Data Security & Privacy Policy
KLEOPAS Business Consultants SA (hereinafter referred to as “KLEOPAS” or “we” or “us”) places great importance on data protection.
The current Policy:
- describes how KLEOPAS, as the processor under the interpretation of the General Data Protection Regulation EU 2016/679 (hereafter referred to as “the Regulation”) collects and processes personal data and other user information;
- describes the security objectives and the corresponding procedures to be followed in order to achieve these objectives;
- describes the basic principles of personal data protection and security applied by KLEOPAS;
- defines KLEOPAS approach regarding the security of information systems and networks and the protection of personal data it holds as a controller.
The policies listed in the current Policy are binding for all KLEOPAS personnel who handle personal data in any way.
1. Categories of personal data and processing purposes
1.1 KLEOPAS, in the context of and in order to carry out its legitimate business activity consisting in the provision of tax and accounting services to its customers, processes personal data provided by its customers as follows:
- Collects and processes data that may contain personal data (“Personal Data” or “PD”) for the updating of the accounting records of all kinds in accordance with Greek Tax Provisions.
- Collects and processes Personal Data to fill in tax returns (and all specified forms on a case-by-case basis), for all taxes as determined each time (e.g. taxes on income, inheritance, etc.) of natural persons according to Greek Tax Provisions.
- Collects and processes Personal Data to calculate the payroll for its customers in accordance with Greek Labour Law.
- Processes Personal Data for the purpose of submitting electronic records / statements to the competent government departments.
1.2 Also, KLEOPAS processes Personal Data for the following reasons:
(a) For the purposes of managing its personnel. In this context, the Personal Data of KLEOPAS employees will be processed for all the legitimate reasons concerning their work, as defined in their labour agreement and the applicable labour legislation etc., including, but not limited to, the purpose of calculating remuneration, benefits, annual leave, severance pay and so on.
(b) For promotional and advertising purposes. In this context, KLEOPAS customers’ Personal Data will be processed to promote KLEOPAS existing and future activities, the provision of new services, the communication of promotional activities and so on.
(c) The processing of Personal Data may also take place for any other legitimate reason, especially if requested by a competent supervisory authority.
1.3 Processing of special categories of personal data
In principle, KLEOPAS does not process special categories of personal data as defined in Article 9 of the Regulation. By way of exception, KLEOPAS will process the above data only if this is strictly necessary, the subjects of the personal data have given their explicit consent, and KLEOPAS has received the required permission from the competent supervisory authority as provided for in Article 9 of the Regulation.
2. Description of processing procedure
2.1 The processing procedure is analysed in the following stages:
(a) Collection of the data described in section 1 above, i.e. (i) data for their accounting recording (registration) in the legally kept accounting books and data following a relevant meeting with the customer and selection of what data is required; (ii) payroll data following a meeting with the customer and reporting on what data is required; (iii) data to fill in forms relating to the personal taxes of natural persons (indicatively taxes on income, inheritances, etc.), following a meeting with the customer and reporting on what data is required.
(b) Entry of the following data (all or some) in a software file appropriate for that purpose: surname, first name, father's and mother’s names, date of birth, identity card number, VAT registration no. and tax office, address of residence, family status, number of children, Social Insurance Institute (IKA) number and Social Insurance Registration Number (AMKA), date of recruitment, gross monthly salary, contract of employment, recruitment specialization and any years of service, bank account number and bank holding the natural person’s account, either for payroll or other.
(c) Importing the data to the accounting, commercial or payroll software and processing thereof at regular intervals to update the accounting records, payroll calculations and other work required by state regulations to meet KLEOPAS customers’ obligations.
2.2 The processing falls within the framework of KLEOPAS service agreement with the customer.
Corresponding processing procedures (as mentioned in paragraph 2.1 (a), (b) and (c) as well as anywhere else in this text) also apply to KLEOPAS itself with regard to the data of its employees, suppliers and generally of the entities cooperating with it in the course of its professional activity, as appropriate in each category.
2.3 The server with the related operating systems or software operates:
(a) either in a cloud environment where PD are kept in a safe place, the persons who have access to them are registered, and access is secured (by codes) so that unauthorized persons have no access to them;
(b) or in a safe area which is not accessible to third parties, has a separate entrance from the other offices and has an electronic code lock, which ensures that unauthorized persons cannot gain access to it.
The persons authorized with access have signed a relevant obligation to process PD in accordance with the Law and there are General Terms and Conditions for processing the PD that are disclosed by KLEOPAS to all employees.
3. Who has access?
Access is available only to authorized users of the accounting and payroll software in accordance with instructions given by KLEOPAS and the relevant labour and privacy contracts signed by them, including customers and executives who have applied for and have received permission by KLEOPAS to access the accounting and payroll software, solely concerning files that relate to them. Access may also be available to third parties, as defined in Section 7 below.
4. What kind of processing can they do to the data and for what purposes?
Customer data may be processed only to make accounting entries, calculate monthly payroll, complete tax returns for all taxes, and export financial data in various forms according to the needs of the customer company / business.
Also, authorized users under Section 3 have the right to create electronic files and file them with the relevant tax, insurance, labour and other authorities in accordance with Greek Legislation.
5. Recording, who processes and when?
All actions by users processing PD in the specific accounting software, tax returns and payroll software are logged according to the parameters of the software used. That is, the log records which user performed a specific action, when and where (workstation).
6. Ability to link to other files
It is strictly forbidden to mix files with the personal files of each respective user and to reproduce them on the user's workstation (PC). For this reason, a special file for processing accounting, payroll and tax files has been created, which is common to all users, allowing access solely to the users of the respective software of specific customers. Access is only possible by connecting to the KLEOPAS secure network. The above are also mentioned in the KLEOPAS labour agreements signed with its employees, as well as in the integration training for the employees and in the various training sessions that take place at regular intervals.
7. Third Parties – international transfers of PD
- Forwarding to service providers
KLEOPAS may employ external service providers who act as data processors for KLEOPAS to provide certain services to KLEOPAS, such as site service providers, marketing service providers, or IT support service providers. When providing these services, the external service providers may access and / or process personal data.
KLEOPAS requires these external service providers to implement and use security safeguards to ensure the confidentiality and security of the personal data received from KLEOPAS.
- Other recipients
KLEOPAS may forward – in compliance with the applicable data protection law – personal data to law enforcement authorities, state authorities, legal counsellors, external consultants or business partners. In the case of a corporate merger or takeover, personal data may be transferred to third parties involved in the merger or takeover.
- International Transfers of Personal Data
The Personal Data collected or received by KLEOPAS for its customers may be forwarded to and processed by recipients within or outside the European Economic Area (EEA). Countries included are those listed at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm, which provide an adequate level of data protection in line with the European data protection legislation. Recipients in the US are certified under the EU – USA Privacy Shield agreement and are therefore recognized as providing an adequate level of data protection in line with the European data protection legislation. Other recipients may be located in other countries that do not offer an adequate level of data protection in line with the European data protection legislation. In this case, prior to forwarding any data, KLEOPAS will have obtained the consent of the Data Protection Authority for these countries as well as the explicit consent of its relevant customer for transfers to recipients in each one of these countries separately, by checking the relevant fields in the applicable document used by KLEOPAS, “Consent to Transmission and Processing in Other Countries”, where these countries are identified. KLEOPAS will take all necessary steps to ensure that data transfers outside the EEA are adequately protected as required by the applicable data protection legislation. Regarding transfers to countries that do not provide an adequate level of data protection, KLEOPAS makes the transfer of data subject to the provision of appropriate safeguards. Every customer of KLEOPAS may request a copy of the appropriate safeguards by contacting KLEOPAS as described in Section 12 (Contact) below.
8. Principles governing the processing of personal data
KLEOPAS commits that the Personal Data processed will:
(a) undergo fair and lawful processing in a transparent manner in relation to the subject of data;
(b) be collected for specified, explicit and legitimate purposes and will not be further processed in a manner incompatible with those purposes;
(c) be appropriate, relevant and limited to what is necessary for the purposes for which they are being processed;
(d) be accurate and, where necessary, updated – KLEOPAS will ensure that all reasonable steps are taken to immediately delete or correct personal data which are inaccurate in relation to the purposes of the processing;
(e) be retained in a form which permits identification of subjects of data only for the time required for the processing of personal data;
(f) be processed in such a way as to guarantee the appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or deterioration, using appropriate technical or organizational measures.
KLEOPAS will ensure that the subjects of personal data are informed of the duration of the processing, which will not exceed the time required for the purpose of the processing.
All subjects of personal data will receive clear instructions on how to exercise their rights under the law as set out in Section 10 below.
9. Legal basis for processing
KLEOPAS processes the personal data provided by its customers in the context of executing its contractual obligations towards the customers, as specified in the relevant contract. KLEOPAS may also proceed to processing for other (one or more) specific purposes, provided the customer has consented to the processing of the data explicitly, as well as for the other reasons stated in the Law.
KLEOPAS may process sensitive personal data provided by its customer only if the latter has explicitly consented to the processing of sensitive personal data for one or more specific purposes and as otherwise permitted by the Law. This includes indicatively: where processing is necessary to carry out the obligations and exercise certain rights of KLEOPAS or the rights of the customer as subject of the data, in the field of labour law, of the social security and social protection law.
KLEOPAS may also process personal data that has been clearly disclosed by the customer as the subject of data.
Finally, KLEOPAS may process personal data when processing is necessary for the foundation, exercise or support of its legal claims.
Respectively, the above apply to the processing of personal data of KLEOPAS employees.
10. What rights does the subject of personal data have and how can these be exercised?
KLEOPAS will inform the subjects of the personal data it processes about their rights under the Law.
In particular, under the applicable data protection law, the relevant subject of data has the right to (i) request access to their personal data, (ii) request the rectification of personal data, (iii) request the deletion of personal data, (iv) request the limitation of the processing of personal data, (v) request data portability, (vi) oppose the processing of personal data (including objection to the preparation of a profile), and (vii) object to automated decisions (including objection to the compilation of a profile).
In order to exercise his / her rights, each subject of data is invited to contact KLEOPAS as mentioned in Section 12 (Contact) below.
In the case of complaints, each subject of data also has the right to file a complaint with the competent data protection supervisory authority.
11. Duration of retention of PD
PD are retained for the time that KLEOPAS has a (contractual) obligation with the customer for the provision of services, where the maximum period is the limitation period specified by the relevant tax, insurance or other provisions, unless the customer requests otherwise in writing. After the expiry of this obligation, the data must be removed from the core system of KLEOPAS and / or transferred back to the customer. When a company (customer) or a company employee (customer) is deleted, the system creates a special record at the time of the deletion, serving as proof of this action, including the details of the user who performed it and the time.
12. Contact
For any concerns or questions about this Data Security & Privacy Policy, any interested person is invited to contact KLEOPAS as follows:
350 Sygrou Avenue, PC 176 74, Kallithea – Athens, gratsia@alliott.gr, 2109579050
The contact details of KLEOPAS Data Protection Officer are as follows:
Maria Gratsia, daughter of Stylianos, 350 Sygrou Avenue, PC 176 74, Kallithea – Athens, gratsia@alliott.gr, 2109579050