Privacy policy

1. Introduction

This Privacy Policy (hereinafter "the Policy") refers to the company IAMEX SA (hereinafter "the Company") and the personal data it holds about individuals.

The Company is committed to protecting the confidentiality and privacy of Personal Data and complies with the relevant provisions of the "General Regulation of Personal Data Protection" (hereinafter "GDPR"), national legislation (Law 4624/2019) and this policy.

2. Definitions

Personal Data: is any information that refers to and describes a person, such as: identification (name, age, residence, occupation, marital status, etc.), physical characteristics, education, work (previous employment), financial status, interests, activities, habits. The individual (natural person) to whom the data refers is called the data subject.
Violation of personal data: breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored or otherwise processed.
Controller: the natural or legal person who determines the purposes and the processing guidelines of the Personal Data.
Processor: the natural or legal person, public authority, office service or other body that processes personal data on behalf of the controller.
Processing of personal data: any act or series of acts relating to personal data, such as the collection, registration, organization, structure, storage, adaptation or alteration, retrieval, search for information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion, or destruction.
Third Party: any natural or legal person, except for the data subject, the controller, the processor and the persons who, under the direct supervision of the controller or processor, are authorized to process the personal data.
Personal data subject: The natural person to whom the data refers and whose identity is known or can be determined based on one or more data characterizing their physical, biological, mental, economic, cultural, political, or social condition.

3. Who is the Controller?

The Company is responsible for the processing of personal data (Controller) that it collects directly from individuals and processes in the context of the provision of its services and products. It maintains and processes personal data with confidentiality and respect for the privacy of the subject, taking the necessary technical and organizational measures for their further protection.

The Company also performs the processing of personal data (Processor) that are transmitted to it by third parties and that it processes in the context of the provision of its services and products. It maintains and processes personal data with confidentiality and respect for the privacy of the subject, taking the necessary technical and organizational measures for their further protection.

4. Principles on Which the Company Is Based

The Company undertakes to comply with the following principles of personal data processing (Article 5 GDPR):

• Lawfulness, fairness, and transparency.
• Purpose Limitation - Personal data is collected for specified, clearly stated and lawful purposes and not processed in a manner incompatible with those purposes.
• Data minimization - Personal data is adequate, relevant, and limited only to what is necessary to achieve its processing purposes.
• Data accuracy / quality - Personal data must be accurate, complete and, where necessary, up to date.
• Storage Limitation - Personal data must be kept no longer than necessary or required by law.
• Integrity and confidentiality - Processing must ensure security, in particular protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
• Accountability - The controller or processor demonstrates that it has the necessary documentation in place to prove that it is meeting its compliance requirements.

5. Collection of Personal Data

The company collects subjects’ identifiable information in the following cases:
• When the subject buys a product or service from the company.
• When personal data is transmitted to the company by Companies, Partners or other third parties.
• When communicating directly with the company, through its website, to request information about the services offered.
• When communicating directly with the company, through its website or through ads posted on other websites or in the press, for a job by sending a CV.

The company also collects data from time to time from third parties, which may legally transmit information about the company's customers or whose files the company can legally access, such as external partners, health professionals, public services (administrative, tax, judicial, regulatory authorities, Insurance Funds) or other Legal Entities governed by Public Law or Legal Entities governed by Private Law.

The personal data is processed by the Company for the purposes as detailed below.

The company asks for the subjects' assistance in keeping their information up to date by informing it of any changes to their personal data.

6. What Kind of Subjects' Personal Data Does the Company Collect?

The following subject data categories may be collected and further processed as described in this Policy:

• Personal Information
• Information necessary for the employment, professional or other relationship that connects the subjects with the company (previous employment, studies, marital status, etc.)
• Contact Information
• Occupational Status Information
• Payment Information
• Data of applications / websites / social media (cookies)

7. Categories of subjects

The categories of subjects include:

• Customers
• Suppliers
• Associates such as lawyers, accountants, etc.
• Company staff

8. What are the Purposes of Processing & the Legal Basis of Data Processing?

The processing of personal data is based on one of the "legal bases", as referred to in Article 6 §1 of the GDPR. The legal basis of processing data refers to each processing purpose.

Sales of products and services - for the elaboration of the sales, the configuration of the appropriate solutions and the Contract’s management. [Article 6§1 (a), 6§1 (b) and 6§1 (f) GDPR]

Customer Support - for answering questions and for support regarding the Company's products through the contact form or electronically in the form of email. [Article 6§1 (a), 6§1 (b) and 6§1 (f) GDPR]

Promotion and Marketing - for answering questions and for information about the Company's news and products [Article 6§1 (a) and 6§1 (f) GDPR]

Consent on marketing issues can be revoked at any time, with effect for the future.

Relationships with employees and associates - for the activation, operation, support, and termination of these relationships [Article 6§1 (a), 6§1 (b), 6§1 (c) and 6§1 (f) GDPR].

Purposes of Legal Interests - for serving the legal interests of the Company or of third parties [Article 6§1 (f) GDPR].

Compliance with Legal Obligations - for the compliance with the legal obligations of the Company to the regulatory, tax, accounting, judicial authorities, and services [Article 6§1 (c) and 6§1 (e) GDPR]

The provision of personal data as above, is a statutory obligation which depends on the specific request.

Processing Special Data Categories: According to article 9 §1 and 2 of the GDPR, the processing of special categories of data is allowed only in the specific cases defined by law, among which, the provision of consent art. 9§2 (a).


9. How the Company Ensures the Safety of Personal Data

The Company ensures that personal data are processed, in compliance with policies, procedures and in accordance with the purposes of processing. For example, the following security measures are used to protect personal data against misuse or any other form of unauthorized processing:

• Access to personal data is restricted to a limited number of authorized persons only for those purposes.
• The staff of the competent departments is bound by confidentiality clauses having graded and limited access, only to what is necessary for completion.
• Sensitive data is stored on PCs with authorized access. Also, in printed form they are locked in cabinets where only authorized persons have access.
• The Company selects reliable partners, who are bound in writing in accordance with Article 28 §4 of the GDPR by the same obligations regarding the protection of personal data. It reserves the right to control them (Article 28 §3).
• Computer systems used to process data are technically isolated from other systems to prevent unauthorized access, for example through illegal access (hacking).

In addition, access to these computer systems is monitored on a permanent basis to detect and prevent illegal use at an early stage. 

10. For How Long the Data is Stored

The company stores personal data for as long as required by the respective processing purpose and any other permitted linked purpose. The data are kept for as long as provided by the current legislation.

Information that is no longer needed is securely destroyed or anonymized.

Especially for the data processed by the Company based on the consent of the subject (e.g. for marketing purposes), these are kept from the time the relevant consent is obtained until it is revoked.

The Company restricts access to the subjects' data to the authorized persons who need to use them for the specific purpose.

11. Who are the Recipients of the Data?

The personal data collected by the Company may be transmitted to third parties, provided that the legality of the transfer is justified.

Furthermore, if the legality of the transfer is justified, personal data may be disclosed to the following categories of recipients:

• Individual customers or companies, for which the Company acts as "Processor", who are themselves "Controllers".
• Employees or associates of the company who may process the subjects’ personal data under its instructions.
• Collaborating companies within their responsibilities.
• External collaborators, who are bound in writing in accordance with article 28 §4 of the GDPR with the same obligations regarding the protection of personal data.
• Any supervising authority, as required by the applicable supervisory framework.
• Any public or judicial authority, if required by law or court order.

12. Where Processing Takes Place

The personal data of the Company's customers are processed within the European Economic Area (EEA).

If an investigation is required for the provision of services outside the EEA, this is done with the explicit consent of the subjects (Article 49 §1 (a)).

13. Personal data breach

In case of a violation of the security and integrity of the data available to the company that concerns personal data, the Company will take the following measures (in accordance with Articles 33 and 34 of the GDPR):

• It will review and evaluate the procedures required to mitigate the breach.
• It will assess the risk and its impact on the rights and freedoms of data subjects.
• It will try to reduce as much as possible the damage that has been or may be caused.
• It will notify you within 72 hours of being notified of the breach, if required.
• It will assess the impact on privacy and take appropriate measures to prevent a recurrence of the breach.

14. Data Subjects’ rights and how these can be exercised

Data subjects have the right to request access to the personal data concerning them, correction / deletion of their personal data, restriction of processing, right to object to the processing and / or to exercise their right to data portability.

If the processing of data is based on the consent of the subjects, their consent can be revoked at any time, with effect for the future.

More specifically, Data Subjects have rights as per below:

a. The right to be informed / transparency: Subjects have the right to know who is processing their data, what categories of data they are using and why. The organizations processing their data must give clear information in plain language (for more details see Articles 12, 13 and 14 of the GDPR).

b. The right of access: Subjects' right to be informed about the processing of the data by the company, and the right to access the data.

c. The right to rectification: Subjects' right to request correction or completion of their data if it is inaccurate or incomplete.

d. The right to erasure (right to be forgotten): Subjects' right to request the deletion of their data. The Company can satisfy that right if:

• The data are no longer necessary for the purposes for which they were collected
• If there is no legal basis for processing other than consent.
• If they exercise the right of objection (see below)
• If the data has been processed contrary to the applicable legislation
• If the data must be deleted to comply with a legal obligation

The company reserves the right to refuse to satisfy the request if the processing of the data is necessary for the observance of a legal obligation, reasons of public interest or the establishment, exercise, or support of legal claims (Article 17 §3).

e. The right to Restriction of processing: Subjects' right to limit the processing of their data, for example, when they have questioned the accuracy of their personal data, for the period that will be required for verification.

f. The right to Data Portability: Subject’s right to receive their data in a structured, commonly used, and machine-readable format as well as to request their transmission, both to them and to another person who will process them.

g. The right to Object: Subjects’ right to object to the processing of their personal data by an organization, if this is not contrary to the public interest (for more details see Article 21 of the GDPR).

h. The right to human intervention: Subjects’ right to object where a decision is based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them (for more details see Article 22 of the GDPR).

The Company will examine Subjects’ requests and will respond within one month from the receipt of the requests either for their satisfaction or for the objective reasons that prevent their satisfaction or, considering the complexity of the requests and their number, within an additional period of two months. (Article 12 §3)

The exercise of the above Subjects' rights is carried out free of charge for them, by sending a relevant application / letter / email to the Data Protection Officer. The abusive exercise of the above rights (Article 12 §5) may incur the payment of a reasonable fee.

If Subjects are not satisfied with the use of their data by the Company or with its response to the exercise of their above rights, they are entitled to file a complaint to the Hellenic Personal Data Protection Authority.

Subjects may exercise the above rights using the contact details listed below.

15. Processor’s contact details

For any issue regarding the processing of the Subjects' personal data and for the exercise of their above rights, they can contact the company by phone at +30 210 6298412 (Monday - Friday 10:00 - 16:00), by e-mail at gdpr@iamex.gr and by post to: Achaias 5, Kifissia, PC 145 64, for the attention of the Data Protection Officer, Iamex SA.

16. Contact Information of the Hellenic Personal Data Protection Authority

Phone: +30 2106475600, e-mail: contact@dpa.gr and postal address: 1-3 Kifissias Avenue, 115 23, Athens.

17. Cookies

Cookies are important for the effective operation of the website www.iamex.gr and to improve the online user experience. The website uses a special tool for managing cookies. Users can click "Reject" to not accept any cookies other than what is necessary for the operation of the website, "Accept All" to accept the use of all cookies, or select "Cookie Settings" to see detailed descriptions of cookies and choose whether to accept certain cookies or not. After users make their selection, the tool is minimized to the lower right corner of the website, and they can click on it to change any settings they made earlier.

What are cookies?

Cookies are small text files that contain information stored in the web browser of the user's computer while browsing www.iamex.gr. These cookies can be removed at any time, as the user can modify the browser settings to reject some or all cookies. The help function in most browsers provides information on how to accept cookies, disable cookies or notify the user when receiving a new cookie.

Cookies do not harm your computer, mobile device, or the files stored on it and are not aware of any document or file from the computer of the website visitor.

The Company uses cookies to continuously improve the functionality of its website, the effective browsing of the user, as well as the connection and navigation on the pages. If the users do not accept cookies, they may not be able to use some functions or services and for this reason it is recommended to leave them enabled.

For third-party cookies on the websites that users visit through links from the company's website, they can see the links to third-party websites below. Additional information about cookies is available here: www.allaboutcookies.org

18. Logging Data

The company may collect information that the user's browser submits each time it visits the company's website. This log data may include information such as the IP address of the user's computer.

In addition, the company may use third-party services, such as Google Analytics, to collect and analyze such information to improve the functionality of its website and services. These third-party service providers have their own privacy policies regarding how they use this information, and the company suggests that the user become familiar with them.

For more information about Google's privacy practices, please visit the Google Web site at http://www.google.com/intl/en/policies/privacy.

19. Commercial Communication

The user can visit the website www.iamex.gr, which is maintained and managed by the Company, without disclosing their identity and without providing any personal information, subject to the acceptance of the relevant cookies (see above).

Generally, the user is not required to submit personal data to the Company online, but the user may be required to provide some personal data to obtain additional information about the company's products, services, and events. The Company may also request the user's permission for certain uses of their personal data, and the user may either consent to or deny such uses.

However, for the visitor / user to receive electronic information material sent by the Company about its services, the economy and current affairs in general, and to receive privileges from the Company in the future, the user can provide explicit consent to registration in the services of the Website and to the provision to the Company of the data entered in the relevant contact form. The user will be able to unsubscribe from the relevant recipient list at any time by following the instructions contained in each communication. If the user decides to be removed from a service or communication, the company will try to delete the user's data as soon as possible.

The collected personal data is stored on restricted access servers controlled by passwords and the Company uses special technologies and procedures to enhance the protection of this information against loss or misuse as well as to protect it from unauthorized access, notification, modification, or destruction. However, although the Company makes every effort to protect the above information, it cannot guarantee that the above technologies and processes will never be affected in any way.

To this end, if any visitor / user becomes aware of any illegal, malicious, inappropriate, or improper use of personal data that is related in any way to the use of the Website, the Company must be notified immediately.

20. Links to Third Party Websites (Links)

The Company's website may contain links to third party websites, which are operated and maintained exclusively by the latter and which the Company may not control. The Company assumes no responsibility for personal data protection practices or policies of third-party websites and cannot guarantee the security of the user's browsing on them. Therefore, the user must carefully read the respective privacy policies of these websites as they may differ significantly from the company protection policy. This privacy statement applies only to information collected from the company's website.

21. Privacy Policy Update

This policy is reviewed when there is a significant change. This review will be available on the company website www.iamex.gr.