Privacy Policy

Ι. INTRODUCTION 

The Company “VELLUM CONSULTANTS ANONYMOUS COMPANY” (hereinafter referred to as “VELLUM”), based in Athens, 5 Akadimias Street, 10671, P.O. Box 10671, with VAT registration number 095574029, as legally represented, is in full compliance with EU Regulation 679/2016 (General Data Protection Regulation, hereinafter referred to as “GDPR”). Communication with VELLUM can be made at the following contact details: 

Address: 5 Akadimias Street, Athens, P.O. Box 10671

Tel: +30 2109416622

Fax: +30 2109416029

E-mail: [email protected] 

I.1. Object of the company’s activity

VELLUM is a company that provides IT project management consulting services and technical support for software applications.

 

I.2. The role of the company as a controller and processor

The main activity of the company is the implementation of projects on behalf of private entities. The scope of activity concerns B2B relationships, as it acts as a consultant to other companies. In the event that the company undertakes to implement a project involving the processing of personal data, VELLUM acts as a processor, in terms of the legislation on the protection of personal data, as in the processing of personal data it is subject to the instructions of the body on whose behalf it acts. Therefore, the company itself does not determine the means and purposes of the processing of personal data pursuant to Article 4 para. 8 and Article 28 of the GDPR, but, as the processor, it follows the instructions of the controller in question.

Furthermore, it has the status of controller, in the context of its administrative function, and in particular in the context of the management of its staff, its accounting, its computerisation and other activities, which accompany its operational capacity to implement the projects it undertakes pursuant to Article 4 para. 7 and Articles 24 to 27 of the GDPR. Therefore, VELLUM must, at all times, implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is carried out in accordance with the GDPR and national legislation. The aforementioned obligation of VELLUM and its compliance with it are described in this personal data processing policy document.

VELLUM, as a controller, processes mainly simple personal data (employees, suppliers, etc.), protected under the GDPR, Law 4624/2019, to the extent that it does not contradict the above Regulation, as well as the relevant decisions of the Personal Data Protection Authority of a binding nature (hereinafter “the PDPPA”).

 

I.3. Legislative framework 

For the protection of personal data, the General Data Protection Regulation applies, i.e. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC, together with Law 4624/2019 (Government Gazette A’ 137/29.8.2019) “Personal Data Protection Authority, measures implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and incorporation into the national legislation of the Member States”. 4624/2019 on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data. This policy is based on the GDPR, Law 4624/2019 to the extent that it does not contradict the provisions of the GDPR, the decisions, directives and opinions of the Data Protection Authority and the guidelines and recommendations of the European Data Protection Board.

 

I.4. Scope of this policy

This policy defines the data subjects and the categories of their personal data processed. In addition, this policy analyses the processing of personal data by VELLUM, as controller, on the basis of the principles governing such processing, in accordance with Article 5 of the GDPR. In addition, this policy refers to the legal bases under which VELLUM processes personal data for specific, explicit and legitimate purposes and includes the necessary legal documentation for the choice of these legal bases. This policy refers to the measures for the protection of natural persons against a possible breach of their personal data, but also to the obligations that VELLUM, as the processor, bears. VELLUM reserves the right to update this policy as it sees fit, and this policy shall be updated whenever any change in the above-mentioned legal framework takes place. This policy is posted on the company’s website and is available to the Data Protection Authority, together with the records of activities under Article 30 of the GDPR.

 

II. PROCESSING OF PERSONAL DATA

1. File of processing activities (Article 30 of the GDPR)

VELLUM keeps a record of the processing activities for which it is the controller. That record shall include all the following information:

  1. the name and contact details of the controller and, where applicable, the joint controller, the representative of the controller and the data protection officer,
  2. the purposes of the processing,
  3. a description of the categories of data subjects and categories of personal data,
  4. the categories of recipients to whom the personal data are to be or have been disclosed, including recipients in third countries or international organisations,
  5. where applicable, transfers of personal data to a third country or international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in Article 49 § 1(b) GDPR, the documentation of appropriate safeguards,
  6. where possible, the time limits laid down for the deletion of the various categories of data,
  7. where possible, a general description of the technical and organisational safety measures referred to in Article 32 § 1 GDPR.

In addition, VELLUM keeps a record of the processing activities for which it is the processor. This record shall include all the following information:

  1. the name and contact details of the processor or processors and the controllers on whose behalf the processor is acting and, where applicable, the representative of the controller or processor and the data protection officer,
  2. the categories of processing carried out on behalf of each controller,
  3. where applicable, transfers of personal data to a third country or international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of the appropriate guarantees,
  4. where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR.

 

2. Data subjects and categories of personal data

Α. VELLUM processes, as a controller, personal data of the following subjects, namely:

(a) its employees,

(b) prospective employees who express an interest in jobs,

(c) its suppliers and external partners in general, if they fall within the concept of data subject under the legislation,

(d) the shareholders of the company, whose details are necessary for the preparation of the minutes of the company.

The following is a summary of the categories of personal data processed by VELLUM for each of the above mentioned groups of data subjects.

FOR WORKERS

  • Status of employees (fixed-term or indefinite)
  • Employment contracts
  • Curriculum vitae
  • Identity and communication data
  • VAT number and tax office
  • Family status data
  • Health and social security data
  • Data concerning educational and employment status (previous experience and letters of recommendation)
  • Payroll and bank account IBAN
  • Position and duties of employees – specialties 
  • Log files
  • Image and video data from a video surveillance system, which is installed in the offices of the company VELLUM (there is no recording but only monitoring, a few seconds are stored in case of an alarm)

 

FOR WORKERS WHO ARE CANDIDATES

  • Job to be filled
  • Communication data 
  • Curriculum vitae and if included in the CV:
  • Identity data 
  • Family status data
  • Data concerning educational and employment status (previous experience and letters of recommendation)
  • Specialty
  • All data is deleted after recruitment.

 

FOR SUPPLIERS AND GENERAL EXTERNAL CONTRACTORS

  • Identity and communication data
  • VAT number and tax office
  • Data from their financial offer
  • Contract for work or independent services (scope of the work or services, time of delivery, amount of remuneration and other conditions)
  • Tax document
  • Bank account IBAN

 

FOR SUPPLIERS AND GENERAL CONTRACTORS

  • Identity and communication data
  • VAT number and tax office
  • Data resulting from their financial offer
  • Contract for work or independent services (scope of the work or services, time of delivery, amount of remuneration and other conditions)

 

FOR THE SHAREHOLDERS OF THE COMPANY

  • Name,
  • ID,
  • Address.

 

FOR THE VISITORS OF OUR COMPANY’S WEBSITE

See the Privacy Policy published on our company’s website 



FOR FOLLOWERS ON OUR SOCIAL NETWORKING SITES

See in this regard our PRIVACY POLICY FOR SOCIAL NETWORKS, published on our company’s website



The summarized personal data processed by VELLUM are listed in detail, by sector of activity, in the activity file available to VELLUM, as controller, pursuant to Article 30 of the General Data Protection Regulation, which is available to any interested party.

 

Β. In addition, VELLUM, as a processor, processes, on behalf of other entities for which it undertakes to carry out projects, personal data of the following subjects, namely, personal data related to the execution of the project on behalf of the company acting as controller. The way of processing is defined by the scope of the project in question and is limited exclusively to the purpose of the project, as the company, as the data processor, does not further process the data, nor does it use or exploit them for any other purpose with or without economic benefit.

The summarized personal data processed by VELLUM are listed in detail, by sector of activity, in the activity file available to VELLUM, as the processor, pursuant to Article 30 GDPR.




3Α. Processing of personal data by the company VELLUM, as controller, based on the principles of Article 5 GDPR

Article 5 § 1 (a) GDPR: personal data are processed lawfully and fairly in a transparent manner in relation to the data subjects (lawfulness, objectivity, transparency)

VELLUM, as a controller, in the context of its compliance with the principle of fair or lawful processing of personal data, must inform data subjects that it will process their data in a lawful and transparent manner and furthermore be able, at any time, to demonstrate its compliance with these principles, in accordance with the principle of accountability under Article 5 § 2, in conjunction with Articles 24 § 1 and 32 GDPR. The processing of personal data in a transparent manner is a manifestation of the principle of fair processing and is linked to the principle of accountability, giving data subjects the right to exercise control over their data, making VELLUM, as the controller, accountable. VELLUM, as controller, must identify and select the appropriate legal bases, as provided for in Article 6 § 1 and Article 9 § 2 GDPR, which is inextricably linked to the principle of fair and lawful processing, as well as to the principle of purpose limitation. In addition, VELLUM, as controller, must inform, pursuant to Articles 13 § 1 (c) and 14 § 1 (c) GDPR, the data subjects of the choice and use of the specific legal bases, as the choice of each legal basis has a legal influence on the application of the rights of the data subjects.

With regard to employees, VELLUM applies a series of laws that require the processing of personal data of the specific subjects. Thus, VELLUM is obliged to comply with articles 648 et seq. of the Civil Code, as well as all labour and social security legislation. In addition, VELLUM is also obliged to comply with tax legislation and to submit payroll data to the tax authorities. The processing of personal data of employees is also necessary for the execution of the employment contract. Consequently, VELLUM processes personal data of special categories of its employees, such as health data contained in their sick leave certificates, for the performance of an obligation of VELLUM and the exercise of employees’ rights in the field of labour and social security law. It should be noted that VELLUM also processes personal data of its employees in the context of its managerial right, on the basis of a legitimate interest. Therefore, VELLUM processes personal data of its employees in accordance with the following legal bases of the GDPR, namely:

  • Article 6 § 1 (b) GDPR, insofar as the processing is necessary for the performance of contracts to which the employees are parties.
  • Article 6 § 1 (c) in conjunction with Article 6 § 3 (b) GDPR, as long as the processing of employees’ personal data is carried out in compliance with all labour, social security and tax legislation, 
  • Article 9 § 2 (b) GDPR, insofar as the processing is necessary for the performance of the obligations of VELLUM and the exercise of specific rights of VELLUM or its employees in the field of labour law and social security and social protection law, as defined by specific laws (granting of sick leave).

Certain records or areas of the company’s activity fulfil several purposes of processing personal data, with the result that some of the above legal bases of Articles 6 and 9 of the GDPR, are applied in parallel – simultaneously. The detailed application of the above legal bases for each area of activity of VELLUM is indicated in the activity file of VELLUM, which is available to any interested party, as well as this policy.

With regard to prospective employees, VELLUM processes their personal data in order to take measures at their request for a specific job, before the conclusion of the contract. Therefore, VELLUM processes personal data of the candidate employees in accordance with the following legal basis of the GDPR, viz:

  • Article 6 § 1 (b) GDPR, if the processing is necessary to take measures at the request of the prospective employees before the conclusion of the contract.

 

With regard to suppliers and external partners in general, VELLUM processes their personal data or the data of their legal representatives, if they are legal persons, under the contracts it has concluded with them. Consequently, VELLUM processes personal data of its suppliers and external partners in general, in accordance with the following legal bases of the GDPR, namely:

  • Article 6 § 1 (b) GDPR, insofar as the processing is necessary for the performance of contracts to which suppliers and external partners in general are parties.
  • Article 6 § 1 (c) GDPR, regarding the evaluation of partners, due to the company’s obligation to comply with the GDPR. 

Finally, VELLUM has installed a video surveillance system in its premises (offices) to protect persons and property from illegal acts. Specifically, the video surveillance system is designed to protect VELLUM’s assets from unlawful acts, such as theft and damage, and to protect natural persons (citizens, employees) who are on its premises from unlawful acts, such as theft of their assets, physical injury, etc. The physical integrity of the company’s employees and visitors, as well as its property, fall within the vital interests of these persons, which require protection. Accordingly, the company processes personal data of beneficiaries and employees pursuant to Article 6 § 1 (f) GDPR in order to fulfil its legitimate interests.

It is noted that VELLUM has provided its directorates and departments with forms containing relevant information on the processing and protection of personal data, depending on the procedure to which they relate and the data subjects involved. These forms shall inform data subjects of the processing of their personal data in accordance with Article 13 of the GDPR, including a clear indication of the legal basis for the processing and the specific legal framework providing that legal basis. In addition, with regard to its employees, VELLUM has conducted a detailed briefing on the processing of their personal data, which it carries out. The same applies to the contracts that VELLUM concludes with its suppliers, if the latter fall within the concept of data subject under the GDPR.

Article 5 § 1 (b) GDPR: personal data shall be collected for specified, explicit and legitimate purposes and shall not be further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest or for scientific or historical research or statistical purposes shall not be considered incompatible with the original purposes pursuant to Article 89 § 1 (purpose limitation).

The above list and analysis of the legal bases on which the processing of personal data of the above data subjects is based also reveals the purposes of the processing of such data by VELLUM (legal purposes). Thus, VELLUM processes personal data for the following purposes, which apply on a case-by-case basis:

  • For the purpose of fulfilling rights and obligations arising from a contract to which the data subject is a party.
  • For the purpose of compliance by VELLUM with its legal obligations arising from the application of specific, case-by-case legislation.
  • For the purpose of safeguarding the vital interests of the data subjects concerning their physical integrity and property and protecting them against unlawful acts.
  • For the purpose of fulfilling obligations and exercising specific rights of VELLUM or data subjects in the field of labour law and social security and social protection law, in accordance with specific legal provisions.

 

The above objectives are defined specifically and in detail for each of the areas of activity of VELLUM in its activity file, which is available to all interested parties, as is this policy document. In addition, the information sheets drawn up by VELLUM to inform data subjects about the processing of their personal data, or the specific articles on the processing of personal data contained in contracts concluded by VELLUM, explicitly state the purposes of the processing (specified and explicit purposes).

Article 5 § 1 (c) GDPR: personal data are adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimisation).

VELLUM processes strictly and only the personal data of the data subjects mentioned above, which are necessary for the conclusion and execution of contracts or required by law.

 VELLUM does not process more data than necessary and limits the processing of personal data of the aforementioned data subjects to the strictly necessary, appropriate and relevant according to the field of activity of each data subject depending on the specific case. 

For this reason, VELLUM has recorded in detail the personal data that it processes for each specific area of its activity in its activity file. That is to say, the personal data processed are limited to what is necessary, per sector of activity of VELLUM and in accordance with the processing purposes specified for each sector of activity. 

Article 5 § 1 (d) GDPR: personal data shall be accurate and, where necessary, kept up to date; all reasonable steps shall be taken to ensure the immediate deletion or rectification of personal data which are inaccurate in relation to the purposes of processing (accuracy).

VELLUM has relevant application forms for corrections and changes to data. In addition, VELLUM, in compliance with the personal data legislation, provides data subjects with the necessary information on the rights that the data subject has in relation to the declaration and updating of his/her data in VELLUM.

Before processing non-updated data, the company will update them in order to comply with the principle of data accuracy and quality. Furthermore, it shall periodically update data which it does not process on a regular basis. 

The company proceeds to secure deletion and/or destruction of data after the expiration of the retention period, using the appropriate organizational and technical security measures that will ensure the complete deletion of data and the impossibility of re-identification of the data subjects, by adhering to a deletion/destruction protocol. Furthermore, it shall delete any file containing personal data which was temporarily created for the processing of personal data.

 

Article 5 § 1 (e) GDPR: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, provided that the personal data are processed only for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with Art.

The retention period of the personal data processed by VELLUM is determined by the provisions of the Civil Code on limitation periods, as well as by the provisions of tax and social security legislation, in conjunction with the above-mentioned Article 5 § 1 (e) GDPR, which imposes a limitation on the period of storage of personal data. Furthermore, VELLUM complies with Directive No. 1/2011 of the Personal Data Protection Authority, which concerns the processing of personal data through video surveillance systems for the protection of persons and property from unlawful acts and provides, among other things, specific time limits for the retention of images and videos, in accordance with the Policy on the retention period of personal data (PRIVACY POLICY).

The company applies its policies, as well as the technical and organizational security measures of ISO 9001 and ISO 27001 for the protection and security of personal data. 

 

Article 5 § 1 (f) GDPR: personal data shall be processed in a way that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality). 

VELLUM applies appropriate technical and organisational measures in order to ensure the appropriate level of security against risks, in accordance with article 32 of the General Data Protection Regulation. The company is ISO 9001 and 27001 certified.

In the event of a personal data breach (Article 33 GDPR), VELLUM, as controller, will notify without delay and, if possible, within 72 hours from the moment it becomes aware of the fact of the personal data breach, the supervisory authority competent under Article 55 of the GDPR, namely the Personal Data Protection Authority, unless the personal data breach is not likely to cause a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay.

3.B. OTHER OBLIGATIONS OF THE COMPANY

Α. LEGAL BASIS FOR CONSENT

VELLUM does not process personal data that requires consent. However, in the event that such processing is carried out, the following procedure shall be taken into account:

1) Prior to the processing of personal data, the need for processing under the lawful basis of consent and the conditions for its lawful receipt are recorded and legally documented.

2) Prior to the processing of personal data, the data subject must be informed in writing and give his or her consent voluntarily.

3) Consent can be given explicitly or implicitly, e.g. by providing personal data to the data controller.

4) Consent does not necessarily have to be in writing, however, in order to be evidenced, it is recommended that it be in writing or in digital form, in a manner that can be demonstrated to have been lawfully obtained.

5) It is technically and organisationally ensured that the data subject can withdraw his or her consent at any time.

6) Consent is not required in the following cases:

(a) if the data subject has generally made his or her personal data publicly accessible, e.g. information given in a newspaper or telephone directories, and has not prohibited their processing;

(b) for the performance of a contract to which the data subject is a party,

(c) in order to take action on the data subject’s request prior to the conclusion of the contract,

(d) to comply with the legal obligations of the data controller;

(e) to protect the vital interests of the data subject or another natural person,

(f) The data subject must be adequately informed of the personal data to be collected and the purposes of their processing before giving his or her consent.

7) The data subject must be informed, at least, about:

(a) the identity of the data controller;

(b) the type of personal data processed;

(c) the purpose of the processing,

(d) the legitimate interest of the DPA in the processing of personal data, where applicable,

(e) the categories of data recipients if disclosure is planned,

(f) the details of a planned cross-border transfer,

(g) the retention period of the data or the criteria used to determine it,

(h) whether automated decision-making is applied and the relevance of the processing for the data subject;

(i) instructions on the rights of the data subject;

In the event that consent is required for any processing, the company keeps a record of the consents of the data subjects that it has received, so that it can prove that it has received them, as well as a record of any withdrawals of consent, so that it is able to stop processing the data in the event that the legal basis for processing them no longer exists.

 

Β. OBLIGATION TO INFORM THE DATA SUBJECTS 

The company shall inform the data subjects of the processing of their data before the start of their collection in accordance with Articles 13 and 14 of the GDPR. The Company has a process in place to plan for the Data Update where it is required.

The GDPR requires that the natural person be given the recorded information unless the person already has it. It is therefore important to determine whether or not it is reasonable to assume that the natural person already knows all the information that would otherwise have to be given to him or her. If it is assumed that the natural person is already aware of the information that has been collected about him or her, then the logical steps that led to this conclusion should be recorded as evidence of compliance with the GDPR. Care should be taken to ensure that this applies to all the information required and all the data subjects involved. Otherwise action should be taken to address any gaps.

Where personal data are collected from the data subject

In case the data subject does not have the required information at the time his/her personal data are acquired, he/she should be provided with the following:

  1. The identity and contact details of the data controller.
  2. The contact details of the data protection officer 
  3. The purposes and lawful basis of the processing
  4. The legitimate interests pursued by the controller or a third party
  5. The recipients or categories of recipients of the personal data, if any
  6. Details of any plans to transfer the personal data to a third country or international organisation
  7. The time limit for the retention of personal data (or the criteria that determine this period)
  8. The right of the data subject to access, rectification, erasure and portability of his/her personal data.
  9. The right of the data subject to restrict or object to the processing of his/her personal data
  10. The right of the data subject to withdraw his/her consent at any time
  11. The right of the data subject to lodge a complaint with a supervisory authority
  12. Whether the collection of the personal data is a legal obligation or requirement under a contract, and whether the data subject is obliged to provide the data
  13. Whether there is automated processing, including profiling, and in such cases, the rationale and intended consequences of such processing

Where the personal data have not been collected from the data subject:

If the personal data have not been collected directly from the data subject, there are a number of additional cases (in addition to the case where the natural person already has the information) that the GDPR allows, in which no additional information needs to be provided. These are: if providing such information proves impossible or involves a disproportionate effort; if there is coverage by other applicable legislation providing appropriate measures to protect the data subject’s legitimate interests (GDPR Article 14); if the data is confidential due to a legal obligation. In such cases, the rationale that led to this consideration shall be recorded and documented as evidence of compliance with the GDPR. Care should be taken to ensure that this applies to all required information and all natural persons involved. Otherwise action should be taken to address any gaps.

If none of the above cases apply, the information must be provided to the natural person: within a reasonable time and at the latest within one month of the collection of the personal data; if the data are used for communication (e.g. email addresses), at the latest at the time of the first communication; when the personal data are disclosed to another recipient (if applicable).

The company informs the data subjects before transmitting the data to third parties.

4. Recipients of personal data processed by VELLUM, as controller

VELLUM discloses the personal data of the above mentioned subjects to public bodies, as appropriate, if required by law, in order to carry out legal procedures. The aforementioned public bodies are independent controllers, with regard to the personal data of the above-mentioned subjects. 

The company transfers data only in cases where it is strictly necessary to achieve its legitimate purposes and where the relevant legal basis for processing the data is met. In this case, it keeps a record of data transfers to third party recipients and maintains all necessary technical and organizational measures for the secure transfer of data, as well as for ensuring that the data have been received after transfer to the correct recipient. 

The following are the public bodies, which are recipients, where applicable and depending on the sector of activity, of the personal data processed by VELLUM, as controller and operate as independent controllers, with regard to the personal data communicated by VELLUM, namely:

  • Ministry of Labour and Social Affairs
  • Competent tax authority
  • Labour Inspectorate (SEPE)
  • Judicial authorities
  • Police authorities

 

VELLUM also discloses personal data, which it processes as a controller, on a case-by-case basis and depending on the sector of activity, to external partners, such as chartered accountants, insurance companies, and other suppliers.

Some of the above recipients, to whom personal data are communicated by VELLUM, as controller, have the status of processors, in accordance with Article 28 of the General Data Protection Regulation. VELLUM selects processors that are compliant with the GDPR and are bound by private agreements, in accordance with the law, by which the processors commit themselves to the lawful processing of personal data on behalf of VELLUM and to their liability towards VELLUM and the data subjects in the event of unlawful processing by them. In particular, VELLUM has the following processors:

Chartered accountants: In order to carry out the appropriate financial audits and prepare the relevant reports, in the context of their cooperation with VELLUM, the chartered accountants inevitably process some of the personal data referred to above on its behalf and at its request.

ERP (Enterprise Resource Planning system): the company uses an ERP system to manage the data it collects as part of its administrative function.

 

IT companies: Depending on the scope of the project, the company cooperates with IT companies if required for the execution of the project. 

 

Any processors used by the company must be bound by contractual clauses requiring them to process the data only for the purposes specified by the company in the contract they sign, which includes the minimum content of Article 28 of the GDPR.

 

  1. Processing of personal data by VELLUM, as processor

VELLUM processes, as processor, the personal data of the data subjects, on behalf of and at the request of the respective controllers.

The processing by VELLUM, as the processor, is governed by contracts, which bind it in relation to the data controllers and define the scope and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the data controller. Those contracts shall provide in particular that VELLUM, as the processor:

  • processes the personal data only on the basis of recorded instructions from the controllers, including with regard to the transfer of personal data to a third country or an international organisation, unless it is obliged to do so under Union law or Greek law to which VELLUM, as processor, is subject; in this case, VELLUM, as processor, shall inform the controllers of that legal requirement prior to processing, unless that law requires it to do so,
  • ensures that the persons authorised to process personal data have given a confidentiality undertaking or are subject to an appropriate regulatory obligation of confidentiality,
  • takes all necessary appropriate technical and organisational measures to ensure an appropriate level of security of personal data against risks,
  • complies with the conditions referred to above for the engagement of another processor,
  • taking into account the nature of the processing, assists controllers with appropriate technical and organisational measures, to the extent possible, in fulfilling the obligation of controllers to respond to requests to exercise the data subject’s rights under the GDPR,
  • assists controllers in ensuring compliance with their obligations under the GDPR relating to (a) taking appropriate technical and organisational measures to ensure the security of personal data; and (b) carrying out an impact assessment on the protection of personal data and the possible consultation of the Data Protection Authority (DPA), taking into account the nature of the processing and the information available to VELLUM, as the processor,
  • at the option of the controllers, deletes or returns all personal data to the controllers after the end of the provision of processing services and deletes existing copies, unless Union or Greek law requires the storage of personal data,
  • makes available to controllers all information necessary to demonstrate compliance with the obligations laid down in the GDPR for processors (Article 28 GDPR) and allows and facilitates audits, including inspections, carried out by controllers or other controllers appointed by controllers,
  • informs the data controllers of any request it receives from third parties for the disclosure of the data of the data subjects it processes,
  • transmits the data of the data subjects in cases where it is required to do so by law. Consequently, it rejects any request for disclosure of data subjects’ data that is not mandatory, and informs and consults the data controller, where it acts as data processor, or the data subject before making any data disclosure. In any case, it shall inform the data subject in advance of the request for disclosure.

VELLUM, as processor, shall immediately inform the controllers if, in its view, any of their instructions violate the GDPR, or other EU or national data protection provisions.

Where VELLUM, as the processor, engages another processor to carry out specific processing activities on behalf of the controllers, the relevant contract shall be signed in accordance with Article 28 of the GDPR, so that the processing complies with the requirements of the GDPR. 

III. RIGHTS OF DATA SUBJECTS IN RELATION TO THEIR PERSONAL DATA PROCESSED BY VELLUM AS DATA CONTROLLER

The data subjects whose personal data are processed by VELLUM, as controller, have the following rights:

  • Right of access to their personal data.
  • Right to rectification of incomplete, outdated or inaccurate personal data.
  • Right to erasure of personal data, provided that the legal period of their retention by the company has expired and their retention is not required by law.
  • Right to restrict the processing of their personal data, provided that the extent of the processing is not imposed by law.
  • Right to object to the processing of their personal data.
  • Right to lodge a complaint with the Data Protection Authority if the company processes their personal data unlawfully.

Where the company, at the request of the data subject, satisfies a right of the data subject and this affects the processing of his/her data by a third party to whom the company has transmitted the data, it shall immediately inform the third party so that the third party also complies with the data subject’s request.

The above rights are exercised free of charge. However, when a right is exercised improperly, VELLUM may request a fee, in accordance with the conditions set out in Article 12 § 5 GDPR. In any case, VELLUM shall respond to requests within one month, except in exceptional cases, where VELLUM’s response time to a request may be longer, up to two additional months, of which VELLUM shall notify the data subject in due time.

The data subjects can exercise their rights through the special forms posted on the company’s website https://vellum.gr/ or by post to the address of the company’s headquarters indicated above, or by e-mail to [email protected].

Last revision 17.06.2024