
Personal Data Protection Policy

This Personal Data Protection Policy (hereafter “Policy”) refers to the personal information collected, processed and used by “STELIOS KANAKIS S.A.” (hereafter “Company” or “We”) with registered offices at Acharnes Attica (4 Anemonis str.) and branch at Thessaloniki, Sindos Industrial Area (Zone C – P.O. Box 1055).

 

 

Introduction

Our Company processes personal data as an employer, prospective employer, supplier of products and services, for marketing related purposes and in the course of its operations and its standard business as a supplier for raw materials for confectionery, bakery and ice-cream.

It also processes personal information when co-operating with third parties / business partners and with respect to the visits to its website (more information on the process through the website available at: https://stelioskanakis.gr/en/terms-of-use).

 

Legal Framework 

This Policy complies with the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”), as in force, and with all applicable laws and regulations currently in force in Greece, including all applicable EU and national legislation, as well as derivative law / opinions / decisions issued by the Greek Data Protection Authority (“DPA”).

 

Definitions

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly. Different pieces of information which may, if gathered together, lead to the identification of a particular person are also considered personal data. Personal data that have been anonymized, pseudonymized or encrypted, but may be used for re-identification of a natural person, maintain their nature as personal data and fall within the scope of the GDPR. Any data rendered anonymous in such a manner that the data subject is not or no longer identifiable is not considered personal data. Data are indeed anonymous in this sense when anonymization is irreversible.

“Special categories of personal data”, also referred to as “sensitive data”, means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or health status, social welfare, sexual orientation or activity, criminal convictions and offences, or participation in related associations or entities.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The GDPR grants protection to personal data irrespective of the technology used for their processing. It is technologically neutral and applies to both automated and manual processing, as long as the data is organized according to specific criteria (e.g. alphabetical order). The way that data is stored (e.g. in an information system, via video-surveillance or in written form) is irrelevant. Personal data are subject to the requirements of the GDPR.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Data subject” means an identified or identifiable natural person, residing in the EU, whose personal data is processed and kept by the “controller”.

“Recipient” means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with the provisions of European Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person. Specifically: to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

“Data file” means a stock of personal data structured in a manner permitting the identification of a natural person (e.g. any information technology tool or application containing personal data).

“Transmission” means granting access to personal data in any way, manner, or form (e.g. by permitting access, dissemination or publication).

“Data protection impact assessment” means a systematic process for the identification, assessment and documentation of the hazards and consequences of personal data processing acts.

“Third Country” means any country not providing adequate protection of personal data, as stipulated in the GDPR.

                                            

Which data we process

We process personal data which include but are not limited to:

  • Information referring to the name, tax registration number – tax office, social security number, birth date and place, gender, contact details (full address, email address, phone number), passport, visas and ID numbers, bank details, driver’s license number etc. of our employees, name and tax registration number of their spouses, date of birth and other data evidenced by birth certificates of children and, in general, all information needed for the execution of a contract of employment;
  • Information referring to the name, mailing address, telephone numbers and other details and information that may be included in an application (such as pictures/photographs, educational qualifications, professional certifications and employment references) of job applicants;
  • Information referring to the name, surname, tax registration number – tax office, ID number, operation accounting number, country of registration, job title and role/function, mailing address (country, town, city, street etc.), phone number, email address etc. of our suppliers (in case of natural persons – individual enterprises) and those of their representatives and/or contact persons (in case of legal entities);
  • Information referring to the name, surname, tax registration number – tax office, ID number, operation accounting number, country of registration, job title and role/function, mailing address (country, town, city, street etc.), phone number, email address etc. of our service providers/contractors (in case of natural persons – individual enterprises) or their representatives and/or contact persons (in case of legal entities);
  • Information referring to the name and surname, tax registration number – tax office, operation accounting number, country of registration, job title and role/function, mailing address (country, town, city, street etc.), phone number, email address etc. of our clients (in case of natural persons – individual enterprises) or their representatives and/or contact persons (in case of legal entities);
  • Information referring to the name and surname, birth date, gender, home address/work address, phone number, email address, job title and role/function, years of service, employer’s details, education and professional experience, tax registration number and tax office of participants in seminars and demonstrations of the Company;
  • Information about the IP address, browser type and Internet Service Provider, websites visited, URL referred, date-time-duration of the visit, data extracted and files downloaded etc. of our website visitors.

 

Special categories of data (“sensitive personal data”)

Where necessary, we may keep information relating to a subject’s health, which could include reasons for absence and /or accident reports, as well as health exams results, medical reports and other health related data and records, as is the case with our personnel, within the framework of the Company’s obligation to have an occupational doctor in place and for the execution of a contract of employment and for reasons of sick pay or leave, etc. and/or group insurance policy, etc.

This information is used in order to comply with our health and safety and occupational health obligations, as well as to prevent professional danger, including in order to consider how an employee’s health affects the ability to work and fulfil the respective employment obligations.

We may also collect this kind of information (e.g. food sensitivities or allergies) for those participating in our seminars and demonstrations, with the purpose to protect and safeguard their life and physical integrity.

All above data and any other data that constitutes special category of data are lawfully collected and processed by the Company and, unless this is not authorized or required by law or such information is required to protect the subject in an emergency, we obtain the subject’s explicit consent.

 

Where we collect personal data from

The Company collects personal information:

  • Directly from the data subject, as is the case with job applicants, employees, clients’ representatives and suppliers’ contact persons etc.;
  • From internal sources, i.e. from the several departments of the Company and/or from the Company’s branch in Thessaloniki and/or from our employees (i.e. when someone recommends to us a job applicant or client or supplier etc.);
  • From third parties (including agents, intermediaries, suppliers, business partners, advisors of the Company etc.);
  • From publicly accessible sources, such as trade and business registers, other sector’s sources (publications, media, catalogues etc.), within the framework of exhibitions, internet sources, directories or newspapers etc.

Why we process personal data

Personal data is processed by our Company as necessary for the performance of our core business. In particular and as the case may be:

  • We process our employees’ and their spouses and children’s personal data in order to fulfil our contractual obligations towards them within the framework of the employment agreement executed between us (i.e. for reasons of wages and social security contributions payment etc.), as well as to comply with legal requirements (i.e. announcement to the authorities, social security payments etc.);
  • We process job applicants’ personal data in order to assess their applications and evaluate their overall qualifications and ability to work for us, having eventually prompt consent thereof, in which case they – either directly or through an agency or otherwise in question – have delivered their resume to our Company;
  • We process our suppliers’ (in case of natural persons) or (in case of legal entities) their representatives’ and contact persons’ personal data, in order to meet our contractual and legal obligations towards them, within the framework of the supply or services or other commercial agreements executed between us (for reasons of payment, invoicing, delivery of products etc.);
  • We process our clients’ (in case of natural persons) or (in case of companies) their representatives’ and contact persons’ personal data, in order to comply with our obligations arising by the business relationship therewith (for reasons of invoicing processing, delivery of products, payment etc.);
  • We process our contractors’ and service providers’ (in case of natural persons) or their representatives’ and contact persons’ personal data, in order to execute the contracting-services agreements (for reasons of invoicing, payment etc.);
  • We process the personal data of those participating in seminars and demonstrations, in order to comply with our contractual obligations towards them (i.e. for reasons of adjusting/customizing the relevant program, invoicing etc.), and occasionally for the protection and safety of their life and physical integrity during the seminars (as is the case when we collect information regarding food allergies etc.).

 

Without such data, the Company may not be in the position to conclude contracts with suppliers and customers, continue the employee-employer relationship and/or the contractors’ agreements etc., as the case may be.

In the cases where the processing is made to fulfill contractual obligations, the purpose of personal data processing is determined by the contract in place with the data subject, whereas in the case where the processing is dictated by law or regulation, the purpose thereof is usually related to provisions of commercial, industrial, trade or tax authorities and bodies or to serve authorities’ control purposes.

In certain cases, we need to process personal data to pursue our legitimate business interests, for example to prevent fraud, security breaches or potential crimes, for administrative purposes or to protect the Company’s assets and to improve our efficiency (as is the case with our CCTV systems, personal data required for clients’ complaints handling etc.).

Where this is the case, we try to never process a subject’s data where these interests are overridden by the subject’s own interests and we only use methods and technologies which are absolutely necessary, proportionate and implemented in the least intrusive manner, by appropriate means that ensure a balance with the subject’s fundamental rights and freedoms.

We also sometimes process personal data upon the subject’s consent (as is the case with those of our employees who consent to the processing of their personal data when voluntarily entering a group insurance policy or with those of our clients who have consented to our sending them newsletters, etc.).

In such cases the data subject may withdraw consent at any time, such withdrawal not affecting, though, the data processing up to the date of the withdrawal.

 

Monitoring / CCTV surveillance / E-mail correspondence

While on the premises of our Company, a data subject is in certain cases monitored through the use of a CCTV system, recording persons’ (visitors’, employees’, clients’ or suppliers’, associates etc.) images, for reasons relating to the subject’s personal safety and integrity and as precautionary/preventive measures against crimes or other possible dangers to the subject and to the Company (i.e. to protect the Company’s assets, equipment etc. from theft).

In addition, employees may be granted the use of corporate equipment (e.g. laptops, tablets, mobile devices, etc.), which may be able to be tracked via a pre-installed GPS tracking system. In such cases, the employees provide their consent regarding the data that may be stored or otherwise kept in such equipment as well as for transmission of such data (name, surname, geolocation etc.) to third party companies (e.g. the company repairing or otherwise technically supporting the above equipment).

It might also be that an employee is granted the use of a corporate car, which might be able to be tracked using a GPS tracking system. In such case, the employees provide their consent for their geographical location via the GPS, for further forwarding it to the company that supplies, technically supports or otherwise operates the GPS tracking system and/or to the company leasing or otherwise providing the Company with the above vehicle, as well as to the vehicle maintenance / repair service provider.

Any personal data (name, address, title/position, contact details) we send and/or receive in our e-mail or other electronic correspondence is processed in compliance with the GDPR and any other applicable law or regulation.

Our Company uses the personal data contained therein and any attachments thereto lawfully, fairly and in a transparent manner; for specified, explicit and legitimate purposes; and the correspondence recipients are duly informed that they have all rights provided for by respective legislation.

 

Principles regarding the processing of personal data

Kanakis S.A. ensures that every person handling or processing personal data adheres to the following principles:

  • lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes, made clear to the data subject upon collection of data and not for undefined purposes.
  • data minimization: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. They will not be further processed in a manner that is incompatible with those purposes.
  • accuracy: personal data shall be accurate and, where necessary, kept up to date, having regard to the purposes for which they are processed, and are rectified without delay.
  • storage limitation: personal data shall not be kept for longer than is necessary for the purposes for which the personal data was collected or is processed.
  • integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

 

Lawful processing

Kanakis S.A. as the controller, collects and processes personal data in a lawful manner. If the data is processed by a third party, this processor shall ensure compliance with this Policy and applicable laws and regulations. Processing shall be lawful only if and to the extent that at least one of the following applies (legal basis):

  a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  b) processing is necessary for the performance of a contract to which the data subject is party or in order to take measures upon the request of the data subject prior to entering into a contract;
  c) processing is necessary for compliance with a legal obligation to which the controller is subject (in accordance with the provisions of EU or domestic law);
  d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (in accordance with the provisions of EU or domestic law);
  f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

 

Consent

Kanakis S.A. ensures that, when the processing of personal data is based on consent, the data subject is informed and consents freely and willingly, prior to any processing. To demonstrate consent, the organization uses a written declaration or lawful recording of telephone calls. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Consent is not required in the following circumstances:

  a) for the performance of a contract to which the data subject is party;
  b) in order to take measures upon the request of the data subject prior to entering into a contract;
  c) for compliance with a legal obligation to which the controller is subject;
  d) in order to protect the vital interests of the data subject or of another natural person;
  e) if the legitimate interests pursued by the controller or by a third party override the interests or fundamental rights and freedoms of the data subject.

(In the above cases, consent does not constitute the legal basis of the processing – if in doubt, please contact the organization’s DPO).

Automated decision making and profiling

The Company does not use automated decision making for procedures that have legal implications or similarly significant impact on the data subjects and our decisions are made upon human reviewing.

We do not proceed to profiling within the meaning of the applicable personal data legislation.

 

For how long we retain personal data

Personal data is retained for no longer than is necessary for the purposes for which it is processed.

When we process personal data based on the data subject’s consent, the processing is made for as long as the consent remains valid and until such time it is withdrawn thereby.

 

Who has access to personal data processed

Personal data is disclosed only to Company’s authorized personnel.

We may also disclose personal data to competent authorities, if and insofar as this disclosure is mandatory under applicable law (for example: disclosure to tax authorities and to internal or external auditors).

We also disclose personal data to our external consultants, training services providers, business associates and professional advisors (such as lawyers and accountants), as well as to other third parties, if we are legally compelled to do so or where we need to comply with our contractual obligations towards the data subject (i.e. where we may need to pass on certain information to our insurance associates in case of an accident occurring to an employee-driver).

Our IT structure providers (e.g. software supporting companies etc.), co-operating banks or other financial institutions for credit and account handling etc., as well as our logistics providers (for products delivery to clients etc.), may also have access to personal data.

In all such cases, we provide access where appropriate and only in accordance with applicable laws and we try to ensure that such third parties have undertaken appropriate data processing obligations to ensure the security and confidentiality of the subjects’ data.

This is only where an adequate level of protection is ensured or where we have in place safeguards (e.g. using standard contractual terms), or upon explicit consent of the data subject.

In view of continuous development and expansion of our business, we may be involved in mergers and/or acquisitions with other entities, in which cases it is typical to have personal data entailed in the financial and legal due diligence.

The Company ensures the confidentiality and security of personal data processed with respect to such transactions, by accordingly implementing, in all such cases, personal data protective provisions and/or other safeguards such as non-disclosure obligations and data protection agreements etc.

 

When we assign data processing

Where the Company relies on a third-party data processor, to execute personal data processing on its behalf, we choose one who provides adequate security level and measures and undertake reasonable steps to ensure compliance of the data processor with such measures, binding ourselves with it with respective data processing agreements.

 

Future use and update

If in the future we intend to process personal data for a purpose other than that which it has been collected for, we will inform the subject of that purpose and any other relevant information if such purpose is not compatible with the initial, to the extent permitted by law.

 

Data subject’s rights

If and to the extent we process a subject’s personal data based on his/her consent, the subject may withdraw consent and request us to stop using and/or disclosing such personal data for any or all of the purposes for which consent has been granted to the Company.

A data subject is also entitled to request access to his/her personal data, i.e. provision of a copy thereof and/or respective information on his/her personal data processed by the Company. The subject may also request rectification of any inaccurate personal data or supplementation thereof, erasure or restriction of processing, as the case may be and under the legal prerequisites thereof. He/she also has the right to object to our Company’s processing, if and as the case may be, as well as to receive the data in machine-readable format.

To proceed to submitting the respective applications, as well as for any further query or clarification needed by the data subjects, they may address the Company directly by mail to 4 Anemonis str., 13678 Acharnes, Attica and/or by tel. to +30 210 2419700 and/or by fax to 210 2462433 and/or by email to info@stelioskanakis.gr.

The Company acts on such requests free of charge, without undue delay and in any event within one (1) month from receipt of the request. If, however, the request is complicated or there is a large number of requests, the Company will inform the applicants for extension thereof and, in the event that any requests are manifestly unfounded or excessive, for example because of their repetitive character, the Company may either charge a reasonable fee, considering its administrative costs for taking the action requested, or refuse to act on the request.

In the case where any data subject believes his/her personal data protection is breached by the Company, he/she may file a respective complaint before the competent Data Protection Authority (ΑΠΔΠΧ / www.dpa.gr / 1-3 Kifissias Avenue, P.C. 115 23, Athens / tel.: +30 210 6475600 / fax: + 30 210 6475628 / e-mail: contact@dpa.gr).

 

Documentation of a personal data breach

Any infringement of this Policy, relevant legislation and regulations constitutes a personal data breach (indicatively: unlawful destruction, loss, alteration, unauthorized disclosure, processing without consent or for purposes other than those indicated at the time of collection).

The person who discovers the personal data breach shall take appropriate measures and apply the necessary procedures to protect personal data from further abuse and shall report the breach to the Company in its role as a “Controller” with no delay. The Company, fulfilling its role as a “Controller” shall document systematically any personal data breach reported, assess the breach and take any further measures required to remedy the breach and prevent its reoccurrence.

Data Protection Officer

Kanakis S.A. is not obligated to appoint a Data Protection Officer (DPO), due to the nature and field of its activity. However, the Company, as “Controller”, closely and regularly monitors its compliance with the relevant laws and regulations regarding data protection, follows and applies any explanatory documents issued by the European Commission, the European Data Protection Board (former Data Protection Working Party of Article 29) and the national supervisory authority responsible for the application and execution of GDPR provisions, ensures its compliance with the relevant applicable data protection laws, monitors closely the upholding of this Policy, ensures the proper keeping of record regarding processing activities and any other such record and catalogue which includes the documentation of its compliance, conducts an impact assessment on the use of personal data wherever necessary, manages and responds to the requests for information made by the subject of the data, provides the proper awareness of its personnel with regards to the protection of data and counseling about data processing and obligations. The Company cooperates with the supervisory authorities on matters related to the processing of personal data and cooperates with the authorities on every other matter.

 

 

Changes to this Policy

We reserve the right to make changes to this Policy from time to time.

Regularly reviewing our website ensures that a data subject is always aware of the updated version.

If we make material changes to this Policy, we will promptly provide notification via prominent notice on our website or to the relevant data subjects’ category.

 
