DATA SECURITY BREACH MANAGEMENT POLICY
Policy Statement
Kentriki Private Company (the “Company”) holds a great deal of Personal Data. It is critical that any Personal Data held by the Company is protected from misuse. Breaches of Personal Data could lead to financial loss through litigation or regulatory penalty, loss of business or damage to the reputation/brand of the Company.
A Personal Data breach can have serious consequences for the individuals concerned such as identity theft and fraud and it is important that each and every one of us takes responsibility for any potential, suspected, threatened or actual security breaches. This Policy sets out the procedure with which all Company’s employees and contractors (referred to in the remainder of this Policy collectively as employees) must comply if they become aware of a data security breach.
Purpose & Scope
This Policy will help ensure that the consequences of data security breaches are managed as quickly and effectively as possible and ensure compliance with our legal obligations, which may involve reporting data security breaches to the Data Protection Authority and/or to affected individuals.
For the purposes of this Policy:
A data security breach occurs if there is a breach of security that leads to:
• the accidental or unlawful destruction, loss or alteration of Personal Data; or
• any unauthorised disclosure of, or access to, Personal Data.
"Personal Data" includes any information about a customer, applicant, colleague, a member of the public or any other individual, including name, contact details, account details and personnel records.
Examples of data security breaches include:
• Loss or theft of data or equipment on which Personal Data is stored;
• Inappropriate access controls allowing unauthorised use;
• Equipment or technical failure leading to loss of or corruption of data;
• Human error, for example sending an email to an incorrect recipient or forgetting to use the 'BCC' field instead of the 'CC' field;
• Hacking attack; or
• "Blagging" offences, where information is obtained by deceiving the organisation that holds it into believing that the person requesting the information is entitled to access it.
Implementation Guidelines
What do you do if there is a data security breach?
■ You must report immediately any potential, suspected, threatened or actual security breach to the Company’s management. The Company’s management will ascertain the nature and severity of the breach and will manage the breach in accordance with this Policy.
■ Your notification should include the following details:
■ Your name, job title and telephone and email contact details;
■ Description of what has happened;
■ Volume of data involved and number of individuals affected;
■ Type(s) of data involved, including personal data and which individuals this affects;
■ Status of the security breach: (i) potential, (ii) suspected, (iii) threatened or (iv) actual (and, if actual, whether it has been isolated (and how) or is ongoing);
■ Who is aware of the breach;
■ What actions have been taken to address the breach and have these mitigated any adverse effects; and
■ Any other relevant information.
Breach management procedure
■ The Company’s management shall:
■ Investigate the reported breach to establish the scale and nature of the breach;
■ Consider what can be done to recover the loss of Personal Data;
■ Identify the safeguards in place, or to be put in place, to protect against misuse of the Personal Data;
■ Identify any relevant teams to assist and if appropriate, any third parties, such as banks, websites, insurers, police or credit card companies to prevent fraudulent use of Personal Data;
■ Having established the cause, determine whether any further actions can be taken to contain the breach, e.g. taking systems offline, changing access codes, locating lost equipment;
■ Determine the value of the Personal Data to the third party in receipt; and
■ Take all necessary steps to mitigate the effects of the data breach.
Breach reporting
■ The Company’s management shall notify the Data Protection Authority of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
■ When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company’s management shall communicate the personal data breach to the data subject without undue delay. The notification to the data subject shall comprise or take into account the following:
■ Describe how the data breach happened, the date of the breach, and how the stolen information has been misused (if available);
■ The type of breach that has occurred may affect the level of risk presented to individuals. For example, a confidentiality breach whereby medical information has been disclosed to unauthorised parties may have a different set of consequences for an individual to a breach where an individual’s medical details have been lost, and are no longer available;
■ When assessing risk, a key factor is the type and sensitivity of personal data that has been compromised by the breach. Usually, the more sensitive the data, the higher the risk of harm will be to the people affected, but consideration should also be given to other personal data that may already be available about the data subject.
■ If a data security breach involves Personal Data that is being processed by the Company on behalf of a third party, details of the data security breach may need to be notified to that third party.
Roles & Responsibilities
■ Overall data protection compliance of the Company is the responsibility of its management, which is also responsible for monitoring the application of this Policy and any supporting policies.
■ Employees are responsible for ensuring the security of Personal Data and for reporting actual, potential or suspected breaches in line with this policy. Reference should also be made to the Data Protection Policy.
If you have any questions about this Policy, please raise them in the first instance to k.dotsikas@savills.gr.
Awareness training will be provided to all relevant new employees with refresher training and updates provided where required.
Breaches of Policy
Any member of staff who is found to have not complied with this Policy will be subject to disciplinary action. Such behaviour may constitute gross misconduct and, as such, may result in immediate dismissal. The Company always takes a strict approach to breaches of Personal Data.
We will review this Policy periodically and will make any updates deemed necessary. You will be required to comply with any updates made as from the date the updated Policy is made available to employees.
DATA PROTECTION POLICY
Policy Statement
Kentriki Private Company (the “Company”) needs to collect and use information about its employees, clients and other individuals who come into contact with the Company for a variety of purposes.
Purpose & Scope
The purpose of this Policy is to provide Company’s management, employees and partners with guidance on the appropriate matters to consider when processing personal data on behalf of the Company.
This Policy applies to the Company and to all contractors and consultants who may have access to personal data in the course of fulfilling their duties.
Implementation Guidelines
To meet the objectives outlined within the policy statement, the Company takes a principles-based approach to data protection, embedding ownership of data protection and responsibility for the identification, assessment, management, monitoring and reporting of data protection and security risks and issues. Below are the key principles of good practice which must be complied with to ensure that the processing of personal data is carried out fairly and lawfully, without adversely affecting the rights of individuals. These provide that personal data must be:
1. Processed fairly, lawfully and in a transparent manner.
2. Processed for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purpose with which it is processed.
4. Accurate and kept up to date. Inaccuracies must be rectified without delay.
5. Kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the Personal Data was collected.
6. Kept confidential and processed in line with individual data subjects' rights.
7. Secured against loss, destruction and damage.
8. Not transferred to people or organisations situated in countries without adequate protection for individual data subjects.
Roles & Responsibilities
The Company has developed and implements adequate technological and organisational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, including appropriate data protection processes and procedures, information security policies and data breach management processes. These should also be made available to all relevant staff.
The Company’s management is responsible for ensuring that this Policy is implemented, revised and amended from time to time to meet Greek legislation, which brings into effect various aspects of the General Data Protection Regulation. In addition, the Company’s management is responsible for monitoring the application of this Policy and any supporting policies in the Company’s business.
Company’s employees are responsible for ensuring they understand and comply with the requirements set out in this Policy.
This policy is communicated to all employees and is available on the Company’s intranet or the staff handbook.
Relevant staff must receive training in this policy, on their rights and responsibilities under the policy and how the policy affects the way they carry out their duties.
Any questions regarding the implementation of this policy should be referred to k.dotsikas@savills.gr.
DATA SUBJECT RIGHTS POLICY
Policy Statement
Kentriki Private Company (the “Company”) holds a great deal of Personal Data about individuals: employees; customers; prospective customers; tenants and prospective tenants and business contacts. Under data protection legislation individuals have a number of rights in relation to their Personal Data.
Purpose & Scope
This Policy provides an overview of individuals' rights and explains the procedures with which all Company’s employees and contractors (referred to in the remainder of this Policy collectively as employees) must comply if an individual makes a request to exercise their data protection rights.
What rights do individuals have under data protection legislation?
■ Under the General Data Protection Regulation (GDPR) individuals have the following rights:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- rights in relation to automated decision making and profiling.
Implementation Guidelines
■ All Company’s employees should have a fairly good understanding of what each of these rights involves so that they are able to recognise these rights if an individual seeks to exercise them. Employees should also be aware of and seek to adhere to the timeframes for responding to requests and the consequences if we fail to respond as we should.
■ It is important that all employees familiarise themselves with, and follow, the procedures set out in the Company’s documented guidelines and procedural documents if they ever receive a request from a data subject relating to their personal data. The Company has one calendar month to respond to any such requests and employees must make sure that any requests they receive are escalated appropriately in good time to allow the Company to comply with this deadline.
■ Failure to comply with individuals' requests under the GDPR is considered a serious breach of an individual's rights. Such breaches could result in significant reputational and brand damage and attract the maximum possible fine under the GDPR regime, which equates to up to 4% of Group turnover or €20 million. Failure to comply could also have an adverse effect on the individual. It is therefore important that all requests are recognised and acted on promptly, to enable the Company to respond to requests correctly and within the one-month time frame.
Roles & Responsibilities
■ Overall data protection compliance is the responsibility of the Company’s management, which shall also be responsible for monitoring the application of this Policy and any supporting policies.
■ Employees are responsible for ensuring they understand and comply with the requirements set out in this Policy.
If you have any questions about this Policy, please raise them in the first instance to k.dotsikas@savills.gr.
Awareness training will be provided to all relevant new employees with refresher training and updates provided where required.
Breaches of Policy
Any member of staff who is found to have not complied with this Policy will be subject to disciplinary action. Such behaviour may constitute gross misconduct and, as such, may result in immediate dismissal. The Company takes a strict approach to compliance with Personal Data requirements.
Policy Updates
We will review this Policy periodically and will make any updates deemed necessary. You will be required to comply with any updates made as from the date the updated Policy is made available to employees.
INFORMATION SECURITY POLICY
Policy Statement
Kentriki Private Company (the “Company”) holds confidential information relating to individuals, both internal and external. It is critical that the information and systems are protected from misuse. Breaches of security could lead to financial loss through litigation or regulatory penalty, loss of business or damage to the reputation/brand of the Company. Information security is important to maintain commercial confidentiality in order to reduce market / competitor risk.
Purpose & Scope
The purpose of this Policy is to define a framework that protects the Company’s computer systems, network and all data contained within, or accessible on or via these computer systems from all significant threats whether internal, external, deliberate or accidental.
This Policy applies to the Company’s businesses irrespective of the exact place where they are conducted and covers Information Assets (as defined below) held on the Company’s systems and / or any mobile devices / 3rd party systems on which the Company’s data is held.
For the purposes of this Policy:
An Information Asset is defined as a body of information, defined and managed as a single unit so it can be understood, shared, protected and used effectively. Information Assets have recognisable and manageable value, risk, content and lifecycles.
“Information Security” is the system and process designed to protect and preserve the confidentiality, integrity and availability of Information Assets, and additionally those systems and processes designed to protect and preserve the authenticity and reliability of information and Information Assets.
Implementation Guidelines
Working with the Company’s IT consultant, all appropriate measures are taken to:
■ Protect Information Assets and any client information within the Company’s custody or safekeeping or held by a 3rd party on behalf of the Company by safeguarding its confidentiality, integrity and availability.
■ Establish safeguards to protect Information Assets from theft, misappropriation, abuse, unauthorised access, misuse and any form of damage.
■ Establish responsibility and accountability for Information Security in each Company department.
■ Require management and staff to maintain an appropriate level of awareness, knowledge and skill to allow them to minimise the risk and severity of Information Security incidents. For example, employees are made aware that password sharing is unacceptable.
■ Ensure that the Company is able to continue its commercial activities in the event of significant Information Security incidents.
Roles & Responsibilities
■ The Company’s management is responsible for monitoring the application of this Policy and any supporting policies, for continuously identifying the risks associated with Information Security within the Company’s business, and for the implementation of this Policy across all of the Company’s operational departments.
■ Company’s directors are responsible for reporting suspected and actual Information Security breaches in accordance with the relevant data breach management policy.
■ Employees are responsible for ensuring the security of Savills information assets. Reference should also be made to the Group Data Protection Policy.
Further guidance on the application of this Policy can be found on the Company’s intranet, the employee handbook or from the Company’s IT consultants.
Awareness training will be provided to all relevant new employees, with refresher training and updates provided where required.
Breaches of Policy
Any member of staff who is found to have not complied with this Policy will be subject to disciplinary action. Such behaviour may constitute gross misconduct and, as such, may result in immediate dismissal. The Group always takes a strict approach to breaches of Information Security.
GROUP RETENTION OF RECORDS POLICY
Policy Statement
Kentriki Private Company (the “Company”) is required to retain certain records to fulfil its statutory or regulatory obligations and/or to meet the Company's operational or business needs.
Purpose and Scope
The purpose of this Policy is to provide Company’s management, employees and partners with guidance on the matters to consider when establishing local retention and disposal procedures for different categories of records.
This Policy applies to all records (whether in paper or electronic form) that are created, received or handled by the Company’s employees during the undertaking of their duties. It also applies to records held in audio or visual form such as call recordings and CCTV footage.
Implementation Guidelines
- Contents of Records
All records must remain complete and intact, including all emails, notes of conversations taken at the time, dates and telephone messages, in order that reliance may be placed on them in case of complaint or litigation.
- Storage of Records / Archiving
Records must be stored in a safe and secure manner so as to prevent access by unauthorised third parties. If an external provider is used to store records a written contract must be put in place with the provider and a due diligence exercise should be undertaken to ensure that storage facilities are safe and secure and that the provider is appropriately accredited.
Prior to archiving any records, a destruction date should be specified by reference to the relevant retention period set out in the relevant Retention Schedule.
- Retention of Records
Personal data processed for any purpose must not be kept for longer than is necessary for that purpose. This means not retaining documents or records that contain personal data beyond the length of time necessary for the purpose for which that data was obtained.
The Company must retain some records for set periods of time and also has obligations to delete certain information when it is no longer needed.
All records should be retained in line with the periods set out in the Retention Schedule below and should be deleted at the end of the relevant period in accordance with the "Disposal of Records" section below.
The Retention Schedule is as follows:
Record Type : Retention Period
Accounting & Finance : 5 years
Contracts : 20 years
Corporate records : 20 years
Electronic mail : 15 years
Insurance records : 10 years
Legal files & Papers : 20 years
Payroll documents : Termination + 10 years
Personnel records : Termination + 10 years
Tax records : 5 years
Disposal of records
At the end of the minimum retention period specified in the above Retention Schedule for the relevant operating company, the record should be reviewed and destroyed or permanently deleted, unless there is a special reason for keeping it (and this has been confirmed by the Company’s management).
Any confidential paper records (which include all client records and any documents containing personal data) should be shredded or placed in a confidential waste bin for destruction by an accredited provider. Where external providers are used to destroy paper records, destruction certificates must be obtained.
Documents held electronically should be deleted in their entirety from our systems. Please speak to the Company’s IT consultant to establish how these documents can be fully deleted.
If you need to dispose of equipment which might contain personal data, for example computers, hard drives or other hardware, you must make sure that equipment is wiped prior to disposal. This means that all personal data held on that piece of equipment must be erased thoroughly from the equipment. Please speak to the Company’s IT consultant to establish the best way to wipe equipment.
Roles & Responsibilities
Company’s management is responsible for monitoring of the application of this Policy and any supporting policies and for making any necessary updates or adjustments in accordance with relevant legislation or the Company’s business needs.
Employees are responsible for ensuring they understand and comply with the requirements set out in this Policy and with any updates made as from the date the updated Policy is made available to employees.
If you have any questions about this Policy, please raise them to k.dotsikas@savills.gr.
Awareness training will be provided to all relevant new employees with refresher training and updates provided where required.