Information Notice on the processing of Personal Data of Candidate
This notice concerns the processing of your personal data by the companies of ATHEXGROUP and specifically by the parent company “HELLENIC EXCHANGES – ATHENS STOCK EXCHANGE S.A.” (hereinafter “ATHEX”) or its subsidiaries “HELLENIC CENTRAL SECURITIES DEPOSITORY S.A.” (hereinafter “ATHEXCSD”) and “ATHENS EXCHANGE CLEARING HOUSE S.A.” (hereinafter “ATHEXCLEAR”) (together hereinafter referred to as “the companies”), following an expression of interest on your part to work at one of the companies of the Group and the submission of your details via the respective electronic platform. Please read this notice in order to be informed in detail about the terms of processing your data:
I. Data controller
Depending on the position for which you have submitted your application, ATHEX, ATHEXCSD or ATHEXCLEAR will be the controller of the personal data that are subject to processing in the framework of the personnel recruitment process for taking up employment at one of the companies. The registered seat of the companies is in Athens, at 110 Athinon Ave., postal code 104 42, contact telephone number: +30 210 33 66 800, e-mail: protocol@athexgroup.gr.
II. Purpose of processing & Collection of personal data
In the framework of recruitment, the companies process personal data which they collect directly from you, through submission to the companies of your resume (e.g., full name, contact details, work experience, academic background, competencies, and skills), interviews, and the carrying out of relevant tests (competencies/knowledge/professional conduct) where necessary. Your data may also be collected during our “chat” on the electronic platform when you submit questions seeking clarification or additional information.
Lastly, your data, relating to your previous work experience and conduct, may be collected from references you have provided us with.
The companies collect and process personal data exclusively for the purpose of assessing your candidacy and evaluating your suitability for the position in which you are interested.
You may also opt for details of your resume to be transmitted automatically to us from other sources such as Facebook or LinkedIn.
Moreover, basic details (such as full name, contact details) and details of your resume may be received by partner educational institutions in the framework of our participation in traineeship programmes for students.
III. Legal basis for processing the data
The legal basis for the processing that is carried out in pursuit of the aforementioned purpose is the fact that the processing of your data is necessary in order to take steps at your request prior to entering into an employment contract (par. 1 (b), article 6, Regulation (EU) 2016/679 [GDPR]).
IV. Recipients of personal data
The companies shall ensure that your personal data are processed solely by their necessary, in each case, personnel who have been properly informed regarding the secure processing of your personal data.
In addition, a recipient of your data is the company “Teamtailor AB”, which provides, operates, and supports the electronic platform for the collection and storage of your data. The aforesaid company acts as in the capacity of processor of your personal data and is contractually bound not only to comply with all necessary rules on the protection of personal data but also to ensure that your personal data are processed in the strictest confidence and solely on the instructions and for the purposes of the Controller.
Recipients of your personal data also include natural and legal persons, to which the companies assign the performance of specific tasks on their behalf, such as collaborating companies that provide skill-testing tools, which also act as processors.
The aforesaid persons, acting in the capacity of personal data processor, have been informed and committed themselves in advance to confidentiality in respect of your data, are fully aware of and follow our instructions regarding the processing of personal data, and take all appropriate measures to ensure protection of the data.
V.Transfers of data to countries outside the European Economic Area (EEA) or international organizations
Your personal data may be transferred outside the EEA and stored with cloud service providers whose registered seat may be in the USA. These are partners of the company Teamtailor, which provides, operates, and supports the electronic platform for the collection and storage of your data and has taken the necessary measures to ensure that the transfer of data is subject to appropriate guarantees.
More specifically, the aforesaid transfers are subject to Standard Contractual Clauses (SCCs) for the cross-border transfer of personal data, which have been signed and are in effect. Furthermore, in compliance with the Schrems II judgment of the European Court of Justice, a Transfer Impact Assessment (TIA) has been carried out and additional safeguards have been put in place to ensure the security of your data during transfer.
VI. Profiling and automated decision-making
In the framework of tests of professional conduct by means of online tools, a profile of you may be created and in particular, an evaluation may be made of certain aspects relating to your professional conduct or skills.
In the framework of the aforesaid profile creation, automated means of processing may also be used. Despite this, however, any automated processing does not lead to automated decision-making with regard to your hiring or not. The final assessment is always carried out by our competent personnel, based on all the parameters envisioned for the position.
The conducting of tests, where necessary, may be a requirement for the conclusion of a contract, and in particular so that the companies can take into account, in the framework of the overall recruitment process, your suitability for the job in which you have expressed interest.
VII. Data retention period
Your personal data are retained only for the reasonable period of time necessitated by the nature of their processing and only for as long as necessary to achieve its purpose. More specifically, your data are retained for the duration of the selection process, and for an additional one (1) year, so that they may be reassessed in the event that a similar position opens up which fits your profile. If your resume has been submitted without a specific post being advertised, it will be retained for one (1) year. At the end of the aforesaid period, and after you have been asked whether you wish your data to be retained for an additional period, the data will either be deleted or retained for a further year, depending on your choice.
VIII. Rights of data subjects
In accordance with the provisions of Regulation (EU) 2016/679(GDPR), as a data subject, you have the following rights, which may be exercised as appropriate:
● Right to access your personal data
● Right to correct and/or update your data
● Right to deletion/right to be forgotten
● Right to restrict processing
● Right to data portability
IX. Exercise of rights
If you wish to receive further information about the processing of your personal data, you can contact the companies either in writing at: Athens Exchange S.A., 110 Athinon Ave., 104 42 Athens, for the attention of: Data Protection Officer (DPO), or by e-mail addressed to the Data Protection Officer (DPO) of the Company at: dataprotectionofficer@athexgroup.gr.
We shall reply to your request within one (1) month of its receipt and at no cost to you. This time limit may be extended for a period of two (2) more months, due to the complexity or number of requests, in which case you will be notified regarding the extension and the reasons for it at the earliest and by no later than one month after receiving the request.
X. Security of personal data
The companies implement an information security management system and take appropriate organizational and technical measures to ensure secrecy, the security of data processing, and the protection of data from any accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, as well as from all inappropriate forms of processing. In this respect, the authorized personnel of the companies have received the appropriate training and guidance.
XI. Submission of complaints
If you believe that: a) any request submitted by you has not been adequately and legally satisfied, or b) your right to personal data protection is being breached by any processing that we carry out, you have the right to submit a complaint to the Hellenic Data Protection Authority (postal address: 1-3 Kifissias Ave., 115 23, Athens, https://www.dpa.gr/, tel. 210 6475600, e-mail: contact@dpa.gr).
