Bioanadrasi EU Data Protection Policy
INTRODUCTION AND SCOPE
This Data Protection Policy sets out the obligations of Biofeedback EU when processing personal data. It also sets out what Biofeedback EU employees and external partners must do when handling personal data on behalf of Biofeedback EU.
WHAT IS PERSONAL DATA AND WHAT IS A DATA SUBJECT?
a. Personal data is any information relating to an identifiable living individual. You may see documents that refer to “data subjects”: this is what data protection law calls individuals. An individual is identifiable when:
i. Biofeedback EU holds clear direct identifiers – such as name, telephone number, postal address, email address, date of birth and/or
ii. It is reasonably likely that Biofeedback EU can identify the individual by other reasonable means. For example, an employee identification number, where HR can link it to the employee’s name, or a customer reference number, where customer support can link it to the name or address.
b. Online identifiers – such as cookie identifiers and device identifiers – are also covered by the law, as are decisions made about individuals and subjective opinions expressed about individuals.
c. Sensitive personal data is any information relating to health, religious or philosophical beliefs, sex life or sexual orientation, racial or ethnic origin, political opinions, trade union membership, genetic data, or biometric data used to uniquely identify a person (such as fingerprints or facial recognition templates). Information relating to criminal convictions or suspected criminal activity is governed by very similar rules, so where this Policy refers to sensitive personal data it also includes criminal offence data.
d. You may collect personal data in various ways, such as: from recruitment agents, social media, correspondence with employees or with customers.
WHAT IS PROCESSING?
Processing is any use that Biofeedback EU makes of personal data. This includes obtaining or creating personal data, modifying it, storing it, disclosing it or even accessing it, anonymizing it or deleting it.
WHAT OBLIGATIONS DOES BIOFEEDBACK EU HAVE?
Biofeedback EU must comply with the General Data Protection Regulation (“GDPR”). Biofeedback EU’s obligations under this law are set out in this Policy.
WHAT ARE MY OBLIGATIONS?
All employees and, where applicable, external partners/contractors of Biofeedback EU must comply with this Data Protection Policy and any additional policies introduced by Biofeedback EU. Failure to comply with this Policy may result in disciplinary action. The appendices to this policy contain additional notes.
BASIC DATA PROTECTION PRINCIPLES
Biofeedback EU follows these data protection principles when processing personal data:
a. Lawfulness, fairness and transparency
Always process personal data fairly – in accordance with the individual’s reasonable expectations – and lawfully.
Informing individuals about how Biofeedback EU will use their personal data
i. Individuals must understand how their personal data will be collected and used. When developing a new product or activity that will involve personal data, Biofeedback EU considers how individuals will be informed.
ii. When Biofeedback EU collects personal data directly from individuals, it provides notice at the time of such collection.
iii. When Biofeedback EU collects personal data from another source, it shall provide notice within a reasonable time, but no later than one month, after Biofeedback EU obtains the data. If Biofeedback EU intends to contact the individual or disclose the data to third parties, then the notice shall be provided no later than such communication or disclosure.
iv. The privacy notice shall contain the information listed in Annex 1.
v. Biofeedback EU shall ensure that privacy notices are: concise, intelligible, use clear and plain language, which is suitable for the public; easily accessible; and provided in writing (which may include electronic means), unless the individual requests that the information be provided orally.
vi. If the purposes of the processing of personal data change, Biofeedback EU shall provide a new privacy notice before the new processing commences – please contact us if you believe that a purpose for which you are processing personal data is not already covered by the applicable privacy notice.
Lawful basis for each processing activity
i. Biofeedback EU processes personal data only where it can satisfy one of the grounds for processing set out in the law. These include the following:
a. Processing is necessary for the performance of a contract with the individual or in order to take steps at the individual’s request prior to entering into a contract,
b. Processing is necessary for compliance with a legal obligation to which Biofeedback EU is subject.
c. Processing is necessary for the legitimate interests of Biofeedback EU or of a third party, unless the interests or fundamental rights and freedoms of the individual override those interests.
ii. The annexes provide guidance on the relevant reasons for each business area of Biofeedback EU.
iii. Biofeedback EU processes sensitive personal data only if it can satisfy one of the additional sensitive data grounds. The appropriate grounds for each business area of Biofeedback EU are listed in the annexes.
b. Purpose limitation
i. Biofeedback EU processes personal data only for purposes that are lawful, of which it has informed the individual (see Lawfulness, fairness and transparency above) and which are documented in the Processing Record.
ii. Biofeedback EU must not process personal data for purposes that are incompatible with the purpose for which it was originally collected – please contact us if you wish to do this.
c. Data minimization and accuracy
i. Biofeedback EU ensures that personal data are adequate and relevant for the purposes for which they are processed and limited to what is necessary for the purpose of the processing. Biofeedback EU does not collect more personal data than is necessary solely because it may prove useful later.
ii. Biofeedback EU also ensures that personal data is accurate and, where necessary, kept up to date and takes all reasonable steps to correct or erase inaccurate personal data.
d. Storage limitation
i. Biofeedback EU determines how long it needs to process personal data for a specific purpose and retains the personal data only for that period. Personal data is retained for at most ten (10) years. At the end of the applicable period, Biofeedback EU deletes the personal data or anonymises it so that it no longer allows the identification of individuals.
e. Integrity and Confidentiality
i. Biofeedback EU keeps all personal data it processes secure and protected from “unauthorised or unlawful processing and accidental loss, destruction or damage”. This is achieved by implementing appropriate technical and organisational security measures and by contractually imposing equivalent measures on its data processors.
ii. Biofeedback EU also operates a data breach response programme so that it can record, contain and remediate any personal data breach and report it as required by law (to the supervisory authority, where required, within 72 hours of becoming aware of it, and to the affected individuals where the breach is likely to result in a high risk to them).
f. Accountability
i. Privacy by design and by default: Biofeedback EU is able to demonstrate its compliance with this policy and with applicable data protection legislation. Biofeedback EU ensures that privacy concerns are considered early in the implementation of services and processes (privacy by design) and that, by design, it processes only the minimum amount of personal data necessary (privacy by default). Biofeedback EU has developed a new project checklist and guidance to ensure that these requirements are taken into account from the outset of any new project or initiative.
ii. Data Protection Impact Assessment: Where processing is likely to result in a high risk to individuals, Biofeedback EU is required to carry out a Data Protection Impact Assessment (DPIA). A DPIA is a structured assessment of a specific processing activity that identifies the risks it poses to the rights and freedoms of individuals and the measures needed to reduce them. The New Project Checklist and related guidelines also cover when a DPIA is needed.
iii. Processing record: Biofeedback EU is required to keep a formal record of its processing activities.
RIGHTS OF INDIVIDUALS
Biofeedback EU processes requests from individuals to exercise their data protection rights without undue delay and, in any event, within the time limit set by law (normally one month). If you receive a request from an individual, please forward it to info@bionadrasis.com.
Individuals have the following rights:
a. Access: to obtain (i) confirmation as to whether Biofeedback EU is processing their personal data, (ii) a copy of the personal data (in a commonly used electronic format, if the request is submitted electronically) and (iii) supporting explanatory information.
b. Portability: to request the “portability” (i.e. transfer) of their personal data to a specific third party or to the individual themselves, in a structured, commonly used and machine-readable format (e.g. CSV files). This right is limited: it applies only to personal data that the individual has provided or that has been collected automatically from the individual, which is held in digital form and which Biofeedback EU processes on the basis of the individual’s consent or for the performance of a contract with that individual.
c. Rectification: to request the rectification of inaccurate personal data.
d. Objection: to object to (i) processing for direct marketing purposes, (ii) profiling to the extent it relates to direct marketing and/or (iii) processing based on Biofeedback EU’s legitimate interests.
e. Erasure (or “right to be forgotten”): to request the erasure of personal data in certain circumstances, for example, where: (i) the processing is based on consent and the consent is later withdrawn; or (ii) the individual has validly exercised the right to object and wishes the data to be erased.
f. Restriction: to request that personal data be “restricted” (i.e. blocked from further use, though still stored) while a dispute (e.g. about accuracy) is being resolved, or where the processing is unlawful but the individual prefers restriction to erasure.
Individuals also have the right not to be subject to decisions based solely on automated processing of personal data concerning them (i.e. without human involvement in the decision) which produce legal effects or have similarly significant effects, subject to limited exceptions permitted by law. Biofeedback EU does not use automated individual decision-making technology: every such decision involves human review.
EXCHANGE OF PERSONAL DATA WITH THIRD PARTIES AND INTERNATIONAL TRANSFERS
a. Data processors are other organizations that process personal data on behalf of a controller. Biofeedback EU may appoint processors to assist it in processing personal data (e.g. payroll provider).
b. When appointing any data processor to collect, store or use personal data on behalf of Biofeedback EU, Biofeedback EU shall:
i. Before engagement: Ensure that the data processor provides satisfactory assurances regarding its data protection practices, and
ii. Upon engagement: Bind the data processor by a written contract containing the data processing terms required by law, and
iii. After engagement: Confirm on an appropriate periodic basis that the assurances given prior to engagement regarding their data protection practices continue to apply.
c. When Biofeedback EU transfers personal data to data processors or data controllers based outside the EEA (which includes data processors who access personal data from countries outside the EEA, e.g. in order to provide IT support services), an appropriate data transfer mechanism (for example, standard contractual clauses) is put in place, unless the country in question is covered by an adequacy decision of the European Commission. Please contact us if you suspect that personal data is being transferred outside the EEA, for example in the context of your team activities, a project you are involved in or a system you use.
TRAINING
Biofeedback EU provides training on this policy and other Biofeedback EU policies, procedures and obligations related to data protection to all employees and contractors upon joining Biofeedback EU and on an annual basis thereafter.
AUDITS AND MONITORING
Biofeedback EU monitors compliance with this policy and other policies related to data protection and implements appropriate corrective actions to remedy any non-compliance. If you believe that this policy is not being adhered to in any way at Biofeedback EU, please contact us.
POLICY UPDATES
Biofeedback EU is responsible for notifying you of changes to this Policy and will also provide a brief explanation of the reasons for any notified changes.
PUBLICATION AND FINAL PROVISIONS
Biofeedback EU will publish this Policy and any amendments thereto at www.bioandrasis.com.
EFFECTIVE DATE: 11/11/2021
Contact: You may raise any questions or concerns regarding this policy by contacting: info@bionadrasis.com or by phone at 210 4829 303. You should also contact us if you believe you need an exception to a rule of this policy.
COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority for Greece is:
Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα)
1-3 Kifisias Avenue, 115 23 Athens
Telephone: 210 6475600
E-mail: contact@dpa.gr