1. Purposes, Range
Speak Out strives to comply with the laws and legislations regarding General Data Protection Regulation (GDPR) in its field. This Policy sets the basic principles under which Speak Out processes the personal data of its customers, employees, suppliers, partners, and other persons. This Policy is applied by Speak Out, as well as its direct and indirect subsidiaries based in Greece. All employees, both with open-ended and temporary contracts, as well as all the contractors working for Speak Out are bound by this Policy.
2. Basic definitions
The following are the basic definitions for the terms that are used in this document, as cited by Article 4 of the General Data Protection Regulation, in order for the subject of the data to familiarize itself with the terminology of the Regulation:
Personal Data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one whose identity can be verified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data, special categories: Personal data which are inherently sensitive in relation to foundational rights and liberties, require special protection since their processing framework could create severe dangers for said foundational rights and liberties. Such Personal Data, include personal information revealing their racial or national orientation, political views, religious or philosophical convictions or their participation in trade unions, as well as the processing of genetic data, biometric data in order to provide undeniable proof of identity, data concerning health issues or data concerning the sexual life of the natural person or its sexual identity.
Controller: the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, with or without the use of automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Authority: Hellenic Data Protection Authority.
3. Basic principles concerning the Processing of Personal Data
Speak Out as the controller strictly adheres to the principles, defined by Article 5 of General Data Protection Regulation.
3.1 Lawfulness, Fairness and Transparency
Speak Out processes the data lawfully, fairly and in a transparent manner in relation to the data subjects.
3.2 Purpose Limitation
Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3.3 Data Minimization
Speak Out ensures that personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
All personal data processed by Speak Out shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
3.5 Storage Limitation
Personal Data shall be kept for no longer than is necessary for the purposes for which the personal data are processed by Speak Out.
3.6 Integrity and Confidentiality
By taking into consideration the technological level and other available security measures, the cost of application as well as the possibility and severity of threats for Personal Data, Speak Out uses appropriate technical and organizational measures to process Personal Data, in a manner that ensures appropriate security of the Personal Data, as well as protection against accidental loss, destruction or damage and against unauthorized or unlawful processing.
Speak Out bears the responsibility and is capable of proving its compliance to the General Data Protection Regulation to the Hellenic Data Protection Authority.
4. Privacy Notification, Consent and Data Subject Rights
4.1 Notification to the Data Subject
Before or during the collection of Personal Data, for any processing action undertaken by Speak Out, including, but not limited to, sales of products, marketing services or activities, Speak Out bears the responsibility to provide the necessary information to the Data Subject and more specifically, the type of the Personal Data being collected, the purpose of the processing, the means of processing,
the rights of the Data Subject concerning their Personal Data, the period for which the Personal Data will be stored, potential international transfer of the Personal Data, potential sharing of the Personal Data with a collaborating third party, as well as the safety measure applied by Speak Out to ensure the protection of the Personal Data. This information is provided via Privacy Notification.
4.2 Consent – Right to Revoke
When the collection of Personal Data is legally based on the consent of the Data Subject, Speak Out is responsible to ensure that the Data Subjects offer their consent willingly, positively, explicitly and after fully comprehending the content of the document they consent to. Speak Out provides the Data Subjects with the right to revoke their consent whenever they want. In case of collecting Personal Data of children under the age of 16, Speak Out ensures that parental consent has been given before the collection begins. The processing of Personal Dara must occur only for the purpose they were initially collected. In case Speak Out wishes to process the Personal Data collected for a different purpose, it must procure the consent of the Data Subjects with and explicit and specific written manner. Any such application form must include the initial purpose for collecting the data, as well as the new or additional purpose(s).
Speak Out strives to ensure that it collects the bare minimum amount of Personal Data. If the Personal Data are collected by a third party, Speak Out ensures that all data are collected through legal means.
4.4 Speak Out and Third Parties
In case Speak Out uses a third-party supplier or trade partner, to whom it assigns the processing of the Personal Data on its account, ensures that the processor will provide the appropriate safety and protection measures, to counter all potential relative dangers. Speak Out strives to ensure that the suppliers or trade partners process the Personal Data solely for their conventional responsibilities towards Speak Out, always in accordance with its guidelines and for no other purpose.
4.5 Right of Access by the Data Subject
Speak Out as the Controller, is responsible for providing the Data Subjects with an access mechanism to the Personal Data, which will allow them to review, correct, delete, or transfer them.
4.6 Right to Data Portability
The Data Subject shall have the right to receive a copy of the personal data concerning them, which they have provided to Speak Out, in a structured format and have the right to transmit those data to another controller. Speak Out is responsible to ensure that such applications are processed within a month, under the condition that the request is not obviously unfounded. In exercising their right to data portability the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
4.7 Right to Erasure (Right to be Forgotten)
By submitting a formal request, Data Subjects have the right to petition Speak Out for the erasure of their Personal Data. Speak Out will take the appropriate actions (including technical ones) to satisfy
the request and ensure the same from potential third parties that are using or processing Personal Data on its account.
4.8 Right to Object
The Data Subject has the right to object the processing of their Personal Data at any time, including profiling.
4.9 Right to Restriction of Processing
By submitting a formal request, Data Subjects have the right to request the restriction of their data processing from Speak Out, according to article 18 § 1 a-d of the General Data Protection Regulation (EU) 2016/679.
4.10 Exercising all the Rights of the Data Subject and Revoking of Consent
The exercising of all the rights of the Data Subject, as well as revoking of consent, occurs through a written request addressed to Speak Out. The Data Subject may also proceed to revoking of consent, without diminishing the lawfulness of the processing before the revoke of consent. By sending a written request or email in the address: firstname.lastname@example.org
Controller of the Personal Data of the Data subject is Speak Out, based in Hydra’s Harbor Hydra island 18040, Greece.
Also, Data Subjects can address the Hellenic Data Protection Authority via the following means:
5. Responding to Personal Data Breach Incidents
When Speak Out is notified for a potential or occurring Personal Data Breach, they will immediately conduct an internal investigation and, in a timely manner, apply the appropriate actions to restore any damage according to the Personal Data Breach Policy. When the rights and liberties of the Data Subjects are in imminent danger, Speak Out has to announce the security breach to the Authority immediately and under any circumstances, within 72 hours.
If you have any further questions or need any clarification concerning the processing of your Personal Data by Speak Out, you can contact us and Speak Out will be happy to assist you.