PERSONAL DATA MANAGEMENT SYSTEM POLICY

IN ACCORDANCE WITH EUROPEAN REGULATION 2016/679 (GDPR)

Version #1 – May 2018

INTRODUCTION

We are a company that operates with a strong sense of responsibility and respect for the principles of Business Ethics and Corporate Responsibility. Within this framework, we place particular importance on the Protection of Personal Data, especially since our activities require the processing of personal data belonging to children.

This document has been prepared as part of the company’s compliance process ahead of the implementation of the General Data Protection Regulation (EU 2016/679 – GDPR), effective as of 25/05/2018.

OUR PERSONAL DATA PROTECTION POLICY

  1. The importance of Personal Data Protection (PDP)

Personal Data Protection is of high importance for the following reasons:

a) Legal compliance of the company
b) Adoption of business ethics principles
c) Ensuring the smooth operation of the business and customer service
d) Safeguarding corporate reputation
e) Avoidance of financial losses

  2. Scope of Personal Data Protection

Personal Data Protection covers all information (full name, social security number, age, address, telephone, email, etc.) relating to natural persons associated with our business in various capacities, such as:

a) Camper (minor)
b) Parent/guardian of the camper
c) Employee / associate
d) Job applicant
e) Supplier

  3. GDPR Preparation and Compliance

To ensure proper preparation and compliance with GDPR, we have decided to engage a specialized Data Privacy & Protection consultant who will:

a) Evaluate the personal data management environment
b) Recommend corrective/improvement measures regarding data subject information, consent collection where required, and data security
c) Develop training material for staff
d) Establish the company’s Personal Data Register
e) Draft an action plan in case of a personal data breach

  4. Lawful Processing and Employee Obligations

The company is committed to the lawful processing of employees’ personal data, with transparency, for specific purposes, and with respect for data subjects’ access rights. The company avoids collecting unnecessary personal data, especially sensitive data.

Employees, as “data subjects,” explicitly consent:

a) To the processing of their personal data necessary for the lawful execution of contractual obligations, compliance with the ISO 22000 quality system, and communication with them

b) To the free use of their image, voice, and work produced in the context of their professional collaboration with the company, for the promotion of the company’s brand, image, and activities

Furthermore, employees, acting as “data controllers” and/or “data processors,” commit to:

a) Strictly maintaining confidentiality regarding any data or information in their work environment
b) Fully complying with the company’s personal data protection policy

  5. GDPR Principles in Practice

The company implements GDPR principles by:

a) Always ensuring the consent of parents or legal guardians of children hosted in its facilities
b) Collecting only strictly necessary data
c) Ensuring the accuracy of collected data
d) Clearly explaining the purpose of data collection
e) Processing data only for a specific period and solely for the intended purpose
f) Ensuring confidentiality, integrity, and availability of data

Within this framework, the company fully respects the rights of individuals by providing the ability to:

a) Request access to personal data under processing
b) Request correction of personal data
c) Request restriction of processing
d) Withdraw consent and request deletion of personal data
e) File a complaint with the competent Independent Authority

  6. Contracts and Third Parties

The company will adapt its contracts with employees and external partners/suppliers to ensure the implementation of Personal Data Protection measures in accordance with GDPR.

CONCLUSION

This Policy document is subject to review and possible revision depending on conditions that may arise from:

a) Any provisions or specifications of the GDPR incorporated into national legislation
b) Decisions of the Hellenic Data Protection Authority
c) Best practices adopted by companies or institutional bodies providing services to children
d) Potential changes in the scale and nature of business activities