Privacy Policy
Our Company strives to conduct its business activities in accordance with privacy principles, as we believe they demonstrate our unwavering commitment to ethical and responsible practices. We recognise that innovation and new technologies are driving constant changes in risks, expectations and legislation, which is why we follow privacy accountability standards and aim to adapt how we implement them in response to these changes in a timely manner.
This Policy sets out our standards for the management and protection of Personal Data by or on behalf of our company, which originates, directly or indirectly, from any country in the European Economic Area (EEA), and Switzerland and is transferred to any other country, including transfers between EEA countries. They apply to our operations in each country, to any activity involving information about individuals that we conduct in each of our subsidiaries and each of our divisions (including any successors to our business), including, but not limited to, research, production, commercial activities, corporate support and data transfers necessary to conduct the above activities, including, but not limited to:
- Research and Manufacturing: initiating, managing and funding research studies / evaluating and engaging researchers, science and ethics committee members and partners to support our research studies and product development / recruiting for research studies / evaluating the safety, efficacy and quality of our products under development and commercially available / meeting our commitments to the safety and quality of our products, including managing and reporting adverse events
- Commercial activities: assessing markets for our products / advertising, marketing, selling, selling, distributing and delivering our products / communicating with our customers and other end users of our products / sponsoring and running events / assessing and encouraging our partners to support our commercial activities / complying with relevant legal, regulatory or ethical requirements.
This Policy also applies to all persons whose data we process, including, but not limited to, customers, prospective, current and former employees and their dependents, ethics committee members, partners, investors and shareholders, government officials and other stakeholders.
All Employees, Management, executives and employees of the Company have substantial responsibilities with regard to the protection of personal data which they must respect.
We recognize that unintentional errors and poor judgment about data protection can cause risks to the privacy of individuals and risks to our Company’s reputation, processes, compliance and finances. Each employee of the Company, and other persons who process data for our company, are responsible for understanding and complying with their obligations under this Policy and existing laws.
Our Values and Standards on Personal Data Protection
We adhere to our Data Protection values in everything we do that involves people, including how we apply our privacy standards. The four principles relating to the protection of personal data include:
Respect
We recognise that privacy concerns are often related to the essential questions of who we are, how we see the world and how we define ourselves. So we try hard to respect the perspectives and interests of individuals and communities and to be fair and transparent in how we use and share information about them.
Trust
We know that trust is vital to our success, so we work hard to build and maintain the trust of customers, employees, patients and other stakeholders to respect and protect their information.
Damage prevention
We understand that the misuse of people-related information can create tangible and intangible harm to individuals, and so we seek to prevent physical, financial, reputational or other privacy-related harm.
Compliance
We have learned that laws and regulations are not always in line with rapid developments in technology, data flows and the associated changes in privacy risks and expectations. So we strive hard to comply with the spirit and regulations of privacy and data protection laws in a way that demonstrates consistency and operational excellence for our business operations globally.
1. We integrate our privacy standards into all activities, processes, technologies and relationships with third parties that use Personal Data. We design privacy controls on our processes and technologies that are consistent with our privacy values and standards and with applicable laws. The 8 principles concerning how we understand and act on personal data entrusted to us by third parties, which are set out below, summarise privacy standards and the basic requirements for high-level processing, activities and their supporting technologies.
Privacy Principle
1. Necessity – Before collecting, using or sharing Personal Data, we determine and record the specific, legitimate business purpose for which it is necessary.
- We determine and record the length of time for which the Personal Data is needed for these specified business purposes.
- We do not collect, use or share more Personal Data than necessary, or retain Personal Data in an identifiable form for longer than necessary for these specified business purposes.
- We anonymise data when business requirements make it necessary for information about the activity or process to be retained for a longer period of time.
- We ensure that these necessary requirements have been incorporated into any supporting technologies and that third parties supporting the activity or processing have been informed.
2. Fairness – We do not process Personal Data in ways that are unfair to the individuals to whom the data relates.
- We determine whether the proposed collection, use or other processing of Personal Data poses a risk of actual or imminent harm to individuals, in accordance with the Harm Prevention Privacy Principle.
- If the nature of the data, types of people or activity involves an inherent risk of actual or undetermined harm to individuals, we ensure that the risk of harm does not outweigh the corresponding benefits to those individuals or our mission to save and improve human lives.
- Where the risk is inversely proportional to the benefits to individuals, we process Sensitive or Personal Data only with the explicit consent of individuals or as required or expressly permitted by existing laws.
- We document the risk analysis and design any required mechanisms to obtain and record evidence of consent to assistive technologies.
3. Transparency – We do not process Personal Data in ways or for purposes that are not transparent.
- All individuals whose Personal Data is processed under this Policy will be entitled to a copy of this Policy. We will make copies of this Policy available on our website. The Data Protection Officer will provide digital and/or physical copies of this Policy upon request at the addresses listed below.
- When Personal Data is collected directly from individuals, we inform them through a clear, conspicuous, and easily accessible privacy notice or similar means before we collect information about (1) the corporate entity or entities responsible for the processing, (2) the type of data to be collected, (3) the purposes for which it will be used, (4) with whom it will be shared, including any requirements to disclose Personal Data following lawful requests by government authorities; (5) how long it will be retained; (6) how individuals can ask questions, raise concerns, or exercise their rights with respect to the data; and (7) the electronic link to this Policy, where possible and appropriate; and (8) the electronic link to this Policy.
- When Personal Data is collected from other sources and not necessarily under our company’s direction, before the data is obtained, we verify in writing that the data provider has informed individuals of the ways and purposes for which the company intends to use the information. If written verification cannot be obtained from the provider, we use only anonymous data, or before we use Personal Data, we inform affected individuals through a privacy notice or similar means of (1) the corporate entity or entities responsible for the processing, (2) the type of data to be collected, (3) the purposes for which it will be used, (4) with whom it will be shared, including any requirements to disclose Personal Data in response to lawful requests by government authorities; (5) how long it will be retained; (6) how individuals can ask questions, raise concerns, or exercise their rights regarding the data; and (7) the electronic link to this Policy, where possible and appropriate.
- We ensure that the necessary transparency mechanisms, including, where possible, mechanisms that support individual rights requests, are built into the supporting technologies, and that third parties supporting the activity or processing do not process individual data in ways that are inconsistent with what individuals have been told, through privacy notice or other verifiable means, about how we and others working for us will use the data.
4. Purpose limitation – We only use Personal Data in accordance with the principles of Necessity and Transparency.
- If new reasonable business purposes are identified for Personal Data already collected, we ensure that either the new business purpose (including a substantially similar purpose) is compatible with the purpose as described in the privacy notice or other transparency mechanism previously provided to the individual, or we obtain the individual’s consent to the new use of their Personal Data.
- We do not apply the above principle to anonymous data or where we use Personal Data solely for the purposes of historical and scientific research and (1) an Ethics Review Board, or other competent reviewer, has determined that the risk of such use to the privacy or other rights of individuals is acceptable and (2) there is respect for existing Law.
- We ensure that purpose limitation restrictions are built into the supporting technologies, including any reporting and downstream data distribution capabilities.
5. Data Quality – We keep Personal Data accurate, whole and up-to-date, and in accordance with its intended use.
- We ensure that periodic data checking mechanisms are built into the supporting technologies to validate the accuracy of the data against the source and downstream systems.
- We ensure that Sensitive Data is validated as accurate and up-to-date before using, evaluating, analysing, reporting or otherwise processing it which risks harming individuals if inaccurate or untimely data is used.
- When changes to Personal Data occur from our company or third parties working for our company, we ensure that these changes are communicated in a timely manner where reasonably possible.
6. Security – We build in safeguards to protect Personal Data and Sensitive Data from loss, misuse, and unauthorized access, disclosure or destruction.
- We have implemented a comprehensive information security program and apply security controls that are based on the sensitivity of the information and the magnitude of the risk of the activity, taking into account the best practices of modern technology and the cost of implementation. Our operational security policies include, but are not limited to, business continuity and disaster recovery standards, identity and access management, information classification, information security incident management, network access control, physical security, and risk management.
7. Transfer of Data – We are responsible for maintaining the security and privacy of Personal Data when it is transferred to or from other organisations or across national borders.
(1 ) We only transfer Personal Data or allow it to be processed by third parties if the following conditions are met, and we are responsible for ensuring that the third parties we cooperate with meet these conditions:
- If the third party’s role is to process Personal Data for or on behalf of our company, before the third party receives the Personal Data, we: (1) complete a legal privacy audit to evaluate the privacy practices and risks associated with such third parties; (2) obtain contractual assurances from such third parties that they will process Personal Data in accordance with our company’s instructions, and in accordance with this Policy, including, without limitation, In addition, if the third party processes Personal Data originating from a country or territory with legislation that restricts the transfer of Personal Data, we will ensure that the transfer to the third party meets the conditions for cross-border transfer described in Section 2 below. Where one of our company’s subsidiaries acts exclusively on behalf of another of our company’s subsidiaries to process Personal Data, and where required by law, those subsidiaries of our company will carry out internal data processing in accordance with Principle 8 of this Policy.
- If the role of the third party is to provide Personal Data to our company, before we obtain the Personal Data from the third party, we ensure that the Transparency requirements for collecting Personal Data from other sources and not specifically under the supervision of our company are met, and we obtain assurances through a contract from the third party that it does not violate any law or the rights of any third party by providing Personal Data to our company.
- If the role of the third party is to obtain data from our company for processing that is not specifically under our company’s control, before we deliver the data to the third party, we ensure that the data has been anonymised, and we obtain written assurances from the third party that it will use the data only for the business purposes specified by the agreement and in accordance with existing legislation, and that it will not attempt to reverse the data anonymisation process.
(2 ) We transfer Personal Data across borders by or on behalf of our company in accordance with this Policy. We will apply this Policy to transfers of Personal Data from any other country or territory with laws restricting the transfer of Personal Data.
8. Legally Permissible – We process Personal Data only if it meets the requirements of applicable law.
- While the other 7 privacy principles, as well as the requirements of the Individual Rights described below, are intended to ensure that we meet the requirements for most privacy and data protection laws applicable to our industry around the world, in some countries we need to meet additional requirements, including, but not limited to:
-
- Where required, we will obtain specific forms of consent to process certain Personal Data, including, but not limited to, approval of processing by labor councils or other employee unions.
- Where required, we will register the processing of Personal Data with the applicable privacy or data protection regulator.
- Where required, we will further limit the data retention periods for Personal Data.
- Where necessary, we will enter into agreements that include specific contract clauses, including agreements for cross-border data transfers to third parties.
- Where required, we will disclose personal data in response to lawful requests from public authorities, including to meet requests related to national security or security authorities.
- In the event of a conflict between this Policy and existing legislation, the standard that provides more protection for individuals will prevail.
2. We will address in a timely manner requests regarding individual rights to access, rectify, amend or delete Personal Data or object to the processing of Personal Data.
- Access, Correction and Deletion – Based on Greek law, individuals have the right to access Personal Data concerning them, and to correct, amend or delete Personal Data that is inaccurate, incomplete or outdated. We will approve all requests by individuals for access, correction and deletion of Personal Data. If a request for access, correction or deletion is defined by existing Legislation that provides greater protection for individuals, we will ensure that the additional requirements based on Legislation are met.
Choice – Consistent with the Privacy Principles of “Respect” and “Trust”, we approve individual requests to object to the processing of Personal Data, including, but not limited to, opting out of participation in programs or activities in which individuals have previously agreed to participate, the processing of Personal Data about them for direct marketing purposes for communications targeted to them that are based on Personal Data, and for any evaluation or
- Except where prohibited by law, we may deny an election where a particular application may impede the company’s ability to: (1) comply with the Law or an ethical obligation, including where we are required to disclose personal information in response to lawful requests by public authorities because of security or national security requirements; (2) investigate, defend or seek legal claims, and (3) enter into contracts, manage relationships, or perform other permitted business activities consistent with the Transparency and Purpose Limitation Principles and entered into based on the data of individuals associated with them. Within fifteen working days of any decision to deny a selection request in accordance with this Policy, we will record and communicate the decision to the applicant.
3. We will respond in a timely manner and escalate all privacy-related questions, complaints, concerns and any Privacy Incident or Security Incident.
o Any individual whose Personal Data we process within the scope of this Policy may ask questions, make complaints or raise concerns to our company at any time, including requesting a list of all our company’s subsidiaries subject to this Policy. We expect that our employees, and other individuals working on behalf of our company, will provide timely notice if they have reason to believe that an applicable law may prevent them from complying with this Policy. Any question, complaint or concern from an Individual, or any notice from an employee or other person working on behalf of our company, should be addressed to the Data Protection Officer, by email or fax.
o Employees and Associates are required to promptly notify the Data Protection Officer of any questions, complaints or concerns about our privacy practices.
o The Privacy Officer will review and investigate, or cooperate with the Compliance Office, Ethics Office or Legal Department to investigate, all inquiries, complaints or concerns related to our privacy practices, whether received directly from our employees or from other individuals or third parties, including, but not limited to, regulatory agencies, compliance officers or other governmental authorities. We will respond to the person or entity that raised the question, complaint or concern to our company within thirty (30) calendar days unless a law or requestor/third party requires a response in a shorter period of time or unless circumstances, such as a parallel government investigation, require a longer period of time. In this case the person or the applicant/third party will be notified in writing as soon as the general nature of the circumstances contributing to the delay allows.
o The Data Protection Officer, in cooperation with the Legal Department and the Compliance Officer will cooperate with the competent Data Protection Authority in the context of a request for any information investigation, inspection or inquiry.
o For complaints that cannot be resolved between our company and the person who made the complaint, our company has agreed to participate in the following dispute resolution processes, investigating and resolving complaints to resolve disputes related to this Policy.
o However, if, at any time, individuals resident in the EEA, or individuals whose Personal Data is subject to EEA Data Protection Legislation and transferred outside the EEA, and whose data is processed in relation to this Policy, have the right, under this Policy, to enforce the conditions of this Policy as an eligible third party, including the right to take legal action to claim damages for the violation of their rights due to this Policy. Individuals residing in the EEZ or individuals whose Personal Data is subject to the EEZ Data Protection Legislation and transferred outside the EEZ (for clarity, including the USA) may have claims under this Policy, from the Company.
- to the courts or data protection authority of the country of the SEZ from which their Personal Data was transferred; or
- to Greek courts or the Greek Data Protection Authority.
- Our company will respond to the person or entity that raised the question, complaint or concern to our company within thirty (30) calendar days unless a law or requestor/third party requires a response in a shorter period of time or unless circumstances require a longer period of time, in which case the person or third party will be notified in writing.
Terms you need to know
- Anonymisation. The alteration, severing, elimination or other restriction or transformation of Personal Data so as to make it impossible to use it to identify, locate or contact the individual.
- Legislation. All laws, rules, regulations and advisory orders having the force of law in any country in which our company operates or in which Personal Data is processed by or on behalf of our company.
- Our company. Our company and its subsidiaries other than joint ventures or JointVentures in which our Company may participate as a Partner
- Personal Data. All data about an identified or unidentified person, including data that identifies the person or that could be used to identify, locate, track or contact the person. Personal Data includes both direct identification information such as name, identification number or unique job title, and indirect identification information such as date of birth, unique mobile or portable identification number, telephone number and coded data.
- Privacy Event. A violation or breach of this Policy or a privacy or data protection law, and includes a Security Incident. The determination of whether a privacy incident has occurred and whether it has physical substance will be made by the Data Protection Officer and the Legal/Compliance Department.
- Processing. The performance of any process or series of processes on data about people, with or without automated means, including, but not limited to, collection, recording, organization, storage, access, adaptation, conversion, retrieval, consultation, use, evaluation, analysis, reporting, distribution, disclosure, and dispersal, transmission, disposal, alignment, combination, interception, deletion, erasure, or destruction.
- Security incident. Access by an unauthorised person to Personal Data or disclosure to an unauthorised person of Personal Data or our reasonable suspicion that this has occurred. Access to Personal Data by or on behalf of our company without the intent to violate this Policy does not constitute a Security Incident, provided that the Personal Data in question was then used and disclosed only as permitted by this Policy.
- Sensitive Data. Any type of data about people that contains an inherent risk of potential harm to individuals, including data defined by law as sensitive, including, but not limited to, data relating to health, heredity, race, national origin, religion, political or philosophical beliefs or convictions, criminal records, precise geographic location information, bank or other financial account numbers, government-issued registration numbers, minors, sexual or reproductive health, or any other data of a personal nature.
- Third Person. Any entity, organisation or person that is not part of our firm, or for whom our firm does not have an audit interest, or who does not work for our firm. Except as expressly set out in this Policy, no subsidiary or division of our company is required to meet the requirements of a third party under this Policy, as all subsidiaries and divisions are required to process data about people in accordance with this Policy, including where one of our company’s subsidiaries supports one or more of our company’s subsidiaries in the processing.
Changes to this Policy
This Policy may be revised from time to time in accordance with the requirements of existing legislation. Whenever this Policy is physically changed, a notice will be posted on our website for 60 days.
Date of entry into force 1.11.2021
Personal Data Protection Policy
Our Company has as a key priority the protection of the personal data it processes and complies continuously with the applicable legislation on the protection of personal data.
We invite you to carefully read this personal data protection policy in order to be adequately informed about our processing of your data when you visit in-the-heart.com
1. General information and controller
The general partnership under the name “TSOKAS NIK.PANAGIOTIS AND SIA LTD”, with the distinctive title TSOKAS MATERIALS, located in Nea Smyrni, 72 Akropoleos Street and Sparta Street, as legally represented (hereinafter referred to as the “Company”), is the controller for the collection, storage and general processing of users’ personal data, as collected and stored through this website.
2.What personal data we collect and how we collect it
We collect and process your personal data as follows:
-Information when you contact us.
If you visit our website and have a question or a comment, you can submit it to our Company by filling in the contact form available on the website. You will be asked to provide your full name, address, telephone number, e-mail address and information about your request/question/observation. We will only use this information to respond to your query/observation. We will record your requests, your questions/observations and our respective responses and any other actions taken to manage your request/contact. All information will be kept for 12 months after your query or complaint is settled or the case is closed.
– Information collected from the use of cookies to ensure the proper functioning of our website.
Our use of your personal data collected through cookies (information about your device, browser, possibly your IP address) allows you to browse and use the features of the website. The information is kept until the browser is closed.
– Information collected from the use of cookies about your visit and use of our website
We collect certain information when you visit our website, such as your IP address, device category, browser and web browser type, clicks and views. We use this personal data as required in the context of our legitimate interests in order to be able to attract more customers and improve the promotion of our services. We retain personal data for a maximum period of 12 months
3.Purposes of processing
α. Response to your request/question/observation: We make every effort to respond to the request/question/observation you submit on your own initiative via the contact form.
Legal basis of the processing: your consent.
b.Information systems support/improvement of services: We use your personal data in order to detect server problems and ensure the proper functioning of our website. The Company uses the personal data of users, which it collects through the website, in order to improve the services already provided or to offer new services to its users/customers.
Legal basis of the processing: The legitimate interest of the Company to ensure the uninterrupted operation of its website and to improve the services provided by it.
δ. Compliance with our legal obligations, such as providing information to public services and authorities (e.g. judicial, administrative authorities)
Legal basis of the processing: Compliance with our legal obligations.
ε. Legal protection of the company: Ensuring the implementation of the terms of use of our website and protection of our legal rights.
Legal basis of processing: the legitimate interest of the Company to ensure the implementation of the terms of use of our website and to protect our legal rights.
Please note that where the legal basis for the processing of your data is your consent (case a), you have the right to withdraw it at any time, but the withdrawal of your consent does not affect the lawfulness of the processing that preceded the withdrawal.
4.Cookies
Much of the information referred to in this Privacy Policy is collected through the use of cookies and similar techniques. Cookies are small text files containing small amounts of information that are downloaded and may be stored on your user device e.g. your smartphone or tablet. These cookies and similar techniques are required to store your account settings, language and country, but also allow us to measure and analyse your behaviour on our website or on third party websites. Where appropriate, your consent to the use of cookies will be requested. To see more information about the cookies we use and how we use them, please see our separate cookie policy.
5. Rights of data users-data subjects
You have the right to access your personal data processed by us or on our behalf. You have the right to correct, delete or restrict the processing (where applicable) of your personal data. You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and in some cases we will, at your request, transfer your data to another controller where technically feasible. You also have the right, in certain circumstances, to demand that we stop processing your personal data, but where there are compelling legitimate grounds, we will continue to process your personal data.
Where you have given consent to our use of your personal data, you have the right to withdraw your consent without this affecting the lawfulness of our processing of that data prior to the withdrawal of your consent.
You can exercise these rights by contacting us by email at …………….. and by submitting a request.
Please be aware that requests that do not meet the requirements set forth by applicable law or Company guidelines may be required to be re-drafted or rejected, and that certain personal data may be exempt from such requests for access, correction and deletion, in accordance with applicable data protection and other laws and regulations.
We will respond to your requests without delay, and in any case within one month of receiving your request. If your request is complex, we will let you know within the month if we need to extend this period.
Finally, if you are not satisfied with our response, you can complain to the Data Protection Authority about the exercise of your rights (www.dpa.gr).
6. Retention of personal data
Users’ personal data are kept exclusively and only for the period of time required to fulfil the purpose for which they were collected, in full compliance with applicable legislation. When the purpose of processing your personal data is completed, they are deleted. The specific retention periods for each of the relevant processing purposes are set out above.
7.How and with whom we share your personal data (recipients of personal data)
Access to your data is available to the Company’s strictly necessary personnel, who are bound by confidentiality, our partner companies and third party service providers, with whom we may share your personal data to help us provide you with services and to manage our website. These third parties are:
- service providers, where required, to provide us with a service and to provide data analysis services (e.g. website hosting, website developers)
In those cases where the Company, as the controller, transfers your data to third party processors, the Company itself determines the individual elements of the processing (method, means, retention period, etc.) and signs a specific contract with the processors to ensure that the processing will be carried out in accordance with the applicable legal framework, that appropriate measures will be taken to protect the confidentiality and security of personal data and that
These third parties may be based in the European Union or in other countries of the European Economic Area or in other parts of the world. When we store personal data outside the EEA, we ensure an appropriate level of protection of the transferred data, in accordance with the General Data Protection Regulation (e.g. by signing standard contractual clauses).
Finally, we may need to provide personal data to public bodies (e.g. tax authorities) or law enforcement agencies in order to comply with a legal obligation or court order.
8.Data security
The Company assures users that it takes all appropriate technical and organizational measures for the security of their personal data, to ensure the confidentiality of their processing and their protection from accidental or unlawful destruction/loss/alteration, unauthorized dissemination or access and any other form of unlawful processing.
All web traffic (file transfer) between this website and your browser is encrypted and transferred via the HTTPS protocol using SSL (Secure Sockets Layer).
Although every effort is made to protect personal data, the Company cannot guarantee the security of the data transmitted through its website, as the transmission of information via the Internet can never be completely secure.
9. Applicable Law
For any dispute arising from the use of this website, the Greek courts will have exclusive jurisdiction.
10. Modifications
This Privacy Policy has been drafted in accordance with the provisions of the General Regulation for the protection of personal data no. 2016/679/EU . If updated, any changes will be posted on this website and will bear a revision date.
11. Contact
For issues relating to the processing of your personal data you can contact us at info@tsokasmateriasl.com.