1. Institutional data protection framework
   

   The General Data Protection Regulation (EU) 2016/679 (GDPR) and Law 4624/2019 constitute the legal framework, which governs the processing of personal data and ensures the protection of the rights and freedoms of natural persons when their data is subject to processing. The purpose, among other things, is to ensure that any processing of personal data takes place with the knowledge of the natural persons concerned and as long as all the principles and conditions of legality established by the GDPR and applicable national legislation are met.

2. Definitions
   

   2.1. Personal Data or Data of a Personal Character: It is any information with which a natural person (data subject) can be directly or indirectly identified. Such information is e.g. name, identity number, VAT number, AMKA, postal address, telephone number or e-mail, car registration number, location data, the image of the person captured via CCTV or online identifiers. Also, personal data can be one or more factors that characterize the physical, physiological, genetic, psychological, economic, cultural or social identity of a natural person if through them the natural person can be identified. The details of legal entities are not personal data and are not protected by the relevant legislation.

   2.2. Special categories of personal data: These are personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or membership in trade unions, genetic data, biometric data that aim to uniquely identify a natural person, health related data or data related to sex life or sexual orientation.

3. General Principles

3.1. The Company undertakes not to process special categories of data, apart from health data, as long as there is a relevant legal obligation and always taking the appropriate technical and organizational measures for the security of this data and access to it only by specially authorized competent persons who are bound by duty confidentiality and secrecy.

3.2. Executives, staff as well as other external partners or any third parties who cooperate or perform work on our behalf, who have access within the framework of their responsibilities and duties to personal data that are the subject of processing in the context of legal activities are expected to have read, understood and comply with this Policy.

4. Data Processing

4.1 The processing of personal data is carried out in accordance with the principles of personal data protection and are as follows:

(a) Personal data is processed lawfully, legitimately and transparently (principle of legality, objectivity and transparency).

(b) Personal data are collected only for specified, explicit, clear and legal purposes and are not processed in a way that is incompatible with or in excess of these purposes (principle of purpose limitation).

(c) The personal data collected are appropriate, relevant and limited to what is absolutely necessary, for the purposes for which they are collected, kept and processed (data minimization principle).

(d) Personal data is accurate and up-to-date and every effort is made to delete or correct it without delay (principle of accuracy).

(e) The personal data are kept in a form that allows the identification of the data subject and only for as long as is necessary for the purposes of the processing (principle of the limitation of the storage period).

(f) Personal data are processed in a way that guarantees their necessary security and their protection against unauthorized or illegal access, disclosure, loss, destruction or damage (principle of integrity and confidentiality).

5. Data Security

5.1. All officers and employees are responsible for ensuring that personal data is kept secure and is not disclosed or transmitted to any third party unless the third party is authorized to receive and process such information in the context of (a) lawful activities and provided has entered into a corresponding confidentiality agreement or (b) there is a relevant statutory or court-ordered legal obligation.

5.2. Executives and staff have access to personal data according to the needs of their duties and responsibilities and the access rights they have been given.

5.3. The Company implements appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for the purpose of the processing are processed (data protection by default).