Privacy Policy
The Company Envisions Hub, based in Heraklion, Crete, Industrial Area of Heraklion, Street 1, Building 66, with VAT number 801565926, and email: info@envisionshub.gr, strives to conduct its business activities in accordance with the principles of privacy, as we believe they demonstrate our unwavering commitment to ethical and responsible practices. We recognize that innovation and new technologies lead to continuous changes regarding risks, expectations, and legislation, and for this reason, we follow privacy accountability standards and aim for the timely adaptation of how we implement them in response to these changes.
This Policy sets out our standards for the management and protection of Personal Data from or on behalf of our Company, which originate, directly or indirectly, from any country in the European Economic Area (EEA) and Switzerland and are transferred to any other country, including transfers between EEA countries. It applies to our activities in every country, for every activity involving information about individuals that we carry out in each of our subsidiaries and each sector (including any successors to our business), including but not limited to research, production, commercial activities, corporate support, and data transfers necessary for the conduct of the above activities, including but not limited to:
Research and Production: initiation, management, and funding of research studies / evaluation and involvement of researchers, members of scientific and ethics committees, and partners to support research studies and the development of our products / recruitment for research studies / evaluation of the safety, effectiveness, and quality of our products under development and commercially available / fulfillment of our commitments regarding the safety and quality of our products, including the management and reporting of adverse effects and product quality complaints / submission of applications for approval and registration of our products with health regulatory authorities / compliance with applicable legal, regulatory, or ethical requirements.
Commercial activities: evaluation of markets concerning our products and services / advertising, marketing, sales, distribution, and delivery of our products / communication with our customers and other end users of our products / sponsorship and organization of events / evaluation and encouragement of our partners to support our commercial activities / compliance with applicable legal, regulatory, or ethical requirements.
Corporate support: recruitment, hiring, management, development, communication with, and compensation of employees / provision of benefits to employees and their eligible family members / conducting performance and talent evaluations of employees / providing training and other educational and developmental programs / conducting disciplinary procedures and handling employee complaints / managing concerns related to ethics and privacy and carrying out investigations / managing and securing our physical and virtual assets and infrastructure / procurement and payment for products and services / fulfilling our commitments regarding environment, health and safety, and corporate responsibility / communication with the media / and compliance with applicable legal, regulatory, or ethical requirements.
This Policy also applies to all individuals whose data we process, including but not limited to customers, applicants, current and former employees and their dependents, members of ethics committees, partners, investors and shareholders, government officials, and other stakeholders.
All Employees of the Company and members of Management have significant responsibilities regarding the protection of privacy, which they are obliged to observe.
We recognize that unintentional errors and misjudgments regarding data protection may create risks to the privacy of individuals as well as risks to the reputation, operations, compliance, and finances of our Company. Every employee of the Company, and other individuals who process data on behalf of our Company, are responsible for understanding and complying with their obligations under this Policy and applicable laws.
Our Values and Standards regarding Privacy
We uphold our values regarding privacy in everything we do that involves people, including how we apply privacy standards. The four privacy values include:
Respect
We recognize that concerns about privacy are often linked to fundamental questions of who we are, how we see the world, and how we define ourselves. Therefore, we strive hard to respect the perspectives and interests of individuals and communities, and to be fair and transparent in how we use and share information about them.
Trust
We recognize that trust is of vital importance to our success, and we therefore work hard to create and maintain the trust of our customers, employees, patients, and other stakeholders with regard to respecting and protecting the information that relates to them.
Prevention of Harm
We understand that the misuse of information relating to individuals may cause tangible and intangible harm to people, and we therefore strive to prevent physical, economic, reputational, or other types of harm related to privacy.
Compliance
We have learned that laws and regulations are always connected with the rapid developments of technology, data flows, and the related changes in privacy risks and expectations. Therefore, we work hard to comply with the spirit and the letter of privacy regulations and data protection laws in a way that demonstrates consistency and operational adequacy for our business activities on a global level.
1. We integrate our privacy standards into all our activities, processes, technologies, and relationships with third parties that use Personal Data. We design privacy controls into our processing and technologies that are consistent with our values and privacy standards as well as with applicable legislation. The privacy principles described below summarize the privacy standards and the basic requirements for processing, activities, and supporting technologies at a high level.
Privacy Principle – Our Key Commitments
1. Necessity Before the collection, use, or distribution of Personal Data, we determine and record the specific, lawful business purpose for which it is necessary.
2. Fairness We do not process Personal Data in ways that are unfair to the individuals to whom the data relate.
- We determine whether the proposed collection, use, or other form of processing of Personal Data poses a risk of substantial or unreasonable harm to individuals, in accordance with the Privacy Principle of Prevention of Harm.
- If the nature of the data, the types of individuals, or the activity involve an inherent risk of substantial or unreasonable harm to individuals, we ensure that the risk of harm does not outweigh the corresponding benefits to those individuals, consistent with our mission to save and improve lives.
- In cases where the risks are inversely proportional to the benefits for individuals, we process Sensitive or Personal Data only with the clear consent of the individuals or as required or permitted by applicable laws.
- We record our risk analysis and design the necessary mechanisms for obtaining and recording evidence of consent in supporting technologies.
3. Transparency We do not process Personal Data in ways or for purposes that are not transparent.
- All individuals whose Personal Data are processed under this Policy will have the right to a copy of this Policy. We will make this Policy available on the website at https://envisionshub.gr/. The Data Protection Officer will provide digital and/or physical copies of this Policy upon request at the addresses listed below.
- When Personal Data are collected directly from individuals, we inform them through a clear, noticeable, and easily accessible privacy notice or similar means, before collecting information, about (1) the corporate entity or entities responsible for processing, (2) the types of data to be collected, (3) the purposes for which they will be used, (4) with whom they will be shared, including possible requests for disclosure of Personal Data by lawful authorities or government bodies, (5) the retention period, (6) how individuals may ask questions, raise concerns, or exercise their rights regarding the data, and (7) the electronic link to this Policy, wherever possible and appropriate.
- When Personal Data are collected from other sources and not directly under our Company’s control, before acquiring the data, we verify in writing that the data provider has informed individuals about the purposes for which our Company intends to use the information. If written confirmation cannot be obtained, we use only anonymized data, or before using Personal Data, we notify the affected individuals through a privacy notice or similar means about (1) the corporate entity or entities responsible for processing, (2) the types of data to be collected, (3) the purposes for which they will be used, (4) with whom they will be shared, including possible requests for disclosure by lawful authorities or government bodies, (5) the retention period, (6) how individuals may ask questions, raise concerns, or exercise their rights, and (7) the electronic link to this Policy, wherever possible and appropriate.
- We ensure that the necessary level of transparency is integrated into supporting technologies, including features that support individual rights requests, audits of supporting technologies, and that third parties supporting the activity or processing have been informed.
4. Purpose Limitation We use Personal Data only in accordance with the principles of Necessity and Transparency.
- If new legitimate business purposes are identified for Personal Data already collected, we ensure that either the new purpose (including a substantially similar purpose) is compatible with the purpose previously described in a privacy notice or other transparency mechanism provided to the individual, or that consent is obtained from the individual for the new use of their Personal Data.
- We do not apply this principle to anonymized data or where we use Personal Data exclusively for historical and scientific research, and (1) an Ethics Review Committee, or another competent reviewer, has determined that the risk of such use for individual privacy or other rights is acceptable, and (2) applicable law is respected.
- We ensure that purpose limitation requirements are integrated into supporting technologies, including reporting and controlled distribution features.
5. Data Quality We keep Personal Data accurate, complete, up to date, and consistent with their intended use.
- We ensure that mechanisms for periodic data quality checks are integrated into supporting technologies to verify the accuracy of data against their source and downstream systems.
- We ensure that Sensitive Data are verified as accurate and current before any use, evaluation, analysis, reporting, or other processing that may carry the risk of unfairness to individuals if inaccurate or outdated data are used.
- When changes occur to Personal Data by our Company or by third parties working for our Company, we ensure that such changes are communicated promptly wherever reasonably possible.
6. Security We integrate safeguards to protect Personal Data and Sensitive Data from loss, misuse, unauthorized access, disclosure, or destruction.
We have implemented a comprehensive information security program and apply controls based on the sensitivity of the information and the level of risk of the activity, taking into account best practices of modern technology and the cost of implementation. Our operational security policies include, but are not limited to, business continuity and disaster recovery planning, identity and access management, information classification, incident management, access control, physical security, and risk management.
7. Data Transfers We are responsible for maintaining the security and privacy of Personal Data when they are transferred from or to other organizations or across country borders.
(1) We transfer Personal Data only if we permit them to be processed by third parties under the following conditions, and we are responsible for ensuring that third parties we cooperate with meet these conditions:
- If the role of the third party is to process Personal Data for or on behalf of our Company, before the third party receives the Personal Data, we: (1) complete a legal privacy review to assess the practices and risks related to that third party, (2) obtain guarantees through contracts that those third parties will process Personal Data in accordance with the Company’s instructions, this Policy, and applicable law, including all 8 Privacy Principles and other requirements, (3) inform the Company of any subcontracting arrangements, (4) include contractual safeguards to comply with the requirements of this Policy and applicable law, and (5) cooperate with the Company for any remedial actions. We reserve the right to conduct audits and enforce these practices during the processing period. If the third party processes Personal Data from a country with laws restricting cross-border data transfers, we ensure such transfers comply with legal requirements. Where our Company subsidiaries act as data processors, they will process data under this Policy and applicable law.
- If the role of the third party is to provide Personal Data to our Company, before we obtain Personal Data from that third party, we ensure conditions of Transparency are met, and we obtain guarantees through contracts that such provision of data does not violate any law or the rights of individuals.
- If the role of the third party is to receive data from our Company for processing not specifically supervised by our Company, before data are shared, we ensure that they are anonymized, and we obtain written guarantees from the third party that the data will only be used for the business purposes set out in the agreement and in compliance with applicable law, and that they will not attempt to re-identify the anonymized data.
(2) We transfer Personal Data across borders from or on behalf of our Company in accordance with this Policy. We will apply this Policy to cross-border transfers of Personal Data from any other country or jurisdiction with laws that restrict such transfers.
8. Legal Compliance We process Personal Data only if the requirements of applicable law are met.
- While the other 7 privacy principles, along with the requirements of Individual Rights described below, aim to ensure compliance with most privacy and data protection laws applicable in our industry worldwide, in certain countries additional requirements must be met, including but not limited to:
- Where required, we obtain specific forms of consent for the processing of certain Personal Data, including, but not limited to, approval from employee works councils or other labor unions.
- Where required, we register the processing of Personal Data with the applicable privacy or data protection authority.
- Where required, we further limit the retention period for Personal Data.
- Where required, we enter into agreements that include specific contractual clauses, including agreements for cross-border transfers of data to third parties.
- Where required, we disclose Personal Data upon lawful requests by public authorities, including for national security or law enforcement purposes.
- In case of conflict between this Policy and applicable law, the standard that provides greater protection to individuals shall prevail.
2. We will respond promptly to requests regarding individual rights of access, correction, modification, or deletion of Personal Data, and objections to the processing of Personal Data.
- Access, Correction, and Deletion Under Greek law, individuals have the right to access Personal Data concerning them, and to correct, modify, or delete Personal Data that are inaccurate, incomplete, or unnecessary. We will approve all requests from individuals for access, correction, modification, or deletion of Personal Data. If a request for access, correction, modification, or deletion is defined under applicable law that provides greater protection for individuals, we will ensure that any additional requirements of that law are also met.
- Choice In accordance with the privacy principles of “Respect” and “Trust,” we will approve individual requests to object to the processing of Personal Data, including, but not limited to, the choice to participate in programs or activities where individuals had previously agreed to participate, the processing of Personal Data for direct marketing communications directed to them, and any evaluation or decision-making regarding them, which may significantly affect them, carried out through the use of algorithms or automation.
- Except where prohibited by law, we may deny a request where specific circumstances may limit the Company’s ability to: (1) comply with law or an ethical obligation, including where we are required to disclose Personal Data in response to lawful requests from public authorities, subject to conditions from national security or law enforcement authorities, (2) investigate, defend, or exercise legal claims, and (3) perform contracts, manage relationships, or pursue other legitimate business activities consistent with the Transparency principles and the stated purpose for which the data were collected. Within fourteen (14) business days of any such denial of a choice request under this Policy, the decision and the reason for denial will be recorded and communicated to the individual.
3. We will respond promptly and escalate all questions concerning privacy, complaints, or any suspected Privacy or Security Breach.
- Any individual whose Personal Data are processed under this Policy may submit questions or complaints regarding the processing of their data, including a request for a list of the Company’s subsidiaries processing data on its behalf. Employees and individuals working for or on behalf of the Company are also encouraged to submit concerns about compliance with this Policy. Such questions or concerns, whether raised by an individual, an employee, or a third party working on behalf of the Company, must be addressed to the Company’s Data Protection Officer.
- by email: info@envisionshub.gr
- by post: Industrial Area of Heraklion, Street 1, Building 66.
- Employees and contractors are obliged to promptly inform the Data Protection Officer of their division of any questions, complaints, or concerns regarding the Company’s privacy practices.
- The Data Protection Officer will review and investigate, and will cooperate with the Legal Department to handle all questions, complaints, or concerns relating to the Company’s privacy practices, whether raised directly by employees or by third parties, including but not limited to regulatory authorities, compliance officers, or other governmental bodies. We will respond to the individual or entity that raised the question, complaint, or concern within thirty (30) and no later than sixty (60) calendar days unless applicable law or the requesting party requires a shorter period based on circumstances such as a parallel government investigation. In such a case, the individual or third party will be notified in writing as soon as possible of the general nature of the circumstances causing the delay.
- For complaints that cannot be resolved between our Company and the individual who raised the complaint, our Company has agreed to participate in the following dispute resolution processes for the handling and resolution of complaints relating to this Policy.
- However, at any time, individuals residing in the EEA, or individuals whose Personal Data are subject to the data protection laws of the EEA and transferred outside the EEA, and whose data are processed in relation to this Policy, have the right, under this Policy, to enforce its requirements as third-party beneficiaries, including the right to initiate legal action for compensation for violations of rights under this Policy and the right to compensation for damages resulting from such violations. Individuals residing in the EEA or individuals whose Personal Data are subject to the data protection laws of the EEA and transferred outside the EEA (for example, to the United States), may exercise such rights under this Policy by bringing claims:
- before the data protection authority of the EEA country from which the Personal Data were transferred, or
- before Greek courts or the Hellenic Data Protection Authority.
- Our Company will respond to the individual or entity that raised the question, complaint, or concern within thirty (30) and no later than sixty (60) calendar days unless applicable law or the requesting party requires a shorter response time. In such a case, the individual or third party will be notified in writing.
Terms You Should Know
- Anonymization – The alteration, removal, elimination, or other restriction or transformation of Personal Data so that their use for identification, location, or communication with the individual becomes impossible.
- Legislation – All laws, rules, regulations, and orders that are in effect in any country where the Company operates, in which Personal Data are processed by or on behalf of the Company.
- Our Company – The company Envisions Hub, its subsidiaries, excluding joint ventures in which the Company participates.
- Personal Data – All data relating to an identified or identifiable individual, including data that identify the person or could be used to identify, locate, track, or communicate with them. Personal Data also include direct identifiers such as name, identification number, unique job title, and indirect identifiers such as date of birth, unique mobile or landline telephone number, and coded data.
- Privacy Breach – The violation of this Policy or a privacy law or data protection law, including a Security Breach. The determination of whether a Privacy Breach has occurred and whether it has a physical form will be made by the Data Protection Officer and the Legal/Compliance Department.
- Processing – The execution of any operation or set of operations on data relating to individuals, with or without automated means, including, but not limited to, collection, recording, organization, storage, access, adaptation, alteration, consultation, use, evaluation, analysis, reporting, disclosure, dissemination, transmission, distribution, alignment, combination, blocking, deletion, or destruction.
- Security Breach – Access by an unauthorized individual to Personal Data or disclosure to an unauthorized person, or any other use of Personal Data inconsistent with this Policy. Access to or disclosure of Personal Data by the Company or on its behalf without the intention to violate this Policy does not constitute a Security Breach, provided that the Personal Data are processed consistently with this Policy.
- Sensitive Data – Any type of data relating to individuals that carries an inherent risk of potential harm, including data defined by law as sensitive, but not limited to data relating to health, genetics, race, ethnicity, religion, political or philosophical beliefs, criminal records, precise geolocation data, financial account numbers, identification numbers issued by the state, minors, sexual life, union membership, insurance, social security, and other employment or government benefits.
- Third Party – Any legal entity, organization, or person not belonging to our Company and for which our Company has no controlling interest, or that does not work for our Company. Unless expressly stated in this Policy, no subsidiary or division of our Company is required to fulfill the obligations of a third party under this Policy, as all subsidiaries and divisions are required to process data relating to individuals in accordance with this Policy, including cases where one subsidiary of our Company supports one or more other subsidiaries of our Company in processing.
Changes to this Policy
This Policy may be revised periodically, in accordance with the requirements of applicable legislation. Whenever this Policy is materially changed, a notice will be posted on our Company’s website for 60 days.
Effective Date: 1/8/25