Statement by the Data Controller “On the Protection of Personal Data”
Increasing economic and scientific collaborations as well as the mutual provision of data processing services have resulted in the exchange of personal data, a trend that is reinforced by the ever-increasing use of modern telecommunication media. For these reasons, it is necessary to process data with care. The Data Controller declares that compliance with the principles governing data protection for the processing of such data is its purpose as it is committed to respecting the individual rights and privacy of individuals. The Data Controller handles personal data with special care and always in accordance with EU Regulation 2016/679 ,the applicable National Law and applicable legislation. For the purposes of this Directive, the following definitions shall apply:
Data Subject: any natural person whose personal data are processed by or on behalf of the Company
Personal Data: any information in relation to an identified or identifiable natural person which relates to his or her physical, physiological, psychological, emotional or economic condition, cultural or social identity.
Processing: processing of personal data (‘processing’) means any operation or set of operations which is performed on personal data, such as, but not limited to, collection, recording, storage, alteration, analysis, use, association, blocking (blocking), erasure or destruction
1. Data Controller
The data controller is the orthodontic specialist ELENI MERETI, based in Alexandroupolis, street, Alexandroupolis, Greece. Mazaraki 11, with VAT number 119296031 D.O.Y. Alexandroupolis, and e mail: info@orthodontikos-alexandroupoli.gr
2.The Data we process
With your consent, we process the following ordinary and sensitive personal data that you provide when you interact with the Website (https://www.orthodontikos-alexandroupoli.gr/) and use the services and functions it provides. This data includes in particular your first and last name, contact details, address and the content of your specific requests, updates or reports as well as additional data that the Data Controller may obtain, including from third parties, in the course of conducting its business (“Data”). In order to enable us to fulfil requests you submit via the contact form and/or provide updates on adverse actions, it is necessary for you to consent to the processing of the data marked with an asterisk (*). Without this mandatory data or your consent we cannot proceed any further. Conversely, the information requested in fields not marked with an asterisk and your consent to receive informative material is optional and failure to provide it has no consequence. In any case, even without your prior consent, the Data Controller may process your data in order to comply with legal obligations under laws, regulations and EU law, to exercise rights in legal proceedings, to pursue its own legitimate interests and in all cases provided for in Articles 6 and 9 of the GDPR Regulation, as the case may be. The processing is carried out both by computer and in paper form and always entails the application of the security measures provided for by the applicable legislation.
3.Why and how we process your data
Data is processed for the following purposes:
- to handle the requests you submit with the “Form”, to subsequently contact you or to provide you with information through it. The legal basis for processing personal data for this purpose is your consent (Article 6(1)(a) and Article 9(2)(a) of the GDPR) and the performance of the contract to which you are a party as data subject;
- to manage reports of adverse actions submitted via the Website or Forms. The legal basis for processing for these purposes is your consent (Articles 6(1)(a) and 9(2)(a) of the GDPR), as well as the pursuit of any public interest (Article 9(2)(i) of the GDPR) and legal obligations;
in addition, but only with your voluntary consent which is the legal basis for the processing in accordance with Article 6(1)(a) of the GDPR:
- To receive promotional material (direct marketing) from us.
To receive promotional material (direct marketing) from us. By ticking the appropriate boxes you agree to the processing of your data for these purposes. Your data may in any case be processed, even without your consent, in order to comply with laws, regulations, EU law (Article 6(1)(c) of the GDPR Regulation, to obtain statistics on the use of the Website and its proper functioning (Article 6(1)(f) of the Regulation). Personal data are entered into the Controller’s IT system in full compliance with data protection legislation, including security and confidentiality profiles, and are based on principles of good practice, lawfulness and transparency with regard to processing. Data shall be stored for as long as strictly necessary to achieve the purposes for which they were collected. In all cases, the criterion used to determine this period shall be based on compliance with the time limits laid down by law and the principles of data minimisation, storage limitation and rational management of records. All your data will be processed in paper or automated means, ensuring in each case an appropriate level of security and confidentiality.
4.Principles applicable to processing
We are allowed to process your personal data in order to provide personalized services, based on the law (Article 6(1b) of Regulation (EU) 2016/679) and the relevant National Implementing Law. Your personal data will not be used for any other purposes other than those described in the Statement, unless we obtain your prior permission, or unless required or permitted by law. Personal data is processed in a manner compatible with the purpose for which it was collected. The principle of proportionality applies when processing personal data. Among other things, it creates an obligation not to collect personal data unnecessarily. Personal data used should be accurate and up to date. Personal data used which are no longer accurate and complete should be corrected or deleted. Except in cases where there is a legal obligation to retain it for a longer period of time, personal data shall not be kept for longer than is necessary for the purposes for which it was collected or processed. The processing of personal data is carried out in accordance with the principles of good faith. This means that data subjects can rely on data processors to show due care in all aspects of data processing. Data subjects whose personal data have been processed will be informed accordingly, if they so request. In particular, they have the right to be informed of the purposes for which their data are being processed, the type of data concerned and the identity of the data recipients. Where necessary, data subjects also have the right to request the rectification, non-transmission or erasure of their data. The above rights may be limited only if such limitation is provided for by law. This applies in particular when carrying out scientific research. In particular, personal data are protected against unauthorised disclosure and any unlawful processing. The measures put in place ensure a level of security appropriate to the nature of the data to be protected and the risks that may arise from their processing. The controller is responsible for compliance and implementation of EU Regulation 2016/679 and the National Implementing Law.
Our employees involved in the processing of personal data are appropriately informed and trained. The procedures for third party processing of personal data by agreement will be set out in writing, having ensured that the third party processes personal data in a secure manner and that it is in compliance with the principles set out in this Statement and the GDPR EU. Where the third party is deemed unable to ensure a satisfactory level of security of personal data, we will terminate the partnership.
5.People who have access to the data
The Data shall be processed by electronic and manual means in accordance with the procedures and practices related to the aforementioned purposes and shall be accessible to the Controller’s staff authorised to process Personal Data and supervisors and in particular to employees belonging to the following categories: technical staff, Information Security and Network Security staff and administrative staff as well as other staff members who have to process the data. The Data may also be disclosed to countries outside the European Union (“Third Countries”): i) to institutions, authorities, public bodies for institutional purposes; ii) to professionals, independent consultants – whether working individually or collectively – and other third parties and providers who provide the Data Controller with commercial, professional or technical services required for the operation of the Website (e.g. provision of IT and Cloud Computing services) for the purposes mentioned above and in support of the DPA; iii) to the Data Controller; iv) to the Data Controller’s own staff and other third parties and providers who provide the Data Controller with commercial, professional or technical services required for the operation of the Website (e.g. provision of IT and Cloud Computing services) for the purposes mentioned above and in support of the DPA. The mentioned recipients receive only the data necessary for their respective functions and duly undertake to process them only for the purposes mentioned above and in accordance with data protection laws. The Data may also be disclosed to the other lawful recipients identified from time to time by applicable laws. With the exception of the above, the Data will not be communicated to third parties, natural or legal persons, who do not perform tasks of a commercial, professional or technical nature for the Controller and will not be disseminated. The persons receiving the Data will process it, as the case may be, as Data Controllers, Processors or persons authorised to process the personal data for the purposes indicated above and in accordance with the applicable data protection legislation. With regard to the transfer of data outside the EU, even to countries whose laws do not guarantee the same level of protection of personal data privacy as provided by EU law, the Controller informs that the transfer will in any case be carried out in accordance with the methods allowed by the GDPR, such as on the basis of the user’s consent, on the basis of standard contractual clauses approved by the European Commission, by selecting parties participating in international programmes for the protection of personal data, and by using the standard contractual clauses approved by the European Commission.
6.Your rights
If you so wish, you may request at any time to exercise your rights under Articles 15-22 of the GDPR Regulation, to be informed about your personal data held by us, the recipients, the purpose of their retention and processing and their modification, rectification or erasure, by sending an e-mail to the addresses shown above, from the contact e-mail address you have provided, by filling in the application form that may be provided to you, by filling in the corresponding application form. You also have the right to review the personal data we hold and, in general, to exercise any right provided for by the legislation on the protection of personal data. The personal data that you disclose to the Data Controller through this website, either at the time of your registration or at a later stage, are collected and used and processed in accordance with the applicable provisions on the protection of personal data of the new European General Data Protection Regulation (EU) 2016/679.
You retain the following rights in detail:
- Right to be informed about your personal data: At your request, we will provide you with information about the personal data we hold about you.
- Right to correct and complete your personal data: We will provide you with information about the personal data we hold about you: Where you notify us, we will correct any inaccurate personal data relating to you. We will complete incomplete data if you notify us, provided that such data is necessary for the purposes of processing your data.
- Right to have your personal data deleted: Upon your request, we will delete the personal data we hold about you. However, some data will only be deleted after a specified retention period, for example because in some cases we are legally obliged to retain the data, or because the data is required to fulfil our contractual obligations to you.
- Right to block your personal data: In certain cases provided by law, we will block your data if you ask us to do so. Further processing of blocked data is only carried out to a very limited extent.
- Right to withdraw your consent: You may at any time withdraw your consent to the processing of your personal data in the future. The lawfulness of the processing of your data remains unaffected by this action, up to the point of withdrawal of your consent.
- Your right to object to the processing of your data: You may at any time object to the processing of your personal data in the future if we process your data on the basis of one of the legal grounds provided for in Article 6 (1e or 1f) of Regulation (EU) 2016/679. If you object, we will stop processing your data, provided that there are no legitimate grounds for further processing. The processing of your data for advertising purposes does not constitute a legitimate ground.
7.Security of Personal Data
The Data Controller applies specific technical and organisational security procedures in order to protect personal data and information from loss, misuse, alteration or destruction. Our partners who support us in the operation of this website also comply with these provisions. The Data Controller shall make every reasonable effort to keep the personal data collected only for the period for which it is needed for the purpose for which it was collected or until it is requested to be deleted (if sooner), unless it continues to keep it in accordance with the applicable law.
8.Revisions of the Declaration
We reserve the right to amend or revise this Statement periodically, at its sole discretion. If changes are made, the Processor will record the date of the amendment or revision on this Statement and the updated Statement will be effective for you as of that date. We encourage you to review this Statement from time to time to consider whether there are any changes to the way we handle your personal data.
This is a Statement of Compliance with the requirements set out in EU Regulation 2016/679 and the National Implementing Law.
June 2023