Privacy Policy

DESQUARED S.A.
Desquared S.A. is a leading digital product partner that offers services such as product strategy, product design, mobile and web development, product management, customer experience management and performance marketing. It was founded in Athens, Greece in 2012 and has more than 100 employees. Some of its partners include Cosmote, National Bank of Greece, Alpha Bank, Kritikos, Heron and Public.

The company's contact information is as follows:

Desquared, a leading software development company, is dedicated to ensuring that the privacy and personal data of its clients' users and of its own users are protected in compliance with the General Data Protection Regulation (GDPR). This commitment is outlined in the present Privacy Policy, which covers a comprehensive range of topics and provides clear examples and analogies to help users understand the company's data protection practices.

The Privacy Policy starts by defining the roles of Data Controllers and Data Processors.

The policy also discusses the principles of Privacy by Design and Default, guiding Desquared in building privacy into its products and services from the ground up and choosing contractors who provide privacy and information security safeguards as personal data subprocessors. This approach is similar to constructing a house with built-in security features or designing a car with safety features incorporated from the beginning. This commitment is seen in both the software development for B2C applications and the online ordering platform that Desquared offers.

Automated decision-making and profiling are other aspects addressed in the Privacy Policy. Desquared provides algorithm solutions to its clients so that they can analyze their users' preferences and recommend relevant content or suggested actions based on their interests. This can be compared to a self-checkout system in a supermarket or creating a personalized playlist based on a user's listening habits. The solution itself is used by the client, who will explain, in their own Privacy Policies and Privacy Notices, the safeguards used for the lawful processing of the personal data gathered on their initiative or in their name.

Desquared's website does not rely, for its business, on market structures that are cookie- (or tag- or pixel-) driven. Desquared's Cookie Chapter in the Privacy Policy outlines how the company uses cookies and similar technologies to improve user experience, provide personalized content, and analyze website traffic.

The Privacy Policy also covers external links, emphasizing that Desquared is not responsible for the privacy practices of third-party websites, including those of its clients. This applies to both the software solutions and the online ordering and delivery as well as supporting services platform. Following an external link can be compared to stepping into a neighboring store in a shopping mall or taking a guided tour, where the rules and policies of each attraction are separate.

Changes to the Privacy Policy may occur from time to time, reflecting updates in Desquared's practices, services, or legal requirements. This can be compared to updating a map to include new roads and landmarks or releasing a software update that introduces improvements and new features.

Desquared's Privacy Policy provides contact information for users to ask questions, provide feedback, or exercise their data subject rights under the GDPR.

Lastly, the policy addresses complaints and dispute resolution, demonstrating Desquared's commitment to resolving any issues that may arise concerning its data processing activities and compliance with the GDPR. This process can be compared to mediation or a customer service department handling issues and finding satisfactory solutions for customers who have experienced problems with products or services.

Desquared's Privacy Policy ensures compliance with the GDPR and protects the personal data of its users across its software development and online ordering platform.

Introductory Remarks

In the context of Desquared's commitment to data protection and compliance with the GDPR, the company has developed three distinct policies to address different aspects of user privacy and security: (A) Privacy Policy, (B) Security Policy, and (C) Individual Rights Policy. Each of these policies serves a specific purpose in addressing the needs and concerns of Data Subjects.

(A) Privacy Policy:
The Privacy Policy outlines how Desquared as a Data Controller collects, processes, and protects personal data of its users in compliance with the GDPR. It details the company's data protection practices, roles as a Data Processor and, in exceptional cases, as a Data Controller, as well as its commitment to Privacy by Design and Default. The Privacy Policy also includes, among other subjects, information on automated decision-making, profiling, possible cookie usage, external links, policy updates, contact information, and dispute resolution processes. The primary purpose of the Privacy Policy is to inform users about how their personal data is being managed and protected by Desquared.

(B) Security Policy:
The Security Policy focuses on the technical and organizational measures Desquared has implemented to safeguard personal data and ensure the confidentiality, integrity, and availability of the data they process. This policy addresses topics such as access controls, encryption, network security, incident response, and employee training. It demonstrates the company's commitment to maintaining a robust security infrastructure to protect personal data from unauthorized access, disclosure, alteration, or destruction. The Security Policy aims to assure users that their personal data as collected by Desquared as a Data Controller is secure and well-protected.

(C) Individual Rights Policy:
The Individual Rights Policy outlines the rights of Data Subjects under the GDPR and describes the procedures through which they can exercise these rights. These rights include the right to access, rectify, erase, restrict processing, object to processing, data portability, and the right to lodge a complaint with a supervisory authority. The policy also details how Desquared will handle requests from Data Subjects exercising their rights, such as timeframes for response and any applicable fees. The main purpose of the Individual Rights Policy is to empower Data Subjects with the knowledge and tools they need to take control of their personal data and exercise their rights under the GDPR.

The Privacy Policy, Security Policy, and Individual Rights Policy each serve distinct purposes in addressing different aspects of data protection and user privacy. While the Privacy Policy provides a comprehensive overview of Desquared's data processing practices, the Security Policy focuses on the measures in place to safeguard personal data, and the Individual Rights Policy empowers users with the knowledge and tools to exercise their rights under the GDPR.

The Individual Rights Policy addresses the rights of data subjects as outlined in the General Data Protection Regulation (GDPR), providing comprehensive guidelines on how Desquared ensures the protection and fulfillment of these rights.

The Security Policy, on the other hand, focuses on the technical and organizational measures employed by Desquared to protect personal data against unauthorized access, disclosure, alteration, or destruction. It outlines the company's approach to risk management, incident response, and ongoing security monitoring. The Security Policy also provides guidance on staff training, vendor management, and the importance of regular audits and reviews to ensure continuous improvement of Desquared's security posture.

Both the Individual Rights Policy and the Security Policy intersect with the Privacy Policy in various areas. For instance, the Privacy Policy describes Desquared's commitment to data protection and the legal bases for processing personal data, while the Individual Rights Policy elaborates on the rights and mechanisms available to data subjects in relation to that processing. Similarly, the Privacy Policy touches upon the security measures Desquared has in place to protect personal data, which are then detailed extensively in the Security Policy.

By implementing these distinct but interconnected policies, Desquared demonstrates its dedication to ensuring compliance with the GDPR and other relevant data protection regulations. The company's commitment to upholding the highest standards of data privacy and security is evident in its proactive approach to policy development, risk management, and continuous improvement.

Introduction and Scope

This Privacy Policy ("Policy") is designed to inform you about Desquared's commitment to the protection and privacy of your personal data in accordance with the General Data Protection Regulation (GDPR). The Policy applies to all personal data collected, processed, and stored by Desquared through the use of our website, services, and any related activities where Desquared acts as the data controller. By using our website and services, you acknowledge and agree to the terms set forth in this Policy.

Definitions

For the purposes of this Policy, the following terms have the meanings set forth below:

  • Personal Data: Any information relating to an identified or identifiable natural person, known as a "Data Subject." An identifiable person is someone who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, or online identifier.
  • Processing: Any operation or set of operations performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • Data Controller: The natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data.
  • Data Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.
  • Data Subject: The individual whose personal data is being processed.
  • Consent: Freely given, specific, informed, and unambiguous indication of the Data Subject's agreement to the processing of their personal data.

Data Collection and Use

Desquared processes personal data as a Data Processor to provide services, enhance user experience, and comply with legal obligations. It may collect personal data as a Data Controller only to the extent that a legal basis is explicitly provided, either through consent or as a prerequisite for the execution of a legal or contractual obligation, as outlined in Articles 6 and 7 of the GDPR. For example, when you create an account on our website, we collect your name, email address, and password to create and manage your account.

The types of personal data collected depend on the context of the data subject's interactions with Desquared and the services utilized. As a Data Controller, Desquared may collect, with explicit advance notice, information such as name, email address, phone number, IP address, and browsing behavior. As a Data Processor, Desquared is bound to process personal data in accordance with the guidelines provided by the Data Controller.

Legal Basis for Processing

Desquared processes personal data it has collected as a Data Controller based on one or more legal bases provided by the GDPR, including:

  • Consent: When you explicitly provide permission for specific processing activities, such as subscribing to a newsletter or allowing cookies on our website.
  • Contractual Necessity: When the processing is necessary to fulfill a contract between you and Desquared, such as processing your payment details to complete a purchase.
  • Legal Obligations: When the processing is necessary for compliance with a legal obligation, such as tax reporting or responding to a valid request from a law enforcement agency.
  • Legitimate Interests: When the processing is necessary for the purposes of our legitimate interests or those of a third party, provided those interests do not override your rights and freedoms. This may include processing to improve our services, protect against fraud, or analyze website usage.

Consent

Desquared obtains and manages your consent in compliance with the GDPR. When we request your consent, we will provide clear and specific information about the data processing activities for which your consent is sought. You have the right to withdraw your consent at any time, and we will make it easy for you to do so, such as by providing an "unsubscribe" link in our email communications or offering a simple opt-out mechanism on our website.

Data Retention and Storage

Desquared retains personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable laws and regulations. We implement appropriate technical and organizational measures to ensure the security of your personal data and to protect it against unauthorized access, disclosure, alteration, or destruction. Pursuant to Article 5(1)(e) of the General Data Protection Regulation (GDPR), Desquared shall retain personal data only for the duration necessary to fulfill the purposes for which the data was collected or as mandated by applicable laws and regulations. Desquared is committed to ensuring compliance with the principles of storage limitation and data minimization. For example, we use secure servers, encryption, and access controls to protect your personal data. We also regularly review our data retention policies and practices to ensure that we are not retaining personal data for longer than necessary.

Rights of Data Subjects

As a Data Subject, you have specific rights under the GDPR, which Desquared is committed to honoring.

These rights include:

  • Right to Access: You have the right to request access to your personal data held by Desquared and to obtain information about how we process it.
  • Right to Rectification: You have the right to request the correction of any inaccurate personal data held by Desquared, as well as the completion of any incomplete data.
  • Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data held by Desquared, under certain conditions.
  • Right to Restriction of Processing: You have the right to request that Desquared limit the processing of your personal data under certain circumstances.
  • Right to Data Portability: You have the right to receive your personal data held by Desquared in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to Object: You have the right to object to Desquared's processing of your personal data under certain conditions.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the relevant supervisory authority if you believe that Desquared's processing of your personal data is not compliant with the GDPR.

Third-Party Service Providers

Desquared may engage third-party service providers to perform certain data processing activities on our behalf, such as software solution providers for payment-processing management software, agencies for web hosting or cloud-based services, or marketing services. These third parties, acting as Data Processors, are contractually obligated to process personal data in accordance with Desquared's instructions and the GDPR's requirements, as stipulated in Article 28 of the GDPR. Desquared ensures that these service providers maintain suitable security measures and utilize personal data solely for the specific purposes authorized.

International Data Transfers

Desquared may transfer personal data to third countries or international organizations outside the European Economic Area (EEA) in accordance with the GDPR's requirements. When such transfers occur, we ensure that an adequate level of protection is in place, using mechanisms such as standard contractual clauses, binding corporate rules, or other approved methods, including requesting risk assessments and following information security protocols.

Children's Privacy

Desquared is committed to protecting the privacy of children. Our website, services, and products are not intended for individuals under the age of 16, and we do not knowingly collect, process, or store personal data from children. Similarly, Desquared ensures that its services are age-restricted and not accessible to younger children.

If we become aware that a child has provided us with personal data without parental consent, we will take steps to remove such information and terminate the child's account, much like a librarian removing an inappropriate book from the children's section.

Data Processing for Specific Purposes

Desquared may process personal data, mainly for the benefit of the Data Controller that has appointed Desquared, for specific purposes, such as marketing, analytics, or customer support. Think of these purposes like separate compartments in a toolbox, each containing specific tools to accomplish a particular task. When processing data for these purposes, we ensure that we have a valid legal basis, such as consent or legitimate interest, and that the data is only used for the intended purpose.

For example, if you are a client of ours, we may process the email address of your employees that are already engaged via your administration to send you the material referred to under article 11 L.3471/2006, in line with Directive 2002/58. This is clarified in Recital 173 and Article 95 of the GDPR, according to which the GDPR does not apply where there are already existing e-Privacy rules. To that extent, we may process your personal data to provide assistance and resolve any issues you may be experiencing with our services, similar to a mechanic diagnosing and repairing your car.

Data Sharing and Disclosure

Desquared may share your personal data with third parties under certain circumstances, such as when required by law, to protect our rights or property, or to facilitate the provision of our services. Imagine a detective sharing crucial case information with another law enforcement agency to solve a crime. We ensure that any third-party recipients of your personal data are bound by contractual agreements or other legal obligations to protect your information and only use it for the specific purposes for which it was disclosed.

For example, we may share your personal data with payment processors to facilitate transactions or with analytics providers to help us understand how our website and services are being used, like a sports coach sharing player statistics with a data analyst to develop a winning strategy.

Security Measures

Desquared is committed to protecting the security of your personal data. We and any subprocessors appointed implement appropriate technical and organizational measures to safeguard your information from unauthorized access, disclosure, alteration, or destruction. These measures, comparable to the safety features of a bank vault, can include secure servers, access controls, and regular security assessments.

Data Breach Notification

In the event of a personal data breach, Desquared shall promptly notify the competent supervisory authority and affected data subjects, as mandated by Articles 33 and 34 of the GDPR. Desquared will implement appropriate measures to mitigate potential risks and minimize the impact of the breach on the individuals concerned.

Data Subject Rights and Requests

As a Data Subject, you have specific rights under the GDPR, including the right to access, rectify, erase, restrict processing, data portability, object to processing, and lodge a complaint with a supervisory authority. Think of these rights as a set of keys that grant you access to and control over your personal data stored in Desquared's systems.

For example, if you feel that Desquared is holding incorrect personal data about you, you have the right to request that the information be corrected or updated. Exercising your data subject rights can be compared to adjusting the settings on your smartphone, customizing your privacy preferences to suit your needs.

Exercise of Data Subject Rights

To exercise your rights as a Data Subject, you may submit a request to Desquared's Data Protection Officer (DPO). Desquared will respond to your request in a timely manner, usually within one month and certainly within the deadline that is foreseen, and will take appropriate action. Submitting a request to the DPO is akin to filing a complaint with a manager to address a concern about a product or service, although this time it concerns the handling of your personal data.

Data Protection Impact Assessments (DPIAs)

DPIAs are systematic processes used by Desquared to evaluate the potential risks and impacts of new technologies, projects, or data processing activities on personal data privacy. Desquared may conduct a DPIA before launching a new marketing campaign to ensure that it complies with GDPR requirements and respects user privacy. Conducting a DPIA is like performing a safety inspection on a vehicle before a road trip, checking for potential hazards and taking precautions to ensure a smooth journey, or is comparable to a medical check-up, identifying potential health risks and implementing preventative measures.

Data Protection Officer (DPO)

The DPO is a designated individual within Desquared responsible for overseeing the company's data protection strategy and ensuring compliance with GDPR requirements. The DPO reviews data processing activities, provides guidance on data protection matters, and serves as a point of contact for Data Subjects and supervisory authorities.

In line with Article 37 of the GDPR, Desquared has appointed a Data Protection Officer (DPO) to oversee the company's data protection strategy and ensure adherence to GDPR requirements. The DPO is responsible for reviewing data processing activities, offering guidance on data protection matters, and acting as a liaison for Data Subjects and supervisory authorities, as outlined in the EDPB's guidelines on DPOs.

Cooperation with Supervisory Authorities

Desquared is committed to cooperating with supervisory authorities to ensure compliance with GDPR requirements and resolve any potential issues or disputes. If a supervisory authority requests information about Desquared's data processing activities, the company will promptly provide the necessary details via the DPO. This cooperation can be compared to a business partnering with a regulatory agency to maintain industry standards and ensure the best possible outcomes for all parties.

Privacy by Design and Default

Privacy by Design and Default is a principle that guides Desquared in building privacy into its products and services from the ground up, ensuring that user privacy is protected by default. This principle can be compared to designing a car with safety features, like airbags and seat belts, incorporated from the beginning to protect passengers by default.

In accordance with Article 25 of the GDPR, Desquared adheres to the principles of Privacy by Design and Default, which require the incorporation of data protection measures into the design and operation of products and services from the outset. By implementing robust privacy safeguards, such as encryption and minimal data collection, Desquared ensures the protection of user privacy by default, analogous to integrating safety features like airbags and seat belts into a vehicle's design from the beginning.

Automated Decision-Making and Profiling

Automated decision-making and profiling involve using algorithms and other automated tools to make decisions or analyze personal data without human intervention. In these cases, Desquared may, for example, be asked to use an algorithm to analyze user preferences and recommend relevant content based on their interests. Automated decision-making can be compared to a self-checkout system in a supermarket, where the machine scans items and calculates the total price without human assistance. Profiling is like creating a personalized playlist for a user based on their listening habits and preferences, using algorithms to predict their taste in music. Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or significantly affects them. Desquared must allow for human intervention in the decision-making process and provide the data subject with an opportunity to express their views and contest the decision. Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. This right applies to data used by Desquared for automated decision-making and profiling.

Cookie Policy

Desquared's Cookie Policy, in compliance with the GDPR and the ePrivacy Directive, sets forth the company's usage of cookies and similar technologies to enhance user experience, deliver personalized content, and analyze website traffic. Desquared may deploy cookies to recall a user's language preferences, facilitating a seamless browsing experience by displaying the website in their preferred language.

Desquared's Privacy Policy details the company's use of cookies and similar technologies, pursuant to Articles 6(1)(a) and 7 of the General Data Protection Regulation (GDPR) and in compliance with the guidelines provided by the European Data Protection Board (EDPB).

Desquared ensures that these cookies and technologies are used in a manner that respects user privacy and complies with the GDPR. The company is committed to providing clear and comprehensive information about the cookies it uses, obtaining user consent when required, and implementing appropriate safeguards as stipulated by the GDPR and EDPB guidelines. The following list contains the cookies and technologies that are utilized by Desquared to enhance user experience, provide personalized content, and analyze website traffic, and is updated over time:

  • Essential cookies: Always Active
    These items are required to enable basic website functionality.
  • Analytics: By choice
    These items help the website operator understand how its website performs, how visitors interact with the site, and whether there may be technical issues. This storage type usually doesn't collect information that identifies a visitor.

It is helpful to note that there are some initiatives on Privacy Shield 2 after the annulment of the first one by the European Court of Justice. The European Commission and the US Department of Commerce have been negotiating a new framework for EU-US data transfers since 2020. On 15 December 2021, the European Commission published a draft adequacy decision that endorses Privacy Shield 2.0 as a valid mechanism for ensuring adequate protection of personal data transferred from the EU to the US. The draft decision is subject to approval by EU member states and the European Data Protection Board before it can enter into force. Privacy Shield 2.0 aims to address the concerns raised by the CJEU in its Schrems II ruling, such as providing stronger safeguards against US government access to personal data, enhancing the role and independence of the Privacy Shield Ombudsperson, and strengthening the enforcement and oversight mechanisms. Desquared remains observant of all relevant progress and reserves its right to update this Policy as required.

External Links

In accordance with Desquared's Privacy Policy, the company's approach to external links is explicitly outlined, with an emphasis on the fact that Desquared bears no responsibility for the privacy practices employed by third-party websites. This is in line with the provisions outlined under Recital 26 of the General Data Protection Regulation (GDPR) and the guidelines provided by the European Data Protection Board (EDPB). For instance, Desquared may facilitate links, either directly or via its applications, to a news article hosted on a third-party website; however, the privacy practices governing said website do not fall under Desquared's Privacy Policy. In a manner akin to visiting an adjacent store within a shopping complex, users are subject to the rules and policies imposed by the respective establishment upon following an external link.

Changes to this Privacy Policy

Desquared reserves the right to revise its Privacy Policy periodically in order to reflect changes in its operational practices, the provision of services, or to address legal requirements. Such revisions may entail updating the Privacy Policy to incorporate details regarding a new service that necessitates the collection of additional personal data. In accordance with Article 12 of the GDPR and EDPB guidelines, any changes to the Privacy Policy are comparable to software updates, wherein enhancements and novel features are introduced to optimize user experience and rectify existing issues.

Complaints and Dispute Resolution

Desquared is committed to resolving any complaints or disputes that may arise in relation to its data processing activities and compliance with the GDPR. If a user believes that their data protection rights have been violated, they can lodge a complaint with Desquared or a supervisory authority. Desquared is steadfast in its commitment to address and resolve any grievances or disputes arising in connection with its data processing activities and compliance with the GDPR. In the event that a user deems their data protection rights to have been infringed upon, they have the option to file a complaint with Desquared or a supervisory authority, as stipulated in Articles 77 and 79 of the GDPR. The process of addressing complaints and disputes is analogous to mediation, in which an impartial party facilitates conflict resolution and the attainment of a mutually agreeable settlement.

Contact Information

As mandated by Article 13 of the GDPR, Desquared furnishes users with contact information, enabling them to pose queries, offer feedback, or exercise their rights as Data Subjects under the GDPR. To this end, users may reach out to Desquared's Data Protection Officer with requests for data erasure, as outlined in Article 17 of the GDPR at the following e-mail: example@email.com.

Athens, 13/9/2023
Version 2.0 of the Privacy Policy

For Desquared,
The CEO, i.e. Managing Director
The CTO
The DPO