Personal Data Protection Policy
[EU 2016/679 - GDPR]

The company Delphic Air (the "Company") informs you, pursuant to Regulation (EU) 2016/679, Law 4624/2019 and the other provisions of the relevant Greek and European legislation on personal data protection, in its capacity as a controller, that it processes your personal data collected either by signing a contract for the provision of services or later, including those that will arise from the conclusion and operation of the contract (s) with the Company, or in the context of general relations and collaborations with the Company, in accordance with the following. This information indicatively concerns: active, candidate and former customers of the company, suppliers and associates of the Company, third parties related to them (proxies, representatives, employees, etc.) and the employees of the Company including the sub-candidates. (Where "Customer" is mentioned, it applies to all of the above). This information may be supplemented by more specific updates on a case-by-case basis, such as in particular cases of cookies, special categories of data, data collected through the website, video systems etc. or be part of a contract.

1. Introduction

1.1 General Regulation 2016/679 (GDPR), hereafter referred as "Regulation", was adopted in order to avoid disputes between Member States over personal data protection laws and to reform the way organizations approach personal data. The Regulation strengthens the fundamental rights of Europeans to their personal data and controls controllers and processors when they are liable for a breach of the GPDR.

1.2 The Regulation is immediately applicable in all EU Member States from 25 May 2018. It replaces Directive 95/46 / EC concerning data protection, which was adopted in Greece by Law 2472/1997.

1.3 The Regulation applies to all data subjects (individuals) within the EU, but also applies to organizations outside the EU, as long as they monitor or process personal data during their transactions.

1.4 The purpose of this Policy is the lawful processing and protection of personal data of the subjects processed by the COMPANY. This policy aims to protect the rights and freedoms of subjects.

1.5 This policy applies to any processing of personal data performed by the COMPANY.

2. Policy Description

2.1 THE COMPANY is committed to comply with all relevant EU and Greek laws and decisions of the Personal Data Protection Authority, concerning personal data and the protection of the rights and freedoms of subjects in accordance with the Regulation .

2.2 The COMPANY has developed and implements the Data Protection Policy as well as any other necessary policies and procedures regarding the processing and protection of personal data.

2.3 The Privacy Policy applies to any processing of personal data by the COMPANY, including the personal data of customers, em-ployees, suppliers, associates and any other natural person whose data is processed by the COMPANY.

2.4 The COMPANY will notify the Data Protection Officer (DPO) of any changes to the data processing purposes and the DPO shall reflect these changes in this policy.

2.5 Any violation of personal data that affects the subjects will be reported as soon as possible to the Personal Data Protection Authority (“DPA”)

2.6 The COMPANY sets the objectives for data protection. 2.7 Affiliates and any third parties which cooperate with or act on behalf of the COMPANY and have access to personal data must read, understand and fully comply with this policy. No third party may have access to personal data processed by the COMPANY without the signing of the cooperation agreement and / or confidentiality agreement.

2.8 THE COMPANY has adopted Information and information systems protection policy that the employees implement on the prem-ises or for the purposes of the work or have been provided to them by the COMPANY. This regulation has been notified to employees.

3. Roles and Responsibilities

3.1 The COMPANY is, according to the Regulation, is a Controller.

3.2 The COMPANY is responsible for its compliance with the Regulation.

3.3 Compliance with data protection legislation is the responsibility of all employees who process personal data.

3.4 The Training Policy of the COMPANY determines the necessary directions for the training and sensitization of the employees for the processing and protection of the personal data.

3.5 The necessary roles and responsibilities have been defined. More specifically:

3.5.1 The Management: · Ratifies privacy policy and security policy. · Approves the mechanisms of compliance with the Regulation (GDPR). · Announces to employees, customers and associates the importance of personal data protection and its active support in complying with the new regulation (sending e-mail or announcement on the website).

3.5.2 The Data Protection Officer: · Reports to the Administration the issues concerning processing and protection of personal data. · Informs and advises the COMPANY on the processing and the employees who are in charge of processing of their ob-ligations as those are described in the Regulation and other EU and Greek legislative provisions on data protection. · Acts as a contact person and cooperates with the DPA on issues related to the data processing. · DPO’s contact details had been announced to the DPA.

3.5.3 The Directors and Chiefs: · Monitor the compliance of their subordinates with this policy.

3.5.4 The Senior System Engineer: · Implements and manages the technical mechanisms of compliance and protection of personal data in the daily operations of the systems.

3.5.5 The Human Resources Manager: · Implements the procedures of compliance and protection of human resources. · Implements the appropriate training and awareness program for staff.

3.5.7 Employees: · They are responsible for ensuring the accuracy and update of any personal data received by the COMPANY.

4. Basic Principles of Personal Data Processing The processing of personal data is carried out in accordance with the data protection principles set out in the Regulation.

4.1 Personal data shall be processed lawfully and in a transparent manner in relation to the data subject ("legality, objectivity and transparency”). 4.1.1 The COMPANY determines the legality of the processing before the processing of personal data. 4.1.2 The Regulation contains rules according to which the subjects are to be informed of their data being processed in a comprehensible form and in plain language.

4.2 Personal data will be collected for specified, explicit and legitimate purposes and will not be further processed in a manner in-compatible with those purposes; 4.2.1 The data obtained for specified purposes will not be used for purposes other than those for which they were originally collected.

4.3 The data is appropriate, relevant and limited to what is necessary for the purposes it is processed (“data minimization"). 4.3.1 The COMPANY collects the absolutely necessary information for the purpose of processing. 4.3.2 All data collection forms (electronic or written) must include information on the processing of personal data and must be approved by the Data Protection Officer. 4.3.3 The COMPANY ensures that on an annual basis all procedures as well as data collection methods are reviewed to ensure that the collected data is still sufficient, relevant and not excessive.

4.4 All reasonable steps will be taken to promptly delete or correct personal data which is inaccurate in relation to the purposes of the processing ("accuracy");

4.4.1 The stored data is reviewed annually by the data controller and modified as required. Inaccurate data should not be kept.

4.4.2 The COMPANY is responsible for the training of its staff regarding the importance of data accuracy in their collection and management.

4.4.3 It is the responsibility of the data subject (employee, customer, associate) to ensure that the data held by the COMPANY is accurate and up to date. Completing a registration or application form by a data subject will include a statement that the data contained in it is accurate at the date of submission.

4.4.4 The subjects will inform the COMPANY for any changes in their personal data so that it is possible to update the respective files. The DPO will provide them the necessary instructions on data modification.

4.4.5 Once a year, the DPO reviews the retention dates of the personal data being processed and identifies any data that is no longer required in the context of the purpose of the processing. Such data is to be securely deleted / destroyed.

4.4.6 The DPO is responsible for responding to requests for modification of personal data by data subjects within one month. This period of response can be extended to two additional months in case of complex requests. If the COMPANY decides not to modify the data, the data protection officer should justify to the subject the decision of the COMPANY and inform him/her of his right to file a complaint to the DPA.

4.5 The data shall be kept in a form which allows the identification of data subjects only for the period required to fulfill the purposes of the processing of personal data.

4.5.1 When personal data is retained beyond the date of processing, it will be anonymized or destroyed in order to protect the identity of the person to whom the data relates.

4.5.2 Personal data will be retained in accordance with the Record Keeping Procedure and, once its retention date has expired, should be securely destroyed.

4.5.3 The DPO will specifically approve any retention of data beyond their retention periods and must ensure that the justi-fication is clearly defined and in accordance with the requirements of the relevant legislation. This approval must be recorded.

4.6 Data shall be processed in such a way as to guarantee the appropriate security of personal data, including its protection against unauthorized or unlawful processing and accidental loss, destruction or deterioration, using appropriate technical or organizational measures (“integrity, availability and confidentiality”).

4.6.1 The IT Manager (Senior System Engineer) makes a risk assessment taking into account all the processing activities of the COMPANY. In order to determine the appropriate mechanisms, it also examines the extent of potential damage or loss that may be caused to individuals (eg staff or customers) in the event of a breach of security, as well as any damage to reputation, including potential loss of customer trust.

4.7 The Controller bears the responsibility and is able to prove the compliance of the COMPANY with the Regulation (“accountabil-ity”).

4.7.1 The COMPANY bears the burden of proof of its compliance with the Regulation, establishing the appropriate policies, technical and organizational measures, as well as adopting appropriate techniques (security incidents’ management procedures, responding to requests, etc.)

5. Rights of subjects.

5.1 Data subjects have the following rights regarding the processing of their personal data:

5.1.1 Right to information. Information to be provided to the data subject (eg identity of the controller, purposes and legal basis of the processing, etc.)

5.1.2 Right of access. I.e to receive confirmation for the processing or not of the personal data concerning the subject. If it has been processed, subjects can exercise the right of access to such data.

5.1.3 Right to data correction. The right of the subject to demand the correction of its inaccurate personal data or the com-pletion of its incomplete personal data.

5.1.4 Right to oblivion. Right of the subject to request the deletion of its personal data concerning for the reasons stated in the Regulation.

5.1.5 Right to restrict processing. The subject may request the restriction of the processing when one of the restrictively mentioned in the Regulation reasons is valid.

5.1.6 Right to data portability. The right of the subject to collect its personal data, which was provided to a controller and to transfer the said data to another controller.

5.1.7 Right of objection. The right of the subject to access administrative and judicial proceedings in order to either challenge unlawful proceedings or to claim remuneration for the damage suffered.

5.1.8 Right of objection in profiling cases. Right of the subject to challenge illegal processing in profiling cases.

5.2 THE COMPANY ensures that data subjects can exercise the above rights.

5.2.1 The COMPANY has adopted a special form for the exercise of the rights by the data subject.

5.2.2 The COMPANY has developed the process of managing the requests of the subjects.

5.2.3 The COMPANY has appointed a Data Protection Officer (DPO) and has communicated his contact details to the Personal Data Protection Authority. For any request, complaint, etc. regarding personal data, the data subject can contact the DPO at

6. Consent

6.1 When the processing is based on consent, the COMPANY is able to prove that the data subject has has agreed to the processing of its personal data.

6.2 If the consent of the data subject is provided in the context of a written statement relating to other matters, the request for consent shall be made in such a way that it is clearly distinguishable from other matters, in a comprehensible and easily accessible form, using clear and simple words.

6.3 The data subject has the right to revoke his consent at any time. Withdrawal of consent shall not affect the lawfulness of the data processing that was based on the consent prior to its withdrawal.

6.4 The withdrawal of consent is submitted to the DPO in accordance with the provisions of 5.2.3 for the submission of a request of the subject.

7. Personal Data Security Taking into account the latest developments, the cost of implementation and the nature, scope and purposes of the processing, as well as the potential risks and seriousness of the processing for the rights and freedoms of individuals, the COMPANY applies appropriate technical and organizational measures to ensure an adequate level of risk security. Particularly :

7.1. The Company has recorded the processing activities in the Processing Activity Archive.

7.2. The Company establishes appropriate technical and organizational measures for the protection of personal data and risk man-agement including technologies, antivirus protection, firewall systems, default protection and design.

8. Data Confidentiality

8.1 The COMPANY ensures that personal data is not disclosed to unauthorized persons, including family members, friends, etc. All employees of the COMPANY must be careful when they are called to disclose personal data processed by the COMPANY to third parties and / or when they are called to identify the subject. The Company's employees attend special training that allows them to effectively deal with the risks that may be caused by such requests. The employees of the COMPANY should bear in mind that the disclosure of the information must only be relevant to and necessary for the conduct of the activities of the COMPANY.

8.2. The COMPANY signs confidentiality agreements with its associates and staff in case they are informed of personal data of Company’s customers, employees or other natural persons, whose data is held by the COMPANY in the capacity of "data processor".

9. Preservation of personal data and transmission to third parties.

9.1 The COMPANY does not keep personal data in a form that allows the identification of data subjects for a longer period of time than is necessary, in relation to the purpose (s) for which they were originally collected.

9.2 THE COMPANY may store personal data for a longer period of time than it is necessary for the purpose of the personal data archiving, in order to protect the public interests, for scientific or historical research or for statistical purposes. In such cases the Company will apply appropriate technical and organizational measures to safeguard the data subject 's rights and freedoms.

9.3 The COMPANY retains the personal data of the subjects throughout the duration of the cooperation and until the expiration of the general statute of limitation period (20 years). In case of candidates (partners, customers) the data will be kept for 5 years. The COMPANY maintains CVs of prospective employees for the period of 12 months.

9.4 After 5 years, the COMPANY may decide to maintain the above data in electronic form.

9.5. The COMPANY does not transmit personal data that it processes to third parties, unless it is obliged to do so by law or court decision or in order to protect its legal interests and rights. Exceptionally, the personal data of the employees may be transferred to associates-accountants of the COMPANY within the framework of their responsibilities and for the purpose of the sound operation of the COMPANY. It can also be transferred to the company's legal counsels for specific purposes.

9.6 The COMPANY does not transmit personal data outside the EU.

10. Management of Personal Data Violation Cases

10.1 In case of breach of personal data, the DPO shall notify the DPA immediately, if possible, and in any case within 72 hours from the moment it becomes aware of the breach, unless the breach of personal data does not endanger the rights and freedoms of individuals. If the notification to the DPA is not made within 72 hours, the delay should be justified.

10.1.1 The management of security incidents as well as the notification of the breach of personal data are described in the Security Incident Management and Claims Management Procedure.

11. Data processors.

11.1 The COMPANY uses only the data processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures, in such a way that the processing meets the requirements of the Regulation and ensures the protection of the rights of the data subjects.

11.1.1 The processing performed by the data processor is governed by a contract or other legal act subject to the EU laws or the Greek legislation. Such contract binds the data processor in relation to the COMPANY and determines its object and duration the nature and purpose of the processing, the type of personal data and the categories of data subjects.

11.2 The processor does not engage another processor without the prior specific or general written permission of the COMPANY.

11.3 The data processor and any person acting under the supervision of the controller or of the processor who has access to personal data, may only process such data at the request of the controller, unless the EU or or of the Member State's legislation provides oth-erwise

12. Use of personal data.

Personal data may be collected for future communication with the customer, supplier, employee. It may also be kept for future com-munications, personalized and not, regarding the news of the Company, but also to safeguard the legal interests of the subjects and the Company (use of security camera etc.)

13. Storage period.

The personal data is kept for a period of time stipulated by the relevant legal provisions in accordance with the clause 9.

14. Amendments to the Personal Data Protection Policy. The COMPANY updates the Personal Data Protection Policy on a regular basis and at least once a year so that it is always in accord-ance with EU Regulations and Greek legislation.

15. Definitions.

"data subject": Any natural person whose personal data is processed by the COMPANY.

"personal data”: any information related to an identified or identifiable natural person ("data subject"); identifiable person is a person whose identity can be identified based, directly or indirectly, on such factors as name, ID number, position data, personal ID’s bar code or one or more factors that characterize the physical, physiological, genetic, psychological, economic, cultural or social identity of natural person

“special categories of personal data”: racial or ethnic origin, political views, religious or philosophical beliefs or trade union mem-bership, as well as the processing of genetic, biometric data for the purpose of natural person life or sexual orientation.

"processing" means any operation or series of operations carried out, with or without the use of automated means, in personal data or in personal data sets.

"profiling" means any form of automated processing of personal data consisting of the use of personal data for the evaluation of certain personal aspects of a natural person, in particular for the analysis or prediction of aspects of performance at work; the financial situation, health, personal preferences, interests, credibility, conduct, position or movements of that natural person

"controller" means a natural or legal person, public authority, service or other entity which, alone or in conjunction with others, determines the purposes and manner of personal data processing;

“data processor" means a natural or legal person, public authority, department or other body which processes personal data on behalf of the controller;

"recipient" means the natural or legal person, public authority, service or other entity to which personal data are disclosed, whether third party or not.

"consent" of the data subject is any indication of will, i.e declaration or clear positive action, expressed freely, specifically, expressly and in full awareness, by which the data subject expresses his/her consent to the processing of his/her personal data

"breach of personal data" means a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.