Our top priority is to respect your privacy and ensure the management, protection and security of your personal data. Our company “ARCHEIOTHIKI S.A.” (hereinafter referred to as “Archeiothiki” or “our Company” or “us/our(s)”) has established this Personal Data Protection Policy (hereinafter referred to as the “Data Protection Policy” or the “Policy”), which should be read as an undivided text and an integral part of the Cookies Policy.
1. Target audience of this Policy
This Policy is addressed to you if you are:
- Users of our Website,
- Potential and former Customers of our Company,
- Potential, existing and former Suppliers of our Company,
- Visitors to the Archeiothiki’s facilities (inspectors, partners, representatives of Customers/Suppliers, etc.)
- Third parties, whose data we may collect and process in the context of our services (e.g., employees of our customers or our partner companies, our customers’ lawyers, etc.).
2. What is the purpose of this Policy?
2.1. This Policy is a Personal Data Protection Policy which aims to describe the way we process your personal data when you use our website or when we communicate with you, in accordance with the General Data Protection Regulation (EU) 679/2016 (hereinafter “GDPR” or “General Regulation”), the respective Greek legislation on the protection of personal data, as well as the decisions and instructions of the competent European bodies (hereinafter “applicable Legislation on Personal Data”).
2.2. Moreover, this Policy serves the purpose of providing Public Information about the processing of third parties’ personal data in accordance with article 14 (5) of the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”), as well as article 32 (2) of Law 4624/2019.
3. What is the role of Archeiothiki in the processing of personal data?
3.1. The company ARCHEIOTHIKI S.A., based in Athens, 1 Loukianou St, Postcode 10675 tel. +30 2105270410, email: firstname.lastname@example.org, is the Controller for the processing of your data as Users of the Website while you navigate it. In addition, Archeiothiki may be the Controller, e.g., during the processing of the personal data of visitors to its facilities, as well as for the provision of support services (excluding archive storage and management services), as well as for all the processing purposes which are analysed in the table in point 6.
3.2. There are also situations in which Archeiothiki operates as a Processor or a Sub-processor (such as at the pre-contractual stage with its potential Customers, while performing contracts with its Customers, in its dealing with its suppliers – subcontractors, when processing third party data, etc.).
Email: email@example.com (For the attention of the DPO)
post: Rikia area, Postcode 193 00, Aspropyrgos – Greece (For the attention of the DPO)
4. What personal data do we process and how?
- Your personal data include any information that allows, either on their own or in combination with others, your unique identification, according to the applicable Personal Data Legislation. Completely anonymous data and any information which is not structured in a file are not considered personal data (e.g., oral information in the context of your visit to our facilities).
- We process your personal data for any action which is performed on personal data or on sets of personal data, with or without the use of automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- We primarily deal with legal entities, whose data do not constitute personal data in principle, other than their email address (e.g., company@… gr), pursuant to Law 3471/2006. In that case, the information owned by a legal entity (either sole proprietorship or single-person limited liability undertaking or partnership (e.g., General partnership) or Private Company) and the name of the partner/shareholder which appears in the company name, may be considered personal data. In addition, if your name appears in your professional e-mail (e.g., firstname.lastname@example.org) then this is considered your personal data. Furthermore, if you are a member of a Board of Directors of a company or other governing body of a legal entity or a shareholder in a company, we may process your personal data as part of our services.
- We process personal data when you navigate our Website and when you fill in the contact form posted on it, when you express interest in becoming our Partner and fill in our contact form, during your visit to our company facilities and during Archeiothiki’s operation for the provision of its services.
- By way of example, we may collect and process the following types of personal data (hereinafter referred to as “Personal Data“):
- Identity Data: name, surname
- Identification Data: authorisation, power of attorney, articles of association, username, password
- Job title/role data in the company
- Communication data: email address, phone number
- Address Data: work postal address (street, number, postal code)
- Contact form message data through the Archeiothiki website
- Device and software data: IP address, browser type and version, operating system
- Financial/payment data: bank account numbers
- Tax data: the tax data you issue, VAT, withholding taxes
- Image data: your image collected via CCTV (further details can be found in the text of the Level B Update posted at central points of the Archeiothiki facilities)
- Visit data: date, time and purpose of the visit
- Data by means of Cookies, to which a detailed reference is made in the Cookies Policy.
- Please Note: Archeiothiki declares that, when hosting and/or managing documents and other electronic files and general information included in the Archive Material, it is not aware of, does not check and is not required to be aware of or check the subject matter of the documents and/or their content, or the type, condition and value of the documents or other elements that constitute the archive material (documents, information or other details).
5. How do we collect your personal data?
We collect your personal data from you, by automated means and/or from third parties.
From you, when:
- you fill in our Website’s “Contact Form”
- you contact us in order to send you a price quote
- we are exploring a potential collaboration with you and you fill in the respective contact form
- you send us your invoices
- you give us your business card
- we work with you and you give us your details as our supplier
By automated means, when:
- cookies are installed on your computer through our website
- you visit our website through your browser
- we collect image data via CCTV. You may obtain additional information from the Level B Update which is posted at central points of the Archeiothiki facilities,
- you participate by answering questionnaires sent to you by Archeiothiki, through platforms that we use as tools for our internal organisation.
From third parties, when:
- you are an Authorised user to access the digital platforms we use as tools to provide our services
- you work for our customers or suppliers and we need to contact you as part of the performance of our contract with them or when providing them with IT support, accounting support, human resources management
- we provide our services to our customers and their personal data are contained in their files,
- you interact with us on social media on your own initiative.
6. What is the purpose and legal basis of each processing?
The following table summarises the processing purposes, the data that we collect and process by purpose and the corresponding legal basis:
|Purpose of processing
|Individual processing purposes
|Legal basis of processing
Website navigation and communication by filling in the details on the contact form
|We process your data:
(a) in order to handle the communication requests you voluntarily submit to us through the contact form available on our Website;
(b) to communicate with you following your request through the contact form pursuant to the above;
(c) when you opt to install Cookies for the purposes described in the Cookies Policy of our website.
(Email), phone number
Contact form message data:
The contact form available on the Website includes a field where you can optionally fill in your message to Archeiothiki.
We encourage you to only provide us with information which is strictly necessary for your communication with Archeiothiki and to not include in your message, indicatively but not limited to, specific categories of personal data or any other information that is not absolutely necessary for the purpose of communicating with the Company.
We cannot (and have no obligation to) verify the legality of the content of your message and Archeiothiki will not be held liable if the content of your message is illegal and/or if you provide us with personal data which are either unrelated or exceed what is absolutely necessary for the purpose of communicating with you.
|Your consent to the processing of your personal data for the purpose of processing your request through the contact form and communicating with you.
In addition, we process your personal data when you opt to install cookies via the cookie banner on our website.
You may withdraw your consent at any time by contacting Archeiothiki through the contact details referred to above, in point 3.2.
It is hereby clarified that your communication request does not constitute a subscription to a newsletter database.
Contact – information for the provision of Archeiothiki’s services
|We process your data with the purpose of:
– contacting you in order to inform you about Archeiothiki’s services,
– sending you NDAs, Letters of Intent, draft contracts at the pre-contractual stage between us.
(Email), phone number
Job title/role data in the company
|Fulfilment of Archeiothiki’s contractual obligations at a pre-contractual stage
We will contact you when you express interest on being informed about the services we provide and during the negotiation period prior to the execution of the contract between us based on the fulfilment of Archeiothiki’s contractual obligations at a pre-contractual stage.
|We keep a record of our former customers in order to:
A) meet the obligations of our company in response to tax audits, B) to lodge, defend and refute any claims
Their email address and phone number
A) Compliance with legal obligations
We only keep a record of the personal data necessary to comply with our legal obligations in the event of a tax audit of Archeiothiki.
B) Legitimate interest
Archeiothiki has a legitimate interest in keeping a record for establishing, supporting, or defending legal claims. The company’s legitimate interest has been fairly balanced against your privacy without compromising your fundamental rights and freedoms.
Potential, active and former
Fulfilment of obligations and communication
|We will process your personal data in the course of Archeiothiki’s business operation in order to:
A) – contact you when you have provided us with your contact details or when you fill in the corresponding contact form which is posted on our website, as well as during the negotiation, effective term and termination of our contract,
– communicate with your employees while you provide your services,
– fulfil our contractual obligations (your payment, etc.).
B) – keep a record of your financial data in the event of a tax audit and to meet our obligations arising from tax legislation,
– create and maintain a processing file in accordance with the provisions of the GDPR
C) – keep a record as evidence for the exercise, defence or rebuttal of legal claims
Email, phone number
Activity data on platforms:
username (email), IP Address, User Agent (browser, version, operating system), Timestamp (date, time).
The tax data you issue, VAT, withholding taxes
|A) Fulfilment of Archeiothiki’s contractual obligations at a pre-contractual stage
We will process your personal data when negotiating the cooperation between us, when receiving your services, and
B) Archeiothiki’s compliance with its legal obligations
While providing its services, Archeiothiki must comply with its legal obligations in accordance with applicable legislation (e.g., tax laws, data protection legislation, etc.)
C) Legitimate interest
We keep a record of your data as evidence for proving and defending Archeiothiki’s legal rights in the context of resolving our disputes.
Archeiothiki’s legitimate interest has been fairly balanced against your privacy without compromising your fundamental rights and freedoms.
|We process your personal data during your visit to our facilities in order to:
– record your details in the visitors log when you enter Archeiothiki’s facilities
– comply with security measures through the use of CCTV at Archeiothiki’s facilities
Your name and surname
Job title/role data in the company, purpose of visit
which are collected through the installed CCTV system and according to the “B Level Update” posted on each facility equipped with such a system.
Archeiothiki, as part of its archive material storage and management services with high security requirements, as well as its obligation to enforce security measures and protect personal data, has a legitimate interest in keeping a record of visitors in order to be able to know the persons who entered Archeiothiki’s facilities, as well as to process the image/video data collected during the CCTV operation in the facilities of Archeiothiki.
Third party data processing in the provision of services
|We will process your personal data while providing our services when:
– your data are included in our customers’ archive material units when we provide archive storage and management services (physical or electronic) without having access to it based on our customers’ statements alone (see note in paragraph 4.6 above), or we may have access to but we do not become aware of or control their content ()
– your details are included in our customer files, which must be accessible to us when providing our other support services (e.g., IT support, accounting support, human resource management).
|Identity Data: (full name) that you provide us, when you fill in the contact form on the Website
Job title/role data in the company
Communication data: (email address and your phone number) which you provide us
Data, which according to our customers’ statement (see note in paragraph 4.6. above) are included in their archive material.
In the context of fulfilling our contractual obligations with our partner company, we process your personal data based on Archeiothiki’s legitimate interest. Archeiothiki’s legitimate interest has been fairly balanced against your privacy without compromising your fundamental rights and freedoms.
7. How long do we retain your personal data?
7.1. We will retain your personal data for as long as you continue to interact with us and for as long such data are necessary to fulfil the processing purposes described herein. In determining the retention time of your personal data, we take into account the nature of your data, the amount, the purpose of its processing, their security, observing the principle of minimisation, provided that the legitimate interest of Archeiothiki is not affected and/or there is no legal obligation to retain your information according to the above.
7.2. According to the role you have when you interact with us or work with us or when we process your data in the context of fulfilling our contractual obligations:
– if you are a User of our Website, we keep your data for a period of one (1) year from the moment you last interacted with us;
– if you are a Potential Customer or a Potential Supplier and you have provided/sent us your business card, we will keep your data for a period of five (5) years;
– if you are a Former Customer we will keep your data for the reasons described above for a period of five (5) to ten (10) years in accordance with current tax legislation;
– if you are a Visitor to our facilities, we will keep your visit data for the reasons described above for a period of up to five (5) years. image data of you collected via CCTV are kept for a short period of time, according to the Level B Update in force each time, which is posted at central points of the Archeiothiki facilities;
– if you are an active or former Supplier, we will keep your data for as long as our contract with you is valid, for the reasons described above, for a period of five (5) to ten (10) years in accordance with current tax legislation;
– if you are a Third Party, we will keep your personal data for as long as our contract with our customers or suppliers is valid.
7.3. Furthermore, we retain your personal data for our legal coverage in the event of a dispute related to the use of the Website (e.g. regarding your message) and for the management of any legal claims by Archeiothiki, as well as for the processing covering this Policy (e.g., extra-judicial disputes, any disputes and litigation before the competent courts and/or prosecution and/or other authorities), for the period during which any liability for the processing may arise, in accordance with the applicable law at any relevant time.
7.4. In any event, as long as we retain your data, such information is securely stored, in accordance with the security measures set forth in Article 10 below.
8. Who are the third recipients of your data?
8.1. The processing of your personal data will be primarily carried out on the premises of our Company by persons who are authorised to process personal data and who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. We take appropriate measures so that only authorised persons process the minimum amount of your personal data required for the fulfilment of the purpose of processing (on a need to know basis).
8.2. Where necessary for Archeiothiki to cooperate with third parties in order to provide its services in the best possible way and to operate as a commercial undertaking, our Company selects persons or third partners with relevant professional qualifications, who provide appropriate safeguards in terms of technical knowledge and personal integrity to ensure the privacy and the security and protection of data from accidental or unauthorised destruction, loss, tampering, dissemination. Our Company, through the respective contractual obligations with the shareholders, members of the administrative staff, as well as its external associates and processors or joint controllers, implements all necessary contractual, technical and organisational security measures to protect and ensure the privacy, confidentiality and integrity of the Personal Data.
8.3. Furthermore, as a Controller, our Company cooperates with third parties who act as Processors with Archeiothiki, with whom it has signed the required data processing agreements (DPAs) and for which it has ensured that they observe the guarantees of Personal Data secure processing in accordance with the GDPR and applicable Greek legislation. Moreover, Archeiothiki may transmit your personal data to third party recipients as separate Processors, whether required by law (e.g., public services or legal authorities) or in the context of fulfilling its contractual obligations toward its customers or based on its legitimate interest in the context of its sound administration and operation.
8.4. For the smooth and uninterrupted operation of the Website, Archeiothiki works with third parties who gain access only to such data as is absolutely necessary for the functional and technical organisation of our Website, the optimisation of the User experience, your submission of a contact form to Archeiothiki etc. By way of example, our partners include the company that provides technical support and hosts the Website, etc.
8.5. In addition, Archeiothiki cooperates with third companies in order to be able to provide integrated solutions to its customers and to offer its services in the best possible and flexible manner to its customers. In this context, it collaborates with digital platforms.
8.6. In particular, your personal data may be disclosed to the following categories of recipients:
– Public services (e.g., Tax Office, etc.) or State Authorities.
– Third parties providing services to us, such as IT companies, database hosting companies, system development, support and maintenance companies, telecommunications companies, special software vendors, lawyers, etc.
– Customers of the company, on whose behalf you use the Digital Platforms as Authorised Users, for the purpose of demonstrating the mandates or carrying out audits provided for in the Contract.
– Third parties who carry out audits on us in the context of our regulatory obligations, customer relationships or obligations arising from applicable law or standards with which our Company complies.
8.8. Finally, we may need to provide personal data to law enforcement authorities in order to comply with a legal obligation or a court order.
9. Transfer of data to third countries
9.1. Personal Data of Customers/Representatives/Authorised Users collected by Archeiothiki, are collected, stored and processed in our Company’s facilities (Greece), as well as in the Information Systems Hosting services provider (Greece), on whose servers they are transmitted from the Platform, for back-up purposes only.
9.2. Archeiothiki generally retains your personal data mainly within the European Economic Area (EEA). However, if such data transfer is required, Archeiothiki shall take all possible measures to ensure your data are safe, as within the EU/EEA or transmitted to a country on the basis of an adequacy decision and in accordance with this Policy and relevant legislation on Personal Data.
9.3. Following the developments in the transfer of personal data to third countries (such as the UK) for the provision of services to its Customers, Archeiothiki has taken, where possible, the appropriate contractual, technical and organisational measures, namely: It has signed the appropriate Data Processing Agreements (DPAs), signed the Standard Contractual Clauses (SCCs) and conducted the Transfer Impact Assessments (TIAs) required for data transfers to non-EEA third countries (e.g., USA). The DPIAs text, relating to Archeiothiki’s collaborators to which data are transmitted, is available and you can access it upon request to the Data Protection Officer, using the contact details mentioned above in point 3.3. In addition, for the transfer of your personal data to the USA, it ensures, where possible, that appropriate technical measures are applied (such as pseudonymisation, anonymisation or encryption), in such a way that persons cannot be identified as data subjects by third party recipients.
9.4. It should be noted that Archeiothiki will update the current Policy, in order to cover the cross-border data transfer and the relevant safeguards for the privacy of Customers/Representatives and Authorised Users while providing its services, if required and based on legislative developments.
9.5. When transmitting your personal data, in accordance with the above, we constantly ensure the highest possible level of security. Therefore, your data will only be transmitted to service providers and cooperating companies, which have been carefully selected and shall be bound by a prior agreement.
10. What are your rights and what are the procedures for exercising them?
- You can exercise your rights by submitting a specific request using the DPO contact email. The table below sets out your rights as well as the relevant explanation and the conditions for exercising them:
|WHAT IS IT?
|of access (article 15)
|You have the right to request:
-confirmation that Archeiothiki processes your personal data
-access to your data processed by it
-information about their processing, such as: what data are available to us, why we use them, to whom we transfer them, whether we transfer them to third countries and if so, how we protect them, their retention period, what are your rights regarding your data, how can you lodge a complaint, where we collected your data from in the event that we did not collect them directly from you
|of rectification (article 16)
|You have the right to ask our company to rectify or update any false or inaccurate data of yours. If you exercise this right, Archeiothiki shall be entitled to verify the accuracy of your data before rectifying them and is under an obligation to inform the recipient to whom your personal data were disclosed, unless this proves impossible or entails a disproportionate effort.
|of erasure (article 17)
|You have the right to request the erasure of your data when:
a) you have withdrawn your consent on which the processing is based;
b) they are no longer needed for the purposes for which they were collected;
c) you find that they are otherwise or illegally processed;
d) you are opposed to the processing.
Archeiothiki reserves the right to refuse the exercise of the above right if the processing of data is necessary:
a) for the purpose for which they have been collected,
b) for compliance with a legal obligation,
c) for the establishment, exercise or defence of legal claims.
Erasure, when the above conditions are met, will be universal and complete.
|To the restriction of processing (article 18)
|You have the right to restrict the processing by Archeiothiki, i.e. to have Archeiothiki retain but not use your personal data when:
a) their accuracy is contested, so that you may verify their accuracy;
b) the processing is unlawful but you do not wish to erase them,
c) the processing of the data is no longer necessary for the purposes for which they were collected, but Archeiothiki still needs them for the establishment, exercise, defence or rebuttal of legal claims;
d) you object to their processing and await the verification of the result of the assessment of Archeiothiki’s legitimate interest, i.e. whether our legitimate reasons prevail over your own legitimate claims
|To data portability (article 20)
|You have the right to ask Archeiothiki to provide you with your personal data in a structured form or you may request that they be transferred directly to another controller (e.g., another employer). As a prerequisite, consent must have been given to the provision of data or in the context of the execution of the contract between us and also that the data are kept by automated means and not in printed form. An additional prerequisite is that the data have been provided by you.
|To object (article 21)
|You have the right to object at any time to any processing of your personal data whose legal basis is a) the legitimate interest, b) the fulfilment of a duty, c) profiling. If you exercise this right, our company will have to prove compelling and legitimate reasons that override your rights and freedoms, or it will have to prove that it needs to continue processing your data to establish, exercise, or support legal claims.
|Withdrawal of consent
|You have the right to withdraw your consent where the consent is provided as a basis for processing. Your may withdraw your consent freely and at any time upon your request to the DPO using their contact details or in any other way you have been informed upon receipt of your consent. Withdrawal of consent shall apply to the future.
|Right to human intervention (article 22).
|Our Company does not make decisions using a technical means evaluating personal aspects relating to you and its decision is based solely on automated processing and produces legal effects concerning you or similarly significantly affects you. Nor does it create your profile through automated personal data processing. Archeiothiki hereby informs you that you have also have this right.
|Supervisory authority/Alternative forms of dispute resolution
|Should you consider that we have not complied with a request you have made to Archeiothiki in accordance with this Policy, you are entitled to submit your grievance or complaint to the local supervisory authority regarding the processing of your personal data. In Greece, the supervisory authority for data protection is the Personal Data Protection Authority –www.dpa.gr/
However, since our top priority is to protect your privacy, we encourage you to contact us for any issue or grievance you may have regarding the processing of your personal data and any other matter related to this Policy, using the contact details referred to in point 3.1 above, as well as with the DPO appointed by our company.
In addition, we suggest that you proceed to Alternative Dispute Resolution – Mediation as a more flexible means of resolving disputes between us.
- We respect the confidentiality of all files, which contain personal data and we reserve the right to ask you for proof of identity if you submit a request to exercise your rights in relation to these files.
- We will not charge you for exercising your rights in relation to your personal data, unless, as required by law, your request for access to information is unfounded or excessive, in which case we have the right to charge a reasonable fee under specific conditions. In any case, we will inform you of any charges before carrying out your request.
- Our goal is to respond to any valid requests within one (1) month of receiving them at the latest, unless it is particularly complex or you have submitted a large number of requests. We will inform you if we are going to need more than one (1) month for the reasons listed above.
11. The security of your data
11.1. Archeiothiki implements all necessary technical and organisational security measures for the protection and safeguarding of the privacy of your personal data and their protection against accidental or unauthorised destruction/loss/tampering, prohibited dissemination or access and any other form of improper processing (e.g., Firewalls, Access rights control, domain controller, LAN segmentation, antivirus, partially encrypted information).
11.2. The information you provide to Archeiothiki is processed exclusively by specially authorised personnel under the Archeiothiki’s control and instructions, as well as the recipients of the personal data when necessary. For the processing, Archeiothiki appoints persons with the relevant professional qualifications to provide appropriate safeguards in terms of technical knowledge and personal integrity, to ensure the privacy of personal data. Archeiothiki, through the respective contractual commitments and its associates, implements all necessary security measures for protecting and ensuring the privacy, confidentiality and integrity of the personal data. In any case, the security of personal data in the Website’s environment is subject to factors beyond the Archeiothiki’s sphere of control, as well as factors relating to technical or other network failures not controlled by Archeiothiki, or reasons of force majeure or unforeseeable circumstances.
12. Applicable Law
Any dispute arising from the use of this Website shall be subject to the exclusive jurisdiction of the Greek courts.
13. Amendments to this Policy
Last updated: 14/07/2021