Notice regarding the Processing of Personal Data of Employees, Candidates Employees and Former Employees, in accordance with current Greek and European Union legislation

Last update: 10.05.2024

Contents

1. Introduction
2. Data Controller
3. Contact details of the Data Protection Officer
4. Legal basis for processing
5. Processing purposes
6. Types of personal data to be processed and sources of personal data
7. Access to data
8. Transfer to third countries
9. Data retention period
10. Data security
11. Employee rights
12. Update

1. Introduction

ELPEN PHARMACEUTICALS CO INC. (hereinafter referred to as 'ELPEN' or 'our company') considers its Human Resources to be its most important asset, seeking long-term and stable collaborations with its employees.

The current Notice regarding the Processing of Personal Data of Employees, Candidates Employees and Former Employees,  (hereinafter referred to as "the Notice") is intended to inform employees, former employees and candidates employees regarding the scope of the processing of their personal data, as well as to explain their rights in relation to such data, taking into account the General Data Protection Regulation (EU) 2016/679 and the provisions of the relevant Greek and European Union legislation on the protection of personal data.

For the purposes of the Notice, the following has as:  

Employees: those who are employed by our company under any form of employment.

Candidates Employees: those who send, electronically or otherwise, their curriculum vitae or application for the purpose of any form of employment with our company.

Former Employees: those who have been employed by our company in any form of employment, which has terminated or been terminated for any reason, and the employee has left the company.

Processing of personal data: any action taken in relation to personal data of the aforementioned subjects (and, where applicable, their relatives), from the initial collection to the final deletion and/or destruction, and which concerns indicative actions such as, recording, organization, storage, alteration, retrieval, information consultation, use, transmission, dissemination or otherwise making available, alignment, restriction, etc.; and is carried out with or without the use of automated means (hereinafter referred to as 'the Processing').

2. Data Controller

ELPEN PHARMACEUTICALS CO INC -  ELPEN CO INC.
Headquarters: 95 Marathonos Avenue, Postal Code 190 09, Pikermi, Attica
Telephone: +30 211 1865 000
Email: info@elpen.gr
Website: www.elpen.gr
G.E.MI.: 000264601000

3. Contact details of the Data Protection Officer

Athena Eleftheriadou, Attorney at Law, DPO ELPEN PHARMACEUTICALS CO INC.
Marathonos Avenue 95, 190 09, Pikermi, Attica, Greece
Email: dpo@elpen.gr 

4. Legal basis for processing

The processing of personal data of its employees by ELPEN is lawful in every respect and is based on the conditions set by the existing legislation. In principle, our company collects and processes personal data, in accordance with Article 6 par. 1(b) of the GDPR, of employees, former employees and candidates employees of the company, to the extent that such processing is necessary for the performance of a contract to which the data subject is a party; or to take measures, at the request of the data subject prior to the conclusion of the contract. Also for the purposes of settling issues relating to the termination of the employment or engagement relationship with ELPEN, as well as for the management of requests for the granting of data and information related to the terminated employment relationship, such as, information requested by social security funds or even by the former employee themself, information related to company benefits, which may continue to apply after the termination of the employment relationship.

In addition, it may process personal data necessary for the compliance by the company itself, as controller, with a legal obligation in accordance with Article 6 par.1(c) of the GDPR, such as compliance with obligations arising for the employer under labor or insurance legislation.

In some cases, the data subject may have consented to the processing of their personal data for one or multiple specific purposes, in accordance with Article 6 par. 1(a) of the GDPR, for example, by voluntarily sending their CV to the published addresses of our company.

Furthermore, in some cases, the processing of personal data is necessary for the purposes of the legitimate interests pursued by ELPEN as the controller, pursuant to Article 6 par. 1(f) of the GDPR, insofar they include, for example, the selection and recruitment of a suitable candidate for a specific position or the assessment of the employee's performance and compliance with their  obligations under the employment contract, as well as the establishment, support or exercise of legal claims and corporate interests of the company, for the purpose of serving the regular business continuity and the exercise of its rights under, in particular, the labor and insurance law.

Regarding the collection and processing of special categories of personal data, particularly data concerning the health of employees, ELPEN shall proceed with it, on the one hand, when processing is necessary for the performance of obligations and the exercise of its specific rights as controller or of the respective employee as the data subject, in the field of labor law and social security and social protection law, pursuant to Article 9(2)(b) of the GDPR, and conversely, when processing is necessary for purposes of preventive or occupational medicine (e.g., Greek Law 3850/2010), assessment of the employee's ability for work, according to Article 9(2)(h) of the GDPR.

5. Processing purposes

Any collection and processing of personal data of employees by ELPEN is carried out in accordance with existing legislation, fully compliant with the General Data Protection Regulation and with absolute respect for the principles governing processing under the law, with the aim of ensuring security and confidentiality. Our company collects and processes personal data of employees, as detailed above, intended to serve specific purposes, always within the framework of the employment relationship, before, during, and possibly after its termination. Specifically, such purposes include the following:

a. Receiving, collecting, classifying, and reviewing resumes and job applications of candidates employees.

b. General communication with employees.

c. Searching for and selecting suitable candidates for employment.

d. Inviting for interviews and evaluating candidates during interviews.

e. Sending job offers and obtaining, collecting, and retaining the hiring documents of new employees.

f. Drafting, signing, retaining, and enforcing employment contracts.

g. Maintaining an employee file register of the company.

h. Updating and modifying employee details.

i. Managing payroll, leaves, and employee group insurance programs.

j. Managing potential termination of employment with an employee.

k. Managing employee training and evaluation within the company.

l. Compliance with legal obligations of the company as an employer.

m. Managing benefits for employees at the discretion of the company. Assessing and selecting suitable candidates for employment and evaluating hired employees, based on defined criteria and trusting the judgments of its personnel (responsible persons) on a case-by-case basis, in accordance with its policies, without resorting to automated decision-making.

n. Physical security of the company's buildings, machinery, vehicles, and other assets.

o. Maintaining a record archive for the purpose of serving any exercise of rights, issuing employment-related certificates, and satisfying requests related to the employment of employees or prior employment of former employees, and for fulfilling the obligations and protecting the legal interests of ELPEN arising from the respective applicable legislative and regulatory framework, during the employment relationship, as well as after its termination by any means, expiration, termination, or other termination of employment of former employees.

p. Serving the regular operational functioning and protection of confidential corporate information and intellectual property rights and patents. For this purpose, monitoring of the corporate email may occur after the employee's departure from the company or during their absence due to illness or any other leave.

q. Identifying any breaches of corporate procedures and policies, fraud, or generally any illicit activity.

r. Documenting corporate transactions.

s. Investigating security incidents and any breaches of personal data, and generally ensuring the security of the company's information systems.

t. Conducting regular or ad hoc employee training sessions.

6. Types of personal data to be processed and sources of personal data

Personal data that may be processed by ELPEN primarily include the usual personal data that candidates employees may provide to the company upon their application for employment, including information that each candidate may choose to include at their discretion in their resume. Additionally, personal data for processing may include those collected directly by our company from its employees during the hiring process and/or during the course of and for the needs of the employment relationship. In this context, special categories of personal data may also be provided to ELPEN, especially data concerning health.

The personal data processed by ELPEN mainly belong to the following categories, explicitly noting that the entirety of the below data and generally information provided through this Notice may not concern you:

A. Personal data collected from the data subject themselves, namely each candidate, before its employment and during its application for employment by our company, may include (but not limited to): Full name, Specialty, Address, Telephone, Email, Date of birth, Place of birth, Nationality, Citizenship, Identity Card Number (ID), Marital status, Protected Members, Military obligations, Driving ability, Driver's license for car/motorcycle, Education, Knowledge of foreign languages, Professional experience and Employment history, Professional license, Recommendations, Personal medical history, and any other information that the data subject may mention in their Resume.

B. Personal data collected from the employee during their hiring process, for its completion, as well as during or after the termination of the employment relationship, in addition to the above, may include (but not limited to): Father's name, Mother's name, Social Security Number, Tax Identification Number and Tax Office, ID card, Driver's license, Copies of degrees, Employment stamps, Employment status from Social Security, Employment certificates, Tax clearance certificate, Copy of recent Public Utility Company bill or lease contract, Bank account number and IBAN, Medical examinations (if required), Employee Registration Number, Job position, Salary, Marital status, Emergency contact person and phone number, Spouse's name, Details of cohabiting and dependent individuals, evaluation data from participation in training programs (physical attendance or e-learning), image or sound data from training recordings, certificates of attendance at seminars, conferences, educational programs, etc., photograph (in physical or electronic, digitized and non-editable form).

Furthermore, health data (individual health file, biometric information, and results of measurements/examinations that are either provided by law or carried out as part of health promotion actions, in which the employee voluntarily participates, data regarding disability, etc.) may be processed.

Also, processing may occur on access data to the company's systems and files, data collected through closed-circuit television from the company's premises for the protection and security of persons, infrastructure, and generally the company's property, as well as data resulting from the use of communication means in the workplace or related to it, such as telephony and telephone bills, corporate email, or internet use, and other information acquired through electronic means, such as access cards to corporate premises or timekeeping, fuel cards, employee expenses, etc., based on the company's policies and in accordance with applicable law.

Finally, data concerning actions constituting a violation of the company's regulation, principles, codes, or policies, and any disciplinary penalties imposed in accordance with the established corporate procedures, etc.

C. Before hiring, during the interview process with candidates employees, and during the employment relationship, employees, as well as all company executives and supervisors, are subject to evaluation by their supervisors, according to ELPEN's established policy and commitment to continuous progress and development. Data related to the evaluation process include exclusively general and non-personalized references to the employee's performance (e.g., "good," "very good," "excellent").

7. Access to data

The personal data of employees and candidates employees of ELPEN are processed by the personnel of the Human Resources Department and the Finance Department of our company, the supervisors and heads of the respective departments of the company to which the employees belong, and on a case-by-case basis, by members of the Board of Directors of the company.

Furthermore, recipients of personal data include public services, authorities, and bodies to which they are communicated as provided in the applicable legislation and in accordance with the corresponding obligations of ELPEN as an employer. Our company may also be required to disclose certain personal data of its employees to third parties, such as government and judicial authorities, always in accordance with the existing legislation, as well as to substantiate, support, or exercise its legal claims against an employee and to protect its rights arising from the employment relationship.

Moreover, our company may, on a case-by-case basis, transfer personal data of employees, former employees, or candidates employees to cooperating third parties, for which transfer the respective consent of the data subjects is obtained when required. Such collaborators may include, for example, insurance companies for the implementation of an employee group insurance program, lawyers or law firms, consulting firms, etc. In each case, ELPEN, in order to ensure the existence of adequate safeguards for the secure processing of data by third parties, binds its collaborators with the corresponding contractual clauses and, if required, carries out the relevant checks.

8. Transfer to third countries

Data processing takes place in Greece and, in any case, within the European Union.

As a rule, our Company does not transfer data to countries outside the EU. In exceptional cases, where this is required, ELPEN complies with all the terms of safe transfer based on existing legislation and transfers data to third countries for which the European Commission has decided that the level of protection is adequate (Article 45 GDPR). If the European Commission has not made a decision in this regard, our Company transfers personal data to a third country only if it ensures, by other means provided for in existing legislation, that the level of protection is adequate (such as signing the Standard Contractual Clauses of the European Commission, as well as other ways).

9. Data retention period

The personal data of employees, candidates, and former employees are stored/maintained in physical, electronic, or other suitable format files and are retained by ELPEN only for as long as necessary to fulfill the purpose for which they were collected, as described in the Notice, based on their nature, the contractual relationship governing their storage, and the relevant legal obligations of the company. These data are kept in any case only for a reasonable period of time and in accordance with applicable law, and then deleted when the purpose of their processing ceases to exist, unless there is a reason for temporary processing to fulfill a legal obligation (based, for example, on tax or insurance legislation, within the framework of a trial, or any other specific legal/regulatory framework governing the company's operation).

 ELPEN may retain the personal data of employees, candidates, and former employees until the expiration of the statutory limitation period for claims, namely up to twenty (20) years from the termination or any other termination of the employment relationship. If any legal proceedings concerning the data subjects are ongoing within the twenty (20) years, the relevant retention period for personal data will be extended until an unappealable court decision is issued.

In cases where indefinite retention of personal data by our company is desired to serve future needs after the specified period (e.g., for issuing a work experience certificate), former employees may, upon request, provide their explicit written consent.

10. Data Security

ELPEN makes every effort to adopt appropriate technical and organizational measures to ensure the integrity of the data subjects' personal data, ensuring the appropriate level of protection against potential risks and establishing procedures to address any incidents of breaches. Data processing systems and services are constantly monitored to ensure their best possible safeguarding and protection from loss, destruction, misuse, and/or unauthorized access.

11. Employee Rights

Under the existing legislation, particularly the GDPR, employees, as well as candidates or former employees, maintain the following rights, to the extent that their data is processed by ELPEN, for which they may communicate with the company using the contact details provided below:

1.To be informed about the processing of their personal data by our company.

2.To access or request a copy of their data.

3.To request correction or completion of their data if they consider it to be inaccurate, incomplete, or incorrect.

4.To request the deletion of their personal data when the data are no longer necessary for the intended purpose, are being processed unlawfully, or must be deleted in compliance with a legal obligation, or in cases where data processing is based on ELPEN's legitimate interest if you object to the processing and there is no overriding legitimate interest for the processing.

5.To object to some or all of the purposes of processing their personal data or to request restriction of processing under the legal conditions and to the extent possible.

6.To withdraw their consent for the collection and processing of their personal data by ELPEN, to the extent that ELPEN constitutes the legal basis for processing.

7.To lodge a complaint with the competent supervisory authority, in this case, the Hellenic Data Protection Authority, at the email address complaints@dpa.gr.

If you have any questions or comments regarding this Notice or if you wish to exercise any of your rights, you can contact us at email: dpo@elpen.gr.

12. Update

ELPEN reserves the right to amend and/or update this Notice at any time, as deemed necessary. In the event of updates and/or substantial changes, the Notice will be communicated to the relevant parties in a manner that our company deems appropriate and effective, always with the aim of ensuring comprehensive and clear prior notification of the subjects and/or obtaining their consent, where required, while the date of the last update of this document will accordingly be modified.