This document is the property of NESTOR CONSULTING S.A. and its partial or complete reproduction is prohibited without its permission.
1. INTRODUCTION
This Privacy Policy (hereinafter the "Policy") concerns the company “NESTOR ANONYMOUS COMPANY OF STUDIES AND CONSULTING SERVICES OF PRODUCTION & MANAGEMENT,” under the trade name NESTOR CONSULTING S.A. (hereinafter “NESTOR”), and the personal data it holds regarding individuals.
Our company is committed to protecting the confidentiality and privacy of Personal Data and complies with the provisions of the "General Data Protection Regulation" hereinafter referred to as "GDPR".
2. DEFINITIONS
- Personal Data: any information that refers to and describes an individual, such as identification details (name, age, residence, profession, marital status, etc.), physical characteristics, education, employment (work experience, work behavior, etc.), financial status (income, assets, financial behavior), interests, activities, habits. The individual to whom the data refers is called the data subject.
- Sensitive Personal Data or special categories: personal data concerning an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, social welfare, sexual life, criminal prosecutions and convictions, and participation in associations related to the above.
- Health Data: personal data related to the physical or mental health of a natural person, including the provision of healthcare services, and which reveals information about their health status.
- Personal Data Breach: a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- Data Controller: the natural or legal person that determines the purposes and means of the processing of Personal Data.
- Processor: the natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller.
- Processing of Personal Data: any operation or set of operations related to personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of provision, alignment or combination, restriction, erasure, or destruction.
- Third Party: any natural or legal person, except the data subject, the data controller, the processor, and persons authorized to process personal data under the direct supervision of the controller or processor.
3. WHO IS THE DATA CONTROLLER
NESTOR is the data controller for the personal data it processes in the context of providing its services or selling its products. It retains and processes your personal data with confidentiality and respect for your privacy, taking the necessary technical and organizational measures to further protect them.
4. OBJECT OF PROCESSING
The object of processing is the personal data of our clients, or prospective clients, contractors, or third parties, which we collect or transfer to our partners or third parties in the course of performing our work.
5. PRINCIPLES WE RELY ON
We are committed to adhering to the following principles of personal data processing (Article 5 GDPR):
- Lawfulness, fairness, and transparency. Personal data is processed lawfully, fairly, and transparently in relation to the data subject.
- Purpose limitation. Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.
- Data minimization. Personal data is limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy/quality of data. Personal data is kept accurate and up-to-date, where necessary.
- Storage. Personal data is stored no longer than necessary or required by law.
- Integrity and confidentiality. We are committed to processing personal data securely, particularly from unauthorized or unlawful processing and accidental destruction or damage, using appropriate technical or organizational measures.
- We are committed to the principle of accountability.
6. COLLECTION OF PERSONAL DATA
We collect information about you in the following cases, among others:
When you contact us directly through our call center or website to request information about the products or services we offer or to subscribe to our newsletter.
If you purchase a product or service from us.
If your personal data is transferred to us by partners or other third parties.
At the pre-sales or service provision stage to contact you and offer the best possible solution.
We may also collect data occasionally from third parties who may lawfully provide us with information about our clients or whose records we may lawfully access, such as our external partners, credit information providers, and fraud prevention organizations, lawyers, public services (administrative, tax, judicial, regulatory authorities, social security institutions), or other public or private organizations.
We process personal data for purposes as detailed below.
Please help us keep your information up-to-date by informing us of any changes to your personal data.
7. WHAT KIND OF PERSONAL DATA WE COLLECT ABOUT YOU
- Contact Information (e.g., Full Name, Address, phone number, email)
- Employment Information (e.g., Occupation)
- Payment Information (e.g., IBAN/Account Number, preferred payment method)
- Identification Data (e.g., contract code)
- Customer History (e.g., satisfaction level, received offers, purchase data, offer dates, complaints)
- Application/Website/Social Media Data (e.g., cookies)
Appendix 2: "Indicative Categories of Data" presents examples of personal data we process.
8. CATEGORIES OF DATA SUBJECTS
The categories of data subjects include:
- Clients
- Prospective Clients
- Suppliers
- Partners/Subcontractors
- Natural persons in their capacity as employees, directors, or partners in a legal entity.
- Third parties involved in events related to the sale or provision of our services.
9. PURPOSES OF PROCESSING & LEGAL BASIS FOR DATA PROCESSING
The processing of personal data is based on one of the “legal bases” as mentioned in Article 6 §1 of the GDPR. An explanation of the legal bases for processing is available in Appendix 1 of this document. The legal basis for processing each use of your data is stated for each processing purpose.
Sales & Contract Management – for processing sales, creating the appropriate solution, and managing the Contract. [Article 6§1(a), 6§1(b), and 6§1(f) GDPR]
The provision of personal data within the context of our product sales or service provision constitutes a contractual obligation, and failure to provide such data may affect the correct execution of the contract.
Customer Support – to respond to queries and provide technical support regarding our products and services. [Article 6§1(a), 6§1(b), and 6§1(f) GDPR]
Promotional and Marketing Activities – to respond to inquiries and provide updates on our news and products [Article 6§1(a) and 6§1(f) GDPR]
Consent for marketing can be withdrawn at any time, effective for the future.
For existing clients, no consent is required, as they are provided with a clear and distinct option to object (Law 3471/2006, Article 11 §3).
Safeguarding our Legitimate Interests – e.g., improving our products and services, preventing and detecting fraud against us [Article 6§1(f) GDPR].
Compliance with our Legal Obligations – for compliance with our legal obligations towards the police, regulatory, tax, accounting, auditors, judicial authorities, and services [Article 6§1(c) GDPR].
The provision of personal data, as described above, constitutes a legal obligation depending on the specific request.
Processing of Special Categories of Data: NESTOR does not process Special Categories of data. If this ever becomes necessary, it will be done in accordance with the Regulation, on the basis of consent (Article 9§2(a)).
10. HOW WE ENSURE THE SECURITY OF PERSONAL DATA
We ensure that personal data is processed in compliance with policies and procedures that align with the purposes of processing. For example, the following security measures are employed to protect personal data from unauthorized use or any other form of unauthorized processing:
- Access to personal data is restricted to a limited number of authorized individuals for specific purposes.
- The personnel responsible for managing your contract are bound by confidentiality clauses and have limited access, only to the data necessary for providing the service.
- Sensitive data is stored on computers with authorized access. In print form, it is locked in cabinets accessible only by authorized individuals.
- We select trusted partners, who are contractually bound, in accordance with Article 28 §4 of the GDPR, with the same obligations regarding personal data protection. We also retain the right to audit them, Article 28 §3(e).
- The IT systems used for processing data are technically isolated from other systems to prevent unauthorized access, such as through hacking.
- Additionally, access to these IT systems is monitored continuously to detect and prevent illegal use at an early stage.
Finally, we are certified with an ISO 9001:2015 Quality Management System.
11. FOR HOW LONG WE STORE DATA
We store personal data for as long as required by the respective processing purpose and any other connected permitted purpose. Data is retained throughout the duration of our contract and, after its termination, for as long as required by applicable law. In the event of a claim, data is retained until the final resolution of any dispute.
Information that is no longer necessary will be securely destroyed.
Specifically, for data we process based on your consent (e.g., for marketing purposes), this data will be retained from the time we receive your consent and until it is revoked.
Additionally, we will retain your personal data for up to 5 years in the case of rejection of our offer.
We restrict access to your data to persons who need to use it for the specific purpose.
12. WHO ARE THE RECIPIENTS OF THE DATA
The personal data we collect may be transferred to third parties, provided that the legality of the transfer is justified.
Furthermore, where the legality of the transfer is justified, personal data may be disclosed to the following categories of recipients:
- Courier companies.
- Our branches and/or affiliated companies, within the scope of their responsibilities.
- Merchants and external partners, who are contractually bound under Article 28(4) of the GDPR with the same obligations regarding data protection.
- Any supervisory authority, as required by the applicable regulatory framework.
- Any public or judicial authority, as required by law or a court decision.
NESTOR uses a range of service providers that collaborate in the provision of its services.
Although the transmission of data over the internet or a website cannot be fully protected from cyberattacks, we and our partners work to maintain physical, electronic, and procedural security measures to protect your data.
13. WHERE DATA PROCESSING TAKES PLACE
The personal data of our customers are processed within the European Economic Area (EEA).
In the case that research outside the EEA is required for the provision of services, this will be done only with your explicit consent. Article 49(4)(a).
14. PERSONAL DATA BREACH
In the event of a breach of the security and integrity of the personal data we hold, NESTOR will take the following steps (in accordance with Articles 33 and 34 of the GDPR):
- Assess and evaluate the procedures necessary to mitigate the breach.
- Evaluate the risk and the impact on the rights and freedoms of the data subjects.
- Attempt to reduce the damage caused or that may be caused.
- Notify the breach within 72 hours of becoming aware of it, if required.
- Evaluate the privacy impact and take appropriate steps to prevent a recurrence of the breach.
15. YOUR RIGHTS AS A DATA SUBJECT AND HOW YOU CAN EXERCISE THEM
If data processing is based on your consent, you may withdraw your consent at any time, with effect for the future.
More specifically, you have the right to:
a. Access: The right to be informed about the processing of your data by us and the right to access the data.
b. Rectification: The right to request the rectification or completion of your data if it is inaccurate or incomplete.
c. Deletion: The right to request the deletion of your data: This right can be satisfied if:
We reserve the right to refuse to satisfy the above right if the processing of the data is necessary for compliance with our legal obligation, for public interest reasons, or for the establishment, exercise, or defense of legal claims (Article 17(3)).
d. Restriction of processing: The right to flag your data with the aim of restricting its processing. For example, when you have disputed the accuracy of your personal data, for the period required to verify it.
e. Portability: The right to receive your data in a structured, commonly used, and machine-readable format and to request its transmission both to you and to another party for processing.
f. Objection: The right to object at any time to the processing of your data, including profiling, particularly when the reason for processing is direct marketing.
Our company will review your request and respond within one month from receiving it, either to satisfy it or to explain the objective reasons that prevent its satisfaction. Considering the complexity of the request and the number of requests, this period may be extended by an additional two months (Article 12(3)).
Exercising the above rights is free of charge, with the submission of a relevant application/letter/email to the Data Controller. The abusive exercise of the above rights (Article 12(5)) may incur a reasonable fee.
If you are not satisfied with how we use your data or with our response to your exercise of the above rights, you have the right to file a complaint with the Data Protection Authority.
You can exercise your above rights at the contact details provided below.
16. DATA CONTROLLER CONTACT DETAILS
For any issue concerning the processing of your personal data and to exercise your above rights, you can contact NESTOR CONSULTING S.A., by phone at +30 210.61.49.790 (Monday – Friday 10:00 – 16:00), email: info@nestor.com.gr, or by post at: Leof. Kifisias 172, 151 26, Maroussi.
17. DATA PROTECTION AUTHORITY CONTACT DETAILS
Phone: +30 21064.75.600, email: contact@dpa.gr, and postal address: Leoforos Kifisias 1-3, Postal Code 115 23, Athens.
18. COOKIES
Cookies are important for the effective operation of the NESTOR CONSULTING S.A. website www.nestor.com.gr/en and for enhancing your online experience.
What are cookies?
Cookies are small text files containing information that is stored in your web browser when browsing www.nestor.com.gr/en. These cookies can be removed at any time, as you can modify your browser settings to reject some or all cookies. The help function in most browsers provides information on how to accept cookies, disable cookies, or notify you when receiving a new cookie.
We use cookies to continuously improve the functionality of our website, your browsing efficiency, as well as your login and navigation through the pages.
The information generated by the cookie file regarding your use of the website (including your IP address) will be transmitted and stored on Google's servers.
The cookies used by our website are the following:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| _fbp | Analytics | Facebook sets this cookie to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising after visiting the website. | 3 months |
| _gcl_au | Analytics | Google Tag Manager sets this cookie to experiment with the advertisement efficiency of websites using their services. | 3 months |
| wpEmojiSettingsSupports | Necessary | WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user’s browser can display emojis properly. | session |
| Tk_ai | Statistics | Used to store a unique user ID. | session |
| hu-consent | Strictly Necessary, Performance, Functionality, Targeting | Used for saving cookie acceptance preferences | 12 months |
If you do not accept cookies, you may not be able to use some features of our Service, and we recommend that you keep them enabled.
19. LOG DATA & REMARKETING
We may collect information that your browser sends whenever you visit our website. This log data may include information such as your computer's IP address, browser type, browser version, the pages you visit, the time and date of your visit, the time spent on those pages, and other statistics.
Additionally, we use third-party services such as Google Analytics that collect, monitor, and analyze this type of information in order to improve the functionality of our website and services. These third-party service providers have their own privacy policies regarding how they use this information, and we encourage you to review them.
NESTOR uses remarketing services to advertise on third-party websites after you have visited our website.
The Google AdWords remarketing service is provided by Google Inc.
Google also recommends installing the Google Analytics Opt-out Browser Add-on – https://tools.google.com/dlpage/gaoptout – for your web browser. The Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data from being collected and used by Google Analytics.
For more information about Google's privacy practices, please visit Google's website at http://www.google.com/intl/el/policies/privacy.
20. COMMERCIAL COMMUNICATION – NEWSLETTER
The visitor/user can visit the website www.nestor.com.gr, which is maintained and managed by our Company, without revealing their identity or providing any personal information, subject to the acceptance of related cookies (see above).
Generally, you are not required to submit personal data to NESTOR online, but we may ask you to provide certain personal information in order to receive additional information about our services and events. Our Company may also ask for your permission for certain uses of your personal data, and you may either consent or refuse such uses.
However, in order for the visitor/user to become a recipient of electronic newsletters sent by the Company to be informed about security systems market issues and benefit from future Company privileges, they can provide their explicit consent regarding their registration to the services of the Website and grant the Company the details that are reflected in the relevant contact form. You will have the option to unsubscribe from the relevant recipient list at any time by following the instructions provided in each communication. If you decide to unsubscribe from a service or communication, we will attempt to delete your data as soon as possible, although we may need some time and/or information before we can process your request.
Personal data collected is stored on restricted access servers controlled by passwords, and the Company uses specific technologies and procedures to enhance the protection of such information against loss or misuse and to protect it from unauthorized access, disclosure, alteration, or destruction. However, while the Company makes every effort to protect the above data, it cannot guarantee that these technologies and procedures will never be compromised in any way.
Therefore, if any visitor/user becomes aware of any illegal, malicious, inappropriate, or unfair use of personal data related in any way to the use of the Website, they are obligated to immediately notify NESTOR CONSULTING S.A. of the fact.
21. PASSWORDS
If we give you (or you have chosen) a password to access certain parts of our website or any other online portal, application, or service we offer, you are responsible for keeping that password confidential and complying with any security procedure we have informed you of. We ask you not to share your password with anyone.
22. LINKS TO OTHER WEBSITES
Our Service may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third-party's website. We strongly advise you to review the Privacy Policy for every website you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
23. PRIVACY POLICY UPDATES
This policy is revised when there is a significant change. The revision will be available on our website www.nestor.com.gr/en.
APPENDIX 1: LEGAL BASIS FOR PROCESSING PERSONAL DATA
According to Article 6 of the GDPR:
Processing is lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially where the data subject is a child.
Sensitive Personal Data:
According to Article 9 §1 & 2 of the GDPR, the processing of special categories of data is permitted only in the specific cases prescribed by law, including the provision of consent.
APPENDIX 2: INDICATIVE CATEGORIES OF DATA
Identification Information:
- Full Name
- Title (Mr./Mrs.)
- Date of Birth
- Tax Identification Number (TIN)
- Identity Card Number
Contact Information:
- Address
- Landline/Mobile Number
- Fax
Employment Information (e.g., Occupation)
- Profession
- Income (for employees)
- Financial Behavior Data
Payment Information:
- Bank Account Number / IBAN
- Preferred Payment Method
- Credit/Debit Card Number
Identification Data (Indicative):
- Customer Number / Code
- Contract Number
Additional Personal Information / Preferences (Indicative):
- Driving License (category) (for employees)
- Insurance Company, as indicated by the customer
- Preferred Communication Channel
Special Categories of Personal Data (Indicative):
- Medical History (for employees)
- Health Data (e.g., sick leave for employees)
Customer History (Indicative):
- Customer Satisfaction Rating (and additional information from satisfaction surveys)
- Received Offers
- Warranty Information
- Complaint History
Application/Website/Social Media Data (e.g., cookies)
- In the case that the customer is registered or logged in, the following data may be used:
- Website traffic
- Cookie Data (subject to acceptance of the cookie policy)