PURPOSE

The purpose of this Policy is to define and formulate the general framework and the basic principles established and applied by our Company under the name “VITEX SA”,   based in Aspropyrgos, Attica, location “Imeros Topos” (hereinafter to be referred to as the “Company”) concerning the processing of personal data (hereinafter to be referred to as “personal data”), their confidentiality, integrity and availability.

1 FIELD OF APPLICATION

This Policy applies to all of the personal data that the Company processes during the course of its activities (see also 3.3 below).

2 ACCOUNTABLE FOR THE IMPLEMENTATION OF THIS POLICY ARE:

• Company Management
• Data Protection Officer (DPO)
• All Company staff
• All partners who manage and / or have access to personal data

3 OBJECT

3.1 In general

The Company acknowledges and respects the importance of the personal data it processes in its activities and has therefore fully adapted its policy to the requirements of the General Personal Data Protection Regulation 2016/679 / EC (hereinafter referred to as the “GDPR”).

Through this Policy the Company:

• Informs employees, associates and traders with it in what capacity, for what purpose and on what legal basis it processes personal data, the concept of which is specified below,

• Identifies the categories of personal data, the sources of personal data (when personal data are not collected from the individual) and the criteria for determining the period of retention of personal data,

• informs the subjects of any third party or third country transfers of personal data concerning them,

• informs about the ability of individuals to contact the Company for any matter relating to the processing of their personal data, the ability to exercise with respect to their personal data the rights of access, rectification and, as the case may be, erasure, restriction and opposing the processing, as well as the right of such persons to denounce any violation of their rights relating to their personal data to the Data Protection Authority,

• defines the principles governing the Company’s compliance with the civil protection and the security of the personal data.

For further questions or queries or a copy of the present, and for anyone wishing to exercise any of the rights related to their personal data, the person concerned may contact the Company’s Data Protection Officer, a service which has been assigned and provided by AQS Business Consultant Company, “ADVANCED QUALITY SERVICES LTD” (Tirnavos and Sarantaporou 1A, Agios Stefanos Attica), by phone 2106216997 and email dpo@vitex.gr.

3.2 Data Controller

Name “VITEX SA,”

Address Aspropyrgos of Attica, Imeros Place, PO 139, T.K. 19300

Phone – Fax 2105589400 – 2105597859

Email info@vitex.gr

3.3 Who collects personal data?

This Policy refers to the collection of personal data by the Company in the development of its business activity, which consists mainly in the industrial production and marketing of building paints, insulating materials, integrated systems of external thermal insulation and marine colors in the Greek and international market, including its presence on websites, platforms and third party applications based on the terms of use of each site.

3.4 How are personal data collected?

We may collect personal data from various sources, such as:

• directly from the subjects for one of the following reasons:

1. Information you give us when concluding, developing and resolving the contractual relationship between us.

2. Information you give us when you participate in our Company’s training sessions.

3. Information you give us when you contact us or submit your request.

4. Information you give us when you subscribe to our newsletter.

• indirectly, from other sources and on the basis of our legitimate interest, in the following cases:

1. Information we obtain in the event of a credit check of the subjects who deal with us on terms of credit provision, provided that the relevant legal procedure envisaged is respected.

2. Data collected from our CCTV system at our Company’s external facilities to protect the Company and third parties from offenses against life and property.

• we receive and store specific kinds of personal data online whenever anyone interacts with us when we use cookies and tracking technologies under the conditions set by applicable law, as well as when the browser used by the internet user has access to our websites or our listings as well as other content displayed by or on behalf of the Company on third party websites. Please note that when you visit any of our Company’s sites we simply collect data related to your interaction with the site and the installation of cookies (see in detail the corresponding Cookies Policy posted on each Company’s proprietary website). Third-party websites generally apply their own privacy statements and our own terms of use which we recommend you read before using these sites. We clarify that the official sites owned by our Company today are: www.vitex.gr, www.vitextherm.gr, www.hermes-ins.gr, www.eumaria.com.

3.5 What personal data are collected?

 ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Due to the nature and nature of the aforementioned activity, our Company mainly collects the following personal data per category of subjects:

• Employees: personal data and data that refer only to their employment relationship with the Company, including, but not limited to, identity and communication data, financial data and any health data of their own or additional family members, provided that the latter are necessary for the compliance of the Company with the applicable employment and social security and social protection law (ie: name, address, telephone, email, identity / passport, E1, VAT certificate, IKA and AMKA registry number, bank account number for payroll, medical reports, medical or hospital papers or other documents provided by the Law, such as a certificate from the OAED for maternity leave for a period of seven months, etc.).

• Candidates for recruitment: personal data and data referring to their evaluation as candidates and their recruitment procedures by the Company, including, but not limited to, identity and communication details, as well as details of the CVs of the candidates (ie indicative Curriculum vitae, name, address, phone, email, photo, experience, specialty, competence, education)

• Company counterparties (customers, prospective customers and in general persons who communicate with the Company): personal data and data referring to our existing contractual relationship, where it exists or is used to communicate the Company with the above persons, including, but not limited to, identification and communication details, transaction data as well as financial information related to the Company’s performance of its legal obligations (ie, indicatively: head office, telephone, e-mail, VAT number, bank account number, and so on).

• Affiliates (third parties, suppliers and other affiliates in general): personal data and data that refer to our existing contractual relationship, including, but not limited to, identification and communication details, transaction data and any financial information relating to the Company’s performance of its statutory obligations (ie, name, address, telephone, e-mail, VAT number, bank account number, etc.).

• Trainees: The personal data of the persons participating in the training sessions organized by the Company, including, but not limited to, identity and communication data, elements of the contractual relationship of the Company with the participants (ie: name, VAT number, employment contract, when the participant is an employee of the Company and so on).

• Recipients of “newsletter” and other updates: personal data of subjects interested in being informed about the products and actions of the Company, including, but not limited to, identity and communication details, information on the type of professional activity they exercise, information on any the Company’s earlier trading relationship with them.

• Inbound and outbound persons recorded by our CCTV system inside our company’s premises: personal data related to the identification and time of entry of the persons entering the Company’s premises, as well as to the recording of the image of these persons in the context of the legal operation of a closed circuit video surveillance (CCTV) in the outdoors of our premises and at the entrance gate, for security of persons and goods.

We note that we do NOT collect specific categories of personal data, in addition to any health data mentioned in this Policy, such as race, ethnic origin, religion, sexual orientation or genetic biometrics, etc. which constitute special categories of data and enjoy additional protection under the GDPR.

3.6 Particularly regarding children’s personal data

Children’s personal data may be collected exceptionally in the context of the employment relationship of our employees with our Company and solely for the purpose of complying with the Company’s obligations under applicable employment and social security and social protection law (such as obtaining a birth certificate or marital status certificate). Please note that the above information is provided with the consent or explicit notification of the child’s parental responsibility.

3.7 What is the purpose of processing personal data?

The purpose of personal data processing varies according to the relationship between the Company and the underlying personal data. Particularly:

• Employees’ personal data are provided to the Company for the purpose of concluding, executing or terminating the corresponding employment / cooperation agreement. In addition, the employee’s personal data for attendance, absences, hours of attendance, permits, medical evidence of sick leave are kept for the purpose of granting leave, including sickness, while personal data related to employee performance are provided by the heads of the individual departments the purpose of staff evaluation by the Company.

• The personal data of candidate employees are provided to the Company during the stages of selection and evaluation of candidates and in particular they are sent to the relevant Department of the Company and its Administration, for the purpose of informing the Company, evaluation, interviews, etc. during the recruitment and co-operation process.

• The personal data of customers, associates, trainees, and other Company’s counterparties is provided to it for the purpose of concluding and developing the corresponding contractual relationship, our compliance with our statutory contractual obligations and, where applicable, us with the above subjects at their request.

• The personal data of the “newsletter” recipients is provided to the Company with their explicit consent and is used to communicate with them for the purpose of informing about our actions or promoting our products.

• The surveillance of the entrance as well as the other external facilities of the Company is also executed with CCTV image capture cameras. Any entrant (employee or visitor) on our external premises is informed in an appropriate, prominent and understandable way (signs) of his entry into a closed-loop TV room for security and protection of persons, property and critical infrastructure and other law.

3.8 What is the legal basis for processing?

The collection and processing of the above subjects for the purposes described above is based on:

• Article 6 par. 1 b: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

This basis is the legal basis for the processing of the above personal data of employees, associates and traders in general with the organization with which they have a contractual relationship, in the fulfillment of the purposes related to the conclusion of the contract, the execution management of employee recruitment and retirement, card management – licensing – staff payroll, management of personnel training, management of personnel evaluation and management and so on.

• Article 6 par. 1 c: processing is necessary for compliance with a legal obligation to which the controller is subject;

On this basis, we rely on our compliance with our statutory obligations in our capacity as employer or contractor, the payment of our employees and associates, the maintenance of medical records of employees, the announcement of the recruitment of employees to the competent bodies (Labor Inspection, EFCA etc) and so on.

• Article 9 par. 2b: processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.

and Article 9 par. 2 h: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 Article 9 (3) is processed by a professional subject to the obligation of confidentiality under the law of Greece as a Member State and in particular Article 18 para 3 N 3850/2010 stipulating that the medical practitioner has the obligation to observe medical and business secrecy

On this basis as an additional prerequisite for the basis of Article 6, we rely on, on the one hand, to collect medical documents, as we have a legal duty – a medical practitioner who collects and maintains the medical history of our employees and the results of medical examinations. The medical practitioner has a statutory duty of confidentiality, and our business has taken appropriate security measures to prevent access to these data by an unauthorized employee or third party.

• Article 6 par. 1f: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data,

In particular, on this basis, we rely on maintaining a closed-circuit television system only in the entrance areas of our installations and outdoors around our facilities. The legitimate interest of the Company is to protect the Company’s premises, to safeguard its assets (materials and materials), to ensure the safety of the employees’ personnel, to control and block access to the premises of persons unrelated to its operations. It is underlined that the processing of these data is absolutely necessary can not be achieved by any other milder means, it is only for the above mentioned safety purposes and is not used as a criterion for assessing the behavior and profitability of the employees. In any case, the data will be used once their accuracy has been confirmed.

• Article 6 (1) (a) GDPR: the data subject has consented to the processing of his or her personal data for one or more specific purposes,

On this basis, we rely for our newsletter, for which we receive explicit consent from the subjects after they have been fully informed.

3.9 Profiling

The Company does not use personal data to create a “profile” within the meaning of the GDPR.

3.10 Transfer of personal data to third parties: Who can be notified?

The Company does not normally disclose personal data to third parties except in the following cases. Particularly:

• Personal data of the employees are transferred to the respective co-operating Bank for the purpose of payroll.

• Employee medical data is forwarded to the Company’s medical practitioner, who has signed a contract that binds him in his / her capacity as processor for the confidentiality, security, integrity and availability of the personal data.

• Personal data of subjects visiting our Company’s social media pages are transmitted, as appropriate, to the individual advertiser associated with the Company for promotional and / or promotional purposes.

• Personal data may be forwarded to an external partner of the Company, which has been contracted to provide technical support for our IT systems.

We note that our associates have access only to those personal data that are necessary for the performance of their contractual obligations and are prohibited from using them for any other purpose. In addition, they have previously committed themselves to our Company for their relevant obligations regarding the non-use of personal data for a purpose other than processing, confidentiality and general compliance with the GDPR in their capacity as ” Performing the Edit “.

3.11 For how long is personal data retained?

The retention time of personal data depends primarily on the purpose of the processing, and their mere retention is a processing act, which is allowed only if it is governed by the principles of processing. After the retention period, the personal data are deleted with care of our Company. Particularly:

• Candidates’ data are compiled on a mailserver and fileserver electronically, accessible by the HR Department and Company Management for a period of six (6) months from the completion of the recruitment process. The retention is due to a possible reassessment of the candidates by the Company.

• Employees’ personal data, are kept in a physical file and fileserver by the HR Department, for as long as the employment relationship lasts. After the termination of the employment relationship for any reason, the relevant information is retained for a maximum of twenty (20) years (indicative limitation period for any relevant legal claims), during which any legal processing case, such as a case of claiming a civil nature of rights or investigating a criminal offense where a worker is likely to be involved, a case of tax audit, etc. The above applies also to employee asset data, access to electronic and physical files and work fields and corporate mobile phones for the purpose of performing the employment contract. They also apply to personal data concerning the granting of leave to employees (presence, absences, hours of attendance, permits, medical evidence of sick leave) and staff assessment.

• The personal data of our clients and associates are kept in a physical file and in a fileserver by our Financial Management Department for as long as our contractual relationship lasts. After the termination of the contractual relationship, the relevant information is retained for a maximum of twenty (20) years (indicative limitation period for any relevant resulting legal claims), such as e.g. in civil cases or in the investigation of any criminal offense, tax audit, etc.

• Personal data of workers and visitors that are collected from our closed-circuit video surveillance system operating on the external premises, including the entrance, are kept for fifteen (15) days on a CCTV recorder, period which is subject to more specific provisions of the legislation applicable to particular categories of data controllers. In case of any incident related to the purpose of the processing, the controller is allowed to keep the recordings in which the incident has been recorded in a separate file for three (3) months. Exceptionally, the controller may keep this data for a longer period if the event requires further investigation. In the latter case, the controller is under an obligation to inform the competent authority of the length of time needed to keep those downloads.

3.12 What are the rights of the subject of personal data?

The processing of your personal data is also associated with your respective rights, which, subject to any provisions limiting the exercise thereof, are:

• The right to information. You have the right to receive clear, transparent and comprehensible information about how we use the personal data and what your rights are. To this end, we provide you with the information in this Policy and we urge you to contact our Company and / or DPO of our Company (see the above contact details, see clause 3.1) for any additional clarifications.

• The right to access and rectification. You have the right to access, correct and update your personal data at any time.

• The right of data portability. The personal data you have given us is portable. This means they can be moved, copied or transferred electronically.

• The right to erasure. If you revoke your consent for processing at any time, you have the right to request that you delete your personal data.

• The right to restrict the processing. You have the right to restrict the processing of your personal data.

• The right to withdraw consent. If you have given your consent to the processing of your personal data, you have the right to withdraw your consent at any time by contacting us with the information provided in this document.

• The right to object exists for processing for the purpose of direct marketing (eg informative e-mails).

• Rights related to automated decision making. You have the right not to be subject to a decision based solely on automated processing and having legal or other significant consequences for you. Specifically, you have the right:

• interfering with human intervention,
• expressing your point of view,
• get an explanation for the decision that came up after an evaluation, and
• to challenge this decision.

In the event that you exercise any of your rights, we will take all reasonable measures to satisfy your request within a reasonable time and at the latest within one (1) month of the identification of your submitted request, informing you in writing of the satisfaction of your request or the reasons why you may impede the exercise of the right in question or the satisfaction of one or more of your rights under the GDPR. Please note that in some cases it may not be possible to meet your relevant requests, such as when the fulfillment of the right is contrary to a legal obligation or impedes a contractual legal basis for processing your data.

However, if you believe that there occurs any violation of your rights or legal obligations regarding your personal data, and provided that you have previously contacted the Data Protection Officer of the Company (DPO) for that matter and have exercised your respective rights vis-à-vis the Company without receiving a response within one (1) month (extending the deadline to two (2) months in the case of a complex request), or you believe that the response you received from the Company is not satisfactory your issue has not been resolved, you may file a complaint with the appropriate local supervisory authority, namely the Personal Data Protection Authority, 1-3 Kifissias Avenue, TK 115 23 Athens, email: complaints@dpa.gr, fax 2106475628.

3.13 How are personal data protected?

The Company has made every effort to take appropriate organizational and technical measures to protect your personal data from misuse, interference, loss, unauthorized access, modification or disclosure. Measures implemented include the use of appropriate technical systems for access control, technical security of information and ensuring that personal data are encrypted, nicknamed and rendered anonymous where this is necessary and feasible.

Access to your personal data is only allowed to relevant employees and authorized associates of the Company and such access is necessary to support our Company’s activity and is subject to strict contractual confidentiality obligations when assigned and processed by third parties.

3.14 How can I contact the Company?

You can contact us: a) in the address of our headquarters, in Aspropyrgos, Attiki, location “Imeros Topos”, P.C. 19300, P.Ο. Box 139 or b) by phone 210-5589400 or c) by e-mail: info@vitex.gr  and/or dpo@vitex.gr.

3.15 Updating this Policy

This Policy will be reviewed if necessary to adapt to any legislative changes in order to meet the needs of the subject of the personal data and any changes in our Company’s products, services and internal processes. Every change will be published on our Company’s corresponding official website with a review of the latest information listed at the top of the Privacy Policy.-