PERSONAL DATA PROTECTION POLICY

1. Purpose and scope

The company INGROUP is committed to the protection of personal data and to the avoidance of personal data misuse.

This policy applies to all the company’s employees, agents and contractors, as well as to third parties and establishes a minimum standard for the processing of personal data within the Company and therefore determines the functions.

2. Content

   1. Legal basis

This policy is in line with the E.U. General Data Protection Regulation (GDPR) and the Greek Law no. 2472/1997 (Government Gazette issue number 50/ Fascicule A/ 10.4.1997) for the protection of the individual from the processing of personal data, as amended and currently in force, as well as with the secondary legislation/ Opinions/ Decisions issued by the Hellenic Data Protection Authority and with any relevant sectoral legislation.

1. 2. Definitions

As personal data is understood the information that may relate to a person. Such data are considered as personal when the person to whom they relate may be identified.

As special categories of personal data (also known as sensitive personal date) are understood the data in respect of:

1. religious, philosophical or political trade union beliefs or activities;

2. as well as genetic or biometric data, data health, private life or racial or ethnic origin, the person’s sexual life or sexual orientation;

3. prosecution of criminal offences and sanctions.

As personality profile is understood the collection of data allowing the assessment of a person’s characteristics and therefore of important aspects of his/ her personality.

An example: The personality profile may consist in the collection of data combining various information such as social contacts, political and personal views, financial situation, state of health as other information regarding the data subject so that to form a broad picture in respect of the latter.

As data subject is understood the natural persons to whom personal data refer.

As data processing is understood any activity concerning personal data irrespective of the means used or the procedure as for instance the collection, storage, use, review, disclosure, archiving, projection and destruction of personal data.

As data file is understood any stock of personal data which is structures in a way allowing the removal of the person in question from the data. For example. Any information technology tool comprising personal data.

As sharing is understood the access to personal data, for example by allowing the access, the transfer or disclosure.

The assessment of the impact to privacy is a systematic procedure for the detection, assessment and documentation of the risks and consequences of the personal data processing activities.

As Data Controller is understood the legal person which makes decisions on the purpose, the content and the procedure of the personal data processing,

As Data Processor is understood the natural or legal person which is processing the personal data pursuant to the instructions of the Data Controller.

As Data Protection Officer is understood the person who is responsible for the coordination of the protection of personal data within the company INGROUP. The Data Protection Officer provides advise in respect of the personal data processing activities and monitors the compliance of employees with the company’s data protection policy.

1. 3. General obligations in the processing of personal data

      1. Principles of data processing

Any person who is processing personal data must comply with the following principles.

1. 1. 1. 1. Lawfulness of processing

The personal data may be subject only to lawful processing. The Data Processor must ensure compliance with this policy and the relevant laws and regulations.

1. 1. 1. 2. Consent

Prior to the personal data processing the subject of the personal data should have been duly informed and have consented thereto actively by his/ her own will. The consent may be given expressly or tacitly, as for example by providing personal data to the Data Controller. Although the provision of a written consent is not required it is advisable to obtain a written consent and authorized recordings so that the existence of such consent is evidenced (for example before the courts and the authorities). The data subject may withdraw his/ her consent at all times.

No consent shall be required in the following cases:

1. If the data subject has made his/ her personal data publicly accessible, as for example information given to a newspaper or to public telephone directories and he/ she has not barred the processing thereof;

2. For the performance of an agreement in which the data subject is a party;

3. So that measures are adopted upon the request of the data subject before the entering into of an agreement;

4. For the compliance with the obligations of the Data Controller as defined by law;

5. For the protection of the vital interests of the data subject or of another natural person;

6. For the fulfilment of a duty carried out for the general interest or in performing public power assigned to INGROUP.

7. If the legal interests pursued by INGROUP or any third party prevail over those of the data subject, unless the fundamental rights and the freedoms of the data subject take precedence over the prevailing interests in question. In case of doubt, please contact INGROUP’s Data Controller.

1. 1. 1. 3. Information duty

The data subject needs sufficient knowledge of the personal data collected and of the purpose of the relevant processing before giving his/ her consent.

The data subject must be informed at least as regards:

1. The identity of the Data Controller (in most cases);

2. The contact details of the Data Controller;

3. The kind of personal data that are subject to processing;

4. The purpose of the processing;

5. INGROUP’s legal interest for the processing of personal data on a case-by-case basis;

6. The categories of the recipient of the data if there is to be a sharing;

7. The details of any trans-border transfer that may be provided;

8. The period of retention of the data or the criteria used for the determination thereof;

9. Whether an automated decision making is applied and the importance of the processing for the data subject;

10. Guidelines relating to the rights of the data subject;

1. 1. 1. 4. Purpose of the processing

The personal data may be subject to processing only for the purpose declared at the time of collection or for the purpose prescribed by law. As regards consent, please refer also to Clause 2.3.1.2.

The processing of personal data must be carried out in good faith and the data so collected or stored should be necessary for the fulfilment of the processing’s purpose.

Each person who is processing data is responsible for ensuring that processing is lawful and in accordance with the purpose for which the data were collected.

1. 1. 1. 5. Personnel records

The records of the personnel and personal data regarding INGROUP’s employees are classified as “confidential” information.

INGROUP’s employees may check their personal records and ask for information regarding personal data concerning the same. The application for information or control may be submitted either orally or in writing.

1. 1. 1. 6. Data quality

Each person who is processing personal data must ensure that data are correct and complete.

INGROUP must adopt all reasonable technical and organizational measures to ensure that any personal data that are wrong or incomplete will be corrected or destroyed.

1. 1. 1. 7. Assessment of the impact to privacy

Each person who is processing personal data must make an assessment of the impact to privacy, each time that the processing schedule may put at high risk the rights and freedoms of the data subject.

The purpose of the impact’s assessment is to evaluate and mitigate the risks against data’s privacy. The assessment must be carried out before the commencement of the high-risk processing activities.

The high-risk processing activities include:

1. A systematic and extensive assessment of the subject’s personal data. In particular, if the personal data are subject to an automated processing, if the processing comprises the creation of a personality profile and if the decisions affecting the rights and obligations oof the data subject are based on such assessment;

2. The processing of sensitive personal data in a large scale;

3. A systematic and large-scale monitoring of a publicly accessible space, for example, the use of a television system monitoring a public space.

The assessment of the impact to privacy must be duly documented and carried out with the assistance of the Data Protection Officer. When the assessment of the impact to privacy leads to the conclusion that there is a high risk for the data subjects, then the supervising authority must be informed and give its opinion regarding the appropriate measures for the reduction of risks.

1. 1. 1. 8. Disclosure to third parties

The personal data are disclosed to third parties only when this is necessary. The personal data are made anonymous on a case-by-case basis.

The Data Processor acting for the account of INGROUP, for example a contractor or a service provider, must contractually agree to process the personal data in accordance with this policy. The terms of this policy must be included by reference in the relevant contracts.

1. 1. 1. 9. Cross-border personal data sharing

The personal data may ne transferred abroad only when the foreign law provides for an adequate level of data protection. In the event that the foreign law does not provide an adequate level of data protection, then the personal data may only be transferred to such country of the data subject has expressly consented to the transfer or of the data protection is provided for by the relevant data transfer agreement.

INGROUP shall employ the appropriate staff and adopt the technical and organisational measures required for the minimisation of the risk of unintentional or intentional infringement, destruction or loss of the personal data.

More particularly, INGROUP shall adopt protection measures for the protection of personal data against non-authorised access and processing. To that effect the technological innovations shall be taken into account and safety procedures adapted to the processing’s specificities shall be determined.

1. 1. 1. 10. Data storage and retention

The personal data are stored only if this is required for the fulfilment of the purpose for which the data have been collected. The conditions of the storage and the data storage periods are set out in INGROUP’s Data Retention Policy.

1. 1. 2. Rights of the data subject

Each data subject shall have the following rights according to the General Data Protection Regulation (GDPR):

1. The right of information;

2. The right of access;

3. The right to rectification;

4. The right to erasure;

5. The right to restrict processing;

6. The right to data portability;

7. The right to object;

8. The right not to be subject to a decision based solely on automated processing.

The employees of INGROUP shall comply with the data subject’s application for access and, if required, shall seek advise from the Data Protection Officer. For further information regarding the content of each right please refer to INGROUP’s Data Subject Applications Handling Policy.

1. 1. 3. Data infringement recording

Any breach of this policy as well as of the relevant laws and regulations on data protection constitutes an infringement of personal data. Such breaches include the unlawful destruction, loss, alteration, non-authorised disclosure as well as the processing of data for any purposes other than those declared upon collection.

The person who detects an infringement of personal data must take the appropriate measures for the personal data protection from further effects and to promptly report the infringement to the Data Protection Officer.

The Data Protection Officer shall systematically document the infringements that have been notified and assess the reasons for such infringements. Moreover, the Data Protection Officer adopts further the requisite measures for the restoration of the situation and the prevention of repeated infringements.

1. 1. 4. Data infringement notification

INGROUP must notify the infringement of data to the relevant supervising authority within 72 hours as from the moment it shall become aware of the same.

Furthermore, in the event that it is likely that the infringement of personal data lead to a high risk for the rights and freedoms of the data subjects, the latter must be promptly informed. For further information please refer to INGROUP’s Data Infringement Management Policy.

1. 1. 5. Data records documentation

INGROUP shall keep a list of all databases and files containing personal data. The list shall include at least the following information:

1. The name and surname and the contact details of the Data Processor and of any other party being jointly responsible for the processing of data;

2. The name and surname and the contact details of the Data Protection Officer;

3. The description of the database or the file;

4. The purpose of the database or the file;

5. The description of the categories of personal data subject to processing, e.g. address, information relating to health etc.;

6. The description of the categories of the data subjects;

7. The description of the categories of receivers of the data to whom the latter have been disclosed or are to be disclosed including the receivers in third countries;

8. The description of the trans-border transfer of data;

9. The prescribed time-limits for the erasure of the various data categories, where this is practicable;

10. A general description if the technical and organisational safety measures, where this is practicable.

The data files are classified depending on their need for protection. The data files with special protection need, such as collections containing sensitive personal data or personality profiles, should be deposited in separate files, be labelled accordingly and be subject to an assessment of impact to privacy as defined in Clause 2.3.1.7.

1. 1. 6. Education and awareness

Each INGROUP employee dealing with personal data is trained in data protection and data safety issues. Upon the commencement of his/ her employment with INGROUP the employee receives a first update and subsequently relevant training sessions take place in regular intervals.

1. 4. Obligations for the development of systems and new business procedures

The data protection is an integral part of INGROUP’s technological development and organizational structure. As a consequence, in the assessment of existing business procedures and the data processing systems or in the introduction of new ones the following principles should be taken into account:

2.4.1 Assessment of the impact to privacy for new processing activities

The assessment of the impact to privacy must be carried out each time that are introduced new technologies or data processing activities that may lead to high-risk personal data processing.

The details of the assessment of the impact to privacy are set out in Clause 2.3.1.7 of this Policy.

2.4.2 Principles of privacy protection by design

When new data processing systems are introduced, the Data Protection Officer must ensure a high standard of data protection. More specifically, each new system and procedure must comply with the following principles:

1. Technical and organizational measures must be adopted in order to ensure the systematic and safe management of the personal data life cycle from collection to processing and to erasure.

2. The data processing systems should aim at collecting as few as possible personal data for the fulfilment of the purpose for which such data have been collected.

3. Where the anonymisation of data does not impair the purpose of the data processing, such personal data must be made anonymous so that the data subject may not be identified anymore.

4. In case the personal data cannot be made anonymous, then safety measures adapted to the data’s nature must be adopted, such as pseudonymisation, encryption or access limitation.

5. The access to personal data is granted pursuant to the “need-to-know” principle which means that personal data are only made accessible to those persons who require it in order to fulfil the roles and duties assigned to them.

6. The systematic quality control of personal data must be part of the data’s life cycle management so that to ensure data of high quality. More particularly, procedures for the detection and rectification of false or incomplete personal data should be established.

7. The data processing systems must be adequately protected against non-authorised access by means of technical and organisational measures.

8. The data subjects should have at their disposal transparent, user-friendly and efficient means of control in respect of their personal data.

1. 4. 3. Principles of privacy protection by default

The data processing systems should be regulated so that the strictest secrecy arrangements apply automatically, i.e., by default.

The extensive personal data processing is only authorised if the data subject chooses or agrees upon a lower level of safety, e.g., by substituting him/ herself the secrecy arrangements in a website, a computer tool or anything similar for a less restrictive choice and therefore agrees upon an extensive processing (“opt-in”).

2.5 Functions

2.5.1 Data Controller

The Data Controller who is expected in most cases to be INGROUP is responsible for the correct processing of data and the compliance with the data protection and data safety requirements as the same are defined in this Policy or pursuant to the applicable laws. More specifically:

1. for the compliance with the principles of “privacy protection by design” and of “privacy protection by default” in the development of new data processing activities;

2. for the proper attribution of the data subject’s rights;

3. for the carrying out of the assessment of the impact to privacy for the processing of personal data with the assistant of the Data Protection Officer;

4. for the appointment of the Data Processor;

5. for the notification of a breach of the data to the supervising authority and to the data subject (as the case may be).

2.5.2 Data Processor

The Data Processor is responsible for the processing of personal data pursuant to the instructions given by the Data Controller. Moreover, the Data Processor is responsible for notifying promptly the Data Controller of any data protection breach.

The Data Processor must be contractually bound that any contractor who may be assigned the data processing shall abide by the same instructions given by the Data Controller.

2.5.3 Data Protection Officer

The Data Protection Officer is responsible for the coordination of personal data protection. More particularly, the Data Protection Officer:

1. is monitoring in an independent manner the company’s compliance with applicable laws and regulations on data protection;

2. is monitoring in an independent manner and applying future explicative communications of the European Union Commission relating to the implementation of the provisions of the GDPR;

3. is supporting the Executive Management in securing compliance with data protection;

4. is monitoring in an independent manner compliance with this Policy on a regular basis;

5. keeps the list of databases and the list of the infringements of data protection;

6. is monitoring and assists in the assessment of the impact to privacy;

7. is responsible for answering to requests for information by data subjects;

8. is responsible for developing an educational view regarding awareness in respect of data protection and advising the staff that is processing data and especially INGROUP’s employees in terms of their obligations regarding processing;

9. is acting as a liaison of the supervising authorities in matters relating to data processing and cooperates with the authorities in respect of any other issue.

The Data Protection Officer regularly submits to the Executive Management a report relating to his/ her work and to the status of the data protection.

2.5.4 Executive Management

INGROUP’s executive management is responsible for the application of this Policy and for making the requisite staff and financial resources available. INGROUP’s Directors have to apply this Policy in their field of responsibility and to ensure that the employees and all individuals and entities for which they are responsible, and they are aware, they acknowledge and abide by the requirements of this Policy and they have undergone the appropriate training in order to adequately fulfill such duty.

2.6 Breach of the data protection Policy

The sanctions, if any, and the damage caused by the breach of data protection are serious both for the person who commits the breach and for INGROUP.

Any breach of this data protection Policy may entail disciplinary proceedings and even dismissal. The breach of obligations imposed by laws or regulations may be reported to external authorities and result in penal, civil or regulatory sanctions.