Privacy Statement
EPD Engineering Services (hereinafter the "Company") is strongly committed to privacy issues, and this privacy statement details our approach on such issues. We publish this Notice in accordance with Article 13 of the General Data Protection Regulation to inform you about the use of your personal data.
If you have any questions regarding this Notice and the way your personal data are processed, please contact us at the following email: privacy @ ep-d.gr
Security
The Company collects, maintains and processes your personal data in a manner that ensures their protection. Specifically, your personal data are processed solely by specifically authorized personnel or by suppliers of the Company that are bound towards the Company by the same obligations regarding the protection of your personal data, while all appropriate organizational and technical measures are in place for data security and for protection against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and any other form of unlawful processing.
Email Communication
The Company handles email communication with maximum security using Tutanota. For more information, read Appendix 1.
Data retention
The personal data that you submit on our website are kept only for as long as required for the purposes for which they were collected, or as required by law.
Data subject rights
This section presents your rights with respect to your personal data. These rights are subject to certain exceptions, reservations or limitations.
Please submit your requests responsibly. The Company will respond as soon as possible and in any case within one month of receipt of the request. If the examination of your request requires more time, you will be informed accordingly. To exercise your rights, please contact us at email: privacy @ ep-d.gr
The Company shall ensure that you exercise the following rights uninterruptedly:
1. Right of information/update
You have the right to request and receive clear, transparent and easily understandable information about how we process your personal data.
2. Right of access
You have the right to access your personal data free of charge, except in the following cases, where there may be a reasonable charge to cover the administrative expenses of the Company:
• Requests that are manifestly unfounded or excessive, in particular because of their repetitive character
• Additional copies of the same information
3. Right to Rectification
You have the right to request the correction of your personal data if they are inaccurate or incomplete.
4. Right to Erasure
You have the right to request the deletion or removal of your personal data when they are no longer necessary for the purposes for which they were collected, or when there is no legitimate reason to continue processing them. The right to erasure is limited where there is a specific legal obligation or other legal reason for the Company to keep your personal data.
5. Right to Restriction of Processing
In some cases, you have the right to restrict or terminate further processing of your personal data. In cases where processing has been restricted, your personal data remain stored, without being subject to further processing.
6. Right to Data Portability
You have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format, and to forward those data to another data controller.
7. Right to Object
You have the right to object at any time, for reasons related to your particular situation, to the processing of your personal data, unless the Company demonstrates compelling and legitimate grounds for such processing.
8. Rights on automated individual decision-making and profiling
The Company does not engage in automated individual decision-making, including profiling.
Withdrawal of consent
We inform you that the data subject has the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The data subject can withdraw his or her consent by email: privacy @ ep-d.gr
Right to complain
For any further information in relation to your rights, or if you wish to lodge a complaint, you can contact the Hellenic Data Protection Authority (HDPA), phone number: +30-210 6475600, site: http://www.dpa.gr/
Modifications to the present Privacy Statement
Our goal is to review and update this Privacy Statement so that it complies with the relevant legislative and regulatory requirements while providing the best possible protection of personal data. Any further update will be published on this site.
Latest Update: March 30, 2022
Definitions
Personal Data: any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as name, phone number, email, ID number, VAT registration number.
Special Categories of Personal Data (Sensitive Personal Data): personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.
Data Subject: the identified or identifiable natural person to whom the Personal Data and/or the Sensitive Personal Data refer.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller: for the purposes of the present Privacy Statement, the data controllers are the group of companies which separately or jointly define the purposes and the means of personal data processing.
Processor: means a person or legal entity, public authority, agency or other body which processes personal data on behalf of the controller.
Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Appendix 1 Technical and Organizational Measures
System administrators are hereinafter referred to as "DevOps". The following Technical and Organizational Measures have been implemented:
1. Entrance control: All systems are located in ISO 27001 certified data centers in Germany. Only DevOps are granted access to the physical systems.
2. Authentication access control: User access is secured with strong password protection according to the internal Password Policy or public key access control as well as second factor authentication (e.g. YubiKey). User access is managed by DevOps.
3. Authorization access control: Data records are secured with role based permissions. Permissions are managed by DevOps.
4. Data medium control: All hard discs containing personal data are encrypted. File permissions are allocated to DevOps users/roles as well as application users/roles to make sure no unauthorized access to files is allowed from logged in users and processes.
5. Transfer control: Transfer of personal data to other parties is being logged. Logs include the user/process that initiated the input, the type of personal data and the timestamp. The logs are kept for 6 months.
6. Input control: Input of new and updated as well as deletion of personal data is logged. Logs include the user/process that initiated the input, the type of personal data and the timestamp. The logs are kept for 6 months.
7. Transport control: Transport of personal data to and from the system is secured with strong SSL/TLS and/or end-to-end encryption.
8. Confidentiality: Personal data is stored end-to-end encrypted wherever possible.
9. Restoration control: All systems have a second network interface accessible to DevOps only. This interface allows access even if the main interface is blocked. Components of the system can be restarted in case of error conditions. A DDoS mitigation service is activated automatically if a DDoS attack makes the system inaccessible.
10. Reliability: DevOps monitor all systems and are notified if any component of the system fails, so that it can be brought up again immediately.
11. Data integrity: Automatic error correction on data media and at the database level ensures data integrity. Additionally, the integrity of end-to-end encrypted personal data is guaranteed through MACs applied during encryption and verified during decryption.
12. Instruction control: NI employees are aware of the purposes of processing and regularly complete an internal security awareness program. (Sub)processors are instructed by written contracts.
13. Availability control: NI systems are located in ISO 27001 certified data centers in Germany which guarantee the physical availability and connection of the systems. NI long-term data is stored as three replicas on different servers or in a RAID system. Backups are created prior to updating critical parts of the system.
14. Separability: Separate processing for personal data is set up as required.
15. Resilience: All systems use highly scalable components that are designed for a much higher load than is actually needed. All systems can be scaled up very quickly to continuously allow the processing of higher loads.