Our company, Calin SA, was established in 1995. We secured the rights to develop the Greek network of the stores Calzedonia – Intimissimi – Intimissimi Uomo – Tezenis – Falconeri as the master franchisor.
The speed at which the chain has grown is indicative of the highly positive response to the product range by the consumer public. Today, the network is composed of 133 stores selling the brands Intimissimi, Intimissimi Uomo, Calzedonia and Tezenis – Falconeri in Greece, and there are 4482 stores worldwide.
It is now an extensive, well-established and well-known chain of stores with a brand name that provides substantial added value with international appeal.
One of the main features of our chain of stores is their modern, well-planned layout and the high aesthetic standard of their fixtures and fittings, investments that bring significant commercial benefits to the properties we choose, to the benefit of their owners.
This is because the philosophy of the brands we represent in the Greek market is to attract Calzedonia, Intimissimi, Intimissimi Uomo and Tezenis – Falconeri customers to retail stores with modern design and fixtures and a welcoming environment. These stores offer direct, first-class service for customers, who have the opportunity, with the assistance of our trained sales staff, to select the products they need from a large and frequently updated range.
The General Data Protection Regulation (hereafter GDPR) was passed on 16 April 2016 (Regulation 679/2016) by the European Parliament. It entered into force on 5 May 2016 with a transitional period of 2 years, with immediate effect as a law directly applicable in all the Member States of the European Union as of 25 May 2018.
The core of the GDPR is a set of rules that ultimately aim to give citizens greater control over their personal data. It simplifies and consolidates the legal environment so that citizens and businesses can benefit from the digital economy regardless of which EU country they are in. Compliance is designed to be responsive to today’s digital world and sets rules and obligations that go hand in hand with the speed of the online era.
This policy sets out our standards for the management and protection by, or on behalf of, our company, of personal data which originate, directly or indirectly, from any country in the European Economic Area (EEA) or Switzerland and which are transferred to any other country, including transfer between EEA countries. These standards apply to our activities in each country, to any activity we conduct in any field that involves information about individuals, including, but not limited to, research, production, commercial activities, corporate support and transfers of data that are necessary for the performance of the above activities, including but not limited to:
- Commercial activities: market assessment in relation to our products; advertising, marketing, sale, distribution and delivery of our products; communication with our customers and other end users of our products; sponsorship and conduct of events; evaluation and encouragement of our partners to support our commercial activities; compliance with relevant legal, regulatory or ethical requirements.
- Corporate support: recruitment, hiring, management, development, communications with, and compensation of employees; administration of benefits for employees and their dependents; conducting appraisals of employee performance and skills; provision of training and other learning and development programs; implementing employee disciplinary and grievance proceedings; management of ethics and privacy concerns and conduct of investigations; managing and safeguarding our physical and virtual assets and infrastructure; procurement and payment for goods and services; fulfilling our commitments on the environment, health and safety and corporate responsibility; communication with media outlets; and compliance with the relevant legal, regulatory or ethical requirements.
This policy also applies to all persons whose data we process, including but not limited to customers, prospective, current and former employees and their dependents, members of the Ethics Committee, partners, investors and shareholders, government employees and other interested parties.
All company employees and its management executives have significant responsibilities in connection with privacy, and they are obliged to meet these responsibilities.
We recognize that unintentional errors and misstatements in data protection can create risks for the privacy of individuals and risks for our company’s reputation, processes, compliance and finances. Every employee of the Company, and any other person responsible for processing data for our company, is responsible for understanding and observing their obligations under this policy and existing legislation.
Our values and standards with regard to privacy
We apply our values regarding privacy to everything we do involving people, including how we apply privacy standards. The four values affecting privacy include:
We recognise that personal privacy concerns are often related to the essential questions of who we are, how we see the world and how we define ourselves. For this reason, we strive to respect the perspectives and interests of individuals and communities, and to be fair and transparent in how we use and share information about them.
We are aware that trust is vital to our success, and we therefore work hard to create and maintain relationships of trust with customers, employees and other interested parties as far as respect and protection of their personal information is concerned.
Prevention of harm
We understand that misuse of personal information can create material and non-material damage to individuals, and we accordingly try to prevent physical or financial harm, as well as damage to an individual’s reputation or any other harm that might be caused in relation to privacy issues.
We are aware that laws and regulations do not always keep pace with the rapid advances in technology, data flow or the associated changes in risks and expectations of privacy. Accordingly, we strive to comply with the spirit and rules of privacy and data protection laws in a way that demonstrates consistency and operational competence in our business operations at a global level.
- We incorporate our privacy standards into all activities, processes, technologies and relationships with third parties that use personal data. We design privacy controls in our processes and technologies that are consistent with our privacy values and standards and with the applicable legislation. The 8 privacy principles outlined below summarise the privacy standards and basic requirements for processes and activities and their supporting high level technologies.
Our Fundamental Commitments
1. Necessity – Before collecting, using, or sharing personal information, we define and document the specific, legitimate business purposes for which this is necessary.
- We define and record the time period for which personal data is required for these specified business purposes.
- We do not collect, use or share more personal information than is necessary, or keep personal data in an identifiable form for longer than is necessary for these specified business purposes.
- We anonymise the data when business requirements necessitate that information about the activity or process is to be retained for a longer period of time.
- We ensure that these necessary requirements are embedded in any support technologies and that third persons providing support for the activity or the processing are properly informed.
2. Fair and Just Use – We do not process personal data in ways that are unfair to the persons to whom the data relates.
- We determine whether the proposed collection, use or other processing of personal information presents a risk of tangible or intangible harm to individuals in accordance with our privacy value of preventing harm.
- If the nature of the data, the types of persons or the activity, involves an inherent risk of causing real or undetermined harm to individuals, we ensure that any risk of harm is outweighed by a corresponding benefit to those individuals or to our mission of saving and improving lives.
- Where the risk is disproportionate to the benefits for individuals, we only process sensitive personal information with the explicit consent of the individuals concerned or as expressly required or expressly permitted by applicable law.
- We document the risk analysis and design any required mechanisms for obtaining and recording evidence of consent into support technologies.
3. Transparency – We do not process personal data in ways or for purposes that are not transparent.
- All persons whose personal information is processed under this policy will be entitled to receive a copy of the policy. Copies of the policy will be available online at www.calin.gr. The Data Protection Officer will provide digital and/or physical copies of this policy upon request from the addresses listed below.
- When collecting personal information directly from individuals, we notify them via a clear, distinct, and easily accessible privacy notice or similar means, before collecting information, regarding (1) the corporate entity or entities responsible for data processing, (2) the type of data to be collected, (3) the purposes for which it is to be used, (4) who it will be shared with, including any requirements to disclose personal information in response to lawful requests by public authorities, (5) the time period for which it will be kept, (6) how people can ask questions, express concerns or exercise their rights regarding the information, and (7) an online link to this policy, where possible and appropriate.
- When personal information is collected from other sources and not necessarily at the direction of our company, prior to obtaining the data, we verify in writing that the data provider has informed individuals about the ways in and purposes for which the company intends to use the information. If the written verification cannot be obtained from the provider, we only use anonymous data, or, before we use personal data, we inform the individuals affected via a privacy notice or similar means regarding (1) the corporate entity or entities responsible for data processing, (2) the type of data to be collected, (3) the purposes for which it is to be used, (4) who it will be shared with, including any requirements to disclose personal information in response to lawful requests by public authorities, (5) the time period for which it will be kept, (6) how people can ask questions, express concerns or exercise their rights regarding the information, and (7) an online link to this policy, where possible and appropriate.
- We ensure that the necessary transparency mechanisms, including where possible, mechanisms supporting individual rights requests, are introduced into support technologies, and that third parties supporting the activity or processing do not process personal data in ways that are inconsistent with what people have been told, through privacy notices or other verifiable means, about how we and others working for us will use the information.
4. Limited Purpose – We use personal data only in accordance with the principles of necessity and transparency.
- If new legitimate business purposes are identified for personal data already collected, we either ensure that the new business purpose (including substantially similar purposes) is compatible with the purpose as described in the privacy notice or other transparency mechanism previously provided to the individual, or we obtain the consent of the individual for the new use of his or her personal information.
- We do not apply the above principle to anonymous data, or where we use personal data solely for the purpose of historical and scientific research, and (1) an Ethics Review Committee or other competent auditor has determined that the risk of such use to privacy or other rights of individuals is acceptable and (2) existing legislation is respected.
- We ensure that constraints which are due to any limited purpose are embedded in support technologies, including any reporting and downstream data sharing capabilities.
5. Data Quality – We keep accurate, complete and up-to-date personal information that is consistent with its intended use.
- We ensure that periodic data review mechanisms are incorporated into support technologies to validate data accuracy against source and downstream systems.
- We ensure that sensitive information is validated as accurate and current prior to its use, evaluation, analysis, reporting or other processing that may carry a risk of unfair treatment of persons if inaccurate or outdated data are used.
- Where changes are made to personal information by our company or by third parties working for our company, we ensure that these changes are communicated in a timely manner where reasonably possible.
6. Security – We incorporate security safeguards to protect personal and sensitive data from loss, misuse, and unauthorised access, disclosure, or destruction.
- We have implemented a detailed information security programme and we apply security controls based on the sensitivity of the information and the risk level of the activity, taking into account the best practices offered by modern technology and the cost of implementation. Our operational security policies include, but are not limited to, business continuity and disaster recovery standards, identity and access management, information classification, information security incident management, network access control, physical security, and risk management.
7. Data Transfer – We are responsible for preserving the security and privacy of personal data when it is transferred to or from other organisations or across country borders.
(1) We only transfer personal information to, or allow it to be processed by, third parties if the following requirements are met, and we are liable for ensuring that the third parties we cooperate with meet these requirements:
- If the role of the third party is to process personal data for or on behalf of our company, prior to receipt of personal data by the third party in question, we: (1) complete legal due diligence to evaluate privacy practices and risks associated with these third parties; (2) obtain guarantees by contract from these third parties that they will process personal data in accordance with our company’s instructions and in accordance with this policy, including, without limitation, all of the 8 privacy principles and other standards set out in this policy and existing legislation, and will promptly notify our company of any privacy incident, including any inability to comply with the standards as per this policy and the applicable legislation, or any security incident, and will cooperate to remedy any substantiated incident in a timely manner and address the individual rights as defined in section 2 below, and allow our company to audit and oversee their practices for the duration of processing as far as compliance with these requirements is concerned. Furthermore, if the third person is processing personal data originating from a country or territory with legislation that restricts the transfer of personal data, we will ensure that the transfer to the third party meets the conditions for cross-border transfer described below in Section 2. Where one of our subsidiaries acts solely on behalf of another of our subsidiaries in the processing of personal data, and where required by law, our company’s subsidiaries will execute an internal data processing agreement in accordance with principle 8 of this policy.
- If the role of the third party is to provide personal data to our company, before we obtain the said personal data from the third party, we ensure that the transparency requirements for the collection of personal data from other sources not specifically under the supervision of our company are met, and we obtain warranties by third party contract that it is not violating any law or the rights of any third party by supplying personal data to our company.
- If the third party’s role is to collect data that is not specifically under our company’s control for processing from our company, before we deliver the data to the third party, we ensure that the data is anonymised and we obtain written guarantees from the third party that they will use the data only for the operational purposes specified in the agreement and according to existing legislation, and that they will not attempt to reverse the anonymising process.
(2) We transfer personal information across country borders by or on behalf of our company in accordance with this policy. We will apply this policy to transfers of personal information from any other country or territory with legislation that imposes restrictions on transfer of personal information.
8. Legally Permissible – We only process Personal Data if the requirements of the applicable legislation are met.
- While the other 7 privacy principles, as well as the individual rights conditions described below, are intended to ensure that the requirements of most privacy and data protection laws that apply to our business sector around the world have been met, in some countries it is necessary to comply with additional requirements, including but not limited to the following:
- Where necessary, we will obtain specific forms of consent to process specific personal data, including, but not limited to, approval of processing by labour councils or other employee trade unions.
- Where necessary, we will register the processing of personal data with the applicable privacy or data protection regulator.
- Where necessary, we will further limit the personal data retention periods.
- Where appropriate, we will enter into agreements that include special contract clauses, including agreements for cross-border data transfers to third parties.
- Where necessary, we will disclose personal data following legitimate requests from the public authorities, including to satisfy requests related to national security or from the security authorities.
- In the event of a conflict between this policy and existing legislation, the standard that provides the greatest protection to individuals will prevail.
- We will promptly address requests associated with individual rights to access, correct, modify or delete any personal information and any objection to the processing of personal data.
- Access, Correction and Deletion – on the basis of Greek legislation, individuals have the right to access personal information about them, and to correct, modify or delete any personal data that is inaccurate, incomplete or obsolete. We will approve all individuals’ requests for access, correction and deletion of personal data. If an application for access, correction or deletion is defined by existing legislation which provides greater protection for individuals, we will ensure that the additional conditions are met according to the legislation.
- Choice – In accordance with the privacy principles of ‘Respect’ and ‘Trust’, we will honour individual privacy-related objections regarding the processing of personal data, including, but not limited to, the choice to opt out of programmes or activities that individuals have previously agreed to participate in, including the processing of personal data about them for direct marketing purposes, communications targeted at them based on personal data and any evaluation or decision-making relating thereto, which has the potential to materially affect them, and involves the use of algorithms or automation.
- Unless prohibited by legislation, we may refuse the choice to opt out where a specific application may hinder the company’s ability to: (1) comply with the law or a moral obligation, including the need to disclose personal data in response to legitimate requests from public authorities, on law enforcement or national security grounds; (2) to investigate, defend or seek legal recourse, and (3) conclude contracts, manage relationships, or engage in other authorised business activities that comply with the principles of transparency and limited purpose, and which were entered into on the basis of personal information about persons associated with them. Within fifteen working days of any decision to reject a request to opt out in accordance with this policy, we will register and communicate the decision to the applicant.
- We will respond in a timely manner and rank all questions related to privacy, complaints, concerns and any privacy or security incident as appropriate.
- Any person whose personal data we process within the scope of this policy may ask questions, complain or express concerns to our company at any time, including applications to supply a list of all our subsidiary companies that are subject to the application of this policy. We expect that our employees and other individuals working on behalf of our company will provide prompt notice if they have reason to believe that an applicable law may prevent them from complying with this policy. Any question, complaint, or concern expressed by an individual or any notice from an employee or other person working on behalf of our company should be addressed to the Data Protection Officer.
- By e-mail
- By post
- By telephone:
- Employees and contractors are required to inform their Data Protection Officer in a timely manner of any questions, complaints or concerns regarding our company’s privacy practices.
- The Data Protection Officer will review and investigate or work with the Legal Department to investigate all inquiries, complaints, or concerns related to our company’s privacy practices, whether received directly from our employees or other individuals or third parties, including, but not limited to, regulatory agencies, responsible officers or other state authorities. We will respond to the person or entity who raised the question, complaint or concern to our company within thirty (30) days, or within a maximum of sixty (60) calendar days, unless a law or an applicant or third party requires a response within a shorter period of time or unless the circumstances, such as a parallel state investigation, require a longer period of time. In this case, the person or applicant or third party will be notified in writing as soon as possible of the general nature of the circumstances contributing to the delay.
- The Data Protection Officer, in cooperation with the Legal Department and the Compliance Department, will work with the privacy regulator in response to any inquiry, inspection or investigation.
- For complaints that cannot be resolved between our company and the person making the complaint, our company has agreed to participate in the following dispute resolution procedures in order to investigate and resolve complaints and settle disputes related to this policy.
- However, persons residing in the EEA, or persons whose personal data is subject to EEA data protection legislation and is transferred outside the EEA, whose data is subject to processing under this policy have, at any time, the right under this policy to impose its terms as eligible third parties, including the right to take legal action to claim damages for the violation of their rights under the policy and the right to receive compensation for damage caused by such breach. Persons residing in the EEA or individuals whose personal data is subject to EEA data protection legislation, where the said data is transferred outside the EEA (for reasons of clarity, including to the US), may seek legal recourse under this policy from the company:
- in the courts or from the data protection authority of the EEA country from which their personal data has been transferred, or
- in the Greek courts or from the Hellenic Data Protection Authority.
- Our company will respond to the person or entity who raises the query, complaint, or concern to our company within thirty (30) calendar days unless a law or applicant or third party requires a response in a shorter period of time or unless the circumstances require a longer period of time, in which case the individual or the third party will be notified in writing.
Terms you need to know
- Changing, abbreviating, eradicating or otherwise restricting or transforming personal data to make it impossible for it to be used to identify, locate or communicate with an individual.
- Legislation. All laws, rules, regulations and enforceable legal rulings in any country in which our company operates or in which personal data is processed by or on behalf of our company.
- Our Company. The company CALIN SA (COMMERCIAL TRADE IN CLOTHING ITEMS).
- Personal Data. All data on an identified or not specifically identified individual, including data that does identify an individual or could be used to identify, locate, track, or contact an individual. Personal Data also includes direct identification information such as name, identity card number, or unique job title, and indirect identification information such as date of birth, unique mobile or wearable device identification number, telephone number or encoded data.
- Processing. Performing any process or series of processes on human data, with or without automated means, including, but not limited to, collection, recording, organisation, storage, access, adaptation, alteration, retrieval, consultation, use, evaluation, analysis, reporting, distribution, disclosure, and dissemination, transmission, sharing, correlation, combination, obstruction, deletion, erasure or destruction.
- Security Incident. Access by an unauthorised person to personal data or disclosure to an unauthorised person or the reasonable suspicion on the part of our company that this has happened. Access to personal data by or on behalf of our company without the intention of violating this policy is not a security incident, provided that such personal information was then used and disclosed only as permitted by this policy.
- Sensitive Information. Any type of data relating to people carrying an intrinsic risk of potential harm to individuals, including data that is legally defined as sensitive, including, but not limited to, health, inherited characteristics, race, ethnic origin, religion, politics or philosophical convictions or beliefs, criminal records, precise geographic location information, bank or other financial account numbers, state registration numbers, indication of minors, sexual preference, membership of trade unions, details of insurance, social security and other employment-related or state benefits.
- Third Party. Any legal entity, organisation or person not belonging to our company, or over whom/which our company has no controlling interest or who/which does not work for our company. Unless expressly specified by this policy, no subsidiary or division of our company is required to meet the requirements of a third party under this policy since all subsidiaries and divisions are required to process information about people in accordance with this policy, including circumstances where one of our subsidiaries provides support for one or more of our subsidiary companies for processing purposes.
Changes to this Policy
This Policy may be amended from time to time according to the requirements of applicable legislation. Whenever there are material changes to this policy a notice will be posted on our company website (www.calin.gr) for 60 days.
25 May 2018