PRIVACY POLICY

The company GOLDEN GUIDE PRINT & ONLINE INFORMATION S.A. is today the longest-running Greek professional marketing company, which has been privileged to operate on the market since 1971, when the first printed professional list was issued.

Our Company strives to conduct its business activities in accordance with the principles of privacy, as we believe that this is how we show our firm commitment to ethical and responsible practices. We recognise that innovation and new technologies lead to ongoing changes regarding risks, expectations and legislation. We therefore follow privacy standards and aim to adjust in a timely manner to implement them in response to these changes.

This Policy sets out our standards for the management and protection of Personal Data by or on behalf of our company, which originate, directly or indirectly, from any country in the European Economic Area (EEA) and Switzerland, and are transferred to any other country, including transfer between EEA countries. They apply to our activities in each country, with respect to any activity, which involves information about individuals, which we carry out in each of our affiliates and any field (including any successor to our business) including, but not limited to, research, production, business activities, corporate support, and data transfers necessary to carry out the above activities, including but not limited to:

  • Research and Production: initiation, management and funding of research studies / evaluation and involvement of researchers, members of the Science and Ethics Committee and partners to support research studies and development of our products / recruitment for research studies / evaluation of safety, effectiveness and quality of developing and our commercially available products / adherence to our commitment to the safety and quality of our products, including management and reporting of adverse effects and complaints about product quality / submission of application for approval and registration of our products to the health regulations authorities / compliance with relevant legal, regulatory or ethical requirements.
  • Commercial activities: evaluation of markets regarding our products / advertising, marketing, sale, distribution and delivery of our products / communication with our clients and other end users of our products / sponsorship and conduct of events / evaluation and encouragement of our partners to support our commercial activities / compliance with the relevant legal, regulatory or ethical requirements.
  • Corporate Support: recruiting, hiring, managing, developing, communicating with and compensating employees / providing benefits to employees and their dependent family members / conducting employees’ performance and talent appraisals / providing training and other educational and development programmes / conducting disciplinary proceedings and managing employee complaints / management of ethics and privacy concerns and conducting investigations / managing and safeguarding our physical and virtual assets and infrastructure / procurement and payment for products and services / fulfilling our commitments regarding the environment, health and safety and corporate responsibility / media communication / and compliance with relevant legal, regulatory or ethical requirements.

This Policy also applies to all individuals whose data we process, including but not limited to customers, prospective, current and former employees and their dependents, members of the Ethics Committee, partners, investors and shareholders, government employees and other stakeholders.

All Company Employees and Management executives have significant privacy responsibilities which they have to adhere to.

We acknowledge that unintentional errors and misjudgement in data protection can cause risks to the privacy of individuals and risks to our Company's reputation, processes, compliance and finances. Every Company employee and other individuals processing data about our company are responsible for understanding and observing their obligations under this Policy and the applicable laws.

Our Values and Standards on Privacy

We respect our values regarding privacy in everything we do involving people, including how we apply privacy standards. The four privacy values include:

Respect

We recognise that privacy concerns are often related to the essential questions of who we are, how we see the world and how we define ourselves. We thus strive hard to respect the perspective and interests of individuals and societies and to be fair and transparent in how we use and share information about them.

Trust

We know that trust is vital to our success, and so we are working hard to create and maintain customer, employee, patient and other stakeholders' trust, in relation to respect and protection of information related to them.

Preventing damage

We understand that misuse of human-related information can create tangible and intangible harm to individuals, so we try to prevent physical, financial damage, damage to their reputation or other privacy-related harm.

Compliance

We have learned that laws and regulations are not always consistent with the rapid advances in technology, data flow and associated changes in risks and expectations of privacy. We thus strive hard to comply with the spirit and rules of privacy and data protection laws in a way that demonstrates consistency and operational proficiency for our business operations at a global level.

1. We integrate our privacy standards into all activities, processes, technologies and relationships with third parties using Personal Data. We design privacy controls in our processes and technologies that are consistent with our values and privacy standards and the applicable law. The 8 privacy principles outlined below summarise the privacy standards and the basic requirements for high-level processes, activities and their assistive technologies.

Principle of Privacy / Our Basic Commitments
1. Necessity: Prior to the collection, use or distribution of Personal Data, we define and record the specific, legitimate business purpose for which this is necessary.
  • We define and record the time period for which Personal Data is needed for these specified business purposes.
  • We do not collect, use or share more Personal Data than needed, or retain Personal Data in an identifiable form for longer than is necessary for these specified business purposes.
  • We anonymise data when business requirements make it necessary for information about the activity or process to be withheld for a longer period of time.
  • We ensure that these necessary requirements are embedded in any supportive technologies and that the third parties supporting the activity or processing have been informed.
2. Justice: We do not process Personal Data in ways that are unfair to the individuals to which the data relate.
  • We specify whether the proposed collection, use, or other form of processing of Personal Data constitutes a risk for actual or unspecified harm to individuals, in accordance with the Harm Preventing Privacy principle.
  • If the nature of the data, types of people or activity contain an inherent risk of actual or unspecified harm to individuals, we ensure that the risk of harm does not outweigh the relative benefits for these individuals or our mission which is to save and to improve human lives.
  • Where risk is inversely related to benefits for individuals, we process Sensitive or Personal data only with the explicit consent of individuals or as required or expressly permitted by existing laws.
  • We record the risk analysis and design any required mechanisms to obtain and record evidence that demonstrates consensus on assistive technologies.
3. Transparency: We do not process Personal Data in ways or purposes that are not transparent.
  • All persons whose Personal Data are being processed under this Policy will be entitled to a copy of this Policy. We will make available copies of this Policy online at www.xo.gr/privacy. The Data Protection Officer will provide digital and/or hard copies of this Policy upon request sent to the addresses listed below.
  • When collecting Personal Data directly from individuals, we inform them through a clear, distinguishable and easily accessible privacy notice or by similar means, before collecting information on (1) the corporate entity or entities responsible for the processing, (2) the type of data to be collected, (3) the purposes for which the data will be used, (4) with whom the data will be shared, including any requirements to disclose Personal Data upon lawful requests from public authorities, (5) how long they will be stored, (6) how people can ask questions, express concerns or exercise their data-related rights, and (7) the online link to this Policy, where possible and appropriate.
  • When collecting Personal Data from other sources and not necessarily under the direction of our company, before we obtain the data, we verify in writing that the data provider has informed people about the ways in and purposes for which the company intends to use the information. If the written verification cannot be obtained from the provider, we only use anonymous data, or before we use Personal Data, we inform the individuals affected, by a privacy notice or similar means, of (1) the corporate entity or entities responsible for processing, (2) the type of data to be collected, (3) the purposes for which it will be used, (4) with whom the data will be shared, including any claims to be revealed, (5) how long they will be stored, (6) how people can ask questions, express concerns or exercise their data-related rights, and (7) the online link to this Policy, where possible and appropriate.
  • We ensure that the necessary transparency mechanisms, including where possible mechanisms supporting individual rights requests, are introduced into assistive technologies, and that third parties supporting the activity or processing do not process individual data in ways that are inconsistent with what people have been told, through the privacy notice or other verifiable means, about how we and others who work for us will use the data.
4. Purpose Restriction: We only use Personal Data in accordance with the principles of Necessity and Transparency.
  • If new legitimate corporate purposes are identified for Personal Data already collected, we either ensure that the new business purpose (including a substantially similar purpose) is compatible with the purpose as described in the privacy notice or other transparency mechanism previously provided to the individual, or obtain the consent of the individual for the new use of their Personal Data.
  • We do not apply the above principle to anonymous data, or where we use Personal Data solely for the purpose of historical and scientific research, and (1) an Ethics Review Committee or other competent auditor has determined that the risk of such use for privacy or other rights of individuals is acceptable and (2) there is respect for existing legislation.
  • We ensure that purpose limitation constraints are embedded in assistive technologies, including any reporting and downstream data sharing capabilities.
5. Data Quality: We keep the Personal Data accurate, complete and up to date and in accordance with its intended use.
  • We ensure that periodic data control mechanisms are integrated into assistive technologies to validate the accuracy of data in relation to the source and downstream systems.
  • We ensure that Sensitive Data is validated as accurate and up-to-date prior to use, evaluation, analysis, reporting or other processing that involves the risk of injustice to individuals if inaccurate or obsolete data is used.
  • When there are changes to Personal Data from our company or third parties working for our company, we ensure that such changes are communicated in time when reasonably possible.
6. Security: We incorporate safeguards to protect your Personal Data and Sensitive Data from loss, misuse, and unauthorised access, disclosure, or destruction.

We have implemented an analytical information security program and apply security controls based on the sensitivity of the information and the size of the risk of the activity, taking into account the best practices of modern technology and the cost of implementation. Our operational safety policies include, but are not limited to, business continuity and disaster recovery standards, identity and access management, information classification, information security incident management, network access control, physical security, and risk management.

7. Data transfer: We are responsible for preserving the privacy of Personal Data when it is transferred from or to other agencies or state borders.
  1. We only transfer Personal Data or permit processing by third parties if the following conditions are met and are responsible for ensuring that third parties with whom we collaborate meet such requirements:
    • If the third party’s role is to process Personal Data for or on behalf of our company, before the third party receives the Personal Data: (1) we complete legal due diligence of privacy to evaluate the privacy practices and risks associated with such third parties; (2) we obtain warranties by contract from such third parties that they will process Personal Data in accordance with our company's instructions and in accordance with this Policy, including, without limitation, all 8 Privacy Principles and other standards set forth in this Policy and existing law, and that they will timely inform our Company of any Privacy Event, including any inability to comply with the standards set forth in this Policy and existing legislation, or Security Event, and that they will cooperate to timely remedy any documented Event and address the individual rights, as defined in Section 2 below, and allow our company to carry out checks and oversee their practices during processing with respect to compliance with such requirements. In addition, if the third party processes Personal Data originating from a country or territory with legislation restricting the transfer of Personal Data, we will ensure that the transfer to the third party meets the conditions for cross-border transfers described below in Section 2. Where one of our subsidiaries acts solely on behalf of our other subsidiaries for the processing of Personal Data, and where required by law, these subsidiaries of our company will perform an internal data processing in accordance with Principle 8 of this Policy.
    • If the third party’s role is to provide Personal Data to our company, before we obtain the Personal Data from the third person, we ensure that the Transparency Requirements are met for the collection of Personal Data from other sources and not specifically under the supervision of our company, and we obtain warranties by the third party that it does not violate any law or the rights of any third party by providing our company with Personal Data.
    • If the third party’s role is to receive from our company data for processing that is not specifically under our company's supervision, before delivering the data to the third party, we ensure that the data is anonymised and obtain written assurances from the third party that it will use the data only for the operational purposes specified in the agreement and in accordance with applicable law and that it will not try to reverse the data anonymisation process.
  2. We conduct cross-border transfer of Personal Data from or on behalf of our Company in accordance with this Policy. We will apply this Policy to transfers of Personal Data from any other country or territory with legislation restricting the transfer of Personal Data.
8. Legally Permissible: We only process Personal Data if it meets the requirements of applicable law.
  • While the other 7 privacy principles and the terms of the Personal Rights described below are intended to ensure that the requirements of most privacy and data protection related laws applicable to our industry worldwide are met, we need to meet additional conditions in some countries, including but not limited to:
    1. Where necessary, we will obtain specific forms of consent to process specific Personal Data, including, but not limited to, approval of processing by labour councils or other trade unions.
    2. Where necessary, we will register the processing of Personal Data with the applicable privacy or data protection regulator.
    3. Where necessary, we will further limit the data retention periods for the Personal Data.
    4. Where appropriate, we will enter into agreements that include special contract clauses, including agreements for cross-border data transfers to third parties.
    5. Where necessary, we will disclose personal data following legitimate requests from the public authorities, including the satisfaction of requests related to national security or security authorities.
  • In the event of a conflict between this Policy and existing law, the standard that provides more protection to individuals will prevail.

2. We will promptly address requests for individual rights to access, rectify, modify or erase any Personal Data or objection to the processing of Personal Data.

  • Access, Rectification, and Erasure: Under Greek law, individuals have the right to access their Personal Data and to rectify, modify or erase any Personal Data that is inaccurate, incomplete or obsolete. We will approve all individuals’ requests for access, rectification and erasure of Personal Data. If a request for access, rectification or erasure is defined by existing law that provides greater protection for individuals, we will ensure that the additional statutory conditions are met.
  • Selection: In line with the privacy principles for “Respect” and “Trust”, we approve individual requests for objection to the processing of Personal Data, including, but not limited to, the option not to participate in programmes or activities, in which individuals had previously agreed to participate, the processing of their personal data for direct marketing purposes for communication that targets them and which is based on Personal Data, and for any evaluation or decision making related to them, which may influence them significantly, which is carried out through the use of algorithms or automation.
    • Unless and where prohibited by law, we may deny the selection where a particular application may hamper the company's ability to: (1) comply with the law or a moral obligation, including the need to disclose personal data in response to legitimate requests from the public authorities, on the grounds of security or national security; (2) investigate, defend or pursue legal claims, and (3) conclude contracts, manage relationships, or perform other authorised business activities that comply with the principles of Transparency and Restriction of Purpose and which were introduced based on data of people associated with them. Within fifteen working days of any decision refusing a request for selection in accordance with this Policy, we will record and communicate the decision to the applicant.

3. We will respond in a timely manner and escalate all questions related to privacy, complaints, concerns and any Privacy Event or Security Event.

  • Any person whose Personal Data we process within the scope of this Policy may ask questions, submit complaints or express concerns to our company at any time, including the request to provide a list of all our subsidiaries that are subject to this Policy. We expect that our employees and other individuals working on behalf of our company will provide early notice if they have reason to believe that an applicable law may prevent them from complying with this Policy. Any question, complaint or concern from an Individual or any notice from an employee or other person working on behalf of our company should be addressed to the Data Protection Officer:
    • by email: dataprivacy@xo.gr
    • by fax: +30 210 920 4298
    • by post: Data Protection Officer, GOLDEN GUIDE PRINT & ONLINE INFORMATION S.A., 26 - 28 Georgiou Averof Street, GR-14232 Nea Ionia, Attica
  • Employees and short-term workers are required to inform their Data Protection Officer in a timely manner of any questions, complaints or concerns about our company's privacy practices.
  • The Data Protection Officer will control and investigate or work with the Legal Service to investigate all enquiries, complaints, or concerns related to our company's privacy practices, whether taken directly by our employees or other individuals or third parties, including, but not limited to, regulatory agencies, liability officers or other government authorities. We will respond to the person or entity that submitted the enquiry, complaint, or concern to our company within thirty (30) calendar days or within a maximum of sixty (60) calendar days, except where a law or applicant/third party requires a response within a shorter period of time or unless the conditions, such as a simultaneous state investigation, require a longer period of time. In this case, the person or applicant/third party will be notified in writing as soon as possible of the general nature of the circumstances contributing to the delay.
  • The Data Protection Officer, in cooperation with the Law Office and the Compliance Office, will work with the privacy regulator in response to any investigation, inspection or research.
  • For complaints that cannot be resolved between our company and the person who submitted the complaint, our company has agreed to participate in the following dispute resolution processes, investigation and resolution of complaints to resolve disputes related to this Policy.
  • However, at any time, persons residing in the EEA or individuals whose Personal Data are subject to the EEA data protection legislation and are transferred outside the EEA, whose data is subject to processing related to this Policy, are entitled under this Policy to impose the terms of this Policy as eligible third parties, including the right to take legal action to claim compensation for the violation of their rights under this Policy and the right to receive compensation for damages caused by such violation. Persons residing in the EEA or individuals whose Personal Data is subject to the EEA data protection legislation and are transferred outside the EEA (for reasons of clarity, including the US) may have claims under this Policy against the Company:
    • in the courts or the data protection authority of the EEA country from which their Personal Data has been transferred, or
    • in Greek courts or the Hellenic Data Protection Authority.
  • Our company will respond to the person or entity that submitted the enquiry, complaint, or concern to our company within thirty (30) calendar days, except where a law or applicant/third party requires a response within a shorter period of time or unless the conditions require a longer period of time, in which case the person or third party will be notified in writing.

Terms that you need to know

  • Anonymisation. Changing, cutting, eliminating or otherwise restricting or transforming Personal Data to make it impossible to be used to identify, locate or communicate with the individual.
  • Legislation. All laws, rules, regulations and mandates for opinions with the power of law in any country in which our company operates or in which Personal Data is processed by or on behalf of our company.
  • Our company. The company GOLDEN GUIDE PRINT & ONLINE INFORMATION S.A., its subsidiaries, except for the joint ventures in which our company participates.
  • Privacy. All data for an identified or unidentified individual, including data by which the person is identified or which could be used to identify a person, or locate, track, or communicate with that person. Personal Data includes instant identification information, such as name, identification number or unique job title, and indirect identification information, such as birthdate, unique mobile or portable identification number, telephone number and encoded data.
  • Privacy Event. Breach or violation of this Privacy Policy or a privacy or data protection related law, including a Security Event. Determining whether a privacy event has taken place and whether it has a physical occurrence will be done by the Data Protection Officer and the Legal Department/Compliance Department.
  • Processing. Performing any process or series of processes on human related data, with or without automated means, including, but not limited to, collection, recording, organisation, storage, access, adaptation, conversion, retrieval, counselling, use, evaluation, analysis, reference, distribution, disclosure, and dissemination, transmission, disposal, alignment, combination, inhibition, deletion, erasure or destruction.
  • Security Incident. Access by an unauthorised person to Personal Data or disclosure to an unauthorised person of Personal Data or the reasonable suspicion of our company that this has happened. Access to Personal Data by or on behalf of our company without the intention of violating this Policy is not a Security Event, provided that such Personal Data was then used and disclosed only as permitted by this Policy.
  • Sensitive data. Any type of data relating to people with intrinsic risk of potential harm to individuals, including data that is statutorily defined as sensitive, including, but not limited to, health, inheritance, race, ethnic origin, religion, policies or philosophical beliefs or beliefs, criminal records, precise geographic location information, bank or other financial account numbers, state registration numbers, minor persons, sexual life, relations with trade unions, security, social security and other employer or state benefits.
  • Third Party. Any legal entity, organisation or person not belonging to our company, or for which our company has no controlling interest or does not work for our company. Unless expressly specified by this Policy, no subsidiary or sector of our company is required to meet the requirements of a third party under this Policy as all subsidiaries and sectors are required to process human related data in accordance with this Policy, including cases where one of our subsidiaries supports one or more of our subsidiaries during processing.

Changes to this Policy

This Policy may be reviewed occasionally in accordance with the requirements of existing legislation. Whenever this Policy changes in a physical way, a notice will be posted on our company's website (www.xo.gr/privacy) for 60 days.

Effective date

20 May 2018
