Mana Org | data protection policy

1. Purpose

The purpose of this Privacy Policy (hereinafter referred to as “the Policy”) is to regulate the manner in which the Charity under the name “MANA” (hereinafter referred to as “MANA”) respects and protects the personal data which it holds and processes as part of its activities.

In particular, this Policy aims to ensure that MANA’s executives, staff, volunteers and “beneficiary women” understand the key concepts and framework of responsibility for the management of personal data in accordance with General Data Protection Regulation 679 / 2016 / EU (hereinafter referred to as “the GDPR”), the national legislation, and the opinions, decisions and acts of the National Authority for the Protection of Personal Data (hereinafter referred to as “the ASCP”), and to promote the adoption of sound personal data management practices in accordance with the provisions of this Policy.

The Policy also serves to inform data subjects as required by Articles 13-14 of the GDPR, and comprises all of the individual MANA Policies relating to:

– The obligations, roles and responsibilities of MANA executives, staff and volunteers.

– Privacy Policy

– Archives Conservation and Destruction Policy

– Policy on Obtaining, Managing and Revoking Consents

– Data Subjects Request Management Policy for Exercising Data Subjects Rights

– Data Breach Incident Management Policy

– Policy on the use of communications and electronic media

– Clean Office and Screen Policy

MANA executives, staff, and volunteers are aware of the Policy and are committed to studying it, submitting any questions to Management and adhering to the Policy provisions strictly throughout their cooperation / employment with MANA, regardless of status.

2. Scope

The provisions of this Policy shall be fully complied with by the Management, and the MANA Personnel, irrespective of grade, status or specialty, currently engaged in fixed-term or indefinite-term contracts, full-time or part-time staff, as well as full-time or part-time staff volunteers, who provide services or volunteer work at MANA, provided that they work on its premises and / or on its behalf and process personal data held by MANA, as part of the exercise of their duties.

The following are also bound to adhere to this Policy:

– the Data Protection Officer (hereinafter referred to as DPO) of MANA (if designated).

MANA undertakes to disclose this Policy to any present or new executive, employee, affiliate, volunteer, processor as set forth above, and to ensure by appropriate means their knowledge of and commitment to observing the Policy and the personal data processing practices described therein.

3. Basic Definitions – Principles of legal processing

3.1. MANA is committed to respecting and protecting the personal data it collects and processes as part of its activities, in full compliance with the obligations arising from the European and internal Regulatory Framework for the protection of personal data. For the purposes of the proper implementation of the Policy, MANA shall inform those responsible for the Policy of the following definitions in accordance with the law:

“Personal data” is any information relating to the data subject. Aggregated statistical data from which the data subjects can no longer be identified are not considered personal data.

‘Data subject’ means the natural person to whom the data relates and whose identity can be determined directly or indirectly, in particular on the basis of an identity number or one or more specific elements that characterize his or her physical, biological, psychological, economic, cultural, political or social existence.

‘Controller’ means the natural or legal person who determines the purpose and manner of processing personal data, in this case the “MANA” Charity.

“Processor” is any natural or legal person processing personal data on behalf of the Controller.

“Personal Data Processing” is any work performed on personal data such as collecting, registering, organizing, maintaining or storing, modifying, extracting, using, transmitting, disseminating, associating or combining, interconnecting, blocking, deleting, destroying.

“Profiling” is any form of automated processing consisting of the use of personal data for the evaluation of certain personal aspects of a natural person, in particular for the analysis / forecasting of aspects related to work performance, financial status, health, personal preferences, interests, credibility, behavior, position or movements of a natural person.

“Personal Data Breach” means a breach of security that results in accidental or malicious destruction, loss, alteration, unauthorized disclosure of or access to transferred, stored or otherwise processed personal data.

“Beneficiary Women” means, for the purposes of this Policy, women who are suffering from breast cancer or other forms of gynecological cancer and are included in MANA’s psychosocial support programs.

3.2. Lawful processing of personal data:

Any processing of personal data by MANA must comply with the following principles in order to be considered lawful and to comply with the requirements of the GDPR and the national data protection legal framework:

– The data are processed fairly and lawfully, in a transparent manner with respect to the data subject (“legitimacy, objectivity and transparency”),
– They are collected for explicit and legitimate purposes and not further processed in a manner inconsistent with those purposes; further processing for archiving purposes in the public interest or for scientific or historical research or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89 (1) of the GDPR (‘purpose limitation’),
– They are appropriate, relevant and limited to those necessary for the purposes for which they are processed (‘data minimization’),
– They are accurate and, where necessary, updated; all reasonable measures should be taken to immediately delete or correct personal data which are inaccurate with regard to the purposes of processing (‘accuracy’),
– They shall be kept in a form that allows the identification of data subjects only for the time required for the processing of personal data; personal data may be stored for a longer period if the personal data will be processed only for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, provided that appropriate technical and organizational measures are applied to safeguard the rights and freedoms of the data subject (“limitation of the storage period”),
– They shall be processed in such a way as to guarantee the appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

4. Legal bases for processing personal data

Any processing of personal data by MANA in the context of its purpose and activity (psychosocial support for women with cancer) should rest on a legal basis.

The legal bases for processing according to the GDPR are as follows:

– The consent of the data subject for one or more purposes.
– The execution of a contract of which the subject is a party or the taking of measures at the request of the data subject at the pre-contractual stage.
– Compliance with the legal obligation of the controller.
– Safeguarding the data subject or other natural person’s vital interest.
– The performance of a duty performed in the public interest or in the exercise of the public authority of the Controller.
– Fulfillment of the legitimate interests of the Controller or third parties, provided that those interests override the interest or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular if the data subject is a child.

2.2 The legal bases for the processing of sensitive personal data are:

– the express consent of the subject for one or more specific purposes.
– the performance of obligations and the exercise of specific rights of the controller or data subject in the field of labor law and social security and social protection law, where permitted by Union or Member State law or by collective agreement in accordance with national law providing appropriate safeguards for the data subject’s fundamental rights and interests.
– the protection of the data subject or other natural person’s vital interests if the data subject is physically or legally incapable of consent.
– processing within the legitimate activities of an institution, organization or other non-profit organization with a political, philosophical, religious or trade union purpose, provided that the processing relates exclusively to members or former members of the body or persons who have regular contact with it in relation to its purposes and that personal data are not disclosed outside the entity without the data subjects’ consent.
– the processing of clearly disclosed personal data.
– the foundation, exercise or support of legal claims or when the courts are acting in their jurisdiction.
– processing for reasons of substantial public interest, which is proportionate to the objective pursued, respects the essence of the right to data protection and provides for appropriate and concrete measures to safeguard the data subject’s fundamental rights and interests.
– processing for the purposes of preventive or occupational medicine, the assessment of the employee’s ability to work, medical diagnosis, the provision of health or social care or treatment or the management of health and social systems and services or under contract with a health professional.
– processing for reasons of public interest in the field of public health,
– processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes commensurate with the objective pursued, respecting the essence of the right to data protection and providing for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.

MANA collects and processes, on a case-by-case basis, personal data on the basis of consent, contract, compliance with its legal obligations and legitimate interest.

5. Obligations – Roles – Responsibilities.

The management and processing of personal data by MANA entails obligations and responsibilities for management, its executives, staff and associates, depending on their position and duties.

5.1. Administrative Obligations:

MANA Management has the following obligations:

– Determines the purposes and means of processing personal data
– Provides instructions and guidance to personnel, affiliates, and any processor performing on behalf of MANA.
– Ensures the legality of data processing and the observance of good data processing practices by all MANA executives, staff and associates.
– Ensures proper contractual commitment and oversight of security measures of any processor.
– Ensures that all executives, staff and associates maintain the security and confidentiality of personal data through the necessary commitments.
– Ensures proper adherence to this Policy.
– Ensures the education and training of its staff in relation to its obligations.
– It is generally responsible for demonstrating that MANA complies with the requirements of the GDPR before the Personal Data Protection Authority, the courts and / or any other Supervisory Authority.

5.2. Obligations of staff

MANA staff and associates must comply with the orders of the Administration regarding the proper observation and processing of personal data in the performance of their duties, including special category data, which they process as part of their duties. In particular, employees employed by MANA, regardless of status, are subject to the following obligations:

5.2.1 To keep confidential the personal data which they have access to and process in the course of or in the performance of their duties, and not to disclose, transmit or otherwise make it available to third parties, unless this is strictly necessary in the performance of their duties or required by law. ‘Third party’ means any natural or legal person, including, but not limited to, the external partners and suppliers of MANA, as well as persons in the employee’s family, friendly and social environment. Third party also means a member of the MANA staff,
5.2.2 To use and manage personal data solely for the purposes for which it is processed by MANA in accordance with its instructions and taking into account the instructions of the Administration.
5.2.3 Health data made available to MANA staff, volunteers and associates as a result of MANA activity and / or in the performance of related duties may be processed by MANA staff for research purposes if approved by Management, provided that confidentiality guarantees and organizational and technical security measures are in place and the data are pseudonymised or anonymised.
5.2.4 To refrain from unauthorized access to, interference with, collection, registration, organization, structuring, storage, adaptation or alteration, recovery, use, dissemination and any other form of disposal, association, combination, restriction, deletion or destruction of personal data which are processed or included in MANA’s electronic or physical file.
5.2.5 To comply with and follow the instructions specifically received from MANA, or of which they are aware owing to the nature of their duties, with regard to physical, organizational and technical security measures to protect the confidentiality, integrity and availability of personal data.
5.2.6 Personnel, volunteers and those bound by this Policy are required to notify MANA Management of any breach of the personal data processing rules or instructions or breach of security. In particular, they must notify Management in a timely manner of any breach of personal data, including the actions listed in clause 5.3.4. herein, and of any breach of the security of the physical and / or electronic archive of personal data in general, which leads or may lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to the electronic or physical MANA files.
5.2.7 To communicate with MANA (or the Data Protection Officer, if designated) about any queries they may have regarding the protection of personal data and about any personal data issues raised with or perceived by them while exercising their duties and / or generally during their stay at MANA’s premises and facilities, including requests by “beneficiary women” to exercise the rights conferred on them by the General Data Protection Regulation 679/2016 (information, access, correction, opposition, cancellation, restriction of processing, portability, opposition to profiling, a complaint to the Supervisory Authority) and complaints regarding the protection of their personal data,
5.2.8 To provide, in general, any assistance to MANA in order to protect the security and confidentiality of personal data which they themselves or third parties, directly or indirectly, have disclosed or otherwise made available to an unauthorized user or holder, and to cooperate with MANA in order to recover possession of personal data and to prevent further unauthorized use or disclosure or any other violation of the security of the personal data it holds.
5.2.9 In the event that an employee is legally required to disclose personal data beyond what is required in the performance of his or her duties, the employee shall promptly provide MANA with written notice prior to such disclosure in order to enable it to exercise all of its lawful rights before all authorities and / or courts, unless such notice is prohibited by law.
5.2.10 In the event of termination of cooperation with MANA on the initiative of either party, the employees acknowledge that they have no right to process MANA’s personal data and no right of access to MANA’s physical and electronic personal data files, including corporate mail and “beneficiary women” data in any physical or electronic file, and are therefore required to:

(a) Immediately submit to MANA any electronic files or documents containing personal data, such as medical records or requests for participation by beneficiary women in the MANA programs, in their possession or with third parties, and provide a written statement certifying that they have not kept documents, electronic records or any other copies of the personal data held by MANA for its purposes, that they have returned any physical files, and that they have deleted from any electronic device in their possession (mobile phone, PC, portable storage device, etc.) any personal data file to which they had physical or electronic access during their cooperation with MANA.

(b) Not remove from MANA’s premises, without authorization or instructions from the legal representative or an authorized person, any document, object or file containing personal data, or a photocopy or any other reproduction thereof.

(c) Abstain from any malicious act, such as destruction, deletion, reproduction, copying, notification, disclosure, dissemination, etc. of personal data which are contained in MANA’s physical and / or electronic file, and refrain from breaching in any way the security, confidentiality and integrity of MANA’s personal data.

(d) Fulfill all the above obligations for an indefinite period after termination of their cooperation with MANA.

6. Secure Management of Personal Data

6.1. MANA is committed to safely managing the personal data it holds and processes. This commitment concerns MANA’s management, staff, volunteers and affiliates regardless of status, as well as any processing operations on MANA’s behalf.

The obligation for the secure management of personal data extends to:

– Physical personal data files, such as, but not limited to, any physical (hard copy) form containing personal data, staff and volunteer files, volunteer resumes, and ‘beneficiary women’ files which contain their health data (medical exams, the program they are following, as well as any documentation relating to them, whether or not its content is medical).

– Electronic files of all kinds, including emails and PDFs.

– Photographs, videotapes and generally audiovisual material from events etc., which is used for the purpose of promoting the work and activity of MANA and raising the awareness of the community.

The safe keeping and processing of personal data involves the adoption of appropriate technical and organizational security measures and the adoption of good personal data management practices. In particular:

– Physical and electronic files and access to them are classified according to their content and confidentiality.
– Physical personal data files should be kept in protected and locked areas (locked cabinets, locked drawers etc.), the keys of which are held only by those staff members who are entitled to access on the basis of their duties.

– Particular attention shall be paid to the safe keeping and confidentiality of physical files containing special category data (sensitive personal data of beneficiary women). The maintenance of these records is entrusted by MANA to persons who either enjoy medical confidentiality or are bound by specific confidentiality clauses and the processing of data takes place exclusively within the scope of MANA’s purposes and activities.

– It is prohibited to photocopy, distribute or otherwise reproduce files of “beneficiary women” for purposes other than the processing of MANA.

– Further processing of the personal data of women beneficiaries (including data on specific categories) is permitted only for archiving purposes and for statistical and scientific research purposes, subject to the specific consent of the subjects and to the necessary data protection measures being taken, including data coding and anonymization techniques.

– Electronic records, email management and any remote access to MANA’s electronic systems by its personnel shall be in accordance with the terms and procedures described in MANA’s IT Security Policy.

– The outsourcing of data processing to third parties is carried out with the necessary contractual commitments and is monitored at regular intervals to ensure that the necessary security measures are taken by them, in accordance with the terms and conditions of the GDPR and in accordance with explicit instructions for the registration of volunteers and donors and for data retention, which are detailed below.

– In the event of any data breach by MANA staff and executives, the breach incident management procedure described in this Policy is followed.

– MANA maintains a file of the necessary legal documents for compliance with the requirements of the GDPR (consent forms, processing contracts, clauses and confidentiality agreements), as well as its Policies and Procedures for the proper management of personal data, as required by the GDPR.

7. File Retention and Destruction Policy

7.1. Scope: The Archives Preservation and Destruction Policy applies to all physical records maintained in the course of MANA’s operation and activity, including original documents and copies. It also applies to MANA electronic files. This Policy binds the management, staff, volunteers and, in general, external partners and / or processors of MANA to the extent that they undertake the management and storage of files of the Association which contain personal data.

7.2. Responsibilities: MANA determines the time of retention of physical and electronic personal data files, in accordance with the requirements of the principle of limitation of storage period imposed by the GDPR, the provisions of applicable national law on the time of record keeping by category and relevant DPO suggestions.

MANA Management may order an extension of time to maintain a record for legal, accounting – tax, audit, medical or other reasons. In this case, the Management undertakes to disclose the existence and content of the record keeping order to the staff processing the file and to take measures to ensure that the record is not destroyed / deleted by staff, volunteers and partners of MANA.

The Recorder is responsible for overseeing the proper maintenance of the MANA File Retention and Destruction Policy by performing the following actions:

– Is responsible for maintaining and amending the Record Keeping Schedule whenever necessary to comply with the relevant legal requirements (legal, accounting, tax, medical record keeping).
– Completes the File Retention Schedule with new categories of MANA documents and files.
– Reviews the Archives Schedule annually.
– Monitors MANA’s compliance with this Policy.
– Suggests methods of safely destroying physical files (eg document shredder) and permanently deleting electronic files.

All staff members are responsible for:

– Creating and maintaining files related to the subject of their work.
– Store files in approved storage media.
– Compliance with this policy and the file management procedures described therein.
– Destruction / deletion of files that have reached the end of their retention period with appropriate destruction / deletion methods.

7.3. Record keeping schedule

File Type ——— Retention Period
CVs ——— Two years maximum
Employee File ——— The whole duration of the employment relationship and the limitation period after its expiry (20 years)
Volunteer Archives ——— Throughout the course of the partnership and 5 years after its end
“Beneficiary Women” Files ——— 20 years after completing the follow-up of Mana programs
Paypal Data ——— 10 years after the donation was made
Audiovisual material from Mana Society manifestations ——— 10 years from the end of the event
Email and other electronic documents ——— Corporate data emails are kept for 12 months as an “active” beginning. The time for keeping other electronic documents (eg PDF files) is judged according to their content.
Other / Identify

8. Obtaining, Managing, Revoking Consents

MANA shall ensure that the data subject’s consent is properly obtained in cases where the lawful basis for processing is the data subject’s consent. In particular, MANA shall take the necessary steps to:
– Fully inform subjects in accordance with the requirements of Articles 13 and 14 of the GDPR, before obtaining consent, in a simple, concise and easily accessible language.
– Obtain the consent of the subject in writing or electronically. In case the data subject consents by a positive action (eg sending a resume), take care to inform the data subject that their particular action entails their consent to the processing of their data, of the time the data is kept, and of the right to withdraw their consent.
– Keep a record of the written / electronic consent of the data subjects.
– Ensure that the subject’s consent is free, specific to the purpose of the processing, and that the data subject is fully aware.
– Provide subjects with the free, immediate and easy withdrawal of their consent (eg by sending an e-mail to a person authorized by MANA or to the MANA Data Protection Officer, if designated), informing the subjects that withdrawal of their consent does not affect the lawfulness of the processing of their data up to the point of withdrawal.
– Delete the data of the subject in case of withdrawal of consent, unless their retention is necessary to comply with MANA’s obligations under the law or to defend MANA’s legal interests before the Courts.

9. Managing Requests for Exercising a Data Subject’s Right

9.1. MANA Obligations to Exercise Rights:

Data subjects (employees, volunteers, external partners, benefiting women, etc.) have the following rights regarding their personal data:
– the right of access, so that the subject is informed of which of their data are processed by the Processor, for what purpose and of their recipients,
– the right of correction, to correct any data deficiencies or inaccuracies,
– the right of deletion (“right to be forgotten”), to delete the personal data of the Subjects from the Controller files where their processing is no longer necessary and data retention is not required for the Controller to comply with its legal obligations or to defend its legitimate interests before the courts,
– the right to limit the processing, if the accuracy of the data on the subject is challenged,
– the right to portability, to receive the data concerning them in a structured and commonly used format,
– the right to object, if the subject does not wish his data to be used for direct marketing purposes, including the objection to the development of profiles.
– the right to lodge a complaint with the Data Protection Authority (

MANA shall be obliged to facilitate the exercise of the data subject’s rights, except in cases where it is unable to verify the identity of the data subject, and shall respond to any such request within one (1) month of receipt, a deadline which may be extended by two (2) more months if required, taking into account the complexity of the request and the number of requests, informing the data subjects of the extension required as well as the reasons for the delay.

MANA manages data subjects’ requests to exercise their rights by doing the following:

– Identification details of the data subject are requested in case this is not clear (eg ID photocopy, passport number, contact details).

– In the case of a right exercised through a representative, he / she shall take the necessary steps to establish the legal or natural inability of the natural person to exercise the right in person and shall recommend to the Administration accordingly the necessity to respond to the representative’s request.

– Provides the subject with the “Exercise Right Form” to be completed and ensures its proper completion, receipt and proper observance.

– Undertakes to update the data subject by any appropriate means, including by electronic means, if more than one month is required to satisfy the right, and to inform the data subject of the reasons for the delay.

– In the event that MANA Management decides not to act on a data subject’s request to exercise a right, MANA shall notify the subject in writing within one (1) month of receipt of the request of the reasons for non-action and of the possibility to report to the ASCP and to bring litigation.

– Informs and undertakes the collection of a reasonable fee for the execution of the action requested by the person concerned, in cases of manifestly unfounded or excessive and recurring requests.
– Informs the subject of a request that MANA considers manifestly unfounded or excessive.

9.2. Rights Enforcement Procedure: The above actions and obligations of MANA apply to claiming any rights. MANA manages requests for the satisfaction of each right as follows:

9.2.1. Right of access:
MANA provides data subjects with confirmation that their personal data is being processed and, in the positive case, follows the procedure for granting the right of access to such data and processing information:

– Request Assessment: After verifying the identity of the person making the request, in accordance with 9.1. above, the validity of the request is then evaluated. If the request is not assessed as valid, MANA shall notify the person in writing of its refusal to continue the request with a reasoned decision.
– If the request is assessed as valid, MANA shall provide a copy of the data to the subject together with the following information concerning such processing:
(a) the purposes of the processing (eg participation in MANA programs);
(b) the relevant categories of personal data collected;
(c) the recipients or categories of recipients to whom personal data has been disclosed or is about to be disclosed, in particular those in third countries or international organizations;
(d) where possible, the period during which personal data will be stored or, when this is impossible, the criteria for determining that period;
(e) the existence of the right to request from the controller the correction or deletion of personal data or the restriction of processing of personal data concerning the data subject, or the right to object to this processing;
(f) the right to complain to the PDPA;
(g) where personal data are not collected from the data subject, any available information on their origin;
(h) the existence of any automated decision-making, including profiling, that produces legal effects on the subject or similarly significantly affects him / her, including decisions based on specific categories of data, together with important information on the logic followed, as well as the significance and intended consequences of the processing for the data subject;
(i) where personal data are transmitted to a third country or to an international organization, information on such transmission and its legal guarantees.
– For additional copies that may be requested, MANA may charge a reasonable fee for administrative expenses. In the event of non-payment, MANA completes the processing of the request after its validity has been assessed.
– MANA grants the right of access provided that it does not adversely affect the rights and freedoms of others.

9.2.2. Right of correction: MANA shall, without undue delay, correct any inaccurate personal data relating to the data subject, if the data subject so requests or if the data is found to be inaccurate. In addition, the data subject, having regard to the purposes of the processing, has the right to request the completion of incomplete personal data, including by means of a supplementary statement.
– For the exercise of the right, which can be done by letter, email, through the Website or even by oral request, MANA provides the subject with the “Right Exercise Form” to be filled in by the subject and takes care of its correct completion, receipt and proper observance.
– The personnel of MANA responsible for this shall ensure that any inaccurate / incomplete data are corrected / supplemented accordingly.
– MANA announces any corrections made in accordance with the above to the subject and to any recipient to whom the personal data were disclosed, unless this proves impracticable or entails a disproportionate effort.

The data subject shall have the right to request from MANA the deletion of personal data concerning him without undue delay and MANA shall be obliged to delete them if one of the following applies:
(a) personal data is no longer necessary in
(b) the data subject revokes the consent on which the processing is based and there is no other legal basis for the processing of the data;
(c) the data subject objects to the processing by exercising his right to object and there are no compelling and lawful reasons for the processing or the data subject objects to the processing for direct marketing purposes, including the preparation of profiles;
(d) the personal data has been processed unlawfully;
(e) personal data must be deleted in order to comply with the legal obligation to which MANA is subject;
(f) personal data has been collected in relation to the provision of information society services referred to in Article 8 (1) of the GIP.
MANA may refuse to grant the right in cases where processing is necessary:
(a) for the exercise of the right to freedom of expression and the right to information;
(b) for the observance of a legal obligation of MANA that requires the processing, or for the performance of a duty performed in the public interest or in the exercise of public authority conferred on MANA;
(c) for reasons of public interest in the field of public health, subject to safeguards for the protection of the rights and freedoms of the data subject, in particular professional secrecy;
(d) for purposes of archiving in the public interest, for scientific or historical research purposes, or for statistical purposes, where the right to oblivion is likely to render impossible or greatly impede the achievement of the purposes of such processing, or
(e) for the foundation, exercise or support of MANA’s legal claims.
The validity of the request is evaluated by MANA on the basis of the above exceptions, in particular the non-satisfaction of the request for beneficiary women data.
If the request is not assessed as valid or if there is a legitimate reason for not doing so, MANA shall inform the person in writing within one month of the refusal to proceed with the request with a reasoned decision.
Where MANA has made the personal data public and is required to delete it, it must, taking into account the technology available and the cost of implementation, take reasonable steps, including technical measures, to inform the processors who process the relevant data that the data subject has requested that any links to such data, or copies of such data, be deleted by them.

The data subject is entitled to obtain from MANA the restriction of processing when one of the following applies:
a) the accuracy of personal data is contested, for a period that allows MANA to verify the accuracy of personal data,
b) the processing is unlawful and the data subject opposes the deletion of personal data and requests, instead, the restriction of their use,
c) MANA no longer needs the personal data for the purposes of the processing, but the data are required by the data subject for the foundation, exercise or support of legal claims,
d) the data subject has objections to the processing in accordance with the right to object, pending verification of whether the legitimate reasons of the controller override the data subject’s reasons.
– Upon receipt of the request, the validity of the request is evaluated by the Controller. If the request is not assessed as valid, the MANA shall inform the subject of the refusal of follow-up on his request with a reasoned decision.
– If the request is found to be valid, the appropriate restriction method will be adopted on a case-by-case basis (eg temporary transfer of selected data to another processing system, removal of access to selected personal data by users, temporary removal of published data from a website, etc.).
– In the case of automated archiving, processing restriction should in principle be ensured by technical means in such a way that data is not subjected to further processing and cannot be changed. In any case, the fact that data processing is limited should be noted on the system.
– Where processing is restricted in accordance with the foregoing, such data shall, apart from storage, be processed only with the consent of the data subject or for the foundation, exercise or support of legal claims or for the protection of the rights of another natural or legal person, or for reasons of significant public interest.
– In addition, the data subject who has secured the processing restriction in accordance with the above shall be informed by MANA prior to the removal of the processing restriction.
– MANA subsequently announces any processing restrictions performed in accordance with the above to any recipient to whom the personal data were disclosed, unless this proves impracticable or entails a disproportionate effort. If requested by the data subject, MANA shall inform such recipients thereof.

9.2.5. Right to data portability
MANA is obliged, at the request of the data subject, to provide him with personal data concerning him and which the subject himself has provided, in a structured, commonly used and machine-readable format, as well as to satisfy the right of the subject to transmit such data to another controller without objection, when the following conditions are met:
a) the processing is based on the consent of the subject or is necessary for performing a contract to which the subject is party, and
b) the processing is performed by automated means.
The data subject may, in the exercise of his right, request the direct transmission of his data from one controller to another, if this is technically feasible. The procedure for granting the right is as follows:

– Upon receipt of the request, the validity of the request and the possibility of its satisfaction shall be assessed.
– If the request is not assessed as valid, MANA shall inform the subject of the refusal to follow up on the request with a reasoned decision.
– The assessment of the request shall take into account the data contained in the request as well as the data falling within the scope of the right to portability, which shall be:
– personal data concerning the data subject. Therefore, anonymised data do not relate to this right. However, data that has been pseudonymised and can identify the subject is within the scope.
– the personal data that the subject has provided to the controller. These are data that the subject has actively and consciously provided (eg e-mail address, username, age, etc.) but also observed data provided by the subject through the use of the service or device (e.g. search history, location and traffic data). Therefore, these categories do not include ‘inferred data’ and ‘derived data’, which include personal data generated by the controller based on the data provided by the data subject. Subsequently,

This right is not intended to retrieve and transmit data containing personal data of other (non-consenting) subjects to a new controller.
MANA responds to the subject’s portability request by using an interoperable format and by providing the subject with a copy or transmitting the data in question to another controller. Format interoperability is facilitated when it is structured, commonly used and machine-readable. However, these requirements do not oblige MANA to adopt or maintain technically compatible processing systems.
One way to respond to data portability requests is to provide appropriately secure and documented Application Programming Interfaces (APIs). In any case, even for large data collection requests, the response will be given in such a way that the person will be able to fully understand the definition, shape and structure of the personal data.
Unless there are technological restrictions or other legal restrictions, MANA may provide the data in a format such as CSV, XML and JSON.

9.2.7. Right to object:
MANA is under an obligation not to process personal data if the data subject objects at any time, and for reasons related to his or her particular situation, to the processing of personal data relating to him or her which is based on:
(a) the performance of a duty performed in the public interest or in the exercise of public authority conferred on MANA; or
(b) the legitimate interests of MANA as controller or of a third party;
including profiling on the basis of the above provisions. Profile compilation means any form of automated processing of personal data involving the use of personal data to evaluate certain personal aspects of a natural person, in particular for the analysis or prediction of aspects related to work performance, financial status, health, personal preferences, interests, credibility, behavior, position or movements of that natural person.
It is then up to MANA to prove that there are compelling and legal reasons that override the data subject’s interests, rights, and freedoms in order to continue processing or for the purposes of establishing, exercising, or supporting legal claims.
Where personal data are processed for scientific or historical research purposes or for statistical purposes, the data subject, for reasons related to his particular situation, shall be entitled to object to the processing of data relating to him, unless the processing is necessary for the execution of a duty exercised for reasons of public interest.
Upon receipt of the request and if the request is not assessed as valid, MANA shall notify the person in writing of its refusal to continue the request with a reasoned decision.
If the request is evaluated as valid, MANA shall refrain from processing the data of the subject for which the right has been exercised and inform the data subject accordingly.

10. Violation Incident Management Policy

A Personal Data Violation is a “breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Classification of violations

Violations can be categorized according to the following three information security principles:

– “Breach of confidentiality” when unauthorized access to, or accidental disclosure of, personal data occurs.
– “Availability breach” when unauthorized or accidental loss of access to, or destruction of, personal data occurs.
– “Infringement of integrity” where unauthorized or accidental alteration of personal data occurs.

Depending on the circumstances, a breach may concern the confidentiality, availability and integrity of personal data at the same time, or any combination thereof.

The purpose of this Policy is to standardize MANA’s response to any reported data breach incident and to ensure proper recording and disclosure in accordance with the Personal Data Protection Regulation (CPD).

The adoption of the above countermeasures is intended to ensure that:

– The incidents (data breach) have been reported in a timely manner and can be properly investigated.
– Incidents are handled by appropriately authorized and qualified personnel.
– All information related to a security breach is collected, recorded and maintained.
– The impact of the breach is clear and precautions are taken to prevent further damage.
– The Personal Data Protection Authority is updated as required.
– The data subjects affected by the breach are updated as required.
– Incidents are treated promptly and normal procedures are restored.
– Incidents are reviewed to identify improvements in policies and procedures.

Scope: The Privacy Policy should be followed by all employees, executives, and third party external partners and / or executives acting on behalf of MANA.

The scope of this policy includes personal data held in any form or medium (paper or digital / electronic). The policy does not apply to information that is classified as Public.

10.1 Managing the incident

Data breaches must be examined on a case-by-case basis, following an assessment of the risks involved and the specific risk assessment to decide the appropriate course of action. Data security methods must be commensurate with the sensitivity of the information and any disciplinary action commensurate with the severity of the infringement. Adoption of appropriate countermeasures aims to ensure that:

– The incidents (data breach) have been reported in a timely manner and can be properly investigated.
– Incidents are handled by appropriately authorized and qualified personnel.
– All information related to a security breach is collected, recorded and maintained.
– The impact of the breach is clear and precautions are taken to prevent further damage.
– The Personal Data Protection Authority is updated as required.
– The data subjects affected by the breach are updated as required.
– Incidents are treated promptly and normal procedures are restored.
– Incidents are reviewed to identify improvements in policies and procedures.
10.2. Steps to Manage Violation Incident
Step 1. Report Violation & Incident
Planning Report Data Security Violations
If parties to this Policy obtain direct or even third-party knowledge of the occurrence of a violation, they shall immediately report, by any appropriate means (eg by phone), the existence of the incident, the conditions and time of its occurrence, or the estimated time of its occurrence if they are unable to identify it accurately. The report should include a complete, accurate and detailed description of the incident, including who reports the incident and what category of data is affected.
MANA designates a specific person from the staff as responsible for the management of the incident, who does the following:
– Provides the person who reported the violation with the “Case Report Form” to be completed (see ANNEX I) and guides that person in completing it properly and fully.
– Conducts an investigation of confirmed and suspected security breach incidents, records all information related to a security breach.

– Depending on the incidence of the violation, develops a Violation Response Plan containing the proposed actions to address it and submits it in writing to MANA Management for approval. The Violation Response Plan also includes the DPO’s assessment of whether the incident is required to be disclosed to the ASCPD and to the data subject, in accordance with the incident occurrence and the relevant provisions of the CPC. For a digital data breach, the person responsible for managing the incident (or the DPO, if designated), with the assistance of MANA’s Technological Security Officer, develops a Digital Data Incident Management Plan.
– Upon approval of the plan, MANA shall (where appropriate) notify the infringement to the ASCP and inform the data subjects of the breach of their data security.
– Indicates to the Administration the actions required to deal with the incident and mitigate the consequences of the breach and shall ensure that they are implemented after such actions have been approved by the Administration.

Step 2. Actions at the time of Data Security Violation
– For Digital Data Violation: The Digital Data Violation Incident Management Plan is implemented, with the assistance of MANA’s Chief Technology Officer.
– For non-digital data or physical infringement:

– The incident manager and staff immediately investigate the incident and take the necessary steps to reduce further data loss.
– Personnel, following the instructions of the responsible person, secure the physical area (change locks, passwords, or cards if necessary).

– In the event of malicious activity, the Administration determines whether it is appropriate to call the police authorities and restricts traffic to the affected area until the completion of investigations by the police authorities.
– Identify the measures necessary to prevent repetition.

Step 3. Recording personal data security breach.

– All infringement-related information should be collected by MANA so that it can be analyzed to determine the extent of the infringement, the necessary remedial steps and any legal liabilities to be assigned.
– The information to be collected and recorded is as follows:
– Date, time, duration and location of the data breach.
– How the breach was discovered, by whom, and any details of the breach (eg, method of intrusion, entry or exit points, paths followed, affected systems, if data was deleted / modified).
– Information on the affected data and whether the data is encrypted / pseudonymized / anonymized; a list of persons whose personal data has been compromised is created.
– In case of not reporting the incident to the Personal Data Protection Authority, the reasons why there is no need to disclose.

Step 4. Analysis of the Immediate Consequences of the Violation
– The incident management officer shall evaluate and explain to the MANA Administration the causes of the incident.
– The necessary steps are taken to recover the personal data that have been breached and identify the affected data subjects.
– The potential impact on the data affected is identified and evaluated by the person responsible.
– It is verified with the assistance of MANA Technological Security Officer if other systems are at risk of immediate or future danger. Analysis of data security breaches may require the assistance of specialized IT consultants to collect the above information and complete the analyzes.
– The potential risk for people whose data is affected is estimated (Zero – Risk – High Risk) and Management is updated.

Step 5. Analysis of the legal consequences of the breach.
In conjunction with the general analysis carried out above, a specific analysis of the legal issues arising from the violation is carried out by MANA’s legal adviser or the DPO, where applicable. Legal analysis should include at least the following topics:

– MANA has the obligation to maintain an Internal Violation Incident Register which records the information of all data security breach incidents (even for risk-free incidents).

– Apply appropriate technical and organizational safeguards to the personal data affected by the breach, making it unintelligible to those who do not have access to it (eg encryption).
– Take measures to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to arise.
– Disproportionate communication efforts are required. In that case, a public announcement or similar measure should be made instead, by which the data subjects can be informed in an equally effective manner.
– Third party liability to MANA for actions or omissions that have caused a breach and control of a claim by third parties.
– Employee liability: Investigation into possible violation of MANA policies by employees and / or volunteers and generally external partners.

Step 6. Organize an information request management system.

Depending on the size of a data security breach and the number of affected persons, a significant volume of information requests may be sent to MANA. The infringement incident management officer designs an Information Request Management System, which should cover the following issues:

– How to communicate with the public (specific number, email address).
– How to communicate with employees
– How to contact external partners, executives, volunteers, etc.
– (Auxiliary) Outsourcing call center activities
– Preparing answers to requests.
– Prepare a “Frequently Asked Questions” (FAQ) site. Frequently asked questions can help reduce the number of calls to a call center.

Step 7. Notification of violation to the Personal Data Protection Authority

Where it is assessed by the incident management officer that the breach may endanger the rights and freedoms of individuals, MANA must notify the ASCP of the incident within 72 hours of becoming aware of it.


– Completion of the Data Breach Reporting Form by the incident manager or DPO, if specified.
– Submission of the completed Form disclosing the violation to the Personal Data Protection Authority, and any additional documents, in encrypted form in address
– Contact between the person responsible for incident management and the PDPA to address the occurrence of the violation.

Step 8. Notification of personal data breach to data subjects

In the event that MANA considers that the infringement may endanger the rights and freedoms of natural persons, MANA shall, in addition to disclosing to the ASCPF, notify the data subject of the breach of personal data.

Reporting to subjects shall be promptly carried out at any stage of dealing with a data breach incident when it is found that the breach of security has resulted in a breach of personal data and there is a high risk for the data subject’s rights and freedoms.

The communication should:

– Be individual (via Email, SMS, Letter, etc.)

– Be clear and understandable.

– If the individual communication requires disproportionate effort, the incident manager shall recommend the manner of public communication or other similar measure in which the data subjects are equally efficiently informed.
– The incident management officer prepares the text of the announcement, which is approved by the Administration, and arranges for the announcement to be sent to the subjects or for the corresponding announcement to be posted on the MANA Website.

Step 9. Actions After Violating Personal Data Security

The incident manager must ensure that the causes and circumstances of the breach are fully elucidated and that management and staff are informed of the results, as the case may be. In particular, the responsible person will take the following actions:

– Carries out a thorough analysis of the data security breach to determine the root causes.
– Controls data security restriction measures to ensure that the breach has been fully addressed.
– Specifies a prevention plan for a corresponding data security breach, which is approved by the Mana Command.
– Evaluates the policies and procedures for collecting, maintaining, storing and processing data to determine the necessary revisions and modifications.
– Assesses the need for additional employee training in data protection policies and procedures.
– Revises processing contracts with third parties.

– Checks and updates where relevant the site’s privacy policies and terms of use
– Assesses the actions and speed of response of staff and management during the breach.
– Modifies the Safety Breach Plan to improve the effectiveness of prevention.

11. Policy on the use of communication and electronic media

Employees, in the performance of their duties, must use MANA’s communication and electronic processing media (such as computers, telephones, mobile phones, etc.) for purposes related to the performance of their duties. Under this obligation, employees must:

– Avoid using a (personal or corporate) mobile phone for personal purposes while working. In any case, conversation on the mobile phone for personal purposes should be limited to what is absolutely necessary and may take place at break time and with the necessary discretion.
– Use Mana’s computers and equipment for purposes related to their performance, and avoid navigating on websites that are not relevant to their work processing, including the use of social media for personal purposes. It is strictly forbidden to navigate on websites with illegal or unethical content and to navigate to insecure websites in general.
– Abstain from the use of professional e-mail (business correspondence) for personal purposes and for acts of unlawful interference, including the exercise of competitive activity. Mana reserves the right to occasionally inspect professional correspondence, in particular to identify any illegal activity of the employee, after informing the regulated employees. It is explicitly recognized that professional correspondence is a property of Mana, which retains the right to observe and use it after the end of the employment relationship.
– Not to exceed their duties in the export and / or unauthorized disclosure and / or copying of personal and / or physical media (eg Flash disks) that are the property of Mana, including personal data files, and refrain from any use for personal purposes.
– In the case of remote work and remote access to the Mana network, workers must refrain from accessing computers that do not meet the necessary security requirements (eg they do not have an antivirus protection system) and must restrict each remote access to only what is strictly necessary for the performance of their duties. In the event of a breach of the above security requirements, they must immediately inform Mana.
– After termination of the employment contract, workers are required to return any equipment (such as computers, mobile phones, etc.) that has been assigned to them by Mana and is owned by it, after removing any personal content files from the equipment. In the event that employees use personal equipment (mobile phones, computers) for business purposes in the performance of their duties, they must, upon termination of the employment contract for any reason, provide written assurance to Mana that they have removed any professional content (eg, professional email) from their personal equipment.


12. Clean Office and Screen Policy

At the end of the working day, all employees must clean their offices and their workplaces in general and secure both equipment and any documents related to their work. Documents should be placed in the appropriate place (cabinet or drawer for archiving). All documents containing personal data should be stored in a protected and, if possible, locked file. The following guidelines should be observed by all employees, regardless of:

– Employees should devote a scheduled hour each day to clearing paper from their office.

– The computer should be disconnected when the workplace is unattended.
– The computer should shut down at the end of the business day.

– Employees must remove all Confidential and Internal Information, including personal data, from their office and keep it in a locker or drawer or file when their workstation is unattended and at the end of the working day.

All confidential and internal documents, including those containing personal data, will be stored in drawers or cabinets and should always be locked if the appropriate infrastructure is in place.

All cabinets containing confidential files or internal information should be secured and locked when not in use or when unattended. Access to them should be justified by the position and duties of the employee.

– Employees should not leave the keys used to access confidential or internal information in an unattended workplace.

– All equipment (laptops, other equipment, etc.) should be locked in a drawer or cupboard when the work area is unattended or at the end of the working day.
– It is forbidden to post passwords publicly on or under a computer, in bulletin boards or in any other accessible location.

– Copies of documents containing confidential or internal use information from printers and fax machines should be removed immediately and destroyed by secure destruction methods (eg document shredder).

– Office cabinets and filing cabinets should be locked at the end of the day or if employees are away from their workplace for a long time during the day.

– Mass storage devices, such as CD-ROMs, DVDs or USBs, etc., should be considered sensitive and confidential and securely kept in locked drawers at the end of the day or if employees leave the work area during the day.

– All waste paper, reports and printer ribbons should be destroyed using special equipment (document shredder).

13. Policy Update

MANA reserves the right to amend this Policy whenever it deems necessary, subject to its needs and practices and to the requirements of the law as applicable.

MANA Management decides to update the Policy and undertakes to inform, by all appropriate means (eg by sending an email), the staff, volunteers and those who are bound by the modifications, and to monitor the compliance of staff etc. with them.

House of ΜΑΝΑ
10, Rigillis str. 10674 Athens, GR
T: +302107295546
© 2019 House of MANA. All Rights Reserved.