Subject Access Request
DATA SUBJECT ACCESS REQUESTS
(Subject Access Request-SAR)
-
- PURPOSE
- According to the General Regulation on the Protection of Personal Data (EU) 2016/679, GDPR which came into effect on May 25, 2018, and based on the Personal Data Protection Policy implemented by Enterprise Aikaterini Petropoulou & Co. , each Natural Person ( P.P. ) has the following information rights, which can be exercised and the Company can respond immediately without putting the P.P. in a disadvantageous position.
- In matters of objectivity, legality and transparency in the processing of his Personal Data ( PD ) by the Company.
- To the purpose for which they are processed and to the minimization of the data processed.
- In the accuracy of the data maintained and processed by the Company and concerning the subject of the data.
- In limiting the storage time of P.D.
- To the extent of security and protection of the P.D. from unauthorized use. 2. The Data Subject Access Request ( Subject Access Request – SAR ) which is available here is a means for the FP to find out what data the Business holds on its behalf, why it holds it, and with whom it shares it
- VALIDITY 3. To be valid, the Access Request must be made in writing and sent by mail (post or email ). The data that the subject can request is specified in Paragraph B2 of Chapter 3 of the Personal Data Protection Policy. 4. Once the subject submits an Access Request, the data subject may be asked to confirm his identity through some basic information that will be required by the Business before sending the response regarding his P.D.
- In the event that someone requests a P.D., he must present an authorization with a signature certified by a public authority in which the P.D. authorizes him to carry out a request on his behalf. And in this case, the Company will contact the directly interested party about their personal data before contacting the authorized person. D. _ CHARGES PER REQUEST 6. This provision will be made without any financial burden, unless his request is manifestly unfounded or abusive. If the individual requests further copies of this information from the Company, a reasonable administrative fee may be incurred. E. _ DATA PROVIDED 7. The Company as a Data Processor will provide all the information it has at its disposal, which the FP has requested and is entitled by law to receive. The provisions of the GDPR define what a DPO can receive: 8. The data subject will have the right to receive from the data controller confirmation as to whether their personal data exists and is being processed. 9. In the event that this is confirmed, he will have access to the following P.D.:
- Purposes of processing . _ _
- Categories of P.D. that concern it.
- The categories of recipients of the PD in case the Company transfers them to someone else for processing and especially if their data goes outside the country or to non-domestic organizations.
- Where possible the intended retention time of the P.D. of the F.P. or alternatively, if this is not possible, the criteria on the basis of which the retention time has been defined.
- The existence of the right to request the controller to correct, delete, limit or refuse the processing of his personal data.
- The right to lodge a complaint/complaint with the national personal data supervisory authority www . dpa . Gr
- In the event that the data controller does not collect the data from the VAT itself, the source from which it collects the data concerning the VAT.
- The case of the existence of an automated decision-making system, including as defined in the corresponding articles of the General Regulation ( GDPR ) and in these cases information related to the reasoning, the importance, but also the possible consequences for the subject of the specific processing.
- In the event that the P.D. is transferred to another country, or to an international organization, the data subject should have the right to be informed about the measures to protect his personal data that exist based on article 46 of the General Regulation ( GDPR ) 10. The Company will provide a copy of the POs being processed. In the event that the FP requests additional copies, the Company reserves the right to charge a reasonable fee based on the costs it has incurred for the provision of the additional copy. The provision of the data (unless otherwise agreed) is made in the same way in which the request was made by the data subject (i.e. in case the request was made by email the answer will be given by email ) F . RESPONSE TIMES 11. Based on the General Regulation ( GDPR ), Subject Access Requests should be responded to within one month from the date of receipt, unless the request is unusually long and complex. In this case, the FP that made the request should be contacted and the time of the delay explained, 12. In the event that someone from the Company receives a Subject Access Request, they should contact their Data Protection Officer Company ( dataprivacy @ hotelising . com ) and to inform him as soon as possible, including the Subject’s Access Request and any other information he has. 13. The Data Protection Officer and the response team will deal with the request in accordance with what is stated in the Company’s Privacy Policy.