In its day-to-day business activities, BIOEREYNA uses data relating to natural persons, including:
• Customers (communication and contact persons)
• Current, former, and prospective employees
• Contact persons at other stakeholders (e.g., EETT, the Hellenic Telecommunications and Post Commission)
When collecting and using these data, the company is subject to legislation that governs how these activities are carried out and the safeguards that must be implemented to protect the data.
The purpose of this policy is to identify the relevant legislation and describe the steps BIOEREYNA takes to ensure compliance with it.
This policy applies to all systems, individuals, and processes that make up the company’s information systems, including members of the board of directors, managers, employees, suppliers, and other third parties who have access to BIOEREYNA’s systems.
2.1 The General Data Protection Regulation
Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), is one of the most significant pieces of legislation affecting the way BIOEREYNA processes information. BIOEREYNA’s management intends that its compliance with the GDPR and related legislation be clear and demonstrable at all times.
2.2 Definitions
According to the Regulation, the following definitions apply.
“Personal Data” means:
any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing”:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Controller”:
the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for its nomination may be provided for by Union law or the law of a Member State.
The fundamental principles underlying the GDPR and governing the processing of personal data are:
1. Personal data are:
a) processed lawfully, fairly, and in a transparent manner in relation to the data subject (‘lawfulness, fairness, and transparency’),
b) collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes (‘purpose limitation’),
c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’),
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’),
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’),
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate, compliance with paragraph 1 (‘accountability’).
BIOEREYNA ensures compliance with all of these principles, both in the processing it currently carries out and when introducing new processing methods, such as new information technology systems.
2.4 Rights of Data Subjects
BIOEREYNA supports the exercise of data subjects’ rights under the GDPR, which are:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights related to automated decision making and profiling.
2.5 Consent
Unless the processing is necessary on another lawful basis permitted by the GDPR, explicit consent must be obtained from the data subject for the collection and processing of their data. Transparent information about the use of their personal data must be provided to data subjects at the time consent is obtained, and their rights regarding their data, such as the right to withdraw consent at any time, must be explained. This information must be provided in an accessible form, in clear and plain language, and free of charge.
If personal data are not obtained directly from the data subject, this information must be provided within a reasonable period after the data are obtained and, in any case, within one month.
2.6 Privacy by Design and by Default
BIOEREYNA has adopted the principle of privacy by design and by default (Article 25 of the GDPR). It ensures that the design of every new or significantly modified system that collects or processes personal data undergoes an appropriate privacy impact assessment, including the completion of one or more data protection impact assessments (GDPR-DOC-07 Data Protection Impact Assessment).
The data protection impact assessment will include:
• Examination of how personal data is processed and for what purposes.
• Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s).
• Evaluation of the risks to individuals when processing personal data.
• Identification of the technical and organizational measures required to address the identified risks and demonstrate compliance with the law.
Applications must adhere to the principles of data minimization and data quality, including the ability to delete data once the period required for the processing purpose has elapsed. They must also allow the implementation of all technical security measures necessary to protect data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and any other form of unlawful processing, in accordance with GDPR-DOC-16 Data Retention and Protection Policy. Techniques such as data minimization, encryption, and pseudonymization must be considered where applicable and appropriate.
2.7 Transfer of Personal Data
Transfers of personal data outside the European Union are carefully examined before they take place. A transfer may proceed only where the European Commission has issued an adequacy decision finding that the receiving country provides an adequate level of protection for personal data, or where the appropriate safeguards required by the GDPR are in place.
2.8 Responsible for Auditing Procedures and Privacy Policies
The person Responsible for Auditing Procedures and Privacy Policies provides services as an external consultant, covering the responsibilities of a Data Protection Officer, which BIOEREYNA is not clearly obliged to appoint under the GDPR: BIOEREYNA does not carry out “large-scale processing of special categories of personal data”, the condition in Article 37(1)(c) of the GDPR that would make the appointment of a Data Protection Officer mandatory. The DPO must have the appropriate level of knowledge and may be either an internal resource or a suitable service provider (GDPR-DOC-05 GDPR Roles, Responsibilities, and Duties and GDPR-DOC-09 GDPR Skill Development Process).
2.9 Obligations as a Data Processor
BIOEREYNA, in providing services to its clients, processes personal health data. The contracts it signs for these services must include the following commitments:
«BIOEREYNA, in providing in-home blood sampling services on behalf of the Client, processes personal data. This processing constitutes “processing on behalf of a controller” within the meaning of Article 4(8) of the General Data Protection Regulation (GDPR) and is therefore subject to the provisions of Articles 28 and 29 of the GDPR.
The purpose of the processing by BIOEREYNA is to provide in-home blood sampling services on the Client’s instructions. The processing involves the demographic data of the persons from whom samples are taken (such as name, telephone number, and address) and, in specific cases, the type of medical tests to be performed.
The duration of the processing is……………days.
In detail, and in accordance with Articles 28 and 29 of the GDPR, BIOEREYNA:
1. Ensures that it implements appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and safeguards the rights of data subjects.
2. For the performance of this contract, the Client approves and accepts that BIOEREYNA may use the blood collection services of the company [Company Name], which, as a further processor, implements appropriate technical and organizational measures to ensure that the processing complies with the requirements of the GDPR and safeguards the rights of data subjects. BIOEREYNA is obliged to inform the Client of any intended change concerning the addition or replacement of the further processor.
3. During the performance of this contract, BIOEREYNA shall:
3.1. process personal data only on documented instructions from the Client,
3.2. ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality,
3.3. assist the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR,
3.4. delete all personal data in its possession after the end of the provision of the processing services, securely erasing all existing copies and destroying all hard copies,
3.5. make available to the Client all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client. In particular, BIOEREYNA shall immediately inform the Client if, in its opinion, an instruction infringes the GDPR or other Union or national data protection provisions.
4. In performing its contractual obligations, BIOEREYNA employs personnel who are aware of the obligations towards the Client arising from this article of the contract and who comply with them in order to ensure the security of the aforementioned information.
5. BIOEREYNA and any person acting under its authority who has access to the data process those data only on the instructions of the Client.»
2.11 GDPR Compliance Management
To ensure that BIOEREYNA complies with the principle of accountability under the GDPR at all times, the following measures are in place:
• The legal basis for each processing of personal data is clear and unambiguous.
• All personnel involved in handling personal data understand their responsibility to follow good data protection practice.
• Data protection training is provided to all personnel.
• The rules on consent are applied.
• Guidance is available to data subjects who wish to exercise their rights regarding their personal data, and such requests are handled effectively.
• Procedures relating to personal data are reviewed regularly.
• Privacy protection is built in from the design phase for all new or modified systems and processes.
• Written agreements are in place with data processors, where applicable.
• A record of processing activities is maintained, documenting:
o Organization name and relevant details
o Purpose of processing personal data
o Categories of individuals and personal data processed
o Categories of recipients of personal data
o Agreements and mechanisms for transferring personal data to countries outside the EU, including details of the applied controls
o Personal data retention programs
o Relevant technical and organizational controls that are in place.
The privacy and personal data protection policy, together with the measures above, is reviewed annually as part of the management review of the information security management system.