Personal Data Protection Policy
ESA SECURITY SOLUTIONS SA PRIVATE SECURITY SERVICES COMPANY
ESA SECURITY SOLUTIONS SA (ESA) is today the leading Greek company providing integrated security services with a long-standing presence and international recognition.
ESA conducts its business activities in accordance with privacy principles, as we believe these demonstrate our unwavering commitment to ethical and responsible practices. We recognize that innovation and new technologies lead to constant changes in risks, in our responsibilities to our customers, suppliers and employees, and in legislation, and therefore we follow privacy responsibility standards that we adapt in a timely manner in response to such changes.
This Policy sets out our standards for the management and protection of Personal Data by or on behalf of ESA that originates, directly or indirectly, from any country in the European Union and is transferred to any other country, including transfers between countries in the European Union. It applies to our activities in each country, which includes information about individuals for each activity we conduct in each of our subsidiaries and each sector, including research, manufacturing, commercial activities, corporate support, and the data transfers necessary to conduct the above activities, including, but not limited to:
- Promotional and marketing activities: evaluating markets for our products / advertising, marketing, selling, distributing, and delivering our products / communicating with our customers and other end users of our services / sponsoring and running events / evaluating and encouraging our partners to support our services and activities / complying with relevant legal, regulatory, or ethical requirements.
- Corporate support: recruiting, hiring, managing, developing, communicating with, and compensating employees / providing benefits to employees and their dependent family members / conducting performance and talent evaluations of employees / providing training and other educational and developmental programs / conducting disciplinary proceedings and managing employee complaints / managing concerns about ethics and privacy / conducting investigations / managing and securing our physical and virtual assets and infrastructure / procuring and paying for products and services / meeting our environmental, health and safety as well as corporate responsibility commitments / communicating with the media / and complying with relevant legal, regulatory or ethical requirements.
This Policy also applies to all natural persons whose data we process, including, but not limited to, customers, prospective, current, and former employees and their dependents, ethics committee members, partners, investors and shareholders, government officials and other stakeholders.
All ESA employees and members of its management have important responsibilities regarding privacy protection.
We recognize that unintentional errors and misjudgments about data protection can create risks to individuals’ privacy and to ESA’s reputation, processes and compliance. Each ESA employee, and every other individual who processes data for ESA, is responsible for understanding and complying with their obligations under this Policy and existing law.
Our Values and Standards on Privacy
We apply our privacy values in everything we do that involves people, including how we apply our privacy standards. Our four privacy values are:
- We strive to respect the perspectives and interests of individuals and communities and to be fair and transparent in how we use and share information about them.
- We know that trust is vital to our success, so we work hard to build and maintain the trust of customers, employees and other stakeholders by respecting and protecting information about them.
- We understand that the misuse of information about individuals can harm the individuals concerned, and so we strive to prevent physical, financial, reputational or other privacy-related harm.
- We strive to comply with the spirit and the letter of privacy protection regulations in a manner that demonstrates consistency and operational adequacy for our business operations globally.
1. We integrate our privacy standards into all activities, processes, technologies, and relationships with third parties that use Personal Data. We design privacy controls into our processes and technologies that are consistent with our values, our privacy standards and applicable law. The 8 privacy principles described below summarize our privacy standards and the basic requirements for processing activities and their supporting technologies.
| Privacy principle | Our key commitments |
|---|---|
| 1. Necessity – Before collecting, using, or sharing Personal Data, we determine and record the specific, legitimate business purpose for which it is necessary. | We determine and record the length of time for which Personal Data is needed for these specified business purposes. We do not collect, use, or share more Personal Data than is necessary, or retain Personal Data in an identifiable form for longer than is necessary for these specified business purposes. We anonymize data when business requirements make it necessary to disclose information about the activity or process for which the Personal Data was collected. |
| 2. Proprietary – We do not process Personal Data in ways that are unlawful for the individuals to whom the data relates. | We determine whether the proposed collection, use or other processing of Personal Data poses a risk of actual or imminent harm to individuals, in accordance with the privacy principle for data processing operations classified as “high risk”. If the nature of the data, the categories of individuals or the activity carries an inherent risk of actual or undefined harm to individuals, we ensure that the risk of harm does not outweigh the corresponding benefits to those individuals or to our mission, which is to protect human lives and property from any risk. Where the risk is inversely proportional to the benefits to persons, we process Sensitive or Personal Data only with the unambiguous consent of the persons or as required or expressly permitted by existing law. We document our risk analysis and design any required mechanisms to obtain and record evidence of consent in the supporting technologies. |
| 3. Transparency – We do not process Personal Data in ways or for purposes that are not transparent. | All persons whose Personal Data is processed under this Policy are entitled to a copy of this Policy. We make copies of this Policy available online at www.esasecurity.gr. The Data Protection Officer will provide digital and/or physical copies of this Policy upon request at the addresses listed below. When Personal Data is collected directly from individuals, we notify them, through a clear, conspicuous, and easily accessible privacy notice or similar means, before we collect the information, of: (1) the corporate entity or entities responsible for the processing; (2) the type of data that will be collected; (3) the purposes for which it will be used; (4) to whom it will be disclosed, including any requirements to disclose Personal Data following lawful requests by government authorities; (5) how long it will be retained; (6) how individuals can ask questions, raise concerns or exercise their rights with respect to the data; and (7) the electronic link to this Policy, where possible and appropriate. When Personal Data is collected from other sources, before the data is obtained, we verify in writing that the data provider has informed individuals of the ways in which and purposes for which ESA intends to use the information. If written verification cannot be obtained from the provider, we either use only anonymous data or, before we use the Personal Data, inform the affected individuals through a privacy notice or similar means of: (1) the corporate entity or entities responsible for the processing; (2) the type of data collected; (3) the purposes for which it will be used; (4) to whom it will be disclosed, including any requirements to disclose Personal Data following lawful requests by government authorities; (5) how long it will be retained; (6) how individuals can ask questions, raise concerns or exercise their rights regarding the data; and (7) the electronic link to this Policy, where possible and appropriate. We ensure that third parties who support the activity or the processing of Personal Data do not process the data in ways that are inconsistent with what has been disclosed to the data subjects, through a privacy notice or other verifiable means, about how we and others who work for us will use the data. |
| 4. Restriction of Purpose – We only use Personal Data in accordance with the principles of Necessity and Transparency. | If new reasonable business purposes are identified for Personal Data already collected, we ensure either that the new business purpose (including a substantially similar purpose) is compatible with the purpose described in the privacy notice or other transparency mechanism previously provided to the individual, or that we obtain the individual’s consent to the new use of their Personal Data. We do not apply the above principle to anonymous data, or where we use Personal Data solely for historical and scientific research purposes and (1) an Ethics Review Board, or other competent reviewer, has determined that the risk of such use to the privacy or other rights of individuals is acceptable and (2) existing law is respected. |
| 5. Quality of Data – We keep Personal Data accurate, complete, and up-to-date, in accordance with its intended use. | We ensure that periodic data-checking mechanisms are built into the supporting technologies to validate the accuracy of the data against its source and across the information systems in which the Personal Data is held. We ensure that Sensitive Data is validated as accurate and up to date before any use, evaluation, analysis, reporting or other processing that could adversely affect the persons concerned if inaccurate or outdated data were used. When changes occur, the data is validated as accurate and up to date. |
| 6. Security – We incorporate layers of security to protect Personal Data and Sensitive Data from loss, misuse, and unauthorized access, disclosure, or destruction. | We have implemented a comprehensive information security program and apply security controls based on the sensitivity of the information and the magnitude of the risk of the activity, taking into account current technological best practice and the cost of implementation. Our operational security policies include, but are not limited to, business continuity and disaster recovery standards, identity and access management, information classification, information security incident management, network access control, physical security, and risk management. |
| 7. Transfer of Data – We are responsible for maintaining the privacy of Personal Data when it is transferred to or from other organizations or across national borders. | (1) We only transfer Personal Data, or allow it to be processed by third parties, if the following conditions are met, and we are responsible for ensuring that the third parties we work with meet them. (a) If the role of the third party is to process Personal Data for or on behalf of ESA, before the third party receives the Personal Data we: (i) complete a legal privacy due diligence to assess the privacy practices and risks associated with the third party; and (ii) obtain assurances through a written contract that the third party will process Personal Data in accordance with ESA’s instructions and with this Policy, including, without limitation, the 8 Privacy Principles and the other standards set out in this Policy and existing law; will promptly inform ESA of any Privacy Incident (including any failure to comply with the standards set out in this Policy and existing legislation) or Security Incident; will cooperate in the timely remediation of any documented Incident and address individual rights as set out in Section 2 below; and will allow our company to audit and monitor its practices during processing for compliance with these requirements. In addition, if the third party processes Personal Data originating from a country or territory with legislation that restricts the transfer of Personal Data, we ensure that the transfer to the third party meets the conditions for cross-border transfer described in Section 2 below. (b) If the third party’s role is to provide Personal Data to ESA, before we obtain the Personal Data from the third party we ensure that the Transparency requirements for the collection of Personal Data from another party are met. (c) If the third party’s role is to obtain data from our company for processing that is not specifically under our company’s control, before we deliver the data to the third party we ensure that the data has been anonymized, and we obtain written assurances from the third party that it will use the data only for the business purposes specified in the agreement and in accordance with existing legislation, and that it will not attempt to reverse the anonymization. (2) We transfer Personal Data across borders, by or on behalf of our company, in accordance with this Policy. We will apply this Policy to transfers of Personal Data from any other country or territory with laws restricting the transfer of Personal Data. |
| 8. Legally Permissible – We process Personal Data only if it meets the requirements of applicable law. | While the other 7 privacy principles, as well as the Individual Rights requirements described below, are intended to ensure that the requirements of most privacy and data protection laws applicable to our industry around the world are met, in some countries we need to meet additional requirements, including, but not limited to: where required by national law, we will obtain specific forms of consent for the processing of specific Personal Data; where required, we will further limit the retention periods for Personal Data; where required, we will enter into agreements that include specific contractual clauses, including agreements for cross-border data transfers to third parties; and where required, we will disclose Personal Data at the request of public authorities, including to meet requests related to national security or security authorities. In the event of a conflict between this Policy and existing national legislation, the text that provides more protection to individuals will prevail. |
2. We will respond in a timely manner to requests regarding individual rights to access, rectify, amend, or delete Personal Data or object to the processing of Personal Data.
- Access, Correction and Deletion – Under Greek law, individuals (data subjects) have the right to access Personal Data relating to them, and to correct, amend or delete Personal Data that is inaccurate, incomplete, or outdated. We will approve all requests by individuals (data subjects) for access to, correction of, and deletion of Personal Data. If a request for access, rectification or erasure is governed by existing legislation that provides greater protection for individuals (data subjects), we will ensure that the additional requirements of that legislation are met.
- Choice – Consistent with the privacy values of “Respect” and “Trust”, we approve individual requests to object to the processing of Personal Data, including, but not limited to, choosing not to participate in programs or activities in which individuals have previously agreed to participate, the processing of Personal Data about them for direct marketing and for communications targeted to them on the basis of Personal Data, and any evaluation or decision-making related to them.
- Except where prohibited by law, we may deny a choice request where granting it would impede the company’s ability to: (1) comply with the law or an ethical obligation, including where we are required to disclose Personal Data in response to lawful requests by public authorities for security or national security reasons; (2) investigate, defend or pursue legal claims; or (3) enter into contracts, manage relationships, or perform other permitted business activities that are consistent with the Transparency and Purpose Limitation principles and were entered into in reliance on the individuals’ data. Within fifteen business days of any decision to deny a choice request in accordance with this Policy, we will record the decision and communicate it to the applicant.
3. We will promptly respond to and manage all privacy-related inquiries, complaints, concerns and any Privacy Incident or Security Incident.
- Any individual whose Personal Data we process within the scope of this Policy may ask questions, make complaints, or raise concerns to ESA at any time, including requesting a list of all ESA subsidiaries subject to this Policy. We expect that our employees, and other individuals working on behalf of ESA, will provide timely notice if they have reason to believe that an applicable law may prevent them from complying with this Policy. Any question, complaint, or concern from an individual (data subject), or any notice from an employee or other person working on behalf of ESA, should be directed to the Data Protection Officer:
- by email: email@example.com
- by fax: 214-1001499
- by mail: Data Protection Officer ESA SECURITY SOLUTIONS, 9th km National Road of Thessaloniki – N. Moudania, Pylea
- ESA employees and partners are required to promptly inform the Data Protection Officer of any questions, complaints, or concerns about our privacy practices.
- The Data Protection Officer will review and investigate, or cooperate with the Legal Department to investigate, all inquiries, complaints or concerns related to our privacy practices, whether received directly from our employees or from other individuals or third parties, including, but not limited to, regulatory agencies, compliance officers or other governmental authorities. We will respond to the person or entity that raised the question, complaint, or concern to ESA within thirty (30) calendar days, unless a law or the requester/third party requires a response in a shorter period or unless circumstances, such as a parallel government investigation, require a longer period. In that case, the person (data subject) or requester/third party will be notified in writing as soon as the general nature of the circumstances causing the delay allows.
- The Data Protection Officer, in cooperation with the Legal Department, will cooperate with the Supervisory Authority (Data Protection Authority) in the context of any inspection, audit or investigation.
- For complaints that cannot be resolved between ESA and the complainant, ESA has agreed to participate in the following dispute resolution processes to investigate and resolve complaints about disputes relating to this Policy:
  - the courts or the data protection authority of the European Union country from which the Personal Data was transferred; or
  - the Greek courts or the Greek Personal Data Protection Authority (www.dpa.gr).
- ESA will respond to the person or entity that raised the question, complaint, or concern to ESA within thirty (30) calendar days, unless a law or the applicant/third party requires a response in a shorter period or unless circumstances require a longer period, in which case the person or third party will be notified in writing.
- Please be advised that you have the right to complain to the Data Protection Authority (DPA) about issues relating to the processing of your Personal Data or if you believe that your data protection rights have been infringed. For the competence of the Authority and how to lodge a complaint, you can visit the Authority’s website (www.dpa.gr, “My Rights – Complaint to the Authority”) or contact the Data Protection Authority (DPA), Kifissia Avenue 1-3, phone 2106475600, fax 2106475628, email firstname.lastname@example.org
- Anonymization. The alteration, truncation, removal or other limitation or transformation of Personal Data so that it can no longer be used to identify, locate or contact the individual.
- Legislation. All laws, rules, regulations and orders or opinions having the force of law in any country in which our company operates or in which Personal Data is processed by or on behalf of our company.
- Data Controller. The company ESA SECURITY SOLUTIONS SA is the Data Controller within the meaning of Article 4 of the General Data Protection Regulation.
- Personal Data. All data about an identified or identifiable individual, including data that identifies the individual or that could be used to identify, locate, track, or communicate with them. Personal Data includes both information that directly identifies an individual, such as a name, identification number, or unique job title, and information that indirectly identifies an individual, such as a date of birth, a unique mobile or portable device identifier, a phone number, and encoded data.
- Privacy Incident. A breach or violation of this Policy or of a privacy or data protection law; it includes a Security Incident. Whether a Privacy Incident has occurred, and whether it is material, will be determined by the Data Protection Officer and the Legal/Compliance Department.
- Processing. The execution of any process or sequence of processes on data related to individuals, with or without automated means, including but not limited to collection, recording, organization, storage, access, adaptation, alteration, retrieval, consultation, use, evaluation, analysis, reporting, distribution, disclosure, and dissemination, transmission, provision, alignment, combination, blocking, erasure, deletion, wiping, or destruction.
- Security Incident. Access to Personal Data by an unauthorized person, or disclosure of Personal Data to an unauthorized person, or a reasonable suspicion by our company that this has occurred. Access to Personal Data by or on behalf of our company without the intention to violate this Policy does not constitute a Security Incident, provided that the specific Personal Data was used and disclosed only as allowed by this Policy.
- Sensitive Data. Any type of data related to individuals that inherently carries a risk of potential harm to individuals, including data defined by law as sensitive, including but not limited to data related to health, heredity, race, national origin, religion, political or philosophical beliefs or convictions, criminal records, precise geographic location information, bank account numbers, state-issued identification numbers, minors, sexual life, trade union membership, security, social security, and other employment or government benefits.
- Third Party. Any legal entity, organization, or person that does not belong to our company, in which our company does not hold a controlling interest, or who does not work for our company. Unless explicitly stated by this Policy, no subsidiary or division of our company is required to meet the requirements for a third party under this Policy, as all subsidiaries and divisions of our company are required to process data related to individuals in accordance with this Policy, including cases where one subsidiary of our company supports one or more other subsidiaries of our company during processing.