Personal Data Protection Policy
ORIZOR SINGLE MEMBER S.A.
Scope of the Personal Data Protection Policy
ORIZOR SINGLE MEMBER S.A. (hereinafter referred to as the “company”) ensures the security of your personal data and adopts the appropriate technical and organizational measures to protect them in accordance with the national and EU legislation in force from time to time and in particular the General Data Protection Regulation (EU) 2016/679, the applicable national legislation, as well as the Decisions, Directives and Opinions of the Personal Data Protection Authority.
This Policy is valid and applicable at the Company’s headquarters and in the digital environment related to its activity, on the Company’s official website https://orizor.com/
The contact details of the company, which is the Controller of your data, are as follows:
Name: “ORIZOR SINGLE MEMBER S.A.”
Mailing Address: 63 Anaxagora Str., Tavros 17778, Attica
Email address: firstname.lastname@example.org
For the purposes of this Policy, the following terms are interpreted as follows:
“Personal Data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Special Categories of Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, as well as the processing of genetic data, biometric data for the purposes of positive identification, data concerning health or data concerning the sex life of a natural person or sexual orientation.
“Genetic Data” means personal data relating to the genetic characteristics of a natural person inherited or acquired, resulting in particular from the analysis of a biological sample of that natural person, which provides unique information about the physiology or health of that natural person.
“Biometric Data” means personal data which results from specific technical processing associated to physical, biological or behavioural characteristics of a natural person, which allows or confirms the unambiguous identification of that natural person, such as facial images or fingerprint data.
“Data Concerning Health” means personal data relating to the physical or mental condition of a natural person, including the provision of healthcare services, which reveals information about the state of health of that person.
“Processing” means any operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Controller” means the natural person or legal entity, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law.
“Processor” means the natural person or legal entity, public authority, agency or other body which processes personal data on behalf of the controller.
“Data Subject” means the natural person whose personal data is processed, e.g. customers, employees, etc.
“Recipient” means the natural person or legal entity, public authority, agency or other body to whom the personal data is disclosed, whether or not a third party. However, public authorities which may receive personal data in the context of a specific investigation in accordance with Union or Member-State law, shall not be considered as recipients; the processing of such data by those public authorities shall be carried out in accordance with the applicable data protection rules, depending on the purposes of the processing.
“Third Party” means any natural person or legal entity, public authority, agency or body, with the exception of the data subject, the controller, the processor and persons who, under the direct supervision of the controller or processor, are authorised to process personal data.
“Consent” of the data subject means any freely given, specific, explicit and informed indication of his or her free will, by which the data subject signifies his or her agreement to the processing of personal data relating to him or her by a statement or explicit affirmative action.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access of personal data transmitted, stored or otherwise processed.
“Anonymisation” means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject.
“Pseudonymisation” means the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject, without the use of supplementary information, provided that such supplementary information is kept separately and subject to technical and organisational measures to ensure that it cannot be attributed to an identified or identifiable natural person.
“Existing Legislation” means the respective national and EU legislation on personal data protection and in particular the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”), the Greek Law 4624/2019, as applicable, as well as the Decisions, Directives and Opinions of the Greek Data Protection Authority.
General Principles for the Processing of Personal Data
The company collects and processes your personal data in accordance with the following processing principles:
Legitimacy, objectivity, transparency: The company lawfully collects and processes your personal data in a transparent manner.
Restriction of purpose: The company processes your personal data only for specified, explicit and legitimate purposes.
Data minimisation: The company adopts the appropriate technical and organisational measures so that the personal data it processes is suitable, relevant and limited to what is absolutely necessary for the purposes for which such data is processed.
Accuracy: The company ensures that the personal data it retains and processes is always accurate and up to date.
Limitation of the retention period: The company does not retain personal data for a longer period than is required by the purposes pursuant to which such data was collected and processed. However, the company may retain it for a longer period if the processing of such data is necessary:
(a) for compliance with a legal obligation that requires processing under a provision of law;
(b) for the performance of a task carried out for public interest;
(c) for reasons of public interest;
(d) for archiving purposes in the public interest or for statistical purposes, after taking the appropriate technical and organisational measures, including pseudonymisation and only if these purposes cannot be served by anonymisation of the data; and
(e) for the establishment, exercise or support of legal claims.
Integrity and confidentiality: The company ensures that your personal data is collected and processed in a secure manner, using appropriate technical and organisational means to protect it against any unauthorised or unlawful processing and accidental loss, destruction or damage.
Personal Data we Collect
The company collects and processes your personal data only if it is strictly necessary, required and appropriate to attain its intended purposes. In particular, personal data we collect and process is summarised briefly as follows:
– Identity data (i.e. full name, father’s name, mother’s name, date of birth-age, spouse’s name, gender, ID card number, passport number, VAT/TIN number, occupation or employer (company/organisation) by which you are employed and so on),
– contact details (i.e. postal address, landline and mobile phone, e-mail) for communication between us, possibly for sending you details of properties you may be interested in or for sending you our company’s newsletters and flyers about the services provided, news and offers,
– data relating to requests you have submitted to exercise your rights or your complaints,
– data of prospective employees of our company contained in the attached CVs or relevant forms (i.e. first name, surname, contact details, education, work experience etc.),
– data of employees in our company such as: first name, surname, father’s name, mother’s name, gender, date of birth, home address, telephone (landline/mobile), email (company/personal), nationality, marital status, number of children, birth certificates or family certificates, ID Card details, VAT/TIN Number, competent Tax Office, IBAN, educational qualifications, professional certifications, certificates of military service, training courses, diplomas, previous experience, date of recruitment, payroll data, allowances, evaluation reports, etc.
– data of suppliers and partners of the company, such as full name, father’s name, gender, date of birth, home address, telephone (landline/mobile), email (company/personal), ID number, passport number, VAT/TIN number, competent Tax Office, IBAN, professional certificates, educational qualifications, as well as any further data that may be required by national legislation (e.g. tax legislation).
How Personal Data is collected
The collection of personal data is carried out by both physical and electronic means on a case-by-case basis, including but not limited to:
When filling in various forms or during our electronic communication,
When using our call centre or our website to schedule a meeting or receive another service,
When providing our services to you following information you provide to us,
When you file an application to work for us,
When you are hired as an employee of our company,
When you contract as a partner/supplier with our company.
Purposes and lawful basis for processing your personal data
The personal data collected by our company is used for the following processing purposes, namely:
– For the provision of property management services, for leasing or renting of real estate, for property viewing service, for maintaining and updating the file, etc.
The lawful basis for the processing of such data is:
(a) your explicit consent to the processing of the aforementioned data;
(b) the necessity of processing your data for the purposes of providing a property management service;
(c) the necessity of processing for the performance of our obligations and the exercise of our or your specific rights in the field of labour law and social security and social protection law or for the performance of a task carried out in the public interest;
(d) the necessity of processing your data for the protection of your vital interests. We will never process your personal data if any of the above legal bases does not exist and we have not obtained your explicit consent beforehand, after informing you of the purpose of the processing in question.
– For the compliance of the company with its legal obligations, such as for example, compliance with legislation regarding brokerage contracts or compliance with tax, insurance legislation, etc. The lawful basis of processing in this case is the company’s compliance with its legal obligations.
– For sending newsletters about the company’s news, for commercial communication about our products and services, so that you are informed about the company’s innovations, products, and offers. The lawful basis for processing in this case is your prior explicit consent.
– For communication between us, after prior identification, and the management of your requests, whether related to data protection issues or the quality of your service. The lawful basis for processing in this case is the legitimate interest of the company and/or the company’s compliance with its legal obligations under the Existing Legislation.
– For the extraction of statistical data, following the anonymisation of your data. The lawful basis for processing in this case is the necessity for the extraction of statistical data.
– For the lawful conclusion and performance of agreements concluded by the company with third parties. The lawful basis of processing in this case is the necessity to process your data in the context of the performance of contractual obligations or during the pre-contractual stage.
– In order for the company to be able to recruit staff or even contract with external associates. The lawful basis for processing in this case is: (a) the necessity of processing the data in question in the context of the performance of our contractual obligations or during the pre-contractual stage and (b) the necessity of processing for the performance of our obligations and the exercise of our or your specific rights in the field of labour law and social security and social protection law or for the performance of a task carried out in the public interest.
Personal Data Sharing
The company may share the above personal data with:
Third parties to whom it has entrusted the processing of personal data on its behalf. In particular, the company may share your personal data with partners belonging to its network, who act on its behalf either independently, contractually bound to the company to provide independent services (e.g. to partners), and/or to third party affiliated Companies that process your personal data on behalf of the company. In any case, the third parties to whom data of the subjects may be transmitted are contractually bound to the company to ensure the confidentiality obligation as well as all obligations provided for by the Existing Legislation. In all the above cases, the company, defining the individual elements of the processing, signs specific contracts with the third parties to whom it entrusts the performance of specific processing activities, ensuring that the processing is carried out in accordance with Existing Legislation. These third parties contractually undertake with the company that they will process your personal data only for the specific and contractually defined purposes and will not forward or disclose it to third parties, unless required by law.
To judicial and prosecutorial authorities, as well as other public authorities (e.g. tax authorities, etc.) in the exercise of their duties on their own initiative or at the request of a third party claiming a legitimate interest and in accordance with the legal procedures.
Personal Data Retention Period
The personal data collected by the company is kept for a predetermined and limited period of time, depending on the purpose of processing, after which the data is deleted and/or securely destroyed, unless a different retention period is provided for or permitted by applicable legislation.
The retention period for your data is defined indicatively on the basis of certain specific criteria and on a case-by-case basis. Indicatively:
(a) Your personal data is mandatorily kept for the entire contractual period or for the period required by the purpose of processing and/or by the applicable legal framework. At the end of this retention period, data shall be kept in accordance with the applicable legal framework for the period provided for by the termination of the transactional relationship or for as long as required to defend the company’s rights before a Court of law or other competent authority. We keep the applications with attached CVs that you send us for a period of two (2) years, in order to evaluate them for a certain position and after two years, we securely destroy or delete them.
(b) Where processing is imposed as an obligation, by provisions of the applicable legal framework, your personal data will be stored for at least as long as required by the relevant provisions.
(c) For the purposes of marketing activities and in any other case where the processing is based on your consent, your personal data will be kept until your consent is withdrawn, without prejudice to the lawfulness of the processing based on your consent, up to that point in time prior to its withdrawal. In order to withdraw consent, you must submit a request to the company’s Data Protection Officer (DPO) (see below for his/her contact details). Alternatively and for the purposes of marketing of products and services, you can also use the unsubscribe options by clicking on the corresponding link in our electronic communications. For as long as your email address remains in our database, you will receive periodic email updates from us.
(d) The data we collect when you submit a request, as well as the relevant file in which such data is recorded, are retained for the period of time required by the purpose of the processing.
Security of Personal Data
Taking into account the latest developments, the implementation costs and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood of occurrence and severity for the rights and freedoms of users from the processing, the company adopts the necessary technical and organisational measures to protect your personal data. Although no method of transmission over the Internet or method of electronic storage is completely secure, the company adopts all necessary digital data security measures (antivirus, firewall, etc.).
Data Protection Impact Assessment (DPIA)
Where a processing operation is likely to present a high risk to the rights and freedoms of natural persons, the company shall carry out, prior to the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data (“impact assessment”). An impact assessment is a process designed to describe the processing, assess its necessity and proportionality and assist in risk management by evaluating and defining measures to address the risks. It is not required for every form of processing, but only in cases where a form of processing is considered high risk. In the context of the impact assessment, the nature, scope, overall context and purposes of the processing are taken into account in order to assess whether a risk is likely to occur, as well as its seriousness for the rights and freedoms of the data subjects.
The company may decide to carry out an impact assessment for processing, even if it is not considered mandatory under the Existing Legislation.
In particular, an impact assessment is required in all cases where the processing “is likely to result in a high risk to the rights and freedoms of individuals”. Such cases include, but are not limited to:
– cases of systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing (including profiling) and on which decisions are based which produce legitimate effects concerning/affecting the natural person data subject;
– cases of large-scale processing of special categories of data (sensitive data);
– cases of systematic processing of personal data.
Personal Data Breach
In case an incident of breach takes place, the company follows a specific procedure for handling incidents of breach of security of your personal data. In the event that you become aware or suspect that a breach of your personal data may have taken place, please notify us without delay at email@example.com.
The company ensures that it is able to promptly respond to your requests to exercise your rights in accordance with the Existing Legislation. These rights are as follows:
(a) Right to withdraw consent:
In cases where the processing is based solely on your prior consent, e.g. for the purposes of marketing activities, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent in the period prior to its withdrawal.
(b) Right of access and information:
You have the right to be informed of your data that we process and to verify the lawfulness of the processing. You have the right to access the data and to obtain additional information about the processing, the particulars of the persons to whom we transmit it or for what purpose we process it. With regard to the file, access to the records at any time is provided for, as well as the possibility to download copies of the file free of charge.
(c) Right of rectification:
You have the right to complete, correct, update or modify your personal data.
(d) Right of erasure (right to oblivion):
You have the right to submit a request to have your personal data deleted, unless there is a legitimate reason for the company to retain it further.
(e) Right to restrict processing:
You have the right to request restriction of processing of your personal data in the following cases:
(1) When you question the accuracy of the personal data and until verification
(2) When you object to the deletion of personal data and request restriction of use instead of deletion
(3) When the personal data is no longer necessary for us, but is nevertheless necessary for you to establish, exercise and support legal claims, and
(4) When you object to the processing and until verification that there are legitimate grounds for which you object
(f) Right to object to processing and right to object to automated individual decision-making, including profiling:
You have the right to object at any time to the collection and processing of your personal data where, as described above, it is necessary for legitimate interests we pursue as a company, as well as to processing for direct marketing and profiling purposes. Please note, however, that the company “does not engage in automated decision making”.
(g) Right to portability:
You have the right to receive, free of charge upon identification, your personal data in a structured, commonly used and machine-readable format (pdf, word, etc.). You also have the right to ask us, if technically feasible, to transmit the data directly to another controller. This right applies to data that you have provided to us and that is processed by automated means on the basis of your consent or in performance of a relevant contract.
In case you exercise any of the rights mentioned above, the company will reply to you within one (1) month from the receipt and identification of your request. This period may be extended by two (2) more months, if necessary, taking into account the complexity of the request and the number of requests. In this case, the company will provide you with information on this extension within one (1) month of receipt of the request and the reasons for the delay. If the request is submitted by electronic means, you will be informed in the same manner, unless you request otherwise. If your request is manifestly unfounded or excessive, in particular because of its repetitive nature, the company may make compliance with it subject to the payment of a reasonable fee or refuse to respond to the request.
Right of appeal to the Data Protection Authority
If you have any complaint regarding this policy or any personal data protection issues, if we do not satisfy your request, you may contact the Greek Data Protection Authority via the following link: www.dpa.gr or address it at the following contact details: 1-3 Kifissia Avenue, P.C. 115 23, Athens, +30 210 6475600, +30 210 6475628, firstname.lastname@example.org.
Contact details of the Data Protection Officer (DPO)
For the exercise of all the above rights, as well as for any issue related to the processing of your personal data, you can contact the DPO at email@example.com or at 2111028111 (contact hours 9 a.m. to 5 p.m.).
Updates to the Personal Data Protection Policy
This Personal Data Protection Policy may be amended/revised in the future. We therefore recommend that you refer to the current version of this Policy, as updated from time to time, for adequate information.