Privacy Policy

1. Scope

This privacy policy defines how CORDIA S.A. (hereinafter referred to as ‘CORDIA’ or the ‘Company’) collects, uses, processes, stores, manages, and protects the personal data (hereinafter referred to as ‘personal data’) of customers, suppliers, partners, subcontractors, job applicants and visitors to the website in order to meet the company’s data protection standards and comply with applicable law.

This policy applies to any information (i) that relates to the customer (hereinafter referred to as the “Customer”) as part of CORDIA S.A.’s provision of services or forging public relations with them; (ii) that relates to the supplier’s personal data as part of its commercial cooperation or provision of services with/to CORDIA S.A. or offer evaluation as part of market research; (iii) relating to the data of prospective employees which are collected during the recruitment procedure; (iv) relating to visitors and customers of the website of CORDIA S.A., http://www.cordia.gr/ (hereinafter referred to as the “Website”); (v) relating to customer data in the context of customer service (complaints recording procedure); (vi) relating to data of visitors to the Company’s facilities and through the use of CCTV.

CORDIA S.A. is committed to protecting the confidentiality of visitors / customers / suppliers / job applicants (individuals) and other data subjects to whom the personal data refer and to complying with the applicable data protection legislation.

2. Categories and Types of Collected Personal Data

• Collected data:

A. CV evaluation process: First and Last Name, Gender, Date of Birth, Telephone Numbers, E-mail, Residential Address, Nationality, Education Level, Education and Training History, Card ID Number, Desired Compensation, Work History (Experience), Criminal Record.

B. Procedure for the management of customers’ personal data as part of the provision of services (mail room services, area security & management of video surveillance systems and access cards, maintenance of electromechanical equipment, cleaning, management of corporate vehicles, technical support, telephone support – helpdesk, Stand By service): First and Last Name, Gender, Telephone Numbers, e-mail, Residential Address, Tax Identification Number, Bank Accounts, Card ID Number, Passport Number, Image Files (animated and static), Driving License Number, Behavioral / Position data – profiling (Start Date, Working Hours).

C. Procedure for the management of personal data of suppliers / partners / subcontractors in the context of commercial cooperation / provision of services (mail room services, area security, video surveillance and access card management, maintenance of electromechanical equipment, cleaning, management of corporate vehicles): First and Last Name, Gender, Telephone Numbers, e-mail, Residential Address, Tax Identification Number, Bank Accounts, Card ID Number, Passport Number, Image Files (animated and static), Driving License Number, Behavioral Data (Start Date, Working Hours), Signatures, Emergency Contact Details.

D. Contact procedure with website visitors: Arrangements concerning the subject’s consent.

E. Visitor monitoring procedure at the Company’s facilities: Telephone Numbers, e-mail, First and Last Name, Date of Birth, Card ID Number, Image files (animated and static), Vehicle License Plate, Work Location.

F. Offer evaluation procedure, market research, customer satisfaction research and promotion of products and services (Marketing): Company / Organization, Job Title, Job Location, Business Unit / Department, First and Last Name, Gender, Phone Numbers, e-mail, performance data (Performance Evaluation), profile data.

G. Closed Circuit Television (CCTV) system data: Image data (video).

Statement on the Processing of Personal Data by CORDIA S.A. [in its capacity as Controller and Processor – in accordance with the General Data Protection Regulation (EU) 679/2016]

Purposes of Personal Data Processing by CORDIA S.A.

CORDIA S.A. provides energy and environmental services, as well as integrated maintenance, operation, and facility management services, which include, inter alia, all kinds of maintenance, operation, supervision, supply and sale of all types of spare parts, materials and equipment, as well as marketing of items which are necessary for the performance of the above contracts.

The legal basis for the processing of personal data in this context is the performance of the relevant contract (provision of the services described above), CORDIA S.A.’s legitimate interest (indicatively in the cases of processing personal data as part of business opportunity research, evaluation of offers, product and service promotion activities) and in some cases the consent of the data subjects (marketing activities, receiving visitor data through the website, complaints recording, etc.).

In addition, CORDIA S.A. may collect personal data of prospective employees who are interested in working with the Company for the sole purpose of exploring the possibility of a future partnership – employment. The legal basis for the aforementioned data collection is the consent of the data subject who provides the necessary information for the processing as well as the processing of the personal data at the request of the data subject which is necessary for taking measures prior to the conclusion of a contract.

Information that is automatically collected during the visit and interaction with the Website

CORDIA S.A. website uses only essentially necessary cookies (necessary cookies) for the storage of the user’s consent while browsing the Website.

This means that when you visit and interact with the Website, no personal data are collected.

For a detailed description of the cookies used and the type of data collected through them, please refer to the ‘Cookies & other Technologies’ section.

CORDIA S.A. does not manage, collect, or process geographical distribution data, which are collected and processed exclusively by the companies that provide operating systems for each device you use (in case of use of iOS-Apple Inc or of Android – Google Inc). CORDIA S.A. does not have access to GPS location refresh rate.

3. Data collection points

1. General Electronic Commercial Registry (G.E.MI. website) – B, C

2. Sole proprietorships, customers – B, C, F

3. Sole proprietorships, suppliers – B, C, F

4. Job applicants – A

5. Companies / online platforms for staff management / evaluation – A

6. Video surveillance systems – E, G

7. Website – D

4. Recipients and transfer of data to third parties

CORDIA S.A. reserves the right to disclose the personal data of the data subjects to any member of its affiliate / subsidiary companies (parent company and its subsidiaries) which have in place appropriate technical, physical, legal and administrative security measures for the protection of personal data from loss, misuse, damage, alteration, unauthorized access and disclosure, as provided for in Article 32 of the General Data Protection Regulation, i.e. Regulation (EU) 2016/679, or to other third parties to the extent that this is reasonably necessary for the purposes stipulated in this policy and more in particular:

• The personal data of the data subject shall be transferred to the internal departments of CORDIA S.A. which are responsible for the smooth and unimpeded provision of the Company’s services and the functionalities of its Website as well as for the service of customers within the evaluation / management process of their complaints / requests.

• Personal data of the data subjects may be transmitted and accessed by legal entities (partners, subcontractors, etc.) with whom we enter into contractual agreements from time to time in order to pursue our statutory purpose (provision of services) in the legitimate interest of our company.

• Personal data relating to invoicing may be transferred and made accessible to banking institutions with which we work to process employee payments as well as to relevant public bodies as part of our compliance with a legal obligation.

• Personal data of the data subjects may be disclosed to cloud hosting providers for the purpose of storing and safeguarding the data with the appropriate technical and security measures.

• The personal data of customers and / or suppliers (sole proprietorships) may be disclosed to companies providing commercial and financial information concerning the creditworthiness of traders in order to exercise the right to financial freedom based on information that ensures commercial trust, credibility, and security of transactions. We enter into personal data processing agreements with these companies under GDPR.

• In the course of all data transfers, we always take all appropriate measures to ensure that the data transferred is the minimum required for the intended purpose of the processing and that the conditions for lawful and valid processing will be met in all cases. CORDIA S.A.’s partners to whom the personal data may be transferred have signed the necessary data processing agreements or have provided certain guarantees regarding the transfers of personal data by applying standard contractual clauses in their agreements.

5. Personal Data Retention Period

The retention period of personal data depends on the legal basis for processing, as detailed below:

• Where the legal basis for processing is the exercise of the legitimate interest, the processing and retention of personal data shall be carried out for as long as it is deemed necessary to achieve the intended purpose of CORDIA S.A., as well as for as long as necessary for any relevant claims to become time barred.

• Where the Customer Information personal data is provided with their own consent during the dispatch of the CV or data via the contact form of the Website, we shall retain their data until the data subject withdraws his/her consent. If, for any reason, such consent is interrupted, we shall retain them for as long as necessary until any relevant claims become time barred.

• If the legal basis for processing is the performance of the contract, we shall retain your data for as long as you maintain a contractual relationship with us in both paper and electronic form or for the remaining time until any relevant claims (civil, tax, etc.) become time barred.

• If the processing of personal data is carried out on the basis of a legal obligation [Article 6(c) of the GDPR], their retention period is determined on the basis of the statutory requirements and the period during which audits can be carried out by the competent authorities.

In any case, the exact retention periods of personal data for each individual processing procedure are recorded in the personal data retention register of CORDIA S.A. as provided for by the GDPR. You can get detailed information on the specific retention periods of personal data by submitting a request in accordance with the procedure set out in this policy.

6. Legitimate Interest – Intended Use – Legal basis for data processing

CORDIA S.A. has created and maintains a database of customers, partners, and suppliers, as part of its general business activity (provision of energy and environmental services, as well as maintenance, operation, and facility management services), in accordance with the aforementioned and the pursuit of its statutory objectives. CORDIA S.A. processes and stores such data within the EU, while in certain cases the personal data may be transferred to countries outside the EEA. During the transmission of personal data to these countries, CORDIA S.A. ensures that the recipient of the data provides appropriate data protection safeguards (such as, but not limited to, signing contractual clauses between the controller and the processor / recipient, binding corporate rules in place, etc.).

The legal basis for the processing of personal data in this context is the performance of the relevant contract (as part of the provision of the services described above), the legitimate interest of CORDIA S.A. (indicatively in the cases of processing of personal data as part of business opportunity research, offer evaluation, product and service promotion activities) and in some cases the consent of the data subjects (marketing actions, receiving visitor data through the website, complaints recording).

For the assessment of the prospect of professional cooperation, CORDIA S.A. accepts and assesses CVs provided with the consent of prospective employees and processes them at the request of the subjects for the purpose of concluding an employment contract.

7. Rights of data subjects

You may exercise, as the case may be, your rights under the applicable Greek legislation and the General Data Protection Regulation [Regulation (EU) 2016/679], which are the following: a. Right to be informed (Article 13); b. Right of access (Article 15); c. Right to rectification (Article 16); d. Right to erasure, ‘right to be forgotten’ (Article 17); e. Right to restriction of processing (Article 18); f. Right to data portability (receiving personal data in a structured and commonly used format – Article 20, where applicable); and g. Right to object (Article 21), applicable to certain data processing activities.

• These rights may be exercised only in cases where CORDIA S.A. acts as a Data Protection Officer and in particular a) in the processing of personal data of prospective employees for the assessment of the possibility of a potential professional cooperation b) in the processing of personal data related to the pursuit of its statutory purpose (provision of services) c) in the processing of personal data of customers during the assessment procedure and the dealing with complaints/requests d) for the processing of suppliers / partners’ data during billing procedure.

• These rights are exercised free of charge with the dispatch of a relevant letter to the Data Protection Officer of CORDIA S.A., addressed to the Complaints / Customer Service Department of CORDIA S.A.: 2 Attikis & Thermopylon Street, P.C. 15235 Vrilissia, Attica, dpm@cordia.gr.

• However, if the aforementioned rights are exercised abusively and for no reasonable cause, thus causing an administrative burden, we may charge you the costs related to the exercise of the respective right.

• If you exercise any of your rights, we shall take all reasonable steps to respond to your request within thirty (30) days of receipt of your request. We may either inform you of the acceptance of your request or of any objective reason that prevents us from processing your request.

• Notwithstanding the above, you have the possibility at any time to object to personal data processing by withdrawing your consent [Article 7 (3) of the GDPR, i.e. Regulation (EU) 2016/679] by sending a letter to the Data Protection Officer (DPO) of CORDIA S.A.: dpm@cordia.gr. This right applies only in cases where the legal basis for data processing is the consent of the data subject.

8. Data processing by CORDIA S.A.

In some cases, our customers provide their business data, such as customer, supplier, or third-party data – which may contain personal data (which may refer to individuals or companies) – as part of our provision of services. In such cases, CORDIA S.A. shall act as the ‘Processor’ of the personal data included in such business data. Therefore, different provisions of the General Data Protection Regulation (GDPR), i.e., Regulation (EU) 2016/679 apply in these cases, to which we adhere.

In addition, CORDIA S.A. applies throughout the data processing procedure all appropriate technical, physical and administrative security measures for the protection and safety of personal data against loss, misuse, damage or alteration, unauthorized access and disclosure, in accordance with Article 32 of the General Data Protection Regulation, i.e. the Regulation (EU) 2016/679, in order to ensure the appropriate level of security against these risks. These include, inter alia, as appropriate: a) the application of encryption protocols; b) the ability to ensure confidentiality (Article 90 of the General Data Protection Regulation (EU) 2016/679), integrity, availability and resilience of processing systems and services on an ongoing basis; c) the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; d) the process of regular monitoring, evaluation and assessment of the effectiveness of technical and organizational measures in order to ensure the security of processing.

In addition, CORDIA S.A. takes measures to ensure that any individual acting under the supervision of a data controller who has access to personal data shall only process such data under the instructions of the data controller and shall reserve access to your personal information solely to authorized employees.

The indicative security measures applied by CORDIA S.A. are as follows:

A. Organizational security measures

1. Appointment of a Personal Data Protection Officer

2. Staff Organization / Management – defining roles and responsibilities for the people involved in the processing of personal data

3. Management of information assets

4. Staff training on personal data security – information on the individual policies / procedures of CORDIA S.A.

5. Management of processors

6. Establishment of a procedure for the destruction of data and storage media

7. Management of personal data breach incidents

8. Monitoring of security measures

B. Technical safety measures

1. Access control

2. Backups

3. Computer configuration

4. User action and security event logs

5. Management and protection of external – removable storage media

6. Software and application security

7. Change management

C. Physical security measures

1. Physical access control

2. Environmental safety – protection against natural disasters

3. Protection of portable storage media

9. Profiling

We use the information we collect during the provision of our services (security and CCTV management services, access cards issuance, help desk services, mailroom management) to optimize our services. In particular, we collect data such as first and last name, identity, job position, title, and other behavioral data (entering and exiting workplaces) on a case-by-case basis.

CORDIA S.A. does not use this data to make decisions about an organization – nor does it maintain blacklists and does not encourage customers to decide whether to deal with a business entity or a sole proprietorship.

10. Cookies & other Technologies

1. What are cookies and why CORDIA S.A. uses them: Cookies are pieces of information, which in the form of very small text, usually consisting of letters and numbers, are stored in the browser used by each User / Customer (Chrome, Mozilla Firefox etc.), contributing to a more efficient operation of the Website. Under no circumstances do cookies cause damage to the users’ computers or to the files stored on them. The information stored in cookies is used for identification purposes. We thus manage to operate the Website in an efficient way. The Website solely uses the essentially necessary cookie entitled ‘cookie consent’ which stores the consent of the user who visits the Website during his / her browsing.

2. Under no circumstances do cookies contain personal information or information that would allow anyone to contact the visitor of the Website, via phone, e-mail, etc. Moreover, with the use of cookies no access is granted to documents or files on your computer.

3. Technically necessary cookies are essential for the proper functioning of the website; they allow you to browse and use its functions. These cookies do not identify you personally. Without these cookies, we cannot offer an effective operation of our website.

The website software is designed to ensure the highest level of security and trust. All information contained in applications submitted through the website is equally secure and confidential. Only authorized employees who have been properly trained in handling Customer / visitor personal data shall have access to this information and only when this is necessary in order to satisfy your requests and for the performance of the relevant contract.

11. Submission of a complaint – Appeal

• For any matter relating to the processing of personal data, you can contact us via email at dpm@cordia.gr.

• In addition, you always have the right to contact the Hellenic Data Protection Authority, which may receive the relevant complaints in writing in its secretariat at its offices at 1-3 Kifisias Street, P.C. 115 23, Athens or via e-mail (contact@dpa.gr) in accordance with the instructions contained on its website.

12. Modifications

This policy may be updated from time to time, due to changes in the relevant legislation or a change in the corporate structure of CORDIA S.A. We thus encourage Customers / Visitors to visit this website from time to time in order to keep themselves up to date with the latest information on our personal data protection practices. In any case, Customers may be notified via email or notice on our website of any modifications to this policy.

Privacy Policy for Video Surveillance Systems

  1. Introduction
    Controller: The company under the name ‘CORDIA S.A.’ keeps installed in its facilities an active video surveillance system, which is used for the protection of persons and assets.
  2. Legal Basis for the Processing Operation
    The processing is necessary for the purposes of legitimate interests pursued by CORDIA S.A. as a Controller [Article 6(1), point (f)] of the General Data Protection Regulation, i.e. Regulation (EU) 2016/679 (hereinafter referred to as ‘GDPR’).
  3. Analysis of Legitimate Interests
    The legitimate interest of CORDIA S.A. is based on the need to protect its facilities and the goods therein from unlawful acts (e.g. theft etc.), as well as the need to protect safety of life, physical integrity, health and property of its staff and third parties who are legally present in the surveilled area.
    CORDIA S.A. limits recording in areas where it has assessed that there is an increased likelihood of committing illegal acts, e.g. theft, such as the entrance and parking lot of corporate vehicles, without focusing on areas where the privacy of the persons whose image is taken may be excessively restricted, including their right for respect of personal data.

  1. Data collected
    The only personal data we collect through the video surveillance system is image data.
  2. Data recipients
    The retained material may be accessed only by the competent and specifically authorized to this end staff of CORDIA S.A., who are in charge of the site / facility security. The material is not transmitted to third parties, except in the following cases: i) to the competent judicial, prosecutorial and police authorities when it contains data necessary for the investigation of a criminal offence regarding persons or assets of the Controller; ii) to the competent judicial, prosecutorial and police authorities when they lawfully request data during the discharge of their duties; and iii) to the victim or perpetrator of a criminal offence, when the data may constitute evidence of the offence.
  3. Retention Periods
    The data is kept for 14 calendar days after which it is automatically deleted. In the event that an incident is detected during this period, part of the video is isolated and kept for up to one (1) more month, in order to investigate the incident and bring legal actions for the defense of CORDIA S.A.’s legitimate interests; if the incident concerns a third party the video shall be retained for up to three (3) more months.
  4. International Data Transfers
    The processing of personal data shall be mainly carried out within a Member State of the European Union (EU).
  5. Your Rights and How to Exercise them
    Under GDPR you have the following rights:
    ● Right of access: you have the right to know if we are processing your image and, if so, to receive a copy.
    ● Right of restriction: you have the right to request from us to restrict processing, e.g. not to erase data that you consider necessary for the establishment, exercise or defense of legal claims.
    ● Right to object: you have the right to object to processing.
    ● Right to deletion: you have the right to request that we delete your data.
    In order to exercise your rights, you can contact CORDIA S.A. as below: Vrilissia Attica, 2 Attikis and Thermopylon str., P.C. 152 35, tel. (+30) 210 6085030, e-mail dpm@cordia.gr. More information can be found in the CORDIA S.A. Privacy Policy, which is available in our website http://www.cordia.gr/.
    In order for CORDIA S.A. to consider a request related to your image, you are required to identify approximately the period of time you were within the range of the cameras and provide CORDIA S.A. with an image of you in order to facilitate the identification of your own data and to ensure the concealment of any depicted third persons’ data. Alternatively, you may visit the facilities of CORDIA S.A. to view the images which depict you.
    Please note that the exercise of the right to object or deletion does not entail the prompt removal of data or the modification of processing. In any case, CORDIA S.A. shall reply to you in detail as soon as possible, within the timeframe set by the GDPR.
    If you believe that the processing of your data is in breach of the GDPR, you have the right to submit a complaint with the relevant supervisory authority, namely the Data Protection Authority (1-3 Kifisias Street, P.C. 11523, Athens, https://www.dpa.gr/, tel. (30) 210-6475600), after contacting first the Data Controller as described above.