Privacy Protection Policy
ARTICLE 1 – Object of personal data protection policy
At the law firm “YIANNATSIS AND ASSOCIATES” (hereinafter referred to as the “Company” or “Data Controller”), we fully respect the personal data of our clients and third parties. True to our principles, our Company provides information about the personal data it collects, the purpose of processing, the legal bases for processing, the manner of use, as well as the rights of the data subjects when they visit our premises or our website (www.yiannatsis.gr). Visitors to the website are required to carefully read the Privacy Protection Policy before visiting or using the pages and services, and in case of disagreement, they must refrain from using them.
ARTICLE 2 – Definitions
For the purposes of this policy, the following terms are understood as follows:
“Personal data“: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Special categories of personal data“: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
“Processing“: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Pseudonymization“: the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that it cannot be attributed to an identified or identifiable natural person.
“Data Controller“: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the data controller or the specific criteria for its nomination may be provided for by EU or Member State law.
“Processor“: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
“Consent” of the data subject: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“Personal data breach“: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
“Data concerning health“: Personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, and which reveal information about their health status.
“Applicable legal framework“: The provisions of the current Greek and European legislation for the protection of personal data, which govern the operation of our Company. Indicatively, Law 4624/2019, Regulation (EU) 2016/679, Law 3471/2006, Directive 2002/58/EC, Law 4194/2013, and Presidential Decree 81/2005.
ARTICLE 3 – General Principles of Processing Personal Data
Our Company, during the processing of personal data, adheres to the following principles:
- The principles of lawfulness, fairness, and transparency. According to these principles, personal data is subject to lawful and fair processing in a transparent manner in relation to the data subject.
- The principle of purpose limitation. According to this principle, personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.
- The principle of data minimization. According to this principle, personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- The principle of accuracy. According to this principle, personal data is accurate and, when necessary, kept up to date. Furthermore, all reasonable measures are taken to promptly erase or rectify inaccurate personal data in relation to the purposes of the processing.
- The principle of storage limitation. According to this principle, personal data is kept in a form that permits identification of the data subjects for no longer than is necessary for the purposes of the processing.
- The principles of integrity and confidentiality. Personal data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using suitable technical or organizational measures.
Article 4 – Collected Data
The collected information includes full name, father’s name, mother’s name, year of birth, place of birth, gender, nationality, residential address, workplace, email address, landline or mobile phone number, fax number, Identity Card Number (ID), Tax Identification Number (TIN), Professional Registry Number (if applicable), Social Security Registry information, bank account number, and credit/debit card details, data related to family status, education, and professional training.
Article 5 – Special Categories of Personal Data
Furthermore, within the framework of the mandate, our Company may collect and process data belonging to special categories of personal data (i.e., sensitive personal data), such as health-related information, copies of criminal records, and other data related to legal disputes.
Article 6 – Data of Minors
According to the applicable legislation, the Company is entitled to collect and process personal data of minors with the explicit consent of the minor, provided that they have reached the age of 15, or otherwise the lawful representative of the minor. In case the above-mentioned information is provided by a third party, the processing of personal data is permissible if it is necessary for the legitimate interests pursued by the Company or its principal.
Article 7 – Legal Bases for Processing
The processing of personal data made available to our Company takes place under the following legal bases:
- With the lawful consent of the data subject.
- When processing is necessary for the performance of a contract.
- For the purposes of the legitimate interests pursued by the Company or our principal.
- To comply with a legal obligation of the Company.
Specifically, in cases involving special categories of personal data (sensitive personal data), processing takes place under the following circumstances:
- With the lawful consent of the data subject.
- When it is necessary for the establishment, exercise, or defense of legal claims.
Article 8 – Cookies – Disclaimer for Third-Party Websites
In addition to the necessary cookies for the operation of our website www.yiannatsis.gr, our company also uses the cookies referred to in our corresponding Cookies Policy for continuous improvement of the visitor’s experience on the website.
In the case of redirection to a third-party website, the cookies policy of the respective third party applies. Furthermore, the company is not responsible for the content posted on third-party websites or for the privacy policy of those third parties.
Article 9 – Processing Purposes
Our company may collect and process personal data for the following purposes:
- To fulfill the contractual obligations of the company.
For the representation and defense of its principals before courts, authorities, and in general, the provision of legal services. Furthermore, within the framework of fulfilling its employer obligations, the company collects and processes personal data of its employees, while at the same time collecting and processing personal data of its general partners within the scope of the business relationships it develops.
In cases of submitting proposals for cooperation, the company processes the personal data sent to it for the purpose of evaluating the qualifications of potential collaborators. The legal basis for processing is the consent of the applicant. The data is retained for a reasonable period of one year for informing the applicant in case of a new job offer. In any case, the data subject has the right to request the immediate deletion of their personal data.
Article 10 – Transfer to Third Parties
It is possible for the company to transfer the above-mentioned data to third parties in cases provided for by the applicable legislative framework as its obligation. In such cases, it must adequately inform the data subjects before proceeding with the transfer.
The Company does not transfer personal data to countries outside the European Union.
Article 11 – Subscription to newsletters
If a data subject subscribes to our company’s newsletter, their email address will be used exclusively for this purpose and will not be disclosed to third parties. The data subject can choose to unsubscribe and have their data deleted at any time. Participation in our newsletter is valid for the calendar year of subscription and the following year. The data subject will have the option to renew their subscription to our newsletter. If they do not choose to renew their participation, their email address will be deleted from our newsletter.
This information is never disclosed to third parties. The recipient of the newsletters can be removed from the mailing list by using the Unsubscribe/Delete option.
Article 12 – Data Retention Period
The personal data we collect in the course of our activities is retained for the necessary duration to fulfill the order, provided that we have not received a deletion request from the data subject. After the order has been processed, the data is retained only in the form of a file with the lawful consent of the instructing party. In any case, data may be retained for as long as required by applicable legislation (e.g., tax laws).
Article 13 – Rights of Data Subjects with Personal Data
Data subjects can exercise their rights provided by the applicable legislation regarding the collection and processing of personal data at any time. These rights are as follows:
- The right of access to the data.
- The right to rectification of the data.
- The right to erasure of the data (“right to be forgotten”).
- The right to restriction of data processing.
- The right to data portability.
- The right to object to data processing.
If permitted by the applicable legislation, our company may reasonably refuse to fully or partially satisfy the data subject’s request regarding their personal data, providing justified reasons.
These rights can be exercised through physical presence, by mail to the address of the Company’s headquarters (38 Karneadou Street, Postal Code 10676), as well as through email communication to lawoffice@yiannatsis.gr. The identification of the data subject is established by a public document (copy or attachment to the email message) from which the person’s identity is evident (e.g., ID card, passport, driver’s license).
Our company is committed to responding within a reasonable period of one month from the receipt of the request and the identification of the data subject. If the nature of the request requires more time for satisfaction or if there is a large number of requests, our company will notify the data subject of the reasons for the delay within one month from the receipt of the request.
If the request is submitted electronically, the information is provided, if possible, by electronic means unless the data subject requests a different method of communication.
If the data subject’s request is clearly unfounded or excessive/abusive, particularly due to its repetitive nature, our company reserves the right to subject the satisfaction of the request to the payment of a reasonable fee or to refuse to comply with the request, always in accordance with the General Data Protection Regulation and the applicable legislation.
Furthermore, if the data subject considers that there has been a violation of their personal data, they have the right to address the Hellenic Data Protection Authority (HDPA) (www.dpa.gr).
The processing of personal data is carried out in a manner that ensures its confidentiality. Our company uses appropriate technical and organizational security measures and rules to protect the personal data of the data subjects from any unauthorized access, disclosure, loss, or accidental/unlawful destruction, and any other form of unlawful processing.
Article 14 – Updates to the Privacy Policy
Our company may modify this Privacy Policy without prior notification.
Version: May 2023
The above text is an accurate translation of the Greek text. In case of any discrepancies or inaccuracies in the translation, the Greek text shall prevail.