1. Purposes, Range
UCERT strives to comply with the laws and legislation relating to the General Data Protection Regulation (GDPR) in its field. This Policy sets out the basic principles under which UCERT processes the personal data of its customers, employees, suppliers, partners, and other persons. This Policy is applied by UCERT, as well as by its direct and indirect subsidiaries based in Greece. All employees, on both open-ended and temporary contracts, as well as all contractors working for UCERT, are bound by this Policy.
2. Basic definitions
The following are the basic definitions of the terms used in this document, as given in Article 4 of the General Data Protection Regulation, so that data subjects can familiarize themselves with the terminology of the Regulation:
Personal Data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one whose identity can be verified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data, special categories: Personal data which are inherently sensitive in relation to foundational rights and liberties and require special protection, since their processing framework could create severe dangers for said foundational rights and liberties. Such Personal Data include personal information revealing racial or national orientation, political views, religious or philosophical convictions or participation in trade unions, as well as genetic data, biometric data processed in order to provide undeniable proof of identity, data concerning health issues or data concerning the sexual life of the natural person or their sexual identity.
Controller: the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, with or without the use of automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Authority: Hellenic Data Protection Authority.
3. Basic principles concerning the Processing of Personal Data
UCERT, as the controller, strictly adheres to the principles defined by Article 5 of the General Data Protection Regulation.
3.1 Lawfulness, Fairness and Transparency
UCERT processes the data lawfully, fairly and in a transparent manner in relation to the data subjects.
3.2 Purpose Limitation
Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3.3 Data Minimization
UCERT ensures that personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
All personal data processed by UCERT shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
3.5 Storage Limitation
Personal Data shall be kept for no longer than is necessary for the purposes for which the personal data are processed by UCERT.
3.6 Integrity and Confidentiality
By taking into consideration the technological level and other available security measures, the cost of application as well as the possibility and severity of threats for Personal Data, UCERT uses appropriate technical and organizational measures to process Personal Data, in a manner that ensures appropriate security of the Personal Data, as well as protection against accidental loss, destruction or damage and against unauthorized or unlawful processing.
UCERT bears the responsibility for, and is capable of proving, its compliance with the General Data Protection Regulation to the Hellenic Data Protection Authority.
4. Privacy Notification, Consent and Data Subject Rights
4.1 Notification to the Data Subject
Before or during the collection of Personal Data, for any processing action undertaken by UCERT, including, but not limited to, sales of products, marketing services or activities, UCERT bears the responsibility to provide the necessary information to the Data Subject and, more specifically, the type of the Personal Data being collected, the purpose of the processing, the means of processing, the rights of the Data Subject concerning their Personal Data, the period for which the Personal Data will be stored, potential international transfer of the Personal Data, potential sharing of the Personal Data with a collaborating third party, as well as the safety measures applied by UCERT to ensure the protection of the Personal Data. This information is provided via the Privacy Notification.
4.2 Consent – Right to Revoke
When the collection of Personal Data is legally based on the consent of the Data Subject, UCERT is responsible for ensuring that the Data Subjects offer their consent willingly, positively, explicitly and after fully comprehending the content of the document they consent to. UCERT provides the Data Subjects with the right to revoke their consent whenever they want. In case of collecting Personal Data of children under the age of 16, UCERT ensures that parental consent has been given before the collection begins. The processing of Personal Data must occur only for the purpose for which they were initially collected. In case UCERT wishes to process the collected Personal Data for a different purpose, it must procure the consent of the Data Subjects in an explicit and specific written manner. Any such application form must include the initial purpose for collecting the data, as well as the new or additional purpose(s).
UCERT strives to ensure that it collects the bare minimum amount of Personal Data. If the Personal Data are collected by a third party, UCERT ensures that all data are collected through legal means.
4.4 UCERT and Third Parties
In case UCERT uses a third-party supplier or trade partner, to whom it assigns the processing of the Personal Data on its behalf, it ensures that the processor will provide the appropriate safety and protection measures to counter all potential relevant dangers. UCERT strives to ensure that the suppliers or trade partners process the Personal Data solely for their conventional responsibilities towards UCERT, always in accordance with its guidelines and for no other purpose.
4.5 Right of Access by the Data Subject
UCERT, as the Controller, is responsible for providing the Data Subjects with a mechanism for accessing their Personal Data, which will allow them to review, correct, delete, or transfer them.
4.6 Right to Data Portability
The Data Subject shall have the right to receive a copy of the personal data concerning them, which they have provided to UCERT, in a structured format and have the right to transmit those data to another controller. UCERT is responsible for ensuring that such applications are processed within a month, under the condition that the request is not obviously unfounded. In exercising their right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
4.7 Right to Erasure (Right to be Forgotten)
By submitting a formal request, Data Subjects have the right to petition UCERT for the erasure of their Personal Data. UCERT will take the appropriate actions (including technical ones) to satisfy the request and ensure the same from potential third parties that are using or processing Personal Data on its behalf.
4.8 Right to Object
The Data Subject has the right to object at any time to the processing of their Personal Data, including profiling.
4.9 Right to Restriction of Processing
By submitting a formal request, Data Subjects have the right to request the restriction of their data processing from UCERT, according to article 18 § 1 a-d of the General Data Protection Regulation (EU) 2016/679.
4.10 Exercising all the Rights of the Data Subject and Revoking of Consent
The exercising of all the rights of the Data Subject, as well as the revoking of consent, occurs through a written request addressed to UCERT. The Data Subject may also revoke consent, without diminishing the lawfulness of the processing carried out before the consent was revoked. This is done by sending a written request or an email to the address: firstname.lastname@example.org
The Controller of the Personal Data of the Data Subject is UCERT, based in Athens, Rethymnou 1Α, Postal Code 106 82.
Also, Data Subjects can address the Hellenic Data Protection Authority via the following means:
5. Responding to Personal Data Breach Incidents
When UCERT is notified of a potential or occurring Personal Data Breach, it will immediately conduct an internal investigation and, in a timely manner, apply the appropriate actions to restore any damage according to the Personal Data Breach Policy. When the rights and liberties of the Data Subjects are in imminent danger, UCERT has to announce the security breach to the Authority immediately and, under any circumstances, within 72 hours.
If you have any further questions or need any clarification concerning the processing of your Personal Data by UCERT, you can contact us and UCERT will be happy to assist you.