Date of issue: 2024 jan 29

Data Protection Policy

English Version


  1. Introduction

Doxiadis Associates was founded in 1951 by the well-known architect Konstantinos A. Doxiadis. Since its inception, the firm has evolved from a small group of architects and engineers to a large consulting organization of international standing.

Its activities cover the whole spectrum of development, with particular emphasis on addressing the problems of settlements. The projects undertaken and successfully completed by the Doxiadis Associates are estimated to have contributed to improving the living conditions of more than two hundred million people worldwide.

Today the activities of the Doxiadis Associates are:

Planning / Design, Provision of Consulting, Project Management and Supervision Services in the fields of Architecture, Civil Engineering Works, Infrastructure Works (Roads, Airports, Maritime, Hydraulics), Urban and Regional Planning, Topo – Survey / Geographical Information Systems (including the production and distribution of Geographical Digital Data), Forest Studies, Environmental Studies.

The protection of the personal data of our clients or our business partners is of primary importance to Doxiadis Associates. For this reason, we take all appropriate measures to protect the personal data we process and to ensure that it is always processed in accordance with the obligations provided for by the applicable legal framework, both by the Company itself and by third parties processing personal data on its behalf.

Doxiadis Associates, based in Athens (174 Mesogeion Avenue, 15561, Cholargos, Athens), email: doxiadis@doxiadis.com, website: www.doxiadis.com, wishes to inform the public that it processes the personal data of data subjects in accordance with the national legislation applicable to its establishment and with the European Regulation 2016/679 on the protection of natural persons with regard to the processing of their personal data and on the free movement of such data (General Data Protection Regulation, hereinafter “the Regulation”) as applicable.

For any matter relating to the processing of personal data, you can contact Doxiadis Associates directly by email at gdpr@doxiadis.com.

174 Mesogeion Avenue.
GR 15561 Cholargos, Athens – Greece Tel. +30.210 6246300 – Fax +30.210 6246399 E-mail: doxiadis@doxiadis.com

PART A

Processing of personal data collected in the context of the Provision of Design and Consulting Services

  1. Type of personal data we process

Doxiadis Associates processes personal data concerning (i) its clients, (ii) its business partners, and (iii) job applicants. In addition, the Company processes personal data relating to data subjects in cases where such data are transferred to the Company by third Companies and/or Organisations, including EU institutions, public bodies, agencies or services, banking institutions and private companies, in the context of the performance of various data processing contracts and/or subcontracts.

The personal data processed by Doxiadis Associates include the name, e-mail address, telephone number, contact details, professional experience and education and may also include the date of birth, nationality, bank account details, national identity card number and/or passport number, VAT number, etc. of data subjects falling into the aforementioned categories.

  1. Purpose of processing and how we use your personal data

In the context of providing Design and Consulting Services, the Doxiadis Associates does not systematically process personal data of natural entities or persons as a Data Controller, except in cases where the Company processes CVs, data for the purposes of recruitment of personnel or the formation of teams for participation in a competition. However, in the same context there are cases where the Doxiadis Associates is involved in processing activities on behalf of a Data Controller for the purposes of performing a project contract awarded to it by the latter. In these circumstances, any information relating to the purposes and means of processing, the personal data processed and the data retention periods is determined exclusively by the specific Data Controller in accordance with the scope of the relevant project contract and, therefore, varies according to the specific characteristics of each project. The processing activities of the Doxiadis Associates are governed by the scope, terms and conditions of the specific contract and are carried out in accordance with the written instructions provided by the Data Controller to the extent that they are compatible with the respective obligations imposed by the applicable legal framework at national and/or European level. In such cases Doxiadis Associates acts in the capacity of data processor and performs its tasks in accordance with the applicable legislation.

The Doxiadis Associates Data Protection Policy is publicly available on the Company’s website www.doxiadis.com.

  1. The reasons for processing your personal data

The legitimate grounds for the lawful processing of your personal data are:

Document revision: 02 Date: 09 October 2023

  1. the performance of a contract or the intention to award a contract, such as the execution of a project or the provision of services, in order to fulfil the contractual obligations thereunder.
  2. safeguarding and protecting both your and our legitimate interests.
  3. compliance with obligations and duties imposed by law or administrative acts, including where it is required to file in public registers or publish corporate acts and information concerning a public limited company.
  4. the consent you provide under the specific conditions set out in the applicable legal framework or under contractual relationships or when you communicate with parts of our Company.
  5. explicit notification by the data subject himself/herself and processing necessary to protect the vital interests of the data subject or another natural person (where the data subject is physically or legally incapable of giving consent) are the legitimate grounds on which we process any information provided in relation to health data.

  1. Recipients of personal data outside the Company

The Doxiadis Associates transmits personal data to third parties to whom the Company entrusts the processing of personal data on its behalf, remaining responsible for such processing, while determining in writing, on the basis of a specific contract, the scope of the processing, its duration, its nature and purpose, the type of personal data, the categories of data subjects, the rights and obligations of the controller, in order to ensure that the processing is carried out in accordance with the provisions of the law.

  1. Transfer of personal data to third countries or international organisations

Personal data processed by the Doxiadis Associates may be transferred to third countries outside the EU or to international organisations, including countries that ensure a level of protection of personal data lower than that set by the European Union and the framework of the GDPR. The transfer of personal data hereunder may be carried out for specific reasons, such as compliance with regulatory obligations, preparation or submission of a project proposal, execution or performance of a contract, protection of the Company’s legitimate interests. In any case, the Doxiadis Associates shall ensure that such data transfer is compatible with the legal privacy obligations and in accordance with the protection standards and requirements set by the GDPR legal framework.

  1. Data retention

Data retention conditions shall be determined on the basis of the following specific criteria:

  1. Where processing is required as an obligation under applicable law, your personal data will be stored for the period of time provided for in the relevant provisions applicable to each case.

  2. Where processing is based on a contract, your personal data will be stored for the period of time required for the proper performance of the contract and then for the establishment, exercise and/or defence of legal claims arising from the contract or as otherwise required by mandatory law.
  3. Where processing is carried out for recruitment purposes, your personal data is kept until your consent is withdrawn. Such withdrawal may be made at any time without affecting the lawfulness of the processing based on consent in the period prior to its withdrawal.
  4. For marketing purposes, your personal data is kept until your consent is withdrawn. This withdrawal may be made at any time without affecting the lawfulness of the processing based on consent in the period prior to its withdrawal.

To withdraw your consent, you can contact the relevant department of the Company directly by email at gdpr@doxiadis.com.

  1. Your rights in relation to your personal data

Each data subject whose data is processed by the Company has the following rights:

  • Right of access: you have the right to be informed and to verify the lawful nature of the processing. Thus, you have the right to access your personal data and to obtain additional information about how we process it.
  • Right of rectification: you have the right to review, correct, update or modify your personal data by contacting us at the above contact details.
  • Right to erasure (right to be forgotten): you have the right to request the erasure of your personal data when we process it with your consent or to protect our legitimate interests. In all other cases (such as where there is a contract, an obligation to process personal data required by law or in the public interest), this right is subject to specific restrictions or does not exist, as the case may be.
  • Right to restriction of processing: c) where the personal data are not necessary for the purposes of processing but are necessary for the establishment, exercise or defence of legal claims; and d) where you object to processing and a decision on your objection to processing is pending.
  • Right to object to processing: you have the right to object at any time to the processing of your personal data where, as described above, the processing is based on the legitimate interests we pursue as Data Controllers, as well as for the purposes of direct marketing and consumer profiling, where applicable.
  • Right to data portability: you have the right to receive your personal data free of charge in a format that allows you to access, use and process it by commonly used processing methods. You also have the right to ask us, where technically feasible, to transfer the data directly to another controller. This right exists for data that you have provided to us on the basis of your consent or for the performance of a relevant contract.


  • Right to withdraw your consent: Where the processing is based on your consent, you have the right to withdraw it without affecting the lawfulness of the processing based on consent prior to its withdrawal.

To exercise any of the above rights, you may contact the Doxiadis Associates directly by email at gdpr@doxiadis.com, where we will respond to your request within 30 days.

  • Right to lodge a complaint with the Supervisory Authority: you have the right to lodge a complaint with the competent Data Protection Authority (www.dpa.gr): tel: +30 210 6475600, fax: +30 210 6475628, e-mail: contact@dpa.gr.

  1. Personal data security

The Doxiadis Associates applies all appropriate technical and organizational measures to ensure the secure processing of personal data and to prevent accidental loss or destruction and unauthorized and/or unlawful access, use, modification or disclosure. When assessing the appropriate level of security and in the process of selecting and implementing appropriate technical and organisational measures, the Company shall take into account the level of technology, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks inherent in the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transmitted, stored or otherwise processed,

PART B
Processing of personal data through a video surveillance system

  1. Processor:

Doxiadis Associates Consultants on Development and Ekistics S.A., 174 Messogeion Avenue, 155 61, P.C. 155 61, Tel. 210 62 46 300

  1. Purpose of processing and legal basis:

We use a surveillance system for the purpose of protecting persons and property. The processing is necessary for the purposes of legitimate interests pursued by us as controller (Article 6(1)(f) GDPR).

  1. Analysis of legitimate interests

Our legitimate interest consists in the need to protect our premises and the goods located there from unlawful acts, such as theft. The same applies to the safety of the life, physical integrity, health and property of our staff and third parties lawfully present in the premises under surveillance. We only collect image data and limit the capture to areas where we have assessed that there is an increased likelihood of committing illegal acts e.g. theft, such as at our counters and at the entrance, without focusing on areas where the privacy of the persons whose image is taken may be unduly restricted, including their right to respect for personal data.

  1. Recipients

The material kept is accessible only by our competent/authorized personnel who are in charge of the security of the site. This material is not passed on to third parties, except in the following circumstances: a) to the other Users/Owners of the Premises where the video surveillance system operates, when it contains data necessary for the investigation of a criminal act involving such persons or their property, b) to the competent judicial, prosecutorial and police authorities when it contains data necessary for the investigation of a criminal act, which concerns persons or property of the controller or other Users/Owners of the Video Surveillance Area, c) to the competent judicial, prosecutorial and police authorities when they request data, lawfully, in the exercise of their duties, and d) to the victim or perpetrator of a criminal act, when it concerns data which may constitute evidence of the act.

  1. Retention period

We keep the data for fourteen (14) days, after which they are automatically deleted. In the event that during this period we detect an incident, we isolate part of the video and keep it for up to one (1) month more, in order to investigate the incident and initiate legal proceedings to defend our legitimate interests, while if the incident concerns a third party we will keep the video for up to three (3) months more.

  1. Rights of data subjects

Data subjects have the following rights:

    • Right of access: you have the right to know whether we are processing your image and, if so, to receive a copy of it.
    • Right to restriction: you have the right to ask us to restrict processing, such as not deleting data that you consider necessary for the establishment, exercise or support of legal claims.

    • Right to object: you have the right to object to processing.
    • Right to erasure: you have the right to request that we delete your data.

You can exercise your rights by sending an e-mail to gdpr@doxiadis.com or a letter to our postal address or by submitting the request to us in person at the shop’s address. In order for us to consider a request related to your image, you will need to identify approximately when you were in range of the cameras and provide us with an image of you to help us identify your own data and to help us conceal the data of third-party depicted persons. Alternatively, we give you the option of coming to our premises to show you the images in which you appear. We also point out that exercising the right to object or erasure does not imply the immediate deletion of data or the modification of processing. In any case, we will reply to you in detail as soon as possible, within the time limits set by the GDPR.


  1. Right to lodge a complaint

If you believe that the processing of your data infringes Regulation (EU) 2016/679, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Greece is the Data Protection Authority, Kifissia 1-3, 115 23, Athens, Greece, https://www.dpa.gr/, tel. 2106475600.
