Privacy and processing policy of personal data of employees and candidate employees

HERACLES PACKAGING COMPANY SA collects, processes and protects the personal data of its employees and prospective employees in full compliance with existing legislation and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of fundamental rights and freedoms of natural persons with regard to their right to the protection of their personal data (General Regulation on Data Protection, hereinafter referred to as “the GDPR”).

This Employee Privacy and Processing Policy (hereinafter referred to as “the Policy”) describes how we collect, process and maintain personal information about you and your employment relationship with the Company at the CV / application stage, during the hiring, employment and termination of our employment relationship, as well as the purpose of the collection and processing of your personal data by HERACLES PACKAGING COMPANY SA, as well as to explain your rights and choices regarding this data, providing all the necessary information to you under Articles 12 and 13 of the GDPR.

This Policy applies only to personal data collected and processed in the context of an individual’s employment relationship with our company and does not apply to any other collection and processing of personal data which may be carried out by HERACLES PACKAGING COMPANY SA in the context of other relationships or collaborations with natural persons and / or in the context of other processing activities that it carries out.

The Policy applies to all current, former and future employees of HERACLES PACKAGING COMPANY SA.

The Policy also covers prospective employees in our company, who submit a CV or recruitment application to seek cooperation.

If personal data is collected concerning dependent members of our employees for legal purposes (benefits, allowances, medical care), the Policy also covers such natural persons.

HERACLES PACKAGING COMPANY SA may provide its employees with additional information notices regarding the processing and general protection of their personal data, on a case-by-case basis and depending on the purpose of the processing. These notices are supplemented in each case by this Privacy Policy.

I. Definitions

For the purposes of this Policy:

Personal data means any information relating to an identified or identifiable natural person (“data subject”), identifiable in particular by reference to an identifier such as an ID number, location data, online ID or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of the individual concerned;

Specific categories of personal data means personal data disclosing racial or ethnic origin, political views, religious or philosophical beliefs or trade union affiliation, as well as genetic data, biometric data processed for the purpose of indisputable identification of persons, data relating to health or data relating to the sexual life of a natural person or sexual orientation;

Health data means personal data relating to the physical or mental health of a natural person, including the provision of health care services, disclosing information relating to his or her state of health;

Processing means any operation or sequence of operations performed with or without the use of automated means, on personal data or on personal data sets, such as collection, registration, organization, structure, storage, adaptation or change, retrieval, search for information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction;

Controller means a natural or legal person, public authority, service or other entity which, alone or in conjunction with others, determines the purposes and manner of processing personal data; when the purposes and manner of such processing are specified by the law of the Union or the law of a Member State, the controller or the specific criteria for his appointment may be laid down by the law of the Union or the law of a Member State;

“Processor” means a natural or legal person, public authority, department or other body which processes personal data on behalf of the controller;

“Consent” of the data subject means any indication of will, free, specific, express and fully aware, by which the data subject expresses his or her consent, by declaration or clear positive action, to the processing of personal data concerning him or her;

 Breach of personal data means breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data transmitted, stored or otherwise processed;

Employee means the employee of HERACLES PACKAGING COMPANY SA with any employment relationship (regardless of whether it is part-time or full-time) or a project or service contract regardless of the validity of the contract, job applicants and former employees.

II. Controller

“HERACLES PACKAGING COMPANY SA”, based in Glyfada, Attica, 85 Vouliagmenis Ave., P.C. 16674 (contact phone: 210-9690310, fax: 210-9607376, e-mail: sysk1@herpack.com.gr).

III. Collection and processing of the employee’s personal data

The personal data of the employees that can be processed by HERACLES PACKAGING COMPANY SA are in principle the usual personal data that may be provided by the prospective employees in the company when they apply for employment, including the information which at his discretion the respective candidate indicates in his CV. In addition, the personal data to be processed includes those that our company collects directly from its employees during the recruitment and / or during and for the needs of the employment relationship.

In this context, special categories of personal data, in particular health data may be provided to HERACLES PACKAGING COMPANY SA.

Particularly:

A. The personal data collected from the data subject himself, i.e. the respective prospective employee, before his recruitment and during his application for recruitment by our company, may be: Name, date of birth, marital status, previous service, studies, contact telephone or other contact details, as well as any other information that the subject himself mentions in his Curriculum Vitae.

B. The personal data collected from the employee during the recruitment process, for its completion but also during the employment relationship, in addition to the above, may be:

Identification data: Name, surname of mother and father, Date of birth, Place of birth, Identity Card Number (ID) and copy of Identity Card, VAT number, Tax Office, copy of tax return
Contact Data: Home address, Contact telephone or other contact details
Payment Data, Financial Data and Payroll: Bank, Bank account number and IBAN, salaries paid, any bonuses or advanced payments or voluntary provisions
Marital Status Data: married / unmarried, presence or absence of children, date of birth, any protected members
Social Security Data: date of first registration with an insurance company and copies of public documents proving the above data
Vocational training data: Studies, previous service, copies of diplomas and letters of recommendation
Data of specific categories of Article 9 of the GDPR (i.e. which reveal racial or ethnic origin, political views, religious or philosophical beliefs or membership in a trade union, as well as processing of genetic data, biometric data for the purpose of indisputable identification of persons, data relating to health or data relating to the sexual life of a natural person or sexual orientation) *: Citizenship, gender, health data
* Processed only if required by the relevant legislation.

IV. Processing purpose

The collection and processing of personal data of employees by HERACLES PACKAGING COMPANY SA is done in accordance with existing legislation, in full compliance with GDPR and with full respect for the principles governing processing by law, in order to ensure security and confidentiality.

Our company collects and processes personal data of employees, as detailed in the above, which are intended to serve specific purposes, always in the context of the employment relationship, before, during and possibly after its expiration.

In particular, the purpose of collecting the above personal data is:

A) the recruitment of staff of HERACLES PACKAGING COMPANY SA, i.e. the evaluation of candidates by reviewing their qualifications for the examination of their suitability in relation to the position for which their CV is submitted or the relevant recruitment application;

B) the creation of a database of potential future employees. In other words, employees’ CVs or recruitment applications are collected in order to maintain their data in the database of HERACLES PACKAGING COMPANY SA for the examination of their qualifications and the reference to them in case of need for recruitment of employees in the future;

C) the employment contract and the monitoring of the employment relationship of the employees, i.e. the engagement with their promotion, their employment status, evaluation, payroll and compliance with the obligations of the law.

V. Lawfulness of processing

HERACLES PACKAGING COMPANY SA collects and processes personal data of its employees and prospective employees, to the extent that this processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, in accordance with article 6 par. 1 point b of the GDPR.

In addition, we collect and process personal data, as controllers, in case it is necessary to comply with a legal obligation according to article 6 par. 1 item c of the GDPR, such as e.g. compliance with obligations arising for the employer from the Labor Legislation and the Law of Social Security and Social Protection.

Where appropriate, it is possible that the data subject has consented to the processing of his personal data for one or more specific purposes, in accordance with article 6 par. 1 item a of the GDPR, such as e.g. for the inclusion of his CV in a database of HERACLES PACKAGING COMPANY SA for future reference.

Furthermore, in some cases, the processing of personal data is necessary for the purposes of the legitimate interests pursued by HERACLES PACKAGING COMPANY SA as a controller, according to article 6 par. 1 item f of the GDPR, e.g. the security of our staff and facilities, the defense of the interests and legal assets of our company, the establishment, support or exercise of legal claims of our company and the exercise of its rights under the framework of labor and insurance law.

HERACLES PACKAGING COMPANY SA collects and processes special categories of personal data, especially data related to the health of employees: 

a) when the processing is necessary for the execution of the obligations and the exercise of its specific rights as a controller or the individual employee as a data subject, in the field of labor law and social security and social protection law, according to article 9 par. 2 part b of the GDPR.

b) when the processing is necessary for the purposes of preventive or occupational medicine (e.g. Law 3850/2010), for the assessment of the working capacity of the employee, medical diagnosis, in accordance with article 9 par. 2 part h of the GDPR.

c) in any other case when it is allowed in accordance with the relevant legislation.

VI. Receipt and transmission of personal data

The personal data of employees and prospective employees of HERACLES PACKAGING COMPANY SA are processed by the staff of the Human Resources Department and the staff of the Accounting Department of our company, the heads of each Department of the company to which the employees belong, and the members of the Management of the company.

In addition, recipients of personal data are the public services and authorities to which they are notified according to the provisions of the current legislation and in accordance with the respective obligations of HERACLES PACKAGING COMPANY SA as an employer.

HERACLES PACKAGING COMPANY SA may be obliged to disclose to third parties, such as government and judicial authorities, certain personal data of its employees, always in accordance with existing legislation, as well as for the establishment, support or exercise of legal claims against an employee and the protection of its rights arising from the employment relationship.

Furthermore, HERACLES PACKAGING COMPANY SA may on a case by case basis disclose personal data of its employees to cooperating third parties, such as e.g. personnel management software providers, Equipment & Facilities Management software providers – CMMS.

In any case, HERACLES PACKAGING COMPANY SA ensures that there are adequate guarantees for the secure processing of this data by third parties. Contracting partners acting as controllers for the Employer will be subject to contractual obligations, which will be established to ensure that the Employee’s data is processed in accordance with the Employer’s instructions only and that they use adequate measures to protect the confidentiality and security of the data.

Some recipients of Employee data may be located in countries outside the Union where the same level of protection of personal data is not guaranteed. In the context of these transfers, we implement appropriate mechanisms for the protection of the Employee’s personal data, including agreements on personal data based on standard contractual clauses approved by the European Commission.

HERACLES PACKAGING COMPANY SA in no case trades and, as a rule, does not transfer personal data of its employees to countries outside the Union or to international organizations, and undertakes an obligation to fully inform the data subject in advance in case it intends to do so. In the event of a merger and / or acquisition of the company, the personal data of the employees may be disclosed to the respective third parties, upon clear information for this purpose.

VII. Personal data protection measures

HERACLES PACKAGING COMPANY SA maintains the appropriate technical and organizational measures to ensure the confidentiality and integrity of your personal data and to protect them from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to them and to prevent any other unlawful processing.

For this purpose, our company, among other things, stores any documents that state the personal data of employees in locked cabinets and / or has defined specific and secure data storage environments with encryption software, to which access is restricted to the absolutely necessary persons and is controlled using passwords.

The integrity of the data and the limited access to them exclusively by the authorized and competent persons of the company act as a guide for each individual processing activity, to which the personal data are submitted. HERACLES PACKAGING COMPANY SA has implemented specific policies for the protection of personal data, which we manage as a Controller, including the data of our employees, and has established procedures for dealing with any incidents of personal data breaches.

HERACLES PACKAGING COMPANY SA takes care of the continuous training of the personnel responsible for the processing of data, which acts only after explicit authorization for this purpose and always in accordance with the instructions of the company.

VIII. Personal data breach

The Company takes all appropriate technical or organizational measures to deal with incidents of personal data breach, in order to prevent incidents of harm to individuals, such as loss of control over their Personal Data or restriction of their rights, discrimination, misuse or interception of identity, financial loss, unlawful removal of the pseudonym, damage to reputation, loss of confidentiality of Personal Data protected by professional secrecy or other significant economic or social disadvantage for the individual concerned.

Notification to the supervisory authority

As soon as HERACLES PACKAGING COMPANY SA becomes aware that a personal data breach has occurred, we notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless we are able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.

Communication to the Data Subject

HERACLES PACKAGING COMPANY SA should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.
 

The communication to the data subject shall not be required if any of the following conditions are met:

(a) HERACLES PACKAGING COMPANY SA has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;

(b) HERACLES PACKAGING COMPANY SA has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner. 

IX. Place of keeping personal data

The personal data are kept (a) in physical form in special folders stored securely in cabinets and (b) on servers of HERACLES PACKAGING COMPANY SA. The place of keeping in both cases is the headquarters (85 Vouliagmenis Ave., Glyfada) and / or the premises of the Company’s factory (2nd km Giannitsa-Axos).

X. Time of keeping personal data

HERACLES PACKAGING COMPANY SA maintains and processes personal data, according to the GDPR, for as long as and to the extent required for the performance of the employment contract and in accordance with applicable law. Upon termination of the employment contract in any way, HERACLES PACKAGING COMPANY SA will retain the personal data of the employee only for as long as required by the applicable labor, insurance and tax legislation and until the end of any pending legal actions between the parties.

Upon expiration of the retention period, your personal data are deleted from the files and information systems of HERACLES PACKAGING COMPANY SA or are anonymized.

HERACLES PACKAGING COMPANY SA retains the personal data of the candidate employee for the period necessary to fulfill the purposes of processing and in any case for a period not exceeding one (1) year from the receipt of the application or CV. In case of rejection or non-selection of a candidate, the personal data of the candidate employee are automatically deleted within six (6) months from the end of the selection process, unless otherwise provided by law.

If the candidate has clearly and freely consented to this, the data are stored for three (3) years from their receipt by HERACLES PACKAGING COMPANY SA (e.g. to re-evaluate his application when a job opens).

At the end of the retention period, your personal data are deleted from our company’s files and information systems.

XI. Employees’ rights

A) Right to information: You have the right to know what personal data we collect about you, so that you first understand how and why we collect and process your personal data.

B) Right of access to the data concerning you and, if they are processed by HERACLES PACKAGING COMPANY SA as Controller, to information on the purposes and the legal basis of the processing, the categories of data and the recipients or the categories of these recipients (according to Article 15 of the General Data Protection Regulation).

C) Right to rectification of inaccurate personal data as well as the right to have incomplete personal data completed (according to article 16 of the General Data Protection Regulation).

D) Right to erasure (right to be forgotten) of personal data concerning you without undue delay (according to article 17 of the General Data Protection Regulation).

E) Right to restriction of processing of your personal data if the accuracy of the personal data is contested, the processing is unlawful, or we as controller no longer need the personal data and provided that there is no legal reason for their retention (according to Article 18 of the General Data Protection Regulation).

F) Right to data portability: you have the right to receive your personal data, which you have provided to HERACLES PACKAGING COMPANY SA as controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in HERACLES PACKAGING COMPANY SA (according to article 20 of the General Data Protection Regulation).

G) Right to object on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6 par.1 of GDPR, including profiling based on those provisions (in accordance with Articles 21-22 of the General Data Protection Regulation).

H) Right to withdraw your consent at any time in case processing has as its legal basis your consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 

I) Right to lodge a complaint with a supervisory authority. Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent supervisory authority (Personal Data Protection Authority) in case you consider that the processing of personal data relating to you infringes the GDPR (in accordance with Article 77 of the General Data Protection Regulation). For more information you can visit the website www.dpa.gr. Postal Address: 1-3 Kifissias Avenue, PC 115 23, Athens; Call Center: +30 210 6475600; Fax: +30 210 6475628; E-mail: contact@dpa.gr or complaints@dpa.gr

The exercise of the above rights is done exclusively in writing by submitting a relevant application to the postal or electronic contact address of our company.

Our company responds without delay and in any case within one (1) month from the receipt of your request.

After informing you, we may extend this deadline by two (2) months, if required, taking into account the complexity of the request and the number of requests.

Refusal of HERACLES PACKAGING COMPANY SA or unjustified delay in satisfying your requests in the exercise of your rights, as well as any general violation of the relevant framework regarding the collection, storage, processing and protection of your personal data, gives you the right to appeal to the Personal Data Protection Authority, as the competent supervisory authority for the implementation of the GDPR.

Where requests from you are manifestly unfounded or excessive, in particular because of their repetitive character, HERACLES PACKAGING COMPANY SA may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request.

XII. Contact info

The subjects of personal data who are mentioned in this Policy can contact our company with any questions or comments regarding the Policy, to exercise any of the above rights, to submit a relevant request or to request access to and / or rectification of their personal information.

HERACLES PACKAGING COMPANY SA 

85 Vouliagmenis Avenue, 16674, Glyfada, Attica, Greece.
Phone: +30 210 9690310
Email: sysk1@herpack.com.gr
Website: www.herpack.com.gr

XIII. Amendment and update to this policy

HERACLES PACKAGING COMPANY SA reserves the right to modify and / or update this Policy at any time, whenever deemed necessary. In case of an update and / or substantial changes to this Policy, the interested parties will be notified in the way that our company deems most appropriate and effective, always with a view to ensuring thorough and clear prior information of employees and / or obtaining consent where required, and the “update date” hereof will be modified accordingly.