Data Protection Policy ICAP Outsourcing S.A.
“ICAP Outsourcing S.A..”, Kallithea, Eleftheriou Venizelou Ave. number 2, 17676, with VAT number  (Gen. Com. Reg. No. )
Last Amended on 21.01.2019
1. Field of Scope
This privacy notice lays out the manner in which ICAP Outsourcing S.A. (hereinafter referred to as “ICAP”) collects, uses, processes, stores, manages, and protects the individuals’ personal data (hereinafter referred to as “Personal Data”), so as to meet the data protection standards of the company and comply with the applicable law.
ICAP provides services in the field of Inbound and Outbound calls and establishes call centers on behalf of any client or business. In particular an outbound call center is one in which call center agents make outbound calls to customers on behalf of a business or client. An inbound call is one that a customer initiates to a call center or contact center of ICAP’s customer. Call centers established by ICAP may handle either inbound or outbound calls exclusively or might deal with a combination of the two, according to the contract, signed between ICAP and each particular Client.
The company's activities include, but are not limited to, the following purposes: (a) The provision of telephone services third parties by creating a call center center to receive incoming calls and making outgoing calls, (b) The provision of services for the promotion and services and products of third parties or themselves, either through telephone or other means of communication, (c) The provision of business advisory services to sales promotion, and design and organization of call centers, (d) conducting market research for products and third party services, excluding television market, (e) The provision of administrative and technical support to private or public third parties as well as the undertaking of projects with similar context according on the instructions of τhe Client.
(i) pertaining to Client and User data obtained during the use of the Services,
(ii) pertaining to visitors and users or clients of ICAP’s website (hereinafter called “Website”).
This policy shall not apply to information collected through any other website, services, products, platforms or for practices of companies that we do not control. We are not responsible for any personal data protection practices pertaining to websites, services, products, platforms of other companies.
2. Categories & Types of Collected Data
Taking into consideration all the above, it is necessary to clarify that ICAP Outsourcing SA in most instances, collects, uses, processes, stores, manages data provided by ICAP’s clients themselves such as customers, suppliers or third parties’ data - which may contain personal data (who may refer to individuals or companies) - within the framework of provision of our services. Such data in most instances has been collected by ICAP’s clients and are related to data of their customers. However, ICAP may collect customer’s data on behalf of its Clients directly from any data subject. ICAP shall operate then as the “Processor” of the personal data, which are included in the said business data. Consequently, in those cases different provisions of the GDPR 679/2016 shall apply, with which we comply. So in these cases that ICAP collects on behalf of his client the following categories of data.
Data Collected By Icap By Its Capacity As Data Processor:
In these cases, ICAP undertakes on behalf of its clients to make and to receive telephone calls according to the instructions of the individual client, as they are imprinted in the relevant contract signed between ICAP and the client. In the context of executing the specific contract, ICAP usually collects on behalf of its clients the following categories of data:
- Communication Data that includes any communication that any individual or legal entity send to ICAP whether that be through the contact form on our website, through email or especially via telephone calls. It should be mentioned that in most instances the phone calls are recorded via relevant software. This software usually belongs to the ICAP, but in some cases it may be software that belongs to the client itself. If the software belongs to the client, ICAP’s employees have access through the use of passwords. Furthermore, in any case that calls are not being recorded ICAP’s personnel entries to the software data for each (inbound or outbound) call regarding its content.
- Customer Data that includes data relating to any purchases of goods and/or services that ICAP has undertake the responsibility to communicate to customers on behalf of ICAP’s clients. Customer data usually includes informations such as customer’s name, title, billing address, delivery address email address, phone number, contact details, purchase details, tax number, card details, identity card number, nationality
- Marketing Data that includes data about how customers use our website and any online services and especially data about your preferences in receiving marketing from us on behalf of our Clients/Users and your communication preferences.
Data Collected By Icap By Its Capacity As Data Controller:
- Client’s data: this category of data may include data relating to businesses, legal entities and individuals that want to or already use the Inbound/Outbound services provided by ICAP, such as client’s name, title, billing address, delivery address email address, phone number, contact details, purchase details, tax number, card details, identity card number, the collection, management, and provision of commercial and economic information (business information) etc.
- Website visitors or user data: IP Address, contact details and full name, e-mail (via contact form on website)
Declaration Regarding The Processing of Personal Data By ICAP (by its capacity as Data Controller and Processor - in accordance with the General Data Protection Regulation EU 679/2016)
Why will you process my Personal Data (PD)?
ICAP provides products and services containing commercial and financial information about legal entities and individuals on the basis of its statutory purpose, such as described in detail above and in paragraph 1. Their contents vary depending on the type and purpose of the provided service of ICAP.
The lawful basis of the data processing is ICAP’s is the performance and execution of the contract.
Information automatically collected when visiting and interacting in the Website: We inform you that your personal data and information that are collected and processed when you manage your account in the Website, are appropriate to the purpose for which they are collected and are required for the processing of your inquiries, applications and the use of ICAP Services.
In particular, when visiting and interacting with the Website, certain information may be automatically collected, such as:
• your computer’s Internet protocol address (ΙΡ)
In addition certain information regarding the contact particulars of an interested party (user or visitor) may be obtained through the contact form embedded on the Website.
In this instance the legal basis for the data processing, is the consent of the Data Subject.
ICAP does not manage, collect or process geolocation data, which are collected and processed exclusively by the companies providing operating systems for each device you use (in case of use of iOS-Apple Inc or in case of android - Google Inc). ICAP does not have access to the positioning refresh rate of GPS.
3. Data Collection Points
1. Users/visitors - A, B
2. Corporate Customers of Users/Clients - A, B, C
3. Website (contact form, cookies) - B
4. Transfer of Data to Third Parties
ICAP reserves the right to disclose your personal data to any member of its affiliate/subsidiary companies (parent company and its subsidiaries) or other third parties to the extent it is reasonably necessary for the purposes determined in this notice and in particular:
- Client and user/visitor data will be transferred to the departments of ICAP that are competent for the smooth and trouble-free operation of the Website services and functions
- Your data may be transmitted and become accessible by legal entities with which, we have entered from time to time into contractual agreements for the purpose of fulfilling our company’s commitment under any signed contract with any Client/User (provision of inbound and outbound call services and related services) in a correct and within our contractual terms framework. Given that ICAP acts as data processor in these instances, the data subjects are encouraged to review the privacy notices of each respective Client under whose instructions ICAP operates
- Client and user/visitor data may be disclosed to cloud hosting providers for the purpose of storing and safeguarding the data with the appropriate technical and security measures.
- Client and user/visitor data may be transmitted, become accessible and processed by subsidiaries of our group within the European union, which apply the appropriate technical, physical and administrative security measures for the protection of the data from loss, misuse, damage, alteration, unauthorised access and disclosure, as provided by article 32 of the GDPR 679/2016.
- During all data transfers, we always take all appropriate measures so as to ensure that the transmitted data are the minimum required for the intended processing purpose and that the conditions for legitimate and lawful processing will always be met
- ICAP servers are hosted at IBM’s data centre (hosting provider) located in Athens. You may find more information on IBM’s privacy notice in the following link: https://www.ibm.com/privacy/details/us/en/#section_
5. Personal Data Retention Period
The data retention period depends on the lawful basis of processing, as set out in detail below:
- In case the lawful basis for processing is the exercise of legitimate interest, the processing of personal data is carried out for as long as it is considered necessary for the achievement of the intended statutory purpose of ICAP described in paragraph 1 above, and until such time the limitation period of any related claims has expired.
- In case the lawful basis for processing is the performance of the contract, we shall retain your data for as long as you retain the contractual relationship with ICAP in hard copy and in electronic form or we shall retain them for as long as it is required until the limitation period of any related claims expires.
- In case the the lawful basis for processing is the explicit consent of the data subject (such in the case of the Websites contact form), we shall retain those data until the granted consent by the data subject has been withdrawn unless specific legislation in effect allows us or ordains to retain the data.
- As regards the retention time of call recordings, it should be mentioned that ICAP usually deletes them after the period of 60 days. However, this also depends by the obligations described in the contract between ICAP and each Client/User, since it may be predicted a different retention period that responds better to the to the purposes and activities of the Client/User. In any case each customer is properly informed during the telephone communication about the recording and retention period of the recordings (according to ICAP’s contract obligations and the instructions of each Client/User)
6. Legitimate Interest - Statutory Purpose - Lawful Basis for Data Processing
Data processing is necessary for the purposes of the legitimate interests pursued by the ICAP Outsourcing S.A. ICAP Outsourcing Solutions’ statutory purpose described in detail at the first paragraph of this document.
Within this framework, ICAP collects, manages and provides the categories of data, that described in detail above in paragraph 1 for the performance of the contracts with corporate clients. ICAP processes and stores the said data within the E.U.
7. Rights of the Data Subjects
You may exercise, as the case may be, the rights deriving from the applicable Greek Legislation and the General Data Protection Regulation (Regulation (EU) 2016/679) which are as follows: (a. the right of information (article 13), b. the right of access (article 15), c. the right to rectification (article 16), d. the right to erasure “right to be forgotten” (article 17), e. the right to restriction of processing (article 18), f. the right to data portability (to receive your personal data in a structured and commonly used format - article 20 where applicable) and g. the right to object (article 21) which applies to certain data processing activities
- These rights can be exercised only in cases where ICAP acts as Data Controller and in particular when ICAP (i) processes the personal data of clients/visitors during the use of its Website (contact form and cookies) (ii) pertaining to Client data obtained during the use of the Services
- This Privacy Notice does not apply to personal data mentioned on business documents that our customers transmit to our systems when using our Services
- These rights shall be exercised free of charge for you by sending a relevant letter to the Data Protection Officer (DPO) of ICAP: Eleftheriou Venizelou Street, number 2, Kallithea, PC 17676, Athens, or via e-mail to firstname.lastname@example.org@icap.grIn case however the aforementioned rights are exercised excessively and without good cause thus causing us administrative burden, we may charge you with the cost related to the exercise of the respective right.
- In case you exercise any of your rights, we will take all appropriate measures available for the satisfaction of your request within thirty (30) days following the receipt of the relevant request. We may either inform you on the acceptance of your request or on any objective grounds that hinder the processing of your request.
- Notwithstanding the above, you may at any time object to the processing of your Personal Data, by withdrawing your consent (article 7, par. 3 of the GDPR 679/2016) by sending a letter to the Data Protection Officer (DPO) of ICAP: Eleftheriou Venizelou Street, number 2, Kallithea, PC 17676, Athens, or via e-mail to email@example.com@icap.grThis right applies onlyin cases where the lawful basis for the data processing is the consent of the Data Subject.
8. Data Processing by ICAP
ICAP in most instances, collects, uses, processes, stores, manages data provided by ICAP’s clients themselves such as customers, suppliers or third parties’ data - which may contain personal data (who may refer to individuals or companies) - within the framework of provision of our services. Such data in most instances has been collected by ICAP’s clients and are related to data of their customers. However, ICAP may collect customer’s data on behalf of its Client directly from any data subject. ICAP shall operate then as the “Processor” of the personal data, which are included in the said business data. Consequently, in those cases different provisions of the GDPR 679/2016 shall apply, with which we comply.
Additionally, ICAP applies throughout the data processing procedure, the appropriate technical, physical, and administrative security measures for the protection and security of the personal data from loss, misuse, damage or modification, unauthorised access and disclosure, in compliance with article 32 of the GDPR 679/2016, in order to ensure the appropriate security level against those risks. Those include, among others, as the case may be: a) application of encryption protocols b) the ability to ensure confidentiality (article 90 GDPR 679/2016), the integrity, availability, and resilience of processing systems and services on an ongoing basis, c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Moreover, ICAP shall take measures so as to ensure that any physical person acting under the authority of the data controller or of the processor, who has access to personal data, shall not process those data except on instructions from the data controller and limits access to your personal information to authorised employees.
Indicative security measures applied by ICAP are as follows:
- ICAP maintains a dedicated information security team that plans, implements and provides surveillance of our information security program
- The company controls the security and functionality of its products and services before they are introduced to the Internet, for any vulnerabilities in technology
- ICAP maintains a (High Availability Cluster Infrastructure)
- The company performs ongoing infrastructure checks to detect weaknesses and potential intrusions, vulnerabilities in systems etc.
9. Submission of Complaint - Appeal
- For any issue regarding the processing of your personal data, you may contact us via e-mail at firstname.lastname@example.org
- Moreover, you shall always be entitled to contact the Hellenic Data Protection Authority, which may accept the submission of relevant complaints in writing at its protocol in its offices at 1-3, Kifisias Street, Postal Code 115 23, Athens or by e-mail (email@example.com) in accordance with the instructions indicated on its website.
This policy may be renewed from time to time, due to amendments to the related legislation or change to the corporate structure of ICAP. Thereby, we encourage the Clients/Users to periodically visit this site so as to be informed regarding recent information of privacy practices. In any case, the Clients/ Users may be informed by e-mail or a notice in our Website regarding any amendments to this policy.