Compliance with General Data Protection Regulation

General description of the procedures for the protection of personal data, for the implementation of the

For the purposes of this technical offer, the terms “Personal Data”, “Data Subject”, “Data Controller”, “Data Processor”, “Processor”, “Processing”, “Supervisory Authority”, “Third Parties” and “Recipients” shall be interpreted in accordance with the General Data Protection Regulation (EU) 2016/679 (hereinafter “the Regulation”) and applicable national legislation.

In particular:

“Data subject” means a natural person to whom the data refer and whose identity can be directly or indirectly identified, in particular by reference to an identification number or to one or more factors specific to his or her physical, biological, mental, economic, cultural, political or social identity.

“Personal data” (hereinafter “personal data”) is any information relating to the data subject. Aggregated data of a statistical nature, from which the data subjects can no longer be identified, shall not be regarded as personal data.

“Sensitive data” means data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, social welfare, sexual life or sexual orientation, participation in associations/unions of persons related to the above, as well as data relating to criminal prosecutions or convictions. Also included are genetic and biometric data, for the purpose of unambiguous identification of a person.

“Controller” means the natural or legal person who determines the purpose and manner of processing of personal data, in this case the Company.

“Processor” is any natural or legal person who processes personal data on behalf of the Controller.

“Processing of personal data” means any operation which is performed on personal data, such as collection, recording, organisation, storage or retention, alteration, extraction, use, disclosure, transmission, dissemination, alignment or combination, interlinking, blocking, erasure, destruction.

“Profiling” is any form of automated processing consisting of the use of personal data to evaluate certain personal aspects of a natural person, in particular to analyse/predict aspects relating to the job performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements of a natural person.

“Personal data breach” means a breach of security leading to the accidental or malicious destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transferred, stored or otherwise processed.

The processing of Personal Data includes the following categories of Personal Data:

  • Identification data: first name, surname, date of birth, place of residence, place of work, nationality, identity card or passport number, AMKA, VAT number, employment status, email, etc.
  • Financial data: bank account number, income shown in tax returns or tax statements from tax authorities, individual insurance account, etc.

The data collected by the “Subcontractor – Processor” are stored in a secure and structured electronic and physical file. The purposes of storage are:

  • data security,
  • compliance with labour laws and all kinds of labour and insurance legislation,
  • completion of the implementation of the action,
  • insurance coverage of beneficiaries (in accordance with the legislation in force).

Support for information on collected data

During the implementation of a training project, user data are collected which constitute the respective Registers (Trainees, Trainers, etc.), but also data that are entered during the implementation of the individual actions of the project (results of training processes, etc.). The effective protection of users’ personal data is considered a matter of utmost importance both operationally and as an obligation to comply with the regulations and principles set out in the New General Data Protection Regulation of the European Union (2016/679) – (GDPR).

The system will provide functions that give each user immediate information regarding the data collected. The information will be absolutely clear for users, comprehensive, and will cover:

  • The type and amount of data collected per project phase
  • The reason for collecting the data
  • How the data is used
  • Any processing of the data
  • The duration of data retention within the system
  • Any transfers made to third parties and the type of processing to be carried out by them

The system will provide functions that give each user direct information on the terms of use of the integrated information system and any of its sub-systems.

The system will provide functionality that gives each user immediate information regarding any additional data that may be collected during the training processes.

The above updates will be displayed via appropriately designed and easily accessible screens.

Support for recording consent to data collection

The system provides functions to record and log the consent of each user, separately for each of the following:

  • The collection and management of data that he/she enters into the system
  • The collection and management of data entered into the system by third party users/processors (partners of the candidate Contractor, e.g. project coordinators)
  • The collection and management of data resulting from users’ participation in training activities.

The system will inform the user in a clear way about which data is required to be retained in the context of the project, and the period of time for which it will be retained.

After the user is informed, he/she is invited to submit his/her consent by selecting the corresponding opt-in button in the system interface. The user’s choice (consent) is recorded and stored.

Data access/processing/portability support

  • The system will provide clear instructions to users on how to access the personal data collected and entered in the information system.
  • The system will provide clear instructions to users on what data they can process in the context of the project and how this is possible.
  • The system will provide clear instructions to users on how to extract the data collected during project implementation.

The above updates will be displayed via appropriately designed and easily accessible screens.

Support for the implementation of password security policies

The system shall support at least the following functions:

  • Password complexity policy. For example: definition of a minimum number of characters, requirement for inclusion of special characters, requirement for inclusion of uppercase characters, requirement for inclusion of numeric characters.
  • Random password generation in accordance with the complexity policy, without the intervention of a natural person (administrator)
  • Password reset procedures without a password reminder and without the intervention of a natural person (administrator), through automated sending of relevant messages
  • Mandatory password change procedures (e.g. at the user’s 1st login to the system)

Intra-system support for data access control procedures

The system supports multiple levels of access to its data (viewing and editing). These levels are defined by graded and differentiated access rights to functionalities and data, in accordance with the principle of data minimisation. Each user category (system role) is associated with one or more access levels.

The system fully adopts a role- and permission-based architecture. In more detail:

  • Each role created in the system is associated with a set of permissions
  • Permissions determine the ability to run specific system processes and the ability to view or export specific data.
  • As a result, access to individual system functions and data is fully controlled and classified based on system roles.
  • Furthermore, the “permissions” associated with each system role can be configured.

Finally, a user can have more than one role. For example, a coordinator of a group of trainers may be a trainer himself. In this case, the user can switch roles without having to log out of the system and log in with other credentials. When the role is switched, the system interface is modified accordingly so that the corresponding menus, data, etc. are displayed.
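The role switching and permission model described above, as an added example that is not the system's own code; the role names, permission names, the decorator and the choice of the least-privileged held role as the default are assumptions made here:

```python
from dataclasses import dataclass
from functools import wraps

# Role and permission names are constructed for this example; the page defines none.
ROLE_PERMISSIONS = {
    "trainee": {"view_own_profile", "view_own_results"},
    "trainer": {"view_own_profile", "view_group_results", "edit_results"},
    "coordinator": {"view_own_profile", "view_group_results", "export_group_data", "assign_trainers"},
}


@dataclass
class Session:
    """One login session; the user may hold several roles but acts under one at a time."""
    username: str
    roles: frozenset
    active_role: str = ""

    def __post_init__(self):
        if not self.roles or not self.roles <= set(ROLE_PERMISSIONS):
            raise ValueError(f"unknown roles for {self.username}")
        if not self.active_role:  # default to the least-privileged held role
            self.active_role = min(self.roles, key=lambda r: len(ROLE_PERMISSIONS[r]))

    def switch_role(self, role):
        """Change the acting role in place, without logging out; only held roles are allowed."""
        if role not in self.roles:
            raise PermissionError(f"{self.username} does not hold role {role!r}")
        self.active_role = role

    def permissions(self):
        """Effective permissions come from the active role only, not the union of all roles."""
        return frozenset(ROLE_PERMISSIONS[self.active_role])


def requires(permission):
    """Guard a system function so it runs only when the active role grants the permission."""
    def decorator(func):
        @wraps(func)
        def wrapper(session, *args, **kwargs):
            if permission not in session.permissions():
                raise PermissionError(f"role {session.active_role!r} lacks {permission!r}")
            return func(session, *args, **kwargs)
        return wrapper
    return decorator


@requires("export_group_data")
def export_group_data(session, group):
    return f"export of {group} by {session.username} as {session.active_role}"
```

The interface would render its menus from `permissions()` of the active role, so switching roles changes what is shown without a new login.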

Secure channel: SSL/TLS – HTTPS security protocol (SSL/TLS certificate)

During the implementation of a Training and Certification project, user data are collected, which constitute respective “groups” of users (Beneficiaries, Trainers), but also data that are entered during the implementation of the Project Activities (participation in e-courses, results of evaluations, etc.).

The effective protection of users’ personal data is considered a matter of utmost importance both operationally and as an obligation to comply with the regulations and principles set out in the New General Data Protection Regulation of the European Union (2016/679) – (GDPR).

The integrated information system shall provide the following relevant functionalities:

  • It supports fully classified access to specific data and its functions. As a general principle, access is fully controlled based on the system role of users. The role of the user in the information system precisely defines the permissions he/she has, and in this way both the availability of individual functions and the ability to view data groups are controlled. The principle followed in each case is that of minimising as far as possible the access to and processing of data.
  • It supports the minimum requirement for a mandatory user password change at the 1st login, as well as varying levels of complexity in user passwords. In this way, it is possible to set rules that define:
      • the minimum number of characters in the password
      • the requirement to include uppercase and lowercase characters
      • the requirement to use digits
      • the requirement to use special characters (e.g. @#!$%), etc.

The information system also supports:

  • secure password change procedures (at will and without the mediation of a system administrator)
  • procedures for reminding and securely changing the password (through a fully automated process which includes procedures for sending relevant information messages)

The mandatory password change at the 1st login proceeds as follows:

  • The user is authenticated using an initial password.
  • On their first successful login, the information system environment informs them that they are required to change their password.
  • The user enters a password of their preference (in line with the password complexity policy mentioned above).
  • The user profile is updated with the new password.
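The password policy functions from the earlier section (complexity rules, random generation, forced change at the 1st login) and the first-login procedure just described, as one added example that is not the system's own code; the minimum length, the special-character set, salted PBKDF2 storage and the function names are assumptions made here:

```python
import hashlib
import secrets
import string

# Policy values here are assumptions; the page names only the kinds of rules.
MIN_LENGTH = 12
SPECIAL = "@#!$%"  # the special characters the page gives as examples
RULES = {
    "min_length": lambda pw: len(pw) >= MIN_LENGTH,
    "upper": lambda pw: any(c.isupper() for c in pw),
    "digit": lambda pw: any(c.isdigit() for c in pw),
    "special": lambda pw: any(c in SPECIAL for c in pw),
}

def check_password(pw):
    """Return the names of the rules the password violates (empty list = compliant)."""
    return [name for name, ok in RULES.items() if not ok(pw)]

def generate_password():
    """Random password from the OS CSPRNG, resampled until it satisfies every rule."""
    alphabet = string.ascii_letters + string.digits + SPECIAL
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(MIN_LENGTH))
        if not check_password(pw):
            return pw

def _digest(pw, salt):  # passwords are stored only as salted PBKDF2 digests
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

class Account:
    def __init__(self, username, password, must_change):
        self.username, self.must_change = username, must_change
        self.salt = secrets.token_bytes(16)
        self.digest = _digest(password, self.salt)

    def login(self, pw):  # "change_required" enforces the change at the 1st login
        if not secrets.compare_digest(_digest(pw, self.salt), self.digest):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, old, new):
        if self.login(old) == "denied" or check_password(new):
            return False
        self.salt, self.must_change = secrets.token_bytes(16), False
        self.digest = _digest(new, self.salt)
        return True

def issue_account(username):  # initial password is generated, never chosen by an administrator
    initial = generate_password()
    return Account(username, initial, must_change=True), initial
```

The initial password returned by `issue_account` is what the automated message would carry to the user; the account itself never holds it in clear.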

All communications, logins and file exchanges will take place over a secure SSL/TLS channel. The domain of the information system uses the HTTPS security protocol (SSL/TLS certificate), which is used for all accesses to the database. The SSL/TLS provider is an internationally recognized provider of secure web transit solutions with years of proven experience in digital security.

A two-factor authentication function is implemented for all user roles, using a password and a confirmation code sent via e-mail.
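The e-mail confirmation code step described above, as an added example that is not the system's own code; the code length, validity window, attempt limit and the injectable clock are assumptions made here:

```python
import hmac
import secrets
import time

# The following values are assumptions for this example; the page fixes none of them.
CODE_LENGTH = 6         # digits in the e-mailed confirmation code
CODE_TTL_SECONDS = 300  # how long a code stays valid after it is issued
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is discarded


class EmailSecondFactor:
    """Second login step: a one-time code, sent by e-mail once the password was accepted."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested deterministically
        self._pending = {}       # username -> [code, expires_at, attempts_left]

    def issue(self, username):
        """Create a fresh code for the user; the caller e-mails it to the registered address."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[username] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # issuing again replaces any earlier, still-pending code

    def verify(self, username, submitted):
        """True only for the current, unexpired code; the code is single-use and guess-limited."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[username]
            return False
        matches = (isinstance(submitted, str) and submitted.isascii()
                   and hmac.compare_digest(code, submitted))  # constant-time comparison
        if not matches:
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[username]
            return False
        del self._pending[username]  # single use
        return True
```

The code is only issued after the password step has succeeded, so a wrong password never triggers an e-mail.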

Monitoring the operation of the system

The operation of the information system is monitored 24/7 in terms of performance and security events (network performance management, network analysis, intrusion detection and protection) through an appropriate application, service and/or infrastructure. This functionality is offered through SolarWinds tools, more specifically SolarWinds Network Performance Monitor, Network Bandwidth Analyzer Pack and Network Security Event Manager.

In addition, it is noted that the network support and hosting infrastructure provided under the project – apart from ensuring the uninterrupted availability of the systems – provides increased protection against malicious attacks that may lead to unauthorized access to data of the information system.

The infrastructure offered includes:

  • Adequate computing resources – physical or virtual machines – to ensure the privacy, integrity, availability and reliability of systems and processing services on an ongoing basis.
  • Network firewall infrastructure and IDS & IPS (Intrusion Detection System, Intrusion Protection System).