
PREAMBLE

Our Company, "NGP MUSTAD PACKAGING MONOPROSOPI ANONYMI ETAIREIA" (also referred to as the "Company"), is the Controller of the personal data of the users of this website and ensures that all its business actions are conducted in accordance with the principles of privacy protection, respect for human value, personal data protection, as we believe that these principles demonstrate our unwavering commitment to ethical and responsible practices.

This Policy describes our standards for the management and protection of Personal Data from or on behalf of our Company and applies to every activity we conduct.
This personal data privacy policy is valid and applied to all facilities and/or digital environments and applications, which belong to the Company and are related to its activity.

DEFINITIONS

For the purposes of this Policy, the following terms shall be understood as follows:

- Personal data: Any information concerning an identified or identifiable natural person ("data subject"). An identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, an identity number, location data, an online identifier or one or more factors specific to the physical, genetic, psychological, economic, cultural or social identity of the natural person.

- Special categories of personal data or Sensitive data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of indisputable personal identification, data relating to health or data relating to a natural person's sex life or sexual orientation.

- Processing: Any operation or series of operations carried out with or without the use of automated means, on personal data or sets of personal data, such as collection, registration, organization, correction, storage, adaptation, alteration, retrieval, information retrieval, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction.

- Anonymization: The processing of personal data in such a way that the data can no longer be attributed to a specific data subject.

- Pseudonymization: The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that said additional information is kept separate and subject to technical and organizational measures to ensure that it cannot be attributed to an identified or identifiable natural person.

- Controller: The natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of personal data processing. Where the purposes and manner of such processing are determined by the law of EU or the law of a Member State, the controller or the specific criteria for his appointment may be provided for by EU law or the law of a Member State.

- Processor: The natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller.

- Data Protection Officer: The Data Protection Officer (DPO) ensures, in an independent manner, the supervision of the strategy and compliance of the controller and the processor with the provisions of GDPR 2016/679 EU (GDPR) and mediates between different parties (e.g. supervisory authorities, data subjects). His role is advisory (not decisive) and he bears no personal responsibility for non-compliance with the Regulation.

- Consent of the data subject: Any indication of will, free, specific, explicit and fully informed, by which the data subject manifests that he agrees, by statement or by a clear positive action, to the processing of his/her personal data.

- Personal Data Breach: The breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data transmitted, stored or otherwise processed.

- Existing legislation: The provisions of the currently existing Greek, EU or other Legislation, to which the Company is subject and which define personal data protection issues.

Personal data controller

For any processing of personal data carried out by the Company or its partners, exclusively for the purposes and in the manner determined by the Company, the Company under the name "NGP MUSTAD PACKAGING MONOPROSOPI ANONYMI ETAIREIA" is considered the Controller. In some cases, the Company may act as a Processor for other legal entities, with whom the Company is contractually bound.

LEGAL FRAMEWORK FOR THE PROTECTION OF PERSONAL DATA

As a Company we collect and process your personal data in accordance with this policy on personal data protection and

  • in compliance with the EU Regulation 2016/679,
  • the existing Greek legislation on data protection,
  • the current legislative framework that governs the operation of businesses,
  • the consents we receive.

This policy provides you with the necessary information regarding your rights and obligations and explains how, why and when we collect and process your personal data.

PERSONAL DATA WE COLLECT

The Company, in the context of its activities, may collect personal data of its employees, of its partners in general, and of other natural persons with whom it deals and cooperates.

The Company always takes care to collect and process only the personal data that are necessary and relevant for the purposes of processing, as stated below and in order for the Company to comply with its obligations, as they arise from the applicable legislative and regulatory framework, its legal interests and its contractual obligations.

Indicatively, the categories of personal data processed by the Company, whether they regard employees or customers-suppliers-partners or other third parties with whom the Company deals, are the following:

- Demographic information and identification/contact information, such as: first and last name, father’s name, matrimonial name, date of birth, place of birth, gender, nationality, residential address, e-mail address, contact numbers, ID number, Tax Registration Number, SSN number and other numbers of insurance fund registers, health books etc.

- Data related to the education and training of employees or prospective employees, such as CV, high school diploma, diplomas, master's and doctoral degrees, certificates of seminar attendance and licenses to practice a profession, data on previous experience or training etc.

- Health data, (including sensitive personal data), such as medical examinations of employees, leaves and medical history, to the extent that this is necessary for the assessment of a candidate or the fulfillment of obligations by the employment contract or provision of law, including obligations for health and safety at work, social security and social protection law, to the extent that this is necessary for the provision of the Company’s services or if there is some other legal basis for the processing, such as the fulfillment of the Company's obligations regarding the Contract or provision of the law.

- Data related to benefits or expenses paid by the Company to its staff, such as employee expense reports, management of company phones or emails, etc.

- Image data collected from CCTV and security cameras to achieve the protection and safety of natural persons, materials (machinery, electromechanical equipment etc.) and facilities. [Cameras are placed in areas where there is an increased risk of accidents or sabotage and they are used exclusively for security reasons, while relevant signs have been placed in the monitored areas according to the standards and instructions of the relevant Greek Authority of Personal Data Protection.]

- Entry - exit registration data at the Company's facilities.

LEGAL BASIS OF PROCESSING

The Company processes personal data that are necessary, in order for the Company to be able to serve its contractual obligations and respond to its legal obligations. The Company processes your personal data transparently in accordance with the principles of lawfulness, proportionality, confidentiality and integrity, purpose limitation and accuracy, specific data retention time and data minimization.

The company, in the context of its operation and for the fulfillment of its objective, receives and processes personal data based on the following legal bases:

- The processing is necessary for the performance of a contract, in which the data subject is a contracting party or to take measures at the request of the data subject prior to the conclusion of a contract (Article 6 / paragraph 1 / point (b) of the GDPR).

- The processing is necessary to comply with a legal obligation of the controller or to establish, exercise and support legal obligations (Article 6 / paragraph 1 / point (c) of the GDPR - Article 9 / paragraph 2, point f).

- Processing is necessary to safeguard the vital interest of the data subject or other natural person (Article 6 / paragraph 1 / point (d) of the GDPR).

- The need to carry out the obligations and exercise specific rights of the controller or the data subject in the field of labor law and social security and social protection law (Article 9 / paragraph 2 / item (b) of the GDPR).

- The processing is necessary for the purposes of the legal interests pursued by the controller or a third party (Article 6 / paragraph 1 / point (f) of the GDPR).

- Consent, where required, which is usually obtained through written consent or prior disclosure of personal data by the subject himself/herself.

PURPOSES OF PROCESSING

We collect and store your personal data based on the following legal bases and specifically for:
a. the observance of the contractual agreement with you,
b. our legitimate interest,
c. the retention of data for the purpose of the Company's response to audits by relevant authorities regarding the legality of our procedures,
d. the maintenance of the employee file and its processing in accordance with labor legislation,
e. the establishment, exercise or support of legal claims,
f. the compliance with a legal obligation,
g. the execution of rights and obligations arising from social security law,
h. our legal interest and/or our legal obligation to protect the site as well as the goods located on the site from illegal acts.

In addition, we may share your information with third parties (outside the Company) only if:
- An official court decision has been issued.
- Sharing information with the police can prevent a serious crime.
- You give us express instructions and authorization to do so.
- We must safeguard the legal interests of the company or third parties.
- It is our legal obligation (e.g. tax authorities, insurance funds), after you have first been informed.
- A special legal interest exists following your relevant prior information, after you have received a reasonable deadline for any possible objections to the transmission.

TRANSMISSION OF PERSONAL DATA

We do not share or disclose your personal data without your consent, except for the purposes set out in this policy or where required by law. The Company uses selected partners (acting as "processors" under the GDPR) to provide services and all processors acting on our behalf process your personal data in accordance with the instructions they receive from us, with the appropriate confidentiality and security measures. The main categories of processors with whom we may share your data include:

- Public Social Security Organizations/Social Security/Health Funds,

- Organizations and companies providing information system support services and accounting support.

- External partner Auditors (Internal Auditors, Statutory Auditors, etc.).

- External Legal Advisors.

- External partners and/or consultants to whom the Company entrusts the processing of personal data on its behalf (banks, legal advisors, accountants, insurance companies, mobile phone service providers, car rental companies, etc.), having signed a relevant contract for the processing and protection of personal data.

- Company’s Doctor

- Chief Information Officer

DATA RETENTION TIME

In the Company, we maintain personal data only for a predetermined and limited period depending on the purpose of processing, at the end of which, the personal data are deleted from our databases. Under no circumstances can the retention period be shorter than that required by law (e.g. tax documents, etc.) and data are not deleted for as long as there is a connection with natural persons, e.g. through a contractual relationship and for the period during which any legal claims can be raised.
Furthermore, retention and processing of personal data is also allowed, if the data subject provides his/her consent.

RIGHTS OF THE DATA SUBJECTS

According to the GDPR, the subject of personal data can exercise the following rights:

(a) The right of access and information, i.e. the subject is entitled to receive information from the Company about the personal data it processes and to receive a copy of them, if he/she so wishes.
(b) The right of rectification, i.e. the subject may request that inaccurate, incomplete data kept regarding him/her be corrected and/or completed.
(c) The right of erasure, i.e. the subject can request the erasure of his/her data, only as long as the Company maintains them without there being a legal basis for processing.
(d) The right to limit processing, only if one of the conditions of article 18 of the GDPR is met.
(e) The right of data portability, i.e. the subject may, under certain conditions, request that his/her data be provided in a structured, commonly used and readable format or request that the data be transmitted to a third party.
(f) The right to object to the processing, unless there are compelling and legitimate reasons for the processing, which override your interests, rights and freedoms or if the processing is necessary for the establishment, exercise or support of the Company's legal claims.
(g) If the processing is based on your consent, you can withdraw it at any time, however the lawfulness of the processing carried out before the withdrawal of consent is not affected. As an exception, the Company's employees may not refuse the provision and processing of personal data that are legally necessary for the execution of their Contract.

In addition, in the event of exercising one or more of the aforementioned rights to rectification, erasure and limit of processing of your personal data, the relevant requests will also be forwarded to any third-party recipient, to whom the personal data may have been transmitted in the context of the aforementioned processing purposes.

To exercise any of your above rights, you can also contact the Company's Data Protection Officer at email: dpo@ngpmustad.com.

The Company will respond to your request free of charge, without delay and in any case within one month of receiving the request, with the exception of exceptional cases, in which the above deadline can be extended by two more months, if necessary, taking into account the complexity of the request, the volume of material to be processed and/or the number of requests. The Company will inform you of any extension within one month of receiving the request, as well as of the reasons for the delay. If it is not possible to satisfy your request, the Company will inform you, without delay and at the latest within one month of receiving the request, of the relevant reasons and of the possibility of submitting a complaint to the Personal Data Protection Authority, as well as of your right to appeal before the competent judicial authorities.

CHANGES TO THIS POLICY

This Privacy Policy may be revised occasionally, in accordance with the requirements of current legislation. In the event of any modification of this Policy, the revised version will be posted on the Company's website.

Copyright © 2024 NGP MUSTAD