Privacy and Data Protection Policy of IMBRIW (INSTITUTE OF MARINE BIOLOGICAL RESOURCES AND INLAND WATERS) of EL.KE.TH.E “HCMR” (Hellenic Center of Marine Research)

Application Date: 9/9/2020

Thank you for visiting the Website of the Legal Entity under Public Law “INSTITUTE OF MARINE BIOLOGICAL RESOURCES AND INLAND WATERS”, with the distinctive title “IMBRIW”, with Tax Identification Number 999355106, Tax Office of Koropi, which is located at 46th km Souniou Avenue, in Anavyssos, Attica.

Before using our service, please read this Personal Data Protection Policy carefully.

Introduction

“INSTITUTE OF MARINE BIOLOGICAL RESOURCES AND INLAND WATERS” (hereinafter “IMBRIW”), the controller, informs you about how information about you is collected and processed.
Personal Data is any information that refers to individuals whose identities are known or can be verified.
The protection of your Personal Data is very important for IMBRIW. We process Personal Data in accordance with data protection legislation and ensure that our staff is aware of their obligations when processing Personal Data on behalf of the Organisation. The aim of this policy is to ensure that the processing of Personal Data by IMBRIW complies with the requirements of data protection legislation and that its staff is aware of the rights of the subjects and the obligations of the Organisation when processing Personal Data. As described in the Terms of Use and the Cookies Policy, the services provided through the website are aimed at the public, do not target minors and do not process Personal Data for minors under 16 years of age.

The Policy applies to all members of the Organisation and to all Personal Data that are
processed on behalf of IMBRIW by any means and in any form.

Definitions

“Personal Data”: means any information relating to an identified or identifiable natural
person (‘data subject’); an identifiable natural person is one who can be identified, directly
or indirectly, in particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Processing”: means any operation or set of operations which is performed on Personal
Data or on sets of Personal Data, whether or not by automated means, such as collection,
recording, organisation, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction;

“Restriction of Processing”: means the marking of stored Personal Data with a view to
limiting their processing in the future;

“Controller”: means the natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and means of the processing of
Personal Data; where the purposes and means of such processing are determined by Union
or Member State law, the controller or the specific criteria for its nomination may be
provided for by Union or Member State law; in this case IMBRIW.

“Processor”: the natural or legal person, the public authority, the service or other body that
processes Personal Data on behalf of IMBRIW.

“Consent” of the data subject means any freely given, specific, informed and unambiguous
indication of the data subject’s wishes by which he or she, by a statement or by a clear
affirmative action, signifies agreement to the processing of Personal Data relating to him or
her;

“Personal Data breach”: means a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data
transmitted, stored or otherwise processed;

“Data Subject”: The person (natural person) to whom the data refers.

“Personal Data Protection Legislation”: includes Regulation 2016/679 on data protection
(GDPR) and Law 2472/1997 on Personal Data Protection, instructions and decisions of the
Personal Data Protection Authority, Law 3471/2006 on the protection of Personal Data in
electronic communications and any other specific legislation in force in Greece regarding the
protection of privacy and / or the processing of Personal Data. The legislation for data
protection governs the way in which the data controller such as IMBRIW can process the
Personal Data of the subjects, while recording and securing their rights.

“Personal Data Protection Authority (DPA)”: is the Greek DPA, located at 1-3 Kifissias
Avenue, PC 115 23, Athens, tel.: + 30-210 6475600, Fax: + 30-2106475628, www.dpa.gr. DPA
is a constitutionally established independent public authority, which has as its mission the
supervision of the application of the General Data Protection Regulation (GDPR), national
laws 4624/2019 and 3471/2006, as well as other regulations concerning the protection of
the individual from the processing of Personal Data. The Greek DPA is preoccupied with
protecting the rights and the privacy of the individual, aiding them in case of violation of
their rights and offering support and guidance to the controllers for their complying with the
rule of law.

“Recipient”: means a natural or legal person, public authority, agency or another body, to
which the Personal Data are disclosed, whether a third party or not. However, public
authorities which may receive Personal Data in the framework of a particular inquiry in
accordance with Union or Member State law shall not be regarded as recipients; the
processing of those data by those public authorities shall be in compliance with the
applicable data protection rules according to the purposes of the processing;

“Third party”: means a natural or legal person, public authority, agency or body other than
the data subject, controller, processor and persons who, under the direct authority of the
controller or processor, are authorised to process Personal Data;

“Data Protection Policy”: a set of rules and procedures that everyone involved in the
organisation is required to follow. They balance the right and the need of the Organisation
like IMBRIW to process Personal Data with the obligation to protect the rights and respect for
the privacy of the Data Subject.

“Staff”: includes all employees of IMBRIW which are linked to an employment contract or the
provision of services as well as all temporary staff, contractors, consultants and third parties
with whom there is cooperation and in the framework of which contracts have been
concluded or confidentiality or non-disclosure clauses have been included.

“IMBRIW”: The Organisation with the name “INSTITUTE OF MARINE BIOLOGICAL RESOURCES AND INLAND WATERS” and
the distinctive title “IMBRIW”.

IMBRIW complies with GDPR

IMBRIW respects and observes the principles governing the processing of Personal Data,
namely:
(a) Personal Data are processed lawfully and in a transparent manner in
relation to the data subject (“legality, objectivity and transparency”). This means IMBRIW will
use Personal Data fairly and determine a legal basis for processing. When subjects provide Personal Data to IMBRIW for the first time, or if the purpose of the processing
changes, they have the right to request to know the way, the purpose, the period for which
their Personal Data will be stored, the recipients or the categories of recipients, the contact
information of the controller and the DPO, their rights with regard to data, including data
access and transfer rights, correction and deletion, the right to object to the processing, the
consequences of not providing the Personal Data required by law or for contractual
purposes, and the existence and rights associated with automated decision-making,
including profiling.

(b) Personal Data are collected for specified, express and lawful purposes and are not further
processed in a manner incompatible with those purposes (“limitation of purpose”).
IMBRIW processes Personal Data for processing purposes only and will not use them for other
purposes that are not compatible with the original purposes. Subject to appropriate
safeguards, further processing for archiving purposes of general interest, scientific or
historical research or statistical purposes shall not be considered incompatible with the
original purposes.

(c) Personal Data are appropriate, relevant and limited to what is necessary for the purposes
for which they are processed (“data minimization”). IMBRIW ensures that only the absolutely
necessary Personal Data are processed, for the purpose for which they were collected and
will not be collected or retained because they may be useful in the future.

(d) Personal Data are accurate and, where necessary, updated; all reasonable steps will be
taken to promptly delete or correct Personal Data which is inaccurate in relation to the
purposes of the processing (“accuracy”). The data will be inaccurate when they are incorrect
or misleading as to the facts to which they refer. IMBRIW has created and will periodically
check whether it needs to develop other procedures, to maintain the quality of data
collection, whether collected or received by the Organisation or not, as well as for their
exact modification, update or correction.

(e) Personal Data are kept in a form which allows the identification of data subjects only for the period
required for the purposes of the processing of Personal Data (“limitation of the storage
period”), and which in no case exceeds the period necessary for the purposes for which the
Personal Data are processed. Each Address, Department or Office of the organisation is
responsible for identifying and complying with the appropriate retention periods, as well as for
ensuring their safe destruction when the time elapses or the purpose of processing ceases and
there is no legal requirement or legitimate interest or right to continue their retention.
They may be stored for a longer period of time, provided that Personal Data are processed
solely for the purposes of archiving in the public interest, scientific and historical research or
for statistical purposes subject to the application of appropriate technical and Organisational
measures.

(f) Personal Data shall be processed in such a way as to guarantee the appropriate security
of Personal Data, including their protection against unauthorized or unlawful processing and
accidental loss, destruction or deterioration, using appropriate technical or Organisational
measures (“integrity and confidentiality”). For this reason, any Personal Data Processing on
behalf of IMBRIW or Personal Data collected by the Organisation, takes place in compliance
with strict contractual clauses. The Data Protection Officer of IMBRIW participates, learns and
presents to the management its point of view in the initial stages of each project or in the
proposed change of a process that has significant implications for the processing of Personal Data. The processing of Personal Data by any Address, Department, Office or employee
complies with the Security Policy of IMBRIW. The staff of IMBRIW has been informed in order to
report any fact or suspicion that has or may result in loss, theft, unauthorized disclosure,
accidental destruction or disclosure of Personal Data in accordance with the prescribed data
breach response procedures.

IMBRIW respects and complies with European and Greek legislation, investing equally in the
trust of the public and users of its infrastructure. It follows the recommendations
of the Greek DPA, the European Data Protection Council and the European Commissioner.
It implements good practices and adopts appropriate codes of conduct and policies for the
internal organisation and management of Personal Data.

It is at the disposal of the Supervisory Authorities and the subjects in order to prove its
compliance with the relevant provisions, providing the following information: a) the name
and contact details of the data protection officer; b) the purposes of the processing and the
legal basis; c) a description of the categories of underlying data and Personal Data; d) any
recipients of Personal Data that may exist; e) if and in which countries the
Personal Data is transmitted; f) organisational security measures of Personal Data.

It strives to design and develop the appropriate structures for the operation of the systems
and procedures for the proper and legal processing of all Personal Data, in a way that
ensures their integrity, accuracy, relevance and safety. For this reason, it adopts solutions
for the protection of privacy and confidentiality by definition and specially designed for the
needs of IMBRIW.

It conducts data protection impact assessments when using new technologies or planning high
risk processing for Personal Data. It follows the recommendations of the Greek and European Supervisory Authorities,
i.e. DPA. IMBRIW categorizes Personal Data and controls, recognizes, takes action and
eliminates the processing risk, in order to eliminate as much as possible the risk to Personal
Data Protection and the privacy of the Data subjects.

It ensures transparent processing and provides alerts and updates regarding Personal Data
processing. It uses consent as the legal basis for the processing of Personal Data when
this is the appropriate choice to serve the processing purposes.

It controls and ensures that Personal Data are not disclosed to those who do not have the
relevant right or to third parties, unless permitted or required by law. For this purpose, it
ensures that the staff of IMBRIW who is directly involved in the processing of personal data
has been trained and updated on an annual basis. IMBRIW verifies and ensures that external
partners receiving Personal Data from the Organisation, whether they can be considered as
processors or not, have taken the appropriate, technical and organisational measures to
ensure compliance with the data protection principles and related requirements described
in the current policy. The control of employees and external collaborators is continuous.
Violation of the rules and principles of the protection of Personal Data by an employee of
the Organisation also has disciplinary sanctions.

It thoroughly monitors and evaluates its associates, who transmit data back to the
Organisation and asks for the appropriate assurance and affirmation that they have the right
and have taken the appropriate measures in order not to assert the rights of the subjects.

IMBRIW manages the requests of the subjects who object to the processing or who wish to
limit it, in order to respond to a great extent and it also voluntarily corrects inaccurate data
or even deletes them. In any case, it respects and satisfies the requests of subjects not to
use their data for commercial purposes and promotional activities.

It has established the appropriate structure and procedures for managing any incident or
complaint concerning the processing of Personal Data and the Organisation’s compliance
with this policy. Any complaint and incident will be handled by the Organisation as a
controller with the assistance and advice of the Data Protection Officer
(dpo@lists.hcmr.gr).

IMBRIW as a Controller

At IMBRIW the entire staff is responsible for supporting compliance with this policy. The staff
processes Personal Data only to serve the legitimate, operational purposes directly related
to the performance of their duties. All staff of the Organisation are responsible for reporting
breaches that have occurred or are in progress to the Data Protection Officer as soon as
they become aware of them, and for following the procedures and actions provided by internal policy.
These procedures are described in detail in the documents of the Organisation.

The Data Protection Officer (DPO)

Takes into great consideration the risk associated with processing operations, while
evaluating the nature, scope, context and purposes of processing and is responsible for
informing and advising IMBRIW and its employees working on their obligations under
European and Greek data protection legislation. Monitors compliance with European and
Greek legislation, the Organisation’s policies regarding the protection of Personal Data,
including the delegation of responsibilities, awareness and training of staff involved in
processing operations, and related audits. Provides advice, when requested, on impact
assessment on data protection and monitors its implementation. It cooperates with the
supervisory authority, and acts as a point of contact for the supervisory authority and the
subjects on processing-related matters. DPO also keeps the documentation records of the
procedures for the protection of Personal Data and manages in cooperation with the
Organisation the process of informing the data subjects and the DPA.

Internal audit

IMBRIW has adopted procedures for the preclusive audit regarding the compliance of the staff
and of all the involved partners, during the Personal Data Processing with the procedures
and policies that have been communicated to them by the Organisation. It is also
responsible for investigating and assigning responsibilities to anyone who may be involved in
an incident of breach of the Organisation’s obligations regarding the lawful Personal Data of
the subjects.

Changes to Privacy Policy

Please check the Application Date (see beginning of this Policy) to see when this Policy
was last revised. Each review will take effect upon posting on the website in the appropriate
section, and the previous one will be archived.
If we make substantial changes to this Policy that extend our rights to use the personal data
we have already collected from you, we will notify you and provide you with the option to
use this data in the future.

Data and Privacy Protection

Here we provide all the necessary information regarding the type of data we may
collect during your visit to our Website or through the contact we will have with you, and inform you
about how we use this information and how we protect your privacy when you use our
services.

It is a commitment of IMBRIW to use only the Personal Data that are necessary to offer the
best possible services to the served public or if required by law, always within the
framework of Greek and European Regulation, providing the maximum possible protection
of your personal data when you use its services.

What information do we collect from you?

IMBRIW collects data through the contact it has with its employees, partners, visitors or
users of its services for various purposes, in any way e.g. when you visit the website
https://imbriw.hcmr.gr/, and when you fill in some of the contact forms that exist on these
pages, the form for the Subjects to exercise their data protection rights, etc.

Cookies and / or other user / visitor data may be used to facilitate user access when using
certain services and / or pages of the Website.

Indicatively, the Organisation may collect browsing data from our Websites: data from the
Browsing History. At the same time, because the Organisation has given the employees
specific passwords for entering the services of their websites, it may also collect data of the
accounts of the users / employees of the Organisation.

It may also collect your information from the contact form
(https://imbriw.hcmr.gr/contact-us/). The personal data that it collects are the name of the
user who wants to make contact, the e-mail address and free text about
the reason for the communication. The Institute also handles requests regarding the
management and processing of Personal Data by the Organisation; in this case, fill in the
contact form with the request you have regarding the management of your Personal Data by IMBRIW.

For more information you can contact the e-mail address dpo@lists.hcmr.gr.

How we collect your personal data

We collect your personal data directly from you when necessary in order to offer you a
service. Usually the data are provided by you voluntarily entering them in the form available
on our website (i.e. name, e-mail address, etc.) in order to request from IMBRIW to offer you
the services you select (https://imbriw.hcmr.gr/contact-us/).

In extremely rare cases, we may collect data in order to protect our interests or to respond
to a request from the authorities regarding protection and security issues that may arise
from relevant legal requirements.

If you are asked to provide Personal Data or information while using the Organisation’s
services or to submit an application to the Organisation’s website you will find information
here (- link to refer to the Personal Data Internal Management and Processing Policy) to
learn in which way we use and protect data and information, the legal basis regarding the
processing and how to exercise your rights.

You may also make a request to IMBRIW on how the Personal Data are processed by the
Organisation. In this case you need to send your personal information as well as the request
you make regarding your Personal Data to the Organisation at dpo@lists.hcmr.gr.

Visit to our Website

When you visit the website of our Organisation https://imbriw.hcmr.gr/, we may
automatically collect data and information transmitted to our server, which are stored in
logs each time you visit it. This information does NOT identify the user; it is technical / IT
data, it is anonymous, and its sole purpose is to improve the quality of service and the
provision of statistics on the use of the Website, such as:

1. Browser type and version information that was used
2. The operating system used by the access system
3. The website you left before visiting the Organisation’s website
4. The Internet Protocol (IP) Address
5. The internet service provider
6. Similar data and information for the protection of our website from attacks and external risks i.e., malware

Utilisation of Cookies

Cookies are small text files that are installed on your computer, tablet, mobile phone and
generally the device with which you browse the internet and thus the website
https://imbriw.hcmr.gr/. They are widely used in order to make websites work better
and more efficiently. Cookies do not give us full access to your computer or device and are
not used to violate your privacy. You can download more information about the cookies used
and how you can manage and delete them here.

Data storage

The hosting center (data center) where your personal data is stored is located in cloud
services, a space which is well protected and only accessible by authorized individuals
working in the Computer Center Department. Back-up copies that are retained, are kept in a
fireproof safe and in a safe location.

Retention period of personal data

The retention time of your personal data that we collect from the website is determined as
follows:

In case you fill in the contact form your personal data are kept for a period of time according
to your request.

After the end of the period of time defined either by our contractual relationship or by the
legislation (i.e. tax, etc.), the prescribed procedures for their safe destruction are followed.

Technical measures to protect your data

The protection of your data is very important for IMBRIW. We take all necessary technical and
organisational measures to ensure their proper use, confidentiality and integrity. IMBRIW will
never send a message asking you to provide us with security data such as password, financial
information or other sensitive information via email or link.

We strive to use the latest technological solutions and procedures to protect your personal
data. Where possible we have adopted Secure Sockets Layer (SSL) encryption technology for
the security of your data and communication privacy. We have taken appropriate security
measures to protect you from the loss, misuse or alteration of the data we collect from you
through our websites and to protect your privacy.

IMBRIW has provided for and installed both an antivirus system and a firewall, in order to be
as protected as possible from an external attack. However, we would like to emphasize that
the internet is not a secure means of communication and we cannot guarantee the security
of the data you enter on this website or send to us via the internet, at least for the entire
route.

Policy Amendments and Changes

IMBRIW may modify this data protection and privacy policy. Please ALWAYS check the
Application Date at the beginning of this Policy to see when it was last revised. Each revision will
come into effect as soon as we post the revised privacy statement and the older one will be
archived.

If we make substantial changes to this statement that extend our rights to use the personal
data we have already collected from you, thereby affecting your privacy, we will inform you
and give you, where possible, the option to use these data in the future.

Should you have questions about our privacy policy or need help exercising or
understanding your privacy rights, please contact
the Data Protection Officer, sending your request to the e-mail address dpo@lists.hcmr.gr.
In any case, for exercising your rights you can submit a request by applying to the Greek
DPA, located at 1-3 Kifissias Avenue, PC 115 23, Athens, tel.: + 30-210 6475600, Fax: + 30-
2106475628, www.dpa.gr

Rights of data subjects

We implement data processing as follows:
As an employer, for staff matters.
As an Insurance Institution, for the service of our members and visitors.
As obligated to comply with any requirement of the legal framework in which we operate.

Your rights under European and Greek Personal Data protection legislation are:

Right to Information

There must be a clear reason why IMBRIW must collect or use your personal data. Thus,
you have at any given time the right to obtain information about your personal data, the
way we process them and where we have them stored, always in compliance with the
current regulation and free of any charge. A summary of this information will usually be
provided to you when we collect your personal information, but in any case, you can also
receive detailed information from our website.

Right to Access

Personal Data Regulation gives you the right to request, view and receive a copy of any
personal information we hold about you. However, in order to respond to your request, we
may need additional information (i.e. to identify the subject and to make sure that the
personal data is not sent to the wrong person). Where possible, you will be able to access
the information we hold through the account. We will arrange to respond to any relevant
request within a period of one month, unless for objective reasons we may need more time,
in which case we will inform you. Please refer to our website in the relevant section to select
the appropriate form: https://imbriw.hcmr.gr/contact-us/

Right to Correction

You can ask us to correct or update your personal data in case they are
inaccurate or incomplete. If we have passed the information on to others, we will take steps
to notify them and take the necessary corrective action. If we find that the information does
not need to be changed, we will contact you within one month to explain our decision.

Right to Deletion

We strive to ensure that the data we receive will not be retained and will not be processed
for longer than necessary. However, since you have the right to request the deletion of your
personal data, IMBRIW will delete them immediately. This will happen particularly in the
following cases:

  • They are no longer necessary for the purpose for which they were originally
    collected
  • You agreed to the collection and editing initially and later changed your mind
  • We have stated that we will use them to serve our own “legitimate interests”, which
    have now disappeared and there is no other reason to retain your data
  • You have sound reason to believe that we used your data illegally
  • You have a well-documented opinion that we have an obligation by the law to stop
    processing and stop holding your data
  • The data refers to a minor for whom there is no legal possibility for the processing of
    their data

However, in some cases where applicable legal obligations (i.e. tax) require mandatory data
retention, data deletion may be prohibited. In these cases, we will explain why we cannot
delete your personal data and for how long. We can also refuse to delete data if there
is no clear reason or if the request was excessive.

If we have passed the information on to others, we will take steps to notify them so they will
take the necessary corrective action.

We will arrange to respond to any relevant request within a period of one month, unless for
objective reasons we may need more time, in which case we will inform you. Please refer to
our website in the relevant section to select the appropriate form. But if we have any
objections, we will explain our decision to you.

Please note that if we comply with a request, we may still be required to retain some
information such as that you made the request and that we have responded. We may also
need to retain some data such as contact details in a log protocol so that we do not
communicate for advertising purposes in the future.

Right to Restriction of Processing

You have the right to request the restriction of processing of your personal data from IMBRIW
and IMBRIW will immediately proceed to the limitation of the processing of these, at least, in
order to consider your request, to limit, correct or stop the processing of data. If this is not
possible, we will explain why we cannot restrict the processing of Personal Data.

Right to Data Portability

For the processing of personal data for which we use computer systems, either by contract
or with your consent, you have the right to request that we provide you with these in one of
the most widely used forms of reading, for example in an XML file.

Right to Object

You have the right to object to the processing of the Personal Data which we carry out:

  • for the fulfillment of a task assigned to us and performed in the public interest
  • because processing is necessary for the purposes of legitimate interests
  • for advertising / marketing purposes
  • for scientific or historical research and statistics

We will not be able to respond to your request if:

  • there is an imperative and legal reason which prevails
  • there is an urgent need to establish, exercise or support legal claims

We will contact you within a month to explain our decision.

Automated decision-making rights, including profiling

As a processor IMBRIW has the right to utilize technology in order to make decisions that have
a significant impact on subjects in very specific cases and under certain conditions. In
particular, we may use technology for automated decision-making and profiling when:

  • it is necessary for the conclusion or execution of a contract between IMBRIW and you
  • it is based on your explicit consent
  • it is allowed by European or Greek legislation

In any case, the specific technology will have been implemented having taken the
appropriate measures to protect the rights, freedoms and legal interests of the data subject,
providing the appropriate information, i.e. what information we use, for what purpose and
the effects. You can ask us to reconsider the decision with human participation.

How you can exercise your rights

After being informed from our website, you can fill in the contact form (link that refers to
the contact form).

To exercise any of your rights you can:

Contact the department of IMBRIW which is deemed supervisory. Information about the
infrastructure of the Organisation and the contact details can be found here:

Alternatively, send an e-mail to the Data Protection Officer of IMBRIW, at dpo@lists.hcmr.gr.
In any case, for exercising your rights you can submit a request by applying to the Greek
DPA, located at 1-3 Kifissias Avenue, PC 115 23, Athens, tel.: + 30-210 6475600, Fax: + 30-
2106475628, www.dpa.gr