PERSONAL DATA PROTECTION DECLARATION OF MARFIN INVESTMENT GROUP
Update on Personal Data Processing
MARFIN INVESTMENT GROUP (henceforth, "Company") states that for the purpose of exercise of its entrepreneurial activities, proceeds to the processing of personal data of natural persons (such as business partners, suppliers, its shareholders, potential employees, indicatively speaking), according to effective national legislation, European Regulation 2016/679 for the protection of natural persons against processing of personal data and for the free movement of such data (General Data Protection Regulation, henceforth "Regulation") as is currently effective.
The Company is committed to the respect and effective protection of your personal data. It is for this reason that we undertake the appropriate measures to protect the personal data we process and to secure that their processing, both by the Company itself and by third parties who process personal data, is always done according to the commitments posed by the legal framework. In this frame, we seriously take under consideration that you are efficiently updated on your personal data.
This Declaration of Personal Data Protection describes the personal data that the Company collects for you, how we use and protect your personal data and the choices you have in relation to the way we use such data.
What is regulation GDPR
General Data Protection Regulation (GDPR) is the new regulatory framework of European Union (ΕU) in the area of personal data protection. The scope of the law is the establishment of the conditions for the processing of personal data, for the purpose of protecting the rights and liberties of natural persons and in particular the right of personal data protection.
Personal Data: any information referring to an identified or identifiable natural person and of which the identity can be verified directly or indirectly.
Special Categories of Personal Data ("Sensitive Personal Data"): data of personal character revealing race or national origin, political beliefs, religious or philosophical beliefs or participation in a union, as well as genetic data, biometric data, data relating to health or sexual life or sexual orientation of the natural person.
Data Subject: the identified or identifiable natural person to whom Personal Data or/and Sensitive Personal Data refer.
Processing: any act or set of operations carried out with or without the use of automated means in personal data or in sets of personal data such as the collection, registration, organization, structuring, storage, adaptation or alteration, the search, use, disclosure by transmission, dissemination or any other form of disposition, association or combination, restriction, erasure or destruction.
Controller: for the purposes of this policy, Controllers are the Companies of the Group that separately or jointly define the aims and the processing manner of Personal Data.
Processor: the natural or legal person, public authority, agency or other private body that processes Personal Data for the Controller.
Consent: any indication of the free, specific, explicit and in full knowledge will of the Data subject, by which the Data Subject expresses that it agrees, by declaration or with a clear positive action, that the Personal Data relating to it are processed.
Personal Data Violation: a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored or otherwise processed.
1. Which categories of Personal Data the Company processes for you
Communication Data. The Company collects communication data (email, phone number). These data are collected in a variety of ways: they are posted on the Company's contact form at http://www.marfininvestmentgroup.com/gr/default.aspx, at the initiative of those who ask for information about share transfers and generally investment information on the initiative of those submitting CV or natural persons who send their personal data for having provided a service to the Company. For the sake of security of the Company's physical persons, materials and other facilities, we record the name of the visitors who enter the Company's premises to perform projects and so on.
Your Curriculum Vitae. Education, employment history and any information you choose to submit through the CV submission process. Data from executive search consultancy companies, as well as from publicly available sources, such as information posted on publicly accessible websites, social media profiles, and public search engine information, where this information is relevant and convenient to your assessment for the placement you are applying for.
Billing information from suppliers that are natural persons, i.e. home/ headquarters address, VAT number / tax code.
Bank Account Number of suppliers for payment of their fees.
Video. Recording from our CCTV and security cameras to prevent malicious actions
Registration of Shareholder. Registration according to the law and Regulation of the System of Intangible Assets (SIA) in the files of SIA, where an Investors Entry is created, the name and surname and father’s name of the shareholder, the details of his identification certificate, date of birth, nationality, tax information (article 4 of the SIA), as well as the number and type of shares that holds. Register on the Web site, of the IP address of your provider, of the website or other source of the Internet from which you have arrived at the Company's Web site, of the date and duration of your visit.
2. How we collect your personal data
- When you contact us directly through our website, by phone (either by calling or by sms) or by e-mail (email).
- When the Company collects your personal data from your resume you send either to email@example.com or in any other way.
- When the Company wishes to provide a service, it collects the suppliers' personal data through the service invoices they provide for the payment of their remuneration.
- When you visit our premises.
3. Why we process your personal data
The Company processes your personal data for one or more of the following purposes:
- Information about our activities and consequently the fulfillment of our contractual obligations in this context.
- To communicate with you about requests you submit.
- For statistical or historical reasons.
- For the security of physical persons, materials and facilities of the Company through the recording of CCTV and security cameras of visits of third parties such as visitors, contractors during their visit to the Company's premises, the granting of access cards to the premises of the Company. By using special security systems (hardware, software) to detect and prevent malicious actions.
- For the recruitment process of qualified and suitable personnel for the purposes of our business activity.
- For compliance with a statutory obligation such as regulatory compliance for tax purposes (with the law on Societe Anonyms), disclosure of transactions by liable persons in the Stock Exchange, management of claims for compensation, management of court cases, etc., for shareholders for the processing of their personal data in accordance with the law on Societe Anonyms, Laws 2396/1996 and 3756/2009, the Rules for the Operation of the Dematerialized Securities System (hereinafter referred to as the "SIA Regulation") and any other relevant legislation or regulation for the purposes specified in those instruments.
4. Legal basis for processing of your personal data
The legal reasons for the processing of Personal Data by the Company are:
- The conclusion and execution of a written or otherwise negotiated contract.
- Compliance with national and/or European legislation.
- Preserving and protecting your legitimate interests as well as ours. Thus, we use closed CCTV and security cameras in order to protect the security of individuals, materials and other facilities of the Company, and for the same reason we record the details of visitors, contractors that enter the premises of the Company to perform projects and so on and give them access cards at the Company's premises.
- The consent that you provide under the specific conditions set out in the legal framework.
- The specific disclosure by the Data Subject.
5. Duration of preservation of your personal data
Your personal data will be retained for as long as it is necessary to fulfill the purposes for which it was collected, including for the fulfillment of any legal or accounting requirements. In determining the appropriate period of personal data retention, we take into account the quantity, nature and degree of sensitivity of personal data, the potential risk of harm due to unauthorized use or disclosure of your personal data, the purposes for which we process your personal information data and whether we can fulfill these purposes by other means and by the applicable legal requirements. In some cases your personal data may be anonymized so that it can no longer be associated with you, so we have the right to use this information without notice.
Our general policy is to maintain your personal data in order to pursue the above-mentioned processing purposes and to comply with applicable legal obligations. The data storage time is decided on the basis of the following specific criteria, as appropriate:
- When processing is imposed as a requirement under provisions of the applicable legal framework, your personal data will be stored for as long as required by the relevant provisions.
- The data entered by the interested investors in the communication form with the Company is stored for as long as it is required by the content and nature of the query.
- For update and information purposes, your personal data is retained until your consent is withdrawn. This can be done by you at any time. Recalling of consent does not affect the legality of consent-based processing in the period before its revocation.
- If you accept the offer for work in the Company, your Personal Data will be retained on the basis of the Employee Data Processing Notice, which is communicated to all Employees.
- CVs, for which a record is kept for future use, are stored for a period of twenty-four (24) months.
All recipients have access to only those of your Personal Data that are strictly necessary for the fulfillment of the purposes and duties or services they have undertaken to the Company. The Company transfers personal data to third parties to whom it assigns the processing personal data for its behalf. Specifically, the Company has contracted technical information support for its suppliers, staff and the information base for the share register in IT companies.
Your personal data may be accessed by third parties that provide the Company with services related to your recruitment and evaluation of your application, by companies hosting or supporting IT systems, recruitment support applications or HR systems, etc. Within the Company, your Personal Information will be disclosed to and will be accessed by only the relevant persons who need to be aware of it for management or for the decision to recruit, the human resources department, the system administrators, and other support groups (such as the IT and the Economic Department) and, of course, the heads of the relevant departments in the search for candidates for a job. In this context, the Company's Human Resources Department can assess your resume and your suitability for position filling.
In any case, access to unauthorized persons, including the Company's workforce, in your personal data is forbidden.
Where we provide your Personal Information to third parties, we do so given that these third parties agree to comply with the provisions of the General Data Protection Regulation (GDPR). Any company in which the Company will disclose your personal data under a Service Agreement will process your personal data in its capacity as processors solely for the purpose and for the account of and on behalf of the Company.
If you participate in a general meeting of shareholders, then according to the effective legislation on Societe Anonymes and the laws of the capital market, third parties may see your personal data in the table of the shareholders. In addition, we transfer your data to recipients who have the right to process your data at their own risk. This includes public authorities, including the Securities and Exchange Commission, the General Commercial Registry (GEMI) and the Athens Stock Exchange in order to fulfill statutory obligations.
In any case, the Company for any reason does not sell or otherwise transfer or disclose your personal data to anyone other than the above mentioned, except in the context of compliance with legal or tax obligations, in the execution of an order of the public authorities and in the context of exercise by our Company's rights before the judicial authorities.
7. Transfer of personal data outside the European Union
The Personal Data collected by the Company from you is not transferred or processed outside the European Union.
8. Guarantees for the security of your personal data
The Company shall implement appropriate technical and organizational measures aimed at the safe processing of personal data and the prevention of accidental loss or destruction and unauthorized and / or illegal access to it, use, modification or disclosure thereof. In any case, the way in which the internet operates and the fact that it is free to anyone is a fact that cannot guarantee that unauthorized third parties will never be able to violate the applicable technical and organizational measures by gaining access and possibly using personal data for unauthorized and / or unfair purposes.
When you grant us your personal data, we take steps to ensure that they are kept secure. In order to protect your personal data, we take physical, technical and organizational protection measures. We update and control the security technology we use on a sustained basis. We restrict access to your personal data to those employees only who need to know this data in order to provide benefits or services to you. In addition, we educate employees about the importance of confidentiality and the maintenance of privacy and security of your personal data. Among other things, we have implemented the following technical and organizational measures and procedures to protect your personal data from any loss, alteration, illegal processing or change:
- detecting and managing security breaches·
- use of servers located in rooms with limited access and subject to regular checks·
- use of information systems and programs for computers that are installed in a way that minimizes the use of personal data and / or user authentication data·
- adoption of individual procedures for the preservation of personal data and their safe deletion / destruction·
- access to “need-to-know” systems and databases.
The management of databases and the processing of personal data will always be within the scope of the processing purposes set and in accordance with the applicable law on the protection of personal data.
9. Your rights
Any natural person whose Personal Data is processed by the Company may exercise the following rights in accordance with the terms and more specific provisions of the Regulation (ΕΕ) 2016/679:
Right of Access. You are entitled to know and verify the legitimacy of the processing. In connection with this right, you are entitled to receive from the Company information about your personal data that we process and information regarding its processing, such as its purposes, the recipients and the period of maintenance (Article 15 of the Regulation 679/2016). Under this right, you are entitled to request the Company to provide you free of charge with a copy of your personal data that is processed. In the event that the claims are recurrent and manifestly unfounded, the Company reserves the right to set a reasonable fee in accordance with Article 12 § 5a of Regulation.
Right of Rectification. You are entitled to request the rectification of any inaccuracies or the completion of any incomplete information, which the Company will proceed immediately without undue delay (Article 16 of Regulation 679/2016). The Company is committed to immediately inform third parties - recipients to whom your Data has been made public (Article 19 of Regulation 679/2016).
Right of Erasure ("right to be forgotten") .You are entitled to request the erasure of your personal data as long as there is no legal obligation to comply with their preservation or you oppose their processing, having a legitimate interest in it (Article 17 of Regulation 679/2016). In some cases (such as, for example, where there is a contract, the obligation to process personal data required by law, public interest), this right is subject to specific restrictions or does not exist as the case may be. The Company will proceed with erasure without undue delay upon your request under the conditions laid down in the applicable Greek and European legislation on the Protection of Personal Data. The Company is committed to immediately inform third parties - recipients to whom your Data has been made public (Article 19 of Regulation 679/2016).
Right of Objection. You are entitled to oppose the processing of your personal data when there is a legitimate interest under the terms and provisions of Article 21 of Regulation 679/2016.
Right of Withdrawal of Consent. In cases where we process your personal data based on your consent, you are at any time entitled to withdraw your consent or change the degree of consent you have granted without that affecting the legitimacy of the processing for the period prior to withdrawal of your consent.
Portability Right. You are entitled to receive your personal data in a structured, commonly used and machine readable format, as well as you have the right to ask for such data to be forwarded to other controllers (Article 20 of Regulation 679/2016).
Right to Restriction. You are entitled to request the suspension of the processing of personal data concerning you: (a) when you dispute the accuracy of your personal data and until it is verified, (b) when you object to the deletion of personal data and you are requesting, instead of its deletiong, the restriction of its use, c) when personal data are not needed for processing purposes, it is nevertheless necessary for the foundation, exercise, support of legal claims, and (d) when you object to the processing and until it is verified that there are legitimate reasons that concern us and supersede the reasons for which you oppose the processing (Article 18 of Regulation 679/2016).
Right to lodge a complaint. You are entitled to contact the relevant Greek independent authority, the Personal Data Protection Authority, in the event of your data being processed unlawfully (http://www.dpa.gr/). Call Center: +30 210 6475600, Fax: +30 210 6475628, E-mail: firstname.lastname@example.org.
If you exercise any of these rights, the Company will respond within one month, unless your request is highly complex or there are a number of similar requests. In any case, the Company is committed to inform you in detail of any breach incident if it is likely to put your rights and freedoms at a high risk, as well as the measures to be taken to address it.
10. Personal Data of Minors
The site http://www.marfininvestmentgroup.com/gr/default.aspx is targeted at adult audiences (such as investors and people looking for information about the Company). The Company does not knowingly process the personal data of minors under the age of 16. Once the Company has been notified of the disclosure of online personal data to a person under the age of 16 without the consent of the parent or the person that exercises parental custody, the Company will take appropriate steps to delete such data from its databases and secure non-use of data.
11. Links to other websites
Our site may contain links to sites managed by the Company or to third-party websites. We provide these links for your convenience, but we do not review, monitor or monitor the privacy practices of sites managed by third parties. In the event that you choose to connect to any third party's website through any links, hyperlinks, banners that may be contained on the Site, the Company and any other company member of the Group have no responsibility for the terms of management and protection of personal data those third parties. In addition, this privacy statement applies only to the Company. We are not responsible for the performance of third-party sites or for the business transactions you make with them. Therefore, we suggest that whenever you follow a link from this site to someone else, even to a site managed by the Company, read carefully the privacy statements of those sites.
12. Contact details of Managing Director & Responsible Protection
The Controller is the anonymous Company under the name "MARFIN INVESTMENT GROUP HOLDINGS S.A.", with headquarters in the Municipality of Kifissia, 67 Thisseos Ave. 14671, as legally represented. You may contact the Company for any questions or inquiries regarding your Personal Data and their processing, as well as to exercise any of your stated rights at: email: email@example.com, tel.: 210 3504000, website: www.marfininvestmentgroup.com. You can contact the DPO for any matter concerning the processing of your Personal Data by sending an email to firstname.lastname@example.org.
13. Publication Information - Changes and Updates
The Company reserves the right to modify and update this Statement at any time, for any reason, without notice to you, except posting the updated Statement on its website. Please check your website regularly to update your current Privacy Statement which is in effect, and specifically before providing any new personal information.
Any change to this Statement will be immediately posted here.