PERSONAL DATA PROTECTION POLICY

"TELENAVIS SA"

Introduction

“TELENAVIS SA” since 2000 functions as a trusted Geographical Information Systems Business Solutions Provider serving customers in the logistics sector, telecom operator markets, retail and FMCG, and in the government sector. The company also participates in many EU Research & Development projects along with Academic and enterprise partners. TELENAVIS is a trustworthy technology services provider for prominent organizations. Based on our extensive business expertise, we develop innovative software solutions, which we combine with versatile services in order to drive long term growth & operational excellence of our customers. www.telenavis.com

Regulation 2016/679 enshrines the rights of natural persons (data subjects) with regard to the processing of their personal data, while at the same time imposes specific obligations on those handling personal information (data controllers).

The specific policy outlines the basic rules and procedures to be followed by the Company for the protection of personal data in order to ensure its compliance with the European Commission’s General Personal Data Protection Policy (GDPR).

  • Purpose

The purpose of this document is to give guidelines to Company Executives (Administration Personnel) on how to deal with privacy issues in a single and comprehensible manner.

  • Scope

This document concerns the processing of personal data of the recipients of the Company’s services and of third parties-traders of the Company.

  • Type of Access

The total of company’s employees, our clients and our web site visitors have free access to the herein document.

  • Policy
  • General Principles

The following principles focus on the issue of personal data protection:

  • Legality, objectivity and transparency during processing
  • Restriction of the purpose of the processing
  • Minimize the data being processed
  • Accuracy and update of the data being processed
  • Integrity and confidentiality during processing
  • Restriction of retention / storage period
  • Collection & Processing of Personal Data

“Personal data” definition equals to all the information or the combination of information that could identify directly (i.e. your name) or indirectly (i.e. unique identity card number) a particular person. This means that personal data include details such as email address/ home address/mobile phone number, usernames, profile photos, personal preferences and purchasing habits, financial information, and social welfare information).

The collection of personal data occurs by both the Data Subjects itself and the Third Parties. The herein data may be provided to our Company directly from you (for example, when you contact us through the contact form on our web site while requesting our services), or be collected by the Company (e.g. using cookies in order to understand how you use our site), or be received by third parties, external partners or Company customers.

The Company only collects personal data that is necessary in order to meet its requirements for the provision of its services. Where additional, optional information is requested, data subjects are being informed at this same time of data collection.

In particular, in order for the Company to operate and provide its services, it receives from its Customers personal data such as:

  • Name and Surname
  • Contact phone
  • Passport Number/ Identity Card Number
  • Date of Birth

If you choose to sign up or log in to the Company’s website using a third unique sign-on service that testifies to your identity and connects your login information to social media (e.g., LinkedIn, Facebook, Google+ or Twitter) with the Company, any information or content needed to sign up for or log in, for which you have given the social media provider permission to share with us, such as your name and your email address, is being collected. The collection of other information may depend on the privacy settings you have set up with your social media provider, so please study the privacy statement or privacy policy of the relevant service.

  • Purpose of collecting and processing personal data

The Company may collect the above personal data for the following indicative purposes:

We process your personal data for a specific purpose and only process the personal data which is necessary and relevant to achieving that purpose.

In particular, we process personal data for the following purposes always in accordance with the nature of our collaboration as well as applicable legislation and regulations:

  • perform our contractual obligations towards you or to take pre-contractual steps at your request and/or consent;
  • manage our suppliers and subcontractors;
  • monitor activities at our facilities, including compliance with applicable policies as well as health and safety rules in place;
  • manage our IT resources, including infrastructure management and business continuity;
  • preserve the firm’s economic interests;
  • ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and defending litigation);
  • archiving and record-keeping;
  • billing and invoicing; and
  • any other purposes imposed by law and authorities.
  • Legitimacy of Processing

The legal basis for the processing of personal data consists from:

  • The proper and lawful execution of the contracts concluded by the Company for the provision of its services.
  • Compliance of the Company with the legal obligation derived from the applicable national or Community legislation.
  • The consent of the Data Subject. In this case, the given consent is specific, explicit, and clear and refers to one or more specific purposes, provided that the processing is not based on any of the above-mentioned 1 to 3 legal bases.
  • The pursuit of a legitimate interest of the Company.
  • Assignment of a Data Subject

In cases where the processing of personal data is based on your consent (consent form), a copy of it with all the information contained therein is kept as evidence of its granting and for convenience in case that revocation is requested. This copy is being kept in a secure place in our premises and only the Controller is available to access it. Consent is granted for clear and distinct processing purposes, which have been acknowledged in advance, and you have been fully aware of them when you grant it.

In this case, you have the right to withdraw your consent at any time, and the said revocation does not affect the legality of the processing based on a prior to its revocation consent. The

revocation shall be effected with a relevant document submitted in writing or electronically to the Company and is valid from the date of its submission.

  • Disclosure of Third-Party Data – Recipients

The Company may have contracts with third parties – external partners in order to provide its services. Personal data may be shared with them so that the project is implemented. The processing of personal data undertaken by third parties in the framework of this cooperation is effected on behalf of the Company, namely acting as executors or further processors.

The Company aims to use only those processors who provide sufficient assurance that appropriate technical and organizational measures will be applied; in such a manner that the processing meets the requirements of the GDPR and the current legislative and regulatory framework and that the protection of the customer’s rights is ensured.

The above award occurs via a written contract signed between the Company and the processor, which binds the latter towards the Company and determines, at least, among other things, the subject matter and duration of processing, the nature and the purpose of processing, the type of personal data that they receive from the Company and the categories of data subjects to which they belong, as well as the responsibilities and rights of the Company.

In addition, personal data may be communicated to State Authorities and Agencies if required by a specific legal provision of National or Community legislation.

  • Securing Personal Data

The Company applies appropriate technical and organizational measures designed to implement the data protection principles at the time of processing means determination as well as at the moment of processing, which meet on a permanent basis the requirements of GDPR and protect the rights of their clients as data subjects.

Such measures are:

  • Minimizing the data processed, i.e. the Company collects and processes only the personal data strictly necessary for processing,
  • Restrict access to data only to persons who need it for the proper and lawful execution of the duties / tasks assigned to them and only to the extent that the access is necessary,
  • Continuous testing and controlling of the processing of personal data and organizational and technical measures implemented adequacy,
  • Direct possibility to exercise rights of data subjects through appropriate forms,
  • Personal Data of Minors

The processing of personal data concerning minors occurs under the strict condition of parents’ or holders’ of parental responsibility prior consent, according to the specific provisions of the legislation currently in force.

  • Transfers of Personal Data to Third Countries within and Outside the EU

The Company transmits personal data to a third country or an international organization only after full update of the Data Subject and procurement of the relevant Consent.

  • Time of Conservation, Destruction of Data

Your personal data is retained only within a reasonable period required for the purpose of its partial processing.

Where the processing of your personal data is based on a legal obligation, the period of retention of such data is determined in accordance with the requirements of the legislation, the length of time during which the competent authorities may carry out controls, the prescribed limitation periods of rights and claims, as well as your own legitimate interests.

Where processing is based on the legitimate interests of the Company, the retention period of the data is determined by the need of each processing purpose and of a reasonable period of time to ensure the effectiveness, traceability and documentation of the processes.

In cases where your personal data is processed on the basis of your consent, the retention period is determined by the possibility of withdrawing it. Once you revoke your consent, your personal information will also be deleted.

Once the maintaining period of personal data that is required by the Company expires, personal data is destroyed. Personal data are effectively destroyed by both electronic and physical records, either through total deletion from the Company’s server or destruction of documents.

  • Rights of Data Subjects

Under the current legislation on the protection of personal data, you have certain rights as ‘data subjects’. We list your rights below.

  • Right of Access – You have the right to access the personal data of yours that we handle and be informed. You also have the right to receive some information about how we process personal data.
  • Right of Rectification – You have the right to correct your inaccurate personal data and fill in where incomplete. Please note that we may not be able to correct inaccurate personal data you have given us, for example, due to the rules of the airline companies, and that any correction may be charged.
  • Right to Delete – Under certain circumstances, you are entitled to delete your personal data. This is the so-called “right to oblivion”. Please note that this is not an absolute right, as we may have legal or valid reasons to maintain your personal data.
  • Right of Process Limitation – Under certain circumstances, you are entitled to restrict the way we use your personal data. This right means that your data is being processed by us and is therefore subject to restrictions and therefore we can store it but we cannot use it or process it further.
  • Right to Data Portability – You are entitled to receive your personal data (or to send your personal data directly to another data controller). This is only valid in case of data you have provided and the processing is based on a contract or your consent and this processing is done by automated means.
  • Right to submit complaint to the Supervisory Authority – You have the right to contact the Personal Data Protection Authority and file a complaint about the data protection practices followed by the Company.

To exercise your above-mentioned rights, you can contact the Company to send you the appropriate form / application. The Company must respond to your request within 2 months deadline.

  • Basic Definitions & Acronyms

«Personal Data»: every information concerning identified or identifiable natural person («data subject»); the identifiable natural person is the one whose identity can be determined directly or indirectly.

«Processor»: the natural or legal person who processes personal on behalf of the Processing Controller.

«Procession»: every collection, recording, organization, alteration, structure, storage, alteration, recovery, seeking information, use, transmission, limitation or deletion of personal data that the Company obtained or will obtain in the future both at the period of transaction relations with the customers as well as in the framework of update that the Company acquires from third, natural or legal parties or public entities during the exercise of theirs or Company’s legal rights.

“Recipient” means a natural or legal person, a public authority, a service or another agency to which personal data are disclosed, whether it is a third party or not.

«Limitation of procession»: the acknowledgment of saved personal data aiming the limitation of their future processing.

«Consent of the data subject»: every indication of will, free, specific, definitive and in full awareness, to which the customer of the Company declares his agreement via written consent or definitive positive act concerning the procession of its personal data.

«Third Party»: every natural or legal person, public authority, service or entity, excluding the customer, the officer of processing, the executor of the processing and all individuals that under direct supervision of the officer of processing, or of the executor of processing, are authorized to process personal data

«Procession Officer»: the legal person that derives the purposes and the type of personal data procession. For the current Policy’s purposes, Procession Officer is considered the company.

«Subject of data»: any identified or identifiable natural person whose personal data is under procession. For the purposes of the current Policy, as data subject are considered the customers of the Company.