Personal Data Protection Policy
Article 1 – Purpose of the personal data protection policy
At "Evangelia Zimvragoudaki" law practice, hereinafter referred to as the "Practice", we guarantee the protection and respect of the privacy of our clients and other individuals who interact with us, as well as the protection of their personal data. For this reason, within the framework of the applicable national and EU legal framework governing the protection of personal data, in particular the EU General Data Protection Regulation 2016/679 (hereinafter referred to as the GDPR) and Law 4624/2019, our Practice hereby announces this Personal Data Protection Policy, in order to provide you with full information about the personal data it collects and further processes, both when you browse this Website and when we provide our services.
This Personal Data Protection Policy applies to all facilities and/or digital environments belonging to our Practice and related to its activities.
Specifically, the purpose of this Policy is to define the basic principles and rules according to which our Practice collects, stores, and further processes personal data, as defined by applicable law.
This Policy does not, under any circumstances, replace or alter the obligation to maintain attorney-client privilege; on the contrary, it reinforces our Practice's commitment to the best possible protection of the personal data it processes and applies beyond and in parallel with attorney-client privilege. In particular, it should be noted that the confidentiality obligations arising from the principle of security, as specified in particular in Article 32 of the GDPR, converge with the provisions of the Code of Conduct on confidentiality governing the legal profession.
Article 2 – Definitions
For the purposes of understanding this Policy, the following terms have the following meanings:
• "Personal Data": any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• "Special categories of personal data": personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
• "Processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.
• "Controller": the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its appointment may be laid down by Union or Member State law.
• "Processor": the natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
• "Data subject": the natural person whose personal data is being processed, e.g. clients, service users, etc.
• "Existing Legislation": The applicable national and EU legislation on personal data protection, specifically the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR"), Law 4624/2019, Law 3671/2006, the case law of the Court of Justice of the European Union (hereinafter "CJEU"), as well as the Decisions, Guidelines and Opinions of the European Data Protection Board (hereinafter referred to as "EDPB") and the Hellenic Data Protection Authority (hereinafter referred to as "HDPA").
Article 3 – Data collected
Our Practice, within the scope of its activities and in accordance with the regulatory framework of the Lawyers' Code, may collect personal data of our associate lawyers and other associates, of our clients and/or their opponents, and of other natural persons with whom we interact in the course of our legal practice. These persons may be clients and/or opposing parties, their attorneys, external associates, owners of sole proprietorships, legal or other representatives of legal entities, employees or third parties, and, in general, associates with whom the Practice deals.
Specifically, the information collected directly or indirectly may include name, surname, father's name, mother's name, year of birth, place of birth, gender, nationality, home address, place of work, email address, contact telephone and fax numbers, passport number, identity card number (ADT), Tax Identification Number (AFM), Professional Registration Number (if applicable), Social Security Number (AMKA) and other insurance fund registration information, bank account number and/or credit/debit card details, data relating to family status, education and professional training details, data included in case files, legal documents and court decisions, as well as any other information related to our clients' cases.
Furthermore, it is possible that this data may not always belong to parties directly involved with our Practice, but also to third parties, whether adversaries or not (e.g., family members of a client or employee or adversary, information about their children, etc.) to the extent that this is necessary for the provision of legal services and the fulfilment of the relevant processing purposes.
Article 4 – Special Categories of Personal Data
On a case-by-case basis, in the context of handling cases and always within the framework of the exercise of the legal profession, our Practice may collect and further process data belonging to special categories of personal data, such as health data (medical records, diagnoses, opinions, disabilities), as well as data relating to criminal convictions and offences or related security measures, and other related judicial data.
Article 5 – Data of minors
In accordance with the applicable legal framework, our Practice may collect and further process personal data of minors (i.e. persons under the age of 18), either directly or indirectly through their parents and guardians or those with parental responsibility, or even through third parties, always in the context of handling case files and cases.
However, given that it is impossible to always verify the age of persons entering or using our Practice's website, parents and guardians of minors are advised to contact us directly if they discover any unauthorized disclosure of data by minors for whom they are responsible, in order to exercise their rights, such as the right to have their data deleted.
Article 6 – Method of collecting and storing personal data
Our Practice uses multiple physical and/or digital communication channels to collect the required and necessary personal data, such as, indicatively, case files, e-mail, telephone conferences and communications, etc.
The personal data in question may be incorporated into physical and/or electronic files that constitute supporting documents and, in general, documents that are necessary for the compilation of case files, which are provided to our Practice either directly by our clients or indirectly through access to case files (e.g., copies of opposing parties' pleadings, criminal case documents, etc.).
In addition to the above, personal data may also be collected from other sources, such as public services and authorities (e.g., Land Registry, Land Cadaster, Tax Office, EFKA), registers and databases (such as General Commercial Register, Teiresias), as well as other publicly accessible sources, such as company websites, official announcements, press releases, and online publications. This information is collected to the extent necessary to substantiate and support the legal actions or positions of our clients and to the extent permitted by the applicable legal and regulatory framework.
The personal data provided to our Practice is stored in secure physical and/or digital spaces with restricted access by authorized personnel and associates, such as, indicatively, lockable cabinets, as well as electronic files and protected dedicated servers of the Practice, respectively.
Article 7 – Purposes of Processing
Our Practice's activity consists of providing legal services and Data Protection Officer services in general.
In this context, our Practice may collect and process personal data in order to:
1. Represent and defend its clients in any court, authority, or service, or in out-of-court settlements
2. Provide legal advice and opinions
3. Participate in established Greek or international bodies, and
4. Provide Data Protection Officer services.
Furthermore, our Practice, in the context of fulfilling its employer obligations, collects and processes the personal data of its employees, while at the same time collecting and processing the personal data of its associates in general in the context of the transactional relationships it develops.
Our Practice also informs you that:
This Website does not use cookies and does not engage in any tracking or data collection through them.
No automated decision-making, including profiling, is carried out.
Article 8 – Legal bases for processing
The processing of personal data made available to our Practice takes place:
1. within the framework of each mandate given to us to represent and defend the rights and interests of our clients,
2. within the framework of fulfilling contractual terms for the provision of legal services or Data Protection Officer services,
3. in the context of compliance with a legal obligation, and
4. in the context of defending the legitimate interests of our Practice or its clients and associates.
In cases of processing special categories of personal data, our Practice carries out the processing necessary to establish, exercise, or defend the legal claims of our clients or associates.
Article 9 – Transfer to Third Parties
Personal data collected and processed by our Practice may be transferred to third-party recipients when this is necessary for the fulfillment of the respective processing purposes and/or when required by the applicable legal and regulatory framework. Such recipients may be, as the case may be:
• Processors acting on behalf of the Practice, such as cloud service providers (e.g., Microsoft), providers of invoicing and interconnection software with the Independent Public Revenue Authority (AADE), and providers of technical support and maintenance of information systems.
• External partners (such as translators, experts, bailiffs, accountants, technical consultants), who are bound to our Practice to ensure confidentiality and all obligations provided for by national and EU legislation on the protection of personal data.
• Notaries and mediators, in the exercise of their lawful duties and to the extent necessary to support your case.
• Judicial, administrative, and prosecuting authorities, as well as regulatory, supervisory, or independent authorities, in the exercise of their legal duties and responsibilities.
Data transfer is carried out in accordance with the principles of necessity, proportionality, and data minimization, and always subject to the condition that the confidentiality and security of the information is ensured.
Article 10 – Transfer of Personal Data outside the EEA
In principle, our Practice does not transfer your personal data to third countries and/or international organizations (outside the EEA).
In the event that the transfer concerns a country outside the European Union (EU) or the European Economic Area (EEA), the Practice must verify whether:
• The Commission has issued an adequacy decision for the third country to which the transfer will be made.
• Appropriate safeguards are in place in accordance with the GDPR for the transfer of such data.
Otherwise, the transfer to a third country is prohibited and the Practice may not transfer personal data to it, unless one of the specific derogations provided for in the GDPR applies (e.g. the data subject's explicit consent and information about the risks involved in the transfer, the transfer is necessary for the performance of a contract at the request of the data subject, there are reasons of public interest, it is necessary to support legal claims and vital interests of the data subjects, etc.).
Article 11 – Data Retention Period
The personal data we collect in the course of our business is retained for a predetermined and limited period of time, depending on the purpose of its processing. In particular, the data is kept for as long as necessary to complete the assignment or legal case entrusted to us, and in any case its retention does not exceed the applicable limitation periods and time limits provided for by applicable law. After these periods have elapsed, the data is deleted in a secure manner, unless otherwise provided or permitted by more specific provisions.
Similarly, data relating to employees, associates, or other personnel of our Practice shall be retained for as long as our professional or employment relationship lasts, as well as for as long as necessary to fulfill the obligations arising from labor, tax, insurance, and other relevant legislation. After the expiry of the relevant legal deadlines, the data is deleted in a secure manner, unless there is a legitimate reason for its further retention.
The above periods are extended in the event of a dispute, exercise, establishment and/or support of legal claims and, in general, legal actions until the issuance of a final court decision or other definitive resolution of the dispute.
The data will be deleted when the data subject requests it.
Article 12 – Disclaimer for Third Party Websites
The Practice's website may provide links that redirect visitors to third party websites. The Practice does not control these third-party websites and is not responsible for the content posted on them or on further links appearing on them. The Practice is not responsible for the privacy practices of third parties or for the content of third-party websites.
Article 13 – Rights of Data Subjects
In addition to strictly observing attorney-client privilege, the Practice ensures that data subjects can exercise their rights under applicable personal data protection legislation. These rights are as follows:
1. The right of access to data.
2. The right to rectify data.
3. The right to erase data ("right to be forgotten").
4. The right to restrict data processing.
5. The right to withdraw consent where processing is based on consent.
6. The right to data portability, and
7. The right to object to the processing of data.
Where provided for by the GDPR, our Practice may refuse to comply in whole or in part with your request relating to your personal data.
In the event that any of the above rights are exercised, our Practice will respond within one month of receiving the request and verifying your identity. This deadline may be extended by two (2) additional months, if necessary, if the request is complex or there are a large number of requests. In this case, our Practice will inform you of the reasons for the delay within one month of receiving the request. Also, within the above time frame, our Practice will duly inform you in case of any refusal to satisfy your request in whole or in part, as well as the reasons for the refusal.
If your request is submitted electronically, you will be informed, if possible, by electronic means, unless you request otherwise.
Article 14 – Exercising your rights
If you wish to exercise your rights under current legislation, as described above, you can submit your request marked "PRIVACY" by email to: info@zimvragoudaki-law.gr.
Furthermore, if you believe that any of your rights regarding the protection of your personal data have been violated, or if you have any complaints regarding this, you have the right to contact the competent supervisory authority, namely the Hellenic Data Protection Authority (HDPA) (www.dpa.gr).
Article 15 – Updates to the Privacy Policy
Our Practice may amend this Privacy Policy from time to time to comply with regulatory changes. Updated versions of this Personal Data Protection Policy will be posted on our Practice's website with a date indication so that it is clear which is the most recently updated version.
