Personal Data Protection Policy
The company under the name “XDIGINET SINGLE MEMBER PRIVATE COMPANY” and the distinctive title “XDIGINET SINGLE MEMBER P.C.” with its registered office in Ioannina, 8 Chanteli Street, No. 8, with VAT No. 801138234 (hereinafter referred to as the “Company” or “XDIGINET”) with this Personal Data Protection Policy (hereinafter referred to as the “Policy”) in its capacity as Data Controller aims to inform the users of the website https://xdiginet.gr/ (hereinafter referred to as the “Website”) about the purpose and the means of processing their personal data. XDIGINET respects the privacy and personal data of all individuals who interact with it. In this context, and for the purpose of transparent information to all interested parties, the Company posts on its Website this Policy in order to provide adequate information regarding the personal data it processes in the context of its legitimate activities.
This Policy has been drafted taking into account the current National and EU legal framework for the protection of personal data and in particular the General Data Protection Regulation (EU) 2016/679 (“the Regulation”) and Law 4624/2019.
In particular, this Policy aims to clarify the basic principles and rules of personal data processing followed by XDIGINET, as well as to inform data subjects regarding the processing operations carried out, the legal basis of such operations and the rights of data subjects.
For the purposes of this Policy, the following terms have the following meanings:
“Personal Data”: means any information relating to an identified or identifiable natural person (“data subject”) an identifiable natural person is one whose identity can be verified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
“Processing”: means any operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for his or her appointment may be provided for by Union or Member State law.
“Processor”: means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Data Subject”: the natural person whose personal data are processed. In this particular case, the Data Subject is considered to be any user of our Website.
“Consent” of the data subject: any freely given, freely given, specific, explicit and fully informed indication of intent by which the data subject signifies his or her agreement, by declaration or by a clear affirmative action, to the processing of personal data concerning him or her.
“Personal data breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access of personal data transmitted, stored or otherwise processed.
“Existing legislation”: The respective national and EU legislation on personal data protection and in particular the General Data Protection Regulation (EU) 2016/679, Law 4624/2019 “Personal Data Protection Authority, measures implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and transposing into national law Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data.
General Principles for the Processing of Personal Data
When XDIGINET processes personal data, it shall ensure that:
- To process such data lawfully, in accordance with the provisions of existing legislation and the conditions laid down therein, subjecting them to lawful and fair processing in a transparent manner in relation to the data subject (Principle of Lawfulness, Objectivity and Transparency).
- Process personal data only for specified, explicit and legitimate purposes and not further process them in a way incompatible with those purposes (Principle of Purpose Limitation).
- Be adequate, relevant and limited to what is necessary for the purposes for which they are processed (Principle of Data Minimisation).
- Take appropriate technical and organisational measures so that personal data are processed in a way that ensures an adequate level of protection and security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage. In addition, periodically review the adequacy and effectiveness of these measures (Integrity and Confidentiality Principle).
- To make the necessary efforts to ensure that the personal data it holds and processes are always accurate and up-to-date and that all reasonable steps are taken to promptly delete or correct personal data that are inaccurate in relation to the purposes of the processing (Principle of Accuracy).
- Not to retain the personal data collected for a period longer than the purposes for which they were collected and processed. However, it may retain them for a longer period if the processing of these data is necessary:
i. to comply with a legal obligation that requires processing under a provision of law,
ii. for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company,
iii. for reasons of public interest,
iv. for archiving purposes in the public interest, or for scientific or historical research purposes, or for statistical purposes, after appropriate technical and organisational measures have been taken, including pseudonymisation, and only if these purposes cannot be served by anonymisation of the data,
v. for the establishment, exercise or defence of legal claims (The Limitation of Storage Period Principle).
- To take the necessary measures to comply with the requirements of the Existing Legislation and to be able to prove at any time that it complies with the above (Accountability Principle).
Personal Data We Collect and Process, Purpose of Processing and Lawful Basis.
Ι. Personal data collected through the contact form.
Through the contact form, the user has the possibility to contact the Company. If the user wishes to use this service, he/she must fill in the relevant fields (a) his/her name (mandatory field), (b) his/her e-mail address (mandatory field), (c) the subject of the communication, and (d) the content of the message he/she wishes to communicate to the Company.
Purpose of Processing and Lawful Basis.
The purpose of the collection and processing of such personal data is the provision of XDIGINET’s services, and in particular the provision of specialized consulting services and other digital content services, the direct contact of the User with the Company, the optimal response of XDIGINET to the User and its service. The legitimate basis for processing the personal data of the users is the legitimate interest of the Company to provide high quality services to the users of the Website (G.D.P.R. article 6 paragraph 1 point f).
Purpose of Processing and Lawful Basis.
An additional legal basis for processing is your consent, pursuant to Article 6 (1) (a) G.D.P.R., which is required for the storage on your terminal device of the cookies used by our website. The information generated by the cookies is read by our website and may also be transferred to our partners (technical support consultants, lawyers) or to competent authorities, if necessary. Please note that all our partners are committed to maintaining confidentiality and taking appropriate technical and organisational measures to ensure the protection of your personal data.
III. Social media buttons
On our Website, there are social media widgets from social networks (e.g. Facebook, Instagram and LinkedIn) with the use of which, after the user logs in to the social network, a special digital fingerprint of the user is created, for which both the Company and the social network itself act as joint controllers.
For more information on the data processing policy and the configuration options of these networks, please visit the following websites:
The purpose of collecting and processing such data is to improve the services provided by us and in general the user’s experience when visiting the Website. The legitimate basis for processing the personal data of users is the legitimate interest of the Company to provide high quality services to the users of the Website (G.D.P.R. article 6(1)(f)).
Personal Data of Minor Users
XDIGINET does not address minors and does not wish to collect and process personal data of minors (i.e. persons under the age of 18). However, since it is impossible to cross-check and verify the age of the users of our Website, we ask the parents/guardians of minors, in case they find any unauthorized data disclosure on behalf of minors, to immediately notify the Company, as to take the necessary protective measures (e.g. immediate deletion of their data). If the Company becomes aware that it has collected personal data of a minor, it undertakes to delete them immediately and to take all necessary measures to protect such data.
Data Protection Impact Assessment (DPIA)
Where a type of processing is likely to present a high risk to the rights and freedoms of natural persons, XDIGINET shall carry out, prior to the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data (“impact assessment”). An impact assessment is a process designed to describe the processing, assess its necessity and proportionality and assist in risk management by evaluating and defining measures to address the risks. It is not required for every form of processing, but only in cases where a form of processing is considered high risk. The impact assessment takes into account the nature, scope, overall context and purposes of the processing in order to assess whether a risk is likely to occur, as well as its seriousness for the rights and freedoms of data subjects.
How do we ensure that Processors respect your Personal Data?
XDIGINET, in the context of its activities, may transfer data to third parties and/or allow access to them (legal or natural persons) acting as processors and/or sub-processors, to support its operation and serve its purposes, such as, for example, transferring data to service providers, website developers, cloud service providers, application development support companies, etc.
Our partner companies that act as processors and/or sub-processors on our behalf have agreed and contractually bound themselves to the Company:
i. maintain confidentiality and ensure data confidentiality,
ii. process the data only for a specific purpose and for no other purpose
iii. not to transmit data to third parties,
iv. take appropriate organisational and technical security measures to ensure data protection,
v. comply with the legal framework for the protection of personal data and in particular the Regulation and Law 4624/2019.
Transfers to third parties
Users’ personal data may be transferred to public authorities, independent authorities, etc. in the exercise of their duties, either on their own initiative or at the request of a third party with a legitimate interest, following all legal procedures and subject to appropriate safeguards to ensure the protection of personal data. XDIGINET SINGLE MEMBER P.C. reserves the right to disclose and/or transmit personal data to a third party to whom it may transfer or merge parts of its business or assets. In the event of a change in our business, the new owners have the right to use your personal data in the same way as set out in this Policy.
Transfer of Personal Data outside the EU
In case of transfer of personal data of users collected through our Website to a country outside the European Union (EU) or the European Economic Area (EEA), XDIGINET SINGLE MEMBER P.C. will first check whether :
a) the European Commission has issued an adequacy decision for the third country to which the transfer is to be made.
b) The appropriate safeguards in accordance with the Regulation are met for the transfer of such data.
Otherwise, the transfer to a third country is prohibited and the Company will not transfer users’ personal data to that country, unless one of the specific exceptions provided for in the Regulation applies (e.g. the express consent of the user and his/her information on the risks involved in the transfer, the transfer is necessary for the performance of a contract at the request of the subject, there are reasons of public interest, it is necessary to support legal claims and vital interests of the user, etc. If in the context of its lawful activities there is a need to transfer personal data outside the EU, the Company shall select the appropriate legal transfer mechanisms in full compliance with the Regulation and the Existing Legislation and shall inform the data subjects accordingly.
Data Retention Period
The personal data of users are collected and kept for a predetermined and limited period of time, depending on the purpose of processing, after which the data are deleted from the archives of XDIGINET SINGLE MEMBER P.C. When processing is imposed as an obligation by provisions of the applicable legal framework or a specific retention period is provided, your personal data will be stored for as long as the relevant provisions require. Users’ personal data processed with consent will be kept until the consent is withdrawn, without this withdrawal affecting the lawfulness of the processing up to that point.
Security of Personal Data
All officers and employees of XDIGINET SINGLE MEMBER P.C. are responsible for ensuring that the personal data held and processed by the Company are kept securely and are not disclosed or transmitted to any third party, unless the third party is authorized by the Company to receive and process such information in the context of (a) the legitimate activities of SINGLE MEMBER P.C. and if it has entered into a corresponding confidentiality agreement or (b) there is a legal obligation to do so by law or by court order or (c) there is a legal obligation to do so.
XDIGINET SIGNLE MEMBER P.C. takes all appropriate technical and organizational measures for the security of the personal data it holds and processes. Although no method of transmission over the Internet or method of electronic storage is completely secure, the Company takes all necessary digital data security measures (antivirus, firewall, etc.).
XDIGINET SINGLE MEMBER P.C. applies, both at the time of determining the means of processing and at the time of processing, appropriate technical and organizational measures designed to apply data protection principles and incorporate the necessary safeguards in the processing in such a way as to meet the requirements of the G.D.P.R. and protect the rights of data subjects (data protection by design).
XDIGINET SINGLE MEMBER P.C. shall implement appropriate technical and organisational measures to ensure that, by default, only personal data that are necessary for the purpose of the processing are processed (data protection by default).
XDIGINET SINGLE MEMBER P.C. shall ensure that the personnel involved in the collection and processing of personal data are adequately informed and trained.
In case of a personal data breach, the Company shall promptly inform the Personal Data Protection Authority, unless the breach is unlikely to cause a risk to the rights and freedoms of natural persons, providing all required information and documentation. If the breach is likely to pose a high risk to the rights and freedoms of natural persons, XDIGINET SINGLE MEMBER P.C. shall promptly notify the data subjects of the breach in question, unless such notification requires a disproportionate effort, or in the meantime the Company has implemented appropriate technical and organisational protection measures on the data affected by the breach that render it incomprehensible to unauthorised users, or in the meantime the Company has taken measures to ensure that the data affected by the breach are not accessible to unauthorised users.
XDIGINET SINGLE MEMBER P.C. ensures that it is able to respond immediately to the requests of users, for the exercise of their rights in accordance with the Existing Legislation.
In particular, each user has the following rights:
a) The User has the right to access his/her Data: To request information on the processing of his/her personal data by XDIGINET SINGLE MEMBER P.C. To request access to his/her personal data held by XDIGINET SINGLE MEMBER P.C. More specifically, he/she may request to receive a copy of his/her personal data held and to check the lawfulness of the processing.
b) Right to rectification of inaccurate data: Request the correction of personal data in case they are inaccurate or incomplete.
c) Right to erasure: To request the erasure of his/her personal data if their retention is not based on any legitimate basis or legitimate interest.
d) Right to restriction of processing: To request restriction of the processing of his/her personal data, subject to specific conditions.
e) Right to data portability: to request the portability/transmission of his/her personal data either to himself/herself or to third parties.
f) Right of Withdrawal/Objection: Revoke at any time the consent given for the processing of his/her personal data, without this revocation affecting the lawfulness of the processing up to that point, to object to the processing of his/her personal data by XDIGINET.
To exercise your rights, you may contact us at firstname.lastname@example.org by submitting a request:
a) for the correction or deletion of the personal data you have entered or in any other way you have provided or we have collected through our Website,
b) for the restriction of the processing of the personal data you have entered or in any other way you have provided or we have collected through our Website,
c) to object to the processing of the personal data you have entered or in any other way you have provided or we have collected through our Website,
d) to the processing of the personal data you have entered or in any other way you have provided or we have collected through our Website. In case of exercise of any of the above rights, XDIGINET shall provide the data subject with information on the processing operations upon request submitted within one (1) month from the receipt of the request and the identification of the data subject. This period may be extended by two (2) more months, if necessary, if the request is complex or if there is a large number of requests. In this case, XDIGINET shall, within one (1) month of receipt of the request, inform the User of the delay and the reasons for it.
XDIGINET may refuse to comply in whole or in part with a relevant request received from the data subject only where this possibility is provided for by the Regulation or national legislation.
If a request from the data subject is manifestly unfounded or excessive, in particular because of its repetitive nature, XDIGINET may make compliance with it subject to the payment of a reasonable charge to cover the administrative costs involved in complying with it or refuse to comply with it.
- Disclaimer for Third Party Websites
In case of our Website contains links that redirect users to third party websites, we inform you that XDIGINET does not control and is not responsible for any risk or damage (positive/ negative) that the user may suffer from the use of the content of the Website and these websites, nor for the way in which the users’ personal data are processed. XDIGINET takes all necessary measures to ensure that this Website is a safe environment for users, providing them with valid, reliable and up-to-date information.
- Right of recourse to the Personal Data Protection Authority
For any complaint regarding this Policy or personal data protection issues, if we do not satisfy your request, and you believe that your personal data protection is in any way affected, you may submit a complaint through a dedicated portal (https://www.dpa.gr/el/syndesi/prosvasi ) to the Personal Data Protection Authority (PPA) (Athens, 1-3 Kifissia Avenue, P.O. Box 115 23, tel: +30 2106475600). Detailed instructions for lodging a complaint are available on the Authority’s website (https://www.dpa.gr/el/polites/katagelia_stin_arxi ).
Last Revision: July 2022