The Privacy Policy reflects the way we handle your personal data. A prerequisite, of course, for its implementation is the collection of your personal data.

The Privacy Policy is a document that briefly informs you about how we collect and process your personal data. While conducting and operating our business, we collect and process personal data from customers, partners, suppliers, employees, prospective employees, and visitors in order to be able to provide excellent service to our customers and to fulfil our contractual and legal obligations.

Our aim is to process as little personal data as possible and for as short a time as possible. We implement policies that require the minimum possible use of personal data and create a secure environment for its processing. The Privacy Policy states the purposes for which we process personal data, the lawful basis for the processing, any recipients of the data and the length of time for which the data is retained. It also makes extensive reference to your rights in relation to personal data and gives you full details of the data controllers so that you can exercise them.

The structure of the Privacy Policy follows the requirements of the General Regulation for the Protection of Personal Data (GDPR) and Law 4624/2019, but it is adapted in a user-friendly environment (hyperlinks to content), so that the user can easily locate the area of interest.

PRIMEVIEW BUSINESS CONSULTANTS AND MARKET SURVEY PRIVATE COMPANY reserves the right to modify or update the current policy, if deemed necessary based on developments in national or European legislation.

1 SECTION – BASIC CONCEPT AND NOTIFICATION

A. DATA CONTROLLER

Controller is the natural or legal person who decides how personal data are processed. It is the person who is responsible for all processing and has the obligation to respond to any request you make about it.

The Controller is our company whose name is PRIMEVIEW BUSINESS CONSULTANTS AND MARKET SURVEY PRIVATE COMPANY and is based in Athens, 5 KONITSIS STREET, MAROUSSI, P.C.: 15125, Telephone: 210 6121222, email: g.dritsa@prime-view.com.

B. DATA PROCESSOR

The company “PRIMEVIEW BUSINESS CONSULTANTS AND MARKET SURVEY PRIVATE COMPANY” acts as a processor on behalf of its clients under service contracts. In this case, all categories of processing carried out by the company as a data processor are carried out under the instructions of its respective client – Controller. In this case, the company is obliged to refer any query or exercise of a right to the controller in order to have it answered.

C. DATA PROTECTION OFFICER

The Data Protection Officer is the natural person to whom the Controller entrusts the resolution of issues relating to personal data. In our company, Mrs. Dritsa Gina has been appointed as the Data Protection Officer. Contact with the Data Protection Officer is made via email at: g.dritsa@prime-view.com, telephone +30 210 6121222 or by post to the following address: 5 KONITSIS STREET, MAROUSSI, P.C.: 15125.

D. NOTIFICATION

We process your personal data in order to be able to provide all of our services and achieve our business objectives while operating in a secure environment for the privacy of the subjects. In order to facilitate your information, the purposes and categories of processing of personal data are listed. Each purpose is accompanied by an analysis of the requirements of the General Data Protection Regulation (GDPR). You are able to use the hyperlinks of the contents if you wish to select one of the purposes.

1.1 Personal data of candidate employees

Our company collects and processes the personal data of candidate employees when collecting their CVs. This data includes, among others: full name, telephone number, e-mail address, as well as information contained in the CV, such as patronymic, gender, marital status, nationality, citizenship, military service, date of birth, place of birth, spouse’s name, nationality, identification data, residence address, educational level, degrees, etc.

In addition, we collect and process personal data of prospective employees when conducting interviews, including, but not limited to, the following information: full name, date of birth, home address, home phone number, mobile phone number, marital status, grammar skills, previous experience, military service, means of transportation, signature, candidate assessment, recruitment source, desired job, desired position, contact comments, interview date and time, desired working hours, and additional characteristics of the candidate.

All personal data collected and processed are used for the purpose of evaluating and selecting candidates for job positions in our company.

1.1.1 Purpose of processing

The Company collects the above data in order to evaluate the Data Subject (candidate employee) and to draw up an employment contract with him/her.

1.1.2 Legal basis of processing

The collection and processing of personal data of candidate employees is based on their consent. The sending of CVs is carried out by the candidate employee himself or at his request by a partner recruitment agency after obtaining consent for the processing of his personal data. If the employee is called for an interview, any additional personal data provided or generated during the interview shall be processed, again with the consent of the candidate. If the candidate is recruited and an employment contract is therefore drawn up, these data shall be entered in the employee’s personal file and shall henceforth be processed by virtue of the contractual relationship.

1.1.3 Transmission of personal data

The data is not transferred to other EU countries or to third countries. However, data may be transferred by our Company to third party recipients only if the data subject has consented to this or if this is required by law.

1.1.4 Retention period of personal data

The period of data storage is decided on the basis of the following specific criteria depending on the case, i.e. when the processing is imposed as an obligation by provisions of the applicable legal framework, personal data are stored for as long as the relevant provisions require, when the processing is carried out on the basis of a contract, personal data are stored for as long as necessary for the performance of the contract and for the establishment, exercise, and/or support of legal claims based on the contract. In the present case, the Company for the CVs it collects should keep them for 6 months and then proceed to delete them.

If you wish to exercise any of your rights referred to in Section 2, regarding the data recorded during the above activities or if you wish to contact us for any other reason, please let us know by sending an email to the address of the Data Protection Officer.

1.2 Health professionals contact list creation – entry in the ERP system.

Our Company conducts market research for the needs of its business, with the participation of healthcare professionals, i.e. doctors, pharmacists, nurses and the general public. The market surveys are mainly in the health and pharmaceutical sector. The Company maintains a list of all ERP participants.

The data collected by the Company are identification data (“first name”, “surname”, “VAT number”, “social security number”, etc.), contact details, category of medical specialization, type of health profession and bank details.

1.2.1 Purpose of processing

All data of the data subject collected by the Company is for the purpose of conducting market research undertaken on behalf of its customers. This list is compiled by the Company itself, in order to be able to carry out relevant surveys at any time.

All data collected by the Company are necessary for the fulfilment of the above purpose. Therefore, the personal data of natural persons collected by the Company are processed lawfully, fairly and in a transparent manner, and are collected for specified, explicit and legitimate purposes (Article 5§1(1)(b) GDPR). Data relating to natural persons fall within the scope of the Regulation. The Company does not receive unnecessary data of natural persons, but only those data that are required by the respective legal obligations of the Company, so that the principle of data minimization is also fulfilled (Article 5§1(c) GDPR).

1.2.2 Legal basis of processing

The collection and processing of the aforementioned personal data is based on the performance of a contract to which the data subject (or the company in which the data subject works) is a party.

1.2.3 Transmission of personal data

The data is not transferred to other EU countries or to third countries. However, data may be transferred by our Company to third parties such as government agencies, partners, or contractors as part of our contractual and legal obligations.

1.2.4 Retention period of personal data

The data of the health professionals’ contact list file are kept in a format that allows the identification of the data subjects and their retention period is twenty (20) years. At the end of this 20-year period, the contact record shall be updated. If the subject does not have the status of health professional at the time of updating, he/she shall be removed from the list. After this deletion, the Company may keep the records without the name of the subjects for statistical purposes.

If you wish to exercise any of your rights referred to in Section 2, regarding the data recorded during the above activities or if you wish to contact us for any other reasons, please let us know by sending an email to the address of the Data Protection Officer.

1.3 Audio and video recording of the survey

1.3.1 Purpose of processing

The company processes data from recordings and video recordings of research meetings. These meetings involve healthcare professionals, the general public, and company employees and may be conducted either physically or online. Consent from the data subject is required for the data to be obtained.

1.3.2 Legal basis of processing

The collection and processing of the aforementioned personal data is based on the performance of a contract to which the data subject (or the company in which the data subject works) is a party.

1.3.3 Transmission of personal data

The data is not transferred to other EU countries or to third countries. However, data may be transferred by our Company to third parties such as government agencies, partners or contractors as part of our contractual and legal obligations.

1.3.4 Retention period of personal data

Data derived from recordings and video recordings of research meetings are kept for the period of time necessary to achieve the purposes of the processing, which has been set at five (5) years.

1.4 Minutes of meetings with health professionals

Our Company keeps a record of the minutes of meetings with health professionals. The data recorded is the survey process, which is used for market research. The minutes record the identification data of the individuals participating in the survey and their responses to the questions.

1.4.1 Legal basis of processing

The Company processes the above data in order to conduct market research. The Company does not receive unnecessary data from natural persons but only those required by the respective legal obligations of the company, thus complying with the principle of data minimization (Article 5(c) GDPR). The data collected by the company from natural persons (full name of the person responsible/legal representative of the company) is necessary to achieve the above purpose.

1.4.2 Transmission of personal data

The data is not transferred to other EU countries or to third countries. However, data may be transferred by our Company to third parties such as partners or contractors as part of our contractual and legal obligations.

1.4.3 Retention period of personal data

The period of data storage is determined on the basis of the following specific criteria depending on the case, namely when the processing is imposed as an obligation by provisions of the applicable legal framework, the personal data are stored for as long as the relevant provisions require, when the processing is carried out on the basis of a contract, the personal data are stored for as long as necessary for the performance of the contract and for the establishment, exercise, and/or support of legal claims based on the contract.

1.5 Personal data collected from visitors when they enter the company.

Our Company collects and processes personal data of its visitors who enter its premises for any work that is not of a permanent nature. Therefore, the concept of visitor includes any partner who does not have a regular presence in the company or a prospective employee or a simple visitor. The data collected are full name, date of entry, identity check, ID card, appointment time, time of entry/exit. The data is collected by the Subject himself.

1.5.1 Purpose of processing

The purpose of the processing is the security of the company’s facilities and systems as well as the full control and knowledge, at all times, of the persons entering and remaining in the building.

1.5.2 Legal basis of processing

The Company has a legitimate interest to collect the above data and to carry out any further processing if necessary for its security and functionality.

1.5.3 Transmission of personal data

The data is not transferred to other EU countries or to third countries. However, the data may be transmitted by our Company to third parties, in particular to security services or public authorities if requested in the context of investigations if required by law.

1.5.4 Retention period of personal data

The data of the access file shall be kept in a format that allows the identification of the data subjects only for the period necessary to achieve the purposes of the processing, which in this case is one (1) month from its creation.

2 SECTION – RIGHTS OF DATA SUBJECTS

In this Privacy Policy you can learn about your rights against us as data controllers of your personal data. We have taken measures to be able to respond to any query you may have within a short period of time not exceeding one month from the receipt of your request and without any charge for this service. In complex cases, more time may be required for our response. In this case, we will inform you of the reasons for the delay and of the expected duration of the delay, which may not exceed a total of three months.

We will respond to you electronically or by other means as you have requested. We reserve the right to charge administrative costs for processing a request that is unreasonably repeated or in the case of a manifestly unjustified or excessive request.

Please note that we will need to verify your identity before we are able to respond to your request.

If we believe that we should not act on your request, we will inform you for the reason of our decision and of your options for legal remedies.

If you believe that our company has processed your personal data unlawfully, please contact us at the address of the data protection officer so that we can rectify the situation and thus improve our service to all visitors. You can send us a formal complaint via email or traditional mail to the address above.

2.1 Right to receive transparent information

We will provide you with all the information required by the GDPR in a short, transparent, understandable and easily accessible format, using clear and simple language, especially for each piece of information. We will provide the information to you in writing or by electronic means.

2.2 Right of access to your own data

You have the right to obtain confirmation from us whether or not your personal data is being processed and, if so, to have access to the data and the following information:

the purpose of the processing,
the relevant categories of personal data,
the recipients to whom we have disclosed or transferred or will disclose the personal data, in particular recipients in countries outside the EU, if applicable,
the period for which the personal data are stored or the criteria determining that period,
the existence of your right to request us to correct or delete personal data or to restrict or object to the processing of personal data,
your right to submit a complaint to a supervisory authority,
where your personal data is not collected directly from you, to provide you with any available information about its source.

2.3 Right of rectification of inaccurate data

If we process incorrect or incomplete personal data, you have the right to request their rectification without undue delay.

2.4 Right to erasure (“Right to be forgotten”)

You have the right to ask us to delete your personal data concerning you and to respond to the request without undue delay where one of the following reasons applies:

your data are no longer necessary in relation to the purposes for which they were originally processed,
you withdraw your consent, and we have no other legal basis for processing your data,
you object to the processing in accordance with Article 21 GDPR (as set out in 8 below) and there are no compelling reasons for the continued processing,
the data have been unlawfully processed,
the data must be erased in accordance with the law.

Please note that we cannot delete your personal data to the extent that processing is required:

to comply with a legal obligation requiring processing,
for reasons of public interest in the field of public health,
for archiving purposes in the public interest, scientific or historical research or statistical purposes, where the request is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
for the establishment, exercise, or support of legal claims.

2.5 Right to withdraw consent

Where you have given your consent to any processing, you have the right to withdraw it at any time. You can do this by sending a request to the email address provided to you herewith g.dritsa@prime-view.com.

Please note that withdrawing your consent will not affect the processing we have already done.

2.6 Right to restrict processing

You can ask us to restrict the processing of your personal data when one of the following applies:

question the accuracy of personal data,
we no longer have a legitimate basis for processing, but you object to the deletion of the data and request that we restrict its use,
we no longer need the data for the original purpose, but you need it to establish, exercise or support legal claims,
you object to the processing of the data in accordance with Article 21 of the GDPR (see below) and request restriction until the ground for objection is verified.

Where processing is restricted on the basis of the above, apart from the continued storage of the data, we will only process it with your consent or: a) for the establishment, exercise or maintenance of legal claims; b) for the protection of the rights of another person; c) for reasons of important public interest of the EU or a Member State.

Where we restrict processing, we will inform you before we remove the restriction.

2.7 Right to data portability

You have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and the right to transmit such data to another controller without objection from us, where the processing is based on your consent or a contract and the processing is carried out by automated means and only where technically feasible. This right does not apply to processing which is necessary for the performance of a task carried out in the public interest and which cannot adversely affect the rights and freedoms of others.

2.8 Right to object

You have the right to object, at any time and on grounds relating to your particular situation, to the processing of personal data concerning you which is based either on legitimate interest pursuant to Article 6(1)(f) of the GDPR or is necessary for the performance of a task carried out in the public interest pursuant to Article 6(1)(e) of the GDPR. We will not subsequently process the data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or maintenance of legal claims.

2.9 Right to complaint to the competent supervisory authority

In any case and for any request you may request the assistance of the Personal Data Protection Authority where you can make a report or complaint. The address of the Authority is Kifissias 1-3 ATHENS, its website is www.dpa.gr and its contact telephone number is 210 6475000 and fax 210 6475628.