Data Protection & Security Policy

Thank you for visiting the website of “Bionephros”, a member of the “Doctum Pharmaceuticals” K Giokaris & CO. Group, located in Thessaloniki St., Moschato P.C. 18345.

Before using our website, please read this Data Protection & Security Policy carefully.

Introduction

Bionephros S.A. as data controller would like to inform you about the way your data is collected and processed.

Personal data (PD) are any information related to an identified or identifiable natural person (data subject).

Bionephros S.A. takes the protection of your personal data very seriously. We process personal data in accordance with data protection laws and regulations and ensure that our personnel are aware of their obligations when processing personal data on behalf of the Company.

The purpose of this policy is to ensure that the processing of your personal data by Bionephros S.A. complies with the principles governing lawful data processing and that the personnel of Bionephros S.A. are aware of the rights of the data subject and the obligations of the Company when processing personal data.

As reflected in the Terms of Use of the Website https://www.bionephros.gr/oroi-xrisis-istoselidas--w-97724 and the Cookies Policy https://www.bionephros.gr/politiki-cookies-w-72858, the services provided through this website are intended for the general public, do not target minors and do not process the personal data of minors under 16 years of age.

This Policy applies to all members of the Company and all processing of Personal Data on behalf of Bionephros S.A., by any means and in any form whatsoever.

Definitions

“Personal Data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly.

“Processing”: any operations or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage etc.

“restriction of processing”: means the marking of stored personal data with the aim of limiting their processing in the future.

“data controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, in this case Bionephros S.A.

“data processor”: the natural or legal person, public authority, agency or other body which processes personal data on behalf of Bionephros S.A.

“consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Data protection officer”: Computer Studio S.A., located at 223 Vouliagmenis Ave., Athens, PC 172 37, Tel: (210) 9761865, Fax: (210) 9708067, www.computerstudio.gr. The Natural Person that has been declared to the Data Protection Authority is Lioulias Dimitrios. info@bionephros.gr.

“Data subject”: The individual (natural person) to whom the data relates.

“General Data Protection Regulation”: it includes the 2016/679 regulation on the protection of personal data (GDPR) and the law 2472/1997 on the protection of personal data, guidelines and decisions of the Personal Data Protection Authority, the law 3471/2006 on the protection of personal data in electronic communications and any other specific legislation in force in Greece regarding the protection of privacy and/or the processing of Personal Data. The legislation on data protection regulates the way a data controller, like Bionephros S.A., can process the personal data of the subjects, while recording and at the same time safeguarding their rights.

“Personal Data Protection Authority (PDA)”: The Supervisory Authority in charge is the Hellenic Data Protection Authority (HDPA), located at 1-3 Kifissias Ave. 115 23, Athens, tel. +30-210 6475600, Fax: +30-2106475628, www.dpa.gr. It is a constitutionally consolidated independent Authority whose mission is the protection of the personal data and the privacy of individuals, the assistance in the event of a violation of his/her relevant rights, as well as the support and guidance of the data controllers to fulfill their legal obligations.

“Recipient”: a natural or legal person, or public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

“Third Party”: any natural or legal person, public authority, agency or body other than the data subject, controller, processor and person who, under the direct authority of the controller or processor, are authorised to process personal data.

“Data Protection Policy”: a set of regulations and procedures, which all participating in the Company are required to adhere to. They balance the right and the need of a Company, such as Bionephros S.A. to process Personal Data with the obligation to protect the rights and respect the privacy of the data subject.

“Personnel”: includes all employees of Bionephros S.A. who are connected to it by a contract of employment or for the provision of services, as well as all temporary staff, contractors, consultants and third parties with whom there is a cooperation, in the framework of which a contract has been concluded or confidentiality or non-disclosure clauses have been included.

“Bionephros S.A.”: Bionephros S.A. is an Anonymous Company, member of the Doctum Pharmaceutical Group – K. Giokaris & Co. S.A. Bionephros S.A. is in full compliance with the laws and regulations on the protection of personal data.

Bionephros S.A. respects and adheres to the principles governing the processing of personal data, in particular:

  • Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”). This means that Bionephros S.A. shall use Personal Data fairly and identify legal basis for processing. When the subject provides Bionephros S.A. with personal data for the first time or if the purpose of processing changes, they may be informed upon request about: the identity and contact details of the data protection officer, the purposes and the legal basis for the processing, the recipients or the categories of recipients of the personal data, the period of time for which personal data will be stored, their rights concerning the processing of their personal data, including the right of access and transfer of the data, rectification and erasure, restriction of processing and the right to object to processing, the consequences of not providing the personal data required by law or for contractual purposes, and the existence and rights associated with automated decision-making, including profiling.
  • Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”).  Bionephros S.A. processes personal data only for the purposes for which the data subject has previously been informed and will not use it for other purposes that are incompatible with the initial purposes. Without prejudice to appropriate safeguards, further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes.
  • Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”). Bionephros S.A. ensures that only the strictly necessary personal data are processed for the purpose for which they were collected and no personal data will be collected or retained because they may be useful in the future.
  • Personal data shall be accurate and, where necessary, kept up to date; every reasonable step is taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”). The personal data will be inaccurate when incorrect or misleading as to any matter of fact to which they relate. Bionephros S.A. has created and will periodically check if it needs to develop further processes for the maintenance of the quality of data collection, whether collected or obtained by Bionephros S.A. or not, as well as their exact modification, updating or rectification.
  • Personal data shall be kept in a form which permits identification of data subjects only for the time required for the purposes for the processing of the personal data (“storage limitation”) and which by no means will exceed the time required for the purposes for which the personal data shall be processed. Every department and every administration of the Company makes certain that appropriate retention periods are identified and followed and ensures their safe destruction when that period elapses or the purpose for processing ceases to exist and there is no legal claim or legal interest or right to continue their retention. They may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures.
  • Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“Integrity and confidentiality”). For this reason, any processing of personal data on behalf of Bionephros S.A. or of personal data collected by the Company that takes place is subject to strict contractual clauses. The Data Protection Officer participates, is informed and expresses his opinion to the administration during the initial stages of each project or upon a proposed change in a process that has a significant impact on the processing of personal data. The processing of personal data by any department or employee complies with the Security Policy of Bionephros S.A. https://www.bionephros.gr/politiki-aporritou--prostasias-dedomenon-w-31733. The personnel of Bionephros S.A. have been informed to report any factual or suspected incident that has or may lead to the loss, theft, unauthorized disclosure, accidental destruction or disclosure of personal data according to the foreseen procedures for responding to data breach.

Bionephros S.A. respects and abides by European and Greek legislation, investing equally in the trust of the public and the users of its facilities. It follows and conforms to the guidelines of the Data Protection Authority, the European Data Protection Board and the European Commissioner. It implements proper practices and adopts the appropriate codes of conduct and policies for the internal organisation and management of personal data.

It is at the disposal of the competent authorities and data subjects for the purpose of demonstrating its compliance with the relevant provisions by providing the following information: a) the name and contact details of the data protection officer, b) the purposes of the Processing, c) a description of the categories of data subjects and categories of personal data, d) the recipients to whom the Personal Data may have been or will be disclosed, e) the countries to which personal data are transmitted, if any, f) the retention period of personal data, g) a description of the technical or organisational security measures for personal data.

It seeks to design and develop appropriate structures for the operation of systems and procedures to ensure the proper and lawful processing of all personal data, in a way that safeguards their integrity, accuracy, relevance and security. For this reason, it adopts solutions for the protection of privacy and confidentiality by default and by specific design to meet the needs of the Company.

It performs data protection impact assessments when it uses new technologies or plans for high risk personal data processing, especially regarding the installation and use of closed circuit television (CCTV) and similar equipment. It follows the guidelines of the competent Greek and European authorities, e.g., the Data Protection Authority, in compliance with any Code of Ethics and Conduct to which it is subject or has adopted. Bionephros S.A. categorises personal data and controls, identifies, takes measures and eliminates the risk arising from their processing, with the aim of eliminating risk to the personal data and the privacy of the subject as much as possible.

It ensures processing in a transparent manner and provides notifications and updates regarding personal data processing. It uses consent as the legal basis for processing personal data, when this is the appropriate option to serve the purposes of processing personal data; especially for marketing purposes, it always provides information on how to delete them from relevant lists.

It checks and ensures that personal data are not disclosed to those who do not have the relevant rights or to third parties, unless permitted or required by law. To this end, it makes certain that all employees of the Company who are directly involved in the processing of personal data are trained and updated on an annual basis. It checks and ensures that its external partners who receive personal data from the Company, regardless of whether they may be considered processors, have taken appropriate, technical and organizational measures to ensure compliance with the data protection principles and relevant requirements described in this policy. Employees and external partners are continuously checked. Violation of the rules and general data protection regulations by an employee of the Company also involves disciplinary penalties.

It handles requests by data subjects, who object to the processing or wish to limit it, with the aim of responding in the best possible way, and even voluntarily takes action to rectify inaccurate data or even delete them. In all cases, it respects and takes action to grant the requests of the data subjects not to use their data for commercial purposes and for promotional activities.

It has created the appropriate structure and procedures to handle any incident or grievance regarding the processing of personal data and the compliance of the Company with this policy. Any grievance and incident will be handled by the Security Team and the representative of the departments involved in cooperation with and under the direction of the Data Protection Officer, Lioulias Dimitris.

Bionephros S.A. as Controller of Personal Data

At Bionephros S.A. all employees are responsible for demonstrating compliance with this policy. The personnel process personal data only to serve legitimate, business purposes that are directly related to the performance of their duties. All Company employees are responsible for reporting violations that have occurred or are ongoing, either to the Security Team or the Data Protection Officer, as soon as they become aware of them and follow the internal policy procedures and actions.

The personal data we collect are used, based on at least one of the legal bases provided by GDPR 2016/679 in Article 6:

  • To respond to a request, problem or grievance you have raised so we will have your consent as a legal basis GDPR 2016/679 Article 6 § 1 case a, duty to comply with our contractual obligations GDPR 2016/679 Article 6 § 1, case b, to perform the task assigned to us, GDPR 2016/679 article 6 § 1 case e
  • in order to meet our contractual obligations during the provision of our services GDPR 2016/679 Article 6 § 1 case c
  • in order to comply with our legal obligations, GDPR 2016/679 Article 6 § 1 case c
  • in order to perform a task carried out in the public interest which was vested in us, GDPR 2016/679 Article 6 § 1 case e
  • when we deem it necessary since it will be the ultimate solution to the protection of our legitimate interests, unless the interests or fundamental rights and freedoms of the data subject, which impose the protection of personal data, prevail over those interests, in particular if the data subject is a child, GDPR 2016/679 Article 6 § 1 case f
  • in extremely rare cases to protect the vital interest of a natural person, GDPR 2016/679 Article 6 § 1 case d

We shall not transfer, sell, or in any other way distribute, or share your personal data with others unless we are required to do so because they provide us with contractual services or disclosure is permitted or required by law, or you request it.

We may transfer your personal data to other bodies only when we have the right to do so and in compliance with the legislative framework.

We may also be obliged to transfer personal data to the competent authorities, e.g. the police, for the purposes of crime prevention or investigation and customer safety. In such cases, the Company will assist with the request if the personal data are requested by a Company or authority which is able to demonstrate that the particular data will assist in preventing or suppressing criminal activities or that the Company is required by law to transfer.

For more information, you may contact the DPO of Bionephros S.A., Lioulias Dimitrios at the email address: info@bionephros.gr

Employees and Partners

Employees and collaborators of Bionephros S.A. who are entrusted with the specific responsibility and task of data processing, have knowledge of this policy and are adequately trained in the proper management and processing of personal data. Evaluation and recording of the risks to the natural freedoms of Data Subjects from the processing of their personal data has been carried out and if necessary, they will proceed with an impact assessment (DPIA). They apply and adequately document why these procedures have been selected as appropriate, and in which way they ensure the compliance of the company. To fulfil their duties, they consult the Security Team and the Data Protection Officer.

The Data Protection Officer (DPO)

He has due regard of the risk associated with the processing operations and takes into account the nature, scope, context and purposes of processing and is responsible for informing and advising Bionephros S.A. and its employees who process personal data about their obligations deriving from the European and Greek data protection laws. He monitors compliance with European and Greek legislation, the policies of the Company regarding the protection of personal data, including delegation of responsibilities, awareness-raising as well as training of the employees involved in processing operations, and related audits. He provides advice, when requested, with regards to data protection impact assessment and monitors its performance. He cooperates with the supervisory authority, and acts as a point of contact for the supervisory authority and for the data subjects on issues related to processing. He himself also maintains documentation of the procedures for the protection of personal data and manages in collaboration with the Company, the process of informing the data subjects and the Data Protection Authority.

The Security Team of Bionephros S.A.

It is responsible for offering advice to the company regarding technical measures and the audits required to protect and safeguard personal data, ensuring their integrity and non-disclosure, by making use of all appropriate means and measures.

Internal control

Bionephros S.A. has adopted procedures for the preventive control of the compliance of the personnel and of all the collaborators involved, in the processing of personal data according to the procedures and policies stated to them by the Company.

Changes in the personal data protection policy

This policy was approved by the administration of the Company on 8.5.2019 and will be subject to revision whenever it is deemed necessary by Bionephros S.A.

Please check the Implementation Date (see beginning of this Policy) to see when this Policy was last revised. Each revision will take effect from its posting on the appropriate section of the website, and the former will be archived.