(PERSONAL DATA PROTECTION POLICY)
- Purpose, Scope
Universal Certification Solutions – (UNICERT), hereinafter referred to as “UNICERT“, makes every effort to comply with the legislation concerning the Protection of Personal Data in the field of activity. This Policy sets out the basic principles by which UNICERT processes the personal data of customers, employees, suppliers, partners and other persons. This Policy applies to UNICERT and its directly or indirectly controlled subsidiaries in Greece. All employees working under a part-temporary or permanent contract, as well as all subcontractors working on behalf of UNICERT, are bound by this Policy.
- Basic Definitions
The following are the basic definitions of the terms used in this document, as set out in Article 4 of the General Data Protection Regulation, in order to familiarize the data subject with the terminology of the Regulation:
Personal Data: any information concerning an identified or identifiable natural person (‘data subject’); the identifiable natural person is anyone, whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as name, ID number, location data, online identity or one or more of the factors that characterize the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person,
Special Categories Personal data: Data that are inherently sensitive to fundamental rights and freedoms need special protection, as processing them could pose significant risks to fundamental rights and freedoms. These personal data include data that reveal racial or ethnic origin, political, religious or philosophical beliefs or participation in a trade union, as well as the processing of genetic and biometric data for a person’s indisputable identification, which relate to health or to a person’s sexual life or orientation.
Data controller: the natural or legal person, public authority, service or other entity that, alone or in conjunction with others, determines the purposes and method of processing personal data
Processor: the natural or legal person, public authority, service or other body that processes personal data on behalf of the controller
Processing: any operation or series of operations performed with or without the use of automated means, on personal data or personal data sets, such as the collection, registration, organization, structure, storage, adjustment or alteration, the retrieval, information search, use, disclosure, dissemination or any other form of distribution, association or combination, restriction, deletion or destruction.
Authority: The Data Protection Authority
- Basic Principles for the Processing of Personal Data
UNICERT, as a controller, strictly adheres to the data protection principles set out in Article 5 of the General Data Protection Regulation.
- Legality, Objectivity and Transparency
UNICERT processes personal data legally, objectively and transparently against data subjects.
- Purpose Limitation
Personal data is collected for special, clear and legitimate purposes only and is not processed for any other purpose.
- Data minimisation
UNICERT maintains the accurate personal data of the subjects and ensures that their compliance is limited to what is necessary for processing purposes. At the same time, it shall apply the appropriate technical measures to achieve the above objectives.
The personal data retained by UNICERT is accurate and up to date. Measures shall be taken to ensure that inaccurate personal data with respect to the purposes for which they are processed are deleted or corrected in a reasonable time.
- Restriction of the Storage Period
Personal data shall be kept for a period not exceeding the necessary one for the purposes for which UNICERT processes it.
- Integrity and confidentiality
Taking into account the technological level and other security measures available, the cost of implementation, and the likelihood and severity of risks to personal data, UNICERT uses appropriate technical or organizational measures to process the Personal Data in a manner that guarantees adequate security of personal data and their protection against accidental destruction, loss, damage, unauthorized or illegal processing.
UNICERT is responsible and is able to demonstrate compliance with the General Data Protection Regulation to the competent Data Protection Authority.
- Privacy Notice, Consent and Rights of Data Subjects
- Notice to the Data Subjects
Prior to collecting personal data for any processing activity undertaken by UNICERT, including the sale of marketing products, services or activities, UNICERT is responsible for providing appropriate information to data subjects and in particular, more information on the types of personal data collected, the purposes of the processing, the methods of processing, the rights of the data subjects in relation to personal data, the registration period, any international data transfers, if personal data is provided in cooperation with third parties, and UNICERT‘s security measures for the protection of them. This information is provided through the Privacy Notice.
- Consent – Free consent withdrawal
When the collection of personal data is subject to the consent of the data subject, UNICERT is responsible for ensuring that data subjects give their consent freely, in a positive manner, explicitly and fully aware of the content of the document in which they are consenting. UNICERT enables data subjects to withdraw their consent at any time. Where the collection of personal data of children under 16 takes place, UNICERT shall ensure that Parent consent has been obtained prior to collection. The processing of personal data should only take place for the purpose for which they were originally collected. If UNICERT wishes to process collected personal data for another purpose, it must seek the consent of the data subjects in an explicit and specific manner. Any such request must include the original purpose for which the data was collected, as well as the new or additional purpose(s).
UNICERT makes every effort to ensure that the number of personal data it collects is as minimum as possible. If personal data is collected by a third party, UNICERT ensures that they are legally collected.
- UNICERT’s relationship with Third Parties
In cases where UNICERT uses a third-party supplier or trade partner that it entrusts to process personal data on its behalf, it ensures that the processor performs appropriate security and data protection measures to address any potential related risks. UNICERT makes every effort to ensure that its suppliers or trade partners process personal data solely for the purpose of fulfilling their contractual obligations to UNICERT, always in accordance with its instructions and for no other purpose.
- Data Subjects Access Rights
UNICERT as a Processor is responsible for providing data subjects with a mechanism for accessing their personal data, which will allow them to further review, correct, delete or transfer them.
- Data Portability
Data Subjects have the right, upon request, to receive a copy of the data they have provided to UNICERT in a structured format and to transfer them to another controller. UNICERT is responsible for ensuring that such requests are processed within one month, provided that they are not manifestly unfounded. During the enforcement of the right to data portability, the data subject has the right to request the direct transmission of personal data from one controller to another, if this is technically feasible.
- Right to be Forgotten
Upon request, Data Subjects have the right to ask UNICERT to delete their personal data. UNICERT will immediately take the necessary actions (including technical actions) to satisfy the request and will obtain the same from any third parties, who use or process personal data on its behalf.
- Right to object
The Data Subject has the right to object at any time to the processing of personal data relating to him, including profile training.
- Right to restriction of processing
Upon request, Data Subjects have the right to ask UNICERT to restrict the processing of their data in accordance with Article 18 § 1 a-d of the General Data Protection Regulation (EU) 2016/679.
- Conditions for exercising the Data Subjects Rights and Consent Withdrawal
The Data Subject shall exercise their rights and withdraw their consent by submitting a written request to UNICERT. The Data Subject may also freely withdraw their consent without encrouching the legality of the processing based on it until the time of its withdrawal.
- Response to Violation of Personal Data Cases
If you continue to have any questions or need any clarification regarding the processing of your personal data by UNICERT, you can contact us and UNICERT will be happy to assist you immediately.