Privacy and Personal Data Protection Policy
Table of contents
List of Tables
In its daily operations, Hellenic Dairies S.A. uses a wealth of data, related to identified individuals, included data related to:
The purpose of this policy is to describe the relevant legislation and to present the steps, followed by Hellenic Dairies S.A., to ensure its compliance with it.
This audit is conducted on all the systems, the people and the procedures of Hellenic Dairies S.A., also including the members of the board of directors, the service officers, the employees, the customers, the suppliers, the collaborators, the subcontractors, and other third parties, who have access to the systems of Hellenic Dairies S.A..
The General Data Protection Regulation 679/2016 (GDPR) is one of the most important pieces of the legislation, which specifies the way in which Hellenic Dairies S.A. performs operations related to data processing. In the case of breach of GDPR, which is designed to protect the personal data of all those residents in the European Union, significant fines are likely to be imposed. It is Hellenic Dairies S.A. policy to ensure that compliance with GDPR and other relevant legislation is clear and can be proved at any time.
GDPR includes 26 definitions in total, the most basic of which, related to the specific policy, are cited below:
Personal Data is defined as:
any information related to an identified or identifiable natural person (“data subject”); the identifiable natural person is the one that can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons.
”processing” is defined as:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; Where the purposes and the means of this processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by the Union law or by Member State law.
There are some basic principles on which GDPR is based.
These are listed below:
Hellenic Dairies S.A. must ensure compliance with these principles, both at current processing and at introducing new processing methods, such as new information systems.
The data subject shall also have rights, with regard to GDPR. These include:
Each of the rights of the natural persons shall be supported by appropriate procedures by Hellenic Dairies S.A.. These procedures ensure that the required actions are made in the framework of the timelines, suggested in GDPR.
These timelines are presented in Table 1.
|Data Subject’s Requests||Timeline|
|Right to information||The moment the data is collected (insofar as it is collected by the data subject) or within a month (insofar as it is not collected by the data subject)|
|Right to access||One month|
|Right to rectification||One month|
|Right to erasure||Without undue delay|
|Right to restriction of processing||Without undue delay|
|Right to data portability||One month|
|Right to object||Upon receiving an objection|
|Rights related to automated decision-making, including profiling.||Not specified|
Unless required for reasons permitted by GDPR, explicit consent should be obtained by the data subject for the collection and processing of his data. In the case of children under 16, consent should be obtained by the parent / guardian. The data subjects must be informed about their rights –in relation to their personal data – such as the right to consent, the time their consent is received. The information, which concerns the rights of the data subjects, must be easily accessible, free of charge, and written in a clear way.
If the collection of personal data is not performed directly by the data subject, then this information is given within a reasonable time after obtaining the data, and certainly, no later than a one-month period.
Hellenic Dairies S.A. has adopted the principle of data protection by design and shall ensure that the definition and design of all the new or the significantly modified systems, which collect or process personal data, shall give due consideration on issues of information security and personal data protection, including carrying out one or more data protection impact assessments (Impact Assessments – DPIAs).
The data protection impact assessment includes:
The use of techniques such as data minimalization and pseudonymization must be taken into consideration in cases where their implementation is appropriate and feasible.
Transfer of personal data outside the European Union must be carefully considered and before the transfer takes place, in order to ensure that it is done in accordance with the framework, which has been stipulated by GDPR. This partially depends on the judgment of the European Commission, as well as on the adequacy of security, which is implemented regarding the personal data in the country that will receive the data and may be altered over time.
The international transfer of data within organizations must be subjected to legally binding agreements, which grant rights to the data subjects.
In the framework of GDPR, the assignment of a Data Protection Officer (DPO) is required, in the case that the organisation is a public authority, it performs large scale processing, or processes particularly sensitive data categories on a large scale. The DPO must possess the appropriate level of knowledge and may either come from the same organisation or be an external partner.
On the basis of these criteria, we consider that the assignment of a Data Protection Officer is not required at Hellenic Dairies S.A.
It is a policy of Hellenic Dairies S.A. to inform all those required, in the case of breach, related to personal data, in a fair and respective manner. In line with GDPR, when it becomes known that a breach, which might result in jeopardizing the rights and freedoms of the persons, has taken place, the Hellenic Data Protection Authority (HDPA) shall be informed within 72 hours. This will be performed in accordance with the Information Security Incident Management Procedure of Hellenic Dairies S.A..
Under GDPR, the respective HDPA shall be authorised to impose a range of fines up to 4 per cent of the annual worldwide turnover or twenty million euros, whichever of the two is larger, for breach of the Regulation.
The following actions have been taken to ensure that Hellenic Dairies S.A. shall comply, in any case, with the accountability principle of GDPR:
These actions shall be inspected on a regular basis, as part of the management inspection procedure of the Personal Data Protection Program.