1. PURPOSE
The purpose of this Policy is to define and articulate the general framework and basic principles set and implemented by Mediplan Ltd (hereinafter “Mediplan”) regarding the processing of personal data and the protection of their security, confidentiality, integrity and availability.
2. FIELD OF APPLICATION
This Policy applies to all personal data managed by Mediplan in the course of its business.
3. RESPONSIBLE FOR POLICY IMPLEMENTATION
Company Management
Data Protection Officer
All Mediplan staff
All partners who manage and / or have access to personal data
4. OBJECT
4.1 In general
Mediplan recognizes and respects the importance of the personal data which it handles in the context of its activity, and for this reason has fully adapted its policy to the requirements of the General Regulation on Personal Data Protection (hereinafter GDPR) 2016/679/EC.
With this statement Mediplan would like to:
- inform all employees, associates and those transacting with it in what capacity, for what purpose and on what legal basis it processes personal data, i.e. information that can be used for the direct or indirect identification of persons
- identify the categories of data, the data sources (when the data is not provided by the person himself) and the criteria for determining the time period of personal data retention
- inform those transacting with it about the transfer of their personal data to third parties or third countries
- inform the subjects about the possibility to contact Mediplan for any issue regarding the processing of their personal data, the possibility to exercise, regarding their personal data, the rights of access, correction and, where appropriate, deletion, restriction and objection to processing, as well as the ability of individuals to report any breach of their personal data rights to the Personal Data Protection Authority
- set out the principles governing Mediplan’s compliance with the relevant privacy policies and security guarantees.
For any question or inquiry, to obtain a copy of this statement, or to exercise any of the rights relating to his/her personal data, the person concerned may contact the Company by email at gdpr@mediplan.com.gr.
3.2 Data Controller
3.3 Who collects personal data?
As part of its business, Mediplan processes the personal data of those who come into contact with it (citizens, partners and third parties), which makes it the party responsible for their processing.
3.4 How are personal data collected?
We may collect personal data from various sources, namely:
- Personal data provided to Mediplan directly by the subjects, for one of the following reasons:
  - Information that you give us during the conclusion, development and termination of the contractual relationship between us.
  - Information you give us when submitting your applications to Mediplan.
  - Information you give us during your participation in the various Mediplan activities.
  - Information you give us when you contact us or submit a request.
We may also receive personal information indirectly from public services, in which case you will be informed of the origin of your personal data and the purpose for which it was processed.
We also receive and store specific types of personal data whenever anyone interacts with us online, i.e. we use cookies and tracking technologies to receive personal data when the web browser used by the internet user accesses the website or our listings, as well as other content displayed by Mediplan or on its behalf on other sites.
4.5 What personal data are collected?
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Due to the nature of Mediplan’s activities, the Personal Data it collects mainly concerns the following categories of subjects:
- Mediplan employees: i.e. their personal data and details that are purely related to the employment relationship with Mediplan, which include, indicatively, identity and contact details, financial data, as well as health data of the employees themselves or of additional members, related to Mediplan’s compliance with the employment and insurance legislation.
- Candidates to be hired: i.e. their personal data and information mentioned in their evaluation as candidates and in the recruitment procedures by Mediplan, which include, indicatively, identity and contact details, as well as details of the candidates’ professional CV.
- Mediplan Partners (suppliers and other partners in general): i.e. their personal data and information relating to the contractual relationship between us, which includes identifying and contact information, transaction data and financial information related to Mediplan’s compliance with its legal contractual obligations.
- Partners with Mediplan and participants in its activities (citizens, and generally people who communicate with Mediplan): i.e. their personal data and information that refer to the contractual relationship between us, where it exists, or that are used to communicate with Mediplan, which include, indicatively, identity and contact information, transaction data and, as the case may be, data related to Mediplan’s compliance with its statutory contractual obligations.
We would like to point out at this point that we do not collect personal data of specific categories, other than the health data mentioned herein, such as personal data relating to race, ethnicity, religion, sexual orientation or genetic or biometric data, etc., which are categorized as specific categories of data and receive additional protection in accordance with European data protection legislation.
4.7 What is the purpose of processing personal data?
The purpose of the processing is proportional to the respective function performed. In particular:
- The personal data of the employees are provided to Mediplan for the purpose of concluding, executing or terminating the respective employment / cooperation contract. Also, the personal data of the employees regarding absences, hours of presence, leave, and medical documents for sick leave are kept for the purpose of granting leave, including sick leave, while the personal data related to the performance of the employees are provided by the heads of for the purpose of staff evaluation by Mediplan.
- The personal data of the candidate employees, which they themselves provide during the individual stages of selection and evaluation of candidates, are disclosed to the respective Mediplan Department and the Management, for the purpose of informing Mediplan, evaluation, interviews, etc. for the recruitment of employees and the conclusion of cooperation.
- The personal data of the associates, citizens, participants in the activities of Mediplan and, in general, those who transact with Mediplan, which they themselves provide to Mediplan, are collected and processed for the purpose of concluding and developing the contractual relationship between us, our compliance with our legal contractual obligations, the processing of their request and their case in general and, where appropriate, our communication with them at their request.
4.8 What is the legal basis for processing?
In particular, as the case may be, the legal bases on which we base the processing of your data are the following:
Article 6 par. 1b GDPR: Processing necessary for the performance of the contract to which you are a party or for action to be taken at your request prior to the conclusion of the contract.
Article 6 par. 1c GDPR: Processing necessary for our compliance with our legal obligation as it arises from Union or National Law.
Article 6 (1e) GDPR: Processing necessary for the performance of a duty performed in the public interest or in the exercise of official authority delegated to Mediplan.
And in terms of specific category data (sensitive):
Article 9 (2b) GDPR: When processing is necessary for the performance of the obligations and the exercise of specific rights of the data subjects in the field of social protection, if permitted by EU or domestic law.
Article 9 (2f) GDPR: When processing is necessary to establish, exercise or support Mediplan’s legal claims.
Article 9 (2g) GDPR: When processing is necessary for reasons of substantial public interest, under the law of the Union or a Member State, which is proportionate to the objective pursued, respects the substance of the data protection right and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.
Where appropriate:
Regarding data related to criminal convictions and offenses:
Article 10 GDPR: Where processing is permitted or required by EU or domestic law.
4.9 Profiling
The Company does not use personal data to create a “profile” within the meaning of the GDPR.
4.10 Data Transfer to Third Parties: To whom will my data be disclosed?
Mediplan does not improperly disclose or transfer your personal data to third parties. Therefore, we will not share your data with third parties for marketing purposes.
In some cases we may have a legal obligation to disclose your information. Such a case occurs following a court order or when cooperating with other public authorities and bodies within the European Union under provisions of Union or National Law.
Mediplan may, therefore, disclose or transmit your data to third parties, provided that the legal requirements are met, in particular where:
– Your Previous Consent as Data Subjects
– Legal Obligation to disclose data to Competent State Bodies and Organizations and to the competent Judicial and Prosecutorial Authorities, if requested legally and competently.
4.11 For how long is personal data retained?
The retention time of personal data depends primarily on the purpose of the processing, and their mere storage constitutes an act of processing, which is permitted only if it is governed by the processing authorities. After the retention period the personal data are deleted. In particular:
Mediplan keeps your personal data for as long as the processing purpose lasts. Upon its expiration, it legally retains your personal data, when necessary, in order to comply with its legal obligation arising from provisions of Union or National Law, as well as in the event that retention becomes necessary for the establishment, exercise or support of Mediplan’s legal claims. In any case, for further protection of your personal data, you will be informed in advance in writing.
4.12 What are the rights of the subject of personal data?
The processing of your personal data is also linked to your respective rights, which, subject to provisions that may restrict the exercise of these, are:
- Right to information: You have the right to receive clear, transparent and comprehensible information about how we use your personal data and what your rights are. For this purpose, we provide you with the information in this Statement – Protection Policy and we urge you to contact us for any clarifications.
- The right of access: You can request that we correct or supplement your data if it is incomplete or contains inaccuracies.
- The right to correct: You can ask us to correct or supplement your data if it is incomplete or contains inaccuracies.
- The right to the portability of your data: You may request that we provide or transfer to a third-party provider in electronic form specific information that you have provided to us.
- The right to delete: In some cases, you can request the deletion of all or part of your data (if, for example, the data is no longer needed for the purposes for which it was collected, etc.).
- The right to restrict processing: You have the right to restrict the processing of your personal data.
- The right to withdraw consent: If you have given your consent to the processing of your personal data, you have the right to withdraw your consent at any time by contacting us at the information provided herein.
- The right to object: You may object to the processing of your data which is carried out in the pursuit of our legitimate interests, as mentioned above.
- The right to file a complaint to the Personal Data Protection Authority: You have the right to complain directly to your local supervisory authority about how we process your personal data.
- Rights related to automated decision making: You have the right not to be subject to a decision based solely on automated processing that has legal or other significant consequences for you. Specifically, you have the right to:
  - obtain human intervention,
  - express your point of view,
  - get an explanation for the decision that came up after an evaluation, and
  - challenge this decision.
In case of exercise of one of the above rights, we will take every possible measure to satisfy your request within a reasonable time and no later than one (1) month from the identification of your request, informing you in writing of the satisfaction of your request, or of the reasons that may prevent the exercise of the relevant right or the satisfaction of one or more of your rights, in accordance with the General Regulation of Personal Data Protection. Please note that in some cases the satisfaction of your relevant requests may not be possible, such as when the satisfaction of the right is contrary to a legal obligation or conflicts with a contractual legal basis for the processing of your data.
However, if you believe that any of your rights or Mediplan’s legal obligations regarding the protection of Personal Data are being violated and you have previously contacted the Mediplan Data Protection Officer (DPO) about the matter, you have exercised your rights with Mediplan or you have not received a reply within one month (extending the deadline to two months in case of a complex request), or if you consider that the reply you received from Mediplan is unsatisfactory and your issue has not been resolved, you can lodge a complaint with the relevant supervisory authority, the Personal Data Protection Authority (email: complaints@dpa.gr).
4.13 How are personal data protected?
We have taken all the appropriate organizational and technical measures to protect your personal data from misuse, tampering, loss, unauthorized access, modification or disclosure. The measures we use include the implementation of appropriate measures in access control, technical security of information as well as ensuring that personal data is encrypted, pseudonymized and made anonymous, where necessary and feasible.
Access to your personal data is allowed only to our competent employees and associates and only if it is necessary to support Mediplan’s activity, and is subject to strict contractual obligations of confidentiality, when assigned and processed by third parties.
4.14 How can I contact the Company?
You can contact us at the address of our headquarters in Athens, 20 Katehaki Street, PC: 115 25 or at the e-mail address gdpr@mediplan.com.gr or submit a request through the Contact form on our website.
4.15 Updating this Policy
This policy will be revised if necessary to adapt to legislative changes. Any changes will be published with a simultaneous revision of the last update date at the top of this statement – Privacy Policy.
Athens 1/2/2022