Personal Data Protection Policy - ORFIUM Music Rights

Purpose of the Protection Policy

The protection of your personal data is a commitment undertaken by ORFIUM Music Rights Greece. We take into serious consideration the necessity of protecting both your privacy and your personal data, and to this end, we focus our constant efforts on fully complying with all existing data processing rules, pursuant to the imperatives defined by European and Greek law.
The present policy provides every necessary information with regard to the data we process, the purpose and the legal basis of the processing, the duration of data storage, your rights relevant to the processing of your data and the way to exercise them, the terms and conditions put into force for the valid granting of your consent regarding the processing of your data, the legitimate interests the company is aiming to secure, as well as its cookies policy

Abidance of the basic principles of lawful processing

The present Personal Data Protection Policy dispenses extensive and thorough information on the kind of personal data collected by ORFIUM Music Rights Greece and aims at the compliance of the Company with the basic principles governing the processing of Personal Data, the respect towards the rights of physical persons and the ensuring that all Personal Data in its possession are:

collected for determined, explicit and lawful purposes,
submitted to processing solely to serve the purposes for which they have been collected or/and for legal and reglementary reasons or/and for the defense of the Company’s legitimate interest,
appropriate and pertinent to the determined purposes, as well as restricted to the bare minimum,
submitted to lawful processing in compliance with the rights of the physical persons
are accurate and updated when and as prescribed,
are not conserved for a wider period of time that the one required for the determined purpose of the processing or/and for the compliance of the company to its legal and reglementary obligations,
any transmission to third parties is carried out only on the condition that a sufficient level of protection is guaranteed,
are safeguarded with security so as to prevent any unauthorized or illegal processing or eventual loss, destruction or degeneration.

Within the framework of the abidance of the above-mentioned data processing principles, ORFIUM Music Rights Greece has put into force a variety of technical and organizational measures constantly updated and adjusted according to the existing international optimization practices, while implementing a series of internal security policies. In addition, its workforce is properly and incessantly trained with regard to the abidance of the above-mentioned principles of lawful data processing. Moreover, the latest technology is employed to ensure the confidentiality of your communication with our company, as well as the protection of your personal data (collaboration with internationally acclaimed and certified hosting providers, SSL certificates, data encryption).

Data processing officer

The anonymous company with the registered brand name “ORFIUM GREECE SINGLE-MEMBER S.A.” and the distinctive title “ORFIUM MUSIC RIGHTS GREECE”, seated in Athens, in 103, Kallirois str, with VAT Registration number 801380551 and Number of General Registry 155579901000, as lawfully represented, phone number: 210 922 89 95, operating as an Independent Management Entity (henceforth: IME) as defined in the Law 4481/2017 and the Directive 2014/26/EU, is appointed as data processing officer. The company’s stated business object is the management and protection of copyright for musical works on behalf of more than one holders, for their collective benefit.

Data protection officer

The company “Advanced Quality Services Ltd.”, seated in Agios Stephanos, Attiki, in 1A Sarantaporou & Tyrnavou str., postal code: 145 65, phone number: 210 6216997 and e-mail: dpo@orfiummusicrights.gr, is appointed as data protection officer.

Definitions

“Personal Data”: Any information pertaining to an identified or identifiable physical person (“Data Subject”). An identifiable physical person is defined as person whose identity can ascertained, directly or indirectly, in particular through a reference to an identifying element such as name or surname, location data, online identifiers or one or more features that appertain to the physical, physiological, psychological, financial, cultural or social identity of the specified physical person.

“Special categories of personal data”: Personal data indicative of the racial or ethnotic origin, the political views, the religious of philosophical convictions or the participation to a workers’ union, as well as the processing of genetic data, of biometric data as a means for the indisputable identification of a person, of medically relevant data, or of data pertaining to the sexual activity and orientation of a physical person.

“Data processing”: Any action or series of actions carried out with or without the use of automated means, affecting personal data or sums of personal data, such as the collection, registration, organization, classification, storage, adjustment of data, or the modification, retrieval, search for information, use, disclosure through transmission, dissemination or any other form of disposal of data, the correlation or combination of data, the restriction, the erasure or the destruction of data.

“Profiling”: Any form of automated personal data processing consisting in the use of personal data for the evaluation of personal aspects of a physical person, in particular for the analysis or the prediction of character aspects that pertain the physical person’s work efficiency, financial status, health record, personal preferences, interests, credibility, behavior patterns, current location or relocations.

“Data Processing Officer”: The physical or legal person, the public authority or service or any other entity that, singly or jointly with others, defines the purposes and the mode of personal data processing.

“Data Processing Performer”: The physical or legal person, the public authority or service or any other entity that processes personal data on behalf of the data processing officer.

“Recipient of Data”: The physical or legal person, the public authority or service or any other entity to whom personal data are disclosed, whether it is a third party or not.

“Consent” (granted by the Data Subject): Any free-willed, precise, explicit and fully conscious indication of volition, through which the Data Subject expresses agreement, via a declaration or a definite confirmatory action, to the processing of the pertinent personal data.

“Breach of Personal Data”: The breach of security that leads either to an illegal destruction, loss, modification, unauthorized disclosure or access to personal data that have been transmitted, stored or submitted to processing in any other way.

Personal Data collected by ORFIUM Music Rights Greece
Due to its nature, activities, and business object, ORFIUM Music Rights Greece is likely to collect one or more of the below-mentioned data categories:

The following personal data are required if you wish to communicate with us through the website’s contact form and/or by receiving our informational bulletin, when signing up for the correspondent service: name and surname, e-mail. The standard procedure is to collect and process your personal data only upon explicit consent granted by a confirmatory action through the contact form available on our website. However, internet’s nature and modus operandi dictate the deviation from the rule in the following two cases: a) Data collected through the use of cookies (detailed information to this matter can be found on the cookies policy section of our website, which is an integral part of the present personal data protection policy, b) Data automatically collected during your navigation on our website, and more specifically your IP address, as well as the exact date and time of your connection to our website, stored in log files, with the purpose of both preserving the safety of information from random events or malicious actions that are likely to harm the availability, the authenticity, the integrity and the confidentiality of the stored or transmitted data, and backing up any legal claims that might occur.
Name and surname, contact info, as well as details on the musical works etc., are required for the purpose of copyright management of musical works.
Personal data and info that pertain exclusively to the employment relationship with our company, which include, among others, ID and contact info, permits, evaluation, payroll and general financial details, as well as medical data, related to our company’s compliance with the labor and insurance laws.
During your navigation on our website: The kind of device (PC, tablet, mobile phone) and the type of browser you are using, your IP address, the geographical location and the operating system of your device, the duration of your navigation and the frequency of visits on our website.
Upon your signing up on our website for the purpose of creating a personal account: Name and surname, e-mail, postal address, contact number (landline or/and mobile).

Cookies

In order to facilitate the use of our website, we use “cookies”. Cookies are small-size data/text files, stored in the hard disc of your computer or your device by your browser, which are necessary for the use of our webpage. We use cookies to better comprehend how to make use of our webpage and offer a higher quality of navigation.

The cookies we use do not store personal data or personal info that could lead to the identification of the concerned person. Moreover, they do not store data collected with any other method. If you wish to prevent the collection of data by cookies, please configure your browser settings to erase all existing cookies from your computer’s hard disc, block all future cookies and receive a notification warning prior to the storage of a cookie.

More detailed info can be found in the operation manual of your browser. For any further clarification on the use of cookies you can check our website’s cookies policy section.

Minors’ personal data

Personal data of children/minors may be collected within the framework of the employment relation between the company and its employees, namely for the specification of the employees’ family status with regard to wages and working rights issues etc.
The personal data of children/minors are submitted to processing on the part of the company with a view to their major interest, the protection of their privacy and the need to ensure their legal representation.
Furthermore, the company’s website is addressed to individuals having completed their eighteenth (18th) year of age. The company undertakes to make every possible effort to verify the age of the users and is committed to abstain from collecting and processing personal data of minors. In case of a verified underage user, the company will not process the data of the concerned person and will immediately erase all pertinent information, conserving only the necessary data for grounding and backing up its legal claims or for the granting of consent by the minor’s legal guardians.

Processing purposes

The company may use your personal data for the following lawful processing purposes:
(a) To reply to your inquiries and questions pertaining to our services or get back to you following a request submitted through our webpage’s contact form.
(b) To establish any lawful legal claim or defend the company against any attempt of fraud, cyberattack or any other illegal activity.
(c) To assess our webpage’s traffic with the aim to enhance the users’ navigation experience.
(d) For company-related functions, such as internal management, prevention against fraud, use by informational systems for purposes of administration, billing, invoicing, management of contractual or pre-contractual relations, such as service providing, work implementation, proceeds and payments, audits, operational or computerized service, fulfillment of contractual obligations etc.
(e) Data given to us upon the signing, progression and dissolution of the contractual/employment relation.
(f) To ensure the company’s compliance with all its legal obligations (tax, insurance, customs, bookkeeping etc.), to prevent financial crimes, as well as to safeguard its superior legitimate interests, such as the transmission of data to law firms of competent authorities.

Data Processing Legal Basis

The collection and processing of the above-mentioned subjects’ personal data is grounded on:

Article 6, paragraph 1, case B of the GDPR. Data processing that is necessary for the execution of a contract in which the data subjects are one of the contractual parties or to take measures upon request of the subjects prior to the signing of the contract.

The above is the legal basis for processing the personal data of clients, partners and employees of our company, with whom a contractual relation has been established, within the framework of the attainment of the above purposes.

Article 6, paragraph 1, case C of the GDPR: Data processing that is necessary for the company’s compliance with a lawful obligation deriving from the EU or the national Law.

The above is the legal basis for complying with our legal obligations as employers, the payment of our employees, associates and partners, the safekeeping of medical records of the employees, the notification of competent authorities for the recruitment of employees (Ergani, Labor inspectorate).

Article 6, paragraph 1, case A of the GDPR: The subject has consented for the personal data processing for one or more determined purposes.

The above is the legal basis for exceptional activities, in which personal data processing cannot be grounded on any other legal basis (e.g. personal data processing for satisfying the requests submitted by you etc.)

Article 9, paragraph 2, case H of the GDPR: The processing of special categories of personal data is necessary for purposes of preventive or professional-medical evaluation of the employee’s capacity for work, medical diagnosis, provision of health or social care or treatment or running of health and social systems and services on the basis of the EU Law or the state member’s Law or pursuant to a contract with a health sector professional.

The above is the legal basis for the processing of personal data within the framework of an employment relation.

Article 9, paragraph 2, case F of the GDPR: The processing of special categories of personal data is necessary for the grounding, exercise or backing up of legal claims or in cases when the court jurisdictions act under their judicial capacity.

The above is the legal basis for the processing of personal data in the civil, administrative or penal legal affairs of the company.

Article 9, paragraph 2, case B of the GDPR: The processing of special categories of personal data is necessary for the fulfillment of obligations and the exercise of specific rights on the part of the Data Protection Officer or the Data Subject in the areas of Labor Law and Social Security and Protection Law.

The above is the legal basis for the personal data processing within the framework of the employment relation between us.

Profiling

Our company abstains from using personal data for profiling purposes.

Duration of Personal Data conservation

The personal information given to us by you will be conserved only for the time period needed for the attainment of the processing purpose and in compliance with all existing legal provisions.

Recipients of your personal data

The standard rule is not to transmit personal data to third parties, with the exception of partners that are necessary or facilitate us in offering our services to you, but only under a set of rules and conditions that guarantee that your personal data are not submitted to any kind of illegal processing, other than the purpose of the transmission according to the above-mentioned.

Our company is in collaboration with third-party service providers (e.g. computer systems support companies, cloud services providers, consultancy companies etc.) that may be processing personal data on our account. Ιt should be noted that the above-mentioned associates have previously signed binding contracts as prescribed by the GDPR defining their respective obligations with regard to the processing of personal data for determined and lawful purposes and the non-submission of personal data to any form of processing that is incompatible to the aforementioned purposes, the abidance of confidentiality and the overall compliance with the GDPR.

In case it is necessary to transmit your personal data to a third country outside the European Economic Area, we always assure that a substantial level of protection is provided, contractually binding our counterparty or our associate to whom we transmit your personal data, according to the standardized contractual clauses approved by the EU (more info: here) so as to guarantee an equal amount of protection as the one provided in Greece.

What are your data-related rights and how you can exercise them

As prescribed in the General Data Protection Regulation, the “Data Subject” benefits from certain rights pertaining to the personal data processing carried out by ORFIUM Music Rights Greece. In particular, you benefit from:

The right of access: You have the right to be informed as to whether we are processing your data, and if so, to be informed on the kind of data submitted to processing, the purpose of the processing and the recipients of the data.
The right to rectification: You have the right to request for the rectification of any inaccurate data.
The right to erasure: You have the right to request the erasure of your data. It should be noted that according to article 17, paragraph 3 of the GDPR, the right to erasure cannot be exercised to the extent of a data processing deemed necessary for the company’s compliance with a legal obligation, or for the grounding, exercise and backing up of legal claims, or for purposes of scientific or historical research or for statistical purposes.
The right to restriction of processing: You have the right to request the restriction of your personal data processing.
The right to object: You have the right to object to the processing of your data carried out on the basis of our legitimate interest, unless imperative and lawful reasons that override your interests, rights and freedoms justify the act of data processing.
The right to portability: You have the right to request the storage of the data you have given to us in a structured, commonly used and readable by machines format, as well as the transmission of these data to a different data processing officer.

Moreover, in case of a verified data breach that could significantly endanger your data and provided that it does not fall into any of the exceptions stated in the General Data Protection Regulation, we are obliged to inform you on the matter without any unjustified delay.

In case of a granted consent for the processing of specified categories of personal data by the company, you have the right to revoke your consent at any given moment, with future effect. The consent’s revocation does not affect the legality of the processing based on the consent granted before its revocation. In case of a consent revocation, the company is entitled to further process your data only in cases of other lawful reasons justifying the processing.

For the purpose of ensuring the exercise of your rights the company is reserved to request further information deemed necessary for the verification of your identity prior the exercise of your rights. We are obliged to respond to the pertaining request at the latest within one month starting from the date of its confirmed submission. In the case of a complicated request or/and an overflowing number of pending requests, this deadline can be extended by two months. In that case, you will be notified within a month from the submission of your request for the causes that are likely to lead to the small delay in the materialization of the request. However, in case of a request manifestly ungrounded or excessive or unjustifiably submitted ad nauseam, the company has the right, on the basis of the pertinent legislation, either to impose a reasonable fee or to refuse the further materialization of your request.

If you consider that any of your rights or our company’s legal obligation with regard to personal data protection is violated, and provided that you have previously addressed the matter to our Data Protection Officer, having thus exercised your rights towards our company without receiving any reply within the above-mentioned deadline, or if you consider this reply to be unsatisfactory, leaving the matter unresolved, you have the right to file a complaint before the competent supervisory authority (Hellenic Data Protection Authority, Kifisias Boulevard 1-3, postal code: 115 23, Athens, e-mail: complaints@dpa.gr, fax number: 2106475628.

Contact ORFIUM Music Rights Greece

You can get in contact with us at the address of our head offices: 103, Kallirois str., by calling us at +30 210 22 41 950, or by sending us an e-mail at info@orfiummusicrights.gr.

Updating of the Personal Data Protection Policy

The efficiency of the present policy is reevaluated on at least a yearly basis, for keeping up with legislative amendments and any changes in the company’s activities and operations, as well as for responding to the data subjects’ needs. Every change is to be published on our website, with a concurrent update of the exact time and date of the last revision, appearing on the upper part of the Personal Data Protection Policy Statement.