The D GROUP Group makes every effort to comply with the legislation relating to the Protection of Personal Data in the sector in which it operates. This Policy sets out the basic principles by which the D GROUP Group processes the personal data of customers, employees, suppliers, partners, and other persons. This Policy applies to the D GROUP Group and to its directly or indirectly controlled subsidiary companies based in Greece. All employees, whether on permanent or fixed-term contracts, as well as all subcontractors working on behalf of the D GROUP Group, are bound by this Policy.
The following are the key definitions of the terms used in this document, as set out in Article 4 of the General Data Protection Regulation, in order to familiarize the data subject with the terminology of the Regulation:
Personal Data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of Personal Data: Personal data which, by their nature, are particularly sensitive in relation to fundamental rights and freedoms and merit special protection, as the context of their processing could create significant risks to fundamental rights and freedoms. This personal data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Authority: the Hellenic Data Protection Authority.
The D GROUP Group, as controller, strictly observes the data protection principles set out in Article 5 of the General Data Protection Regulation.
The D GROUP Group processes personal data lawfully, fairly, and transparently towards data subjects.
Personal data is collected only for specified, explicit and legitimate purposes and is not processed for any other purpose.
The D GROUP Group keeps data subjects’ personal data accurate and ensures that it is limited to what is necessary in relation to the purposes of processing. At the same time, it applies appropriate technical measures in order to achieve these objectives.
The personal data held by the D GROUP Group is accurate and kept up to date. Steps are taken to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified within a reasonable time.
Personal data is retained for no longer than is necessary for the purposes for which the D GROUP Group processes it.
Taking into account the state of the art and other available security measures, the cost of implementation, and the likelihood and severity of risks to personal data, the D GROUP Group uses appropriate technical or organisational measures for the processing of Personal Data, in a manner that ensures appropriate security of personal data and its protection against accidental destruction, loss, damage, or unauthorised or unlawful processing.
The D GROUP Group bears responsibility for, and is able to demonstrate, compliance with the General Data Protection Regulation to the competent Data Protection Authority.
Prior to the collection of personal data, or at the time of its collection, for any processing activity undertaken by the D GROUP Group — including but not limited to the sale of products, services, or marketing activities — the D GROUP Group is responsible for providing data subjects with appropriate information, specifically information about the types of personal data collected, the purposes of processing, the methods of processing, the rights of data subjects in relation to their personal data, the retention period, any international data transfers, whether personal data is shared with third parties in the context of cooperation, as well as the D GROUP Group’s security measures for the protection of personal data. This information is provided through the Privacy Notice.
Where the collection of personal data has consent of the data subject as its legal basis, the D GROUP Group is responsible for ensuring that data subjects give their consent freely, through a positive act, explicitly, and with full awareness of the content of the text to which they are consenting. The D GROUP Group provides data subjects with the ability to withdraw their consent at any time. Where personal data of children under the age of 16 is collected, the D GROUP Group ensures that parental consent has been obtained prior to collection. The processing of personal data must be carried out only for the purpose for which it was originally collected. Where the D GROUP Group wishes to process collected personal data for another purpose, it must seek the consent of the data subjects in an explicit and specific documented manner. Any such request must state the original purpose for which the data was collected, as well as the new or additional purpose(s).
The D GROUP Group makes every effort to ensure that the amount of personal data it collects is kept to a minimum. If personal data is collected from a third party, the D GROUP Group ensures that such data is collected lawfully.
Where the D GROUP Group uses a third-party supplier or business partner to whom it entrusts the processing of personal data on its behalf, it ensures that the processor will provide appropriate security and data protection measures in order to address the potential associated risks.
The D GROUP Group makes every effort to ensure that its suppliers or business partners process personal data only for the performance of their contractual obligations towards the D GROUP Group, always in accordance with its instructions and for no other purpose.
The D GROUP Group, as Controller, is responsible for providing data subjects with a mechanism to access their personal data, which will also allow them to review, correct, delete, or transfer it.
Data Subjects have the right to receive, upon request, a copy of the data they have provided to the D GROUP Group in a structured format, and to transmit that data to another controller. The D GROUP Group is responsible for ensuring that such requests are processed within one month, provided that such requests are not manifestly unfounded. In exercising the right to data portability, the data subject has the right to request the direct transmission of personal data from one controller to another, where this is technically feasible.
Upon request, Data Subjects have the right to request that the D GROUP Group erase their personal data. The D GROUP Group will promptly take the necessary steps (including technical measures) to satisfy the request and will also ensure the same from any third parties that use or process personal data on its behalf.
The data subject has the right to object at any time to the processing of personal data concerning them, including profiling.
Upon request, Data Subjects have the right to request that the D GROUP Group restrict the processing of their data in accordance with Article 18(1)(a)-(d) of the General Data Protection Regulation (EU) 2016/679.
Data Subjects exercise their rights, as well as the withdrawal of their consent, by submitting a written request to the D GROUP Group. The Data Subject may also freely withdraw their consent without affecting the lawfulness of processing based on such consent before its withdrawal. This is done by sending a written request/letter or email to: info@dgroup.edu.gr
The Controller of the data subject’s personal data is the D GROUP Group, based in Athens, 98-100 Akadimias Street, 10677.
Data subjects may also contact the Hellenic Data Protection Authority at: www.dpa.gr, email: contact@dpa.gr, telephone: 210 6475600, Address: 1-3 Kifisias Avenue, 115 23, Athens.
When the D GROUP Group becomes aware of a potential or actual personal data breach, it will immediately conduct an internal investigation and take appropriate remedial measures within a reasonable time, in accordance with the Personal Data Breach Policy. Where there is a risk to the rights and freedoms of data subjects, the D GROUP Group must notify the Authority of the breach without undue delay and, in any event, within 72 hours.
If you have any further questions or require any clarification regarding the processing of your personal data by the D GROUP Group, please contact us and our Group will be pleased to assist you promptly.