This Policy has been drafted taking into account the current National and EU legal framework for the protection of personal data and in particular the General Data Protection Regulation (EU) 2016/679 (“the Regulation”) and Law 4624/2019.
In particular, this Policy aims to clarify the basic principles and rules of personal data processing followed by NEXT COM, as well as to inform data subjects regarding the processing operations carried out, the lawful basis of such operations and the rights of data subjects.
For the purposes of this Policy, the following terms have the following meanings:
“Personal Data”: means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be verified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
“Processing”: means any operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for his or her appointment may be provided for by Union or Member State law.
“Processor”: means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Data Subject”: the natural person whose personal data are processed. In this particular case, the Data Subject is considered to be any user of our Website.
“Consent” of the data subject: any freely given, specific, explicit and fully informed indication of intent by which the data subject signifies his or her agreement, by declaration or by a clear affirmative action, to the processing of personal data concerning him or her.
“Personal data breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access of personal data transmitted, stored or otherwise processed.
“Existing legislation”: The respective national and EU legislation on personal data protection and in particular the General Data Protection Regulation (EU) 2016/679, Law 4624/2019 “Personal Data Protection Authority, measures implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and transposing into national law Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data”.
C. General Principles for the Processing of Personal Data
When NEXT COM processes personal data, it shall:
- Process such data lawfully, in accordance with the provisions of existing legislation and the conditions laid down therein, subjecting them to lawful and fair processing in a transparent manner in relation to the data subject (Principle of Lawfulness, Objectivity and Transparency).
- Process personal data only for specified, explicit and legitimate purposes and not further process them in a way incompatible with those purposes (Principle of Purpose Limitation).
- Ensure that the data are adequate, relevant and limited to what is necessary for the purposes for which they are processed (Principle of Data Minimisation).
- Take appropriate technical and organisational measures so that personal data are processed in a way that ensures an adequate level of protection and security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage. In addition, periodically review the adequacy and effectiveness of these measures (Integrity and Confidentiality Principle).
- Make the necessary efforts to ensure that the personal data it holds and processes are always accurate and up-to-date and that all reasonable steps are taken to promptly delete or correct personal data that are inaccurate in relation to the purposes of the processing (Principle of Accuracy).
- Not retain the personal data collected for a period longer than is necessary for the purposes for which they were collected and processed. However, it may retain them for a longer period if the processing of these data is necessary:
i. to comply with a legal obligation that requires processing under a provision of law,
ii. for the performance of a task carried out in the public interest or in the exercise of official authority vested in NEXT COM,
iii. for reasons of public interest,
iv. for archiving purposes in the public interest, or for scientific or historical research purposes, or for statistical purposes, after appropriate technical and organisational measures have been taken, including pseudonymisation, and only if these purposes cannot be served by anonymisation of the data,
v. for the establishment, exercise or defence of legal claims (The Limitation of Storage Period Principle).
- Take the necessary measures to comply with the requirements of the Existing Legislation and be able to prove at any time that it complies with the above (Accountability Principle).
D. Personal Data We Collect and Process, Purpose of Processing and Lawful Basis
I. Personal data collected through the contact form.
Through the contact form, the user has the opportunity to contact the Company. If the user wishes to use this service, he/she must fill in the relevant fields: (a) his/her name (mandatory field), (b) his/her e-mail address (mandatory field), (c) the subject of the communication (mandatory field), (d) any other data in free text that he/she wishes to share with the Company.
Purpose of Processing and Lawful Basis.
The purpose of the collection and processing of such personal data is the provision of NEXT COM’s services to the user, the direct contact with the Company, the optimal response of NEXT COM to the user and its service. The legitimate basis for processing the personal data of the users is the legitimate interest of the Company to provide high quality services to the users of the Website (Article 6(1)(f) of the General Data Protection Regulation).
II. Personal Data collected while browsing the Company’s Website.
While browsing the NEXT COM Website, data is collected regarding the user’s demographic information, such as country of residence, and other types of information related to his/her preferences in products and services. In addition, information related to customer surveys and/or various offers is collected.
Purpose of Processing and Lawful Basis.
The purpose of the collection and processing of this personal data is to ensure directness and personalization in the provision of NEXT COM services and, in particular, the provision of specialized consulting services tailored to the specific needs and requirements of each user. The legitimate basis for processing the personal data of users is the legitimate interest of the Company to provide high quality services to the users of the Website (G.D.P.R. Article 6(1)(f)).
Purpose of Processing and Lawful Basis.
An additional legal basis for processing is your consent, pursuant to Article 6(1)(a) G.D.P.R., which is required for the storage on your terminal device of the cookies used by our website. Finally, the information generated by the cookies may also be transferred to our partners (technical support consultants, lawyers) or to competent authorities, if necessary. Please note that all our partners are committed to confidentiality and to taking appropriate technical and organisational measures to ensure the protection of your personal data.
For detailed information on the types of cookies we use, please visit our Cookies Policy.
IV. Social media buttons
On our Website, there are social media widgets from social networks (e.g. Facebook, Instagram and LinkedIn) with the use of which, after the user logs in to the social network, a special digital fingerprint of the user is created, for which both the Company and the social network itself act as joint controllers.
For more information on the data processing policy and the configuration options of these networks, please visit the following websites:
The purpose of collecting and processing such data is to improve the services provided by us and in general the user’s experience when visiting the Website. The legitimate basis for processing the personal data of users is the legitimate interest of the Company to provide high quality services to the users of the Website (G.D.P.R. article 6(1)(f)).
E. Personal Data of Minor Users
NEXT COM does not address minors and does not wish to collect and process personal data of minors (i.e. persons under the age of 18). However, since it is impossible to cross-check and verify the age of the users of our Website, we ask the parents/guardians of minors, in the event that they discover any unauthorized data disclosure on behalf of minors, to immediately notify the Company to take the necessary protective measures (e.g. immediate deletion of their data). If the Company becomes aware that it has collected personal data of a minor, it undertakes to delete them immediately and to take all necessary measures to protect such data.
F. Data Protection Impact Assessment (DPIA)
Where a type of processing is likely to present a high risk to the rights and freedoms of natural persons, NEXT COM shall carry out, prior to the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data (“impact assessment”). An impact assessment is a process designed to describe the processing, assess its necessity and proportionality and assist in risk management by evaluating and defining measures to address the risks. It is not required for every form of processing, but only in cases where a form of processing is considered high risk. The impact assessment takes into account the nature, scope, overall context and purposes of the processing in order to assess whether a risk is likely to occur, as well as its seriousness for the rights and freedoms of data subjects.
G. How do we ensure that Processors respect your Personal Data?
NEXT COM, in the context of its activities, may transfer data to third parties and/or allow access to them (legal or natural persons) who act as processors and/or sub-processors, to support its operation and serve its purposes, such as, for example, transferring data to service providers, website developers, cloud service providers, support companies for application development, etc.
Our partner companies that act as processors and/or sub-processors on our behalf have agreed and contractually bound themselves to the Company to:
i. maintain confidentiality and ensure data confidentiality,
ii. process the data only for a specific purpose and for no other purpose,
iii. not transmit data to third parties,
iv. take appropriate organisational and technical security measures to ensure data protection,
v. comply with the legal framework for the protection of personal data and in particular the Regulation and Law 4624/2019.
H. Transmission to third parties
Users’ personal data may be transmitted to public authorities, independent authorities, etc. in the exercise of their duties, either on their own initiative or at the request of a third party with a legitimate interest, following all legal procedures and in compliance with the appropriate safeguards to ensure the protection of personal data. NEXT COM reserves the right to disclose and/or transfer personal data to a third party to whom it may transfer or merge parts of its business or assets. In the event of a change in our business, the new owners have the right to use your personal data in the same way as set out in this Policy.
I. Transfer of Personal Data outside the EU
In the event that personal data of users collected through our Website is transferred to a country outside the European Union (EU) or the European Economic Area (EEA), NEXT COM will first check whether:
(a) The European Commission has issued a relevant adequacy decision for the third country to which the transfer will take place.
(b) The appropriate safeguards in accordance with the Regulation have been complied with for the transfer of such data.
Otherwise, the transfer to a third country is prohibited and the Company will not transfer users’ personal data to that country, unless one of the specific exceptions provided for in the Regulation applies (e.g. the express consent of the user and his/her information on the risks involved in the transfer, the transfer is necessary for the performance of a contract at the request of the subject, there are reasons of public interest, it is necessary to support legal claims and vital interests of the user, etc.). If in the context of its legitimate activities there is a need to transfer personal data outside the EU, the Company shall select the appropriate legal transfer mechanisms in full compliance with the Regulation and the Existing Legislation and inform the data subjects accordingly.
J. Data Retention Period
Users’ personal data are collected and retained for a predetermined and limited period of time, depending on the purpose of processing, after which the data are deleted from NEXT COM’s archives. When processing is imposed as an obligation by provisions of the applicable legal framework or a specific retention period is provided, your personal data will be stored for as long as the relevant provisions require. The personal data of users that are processed with consent will be kept until consent is withdrawn, without this withdrawal affecting the lawfulness of the processing up to that point.
JA. Security of Personal Data
All officers and employees of NEXT COM are responsible for ensuring that personal data held and processed by the Company are kept securely and are not disclosed or transmitted to any third party, unless the third party is authorised by the Company to receive and process such information in the context of (a) the legitimate activities of NEXT COM and if it has entered into a corresponding confidentiality agreement or (b) there is a legal or statutory obligation to do so.
NEXT COM takes all appropriate technical and organisational measures to ensure the security of the personal data it holds and processes. Although no method of transmission via the Internet or method of electronic storage is completely secure, the Company takes all necessary digital data security measures (antivirus, firewall, etc.).
NEXT COM implements, both at the time of determining the means of processing and at the time of processing, appropriate technical and organisational measures designed to apply data protection principles and incorporate the necessary safeguards in the processing in such a way that the requirements of the GDPR are met and the rights of data subjects are protected (data protection by design).
NEXT COM shall implement appropriate technical and organisational measures to ensure that, by default, only personal data that are necessary for the purpose of processing are processed (data protection by default).
NEXT COM shall ensure that the personnel involved in the collection and processing of personal data are adequately informed and trained.
In the event of a personal data breach, the Company shall inform the Personal Data Protection Authority without delay, unless the breach is unlikely to cause a risk to the rights and freedoms of natural persons, providing all required information and documentation. If the breach is likely to pose a high risk to the rights and freedoms of natural persons, NEXT COM shall promptly notify the data subjects of the breach in question, unless such notification requires a disproportionate effort, or in the meantime the Company has implemented appropriate technical and organisational protection measures on the data affected by the breach that render it incomprehensible to unauthorised users, or in the meantime the Company has taken measures to ensure that no unauthorised users are able to access the data.
JB. Your Rights
NEXT COM ensures that it is able to respond immediately to the requests of users, in order to exercise their rights in accordance with the existing legislation.
In particular, each user has the following rights:
a) To request information on the processing of his/her personal data by NEXT COM. To request access to his/her personal data held by NEXT COM. More specifically, he/she may request to receive a copy of his/her personal data held and to check the lawfulness of the processing.
b) Right to rectification of inaccurate data: to request the correction of personal data in case they are inaccurate or incomplete.
c) Right to erasure: to request the erasure of his/her personal data if their retention is not based on any legitimate basis or legitimate interest.
d) Right to restriction of processing: to request restriction of the processing of his/her personal data, under certain conditions.
e) Right to Data Portability: to request the portability/transmission of his/her personal data either to himself/herself or to third parties.
f) Right of Withdrawal/Objection: to withdraw at any time the consent given for the processing of his/her personal data, without this withdrawal affecting the lawfulness of the processing until then, and to object to the processing of his/her personal data by NEXT COM.
To exercise your rights, you can contact us by email at email@example.com by requesting: a) correction or deletion of the personal data you have entered or otherwise provided or collected through our Website, b) restriction of the processing of the personal data you have entered or otherwise provided or collected through our Website, c) objection to the processing of the personal data you have entered or otherwise provided or collected through our Website, d) request for the processing of the personal data you have entered or otherwise provided or collected through our Website, e) correction or deletion of the personal data you have entered or otherwise provided or collected through our Website. In case of exercise of any of the above rights, NEXT COM shall provide the data subject with information on the processing operations upon request submitted within one (1) month from the receipt of the request and the identification of the data subject. This time limit may be extended by two (2) more months, if necessary, if the request is complex or there is a large number of requests. In this case, NEXT COM is obliged, within one (1) month of receipt of the request, to inform the user of the delay and the reasons for it.
NEXT COM may refuse to comply in whole or in part with a relevant request received from the data subject only where this possibility is provided for by the Regulation or national legislation.
If a request from the data subject is manifestly unfounded or excessive, in particular because of its repetitive nature, NEXT COM may make compliance with it subject to the payment of a reasonable charge to cover the administrative costs involved in complying with it or refuse to comply with the request.
JC. Disclaimer for Third Party Websites
In case our Website contains links that redirect users to third-party websites, we inform you that NEXT COM does not control or bear responsibility for any risk or damage (positive/oppositive) suffered by the user from the use of the content of the Website and these websites, nor for the way in which the personal data of users are processed. NEXT COM takes all necessary measures to ensure that this Website is a safe environment for users, providing them with valid, reliable and up-to-date information.
JD. Right of recourse to the Personal Data Protection Authority
For any complaint regarding this Policy or personal data protection issues, if we do not satisfy your request, and you believe that your personal data protection is in any way affected, you may submit a complaint through a dedicated portal (https://www.dpa.gr/el/syndesi/prosvasi) to the Personal Data Protection Authority (PPA) (Athens, 1-3 Kifissia Avenue, P.O. Box 115 23, tel: +30 2106475600). Detailed instructions for lodging a complaint are available on the Authority’s website (https://www.dpa.gr/el/polites/katagelia_stin_arxi).
Last Revision: September 2023