With this Policy, the Hellenic Recovery Recycling Corporation (hereinafter “the Company”), in its capacity as Data Controller, aims to inform you, as part of its commitment to be transparent on how it uses and generally processes your personal data, the measures it has taken to keep your personal data secure, as well as your rights, in compliance with the applicable regulatory framework for the protection of personal data.

Which categories of personal data do we process and for what purpose?

Our Company only collects and processes data that is necessary for the achievement of the following defined legitimate and special purposes and provided that it has the required legal basis. Specifically:

CATEGORIES OF DATAPURPOSE OF PROCESSINGLEGAL BASIS
Personal Identifiers
(e.g., Name)
Evaluation of potential job candidatesCompany’s legitimate interest
Contact Details
(e.g., phone number)
Experience, education, work experience data (e.g., certificates of studies, seminars)
Personal Identifiers
(e.g., Name)
Communication with you after the submission of comments, complaints, etc.Company’s legitimate interest
Contact Details
(e.g., phone number, email)
Contact Details
(e.g., email)
Informative material of our Company that is sent to interested parties.Consent
Contact Details (e.g., email)Informative material of our Company that is sent to partners.Company’s legitimate interest
Cookies– Proper functioning and management of our web page,
– Investigation into and resolution of technical issues (e.g., bugs),
– Security or investigation of possible fraud or other breach of our web page’s terms of use.
Company’s legitimate interest
Personal Identifiers
(e.g., name)
Compliance with the requirements that are imposed by the relevant
legislative and regulatory framework and the supervisory requirements,
as well as the decisions by authorities or courts
Legal Obligation
Contact Details
(e.g., phone number)
Financial Information
(e.g., IBAN)
Tax and Social Security Identifiers
(e.g., TFN, AMKA)
Personal Identifiers
(e.g., name)
Drafting and execution of contract with you and generally
ensuring their smooth operation and that fulfilment of your contractual obligations
Contract execution
Contact Details
(e.g., phone number, address)
Financial Information
(e.g., IBAN)
Tax Identifiers (e.g., TFN)
Personal Identifiers (e.g., Name)Promotion of the Company’s work and activitiesConsent
Photo
Personal Identifiers
(e.g., Name)
Communication with you for an understanding of your degree of satisfaction
from our services
Company’s legitimate interest
Contact Details
(e.g., phone number)
Personal Identifiers
(e.g., Name)
Service, management and satisfaction of your requestsCompany’s legitimate interest
Contact Details
(e.g., phone number, email)

The Company processes your data in order to achieve the above legitimate interests and only if these do not override your rights and freedoms

If you would like to learn more regarding the Company’s policy on the cookies used in our web page, please press the “COOKIES” link.

Who can we collect data from?

In the context of fulfilling the above purposes of processing, we collect information, which you provide to us, or we obtain from publicly available sources, including social networks, or are provided to us by third-parties (natural or legal persons), such as job search and recruiting companies, telephone service providers (e.g., call centre), market research companies, promotion companies, as well as tender and event organisation and management companies.

Who do we share your data with?

Other than our employees, subject to taking the appropriate technical and organisational measures, as well as the adhering to the duty of confidentiality and secrecy, our Company may share your data with third parties/recipients (natural or legal persons), such as:

•Companies providing consultancy and auditing services,

•Database management companies,

•Companies providing postal services, application development, maintenance, configuration services, email services, internet hosting services,

•Market research companies,

•Promotion companies,

•Companies providing secretarial support,

•Tender and event organisation and management companies,

•Supervisory, auditing, regulatory, judicial, municipal, public and/or other authorities and agencies,

•Financial institutions

In any event, the Company warrants that it will not transmit, share, transfer, etc. your data to third parties for any purpose or use other than what is explicitly disclosed in this Policy. Nevertheless, we reserve the right to share information that concerns you, if we are obligated by law or if this is required by the competent supervisory, auditing, independent, judicial, public and/or other authorities.

Moreover, the Company does not transmit your data to countries outside the European Economic Area (EEA). Should such a need arise in the future, we promise to inform you immediately and to take all the necessary measures to ensure that protection of your personal data.

How long do we retain your data?

The Company retains your data for as long as the purposes, for which they were collected and mentioned above, remain in force.

The Company may retain your data even after the fulfilment of the above collection and processing purposes, in the following restrictive circumstances:

•If a provision of the law legally obligates the Company.

•For use before any audit authority, within the statute of limitation.

•If required for the proper organisation and operation of the Company

•Until the limitation of actions to protect our Company’s rights and legitimate interests before any court of law or other public authority.

•If there is an administrative or court dispute, which is directly or indirectly related to your data, until the issuance of the court’s final decision.

At the end of the retention time, the Company ensures for the safe destruction of your data from our paper and other electronic records in compliance with the applicable data retention policy.

What are your rights?

Right of access: You have the right to obtain information about the processing of your data (e.g., the purposes of the processing; the categories of personal data; the recipients; the retention period, etc.).

Right to rectification: You have the right to request the rectification or supplementation of your data.

Right to erasure: You have the right to request the erasure of all or part of your data (e.g., data are no longer necessary in relation to the purposes for which they were collected, etc.).

Right to restriction: In some case you have the right to request the restriction of processing of your personal data (e.g., if you exercise the right to rectification and until the accuracy of the personal data is verified).

Right to data portability: You have the right to receive a copy of your personal data and to reuse or share these for your purposes.

Right to object: You have the right, at any time, to object to the processing of data which, as described above, is necessary for the purposes of our legitimate interests.

•Right to withdraw consent: When data processing is based on your consent, you have the right, at any time, to request its withdrawal. Upon withdrawing your consent, we will stop processing your data for the purpose or purposes for which it had initially been collected, unless we have another legal basis to act legally. It should be noted that withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.

How can you exercise your rights?

If you would like to exercise one of the above rights, you can send an email to [email protected].

If you submit a request to exercise your rights, the Company will respond to this request within one (1) month of its submission. Having regard to the complexity of the request and the number of requests being processed, this deadline can be extended by another two (2) months, upon prior notice.

Our response to this request is provided free of charge. However, if your request is unfounded, excessive or repetitive, we may impose a reasonable fee after notifying you, or refuse to respond to your request.

If you believe that your rights have in any way been breached, you have the right to lodge a complaint to the competent supervisory authority:

Hellenic Data Protection Authority

Postal Address: 1-3 Kifissia Avenue, 115 23, Athens

Call Centre: +30-210 6475600

Fax: +30-210 6475628

E-mail: [email protected]

How do we protect your data?

The Company implements an information security management system to safeguard their privacy, the security of personal data processing and their protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to and any other unlawful processing. Indicatively, the Company uses malware applications (e.g., Firewall, WAS, etc.) and access code protection mechanisms (e.g., encryption), pursuant to international market standards to safeguard the confidentiality and integrity of your personal data. However, you are responsible for ensuring that your device is adequately secured and protected against malware (e.g., Trojan, viruses, etc.).

You should be aware that without adequate security measures (e.g., secure browser settings, updated antivirus software, effective Firewall, non-use of software from questionable sources, etc.) you risk your data and access codes being disclosed to unauthorised third-parties.

What else should you know?

•Our Company does not implement automated individual decision-making, including profiling.

•The Company does not collect nor does it obtain access via its web page to special categories (“sensitive”) personal data or data relating to convictions or offences. The visitor is obligated to refrain from providing such data that refers to him/herself or third parties. Adversely, the data will be deleted as soon as it comes to our attention. The Company shall not be liable to visitors or third parties for the provision and/or processing of such data that is due to acts or omissions in violation of the above obligation.

•Our web page may contain links to other websites, which are controlled by third parties and by the Company. This Policy does not apply to these websites and we recommend that your visit them directly for information about their personal data protection policy.

•If you would like information about the new General Data Protection Regulation (2016/679), press here.

•We may amend this Policy from time to time so that it always complies with legal requirements and how we conduct our business. If we decide to replace or make significant changes to the Policy, we will inform you accordingly via to this website. For information about the most recent version of the Policy, please visit this page regularly.

How can you contact us?

If you have any questions or complaints regarding this Policy, you can contact us as follows:

DATA CONTROLLER:

Hellenic Recovery Recycling Corporation

5 Chimaras St, Maroussi, 15125

Tel.: 2108010962-3, email: [email protected]

Definitions

“personal data”: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“data controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

“personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

“recipient”: a natural or legal person, public authority, agency or another, to which the personal data are disclosed, whether a third party or not.

“third party”: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

“consent” of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the personal data relating to him or her becoming a processing object;