Privacy policy
INFORMING CUSTOMERS & COMPANY STAFF
BIOSTATISTICS IKE
REGARDING THE PROCESSING OF PERSONAL DATA
A. Details of the Data Controller
The company under the name BIOSTATISTICS IKE (and distinctive title BIOSTATISTICS), based in Athens (29 Mavrommaton Street, Postal Code 10434, tel. 2108232425 e-mail:
B. Type of data and sources of origin
The personal data collected and processed by the Company and relating to its customers are:
1. Identification details, full name, gender, date of birth, tax identification number, AMKA number (for doctors).
2. Your contact details, postal and email address, telephone number (mobile).
The personal data referred to in points 1-2 above are provided to the Company directly by its customers. The provision of your data is a requirement for the conclusion and execution of the contract between us, which will not be possible if you refuse to provide them.
The personal data collected and processed by the Company and relating to its employees are:
- Identification and payroll details, such as full name, father's name, gender, date of birth, tax identification number, Social Security Number, identity card/passport number, marital status, Social Security Number and/or other insurance fund registration numbers.
- Contact details, such as postal and email address, telephone numbers (landline, mobile).
- Bank payment details, such as bank account number (IBAN).
- Data related to your employment status, such as job position, type and duration of contract, working hours, leave, absences, evaluations, education and professional experience details.
- Sensitive health data, such as certificates of incapacity for work, medical opinions on special benefits or arrangements in the workplace, disability data, where applicable.
The personal data referred to in points 1-5 above is provided to the Company directly by you, as data subjects. The provision of this data is a requirement for the conclusion and execution of the employment contract between us and for the Company's full compliance with its obligations under labor, insurance, and tax legislation. Failure to provide such data makes it impossible to commence or continue the employment relationship.
C. Purposes and legal basis for processing
The Company collects and processes the above-mentioned personal data concerning you as customers for the following purposes and legal bases:
1) Provision of services for clinical studies
The above-mentioned personal data are processed for the purpose of providing clinical study services, including the identification of participating healthcare professionals, communication with them, etc. The legal basis for the processing of identification, contact, and clinical study data is the performance of our contract, in accordance with Article 6(1)(b) of the GDPR. If special categories of data, such as health data, are provided to us for the performance of our contract, the legal basis for the relevant processing is consent, in accordance with Article 9(2)(a) of the GDPR.
2) Pricing of services
The data under points 1, 2, and 3 above in Section B, which are related to your payments, may be further processed for the purpose of invoicing the Company's services, and the legal basis for their processing is the fulfillment of the Company's legal obligations under tax law, in accordance with Article 6(1)(c) of the GDPR.
The Company collects and processes the above-mentioned personal data concerning you as employees for the following purposes and on the corresponding legal bases:
- Management of the employment relationship: Your data under points 1, 2, and 4 of Section B are processed for the purpose of drawing up, executing, and monitoring your employment contract, as well as meeting the operational needs of the Company (e.g., distribution of tasks, management of working hours, leave, evaluations, training, etc.).
Legal basis: the performance of the employment contract, in accordance with Article 6(1)(b) of the GDPR.
- Compliance with obligations under labor, insurance, and tax legislation: Your data relating to identification, insurance, and payroll, including those under points 1 and 3 of Section B, are processed in order to comply with the Company's legal obligations to the competent authorities (ERGANI, EFKA, AADE, OAED, SEPE, etc.), as well as for the granting of legal permits and benefits.
Legal basis: compliance with a legal obligation, in accordance with Article 6(1)(c) of the GDPR.
- Management of special arrangements for health and safety reasons: Your special category data under point 5 of Section B, such as health certificates, medical opinions, information on disability or reduced working capacity, are processed exclusively when necessary for the fulfillment of the Company's obligations in the field of labor law and health and safety at work.
Legal basis: Article 9(2)(b) and (h) of the GDPR.
- Provision of additional benefits or facilities: In cases where the Company provides additional benefits (e.g., private insurance, wellness programs, employee support programs), you may be asked to provide additional data. These will only be provided and processed with your explicit consent.
Legal basis: your consent, in accordance with Article 6(1)(a) and Article 9(2)(a) of the GDPR.
- Security of persons and facilities: The Company may use a surveillance system (e.g., CCTV cameras) solely for the security of personnel, customers, and facilities. The use of the system is proportionate and in accordance with the guidelines of the Personal Data Protection Authority.
Legal basis: the Company's legitimate interest, Article 6(1)(f) of the GDPR.
D. Data transfer – Recipients
In order for the Company to fulfill the above-mentioned functions and its relevant obligations, it discloses the personal data of its customers to categories of persons or entities (recipients). Recipients only have access to your Personal Data that is strictly necessary for the performance of their tasks or the provision of services they have undertaken to the Company. These categories are as follows:
1. Processors: the Company works with the following processors on its behalf to assist it in fulfilling its legal or contractual obligations, which are
Ä accounting service providers,
Ä IT system support service providers,
Ä hosting service providers, cloud providers,
Ä product and service promotion service providers,
Ä physical security service providers,
provided that the confidentiality of your data is maintained.
2. Financial institutions, to the extent necessary to execute the transaction
3. Tax authorities, in accordance with applicable tax legislation
4. Lawyers, where necessary for the exercise of the Company's rights and the protection of its legitimate interests
5. Bailiffs, notaries, judicial, prosecuting, and police authorities, as well as auditing authorities, if required by law or court order, or upon their relevant legal requests in the exercise of their duties.
E. Data retention period
Your data as customers is kept by the Company throughout the period of provision of its services to you and for up to 15 years in accordance with current tax legislation. Your data as employees is kept by the Company for the entire period of your employment with it and for up to 15 years in accordance with current tax and labor legislation.
If, by the end of the above periods, legal proceedings are in progress in which the Company is involved and which concern you directly or indirectly, the retention period for your data will be extended until a final court decision is issued.
After the expiry of the above periods, your personal data will be deleted/destroyed in accordance with the Company's destruction policy.
F. Transfer of data outside the EU
The Company does not transfer your personal data to third countries outside the EU.
G. What rights you have in relation to your data and how you can exercise them
As customers and/or employees of the Company, you have a number of rights under Articles 15-22 of the GDPR with regard to your personal data processed by the Company.
The table below lists your rights by processing purpose and corresponding legal basis. In this table, you will find detailed information (meaning, method, and deadlines for exercising) and a form for exercising each right.
If you wish to exercise any of your rights, please complete the relevant form and send it to
|
|
RIGHTS |
||||||||
|
Access (Article 15 GDPR) |
Rectification (16) |
Erasure (17) |
Restriction (18) |
Portability (20) |
Objection (21) |
Automated decision-making (22) |
Withdrawal of consent (7.3) |
||
|
PURPOSE |
LEGAL BASIS |
|
|
|
|
|
|
|
|
|
Provision of clinical study services to customers in general (in terms of simple data, such as identification and contact details) |
Performance of a contract (Article 6.1b GDPR) |
X |
X |
X |
X |
X |
|
|
|
|
Provision of clinical study services (in relation to any health data) |
Consent (9.2a) |
X |
X |
X |
X |
X |
|
|
X |
|
Pricing of products/services |
Compliance with legal obligations (6.1c) + tax legislation |
X |
X |
|
X |
|
|
|
|
Please note that the Company has the right in any case to refuse, in whole or in part, to comply with your request to restrict the processing or erasure of your data, if the processing or retention of your personal data is necessary for the establishment, exercise, or defense of its legal rights or the fulfillment of its legal obligations.
The Company must respond to your request within one month of receiving it. This deadline may be extended by a further two months, if deemed necessary by the Company, taking into account the complexity of the request and the number of requests, in which case the Company will inform you within one month of receipt of the extension and the reasons for the delay.
The table below lists your rights as an employee for each purpose of processing and the corresponding legal basis. In this table, you will find detailed information (meaning, method, and deadlines for exercising) and a form for exercising each right.
|
|
RIGHTS |
||||||||
|
Access (Article 15 GDPR) |
Rectification (16) |
Erasure (17) |
Restriction (18) |
Portability (20) |
Objection (21) |
Automated decision-making (22) |
Withdrawal of consent (7.3) |
||
|
PURPOSE |
LEGAL |
|
|
 |
|
|
|
|
|
|
Management of the employment relationship (contract, duties, evaluation, working hours, leave, etc.) |
Contract performance (Article 6.1b GDPR) |
X |
X |
X |
X |
X |
|
|
|
|
Compliance with obligations under labor, social security, and tax legislation (ERGANI, EFKA, AADE, SEPE, etc.) |
Performance of a contract (Article 6.1b GDPR) |
X |
X |
|
X |
X |
|
|
X |
|
Management of special health and safety arrangements at work |
Article 9.2b & GDPR |
X |
X |
X |
X |
|
|
|
|
|
Additional benefits/facilities (e.g., private insurance, social benefits) |
Consent |
X |
X |
X |
X |
X |
|
|
X |
|
Surveillance of premises for security reasons (CCTV, etc.) |
Overriding legitimate interest (6.1f + Law 3471/2006, Article 11.3) |
X |
X |
X |
X |
|
X |
|
|
If you wish to exercise any of your rights, please complete the relevant form and send it to
Please note: The Company has the right to refuse, in whole or in part, to comply with a request for erasure or restriction when processing is necessary for:
– the fulfillment of a legal obligation,
– the exercise or support of its legal claims,
– the performance of the employment contract.
A response to your request will be provided within one (1) month. The deadline may be extended by up to two (2) additional months, upon providing you with a reasoned explanation.
If the Company does not act on your request when exercising the above rights or if, following its response, you consider that your above-mentioned rights have been violated, you have the option of submitting a complaint to the Personal Data Protection Authority, 1-3 Kifissias Avenue, 115 23, Athens, https://www.dpa.gr/, tel. 2106475600.
For any matter concerning the protection of your personal data, you can contact our Company's Data Protection Officer at: tel. 6936988100 and/or e-mail: