GENERAL DATA PROTECTION POLICY
The protection of your personal data is very important to us. In that direction, we attach great importance on harmonizing our Company's practices with the legislation in force. This General Data Protection Policy (hereinafter referred to as the "Policy" or the “Data Protection Policy” or the “GDPR Policy”) concerns the conditions for collecting, storing, retaining, processing and using of your personal information by the Limited Partnership under the name “CISTERN ART EE” with distinctive title “CISTERN ART” located on 161 Gounari str. Glyfada Attica, Zip Code 16674, Athens, with Company Registration No 149394701000, VAT No 801112650 issued by the Glyfada Tax Registry, with branch offices located in Kifissia Attica, 2 Panagitsas str. Zip Code 14562, hereinafter referred to as the "Company"
The basic definitions of the terms and names to be used in this document, as referred to in Article 4 of the General Regulation on Personal Data Protection 2016/679 / EU (EU GDPR), are the following:
Personal Data: Any information or data relating to an identified or identifiable natural person ("data subject"). As intentifiable natural person is considered to be the natural person whose identity can be acertained, directly or indirectly, in particular by reference to an identifying element such as its’ name, identity card and/or passport number, tax information, location data, summarized identity, or one or more factors specific to physical, physiological, genetic, physical, economic, cultural or social identity of that natural person.
Personal data of special categories (sensitive): Personal data which are by nature very sensitive in relation to fundamental human rights and freedoms are considered sensitive and therefore require special protection as the context of their processing could pose significant risks to the fundamental human rights and freedoms. This personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, as well as the processing of genetic data, biometric data used for undisputed identification of a persons’ health status or data relating to its’ sexual life or its’ sexual orientation.
It is clarified that all personal data of minors -under the age of 16 - are by definition considered as sensitive and treated as such.
Controller: a natural person or legal entity, a public authority, a service or other entity that alone by itself or acting jointly with others determine the purposes and the manner in which personal data are processed.
Processor: a natural person or legal entity, a public authority, a service or other entity processing personal data on behalf of the controller.
Each educational organization, regardless of its type, legal form and size, maintains and processes personal data and is referred to as a controller.
Any natural person or legal entity of the public or private domain that processes data on behalf of a controller is referred to as the processor. (Example, an accounting office in which the training organization assigns the payroll of its employees).
Processing: any action or set of actions carried out with or without the use of automated means of collecting personal data or clusters of personal data (sensitive and non-sensitive) such as collection, registration, organization, structure, storage, adaptation or alteration, retrieval, search of information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, erasure or destruction.
Authority: The Personal Data Protection Authority (PDPA)
The Company is designated as a controller and strictly complies with the Data Protection Principles set out in Article 5 of the General Data Protection Regulation.
1. WHAT IS THE COMPANYS’ PUPROSE/SCOPE
The main purpose of the Company is the commercial trade of artworks (wholesale and retail), the promotion and public projection of artists and artworks, rendering of metal turning services, the manufacture of special purpose machines, rendering of publishing services, the design and development of technologies information on applications, rendering of public relation and communication services, the organization of scientific and cultural events, rendering of industrial design services, rendering of intellectual property management services (except for films), rendering of training services, rendering of services for the production and presentation of artistic events, printing services, sculpture services and organization of art exhibitions and artistic events.
Within the framework of its above mentioned objective, the Company cooperates with natural persons and / or legal entities by directly assigning part or all of the works assigned to it (assignments or subcontracts) or by ensuring for third party projects the provision of services of collaborating natural or legal entities ("Affiliates"), promoting these services, for which they contracted in their name and on behalf of them.
2. WHAT IS PERSONAL DATA?
The term "personal data" or “private data” or "data" as used in this Policy refers to information belonging to natural persons (such as full name, forenames, e-mail addresses, identity card numbers and/or passport numbers, tax ID numbers, Social Security Numbers (SSN), bank account details, etc.), as well as legal entities and their legal representatives information (company name, registered office, VAT number, postal address, postal code, contact phone number, e-mail address, bank account details, legal representatives and their data as natural persons etc.), hereinafter "Personal Data or Private Data or Data".
3. WHAT PROCESSING OF PERSONAL DATA REFERS TO?
As Processing of Personal Data is considered any action or set of operations/actions carried out with or without the use of automated means for collecting data, either in an electronic form (soft copy) or in a hard copy, such as collection, registration, organization, classification, structure, storage, adaption, change, retrieval, search for information, use, transmission, dissemination, association, combination, restriction, deletion and destruction of Personal Data.
4. WHICH DATA DO WE COLLECT
A) The Company collects all the necessary information from its contractors (either as a customer or as a supplier) for the preparation and performance of the service contract and/or for the communication between us following your explicit consent, in particular:
1) Counterparty data (for natural persons: first and last name, father name and mother name)
2) Full Residence Address
3) telephone (fixed / mobile),
4) e-mail address.
B) When you visit and navigate on the Company's website, we ARE NOT collecting your Data, except from the ones automatically collected by the cookies you have authorized yourself by providing your consent to be used. Specifically, the only types of cookies used by our Site belong to the following categories:
(a) Absolutely Required Cookies and
(b) Functionality Cookies and both are necessary for the proper operation of the site. The information they collect is anonymous and does not monitor the activity of browsing other sites.
5. WHY ARE WE ARE PROCESSING YOUR DATA FOR?
We collect your Data solely for the purposes of:
(a) providing our services the service provided by the Company,
(b) complying with any obligations imposed by applicable law, e.g. issuing a tax document, an invoice etc.
6. WHAT IS THE LEGAL BASE FOR DATA PROCESSING BY THE COMPANY?
Data Processing is performed for the execution of any contract between us for the provision of our services, for your information on the activities, events and promotions of the Company to you, as well as for the communication of the Company with you, only after your explicit consent, in writing or electronically.
7. DO WE USE THE DATA FOR OTHER PURPOSES I.E PROMOTING GOODS AND / OR SERVICES?
The Company does not use the Data for purposes other than those mentioned in paragraph 6 above, which relate to the proper provision of our services, in view of high quality standards and the compliance of our company with the applicable legislation.
The Company may use the Affiliates and Customer Information on its website for publicity/promotional or other purposes related to the Company's professional visibility and publicity.
8. WHO ARE THE DATA RECIPIENTS?
The recipients of the Data are the Company and its strictly necessary staff, committed and bound to confidentiality. All employees, with an indefinite or fixed-term relationship, as well as all subcontractors, assistants, employees who work on behalf of the Company are bound by this Policy.
9. HOW DO WE SECURE THAT YOUR DATA ARE RESPECTED
The Data Processors have agreed and contracted with the Company:
• to be bound by confidentiality/non-disclosure agreements,
• not to disclose any data to third parties without the prior provided permission by the Company,
• to take all appropriate security measures
• to comply with the legal framework for the protection of personal data, and in particular the EU GDPR Regulation.
The Company takes all appropriate technical and organizational security measures to ensure that processed personal data are accurate and, where necessary, accordingly updated.
The Company takes all necessary measures to ensure that inaccurate or incomplete data will be erased or accordingly corrected. Personal data processed are appropriate, proportionate and relevant to the needs of the service rendered to the customer, meet the contractual obligations undertaken by each contract party and are collected only for defined, explicit and legitimate purposes, as above mentioned as well as in the relevant contracts.
The personal data process is conducted by the Company in a manner that ensures their confidentiality and follows rules and other procedures to protect them against unauthorized access, misuse, alteration, forbidden dissemination, disclosure, loss or accidental / unlawful destruction and any other form of unfair processing. The Company applies technical and organizational security policies, routines and procedures to protect the personal data it collects from potential security breach, loss, misuse, alteration or destruction.
Internal audits on the processing of personal data are routinely conducted by the Company to review the effectiveness of the applicable data protection measures.
Specially authorized individuals have access to data processing systems through which personal data is processed or used only in accordance with the Company's instructions. Data processing systems cannot be used by unauthorized persons. Persons authorized to use data processing systems have specific and targeted access only to the data for which they have been authorized. Personal data may not, during the processing or use or after, be recorded, read, copied, modified, or shifted by unauthorized persons of the Company.
Access to personal data is limited only to those who have authority in the course of their duties appointed to them by the Company, provided they need to be aware of them. People who have access to the data are required to keep the data confidential.
10. FOR HOW LONG DATA WILL BE STORED?
As a general rule, all personal data are deleted/destroyed by the termination of our contractual relationship.
The duration of the retention of the Data is also determined by the retention obligation imposed by the applicable legislation governing the Company's contractual and tax obligations.
Exceptionally, it is possible to extrapolate the length of retention of the Data for purposes of proofing before the courts of law in regards of the compliance of contractual obligations by the Company or in case it is required by a rule of law or due to compliance with instructions from Public or Independent Authorities.
11. ARE YOUR DATA SECURE?
The Company is committed in safeguarding your Personal Data.
We have received appropriate organizational and technical measures for the security and protection of Data from any form of accidental or fraudulent processing. Security measures shall be reviewed and amended whenever necessary to meet the conditions and standards set forth in the applicable legislation.
Indicatively, and not restrictively, the following rules describe how and in which space the data are safekept. The data stored in hard-copy files are kept to a point where unauthorized persons have no access. The same applies to files that are kept electronically, but for some reason they have been printed-out.
Important points are:
• Envelopes and scanned data are kept in a locked cabinet.
• Employees are confident that print-outs are not left unattended where unauthorized people could access them, such as for example in or near the printer.
• Printed-out data that are not in use are usually destroyed. In the event that the data are stored electronically (soft copies), they are protected against unauthorized access, accidental destruction and spyware. Specifically:
- Data are protected by strong passwords that are frequently changed and are not disclosed to employees who are not authorized.
- If the data are stored on portable media (such as a CD-ROM, a usb stick etc.), they are stored securely when not in use
- All servers and computers containing data are protected by an approved software and firewall.
Your Data may only be processed by specifically authorized persons, employees and partners solely for the purposes stated above.
The Company carries out regular audits and routine inspections to verify that the data are secure and that the present Policy is implemented.
12. WHAT ARE YOUR RIGHTS?
You have the right to access your personal data. This means that you have the right to be informed by us whether we process your Data. If we process your Data, you can ask to be informed about the purpose of the processing, the kind of Data we process, who we give it, for how long we store it, whether we use automated collecting tools, but also about your other rights, such as correcting, deleting data, limiting the extend of processing and submitting a complaint to the Data Protection Authority.
You have the right to correct inaccurate personal data. If you find that there is an error in your Data, you can apply for us to correct it (for example, a name correction or an update of an address change).
You have the right to delete / the right to oblivion. You may ask us to delete your data if they are no longer necessary for the aforementioned processing purposes.
You have the right to transfer your Data. You may ask us to receive the Data you have provided in a readable form or ask us to forward it to another controller.
You have the right to restrict your processing. You may ask us to restrict the processing of your Data for as long as your filed objection on procession is pending.
You have a right to object to the process of your Data.
You may oppose to the process of your Data or withdraw your consent and we will seaze processing your Data, unless of course there are other compelling and legitimate reasons that prevail over your right.
13. HOW CAN YOU PERFORM YOUR RIGHTS?
In order for you to exercise your rights you can send us a request (Form 1), describing the right you wish to exercise, either at the postal address (Mamush Gallery 3 Panagitsas str. P.O 145 62 Kifisia, Attica), under the title/subject "Exercise of a right access/correction/deletion/restriction/challenge", or via e-mail to the address ([email protected]) under the title/subject "Exercise of the right of access / rectification / deletion / restriction / opposition", describing your request, We will review it and revert as soon as possible.
14. WHEN DO WE REPLY TO YOUR REQUESTS?
We will respond to your requests free of charge, without any delay, and in any case within (1) one month from the date of receipt of your request. However, if your request is complicated or there are a large number of requests (clustered requests) by you, we will inform you within one (1) month whether we will be needing an additional two (2) month extension, within which we will respond to you.
If your claims are manifestly unfounded or excessive due in particular to their recurrence, the Company may impose a reasonable fee, taking into account the administrative costs of providing the information or executing the requested action or refusing to follow up the request.
15. HOW TO FOLLOW UP THE DEVELOPMENT OF YOUR REQUESTS
For more information, you can directly contact us over the phone 2106232900 or via e-mail address ([email protected]) using the title: "Request Progress".
16. DO WE USE AUTOMATIC DECISION-MAKING TOOLS / INCLUDING CREATING A PROFILE WHEN YOUR DATA PROCESSING?
NO, we do not make decisions, nor do we create a profile based on our automated data processing.
17. WHAT IS THE LAW APPLICABLE FOR PROCESSING OF YOUR DATA BY THE COMPANY?
We process your Data in accordance and compliance with the General Personal Data Protection Regulation 2016/679 / EU and in general the current national and European legal and regulatory framework for the protection of personal data.
18. TO WHOM SHOULD YOU SUBMIT ANY COMPLAINTS IN CASE OF INFRINGEMENT OF THE APPLICABLE LAW FOR PROTECTION OF PERSONAL DATA?
You have the right to lodge a complaint addressed to the Personal Data Protection Authority (1-3 Kifissias Avenue, Athens / www.dpa.gr) if you believe that processing of your Personal Data violates the current national and regulatory framework for the protection of private data.
19. HOW WILL YOU BE INFORMED FOR ANY MODIFICATION OF THIS POLICY?
We will update this Policy whenever deemed necessary in order to comply with the applicable national and European laws and regulations on the protection of personal data. If there are any significant changes to the Policy or the way we use your Personal Data, we will post in a prominent place on mamushgallery.com.
We encourage you to review this policy regularly in order to monitor how your Data are protected from time to time.
The Company is the controller of the process of the private data of natural persons or individual businesses it receives.
If you wish to contact any matter relating to the processing of your Data and the exercise of your rights, you may contact the Company’s Data Controller, mr Christos Gkikas, on the phone 2106232900 or in the e-mail address [email protected]
I HAVE READ AND UNDERSTOOD THE ABOVE AND HEREBY PROVIDE MY CONSENT AND PERMISSION TO THE COMPANY TO COLLECT AND PROCESS MY PERSONAL DATA IN ACCORDANCE WITH THE TERMS AND THE PURPOSES REFERRED TO IN THIS POLICY.