PRIVACY AND PERSONAL DATA POLICY FOR COMPUTER TEAM


1. Information on the Processing of Personal Data
For us at Computer Team, protecting the personal data of our customers and partners is of paramount importance.
To this end, we take the appropriate technical and organizational measures to protect the personal data we process
and to ensure that their processing is always carried out in accordance with the obligations set by the law, both by
the company itself and by third parties who process personal data on our behalf.
This Privacy and Personal Data Protection Policy applies to the services we provide to our customers, to the
communication towards any interested party and to the website www.cteam.gr and its online services.


2. What is the GDPR?
The General Data Protection Regulation (GDPR) 2016/679 (EU) is the new regulatory framework of the European
Union (EU). The purpose of this law is to establish the conditions for the processing of personal data, the protection
of the rights and freedoms of natural persons and in particular the right to the protection of personal data.
Personal data, as defined in Article 4 of the GDPR, is the information that can be used to identify you and to
communicate and make transactions with you, and in particular your name, your postal address, your e-mail
address, your phone number, and other information when it is combined with your personal information.


3. Definitions
a. Personal data: The information that concerns a living natural person and identifies him directly or indirectly, such
as the name, the VAT number, the contact details (addresses, telephone numbers), the personal identification card
number, the geographical position data, the online identification, physical characteristics, age, etc. Information
concerning legal entities is not “personal data” and is not protected by the relevant legislation. A subset of personal
data is the so-called special categories of personal data (or sensitive data), which relate to the private personal
sphere of the individual (e.g. religious beliefs, political views, membership in trade unions, health, racial origin, sex
life, administrative or criminal prosecutions and convictions). The natural persons to whom the personal data relate
are called “data subjects”.
b. Processing: The collection and use of personal data by any means, such as storage, transmission to third parties,
deletion, etc.
c. Controller: The natural or legal person who determines the purposes and manner of processing, either alone or in
conjunction with others (“joint processors”).
d. Processor: The natural or legal person who processes personal data on behalf of the controller.
e. Consent: A clear, free, specific and fully aware explicit statement or other positive action of the data subject, with
which they directly agree to the processing of their personal data and its existence should always be able to be
proved and provided by the controller.


4. The Computer Team as the controller
Computer Team, as the controller, with the name “Computer Team SA”, based in Thessaloniki, Kathigitou Rossidou
19, 54655 with VAT number 094297699, for the purposes of conducting its business activities collects and processes
personal data of its associates, its suppliers, its employees and its customers, in accordance with applicable national
law and European Regulation 2016/679 on the protection of individuals with regard to the processing of personal
data and on the free movement of such data. Therefore, Computer Team acts as the controller in accordance with
Article 4 (7) of the GDPR.


5. Computer Team as the processor
In the context of its activity, Computer Team undertakes the implementation and support of IT projects,
therefore, as the processor:
• Processes personal data only on the basis of written instructions from the controller.
• Ensures that persons authorized to process personal data have committed to confidentiality.
• Takes the necessary technical and organizational security measures.
• Does not hire another processor (“subcontractor”) except with the permission of the controller which
may be general or specific (in case of general authorization, the “controller” is informed in case a
replacement/addition of a subcontractor is required, so that the controller to be able to object to these
changes).
• Takes into account the nature of the processing and assists the controller with the appropriate technical
and organizational measures, in order to fulfill the obligation of the controller to respond to requests for
the exercise of the rights of the data subject.
• Assists the controller in ensuring their compliance with the obligations of keeping records of processing
activities, processing safety, reporting of breaches and impact assessment study (taking into account the
nature of the processing and the information available to the processor).
• At the option of the controller, deletes or returns all personal data to the controller after the end of the
processing services and deletes the existing copies.
• Makes available to the controller all the necessary information to prove compliance with the obligations
set out in this article and allows and facilitates controls.


6. The personal data we process
We process your personal data only for a legal purpose, provided that one of the conditions of article 6 par.
1 of the GDPR is met. The website www.cteam.gr was designed in such a way that users can visit it without
having to reveal their identity and without having to provide personal data unless they wish (e.g.
sending/posting a CV for a possible employment offering). In the course of our activities and our cooperation
with you, we will need to collect and process some of your personal data in order to offer you specific
services and to be able to adequately meet your needs. More specifically:


6.1 Personal data of our customers
Computer Team collects and processes the personal data of the clients, the categories of which are
mentioned in the Additional Agreements (for the GDPR) that it co-signs with them and which accompany the
main Contracts. This Personal Data may come to its knowledge in order to provide comprehensive services
to its Customers.
The legal basis for the above processing is the fulfillment of our contractual obligations (GDPR article 6 par.
1b) and the legal interest of the Computer Team (GDPR article 6 par. 1f).


6.2 Personal data from the use of electronic services on our website.
To improve our website to better serve your needs, we measure its performance. During your visit, we
automatically collect the following information about your computer and your visit: the network and the
internet service provider, through which you have access to the Internet, your activity on our website, the
date and time of your browsing on the website our Internet Protocol (IP address), your computer’s operating
system and your browser software (browser). The legal basis for the above processing is the legal interest of
Computer Team which is involved in the optimization of the services provided by us to you, as users (GDPR
article 6 par. 1h).


6.3 Personal data collected and processed by Computer Team for its staff and
prospective employee
• The staff of Computer Team is well trained and informed about their obligations regarding the
protection of personal data and the professional secrecy of customers, suppliers and partners. There is
always a contractual relationship between Computer Team and its employees, with the necessary
commitments of confidentiality and taking the appropriate organizational and technical measures to
protect personal data.
• When a new job position is created, Computer Team collects CVs of prospective employees. At this
stage, Computer Team collects and processes personal data of the candidates, such as name, identity
card/passport number, age, marital status, address, telephone number, email address, CV, degrees,
certifications, work experience, job application, etc. The collection of CVs of the prospective employees
is done after they have been send by the applicants, to the email address cv@cteam.gr, or other jobsearch websites where the prospective employees submit their CVs voluntarily, after having given their
consent to the Website, electronically, and where the personal data are processed only by the necessary
competent and authorized personnel for this process, thus respecting the confidentiality in the
evaluation of CVs, as a basic principle of the GDPR.
• Computer Team ensures that the personal data of each candidate is kept intact and secure, for 1 year
from the receipt of the CV, in order to be considered in future employment opportunities.
• When Computer Team decides to hire a prospective employee, it collects and processes personal data of
employees, such as name, passport/identity card number, age, marital status, address, telephone
number, email address, CV, degrees, certifications, previous work experience, job, health certificates,
sick leave, VAT, SSN, AM IKA, IBAN, employment contract, payroll data, on education, and on attendance
of employees. These data are necessary for the performance of contractual and legal obligations of
Computer Team.
Legal bases for the above processing are the execution of the contract (GDPR article 6 par. 1 b ‘), the
execution of its legal obligations (eg compliance with tax, insurance and labor obligations set by law) (GDPR
article 6 par. 1c) and the legal interest of the Computer Team (GDPR article 6 par. 1f), as well as the consent
of the prospective employees to send their CVs (GDPR article 6 par. 1a).


6.4 Personal data of our third party partners/suppliers
The Computer Team collects and processes personal data of its partners/suppliers (eg, web host,
accountants/tax experts, lawyers, security technicians, occupational physicians, etc.) such as name, email
address, telephone number, address, VAT number, identity card number, SSN, IBAN, Business Cards,
invoices, documents, contracts, etc. We also keep a history of meetings, a directory of categorization,
evaluation and development of our partners/suppliers, as well as audit reports. This information is necessary
for us to be able to communicate, direct and supervise our partners, always aiming at our perfect
cooperation and the satisfaction of our customers.
Legal bases for the above processing are the execution of the contract (GDPR article 6 par. 1 b ‘), the
execution of our legal obligations (eg compliance with tax, insurance and labor obligations set by law) (GDPR
article 6 par. 1 M) and the legal interest of the Computer Team (GDPR article 6 par. 1f).


7. Purposes of processing personal data
• The recruitment, payroll of employees, and all general liabilities of the company to its employees (eg
group insurance contract, etc.) but also the processing of personal data of employees for tax and
insurance purposes, as required by law (eg announcement of their recruitment to ΕΡΓΑΝΗ, granting of
legal licenses, etc).
• The collection of CVs of prospective employees, who voluntarily send their CVs electronically (via
cv@cteam.gr or another job-search website) and which are seen and evaluated only by the few people
responsible and authorized for this process.
• The management and training of human resources, in the context of the legal interest for the good and
efficient management of the company as well as for the continuous improvement of its operation and
efficiency.
• Communication with Computer Team customers and suppliers/partners.
• The implementation and support of IT projects to our customers and their users.
• The processing of the financial data of the Computer Team Clients (such as Health Service Providers,
etc.), the personal data and the payroll data of the employees of its Clients, as well as personal and
financial data of the partners and suppliers of Computer Team’s Clients.
• The processing of personal patient records processed by Computer Team Clients and which may come to
its knowledge, in the context of supporting its software applications.
• The management of legal or extrajudicial disputes of the Company, based on its relevant obligations
arising from the Law.
• The collection of user data for the optimization and the best efficiency of our services and the
Company’s Website but also for its protection.
The personal data of the above mentioned data subjects will be subjected to any processing other than
those mentioned above, only after prior relevant notification, if an emerging need so requires.


8. Basic Principles of personal data processing
• The processing of personal data takes place in a legal, fair and transparent manner.
• The collection of personal data is carried out only for defined, clear and legal purposes.
• The storage time of personal data is limited and is done only for the fulfillment of the respective purpose
of the processing.
• Personal data is accurate and up to date.
• Inaccurate personal data is corrected or deleted.
• Personal data remains confidential and securely stored.
• Personal data is not disclosed to third parties unless it is necessary to offer services for them, and only
after some agreement.


9. Where is your personal data disclosed?
The Computer Team may transmit the personal data provided by individuals to third parties, in the following
cases and for specific purposes.


9.1 To its employees or external associates
These are experienced professionals who are well-informed about the obligations of confidentiality
regarding the personal data of the clients. Computer Team employees/external partners have access only to
the personal data of the clients, which are deemed absolutely necessary for the execution of their duties.
There is always a contractual relationship between Computer Team and its employees/external partners,
with the necessary confidentiality commitments and taking appropriate organizational and technical
measures to protect customers’ personal data.


9.2 Other third parties due to legislation
We may disclose your personal information to social security agencies, the Ministry of Labor, the competent
tax authorities as well as to any administrative, judicial or other public authority as defined in applicable law
or court order to comply with the law or to comply with a mandatory legal process (eg for tax purposes), or
to protect the rights or security of Computer Team.


9.3 Other third parties with your consent
In addition to the disclosures described in this Privacy and Privacy Policy, we may transfer information about
you to third parties, provided you give us your free and express consent.


9.4 Transmission of P.D. outside the EEA
Computer Team does not transmit personal data to third countries outside the European Economic Area
(European Union, Iceland, Liechtenstein and Norway). However, in the event of such an event, we will only
transfer personal data to third countries that provide an adequate level of data protection and for which a
European Commission adequacy decision has been issued. Otherwise, we can transmit the data only if the
data subject has explicitly consented to the transmission or if the transmission is subject to appropriate
guarantees, as regulated in Articles 46 of the General Regulation (eg Standard Contractual Clauses, Binding
Company Rules). We will also inform the data subjects about this issue and in particular we will explicitly
mention the third countries where the data will be transmitted as well as the above-mentioned mechanisms
that allow this transmission in accordance with the General Regulation (eg European Commission adequacy
decision, Standard Contractual Clauses, Binding Corporate Rules, etc.). For the avoidance of doubt, where
the United Kingdom is no longer a Party to the EEA, the references in this paragraph to the EEA shall mean
the EEA and the United Kingdom.


10. Storage Period
The data storage period is decided based on the following specific criteria depending on the case:
When processing is required as an obligation by provisions of the applicable legal framework, customers’
personal data will be stored for as long as the relevant provisions require.
When processing is performed on a contract basis, customers’ personal data is stored for as long as is
necessary for the execution of the contract and for the establishment, exercise, and/or support of legal
claims under the contract.
The CVs of the prospective employees are kept for up to 1 year from their receipt. After this time limit, they
are deleted without notice.
The CVs of the Computer Team employees are stored in the Information Systems and in a physical file until
the end of their contract for management purposes (eg participation in tenders, grant programs).
Regarding the personal data of the customers and the employees of Computer Team, we keep them for 20
years from the end of our contractual cooperation, for the possibility of projecting ancillary claims of these
subjects, which are subject to the 20-year limitation period.
Regarding the personal data of the Computer Team suppliers, we keep them for 20 + 1 years from the end of
our contractual cooperation.


11. Personal Data Security
The Computer Team implements appropriate technical and organizational measures aimed at the safe
processing of personal data and the prevention of accidental loss or destruction and unauthorized and / or
illegal access to them, their use, modification or disclosure. These technical and organizational measures are
taken both during the design of the processing media (eg encryption of the data of the server and the
computers of the company, etc.), and by default, so that only the personal data that are necessary for the
respective process are processed (principle of minimization of personal data). The Computer Team does not
rest on the technical security measures it has taken so far, but is constantly looking for new and modern
methods in order to shield the personal data it collects and processes. In any case, the operation of the
internet and the fact that it is free to anyone does not guarantee that unauthorized third parties will never
be able to violate the applicable technical and organizational measures by gaining access and possibly using
personal data for unauthorized and / or illegal purposes.


12. Actions in case of violation of customers’ personal data
Violation of personal data means the violation of security rules resulting in the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure or access of personal data transmitted, stored or
otherwise processed. The person who detects a breach of personal data will take appropriate measures to
protect the personal data from any further adverse effects and will report the breach to the DPO without
delay, who will record the breaches found and assess their causes. In the event that a violation of the
personal data of the subjects is found and this violation may endanger their rights and freedoms, the
Computer Team undertakes to notify without delay and in any case within 72 hours from the moment it
becomes aware of its event violation, to the Authority for the Protection of Personal Data (APDPX).
Furthermore, if the breach of personal data is likely to result in a high risk to the data subject’s rights and
freedoms, the data subject should be notified by the Company without delay.


13. Your rights
Every natural person whose data is processed by Computer Team has the following rights:


13.1 Right to information
You have the right to be informed about the identity and contact details of us, or our representatives, the
purposes of the processing for which the personal data is intended, as well as the legal basis for the
processing, recipients or categories of recipients of the personal data. As part of the principle of
transparency that governs the operation of our company, you can contact us for further information on how
your personal data is processed and how to exercise your rights, by submitting the relevant requests. Your
requests will be answered without delay and in any case within one month of receiving the request. This
period may be extended by a further two months, if necessary, taking into account the complexity of the
request and the number of requests.


13.2 Right of access
You have the right to be aware of and verify the legality of the processing and to request copies of the
personal data being processed. Thus, you have the right to access the data and receive additional
information about their processing. You also have the right to access specific information about the content
of your individual rights and how to exercise them.


13.3 Right of correction
You have the right to study, correct, update or modify your personal data.


13.4 Right of deletion
You have the right to request the deletion of your personal data when we process it with your consent or in
order to protect our legal interests. In all other cases (such as when there is a contract, obligation to process
personal data required by law, public interest), this right is subject to certain restrictions or does not exist as
the case may be (e.g. we have the right to refuse the deletion of personal for the purpose of establishing,
exercising or upholding our legal claims).


13.5 Right to restrict processing
You have the right to request a restriction on the processing of your personal data in the following cases: (a)
when you dispute the accuracy of the personal data and until it is verified, (b) when you oppose the deletion
of personal data and request instead of the deletion the restriction of their use, c) when personal data is not
needed for processing purposes, however they are necessary to establish, exercise, support legal claims, and
(d) when you object to the processing and until it is verified that there are legitimate reasons to continue
processing that relate to and prevail over the reasons why you oppose the processing.
13.6 Right to object to processing
You have the right to object at any time to the processing of your personal data in cases where, as described
above, it is necessary for the purposes of the legitimate interests we pursue as controllers, as well as to the
processing for the purposes of direct informative promotion. In particular, you have the right to object to
any decision made solely on the basis of automated processing, including profiling, which produces or affects
you legally. Exceptionally, you may not object to the automated decision-making that concerns you, when
the aforementioned decision is either necessary for the conclusion or performance of the contract we have
entered into with you, or is based on your explicit and free consent.


13.7 Right to portability
You have the right to receive your personal data free of charge in a form that allows you to access, use and
process it using commonly used processing methods. You also have the right to request that, if technically
possible, we transfer the data directly to another controller. This right exists for the data you have provided
to us and their processing is carried out by automated means based on your consent or in execution of a
relevant contract.


13.8 Right to withdraw consent
Wherever the processing of data is based on your express and free consent, you have the right to revoke it
freely, without prejudice to the legality of the processing based on your consent, before revoking it.
To revoke your consent you can contact the Data Protection Officer of Computer Team.


13.9 Right of appeal to the HDPA
In case of violation of your personal data you have the right to file a complaint to the Hellenic Data
Protection Authority (www.dpa.gr): Call Center: +30 210 6475600,
Fax: +30 210 6475628,
E-mail: contact@dpa.gr.


14. Third party websites
Our Website may provide links to other Websites that are not owned or controlled by us, but which we
believe could be useful or interesting to our Website visitors. In this case, we are not responsible for the
privacy practices used on other Websites or for the validity of their content or for the collection of
information by the parties who own and control those websites, or the use of their Cookies. Therefore, we
are not responsible for any damage or problems that occur to anyone who will use this foreign Website and
ultimately, it is up to you whether or not to use a link from another Website provided by our Website, in
case you do not trust him completely.


15. Renewals and changes
We may need to change or modify this Privacy Policy in order to comply with the evolving legal environment
or the needs of our Company. You are responsible for reviewing this Privacy Policy when you visit the
Website, to be aware of any changes and updates to this Policy. All amended terms automatically take effect
30 days after their initial posting on the Website.


16. Contact details of the Data Protection Officer (D.P.O.) / Compliance
Officer:
For any issue regarding the processing of personal data you can contact the Personal Data Protection
Department of Computer Team at the following contact details:
D.P.O .: dpo@cteam.gr
Address: 19 Kathigitou Rossidou street, Thessaloniki
Phone: 2314 439750-79