Πρακτική GDPR

The Société Anonyme under the name "ATLANTIS CONSULTING SA", based in Thessaloniki (Steliou Kazantzidi 47, PC 57001, Pylea), VAT number 082926167, as data officer (hereinafter referred to as “The Company"), in the framework of the General Data Protection Regulation of the European Union 2016/679, which entered into force on 25.05.2018 (hereinafter referred to as "GDPR"), as applicable at all times, hereby provides information regarding the processing of Personal Data and your rights (hereinafter referred to as "PD"). The GDPR replaces the existing legal framework on the protection of each individual from the processing of PD.

This regulation applies for individuals who maintain any contractual or transactional relationship with the company, in any capacity, such as customers, suppliers, their legal representatives, or legal entities.

The Company, in compliance with the applicable legal status, has taken all necessary steps, applying appropriate technical or organizational measures for the legal maintenance, processing and safe keeping of the PD, and is committed to safeguard and protect by any suitable means of processing PD from loss, leakage, alteration, transmission or any other form of unlawful processing.

The collection and processing of PD depends on the agreed service or assigned project in each individual case, on a case by case contractual relation that connects the Company with the data subject, on the legal obligations imposed by the legislation in force and the subject's consent, as appropriate.

They shall be processed within the clearly defined purposes, based on the principles of legality, objectivity and transparency, limitation of purpose and storage period, data minimization, accuracy, integrity and confidentiality and within the framework of necessity that governs each processing operation. At the same time, technical and organizational security measures in compliance with the above system of principles, as well as periodic review and updating, shall be ensured.

This PD protection statement:

• provides an overview of the purpose, type, process and manner, in which the company collects and processes personal data and informs you of your rights under domestic law and the GDPR.
• addresses to individuals who are existing or potential customers, authorized representatives / agents, legal beneficiaries / individuals of the existing or potential customers or partners or suppliers, potential employees, internal and external partners, as well any other person whose personal data are in our possession in any way, by consent or other legal relation.
• concerns the active relation with the above legal entities / individuals, for the period during which legal effects arise, or, as stated by law in any other case.
• contains information about when your PD will be disclosed / exchanged with other third parties (for example, external partners, service providers, etc.).

In this PD protection statement, references to the provisions of the GDPR are made, with indicative references:

“Personal Data (PD)” means the information related to identifiable individuals (“data subjects”), whose identities can be directly or indirectly identified, particularly by reference to identity data, location data, or one or more factors that characterize the physical, physiological, genetic, psychological, economic, cultural or social identity of the individual in question.

"Personal Data processing" means any operation or series of operations performed with or without the use of automated means, such as the collection, registration, organization, structure, storage, adjustment or alteration, retrieval, search for information, use, disclosure, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction of PD.

“Data Protection Officer (DPO)” means the physical or legal person, public authority, agency or other entity that, individually or in conjunction with others, determines the purposes and manner of processing PD - when the purposes and manner of processing it are defined by European Union law or the law of the Member State. The DPO or the specific criteria for his appointment may be laid down by European Union law or the law of the Member State.

1. Information of the Company

"ATLANTIS CONSULTING SA" is a registered private entity, Société Anonyme (SA), based in Thessaloniki and established in 1992. Headquarters address: Steliou Kazantzidi 47, PC 57001 Pylea. e-mail: info@atlantisresearch.gr

Grigorios Kalamakidis has been designated as IFRS of our company and his contact details are: address: 47 Steliou Kazantzidis, PC. 57001, tel .: 2310 531000, ext .: 107, Pylea Thessaloniki and email: info@atlantisresearch.gr

The above postal and email addresses shall accept any written requests, as provided herein, either electronically or in paper form (by the DPO itself or by a person having a signed authorization).

Identification of PD and their Collection Sources

The Company processes PD, submitted by you or your legal representatives that are necessary for the initiation, maintenance and performance of your existing and future contractual and business relationships, depending on the arranged projects or services and their procedures and policies. The PD you provide to the company must be complete and accurate, otherwise updated immediately, with your own due diligence, whenever they change or whenever necessary in the context of your relationship with the Company. Specifically:

We collect and process different types of personal data that we receive from our existing/potential customers or third parties (in person, through their representatives or through alternative communication channels, such as our website), in the context of a business or other legal relation with them.

Also, in the context of the contract with employees and external partners, we collect personal data necessary to initiate and enforce the contract as required by law.

If you are a prospective client or counterparty (e.g. prospective supplier, affiliate, subcontractor, etc.) legal or authorized representative of an individual/legal entity who is a prospective client, the relevant PD we collect include: name, surname, contact information (telephone, email), IDs, bank account information, VAT, qualifications of education, licenses and other professional certificates, extended CV.

The collection and processing of the above PD is appropriate, based on the principles of necessity and proportionality, for initialization, execution and maintenance of a contractual or transactional relationship between us. In this context, your possible objection to the provision or processing of your PD, may result in the inability to start or continue your relationship with the company.

2a. Specific categories of PD

The Company does not process any specific category of PD. Consequently, no data related to your racial or ethnic origin, your political beliefs, your religious or philosophical beliefs, your affiliation with any organizations, your genetic or biometric data, health or sex-related information or data, are processed to identify you as an individual, unless explicit consent has been given for that purpose. The Company does not process PD on children or other sensitive groups.

3. PD Provision Obligation

In order to be able to pursue a business or other partnership relationship with you, you must provide your PD to the Company, which is a prerequisite for starting and executing a business relationship and fulfilling our contractual obligations, as required by law.

You must therefore provide to the Company all the necessary details of your ID / passport and other details required by the contract, your address, your VAT and Social Security number, as well as your telephone number and e-mail address, that are necessary to be included in the contract and perform it properly.

4. Legal Base of PD

As mentioned before, we are committed to protect your privacy and handle your data in an open and transparent manner and, as a result, process your PD in accordance with the principles of GDPR and domestic law, for one or more of the following reasons:

A. For the initiation and execution of a contract

We process PD that you provide to the Company in the framework of our contractual relationships, for as long as required for serving, supporting and monitoring the contract by the law (tax, insurance, labor and other kinds of legislation).

B. For legal obligation compliance

We process PD as part of our legal obligations arising from applicable laws (tax, insurance, labor, etc.) and regulatory / legal requirements.

C. For protecting legitimate interests

We process personal data in order to safeguard the legitimate interests pursued by the Company or third parties. There is a legitimate interest when we have a reasonable business or commercial reason for using your information or for protecting the Company’s property, reputation, professionalism and preventing criminal acts against them.

In any case, however, the fundamental rights of the entities are safeguarded and treated, as far as possible, in accordance with the principles of the GDPR and with respect to necessity and proportionality.

Examples of such activities are:

• Creating legal claims and preparing our defense in litigation.
• The means and procedures we use to ensure the security of information systems, the prevention of possible criminal activity, the security of assets, access controls and anti-infringement measures.
• Installation of surveillance systems (video surveillance system), e.g. to prevent crime and protect our property.
• Measures for managing businesses and for further development products and services.
• Risk management of the Company.

D. After you consent

Once you have explicitly given us your legal consent to processing (except for the reasons set above that derive from the contractual binding relation), the legality of this processing is based on that consent. You have the right to withdraw your consent at any time, in accordance with the law regulations, by submitting a written request to the postal or electronic address of the controller. However, any processing of personal data prior to the receipt of your recall shall not be affected, and the request shall not be required to comply with it if there is another overriding legal reason.

4A. Processing Purposes

The processing of your PD concerns:

• Serving, supporting and monitoring your business and contractual relationships with the company, fulfilling its obligations as responsible and exercising of its legal contractual rights.
• The registration, recording, organization and realization of all kinds of requests and complaints to the Company, which are submitted either in writing, electronically or orally (by telephone through our call center), for establishing business or contractual relations and for protecting them.
• Upgrading of the services provided by the company and its affiliates, under legal conditions.
• Fulfillment of the legal obligations of the company arising from the applicable legal and regulatory framework (e.g. tax or insurance provisions).
• Protecting the legal interests of the company, including but not limited to: litigating its legal claims before competent judicial authorities or other out-of-court or alternative litigation bodies, preventing prosecutions, evaluating and optimizing security procedures and procedures, operational risks, physical security and the protection of persons, property and property.

5. PD Recipients

When performing our contractual and legal / regulatory obligations, your personal data may be disclosed to various parts of the company or service providers or suppliers that need the data, in accordance with their respective contractual / regulatory framework, against which the necessary precautions have been taken to protect and process your data lawfully, under the supervision of the legal representative. All third parties to which PD are disclosed will respect the principle of confidentiality and will operate in accordance with data protection following the domestic law and the principles of the GDPR. Likewise, all processors assigned by us to process PD on our behalf are bound by a contract to comply with the provisions of the GDPR.

Under the above circumstances, the recipients of PD may be:

• Legal entities, which the DPO has partially or fully entrusted the processing of PD on its behalf and have a confidentiality commitment with the Company, or have a contractual relationship that specifies the purpose and the duration of the processing, the type of PD to be processed, and the rights of the company, under a regulatory obligation to maintain confidentiality, such as, the associate accounting firm of the Company.
• Transfer that is required for the commencement or execution of a business or contractual relationship in the event of non-performance of its obligations (e.g. transfer to associate lawyers, law firms, bailiffs, notaries, engineers).
• Partner companies, partners, subcontractors that help us effectively deliver our services to our clients in the context of legally exercising contractual rights and fulfilling legal obligations.
• Affiliate companies for the promotion of company services through them, under the lawful conditions.
• Judicial authorities
• Companies of online transmission and storage, online and cloud service providers.
• Transmission or disclosure of any applicable legislative or regulatory framework or judicial decision.

6. Transmission of PD to a third countries or international organizations

The Company does not transmit PD to third countries or international organizations. (However, in any case, the transmission of PD which are submitted or have the intention to be processed shall be made only under the GDPR principles, as specified in Articles 44-49 and in any case shall take place by obtaining such consent, or when the transmission is necessary for the conclusion or execution of a contract, or for reasons of public interest, or for exercising and supporting legal claims).

Automated Decision Making and Profiling

While carrying out our activities we do not use an automated process for making decisions for creating a business/contractual relationship. However, if we may automatically process some of your data for the purpose of evaluating certain information (profiling - eg qualifications), in order to conclude or execute a contract with you or where permitted by Union law or a Member State or with your express consent. In such cases, the competent natural person of our company is involved in the decision making process and you are given all legal intervention rights.

8. PD processing & Profile creation for Direct Marketing purposes

We may process your PD to inform you of our products, services and offers that may be interesting to you/your business and serve your needs, in accordance with the definitions of law.

The PD we process consist of information you provide solely for informative and communication purposes. Profiling is not used for providing targeted product marketing information, meaning that we do not automatically process your data for evaluating certain personal information.

The Company may use your PD to promote our products and services only if you express your consent for it, or, if there is a corresponding legitimate interest in some cases, under applicable law.

You have the right to object or limit the processing of your PD at any time, for marketing, informative or communication purposes by contacting us at info@atlantisresearch.gr and submitting your written request.

PD compliance time

The Company will keep your PD for as long as we have a business or other legal relationship, or for as long as your lawful consent requires, or for as long as the tax and other laws of the state requires, or for as long as exercising our legal rights require, or for as long as the Company serves legitimate interests, or to the extent required by the Data Protection Authority instructions [as an individual or a representative/beneficiary of a legal entity].

10. Your Data Protection Rights

You have the following rights regarding the PD the Company holds, which you may exercise by submitting your written requests to the DPO by email or post office, using the relevant forms:

• Right of Access (Article 15, GDPR): You have the right to access PD that concerns you, their processing by the DPO and its purpose, the categories of PD and the categories of their recipients. This enables you to e.g. receive a copy of the PD we hold about you and verify that we process it legally.
• Right of Correction (Article 16, GDPR): You have the right to request the correction of inaccurate data or to fill in any missing PD the Company holds.
• Right of Erasure (Article 17, GDPR): You have the right to request the deletion of your PD [known as the "right to be forgotten"]. This allows you to request that we delete your PD when there is no reason to continue processing it, or it is not necessary for the purpose which the Company collected it, or there is no other legal basis for processing it, in accordance with the applicable laws and regulations.
• Right of Restriction (Article 18, GDPR): You have the right to apply for a restriction on the processing of PD that concerns you, if its accuracy is disputed, the processing is illegal, or if the purpose of the processing is missing under is no legitimate reason.
• Right to Object (Article 21, GDPR): You have the right to oppose the processing of your PD, for reasons related to your particular situation, in case the processing of your PD is assigned to the DPO in the exercise of public authority, or for third parties purposes. If you submit a complaint, the Company will no longer process your PD, unless we can prove compelling legitimate reasons for processing that override your rights.

• Right to Withdraw Consent (Article 7, GDPR): You have the right to withdraw or limit your consent to the processing of your PD at any time. Please note that any revocation of consent does not affect the legality of the consent-based treatment before it is withdrawn or revoked by you.
• Right to data portability (Article 20, GDPR): You have the right to request the portability of your data to another DPO, provided that it is based on your consent and is carried out by automated means. The enjoyment of this right is subject to the legal rights and obligations of the DPO to maintain the GDPR and to perform its duties towards public interest.

11. Exercising rights and complaint submission

or the exercise of your rights, any complaints regarding the GDPR shall be submitted to the email or postal address of the DPO, or in person at the Company (or via a third party, having a signed authorization). Special forms are available at the Company's headquarters upon request. Our company responds to your requests free of charge, without undue delay, within one month of their receipt, except in special cases, where the deadline may be extended by another two months, given the complexity or volume of requests. In the latter case, the Company shall inform you for the extension and the reasons of the delay within one month of receipt of the request. If the DPO finds your request unfounded or excessive, he has the right to charge a reasonable fee for its processing, taking into account the costs of it, or even refuse to comply. In the event that your request cannot be satisfied, the Company shall inform you without delay of the relevant reasons, and of your right to submit a complaint through the supervisory authority for GDPR, the latest within one month of its receipt (Personal Data Protection Authority (PDPA: Kifissias Avenue 1-3, PC: 11523, Athens, tel: 210-64.75.600, e-mail: contact@dpa.gr), where you have the right to submit a complaint if you believe that the PD that concerns you are not being processed in accordance with the applicable laws and regulations, but also for your right to appeal to the judicial authorities.