- Who is accountable for your data? Whom should you contact to exercise your rights?
1.1. The Controller of your Data is the SA company under the name ‘ALUMIL ALUMINIUM INDUSTRY SA’, seated in the Industrial Area of Stavrochori-Kilkis, as legally represented, with telephone number 2341079300 and e-mail address firstname.lastname@example.org (‘the Company’).
1.2. The above Controller Company has appointed a Data Protection Officer with contact e-mail email@example.com. You can send all requests for exercising any of your rights mentioned below (under 3.1-3.7) to the above e-mail address of the Data Protection Officer.
- Company’s general principles regarding the transparent information.
2.1. Any piece of information that is provided with the present and any other information that may be asked in the future, is provided free of charge, subject to the requirement not to be repeated, excessive or manifestly unjustified (see under 2.3).
2.2. For each of the above-mentioned rights that you exercise, the Company will reply within one (1) month from the receipt of the request or in the case of objective difficulties, complexity of the request or the number of requests, the Company shall respond, within a maximum period of three (3) months in total, either by accomplishing your request or by justifiably refusing to perform what you have requested for legitimate reasons expressly specified in General Data Protection Regulation 679/2016.
2.3. In the event that the Company considers that one of your above-mentioned rights is being exercised in a manifestly unjustified manner, or that the request is excessive or (to a greater extent) has a repetitive character, it is entitled, on the one hand, to charge you a reasonable fee in order to provide further information (which in principle is free of charge) and, on the other hand, to refuse to respond to the request.
2.4. Where the Company has reasonable doubts as to your identity when you submit a request for exercising one of your above rights, it may ask you to provide further information necessary for confirming your identity before processing your request.
2.5. In the event that the Company delays beyond the reasonable period of time to respond to your request, and in any other occasion where you consider that any of your rights is being violated, or the Company doesn’t comply with its Obligations regarding the retention of your Data, you have the right to submit a complaint to the supervisory authority (Hellenic Data Protection Authority, Athens, Kifisias 1-3, P.C. 115 23, Athens, firstname.lastname@example.org, +30-210 6475600).
2.6. You reserve the right to withdraw your previously (possibly) given consent at any time by submitting a relevant written request to the e-mail address of the Data Protection Officer email@example.com (see 1.2).
- Which are your rights in relation to the Personal Data that you provided us with?
3.1. Right to be informed
You reserve the right to request information in relation to the personal data which we have received from you and we maintain for one or more purposes, as described below under clauses A to D. The present text constitutes in its entirety a manual of basic awareness and understanding of the philosophy of the regulatory framework that runs through the protection of your personal data. Update, further explanation, and clarifications as for this text can be provided to you, following your request for the exercise of your right to be informed. (see how in 1.2)
3.2. Right to access
You reserve the right to request from our Company access to your information that we maintain and confirmation as to whether they are being processed, and more specifically, information about the purposes of the processing, the categories of personal data, the recipients or the categories of recipients, the period for which the data will be stored and processed, the right to lodge a complaint with the Hellenic Data Protection Authority, any available information about the origin of the data, if the data have not been obtained from you, the existence or not of automated decision-making including profiling and the related methodology, safeguards about the policy we follow when transfers to third countries are being carried out, and a copy of the personal data being kept and processed. (see how in 1.2)
3.3. Right to rectification
You reserve the right to request from our Company rectification of your data, in case any of the data that we have the right to process has been altered or incorrectly submitted. (see how in 1.2)
3.4. Right to erasure
You reserve the right to request from our Company the complete or partial erasure of your data that we are entitled to store and process, either because they are no longer necessary for the purposes for which they were collected, or because you withdraw your consent, or because your data were collected for a purpose that you consider illegal. Our Company, within a reasonable period of time (no more than one month, and under circumstances, if there is difficulty, no more than three months in total) shall reply to you by confirming the complete or partial erasure of your data or the inability to erase some data, if any law or the performance of a task carried out in the public interest, or the right of freedom of expression and information, or the exercise or defence of any legal claim requires their maintenance. In such a case, on the one hand, you have the right to lodge a complaint with the Hellenic Data Protection Authority, and on the other hand, the right to an effective judicial remedy. (see how in 1.2)
3.5. Right to restriction
You reserve the right to request that our Company restrict the processing of your data, in terms of quantity, time or in relation to the purpose of their processing, and more specifically (a) because you contest the accuracy of your data, for as long as the Company needs in order to verify their accuracy, (b) because you consider the processing to be illegal, and instead of the erasure of the data you opt for its restriction, (c) because their use by the Company is no longer needed but you do not wish their erasure, since their preservation shall serve some legal claim, or (d) where you have objections to the processing of the data, until it is verified whether your rights as a Data Subject override the Company’s legitimate grounds for processing. (see how in 1.2)
3.6. Right to portability
You reserve the right to receive the personal data you have provided us with, in a structured, commonly used and machine-readable format, as well as the right to transfer them further without objection, given that the processing is being carried out on the grounds of your consent. In the context of the exercise of this right, you may also request direct transfer from the Company to the third entity without your own intervention.
The present right is exercised, subject to the conditions of erasure, as described above (under 3.4) and its exercise shall not adversely affect the rights and freedoms of others.
3.7. Right to object
3.7.1 You reserve the right to object to the use of your personal data for direct marketing purposes and especially to profiling related to this direct marketing. (see how in 1.2)
3.7.2 There is no such right in the case of Potential Employees and visitors of the Company’s establishments, as these Data are not transferred to the Marketing department and they do not undergo such treatment.
- Is there any possibility that your Data are transferred somewhere else?
There is no provision that your Data shall be transferred to any organization outside the Company itself and its subsidiaries, with the exception of (a) the service providers for our Company’s electronic systems and networks – and for the sole purpose of the performance on their behalf of the contract to support our Company and (b) the competent tax authorities within the framework of our mandatory compliance with the tax legislation and to the extent (and given) that it is necessary.
We assure you that the Company shall take any technical and organisational data protection means and shall make only the optimum, minimum and absolutely necessary use and processing of your Data, as defined by the law, and strictly and exclusively for the purpose for which you have provided them to us.
Specific provisions regarding the individual categories of Personal Data Subjects, that apply cumulatively with the above general provisions of the Policy.
(A) RECIPIENTS OF COMMUNICATION
A.1. Purpose: The receipt, processing and preservation of your Data that were given exclusively in the framework of communication, is executed for the sole purpose of your briefing about our Company’s products and actions. The entirety of your Data are kept only for this purpose and they undergo processing only from the Marketing Department of our Company.
A.2. Legitimate Basis of the Processing: Your consent to the processing of your Data, in order to fulfil the above mentioned relevant purposes, constitutes the legitimate basis of this processing, in accordance with Article 6(1)(a) of the Regulation on the protection of personal data.
A.3. Data Retention Period: In order to fulfil the above-mentioned purpose of the processing, namely your briefing about our products and actions, we consider it reasonable and necessary to store your relevant Data for a period of three (3) years. After three years from the time you provided your consent, the relevant Data shall be deleted, unless you provide us anew with your consent under the above conditions.
(B) CUSTOMERS – SUPPLIERS and POTENTIAL CUSTOMERS – SUPPLIERS
B.1. Nature – Legitimate Basis:
(a) During the pre-contractual phase, and especially in the case of filling in an electronic contact form on our website, directly sending an e-mail, communicating by telephone, or filling in a hardcopy document (in this way you provide us with your full name/e-mail address or/and telephone number or/and Address or/and profession or/and our products that you are interested in), the purpose of the processing is the evaluation of a possible transaction with the Company, and the legitimate basis is the service of the Company’s legitimate interest to pursue its commercial purposes, responding to the requested communication to investigate the possible transaction with you.
(b) In case that a transaction with the Company is realized, the Data that you have provided us with during the pre-contractual phase (as well as all that you shall provide us with in the framework of our transaction) shall be processed for the purpose of implementing the contract between us and of our compliance with tax legislation. In this case, legitimate basis of the processing is the performance of the contract between us and our compliance with the legislation (Article 6(1)(b) and (c) of the Regulation on the protection of personal data).
B.2. Data Retention Period.
We shall keep the Data under B.1.(a) above for five (5) years and afterwards we shall erase them. The Data under B.1.(b) above shall be retained for as long as is necessary according to tax legislation.
(C) VISITORS OF OUR COMPANY’S ESTABLISHMENTS
The receipt, processing and preservation of your Data that refer to your identity and the time spent in our Company’s establishments take place for the sole purpose of security and protection of the people in the Company’s establishments (e.g. employees, visitors) as well as the Company’s general equipment (for example building, electronic etc.).
C.2 Legitimate Basis of the Processing
The processing is necessary for the purposes of the legitimate interests we pursue as a controller (article 6 para. 1. (f) GDPR) or/and within the framework of our mandatory compliance with the legislation and to the extent (and given) that it is necessary. Our legal interest is the need to protect our premises and the materials in it from illegal actions, such as theft. We also need to ensure life safety, physical integrity, health as well as the property of our staff and of third parties legally located in the area under surveillance. We only collect image data and limit the surveillance to places where we have previously assessed that there is an increased possibility of perpetration of illegal actions e.g. theft, for instance, in the entrance, without focusing on places where privacy of the persons being photographed may be severely restricted, including their right to respect of their personal data.
C.3. Recipients: The material held is accessible only by our competent / authorized personnel who are in charge of security of the premises. This material shall not be disclosed to third parties, except in the following cases: (a) to the competent judicial, prosecutorial and police authorities when it contains information necessary to investigate a criminal offense involving persons or property of the controller; (b) to the competent judicial, prosecutorial and police authorities when lawfully requesting data in the performance of their duties, and (c) to the victim or perpetrator of a criminal offense, in the case of data which may constitute evidence of the offense.
C.4. Data Retention Period: We keep the CCTV material for seven (7) days, after which it is automatically deleted. In the event that during this period we find an incident, we isolate part of the video and keep it for another one (1) month, in order to investigate the incident and initiate legal proceedings to defend our legal interests, while if the incident concerns third parties, we will keep the video for up to three (3) more months.
(D) VISITORS THROUGH SHOWROOMS AND EXPOSITIONS
D.2 Legitimate Basis of the Processing: The processing is based on your consent according to art. 6 par. 1a GDPR.
D.3. Data Retention Period: In order to fulfil the above-mentioned purpose of the processing, we consider it reasonable and necessary to store your relevant Data for a period of three (3) years unless otherwise specified in national and European legislation or in case of prior withdrawal of your consent.