Personal Data Security Policy
A. For ordinary website visitors:
The personal data collected are further categorized into the data of ordinary visitors and the data of the users of the website services, as follows: During your navigation on the website, data is collected about the use of the website ("usage data") for purposes of analyzing the use and monitoring and improving the website and the services provided. Usage data may include your IP address, geographic location, browser type and version, operating system, referral source (from which page you arrived at the website), duration of visit, page views and navigation paths of the website, as well as information about the timing, frequency and manner of use of the website and its services by you. The source of the usage data is Google Analytics. How Google Analytics collects and processes data can be found here: www.google.com/policies/privacy/partners/.
The above personal data of website visitors is limited to the information required for the operation and improvement of this website and our services in accordance with the applicable personal data legislation. The Company collects and processes data exclusively for the purposes of the legal and proper operation of the website and to offer visitors and users of the website the best possible user experience.
B. For corporate customers:
In the context of using the website, personal data is collected and processed in the event that the Customer expresses interest (i) in any of the Company's products (ii) for cooperation with the Company and (iii) for communication with the Company.
In particular, in all the cases under (i) to (iii) above in which the Customer, a natural or legal person, expresses an interest in some of the Company's services, data is collected which, depending on the type of business, may also be personal data and which include the following: company name, contact person, management details, postal code, telephone numbers, email, activity. The above personal data of the users of the website services are used by the Company in order to contact you for the purposes of information about its products and services.
C. As Responsible and Executor of the Processing, in accordance with the EU General Data Protection Regulation 2016/679
Technical security mechanisms for the protection of personal data implemented by the Company:
All the company's central electronic devices (server, switch, router, firewall, NAS) are located in a secure area, with limited and controlled access by the company's staff and visitors. Access to the space is granted through a request to the company's address stating the time and a description of the work to be carried out. The site is visited by external partners only on scheduled days and times and under the full supervision of the company's sysadmin.
The domain controller, in combination with the Active Directory service, is used to create unique users per operator as well as user groups. It is also used to assign permissions per operator or per group at the folder and file level. Each operator's username and password are created after a request from the staff address to the company's sysadmin. The sysadmin then creates the new user and sets the system requirement that the new user create a unique security code when first entering the system. The code in question must comply with company policies, which state that it must be at least eight characters long, with at least one capital letter, one number and one special character. Every 6 months the system asks the operator to replace the code with a new one and prohibits reuse of any previous code. No one in the company is able to view the operators' codes; a code can only be reset to a new one if the operator loses it. Finally, the operator is informed in writing by the personnel department that under no circumstances is he authorized to share his system security code with anyone inside or outside the company.
DHCP governs the access of specific electronic devices to the company network, as it assigns a specific network address to each electronic device based on the device's unique address (MAC). The address assignments are refreshed daily so that any attempt to introduce an unauthorized device into the network can be monitored. The available address pool always matches the total number of authorized electronic devices.
The firewall gives the company the ability to control traffic to and from the internal and external network. It also makes it possible to route specific traffic from the external network to a specific device in the internal network using a specific port number and communication protocol. The firewall also records traffic to and from internal and external network addresses, specifically: date, time, workstation, external communication address, usage protocol and duration. Finally, based on the needs of an operator or group of operators, the company can cut off access by address book, protocol or hours.
The network storage device is used by the company to store backups as well as files. The device supports the LDAP protocol for connectivity with the company's domain controller, a feature that ensures authorized access to the contents of the NAS based on the usage policies of operators or groups of operators as defined in the policies of the domain controller.
The company's connectivity to any external network is provided through a certified router of the Internet service provider. Company staff cannot access the router; it is managed entirely by the authorized department of the Internet service provider. The router is connected in series ahead of the firewall so that its direct connectivity is controlled and routed by the firewall.
The company's Call Center supports the recording of calls based on the information of the caller. The recording is stored in a secure area within the company's network and accessible only by authorized personnel upon request approval.
Exchange Mail Server
Exchange Mail Server provides the company with centralized email management. Based on configuration, operators have access to specific emails according to their role in the company. Email passwords are stored on electronic devices and not disclosed.
The company provides SFTP accessible space to its customers. At the start of the cooperation of a new customer, the company communicates the address, username and password to the customer. When the customer enters the system for the first time, he is asked to enter a new password which is kept secret by the customer. By entering the unique username and password, the customer has access to a space that is accessible only by the customer and by authorized personnel of the company. Access authorization from the company side is given upon command by the sysadmin for a limited time and specific task. The storage of the files on the part of the company's network is done in a restricted access area only by the sysadmin, who is also responsible for moving the files to an extended access area depending on the work/processing that the received files must receive. For the entry of the company for the purpose of storing customer files, a written confirmation from the customer is required with the following characteristics (file name, file password if any, purpose of sending the file and name of sender).
Antivirus in the company has a dual purpose. First, it protects against the introduction of malicious software that could potentially export sensitive personal data to unknown processors, and second, it provides a secure method of locking the ports of electronic devices to prevent the connection of unauthorized external storage media. With the above procedure, the company ensures the export of files from the facilities to any portable storage medium. The use of portable storage media is only possible through a list of authorized storage media. The use of these is through an approval process by the sysadmin. This application contains information on the use of the storage medium, the purpose, the content, the date of departure and arrival at the company. Upon return of the external storage medium the sysadmin is responsible for receiving, checking and clearing the device.
Access to the internet will be done using a remote web browsing system. By using this feature, the company protects the sending and receiving of files to and from its network in an area of unauthorized access. The files that must be sent or received via the Internet are placed in a space accessible only by the sysadmin and then after a process of checking the type of content and their security, they are transferred to the corresponding space based on the processing they must receive.
The company takes one backup copy every day and keeps a history of six (6) months in steps of one month: that is, five (5) backup copies of previous months, three (3) weekly backups of the last month, and five (5) daily backups of the last week. Backups are exported and kept on a network storage medium accessible to the sysadmin. Backups are kept encrypted.
The network printers are accessed through a printer management system hosted on the company's main computer. By using centralized printer management, the company has access to a log file which provides the user information, print file name, date, time and printer used.
The company's ERP system manages the customer base and their movements. The system used by the company is structured and configured in such a way as to ensure limited access based on the input of the user name and password as well as the role of the operator in question based on his assigned work duties. The username and password are assigned to the operator once by the company address. The password is not set based on the complexity of company policies. If an operator is removed, the user is deactivated. The system in question maintains a file based on which the user name, action, date and time can be identified. Password guessing is protected by automatically locking the user after a certain number of failed attempts. The company also, based on its policy, renews the entry codes in the system at regular intervals in order to ensure the integrity of the information. Finally, configuration allows the sysadmin to enable or disable actions such as extracting files on a per-user basis.
Physical Access Security
The entrance to the company's offices is covered by a controlled access system with a security code at the main entrance. Also, the area is covered by a closed camera surveillance system which covers the entrance areas, transit areas, access areas to the central computer units as well as the main office area of the company. The monitoring system records the history of the cameras based on the capacity. The recording system has a controlled access management system which is covered by a username and password which is announced to the company's address.
Recording of telephone orders for the assignment of work: The Company records work orders given by telephone and stores them for a period of up to five (5) years from their receipt.
Third party technical service providers:
The Company may use third-party technical service providers who host, store, manage and maintain the website, its content and the data collected, as well as other technical service providers (e.g. email services) to communicate with you in cases where it has received your express consent for such communication. The Company only uses third-party service providers who agree to use the personal information provided to them solely for the purpose for which it was provided (e.g. technical services, website technical support) and who agree and warrant that all processing in which they engage will be legal and compliant with the provisions of applicable personal data legislation.
The Company does not sell, distribute or lease your personal information to third parties unless required by law to disclose such information. More specifically, the Company may disclose your personal data to third parties when this disclosure is necessary for the creation, exercise or defense of legal claims, either in the context of judicial proceedings or relevant summons of Competent Authorities or in the context of administrative or extrajudicial proceedings or for the purpose of preventing or stopping an attack on its computer systems or networks or protecting its rights or property.
The server and data center used by the website is located within the European Union and is therefore subject to compliance with the provisions of applicable personal data legislation. The data collected through this website is not transmitted to companies outside the European Union.
Period of processing of Personal Data
The storage and processing of the data of the customers of the services of the website is done exclusively and only as permitted by law or in accordance with your express consent only for as long as necessary to satisfy the processing (as defined above) or until you disagree with the use of your personal data by the Company or until you withdraw your consent.
In the event that it is required by law or in the event that the retention of personal data for a longer period of time is required for the legal claim or defense of the Company against legal claims, the Company will retain the personal data for a longer period of time.
Designation of Personal Data Protection Officer
The Privacy and Security Policy of the Company is in full harmony with the Regulation of the European Union 679/2016 on the Protection of Personal Data. For this purpose, the Company has appointed the Athens Lawyer Eleni Dede (AMDSA: 34461) as the Personal Data Protection Officer, who is designated as responsible for every issue related to the application of the above Regulation by the Company and with whom the users and any interested party can communicate by e-mail at