PRIVACY POLICY FOR DATA PROCESSING OUTSIDE THE WEBSITE
1. Introduction
We consider privacy a matter of utmost importance, and this policy presents the principles to which we adhere and the measures implemented to ensure the lawful processing, security and protection of our clients' and any affiliated third parties' personal data. We remain committed to complying with all relevant EU and national legislation regarding the protection of personal data and the "rights and freedoms" of the data subjects, in accordance with the General Data Protection Regulation (GDPR).
To this end, we have developed and implement the current privacy policy which applies to all the processing operations on the personal data of our clients, during the provision of our services, and our employees/contractors. Moreover, we hereby provide the data subjects with the necessary information regarding the collection, use, sharing, retention and general processing of their personal data, their rights and how to exercise them properly and in accordance with the GDPR.
Please note that, for information on the processing of your personal data in connection with your access and use of the www.theHappyLab.gr website, you should refer to the Privacy Policy for Website Users.
We remain at your disposal to provide you with any information within the framework of our compliance with the current European and national legislation on the protection of personal data, as applicable, and the applicable regulatory directives related to the management of personal data, guaranteeing a secure environment for the processing of your personal data.
2. Our company
We are “theHappyLab P.C.”, a company incorporated under the laws of Greece, having its registered address at 15 Elassonos, 16673, Voula, Attica, Greece, with VAT No 802020230, General Commercial Registry Number 168270909000 and telephone number: +30 6947074664 (hereinafter referred to as “theHappyLab”, “we”, “us”, “our”).
3. Our role
3.1
According to the GDPR, the data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Moreover, the data processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
3.2
Typically, due to the conclusion of service contracts with our corporate clients, the Happy Lab processes data of employees (hereinafter referred to as “participants”) of these companies (hereinafter referred to as “clients”), acting as a data processor for the purposes of provision of our services. These processing operations, as described in the following sections of the current policy, take place as a result of the delegation of responsibilities by our clients, with the latter retaining the role of data controller.
3.3
Apart from this, theHappyLab also acts as a data controller in the following cases:
i. During the processing of the personal data of our employees/contractors.
ii. During our communication with the clients' representatives, through our website, email or telephone.
iii. During the posting of photos or videos on the Happy Lab's social media.
iv. During the search process of an employee, through the acquisition of the candidates' CVs.
v. In general, on any occasion where a processing operation of ours cannot be linked to the provision of our services to the clients.
4. Categories of personal data we process
4.1
Personal data includes any information in paper or digital form that may lead either directly or in combination with other information (indirectly) to the unique identification of a natural person.
4.2
For the purpose of provision of our services to our clients, the following personal data of the participants will be processed:
i. Name and surname of the participant
ii. Email address
iii. Place of occupation, department and work title
iv. Opinions of the participants regarding the work environment and any potentially relevant recommendations, collected through a questionnaire
v. Photos and videos collected during the events organised by us.
4.3
Regarding our employees/contractors, we collect and process the following personal data:
i. Name, Surname, father's and mother's name
ii. Home address
iii. Tax identification number
iv. Social security number
v. Bank account information
vi. Work experience
vii. Marital/family status
viii. Curriculum Vitae (CV)
ix. Employee's signature
x. Any information that may be required by our regional social security and tax offices.
4.4
In general, we do not process in any way any special categories of data under Article 9 of the GDPR, apart from the cases where it is required as part of a legal obligation (for instance, a doctor's notice containing health related information, related to the provision of sick leave days). The concept of special categories of personal data includes personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data, data concerning the health, sexual life or finally, sexual orientation of an individual. In case we become recipients of any personal data as such, we will directly delete them or return them to their provider, asking him/her to refrain from any transfers of such personal data to us.
5. Processing operations on personal data
5.1
Data processing refers to any act or series of acts carried out, with or without the use of automated means, on personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, erasure, or destruction.
5.2
The envisaged processing operations on the aforementioned personal data are the following:
i. Collection of the personal data directly from you, through the use of the website, questionnaires or through your employer.
ii. Storage of the personal data in our company's cloud server.
iii. Use of the personal data for the provision of our services to our clients' employees and the execution of our employees' contract.
iv. Potential use of the personal data in order to comply with any legal obligation, such as audits.
v. Deletion of the personal data upon request by the data subject or by the time 5 years pass following the provision of our services/ termination of employment - cooperation agreement. The CVs of the candidates will be deleted by the time the hiring process has finished.
6. Legal basis for processing
6.1
A general rule in data processing is that, in principle, it is unlawful unless the conditions set forth in Articles 6 and 9 of the Regulation are met, which provide the necessary legal framework which defines the lawfulness of the processing operations on personal data.
6.2
The legal basis for processing of the categories of personal data referred to in subsection 4.2 is performance of a contract, according to article 6 par 1b' of the GDPR, apart from the processing of photos and videos. The processing of photos and videos of the participants in the events, or of the CVs during a hiring procedure, is based on consent, according to article 6 par 1a' of the GDPR.
6.3
The legal basis for processing of the categories of personal data referred to in subsection 4.3 is, depending on the instance, performance of a contract or compliance with a legal obligation of ours, according to article 6 par 1b' and 1c' of the GDPR.
6.4
We may need to disclose your personal information to government or law enforcement officials, regulatory agencies or other third parties (such as attorneys or regulatory service providers), as necessary, in order to (i) comply with applicable laws or regulations, (ii) cooperate with governmental or law enforcement investigations, (iii) respond to legal claims or processes, (iv) protect the safety and legal rights of the public or any individual, (v) detect, prevent or remedy any suspected fraud, market manipulation or illegal, tortious or wrongful activity or (vi) enforce applicable agreements or other contracts to which you have agreed.
7. Data (sub)processors
7.1
We guarantee that the data processors we engage with implement the appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
7.2
For the provision of part of our services to our clients, we engage with third parties that are in charge of setting up an online questionnaire related to the collection of information about the employees' opinions and recommendations regarding their work environment and their preferences. The personal data provided to such third parties is, apart from the aforementioned opinions and recommendations, the email, the department and work title of the participant. The participants may also add information, not requested by us or the third parties, relating either to themselves or to any colleague of theirs. Following the completion of the questionnaire procedure, the third parties provide us with aggregated results related to the findings from the questionnaire responses, which we provide to our client.
7.3
In order for us to comply with our legal obligations (such as taxation, social security obligations etc.) or protect our legitimate interests, we engage with our accounting office and possibly our legal department who may be required to process personal data, mostly of our employees/contractors. Access to the personal data of subsection 4.2 will only be provided to the said subprocessors in case it is required in order for us to protect our legitimate interests, according to article 6 par. 1f of the GDPR.
7.4
For the purpose of storage of the data collected by us, including the personal data, we use the Google Drive cloud-based storage platform. Any personal data are stored only in virtual form, as they were initially collected, and hard copies are not maintained.
8. Data protection rights
8.1
With the current privacy policy, our aim is to provide the necessary information to our clients about the terms of collection and in general processing of their personal data by our company, as Data Controllers. We acknowledge our responsibility to fully adhere to the principles governing the processing of personal data as provided in the GDPR, namely the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
8.2
Additionally, we respect, protect, and ensure the exercise of the data subjects' rights provided in the GDPR, including:
i. “Right to be informed” regarding anything that is related to the processing of personal data (arts. 12-14 GDPR),
ii. “Right of access” to the personal data and any other information related to the data processing activities (art. 15 GDPR),
iii. “Right to rectification” of inaccurate personal data or completion of incomplete personal data (art. 16 GDPR),
iv. “Right to erasure” (“right to be forgotten”), according to which the data subject could achieve the deletion of his/her personal data under certain conditions (article 17 GDPR),
v. “Right to restriction of processing” of the personal data under certain conditions (art.18 GDPR),
vi. “Right to data portability”, according to which the data subject can receive the personal data concerning him/her, which had been provided to a controller, in a structured, commonly used and machine-readable format and transmit them to another controller without hindrance from the controller to which the personal data had been previously provided (art. 20 GDPR),
vii. “Right to object” at any time to processing of personal data concerning him/her (art. 21 GDPR),
viii. “Right to object to the automated individual decision-making, including profiling” (art. 22 GDPR),
ix. “Right to withdraw from the provided consent” freely, at any time, in case the processing of your personal data is based on consent and
x. “Right to appeal against the competent supervisory authority”.
8.3
We remain at your disposal to respond to any of your requests regarding the above and to ensure the substantial and effective protection of personal data throughout the provision of our services, in compliance with the applicable European and national legislation for data protection, as well as applicable regulatory directives related to data management.
For this purpose, you can submit a request or exercise your rights by contacting us through the way presented in section 12 “Contact information” of the current policy. In the case of a relevant request, we are obliged to respond to it without undue delay and in any event within one month of receipt of the request and provide information to you in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
You will not have to pay a fee to exercise any of the aforementioned rights. However, we may charge a reasonable fee or refuse to comply with your request in case the latter is clearly unfounded, repetitive or excessive.
9. Data transfers to third parties
9.1
As a rule, we will not transfer your personal data to any third parties unless such a processing operation is necessary and, additionally, you have given your prior explicit consent. Respecting the principle of confidentiality, we ensure that the personal data processed will not be disclosed to unauthorized individuals, taking necessary measures accordingly.
9.2
In any case, we categorically state that we will not transfer your personal data to any third parties for their direct use for promotional purposes (marketing) or any other purposes not related to the provision of our services or an applicable legal obligation.
10. Security
10.1
The secure processing of your personal data is of utmost importance to us and as a result, we implement all the appropriate organizational and technical measures on a case-by-case basis, both primarily preparatory and during processing, to ensure the confidentiality, integrity, and availability of the personal data collected under this Policy, according to the risk-based approach of the GDPR.
10.2
In compliance with the applicable European and national legislation on the protection of personal data, we have appropriately trained and educated our staff, follow appropriate security policies, and use appropriate technical and operational tools, such as access limitation, password policies and targeted staff training.
11. Actions in case of a data breach event
11.1
Despite our efforts to ensure the integrity and security of your personal data, the rapid development of technology may lead to the emergence of new, unforeseen methods that could result in malicious loss, misuse, alteration, or destruction of your personal data. While we cannot absolutely guarantee the security of the personal data in every unforeseen situation, we do guarantee vigilance and effective management of potential risks, always in collaboration with the competent authorities, beyond the security measures already taken.
11.2
According to Article 33 of the GDPR, we shall notify, without undue delay and, if feasible, within 72 hours of becoming aware of the personal data breach, the supervisory authority as per Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. When notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay. If it is not possible to provide the information simultaneously, it may be provided gradually without unjustified delay.
11.3
Additionally, according to Article 34 of the GDPR, if the personal data held in our records are breached in a manner that may pose a high risk to your freedoms and rights, we have the corresponding obligation to inform you without undue delay, as provided for in the applicable General Data Protection Regulation (GDPR).
12. Contact information
If you have any questions or comments regarding this privacy policy, the measures taken by our company to protect your personal data or you wish to exercise any of your rights as a data subject, please contact us through the following methods:
i. Via email at contact@thehappylab.gr
ii. Via post by using the following details:
“theHappyLab I.K.E.”
15 Elassonos street
PC 16673
Voula, Attica, Greece
iii. Via telephone on the telephone number +30 6947074664
13. Validity of the Privacy and Personal Data Protection Policy
This Policy was published on 04/03/2025 and is subject to periodic improvement and revision. For this purpose, we encourage you to periodically review this Policy to stay informed about how we manage and process your personal data.
theHappyLab I.K.E. | +30 6947074664 | www.thehappylab.gr