Suppliers’ Personal Data Protection Policy

Data Controller

RIST HELLAS processes its suppliers’ personal data.

We care about the protection of your privacy, and especially of your Personal Data. This policy describes the ways in which we collect, process or eventually disclose the Personal Data of RIST HELLAS suppliers, your rights in this regard, as well as the ways in which you can contact us. The policy is posted on our website, www.rist.gr, and may be updated from time to time. You will be notified of all important changes, and the version in force will be posted on the website.

We assure you that all information pertaining to you is processed only for the purposes specifically stated in this policy.

 

Categories of Data Collected

We process the following categories of personal data from our suppliers (and from their employees, as the case may be): Full name, father’s name, head office address, landline phone number, mobile phone number, email address, Police ID card number, TIN, PFD, bank account numbers, tax and social security clearance statements, financial data, basic identification data of the legal entities’ representatives.

 

Purposes of Data Processing

We process your personal data for the purposes of drafting, executing, implementing and dissolving the contract between us and in general to manage our contractual relationship, as well as to ensure our Company’s compliance with its legal obligations (Income Tax Code, etc.), and also as the legal basis for the Company’s claims or to counter claims against it before any Court, Authority, etc. In particular, we process your data for the purpose of executing orders, invoicing, and quality control of products/services.

 

Legal Basis for Data Processing

The legal basis for data processing is, as the case may be: (a) The legitimate interest pursued by the Data Controller (our Company’s operation); (b) Compliance with our obligations under the law; (c) Executing (drafting, implementing, dissolving) the contract between us; (d) Your consent. 

 

Disclosure of Personal Data

The Company does not disclose your personal data to third parties; personal data are only processed by authorized company executives under strict confidentiality. By exception, your personal data may be disclosed: (a) To state authorities for the purposes of the Company’s compliance with its legal obligations; (b) To third parties who provide services to the Company, such as human resources services, attorneys/law firms (in instances of judicial or extrajudicial actions regarding the conclusion of contracts and legal claims by or against the Company), financial advisers-accountants, etc.; such persons, acting as processors on behalf of the Company, are bound by guarantees of strict compliance with current personal data legislation (domestic and European); (c) Before the Courts when exercising and defending the Company’s rights.

 

Processing Principles and Protection

Our Company, indicatively but not exhaustively:

  • processes only those personal data that are necessary for the above purposes and only for the above purposes,
  • implements appropriate technical and organizational measures to safeguard personal data (ensuring confidentiality, integrity and availability) by design and by default,
  • has adopted and implements procedures and systems to ensure the confidentiality of personal data processing, as well as the protection of data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all inappropriate forms of processing (e.g. use of access controls and data loss prevention tools),
  • has notified the data subjects (consumers and employees) pursuant to Regulation 2016/679/EU (GDPR),
  • respects the principle of personal data minimization,
  • provides for the exercise and satisfaction of data subjects’ rights,
  • has prepared documents, policies and procedures that demonstrate its compliance according to the principle of accountability (privacy policy, cookies policy, recording personal data types, categories and flow, compiling processing files, etc.), as these are stipulated in the General Data Protection Regulation,
  • has put together a team on personal data protection,
  • implements training and awareness activities for employees regarding personal data protection,
  • amends its contracts with persons processing data on its behalf pursuant to the provisions of article 28 GDPR, for the purpose of enforcing their strict compliance.

 

Data Retention Duration

We retain your personal data for the period of time required by law in each instance, during which time the Independent Authority for Public Revenue (AADE), the Single-Payer Social Security Agency (EFKA), etc. have the right to audit our Company. When the processing of your personal data is no longer necessary, your data is destroyed in a safe and appropriate way.

 

Your Rights and How to Exercise Them

You have the following rights: (a) To be informed about which personal data we collect and process, their origin, the purposes of processing, and the duration of retention (right of access); (b) To request the rectification and/or completion of your personal data, so that it may be correct and complete (right to rectification). You must produce any necessary document that demonstrates the need for rectification or completion; (c) To request the restriction of the processing of your personal data (right to restrict processing); (d) To disallow and/or object to the processing of your personal data that we retain (right to object); (e) To request the transfer of your personal data retained by us to any other controller of your choice (right to data portability); (f) To request the erasure of your personal data from our files (right to be forgotten).

In regard to the exercise of your rights as above, the following is noted:

  • The Company has the right in any case to refuse to satisfy your request for restriction of processing or erasure of your personal data or your objection to processing, if the processing or retention of the data is necessary for the Company to establish the legal basis for, to exercise, or to defend its legal rights or to fulfill its obligations.
  • Exercising your right to portability does not imply the erasure of your data from our files; said erasure is subject to the terms of the immediately preceding paragraph and the conditions of the Regulation.

(g) To file a complaint with the Personal Data Protection Agency (www.dpa.gr), if you believe that your rights are being violated in any way (right to lodge a complaint with a supervisory authority).

 

For any additional information, as well as to exercise your rights as above, please contact us in writing by post to 27 Georgikis Scholis Avenue, 57001 Thessaloniki, or by email at [email protected]. As a rule, your request will be satisfied within one month from receipt. Information, all announcements and any action included in articles 15 through 22 and 34 GDPR are provided free of charge.

RIST HELLAS shall make every effort to respond to your request(s) within thirty (30) days from when the relevant request(s) is filed. This deadline may be extended for sixty (60) additional days if deemed necessary at the Company’s absolute discretion, taking into consideration the complexity of the request and the total number of requests, and following your timely notification of this.

Please be advised that this policy may be revised from time to time. Any changes will appear here.