Introduction
For ATTICA HOLDINGS S.A. (Attica Group), the protection of the personal data of employees or third parties who wish to report or are engaged in potential improper behavior incidents is of paramount importance. That is why we implement adequate measures to protect the personal data we process and to ensure that the processing of personal data is always carried in accordance with the requirements of the applicable legislative and regulatory framework.
Controller - Data Protection Officer (DPO)
Attica Group, headquartered in Kallithea, Lysikratous no. 1–7 & Evripidou, 176 74, email: whistleblowing@attica-group.com, tel .: +30 210-8919500, informs that, for the purposes of managing and examining the named Whistleblowing Reports (“Reports”) submitted, based on the established Whistleblowing Procedure, processes personal data of individuals provided by them at their free will and choice, in accordance with the applicable national legislation and the European Regulation 2016/679 regarding the protection of individuals with regard to the processing of personal data and the free flow of such data (General Regulation on Data Protection, hereinafter "Regulation").
For any matter, concerning the processing of personal data you can send an email to the e-mail address DPO@attica-group.com or a letter to the above postal address of ATTICA HOLDINGS S.A.
Personal Data Processing
The Controller ensures that any personal data voluntarily provided by the individual who submits the Report (“Whistleblower”) will only be processed if it is strictly necessary as to ensure the proper and effective management and investigation of the Report, to verify the validity of the contention made and to take appropriate measures, depending on the case and where appropriate/required. Data that may be processed, if voluntarily disclosed, are the name of the Whistleblower, his contact
details, the e-mail address, the telephone number, or any other personal data, which may voluntarily be reported to support a Report. In cases of anonymous Reports and based on what
they refer to, the company will process as much personal data of third parties as necessary for the Report investigation, in accordance with the applicable legislative framework.
Purpose of processing personal data
The processing of the personal data of the persons to which the Report refers and/or any other third parties, shall be carried out for one or more of the following purposes:
• For the implementation of the Whistleblowing Policy
Specifically, to investigate the validity of the Report and to take appropriate measures.
• For communication purposes
Under the investigation of a submitted Report, we may need to contact you by email or phone for administrative purposes (to provide clarifications, additional information, etc.), or in order to respond to your Report.
• To comply with legal obligations
We may process personal data to fulfill legal obligations imposed by the applicable legislative/regulatory framework, decisions of authorities, judicial bodies, etc.
• To safeguard our legitimate interests and protect individuals and goods
We may process personal data to safeguard our legitimate interests, such as, but not limited to,
ensuring compliance with applicable laws and regulations.
Who has access to the personal data and where it may be transmitted/shared
Actions related to the investigation of Reports, that may include the processing of personal data, are entrusted to persons specifically authorised for this purpose who have the necessary guarantees for an independent and effective exercise of the assigned duties.
The personal data contained in the Reports may be disclosed to the corporate bodies and departments that are responsible, on a case-by-case basis, based on the relevant policies and procedures of the company. Furthermore, they may be forwarded to State authorities, judicial or other authorities responsible for the implementation and enforcement of the laws, in case the data collected/provided, under the investigation, establish the validity of the reported incidents. Finally, personal data may be disclosed to third parties, individuals or legal entities, specializing in the subject matter of each submitted Report, if it is deemed appropriate to involve them in the Report investigation.
Data Storage Period
Your personal data shall be stored for as long as necessary for the investigation of the Report and/or the establishment, exercise, and/or support of legal claims based on this Report.
In the event that the Report results to a breach or obligation to comply with provisions of the applicable legislative/regulatory framework, personal data will be stored for as long as the relevant provisions so require.
What are your rights in relation to your personal data
Any natural person whose data is processed by ATTICA GROUP enjoys all the rights provided in the Regulation and in particular:
Right of access:
You have the right to be aware and verify the legitimacy of the processing. Thus, you have the right to access the data and obtain additional information concerning its processing.
Right of rectification:
You have the right to review, rectify, update or amend your personal data by sending an email to DPO@attica-group.com or a letter to the postal address of ATTICA HOLDINGS S.A.
Right to erasure:
You have the right to request the erasure of your personal data when we process it in order to protect our legitimate interests. In all other cases (such as when there is an obligation to process personal data required by law, public interest), this right is subject to specific restrictions or is not applicble as the case may be.
Right to restriction of processing:
You have the right to request a restriction of the processing of your personal data in the following cases: (a) when you challenge the accuracy of the personal data and until their verification takes place; (b) when you oppose the erasure of personal data and request the limitation of their use instead of erasure, (c) when the personal data is not needed for processing purposes, but are necessary for the establishment, exercise and support of legal claims, and (d) when you object to their processing and until it is verified that there are legitimate reasons which are relevant to us, and which supersede the reasons for which you oppose the processing.
Right to object:
You have the right to object at any time to the processing of your personal data where, as described above, it is necessary for the purposes of the legitimate interests we pursue as controllers.
Right to portability:
You have the right to receive your personal data free of charge in a format that allows you to access, use and edit it through commonly used editing methods. You also have the right to request us, if technically feasible, to transfer the data directly to a different Controller.
In order to exercise any of the above rights you can send an email to the address DPO@attica- group.com or a letter to the above postal address of ATTICA S.A. It should be noted that, taking into account the specific nature of the processing of personal data in the context of the Whistleblowing Policy and depending on each case, it may not be possible to fully satisfy any or some of the rights provided for in the Regulation. In any case, the company undertakes to make every effort to fully satisfy each right, in full compliance with the applicable legislative/regulatory framework.
Right to complain to the HDPA
You have the right to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr): Call Centre: +30 210 6475600, Fax: +30 210 6475628, E-mail: contact@dpa.gr
Personal Data Security
ATTICA HOLDINGS S.A. implements appropriate technical and organizational measures to secure the processing of personal data and to prevent the accidental loss or destruction and unauthorized and/or unlawful access to, use, modification or disclosure of personal data. In any event, the way the Internet functions, along with the fact that it is freely accessible to anyone, cannot guarantee that unauthorized third parties will never be able to violate the technical and organizational measures applied, gaining access to and potentially using personal data for unauthorized and/or illicit purposes.