Personal Data Processing (Regulation (EU) 2016/679)
Description of the process by which Personal Data are retrieved and processed
Processing is lawful only if and as long as at least one of the following conditions is fulfilled:
- The data subject has consented to the processing of his/her Personal Data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is a party, or for action to be taken at the request of the data subject before concluding a contract;
- Processing is necessary for the controller to comply with a legal obligation (it is specified that your Company is the Controller);
- Processing is required to safeguard a vital interest of the data subject or another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of a public authority entrusted to the controller.
Purpose of the recording of the process:
A company needs to know which personal data (PD) it processes and that the data are processed in accordance with the law. This is of vital importance, and, to ensure it, the people who use the Personal Data have to be informed about it. The data should be destroyed when the purpose of their processing has been fulfilled and should not be retained for a period longer than the one determined by the initial purpose of the collection.
Firstly, we must clarify that processing means any act performed, with or without the use of automated means, on Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, searching information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction.
The processing may be performed only for the specific purposes for which the data are collected, which are either those for which consent has been given or those that the law permits without consent.
Purpose of processing
- Collection of Personal Data for Payroll Calculations under the Greek Labour Law.
- Submission of electronic files/statements to the competent government departments.
Description of the processing:
- Collection of payroll details after meeting with the customer and reporting on what data are needed.
- Recording of the following information in an Excel file: Surname, name, father’s and mother’s name, date of birth, identity card number, Taxpayer Identification Number and competent Tax Office, residence address, family status, number of children, IKA [Social Security Fund] registration number and AMKA [Social Security Number], hiring date, gross monthly salary, employment contract, recruitment specialty, and any years of previous service, bank account number and bank where the payroll account is kept.
- Import of the data into the payroll program and processing thereof at regular intervals to calculate payroll.
- The processing falls within the scope of the service contract we have entered into with the customer.
- The Payroll Server/Program works in a cloud environment; so, the Personal Data are in a safe place, the persons who have access to them are registered and it is ensured (by codes) that unauthorized persons do not have access to them. The authorized persons having access have undertaken a relevant obligation to process the Personal Data in accordance with the Law, and there are General Terms and Conditions for the processing of the Personal Data that the Company notifies to all employees.
Who has access
Access to the Personal Data is granted to the users of the payroll program in accordance with the instructions given by the company and the relevant employment and personal data confidentiality contracts that they have signed.
What type of processing can they perform, and to serve what purpose
The processing allowed only concerns the calculation of monthly payroll and the export of financial records according to the needs of the client company. They also have the right to create electronic files and deposit them with the relevant insurance and labour authorities under the Greek Law.
Recording, who performs the processing and when.
The movements of the users processing Personal Data in the specific payroll program are recorded according to the parameters of the S1 payroll program, namely which user performed a particular action, when and where (workstation).
Possibility of interface with other files.
It is strictly forbidden to mix the payroll files with the personal records of the individual operator and to reproduce them on his/her workstation (PC). Therefore, a special common folder for processing payroll files has been created; only the users of the payroll program of specific clients have access to it, and it is accessible only by connecting to the company’s secure network. Reference to the above is also made in the contracts of the company’s employees as well as in the training that takes place during the employee’s induction and in the various training seminars that take place at regular intervals.
Duration of maintaining the Personal Data
The Personal Data should be maintained for as long as the Company is under the obligation (contract) to provide services to the customer. Once this obligation has expired, they must be removed from the company’s central system and/or transferred back to the customer. When a company or a company employee is deleted, the system creates a special record at the time of the deletion to serve as proof of this action, including the details of the user who performed it and the time.