1. Purpose, Scope
Universal Certification Solutions (UNICERT), hereinafter referred to as “UNICERT”, shall use its best efforts in order to comply with the legislation related to Personal Data Protection in its market sector. The current Policy lays down the key principles based on which UNICERT processes the personal data of its customers, employees, suppliers, partners and other persons. This Policy is also applied by UNICERT in its subsidiaries whose head office is in Greece and which UNICERT controls directly or indirectly. All employees, with contracts of indefinite duration or fixed-term contracts, as well as all subcontractors who work for UNICERT are bound by the current Policy.
2. Key Definitions
The key definitions of the terms used in the current document follow, as they are laid down in Article 4 of the General Data Protection Regulation (GDPR), so that the data subject will become familiar with the Regulation’s terminology.
Personal Data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, especially by reference to an identifier, such as a name, identity card number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Special Categories of Personal Data: Personal data which, essentially, are especially sensitive with respect to fundamental rights and freedoms, require special protection, since the scope of their processing may create important dangers which will affect such fundamental rights and freedoms. Such data include personal data which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the undisputed identification of a person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
Controller: A natural or legal person, a public authority, agency or other body which, alone or jointly with others, determines the purposes and the manner of personal data processing.
Processor: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Processing: every act or series of acts realized with or without the use of automated means on personal data or on aggregates of personal data, such as the collection, registration, organization, structure, storage, adaptation or modification, recovery, search of information, use, disclosure by forwarding, dissemination or any other form of disposal, correlation or combination, limitation, erasure, or destruction.
Authority: The Authority of Personal Data Protection.
3. Key principles that concern Personal Data Processing
UNICERT, as controller, strictly abides by the principles of data protection which are defined in Article 5 of the General Data Protection Regulation (GDPR).
3.1. Lawfulness, Objectivity and Transparency
UNICERT processes personal data lawfully, objectively, and transparently as far as the data subjects are concerned.
3.2. Purpose Restriction
Private data are collected only for special, explicit, and lawful purposes and they are not processed for any other purpose.
3.3. Data minimization
UNICERT maintains accurate personal data of data subjects and ensures that their maintenance is limited to what is necessary in relation to data processing purposes. At the same time, it applies suitable technical means in order to achieve the above objectives.
The personal data maintained by UNICERT are accurate and updated. Measures are taken to ensure that personal data which are inaccurate with respect to the purpose for which they are processed are erased or corrected within a reasonable time.
3.5. Storage Time Limitation
Personal data are maintained for a time period not greater than necessary for the purpose for which UNICERT processes them.
3.6. Integrity and Confidentiality
Taking into account the technological level and other available safety measures, the cost of application, as well as the probability and gravity of dangers concerning the personal data, UNICERT uses suitable technical or organizational means for personal data processing, in a way that guarantees the proper safety of the personal data and their protection from accidental destruction, loss, damage, and unauthorized or illegal processing.
UNICERT is responsible to prove and can prove its compliance with the General Data Protection Regulation to the competent Authority of Personal Data Protection.
4. Privacy Notice, Consent and Rights of Data Subjects
4.1. Notification of Data Subjects
Before the collection of personal data, or during their collection for any processing activity undertaken by UNICERT, including among other things the sale of products, services, or marketing activities, UNICERT is responsible to provide the necessary information to the data subjects and, specifically, information concerning the types of personal data collected, the processing purposes, the processing methods, the rights of the data subjects concerning their personal data, the period of registration, possible international data transfers, if the personal data are given to third parties within the scope of cooperation with them, as well as the security measures taken by UNICERT to protect the personal data. This information is provided by the Privacy Notice.
When the legal basis of personal data collection is the consent of the data subject, UNICERT is responsible to ensure that data subjects grant their consent freely, by an affirmative action, explicitly, with full awareness of the content of the text to which they consent. UNICERT offers to the data subjects the opportunity to withdraw their consent at any time. Whenever a collection of personal data of children under 16 years old occurs, UNICERT ensures that the Parent has granted his consent before the data collection. Personal data processing must take place only for the purpose for which the data were initially collected. If UNICERT wishes to process collected personal data for a different purpose, it must request the consent of the data subjects explicitly, by a specific written statement. Any such request must contain the initial purpose for which the data were collected, as well as the new or additional purpose/purposes.
UNICERT shall use its best efforts to ensure that the number of personal data collected is limited to a minimum. If the personal data are collected by a third party, UNICERT ensures that those data are lawfully collected.
4.4. Relation of UNICERT with Third Parties
In case that UNICERT uses a third party, a supplier or commercial associate to which it assigns the processing of personal data on its behalf, it ensures that the processor will provide all suitable means of safety and protection of personal data in order to cope with all probable relevant dangers. UNICERT shall use its best efforts in order to ensure that its suppliers or commercial associates process personal data only to accomplish their conventional obligations to UNICERT and for no other reason, and always according to its instructions.
4.5. Rights of Access of Data Subjects
UNICERT, as the Controller, is responsible to provide to the data subjects a mechanism of access to their personal data that will allow them to revise, correct, erase, or transfer such data.
4.6. Data Portability
Data Subjects have the right to receive, at their own request, a copy of the data which they have submitted to UNICERT in structured form and transfer those data to another controller. UNICERT is responsible to ensure that those applications are dealt with within a month, provided that such demands are not clearly unfounded. During the exercise of his right to data portability, the data subject has the right to request the direct transmission of personal data by one controller to another, if this is technically feasible.
4.7. Right to Erasure
At their own request, Data Subjects have the right to ask UNICERT to erase their personal data. UNICERT will immediately proceed with the required actions (including technical operations) to satisfy the request and will ensure the same behavior from third parties which may use or process personal data on its behalf.
5. Response to Personal Data Breaches
When UNICERT discovers a potential or actual personal data breach, it will immediately carry out an internal audit and it will take the necessary rectification measures within a reasonable time, according to the Policy of Personal Data Breach. If the rights and liberties of data subjects are threatened, UNICERT must report the breach to the Authorities without delay and, in any case, within the next 72 hours.