, postal and / or email address, marital status, number of children protected, ID. .Y., AMKA, insurance details, previous service, any alien's work permit or residence number, CV, bank account details (for remittance purposes).
c) Candidates for cooperation: Full name, postal or email address, contact telephone, fax, resume.
4. PURPOSES OF COLLECTING PERSONAL DATA BY PERSONS CATEGORY
The company gathers Personal Personals for the following purposes:
Data of the categories mentioned
a) Clients: For the optimal operation and service of the contract and cooperation concluded.
Where applicable and only with the consent of the data subject, for promotional purposes.
In particular, following information and consent, an enterprise may use:
of the subject, h
(a) the email address of the data subject for promotional purposes; and
b) photographic material showing the customer (or his child) on the company's official website and on social media Facebook (https://www.facebook.com/YannisAntypasPhotography) and Instagram (https: / /www.instagram.com/yannisantypasphotography/), provided that no personal data is affected, with information referring to the data subject (eg name, property, etc.).
b) Personnel and partners: For the contract and cooperation concluded.optimum operation.
c) Candidates for cooperation: To consider possible cooperation based on the criteria of the respective position.
5. WAYS OF COLLECTING PERSONAL DATA
The above persons (data subjects) provide the Personal Data to the enterprise: a) either by filling out a form, b) or by electronic means (e-mail, website, c) disclosure to it.
Upon disclosure of their data to the enterprise, the above persons shall be informed of the processing intended for their collection and where appropriate (eg collection of photographic material of minor children of clients) they shall indicate in writing (always after being informed) the consent for the upper treatment, which they may at any time withdraw. If a consent is revoked, any personal data collected is deleted (unless otherwise required by applicable law), and communication with such persons is terminated.
6. LEGAL BASIS FOR THE PROCESSING OF COLLECTED PERSONAL DATA The Company collects the above Personal Data only if it has a legitimate reason for processing it.
In any case, the processing will be based on one of the following legal bases:
(a) the performance of a contract to which the data subject is a party or to take action at his request prior to the conclusion of the contract; editing his e-mail address for promotional purposes or choosing to post photographic material depicting himself (and / or his child) on specific business websites similarly for promotional scams.
It is understood that the subject may withdraw such consent at any time 7
at the moment, in accordance with this policy, (c) the legal obligations of the enterprise; (d) the legitimate interest of the enterprise;
7. PERSONAL DATA NOTIFICATIONS
Access to the Personal Data is strictly necessary for the Company's staff, which is committed to maintaining confidentiality and any affiliated companies or third party service providers that process such data as Executing the Processing on behalf of and in accordance with its business .
In particular, the Company may share the above Data with third-party service providers that process personal data on its behalf, for example, for the distribution of e-mail and the management of promotions. In this case, the company will enter into agreements that oblige third-party providers to implement appropriate technical and organizational measures to protect your personal data.
8. DURATION OF STORAGE
We retain your Personal Data as necessary to fulfill the purposes set forth in this policy (unless a longer retention period is required by applicable law).
In particular, your statement of consent to send a newsletter shall be kept for as long as the newsletter has been sent to you by the business and in any event not more than six months after the termination of the newsletter.
The collected photographic material is retained for a maximum of two (2) years from its receipt.
At the end of this retention period, your data will be completely or anonymously deleted (for example by pooling with other data, so that it can be used in an unrecognizable way for statistical analysis and business planning).
9. SAFETY LEVEL OF COLLECTED DATA
The company applies the provisions of the new Regulation (EU) 2016/679 on Personal Data Protection (GDPR) strictly and takes the appropriate technical, organizational and administrative measures to ensure the protection of personal data.
data that is processed by accidental or unauthorized destruction, accidental loss, tampering, prohibited dissemination or access or any other form of improper processing. All personal data in electronic form is safely stored and additionally protected through the use of appropriate access controls. Documents in hard copy and electronically containing personal data are destroyed in an inaccessible format where required.
The enterprise shall enter into confidentiality clauses with its employees and associates (either in the form of a contract or by signing with them an additional statement of confidentiality) in relation to the data contained therein, in the performance of the tasks which it entrusts to them. execution of a relevant contract.
10. LEGALAND JUST COLLECTION AND USE THIS STAFF DATA In particular, all employees and associates of a business must:
- collect and use personal data only after providing a legitimate justification.
- notify data subjects of how their personal data will be used BEFORE collecting or otherwise accessing personal data.
- collect only the personal data which is strictly necessary for the purpose of processing.
- use the personal data only for the specific processing purpose for which they were collected, as described in the relevant Information and Consent Form.
- Use personal data in ways that do not have a negative impact on the Data Subject unless otherwise processed or used expressly by law.
- Where possible and appropriate, they use anonymization and pseudonymization techniques for Personal Data (eg "Special Class of Personal Data") that require increased protection. 9
11. PERSONAL DATA MANAGEMENT AND PRIVACY MANAGEMENT Responsible personal data management is required to safeguard the right to privacy and to comply with Personal Data Protection legislation.
- Keep personal data accurate and up to date throughout the Information Cycle (from collection to deletion).
- Protect personal data so that it is not shared with others who have no valid legitimate reason for accessing the information.
- Comply with the company's Information Security Policies and processes when processing personal data.
- Prevent incorrect use of personal data for purposes that are incompatible with the original purpose for which they were collected.
- Ensure the traceability of Personal Data throughout their lifecycle.
- Keep the Personal Data strictly for the period of time necessary for the purpose for which it was collected as specified by law.
- Be informed about the data retention and destruction policy and any specific timeframes for personal data retention.
- They mention
any breach of Personal Data by the Data Protection Officer via the email address:
12. RIGHTS OF THE DATA SUBJECT
The rights of the subjects of the data collected with respect to the Data Controller are as follows:
a) Right of access to information
The above persons have the right to ask the data controller to confirm if they are processing any of their personal data. 10
If this is the case, they have the right to ask the data controller to provide the following information:
(i) the purpose of processing personal data.
(ii) the categories of personal data being processed.
(iii) the recipients or categories of recipients to whom the personal data are or will be disclosed.
(iv) the intended period of storage of personal data or, in the absence of accurate information, the criteria for determining the storage period.
the right to delete or correct personal data, the right to limit the processing of data by the data controller, and the right to withdraw the consent statement for the processing of such data.
(vi) the existence of a right of complaint to the supervisory authority.
(vii) any information available at the source of any personal data not collected by the data subject.
(viii) the existence of automated individual decisions, including the development of profiles in accordance with Articles 22 (1) and (4) of the General Data Protection Regulation, and where appropriate, important information on the logic followed, the range and desired results of data processing for the data subject.
Data subjects also have the right to request information on whether their personal data were transmitted to a third country or to an international organization. In this context, they may request information on the adequate safeguards provided for in Article 46 of the General Data Protection Regulation on the transmission of data.
(b) Right of correction 11
Data subjects have the right to ask the data controller to correct or supplement their data if they are incorrect or incomplete. The data controller must correct the data without undue delay.
(c) Right to limit the processing of data Data subjects have the right to impose restrictions on the processing of their personal data when one of the following applies:
(i) the accuracy of personal data is called into question by those persons for a period of time that allows the controller to verify the accuracy of the data.
(ii) processing is illegal and these persons oppose the deletion of their personal data and demand that their use be restricted instead.
(iii) the controller no longer needs personal data for the purpose of processing, but such data is required by the data subject to establish, exercise or support legal claims; or
(iv) these persons have objected to the processing of their data in accordance with Rule 21 (1) of the above Regulation and no decision has yet been taken as to whether the data controller's legitimate interests take precedence over their own. their.
If there is a restriction on the processing of their personal data, such data - other than their safekeeping - may be processed only with the consent of their subjects, in order to assert, exercise or defend their legitimate interests, protect the rights of another natural or legal person or in the public interest of the European Union or of a Member State. 12
If the restriction on processing data is changed under the conditions mentioned, the data subjects will be informed by the data controller before the restriction is lifted.
d) Deletion right i) Obligation to delete data
The data subjects may request the data controller to delete their personal data immediately and the data controller shall be required to delete it immediately provided that any of the following reasons are true:
(1) If their personal data are no longer required for the purpose for which they were collected or processed.
(2) If they withdraw their consent to process data in accordance with Article 6 (1) (a) or Article 9 (2) (a) of the General Data Protection Regulation and no longer exist legally database for data processing.
(3) If they disagree on the processing of data in accordance with Article 21 (1) of the General Data Protection Regulation and there are no overriding legal interests in the processing of data, or if they disagree on the processing of data in accordance with Article 21 (2) of the General Data Protection Regulation.
(4) If processing. personally their data were object illegal
(5) If the deletion of their personal data is necessary in order to fulfill a legally required obligation under EU law or the law of the Member State governing the data controller. 13
(6) If their personal data were collected in relation to services provided by the information society, in accordance with Article 8 (1) of the General Data Protection Regulation.
ii) Further disclosure to third parties If the data controller has disclosed the personal data of the above persons and is obliged to delete them in accordance with Article 17 (1) of the CPC, he shall be obliged to take into account the available technological means and implementation costs, to take adequate measures, including those of a technical nature, to inform data controllers who process such personal data of the fact that data subjects have have requested the deletion of all links to such personal data, as well as copies or reproductions of such personal data.
iii) Exceptions These persons have no right to erase their data insofar as their processing is required:
(1) for the exercise of the right to freedom of expression and freedom of information.
(2) fulfilling a legally foreseeable obligation requiring the processing of data in accordance with European Union law or the law of the Member State governing the data controller, or for performing a function in the public interest or for the exercise of public interest; public authority vested in the data controller.
(3) for reasons of public interest in the field of public health in accordance with Article 9 (2) (h) and (i) as well as Article 9 (3) of the General Data Protection Regulation
(4) for the purposes of archiving for the public interest, for the purposes of scientific or historical research or for statistical purposes in accordance with Article 89 (1) of 14
General Data Protection Regulation, insofar as the right referred to in part (a) is expected to make it impossible to achieve the objectives of the data processing or significantly delay it, or
(5) for the purpose of asserting, pursuing or defending legal interests. (e) The right to data portability
The rights holder has the right to receive his personal data provided to the data controller in a structured, customary and mechanically readable form. It also has the right to transmit such data to another data controller without any interference by the data controller to whom his personal data was originally provided, provided that:
(i) the processing of data is based on consensus as defined in Article 6 (1) (a) or Article 9 (2) (a) of the General Data Protection Regulation, or under a contract in accordance with Article 6 (1) (b) the General Data Protection Regulation, and
(ii) processing is carried out with the help of automated processes.
When exercising the above right, the data subject shall also be entitled to transfer his personal data from one data controller to another, provided that this is technically feasible. This should not endanger the rights and freedoms of third parties.
The right to data portability does not apply in the case of data processing necessary for the performance of a public interest function or the exercise of public authority conferred on the data controller.
f) Right to object The right holder has the right at any time to oppose the processing of his personal data under Article 6 (1) (e) or (f) of the General Data Protection Regulation for reasons of 15
stemming from his personal circumstances. The same is true for profiling, based on the same provisions.
The data controller shall then discontinue the processing of such personal data unless it can prove that there are serious legal interests in the processing of data that override the interests, rights and freedoms of the entity, or if the processing serves its purpose, pursuing or defending legal interests.
Where personal data is processed for direct advertising purposes, the rights holder has the right at any time to object to the processing of his personal data for direct advertising purposes.
Such personal data will no longer be processed for direct advertising purposes, provided that the subject relies on the relative opposition to the processing of personal data for direct advertising purposes.
In the context of the use of information society services and, by way of derogation from Directive 2002/58 / EC, the rights holder may exercise his right of opposition through automated procedures using technical specifications.
g) Right of withdrawal of the consent statement The data subject has the right to withdraw a consent statement he or she has already given, under the data protection law. The withdrawal of the consent shall be without prejudice to the legality of the processing of the data made prior to the withdrawal.
h) Automated individual decisions, including profile compilation The data subject has the right not to be subject to a decision based solely on automated processing, including profile compilation, which has a legal or consequential consequence. This shall not apply if the decision:
(1) is necessary for the conclusion or execution of a contract between it and a data controller
(2) provided for by the law of the European Union or of the Member State governing the data controller and which also provides for appropriate measures to safeguard the data subject's rights, freedoms and interests, or
(3) is based on the explicit consent of the data subject.
However, decisions shall not be based on specific categories of personal data in accordance with Article 9 (1) of the General Data Protection Regulation, unless Article 9 (2) (a) or (g) applies and has been appropriately taken. measures to safeguard the data subject's rights, freedoms and interests.
In the cases referred to in points (1) and (3), the data controller shall take appropriate measures to safeguard the data subject's rights, freedoms and interests, at least the right of human intervention by the person responsible. data processing in order to express his point of view and to challenge the decision.
(i) Right to lodge a complaint with the Supervisory Authority The right holder, if he or she considers that the processing of his / her personal data violates the General Data Protection Regulation, has the right to appeal to the Data Protection Authority.
For the Authority's remit and how to file a complaint, you can visit its website (www.dpa.gr> My Rights> Complaint), where detailed information is available.
The Authority before which a complaint is lodged shall inform the complainant of the course and outcome of the complaint, including the possibility of imposing judicial remedies in accordance with Article 78 of the General Data Protection Regulation.
If the rights holder wishes to file an objection against the collection, processing or use of his data by the enterprise in accordance with the terms herein, either by category or for individual measures, he may send us his objection by e-mail to: by mail to: 11 Marni Street 10433 Athens, Greece
13. IMPLEMENTATION - RESPONSIBILITY Partners and employees must be familiar with this Policy and any other business documents related to the protection of personal data.
14. VIOLATION OF THIS POLICY
Violations of this policy may result in disciplinary or other penalties, including termination or termination of the contract of cooperation with third-party natural or legal persons.
15. UPDATES OF THIS POLICY
We may update this policy from time to time to reflect changes in the way we process personal data (e.g., if we implement new systems or procedures that involve new uses of personal data) or to clarify information we have included in this policy. . The changes we make will be in accordance with applicable data protection legislation.
We recommend that data subjects seek the updates of this policy at any time, and in any event, the business will inform them directly of changes to this policy or the way we use their personal data when we are legally obliged to do so.