PERSONAL DATA PRIVACY AND MANAGEMENT POLICY
360 GROUP S.A., a company based at 3, Rue du Purgatoire, Geneva, Switzerland, organized and existing under the laws of the Successfully Confederation, herein after mentioned as the Company, having regard to:
Ι. the provisions of Law 2472/1997 for the Protection of Persons from Personal Data Processing, as this law stands after amendments,
ΙΙ. the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (G.D.P.R.), with direct and binding effect from May 25, 2018 onwards,
ΙΙΙ. its declared will to protect the personal data of all the natural person interacting with the Company, as well as its obligation to comply with the provisions of standing legislation on personal data protection,
informs you that the purpose of this Policy is to display in a concise manner the basic principles and concepts of the legislation in force from May 25, 2018 AND to notify for the framework within the Company processes personal data.
1. The General Data Protection Regulation
1.1 The G.D.P.R. provisions apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. The G.D.P.R. provisions apply also to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union.
1.2 “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.3 “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.4 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
1.5 “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
2. Processing Purposes
Processing activity of your personal data, known to the Company after your actions, is carried out by the Company, according to G.D.P.R. provisions, for the following purposes:
a) for the accomplishment/execution of your trade affairs with the Company, including, but not limited to, service delivery, communication and information exchange before, during and after trade transactions, issue of any kind of tax documents and returns or invoices,
b) for your identification in case you submit a complaint or a request to the Company, as well as for the Company’s facilitation to handle and to answer your complaint or request,
c) for your information and supply with promotional and advertising material, printed or electronic, concerning Company’s commercial activities.
3. Lawfulness and bases of processing
3.1 Processing activity of your personal data, known to the Company after your actions, is carried out by the Company, according to G.D.P.R. provisions, following your consent and/or for the performance of a trade agreement regulating your trade relationship with the Company, in order for the Company to be able to identify you as its counterparty, to execute your order, to issue all invoices or tax documents and to communicate with you before, during and after the term of your trade relationship with the Company
3.2 In relation with the above, the Company further notifies you that in the latter case, providing the Company with your personal data you enables your trade relationship with the Company to take place. Your denial to provide your personal data to the Company and to consent to their processing by the Company will result in the Company’s inability to identify you as a customer and to proceed to a trade relationship with you.
4. Rights of data subject
4.1 Notwithstanding any special G.D.P.R provisions, processing activity of your personal data, known to the Company after your actions, carried out by the Company, according to G.D.P.R. provisions, DOES NOT CANCEL your right to submit to the Company a request concerning information, access, rectification or erasure of the personal data you have provided to the Company or your right to submit to the Company a request to restrict or even to oppose processing of your personal data by the Company. Your request should be clear and straightforward in order for the Company to be able to ensure the certainty of your identity as well as acknowledge the meaning of its content. Additionally, your request should be submitted to the Company in writing and in such a manner to ensure the certainty of the submission date.
4.2 If the above mentioned conditions about the submission of your request are met, the Company shall provide you with all necessary information, without any delay and at the latest within one (1) month of the receipt of your request. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of the requests. The Company shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Where you make the request by electronic form means, the information shall be provided to you by electronic means where possible, unless you requested otherwise.
4.3 If the Company does not take action on your request, the Company shall inform you without delay and at the latest within one (1) month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Information provided to you by the Company shall be provided free of charge. In case, though, that your requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on your requests. The Company shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
5. Personal Data Retention
5.1 Notwithstanding any special G.D.P.R provisions, standing national laws, including the provisions of tax laws and regulations, your personal data provided to the Company shall be stored and retained by the Company for the term of your trade relationship with the Company and up until both parties’ obligations to one another are fulfilled.
5.2 After the termination of this period, the Company shall continue storage and retention of your personal data for more than a month’s period from the expiration of the time limit you shall have to exercise any right concerning Company’s services’ or products’ defects. Additionally, the Company shall continue storage and retention of your personal data for as long as court’s proceedings may last between you and the Company and up until an irrevocable court decision is issued over these proceedings.
5.3 Notwithstanding any special G.D.P.R provisions, standing national laws, including the provisions of tax laws and regulations in which case the retention period is set to ten (10) years, the termination of the above mentioned retention periods shall be followed by the destruction or erasure of your personal data. You shall also have the option of delivery of your personal data by the Company to you only in a manner that you will specify after a written communication with the Company.
6. Transfer of Personal Data
6.1 The Company is obliged to inform you on its intention to transfer your personal data to a third country or an international organization, as well as for the existence or the absence of an adequacy decision of the European Commission or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), to inform you about the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
6.2 In accordance with the aforementioned obligation, the Company informs you that your personal data may be transferred to the Successfully Confederation, where the Company’s central offices and its headquarters are situated. The Swiss Confederation is one of those countries that the European Commission has issued a relevant adequacy decision for the protection of personal data.
7. Consent Withdrawal
7.1 You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
7.2 You can withdraw your consent by submitting a clear and straightforward request in order for the Company to be able to ensure the certainty of your identity as well as acknowledge the meaning of its content. Additionally, your request should be submitted to the Company in writing and in such a manner to ensure the certainty of the submission date. You should be aware though, that withdrawal may result in the consequences mentioned in term 3.
8. Article 22 G.D.P.D. provision
8.1 Article 22, par. 1 of the G.D.P.R. states that “…The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her…”. Article 22, par. 2 of the G.D.P.R. states that “…Paragraph 1 shall not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (c) is based on the data subject’s explicit consent…”. Considering the above, when you provide your personal data to the Company based either on your consent and/or for the performance of a trade agreement regulating your trade relationship with the Company, the Company reserves itself the right to decide for the execution of this trade agreement by analyzing and evaluating certain aspects such as the volume of previous transactions and your behavior and reliability as a buyer in these transactions.
8.2 When you provide your personal data to the Company in the context of a request or a complaint submission, the Company is committed to abide by the provision of Article 22, par. 1 of the G.D.P.R..
9. The Company as a Controller
9.1 In compliance with the provisions of the G.D.P.R., the Company shall be regarded as a Controller. Therefore any request you may have concerning your personal data should be addressed to the Company.
9.2 When processing, in the meaning of the G.D.P.R. provisions, your personal data, the Company collaborates and makes use of third parties’ products and services. These third parties shall be herein after be referred to as “Processors”. In order to do so, the Company has received by the Processors sufficient guarantees that Processors implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the G.D.P.R. and ensure the protection of the rights of the data subject. Furthermore, the Company has already either signed with the Processors a Controller – Processor Agreement or accepted relevant Terms of Use of the products or services it uses.
9.3 As already mentioned in term 4 of this Agreement, you have always the right to be informed by the Company for the actions that the Company has taken in order to Comply with standing legislation on data protection.
10. Severability
If any part of this Policy is for any reason found to be in contrast with the provisions of standing national or european legislation, it is only this part that should be considered as invalid and unenforceable.
11. Dispute Resolution
If any disagreement concerning the interpretation or the application of this Policy cannot be resolved with an amicable settlement or following the competent authority’s intervention or suggestion, this Policy shall for all purposes be governed by and interpreted in accordance with the laws of the Hellenic Republic and the Regulations of the European Union. In the latter case the dispute shall be settled by the competent Courts of the city of Thessaloniki.
12. Law
Issues that are not addressed by this Policy are to be governed by and interpreted in accordance with the laws of the Hellenic Republic and the Regulations of the European Union.
13. Waiver
Any failure by either party to strictly enforce any provision of this Policy will not be a waiver of that provision or any further default.
14. Amendments/Modifications
The Company reserves itself the right to modify this Policy whenever this is judged by the Company as necessary. Any amendment or modification of this Policy shall be posted on the Company’s website and shall be communicated with any appropriate means. You are advised to be regularly visit the Company’s website in order to be kept informed.
15. Communication
Your communication with the Company regarding your personal data that you have provided to the Company should be addressed at the Company’s Data Protection Officer.
A) Company Name: 360 GROUP SA
B) HQ and communication address: Geneva, Rue du Purgatoire 4
C) Tel. : 0041 22 591 79 92
D) Email address: info@360groupsa.com
E) Website: 360groupsa.com
F) Legal Representative: Gregory Lanaras
G) Data Protection Officer: Kontokostas Athanasios, communication address: 10, Themistokli Sofouli st.,Thessaloniki, Greece, tel.: +302310417174, email address: dp@360groupsa.com