PROTECTION OF PERSONAL DATA

(as per article 28 of the GDPR)

1. The Person performing the processing processes all Personal Data as confidential information on behalf of the Processing Manager and in accordance with his written orders and instructions, for the following limited purposes: ( i ) processing in the context of the execution of the Contract, and ( ii ) processing requested by the Data Subjects against the use of services that form the object of the Contract. For example, the Person performing the processing is not entitled to process the Personal Data for his own purposes or to include the Personal Data in products or services he offers to Third Parties.
2. The Person performing the processing must comply throughout the term of the Contract with his respective obligations deriving from the Data Protection Laws and Regulations and the terms of this Appendix.
3. The Person performing the processing is obliged to keep in written form, including electronic form, and to submit within five (5) calendar days from the relevant request of the Processing Manager, a record of all of categories of processing activities that are being performed for the account of the Processing Manager. This file must contain at least:

1. a) the name and contact details of the Person performing the processing, the Processing Manager as well as their representatives and Protection
2. b) the categories of processing carried out on behalf of the Processing Manager
3. c) any transfer of personal data to a third country or international organization, including the identification of said country or international organization and documentation of the appropriate guarantees provided;
4. d)generaldescription of techniques and organizational meters that have been implemented for the protection of personal data.

The Person performing the processing passes the file to the Processing Manager at the beginning of each quarter but also at any time upon his request. In addition, Person performing the processing and, if applicable, his Representative shall make the file available to the supervisory authority upon request. To the extent that the fulfillment of his obligations, as well as any supporting and/or ancillary activities, involve the processing of Personal Data, the Person performing the processing must:

1. not to control, transmit or claim to transmit personal data to Third Parties, unless he has received specific written instructions from the Processing Manager to do such an action.
2. to immediately inform the Processing Manager of requests from Data Subjects, with which they exercise the rights provided for in the Data Protection Laws and Regulations, namely the right of access, correction, restriction of processing, deletion (right to be forgotten), opposition to processing, to data portability or the right not to submit to automated individual decision-making (“Data Subject Request”).
3. to take all appropriate technical and organizational measures to ensure the lawfulness of the processing and the existence of an appropriate level of security. The Person performing the processing should make the maximum effort to ensure the confidentiality, integrity, availability, reliability of processing systems and services on a regular basis, the ability to promptly restore availability and access to personal data in the event of a physical or technical incident. and, finally, the process of regularly checking and evaluating the effectiveness of technical and organizational security measures. d. to implement, when requested by the Processing Manager, appropriate technical and organizational measures to ensure the protection of privacy by design and by default, such as compliance with data retention periods applied by the Controller based on the contract.
4. to make available to the Processing Manager any information reasonably requested in order to demonstrate his compliance with his obligations, as defined in the Data Protection Laws and Regulations and as outlined in this Appendix.

1. Person performing the processing has put in place organizational and technical measures that will ensure the proper and timely execution of the Processor’s orders and instructions related to the exercise of Data Subjects’ rights, including the following: satisfaction of requests of data subjects to the Data Controller within the framework of Data Protection Laws and Regulations
2. modification or correction of personal data at the request of the Processing Manager, cancellation or blocking of access to personal data based on the order of the Processing Manager and, finally, marking of the Personal Data, for which the Person performing the processing will apply more specific rules. In relation to these, the Person performing the processing must make every effort to assist the Person performing the processing to respond to the Data Subjects’ Requests and must take measures such as pseudonymization and encryption of personal data.
3. The Person performing the processing must immediately notify the Processing Manager if, in his opinion, an order or instruction violates Data Protection Laws and Regulations.
4. In case of failure to comply with the obligations arising from this Appendix for any reason, the Person performing the processing agrees to promptly inform the Processing Manager of said failure, in which case the Processing Manager is entitled to immediately stop the transfer of personal data and/or terminate the Contract.
5. The Person performing the processing does not have the right to request coverage from the Processing Manager for any expenses as well as any kind of cost, which it incurs in order to comply with the instructions of the Processing Manager and/or with any of his obligations according to the Appendix or the current legislation.
6. Immediately after the termination or termination of the Contract or this Appendix, the Person performing the processing as well as his Subcontractors are prohibited from processing the Personal Data and are obliged to ensure, upon request and in accordance with the instructions of the Processing Manager, the safe return or destruction of them as well as their copies.

1. REQUIREMENTS FOR DATA SECURITY OF PERSONAL CHARACTER

2. The Person performing the processing guarantees that he processes and keeps the Personal Data separate from the data he processes on behalf of third parties.
3. The Person performing the processing guarantees that he implements and complies with appropriate technical and organizational measures to protect Personal Data from accidental or unlawful destruction, accidental loss, damage, alteration, non-authorized disclosure of access, in particular when the processing involves the transmission of data via network. These measures are in line with the requirements of Data Protection Laws and Regulations and protect the rights of data subjects.
4. The Person performing the processing shall take appropriate technical and organizational measures to ensure the security of any electronic communications networks or services provided to the Processing Manager or used for the transfer or transmission of personal data (including measures aimed at ensuring the confidentiality of communications and the prevention of illegal surveillance, the interception of telecommunications and unauthorized access to any computer or system and thereby ensure the security of communications).
5. Compliance with approved codes of conduct or a certification mechanism approved by the European Commission on behalf of the Person performing the processing may be used as evidence of his compliance with the obligations of the Appendix.
6. When assessing the appropriate level of security, the Person performing the processing takes into account in particular the risks arising from the processing, notably the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the personal data transmitted, stored or submitted to processing in a way that may lead to physical, material or moral damage.
7. The Person performing the processing shall assist the Processing Manager in identifying high-risk processing activities for personal data and shall provide all necessary assistance and information in order for the Processing Manager to comply with his obligations, which are related to carrying out a “Protection Impact Assessment Data” and with the prior consultation with the Supervisory Authority. The latter obligation arises in cases where the Impact Assessment indicates that the processing may cause a high risk to rights and freedoms that cannot be mitigated by other means.
8. The Person performing the processing must ensure that individual under his supervision and who has access to personal data does not carry out any processing, except on the basis of the instructions of the Processing Manager, unless obliged to do so by EU law or national law.
9. In the event that the Person performing the processing, becomes aware or has reasonable grounds to believe that accidental, unauthorized or illegal destruction, loss, modification, disclosure or access to Personal Data has taken place or may take place, he is obliged to inform the Processing Manager, without undue delay and in any case no later than within twelve (12) hours from the moment he became aware of the relevant information. Such notification shall include at least: (i) a detailed description of the relevant data security breach, (ii) the type of data breached, (iii) the identity of each affected person (or, where this cannot be precisely determined, the approximate number of affected subjects and files, (iv) a description of the possible consequences of the security breach (v) a description of the countermeasures proposed or finally taken by the Person performing the processing, including appropriate measures to mitigate the possible adverse of his consequences, and (vi) finally, any other information that the Processing Manager may reasonably request regarding the breach, once it is collected or made available.
10. The Person performing the processing must immediately investigate the security breach, make the best possible effort to detect, mitigate or prevent his effects and, with the consent of the Processing Manager, undertake recovery or any other necessary action to restore the violation. In addition, he undertakes that he will not share or publish any file, communication, announcement, press release or report regarding the breach without the prior written approval of the Processing Manager; on the contrary, he accepts and acknowledges that the Processing Manager may notify the Supervisory Authority at his discretion any relevant communication within the framework of Data Protection Laws and Regulations. Finally, he agrees not to take any action after such disclosure without the Processing Manager’s prior written consent.
11. The Person performing the processing must take measures to assist the Processing Manager in ensuring compliance with his obligation:

(a) keep the Personal Data secure, taking into account the nature of the processing and the information available to him and

(b) to inform the Data Subjects of any incidents of violation of their Personal Data.

2.11. t the request of the Processing Manager, the Person performing the processing shall provide written description of the technical and organizational measures he applies to protect Personal Data from unauthorized or illegal processing and accidental loss, as well as the rationale thereof.

2.12. The Person performing the processing does not share the Personal Data with Third Parties, unless he is under a legal obligation to do so and if he has been informed by the Processing Manager in advance.

1. STAFF OF THE PERSON PERFORMING THE PROCESSING

3.1. The Person performing the processing ensures that the individuals authorized to process the Personal Data have undertaken contractual confidentiality obligations – both for the duration and after the expiry of this Appendix – which ensure data protection of the same level as this Appendix, or are subject to a relevant obligation under law.

3.2. The Person performing the processing guarantees that access to and processing of Personal Data will be limited to legally authorized personnel, based on position and provided that they demonstrate efficiency, honesty, integrity and discretion. The Person performing the processing, upon request, immediately informs the Processing Manager with a list of the names of the processing personnel.

3.3. The Person performing the processing takes the appropriate measures in order to train and inform his staff about their obligations arising from this Appendix and the Data Protection Laws and Regulations and also about the consequences of violating these requirements.

3.4. Consequently, the Person performing the processing takes the least following organizational measures with regard to his staff:

(a) The roles and functions of the personnel who have access to Personal Data and Information systems must be clearly defined and recorded.

(b) Authorized personnel are instructed not to leave the electronic equipment they use during data processing unattended and not to provide any access to Third Parties.

(c) Physical access to areas where personal data is stored is limited to authorized personnel.

(d) Disciplinary action for breach of security must be clearly defined, recorded and communicated to the staff.

1. USE OF SUPERCONTRACTORS BY THE PERSON PERFORMING THE PROCESSING

2. The Person performing the processing may not delegate to a Third Party any of the processing activities carried out on behalf of the Processing Manager based on his contract, without previous written permission of the latter. Any request by the Person performing the processing to contract with a Subcontractor should include, at a minimum, the following information:

(a) the name and contact details of the Subcontractor and, if any, his representatives as well as the data protection officers, he has appointed, (b) the categories of processing activities that the Subcontractors are required to perform.

(c) any transfer of personal data to a third country or international organization, including the identification of that country or international organization, as well as the documentation of the appropriate guarantees,

(d) description of the Subcontractor’s technical and organizational security measures for the protection of personal data.

1. When the Person performing the processing uses Subcontractors:

1. a) is obliged to enter into either a legally binding written contract with the Subcontractor, which provides at least the same protection obligations and the same rights of Data Subjects as this Appendix or another legal act in accordance with EU or national law; to the extent applicable to services of the nature provided by the Subcontractor. (b) must seek the consent of the Processing Manager for any intended change involving the addition or replacement of a Subcontractor with access to the Personal Data and provide sufficient justification for such changes.

1. The Person performing the processing makes available to the Processing Manager a copy of the contracts he concludes with his Subcontractors and which are in force. The Processing Manager has the right to communicate them at any time to the supervisory authority.
2. The Person performing the processing ensures and guarantees that any contract he has with Subcontractors and any dispute or claim arising out of or in relation to him or his subject matter (including non-contractual disputes or claims) is governed by and construed in accordance with Greek law and is subject to exclusive jurisdiction of the courts of Athens.
3. By signing this, the Person performing the processing notifies the Processing Manager that he has already further delegated the Processing of Personal Data to the third parties of the Appendix and undertakes that within sixty (60) days it will impose on them in writing obligations that are at least the same as those provided for in this Appendix, otherwise it will proceed to revoke the assignment to them of the processing of the Personal Data of the Processing Manager.

1. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

2. The Person performing the processing may transmit the Personal Data to a Third Country or an international organization only under the condition of the prior written permission of the Processing Manager. The previous obligation to obtain permission will also cover transfers of personal data that will take place in the future from the Third country or international organization to another Third country or international organization.
3. In the absence of an adequate decision by the European Commission according to the GDPR, the Processing Manager allows at his discretion the transfer of personal data to a third country or an international organization, only if the Person performing the processing guarantees that one of the following exceptions provided by the Laws and Data Protection Regulations applies: (a) The Person performing the processing is under Binding Corporate Rules that have been approved by a supervisory authority within the EU and may be applied to the specific processing,

(b) The relationship between the Person performing the processing and a third party is subject to standard protection clauses approved by the European Commission, (c) The Person performing the processing has established standard data protection clauses adopted by the Supervisory Authority and approved by the European Commission,

(d) The third party in the Third Country has established an approved code of conduct, while undertaking binding and enforceable obligations to implement appropriate safeguards, including those relating to the rights of Data Subjects, or

(e) The third party in the Third Country has an approved certification mechanism, while undertaking binding and enforceable obligations to implement appropriate safeguards, including those concerning the rights of Data Rights Subjects.

1. In the event that the Personal Data is to be transferred to a Third Country or an international organization, the Person performing the processing agrees to assist the Processing Manager in providing and maintaining the appropriate guarantees for his legal transfer, in accordance with the requirements of the GDPR and the Laws and Data Protection Regulations.

1. In the event that the Personal Data is to be transferred to a Third Country or an international organization, the Person performing the processing provides the Data Subjects with effective and enforceable rights regarding the processing of their data at the stage after their transfer, so that continue to benefit from fundamental rights and protective measures.
2. The Person performing the processing warrants that the law of the country to which he is subject does not prevent him from fulfilling the instructions received from the Processing Manager and his obligations under the Contract and that in the event of amendments to the legislation that may have a significant adverse effect in the guarantees and obligations provided for in the Appendix, will notify the changes made to the Manager as soon as he becomes aware of them. In the latter case, the Processing Manager is entitled to immediately suspend the data transfer and/or terminate the Contract.

1. AUDIT RIGHTS

6.1. Upon reasonable request by the Processing Manager, the Person performing the processing must – within 7 days of receiving the above request – provide the Manager with any documentation or records that will enable him to verify and monitor the Person performing the processing compliance with the personal data protection obligations of this Appendix. In addition, he is obliged to inform the Manager of the person who will act within his organization as a point of contact to provide the information requested by the Processing Manager.

6.2. The Processing Manager performing the processing is entitled, after prior written notification of the Person performing the processing, to carry out an on-site inspection of the facilities, equipment and Information Systems used by the Person performing the processing for the purposes of the Contract, in order to confirm whether the latter complies with the obligations established herein Appendix in relation to data protection and security.

6.3. In order to examine the adequacy of the technical and organizational measures taken by the Person performing the processing, the Manager has the right, upon prior written notification, to inspect the equipment and software programs of the Person performing the processing, using remote control means, such as penetration tests or other similar means.

6.4. The Person performing the processing is obliged by contract to ensure that the Processing Manager has the right to carry out checks based on this article and on the Subcontractors with whom the Person performing the processing has been contracted.

6.5. The Person performing the processing must immediately inform the Processing Manager of the existence of legislation that binds him or his Subcontractor and prevents the carrying out of an audit on himself or his Subcontractor. In these cases, the Processing Manager is entitled to immediately stop the transmission of personal data and/or terminate the Contract.

1. COOPERATION WITH SUPERVISORY AUTHORITIES

2. The Person performing the processing guarantees that he will fully comply with his accountability obligations before the Supervisory Authority established by the Data Protection Laws and Regulations.
3. The Person performing the processing and, where applicable, the protection officer and his Representative cooperate, whenever required or deemed appropriate, with the supervisory authorities for the fulfillment of their obligations and duties arising from this Appendix as well as from the Laws and Regulations for Data Protection.
4. The Person performing the processing agrees to submit to the Supervisory Authority a copy of this Appendix and any contract executed through his Subcontractors and involving the processing of personal data, if requested by the Supervisory Authority or required by Data Protection Laws and Regulations.
5. The contracting parties agree that the Supervisory Authority has the right to audit the Person performing the processing and each of his Subcontractors within the framework of Data Protection Laws and Regulations.
6. Unless otherwise agreed with the Processor, the Person performing the processing directs exclusively to the Greek Supervisory Authority any communication or action in relation to issues that arise between the parties and fall within the scope and subject of this Appendix.

1. ISSUES OF LIABILITY OF THE PARTIES

2. Nothing herein shall be construed to exclude or limit the Person performing the processing liability with respect to the terms of this Appendix.
3. The Person performing the processing bears full responsibility towards the Processing Manager for any action or omission of its Subcontractor that contravenes the data protection obligations provided for in this Appendix and the applicable Data Protection Laws and Regulations.
4. The contracting parties agree that if a Data Subject has suffered damage from the Person performing the processing or his Subcontractor due to a breach of the Person performing the processing, he is entitled to receive compensation from him for such damage.
5. The contracting parties agree that if the Person performing the processing is held liable for a breach of this Appendix due to a breach by him for any reason under his obligations arising from the Appendix or the Data Protection Laws and Regulations, the latter is liable for damages to the Processing Manager for any cost, charge, compensation, fines, expenses or damage. The Processing Manager undertakes to promptly notify the Person performing the processing of his said claim.

1. OTHERS PROVISIONS

2. This Data Processing Appendix forms an integral part of the Contract. It is clarified that it cannot abolish additional rights of the Processing Manager established in the Contract, even if they fall within its scope. However, except as expressly stated herein, the terms of this Appendix supersede any contrary provisions contained in the Contract and any related annex, appendix, special terms, variations falling within the scope hereof.
3. Unless otherwise provided herein, the Contract shall continue to apply without change and remain in full force and effect.
4. The Definitions given in the Contract also apply to this Appendix, unless in good faith and the context it appears that otherwise is required.
5. In the event of a conflict between the provisions of the Contract and this Appendix, the terms of the Appendix shall prevail.
6. This Appendix and any dispute or claim arising out of or in connection with it or relating to its subject matter (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of the State, as determined by the Contracting Parties to the Contract, and is subject to the exclusive jurisdiction of the courts, which is provided for in the Contract.
7. In the event that the Parties determine that, upon revision of Applicable Law, the provisions of this Addendum cease to be consistent therewith, they hereby agree to cooperate in good faith and renegotiate the terms of the Addendum to ensure that they fully comply with applicable law.