RIGINOS YACHTS PRIVACY POLICY

  1. INTRODUCTION

WHITE SAILS is part of RIGINOS YACHTS (hereinafter the “Company”) and collects, uses, stores and generally processes personal data of its customers, partners, business contacts, suppliers, employees, participants in contests and other promotional activities, and users of its within the scope of its business and pursuant to the principles of necessity and proportionality.

The security of personal data is of vital importance for the Company. The Company is fully committed to ensuring that sufficient measures have been undertaken in order to guarantee the security of the personal data and to complying with the provisions of the applicable data protection legislation.

The Company is fully committed to ensuring and monitoring the continued and effective implementation of the present Policy and expects that all Company employees and others involved will engage and share this commitment.

  1. SCOPE OF THE PRIVACY POLICY

The purpose of the present Privacy Policy (hereinafter the “Policy”) is to define the principles governing the processing of personal data performed by the Company and the basic procedures that shall be followed, and to contribute to the implementation of an appropriate level of protection afforded to the personal data within the Company. The present Policy applies to all Company employees.

  1. DEFINITIONS

“Applicable Legislation” means Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”) and any other data protection laws.

“Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Data Processor” means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical or physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Special Categories of personal data” means any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, data concerning health and data concerning a natural person’s sex life or sexual orientation.

“Processing” means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Personal Data Breach” means a breach of data security leading to the accidental or unlawful/illegitimate destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transferred, stored or otherwise processed.

  1. DUTY OF CONFIDENTIALITY

All Company employees are under the obligation to maintain strict confidentiality of the Personal Data they process. Personal Data shall in no way be disclosed to or accessed by unauthorized third parties. A breach of Personal Data confidentiality constitutes a breach of the present Policy.

  1. PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA

Lawfulness, fairness and transparency of processing: Personal Data shall only be collected and processed in a lawful, fair and transparent manner, for purposes directly related to past, ongoing or planned activities of the Company. The Company is committed to keeping the Data Subject informed of what processing of their Personal Data occurs and to providing the Data Subject with all the information required by the Applicable Legislation.

Lawful means that the processing of the Personal Data shall not be in breach of any law and fairness means that the use of the Personal Data shall be within the reasonable expectations of the Data Subject.

Purpose Limitation: Personal Data shall be collected and processed to accomplish specified, explicit and legitimate purposes and no further processing shall occur beyond such purposes.

Accuracy: The Company adopts reasonable measures to ensure that Personal Data is accurate, relevant and up to date.

Storage Limitation: Personal Data shall be kept by the Company in a form which permits identification of Data Subjects for no longer than what is necessary for the purposes for which it is processed. Once information is no longer needed, the Company shall securely delete it.

Integrity and Confidentiality: The Company implements appropriate technical and organizational measures to safeguard that Personal Data is processed in a manner that ensures its appropriate security, integrity and confidentiality.

Accountability: The Company shall be in a position to demonstrate that all the Principles relating to Processing of Personal Data, described above, are complied with in relation to all the Personal Data for which the Company is responsible.

  1. LAWFULNESS OF PROCESSING

In order to ensure that Processing of Personal Data is lawful, any Processing performed by Company employees shall be based on at least one of the following lawful data processing bases. If none of the following lawful bases is applicable, Processing of Personal Data shall not be performed.

  • The Data Subject has given consent to the Processing of his or her Personal Data for one or more specific purposes.
  • The Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract (i.e. performance of an employment contract).
  • The Processing is necessary for compliance with a legal obligation to which the Company is subject (i.e. the submission of employee information to competent authorities).
  • The Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person.
  • The Processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data.

If Processing is performed on Special Categories of Personal Data, Company employees shall ensure that at least one of the following lawful data processing bases applies:

  • The Data Subject has given explicit consent to the Processing of those Personal Data for one or more specified purposes.
  • The Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Company or of the Data Subject in the field of employment and social security and social protection law.
  • The Processing relates to Personal Data which are manifestly made public by the Data Subject.
  • The Processing is necessary for the establishment, exercise or defense of legal claims.

In principle, the Company shall not collect or process Personal Data relating to criminal convictions and offences.

  1. USE OF SERVICE PROVIDERS

Where the Company engages a service provider who collects, uses, stores or otherwise processes Personal Data owned by the Company on behalf of and under the instructions of the Company, the service provider shall act as data processor pursuant to the Applicable Legislation. In all such cases, the Company ensures that a data processing agreement is in place. The purpose of this data processing agreement is to ensure that the service provider will Process Personal Data in accordance with the Applicable Legislation, and its execution shall take place before the service provider has access to the Personal Data.

  1. TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OUTSIDE THE E.U./E.E.A.

Any transfer of Personal Data to a third country or international organization requires special consideration and shall be carried out in compliance with the Applicable Legislation.

The Company shall ensure that the Personal Data shall be transferred outside the E.U./E.E.A. and to countries for which the European Commission has not issued an adequacy decision, only where appropriate safeguards pursuant to the Applicable Legislation are in place (including standard contractual clauses, approved codes of conduct, approved certification mechanisms etc.). In the absence of such adequacy decision or appropriate safeguards, the Company may exceptionally transfer Personal Data to a recipient in a third country or international organization if one of the derogations specified in the GDPR applies.

  1. SECURITY OF PROCESSING

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the likelihood and severity for the rights and freedoms of Data Subjects, the Company implements appropriate technical and organizational measures to ensure that the Personal Data is Processed in a manner that ensures the appropriate security of the Personal Data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage, and generally to ensure a level of security that is appropriate to the risk.

The Company implements the appropriate technical and organizational security measures for the protection, integrity and confidentiality of its information technology systems and Personal Data.

Where the Company performs Processing activities which are likely to result in a high risk to the rights and freedoms of the Data Subjects, Company employees shall ensure that, prior to processing, an assessment of the impact of the envisaged Processing operations on the protection of Personal Data, namely a data protection impact assessment, is carried out. Such assessment shall aim to identify any privacy risks and security issues on the Processing of the Personal Data and propose measures to rectify them, so that the Personal Data is Processed in line with the Applicable Legislation.

  1. DATA SUBJECT RIGHTS

According to the Applicable Legislation, the Data Subjects have the following rights in connection with the Processing of their Personal Data.

Right to be informed

The Company is committed to adopting measures to provide the Data Subject with all the required information pursuant to the Applicable Legislation in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Right of access

The Company ensures that upon request by the Data Subject, access to his or her Personal Data shall be granted.

Right to rectification

Data Subjects have the right to rectification of any inaccurate Personal Data and the Company is committed to ensuring that any inaccurate or incomplete information is erased, amended or rectified.

Right of erasure

In certain circumstances, pursuant to the Applicable Legislation, Data Subjects have the right to have their Personal Data erased. The Company is committed to ensuring that it complies where the right to erasure is exercised by the Data Subject on grounds pursuant to the Applicable Legislation, unless processing is deemed necessary for reasons specified in the Applicable Legislation.

Right to restriction of processing

In certain circumstances provided by the Applicable Legislation, Data Subjects have the right to obtain from the Company the restriction of Processing of their Personal Data.

Right to portability

Data Subjects have the right to receive their Personal Data, which they provided to the Company, in a structured, commonly used and machine-readable format and have the right to request the transmission of the Personal Data to another controller.

Right to object

In certain circumstances provided by the Applicable Legislation, Data Subjects have the right to object to the Processing of Personal Data. In such cases, the Company shall cease to Process the Personal Data unless it can demonstrate compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims.

  1. PERSONAL DATA BREACHES

The Company has the obligation to notify the supervisory Data Protection Authority of any Personal Data Breach, as defined in the present Policy, which is likely to result in a risk to the rights and freedoms of natural persons or to the Data Subjects pursuant to the Applicable Legislation.

Personal Data Breaches can be categorized as:

  • Confidentiality breaches where there is an unauthorized or accidental disclosure of, or access to, Personal Data;
  • Availability breaches where there is an accidental or unauthorized loss of access to, or destruction of, Personal Data; and
  • Integrity breaches where there is an unauthorized or accidental alteration of Personal Data.

Any Company employee who suspects that a Personal Data Breach has occurred shall follow the procedure established by the Company for the purposes of responding to Data Breach incidents, including the immediate notification of the incident to the competent person appointed by the Company.

A Personal Data Breach is misconduct taken seriously by the Company.

  1. RETENTION PERIODS

Personal Data Processed for any purpose or purposes shall not be kept for longer than what is necessary for that purpose or those purposes. The retention period is limited to the strict minimum and time limits shall be established to ensure that Personal Data is not kept longer than necessary. This means that Personal Data cannot be kept because a new purpose might be found in the future.

The Company is committed to ensuring that once the necessary retention period ends, Personal Data is destroyed through a specific procedure and in a manner which ensures the protection from potential unlawful Processing. Company employees shall comply with the rules set out by the Company in relation to the retention periods and procedures for the safe destruction and/or anonymization of the Personal Data.

  1. POLICY MAINTENANCE

This Policy is effective as of the date of its approval and may be subject to amendments.

 

23 May 2018