Data Protection Policy

DATA PROTECTION POLICY

Last update: 31.05.2023

SUBJECT OF THE PERSONAL DATA PROTECTION POLICY

The company "GENOSOPHY I.K.E." (hereinafter referred to as the "company") takes care of the security of your personal data and takes appropriate technical and organizational measures to protect them in accordance with the relevant national and EU legislation, especially the General Data Protection Regulation (EU) 2016/679, the relevant national legislation, as well as the Decisions, Directives, and Opinions of the Personal Data Protection Authority.

This Policy is applicable and enforced at the company's headquarters and in the digital environment related to its activities, www.genosophy.gr.

The contact details of the company, which acts as the Data Controller for your data, are as follows:

Company Name: "GKOUSKOU - ILIOPOULOS I.K.E." trading as "GENOSOPHY I.K.E."

Postal Address: Voreiou Ipirou 28, Athens, Attica

Email Address: info@genosophy.gr

Contact Phone: 2155300877

Website: www.genosophy.gr

Definitions

For the purposes of this Policy, the following terms have the following meanings:

"Personal Data": any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

"Special Categories of Personal Data": personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

"Genetic Data": personal data concerning the genetic characteristics of an individual that have been inherited or acquired, in particular through an analysis of a biological sample from the individual in question and that provide unique information about the physiology or health of that individual.

"Biometric Data": personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

"Health Data": personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

"Processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

"Data Controller": a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

"Processor": a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

"Data Subject": a natural person whose personal data is being processed, e.g., customers, employees, etc.

"Recipient": The natural or legal person, public authority, service, or other entity to whom personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data within the framework of a specific investigation under Union or Member State law are not considered recipients; the processing of such data by these public authorities is carried out in accordance with the applicable data protection rules, depending on the purposes of the processing.

"Third party": Any natural or legal person, public authority, service, or entity, other than the data subject, the data controller, the processor, and the persons who, under the direct authority of the data controller or the processor, are authorized to process personal data.

"Consent of the data subject": Any indication of the data subject's wishes, which is freely given, specific, informed, and explicit, by which the data subject agrees, either by a statement or by a clear affirmative action, to the processing of personal data relating to him or her.

"Personal data breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.

"Anonymization": The processing of personal data in such a way that the data can no longer be attributed to a specific data subject.

"Pseudonymization": The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that it cannot be attributed to an identified or identifiable natural person.

"Existing legislation": The current national and Union legislation on the protection of personal data, specifically including General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR"), the Greek Law 4624/2019, as in force, as well as Decisions, Directives, and Opinions of the Greek Data Protection Authority.

General Principles of Personal Data Processing

The company collects and processes your personal data according to the following processing principles:

Legality, Objectivity, Transparency: The company collects and processes your personal data lawfully and transparently.
Purpose Limitation: The company processes your personal data only for specific, explicit, and lawful purposes.
Data Minimization: The company implements appropriate technical and organizational measures to ensure that the personal data it processes are relevant, adequate, and limited to what is necessary for the purposes for which they are processed.
Accuracy: The company ensures that the personal data it retains and processes are always accurate and up-to-date.
Storage Limitation: The company does not retain personal data for a period longer than required by the purposes for which they were collected and processed. However, the company may retain data for longer periods if processing is necessary for:

a) Compliance with a legal obligation that requires processing based on a legal provision,

b) The performance of a task carried out in the public interest,

c) Reasons of public interest,

d) Archiving purposes in the public interest or for scientific, historical research, or statistical purposes, with appropriate technical and organizational measures, including pseudonymization, and only if these purposes cannot be served through data anonymization,

e) Establishment, exercise, or defense of legal claims.

Integrity and Confidentiality: The company ensures that the collection and processing of your personal data are conducted securely, using appropriate technical and organizational means to protect them from unauthorized or unlawful processing, accidental loss, destruction, or damage.

Personal Data We Collect

The company collects and processes your personal data only when absolutely necessary, essential, and suitable to achieve the intended purposes. Specifically, the personal data we collect and process include:

Identity information (e.g., full name, date of birth, gender, identification documents, tax identification number, profession, or the company/organization you work for),
Third-party data, such as information about your relatives (e.g., names, identification details) for cases like result collection or authorization,
Contact information (e.g., postal address, telephone numbers, email) for communication, result delivery, and sending informational and promotional materials,
Health data, including examination results, medical personnel, medical history, medications, medical opinions, and reports, for diagnostic and treatment purposes,
Genetic data for laboratory testing (e.g., microbiology, molecular biology, cytogenetics),
Website browsing data, such as Internet Protocol (IP) address, browser type, used during your visit to our website www.genosophy.gr. For more information on the use of cookies on our website, please refer to our Cookie Policy,
Image and video data from Closed-Circuit Television (CCTV) and security cameras,
Data related to your requests for exercising rights or submitting complaints,
Data of job applicants to our company contained in attached CVs or related forms (e.g., name, contact details, education, work experience, etc.),
Employee data in our company, including personal information, contact details, marital status, dependents, qualifications, professional certifications, evaluations, etc.,
Data of suppliers and partners of the company, including personal information, contact details, qualifications, and any further information required by national legislation (e.g., tax laws).

Collection of Personal Data

The collection of personal data is carried out both through physical and electronic means on a case-by-case basis, including, but not limited to:

During the submission of your genetic material.
When completing various forms or through our electronic communication.
When using our telephone center or our website for scheduling appointments or obtaining other medical services.
When we provide our services to you based on information you provide or that arises from your examination or test results.
When you apply to work in our company.
When you are employed as a worker in our company.
When you collaborate or supply products/services as a partner/supplier with our company.
When you request to receive a newsletter.
When you enter company premises monitored by closed-circuit television (CCTV) and security cameras.

Purposes and Legal Bases for Processing Your Personal Data

The personal data collected by the company is used for the following processing purposes:

To provide preconception genetic and biological analysis services, schedule appointments, process your genetic data, send/deliver your test results, maintain and update your file, etc. Regarding the processing of special categories of data, specifically sensitive data (health, biometric, and genetic data), processing is necessary for the provision of services and execution of our contractual obligations through research analysis.
Legal bases for this processing include: (a) your explicit consent for processing the aforementioned data and executing our contract, (b) the necessity of processing your data for research analysis purposes, (c) the necessity of processing for fulfilling obligations and exercising specific rights in the fields of labor law and social security law, or for fulfilling duties for the public interest, (d) the necessity of processing your data for establishing, exercising, or defending legal claims.
To ensure the company's compliance with legal obligations, such as tax and insurance legislation, etc. The legal basis for processing in this case is the company's compliance with its legal obligations.
To safeguard and protect the lawful interests of both natural persons (e.g., clients) and the company. For example, closed-circuit television (CCTV) and security cameras are used to protect the safety of individuals, materials, and facilities, according to specific installation requirements. The legal basis for processing in this case is the legitimate interest of the company.
For sending newsletters about company news, commercial communication about our products and services, and to inform you about innovations, products, and offers of the company. The legal basis for processing in this case is your prior explicit consent.
For communication and management of your requests after prior identification, whether related to personal data protection issues or the quality of service. The legal basis for processing in this case is the legitimate interest of the company and/or the company's compliance with its legal obligations according to current legislation.
For generating statistical data after anonymizing your data. The legal basis for processing in this case is the necessity for generating statistical data.
For scientific research purposes after anonymization or pseudonymization of your data. The legal basis for processing in this case is the necessity for scientific research, provided that the necessary technical and organizational measures are taken, such as pseudonymization and encryption, and in compliance with legal obligations. Your consent will be requested only for your participation in relevant research programs.
For the lawful conclusion and execution of contracts between the company and third parties. The legal basis for processing in this case is the necessity of processing the data within the framework of the execution of our contractual obligations or during the pre-contractual stage.
To enable the company to hire personnel and collaborate with external partners (e.g., dietitians, etc.). The legal basis for processing in this case is: (a) the necessity of processing the data within the framework of the execution of our contractual obligations or during the pre-contractual stage, and (b) the necessity of processing for fulfilling obligations and exercising specific rights in the fields of labor law and social security law, or for fulfilling duties for the public interest.

Transmission of Personal Data

The company may transmit the aforementioned personal data to:

Third parties to whom it has entrusted the processing of personal data on its behalf. Specifically, the company may transfer your personal data to partners within its network, who act either on behalf of the company or independently, being contractually bound to the company to provide independent services (e.g., collaborating nutritionists/psychologists), or to third-party affiliated Companies that process your personal data on behalf of the company. In each case, the third parties to whom data of the subjects may be transmitted are contractually bound to the company, ensuring the obligation of confidentiality as well as all obligations provided by the Applicable Legislation. In all the above cases, the company specifies the individual elements of the processing, signs special agreements with the third parties to whom it assigns the execution of specific processing activities, ensuring that the processing is carried out in accordance with the Applicable Legislation. These third parties are contractually bound to the company to process your personal data only for the specific and contractually defined purposes and not to disclose or communicate them to third parties unless required by law.

To judicial and prosecutorial authorities, as well as other public authorities (e.g., Tax Authorities, etc.) in the exercise of their duties either ex officio or upon request by a third party invoking a lawful interest, and in accordance with legal procedures. Furthermore, for the purpose of protecting the public interest in the field of public health, we may disclose, according to the relevant legislation, your personal data to the competent authorities, such as the National Organization of Public Health (EODY).

Retention Period of Personal Data

The personal data collected by the company are retained for a predetermined and limited period of time, depending on the purpose of the processing, after the expiration of which the data are deleted and/or securely destroyed, unless otherwise provided or permitted by the applicable legislation for a different retention period.

The retention period of your data is determined indicatively based on certain specific criteria and depending on the case. Indicatively:

(a) Your personal data are retained for the entire duration necessary for the purpose of their processing and/or the respective applicable legal framework. Upon the expiry of this period, the data are retained in accordance with the current institutional framework for the period provided for by the expiration of the contractual relationship or for as long as is required to protect the company's rights before a Court or other competent Authority. We retain your applications along with the attached CVs that you submit for two (2) years to evaluate them for a specific position, and after the two years have passed, we securely destroy or delete them.

(b) When processing is required by provisions of the current legal framework, your personal data will be stored for at least the period imposed by the relevant provisions. Specifically, according to Article 14 of Medical Ethics Code Law 3418/2005, medical records are kept for a decade (10 years) from the patient's last visit to private medical practices and other primary healthcare units in the private sector and for two decades (20 years) from the patient's last visit in any other case. Specifically, the short medical history that you may provide us before undergoing examinations is only retained for as long as required for the diagnosis of the examination, and then it is securely destroyed. DNA samples are retained and securely destroyed after six months from the date of sample collection.

(c) For marketing activities and any other case where processing is based on your consent, your personal data are retained until your consent is withdrawn, without affecting the lawfulness of processing based on your consent prior to its withdrawal. To revoke your consent, you must submit a request to the company's Data Protection Officer (DPO) (see below for contact details). Alternatively, for the purposes of promoting products and services, you can also use the unsubscribe options by clicking on the corresponding link provided in our electronic communications. During the period your email address remains in our database, you will periodically receive informative email messages from us.

(d) The data we collect when you submit a request, as well as the relevant file in which they are recorded, are retained for twenty (20) years from the date of their collection.

Data Privacy and Security

Taking into account recent developments, the cost of implementation, the nature, scope, framework, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of users arising from processing, the company takes the necessary technical and organizational measures to protect your personal data. While no method of transmission over the Internet or electronic storage method is completely secure, the company implements all necessary data digital security measures (antivirus, firewall, etc.) to protect data. Additionally, the company adopts required security measures, such as installing a video surveillance system (CCTV), alarm system, etc.

Data Protection Impact Assessment (DPIA)

When processing is likely to result in a high risk to the rights and freedoms of individuals, the company conducts a Data Protection Impact Assessment (DPIA) before processing. The DPIA is a process designed to describe the processing, assess its necessity and proportionality, and assist in risk management by evaluating and determining measures to address them. It is not required for every form of processing, but only in cases where a form of processing is considered high risk. The DPIA considers the nature, scope, general context, and purposes of processing to assess the likelihood of a risk occurring and its seriousness for the rights and freedoms of subjects.

The company may decide to conduct a DPIA for processing, even if it is not deemed mandatory by existing legislation.

Specifically, a DPIA is required in all cases where processing "is likely to result in a high risk to the rights and freedoms of individuals." Such cases include, but are not limited to:

Cases of systematic and extensive evaluation of personal aspects related to natural persons, based on automated processing (including profiling), leading to legal effects concerning/impacting the data subject.
Cases of large-scale processing of special categories of data (sensitive data).
Cases of systematic processing of personal data.

Personal Data Breach

In the event of a personal data breach, the company follows a specific incident handling procedure for data security breaches. If you become aware of or suspect a breach of your personal data, please inform us promptly at the email address info@genosophy.gr.

Your Rights

The company ensures its ability to promptly respond to your requests for the exercise of your rights in accordance with the Applicable Legislation. These rights are as follows:

(a) Right to Withdraw Consent:

In cases where processing is based solely on your prior consent, e.g., for the purposes of promoting products and services (marketing activities), you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

(b) Right of Access and Information:

You have the right to know about your processed data and verify the lawfulness of processing. Upon request, you have access to your data and can receive supplementary information regarding their processing, to whom they are disclosed, and for what purpose they are processed. Regarding your file, you are entitled to access the files at any time, as well as to obtain free copies of the file.

You have the right to complete, correct, update, or modify your personal data.

(d) Right to Erasure:

You have the right to request the erasure of your personal data unless there is a legitimate reason that requires their further retention by the company.

(e) Right to Restriction of Processing:

You have the right to request the restriction of processing of your personal data in the following cases: (1) when you dispute the accuracy of personal data until verification is made, (2) when you object to the erasure of personal data and request restriction of their use instead, (3) when personal data is no longer necessary for us but is necessary for the establishment, exercise, or defense of legal claims, and (4) when you object to processing until it is verified that there are legitimate grounds that concern us and override the reasons for your objection to processing.

(f) Right to Object to Processing and Automated Individual Decision-Making, Including Profiling:

You have the right to object at any time to the collection and processing of your personal data when it is necessary for lawful interests pursued by the company or for direct marketing purposes and profiling. It is noted, however, that the company "does not engage in automated decision-making processes."

(g) Right to Data Portability:

You have the right to receive, free of charge upon identification, your personal data in a structured, commonly used, and machine-readable format (PDF, Word, etc.). You also have the right to request, where technically feasible, the transmission of data directly to another data controller (e.g., your personal doctor). This right applies to data you have provided to us, and their processing is carried out by automated means based on your consent or in the performance of a relevant contract.

If you wish to exercise any of the aforementioned rights, the company will respond within one (1) month from the receipt and verification of your request. This deadline may be extended by two (2) additional months if necessary, considering the complexity of the request and the number of requests. In this case, the company will provide you with relevant information about this extension within one (1) month from receiving the request, as well as the reasons for the delay. If your request is manifestly unfounded or excessive, especially due to its repetitive nature, the company may make the satisfaction of it subject to the payment of a reasonable fee or refuse to satisfy the request.

Right to Lodge a Complaint with the Hellenic Data Protection Authority

For any complaints you have regarding this policy or issues related to personal data protection, if your request is not satisfied, you can contact the Hellenic Data Protection Authority via the following link: www.dpa.gr, at the following contact details: Kifisias Avenue 1-3, Postal Code 115 23, Athens, +30 210 6475600, +30 210 6475628, contact@dpa.gr.

Contact Details of the Data Protection Officer

For the exercise of all the above rights, as well as for any issue related to the processing of your personal data, you can contact the Data Protection Officer at the email kalliopi.gkouskou@genosophy.gr or at the phone number 2155300877 (communication hours 9am to 5pm).

Updates to the Personal Data Protection Policy

This Personal Data Protection Policy may be amended/revised in the future. Therefore, we recommend that you refer to the updated version of this Policy each time for your adequate information.