Data Protection Policy ICAP Outsourcing S.A.
“ICAP Outsourcing S.A..”, Kallithea, Eleftheriou Venizelou Ave. number 2, 17676, with VAT number  (Gen. Com. Reg. No. )
Last Amended on 2019.12.03
1. Field of Scope
This privacy notice lays out the manner in which ICAP Outsourcing S.A. (hereinafter referred to as “ICAP”) collects, uses, processes, stores, manages, and protects the individuals’ personal data (hereinafter referred to as “Personal Data”), so as to meet the data protection standards of the company and comply with the applicable law.
ICAP provides services in the field of Inbound and Outbound calls and establishes call centers on behalf of any client or business. In particular an outbound call center is one in which call center agents make outbound calls to customers on behalf of a business or client. An inbound call is one that a customer initiates to a call center or contact center of ICAP’s customers. Call centers established by ICAP may handle either inbound or outbound calls exclusively or might deal with a combination of the two, according to the contract, signed between ICAP and each particular Client. In addition, ICAP provides employee payroll services as well as Business Process Outsourcing solutions and services to legal entities.
The company's activities include, but are not limited to, the following purposes: (a) The provision of telephone services third parties by creating a call center to receive incoming calls and making outgoing calls, (b) The provision of services for the promotion and services and products of third parties or themselves, either through telephone or other means of communication, (c) The provision of business advisory services to sales promotion, and design and organization of call centers, (d) conducting market research for products and third party services, excluding television market, (e) The provision of administrative and technical support to private or public third parties as well as the undertaking of projects with similar context according to the instructions of the Client (f) The provision of services (including but not limited to Outsourcing Services, Recruitment Process Outsourcing (RPO), Payroll Services, Staffing Solutions, Business Process Outsourcing) where such data is collected directly by the individuals (g) The personal data processing that pertains to candidate employee or employment data, academic and payroll data collected through third party recruitment platforms, ICAP’s network or existing Clients (h) The personal data processing that pertains to certain health data of the employees.
(i) pertaining to Client, User and candidate employee data obtained during the use of the Services
(ii) pertaining to the personal data of clients, employees or candidate employees obtained during the provision of the aforementioned services
(iii) pertaining to clients, employees or candidate employees of ICAP’s websites www.icapcontactcenter.com
(hereinafter called “Website”).
This policy shall not apply to information collected through any other website, services, products, platforms or for practices of companies that we do not control. We are not responsible for any personal data protection practices pertaining to websites, services, products, platforms of other companies.
2. Categories & Types of Collected Data
Taking into consideration all the above, it is necessary to clarify that ICAP Outsourcing SA in most instances, collects, uses, processes, stores, manages data provided by ICAP’s clients themselves such as customers, suppliers or third parties’ data - which may contain personal data (who may refer to individuals or companies) - within the framework of provision of our services. Such data in most instances has been collected by ICAP’s clients and are related to data of their customers. However, ICAP may collect customer’s data on behalf of its Clients directly from any data subject. ICAP shall operate then as the “Processor” of the personal data, which are included in the said business data. Consequently, in those cases different provisions of the GDPR 679/2016 shall apply, with which we comply. So in these cases that ICAP collects on behalf of his client the following categories of data.
Data Collected By Icap By Its Capacity As Data Processor:
In these cases, ICAP undertakes on behalf of its clients to make and to receive telephone calls according to the instructions of the individual client, as they are imprinted in the relevant contract signed between ICAP and the client. In addition ICAP collects employee personal data within the context of its statutory purposes (provision of payroll and business outsourcing services to legal entities). In the context of executing the specific contract, ICAP usually collects on behalf of its clients the following categories of data:
A. Communication Data that includes any communication that any individual or legal entity send to ICAP whether that be through the contact form on our website, through email or especially via telephone calls. It should be mentioned that in most instances the phone calls are recorded via relevant software. This software usually belongs to the ICAP, but in some cases it may be software that belongs to the client itself. If the software belongs to the client, ICAP’s employees have access through the use of passwords.
B. Customer Data that includes data relating to any purchases of goods and/or services that ICAP has undertaken the responsibility to communicate to customers on behalf of ICAP’s clients. Customer data usually includes information such as customer’s name, title, billing address, delivery address email address, phone number, contact details, purchase details, tax number, card details, identity card number, nationality.
C. Marketing Data that includes data about how customers use our website and any online services and especially data about your preferences in receiving marketing from us on behalf of our Clients/Users and your communication preferences.
Data Collected By Icap By Its Capacity As Data Controller:
A. Client’s data: this category of data may include data relating to businesses, legal entities and individuals that want to or already use the Inbound/Outbound services provided by ICAP, such as client’s name, title, billing address, delivery address email address, phone number, contact details, purchase details, tax number, card details, identity card number, the collection, management, and provision of commercial and economic information (business information) etc.
B. Website visitors or user data: IP Address, contact details and full name, e-mail (via contact form on website).
C. Candidate Employee Data: name/surname, date of birth, address, academic and professional qualifications, contact details, address, nationality, candidates suitability evaluation reports, previous employment information, marital status, e-mail, military service completion/exemption certificate.
D. Employment & Payroll data: first name, last name, Tax Registration No. Identification Card/Passport No. (Date of issuance & issuing authority),IKA's Registration No., father's name, mother's name, date of birth, AMKA Registration No., address, Tax Authority Department (ΔΟΥ), contact details, nationality, marital status, protected members (numbers, date of birth, name), social insurance history, educational level, health record for chronic disease, unemployment card nr., bank account particulars, social security stamps, family status certificate, military service completion/exemption certificate.
Ε. Outsourced employees payroll data: all employment registration data (first name, last name, Tax Registration No. Identification Card/Passport No. (Date of issuance & issuing authority), IKA's Registration No., father's name, mother's name, date of birth, AMKA Registration No., address, Tax Authority Department (ΔΟΥ), contact details, nationality, marital status, protected members (numbers, date of birth, name), social insurance history, educational level, health record for chronic disease, unemployment card nr., bank account particulars, social security stamps, family status certificate, military service completion/exemption certificate) salary and benefits package).
F. Employee health/medical data: Names/surnames, diagnostic results, doctors’ notes, health treatments, illnesses, hospital reports.
Declaration Regarding The Processing of Personal Data By ICAP (by its capacity as Data Controller and Processor - in accordance with the General Data Protection Regulation EU 679/2016)
Why will you process my Personal Data (PD)?
ICAP provides products and services containing commercial and financial, personal, academic information about legal entities and individuals on the basis of its statutory purpose, such as described in detail above in paragraph 1. Their contents vary depending on the type and purpose of the provided service of ICAP.
The lawful basis of the data processing in relation to the contact center services, is the performance and execution of the contract.
The lawful basis of the data processing within the context of the provision of payroll and business outsourcing services, is ICAP’s legitimate interest and in some instances (health data) the explicit consent of the data subjects.
In addition, ICAP may collect personal data of candidate employees with their consent for the purpose of exploring employment opportunities.
Furthermore ICAP collects candidate employee data through third party sources (online recruitment platforms or business networking sites/platforms or other) on the basis of its legitimate interest. More specifically:
Information automatically collected when visiting and interacting in the Website: We inform you that your personal data and information that are collected and processed when you manage your account in the Website, are appropriate to the purpose for which they are collected and are required for the processing of your inquiries, applications and the use of ICAP Services.
In particular, when visiting and interacting with the Website, certain information may be automatically collected, such as:
In addition, certain information regarding the contact particulars of an interested party (user or visitor) may be obtained through the contact form embedded on the Website.
In this instance the legal basis for the data processing, is the consent of the Data Subject.
ICAP does not manage, collect or process geolocation data, which are collected and processed exclusively by the companies providing operating systems for each device you use (in case of use of iOS-Apple Inc or in case of android - Google Inc). ICAP does not have access to the positioning refresh rate of GPS.
3. Data Collection Points
1. Users/visitors- A, B
2. Corporate Customers of Users/Clients - A, B, C
3. Website (contact form, cookies) -B
4.Third party recruitment platforms (Luceo, Skywalker, Kariera etc) C, D, E, F
5. Third party business networking platforms (linkedin)- A,B
6. ICAP Network -A
7.Employees -C, D, E, F
4. Transfer of Data to Third Parties
ICAP reserves the right to disclose your personal data to any member of its affiliate/subsidiary companies (parent company and its subsidiaries) or other third parties to the extent it is reasonably necessary for the purposes determined in this notice and in particular:
Client and user/visitor data will be transferred to the departments of ICAP that are competent for the smooth and trouble-free operation of the Website services and functions.
Your data may be transmitted and become accessible by legal entities with which, we have entered from time to time into contractual agreements for the purpose of fulfilling our company’s commitment under any signed contract with any Client/User (provision of inbound and outbound call services, business outsourcing and payroll services) in a proper and within our contractual terms framework. Given that ICAP acts as data processor in these instances, the data subjects are encouraged to review the privacy notices of each respective Client under whose instructions ICAP operates.
Client and user/visitor as well as employee data may be disclosed to cloud hosting providers for the purpose of storing and safeguarding the data with the appropriate technical and security measures.
Your payroll data may be transmitted and become accessible by bank institutions with which we cooperate for the purpose of processing the payments of employees as well as to competent state authorities in compliance with a legal obligation to which ICAP is subject.
Client and user/visitor data may be transmitted, become accessible and processed by subsidiaries of our group within the European union, which apply the appropriate technical, physical and administrative security measures for the protection of the data from loss, misuse, damage, alteration, unauthorized access and disclosure, as provided by article 32 of the GDPR 679/2016.
During all data transfers, we always take all appropriate measures so as to ensure that the transmitted data are the minimum required for the intended processing purpose and that the conditions for legitimate and lawful processing will always be met.
5. Personal Data Retention Period
The data retention period depends on the lawful basis of processing, as set out in detail below:
In case the lawful basis for processing is the exercise of legitimate interest, the processing of personal data is carried out for as long as it is considered necessary for the achievement of the intended statutory purpose of ICAP described in paragraph 1 above, and until such time the limitation period of any related claims has expired.
In case the lawful basis for processing is the performance of the contract, we shall retain your data for as long as you retain the contractual relationship with ICAP in hard copy and in electronic form or we shall retain them for as long as it is required until the limitation period of any related claims expires.
In case the lawful basis for processing is the consent of the data subject (such in the case of the Websites contact form and CV data), we shall retain those data until the granted consent by the data subject has been withdrawn unless specific legislation in effect allows us or ordains to retain the data.
In case the lawful basis for processing is the explicit consent of the data subject (such in the case of the processing of employee health data), we shall retain those data until the granted consent by the data subject has been withdrawn unless specific legislation in effect allows us or ordains to retain the data.
As regards the retention time of call recordings, it should be mentioned that ICAP usually deletes them after a period of 60 days. However, this also depends on the obligations described in the contract between ICAP and each Client/User, since it may be predicted a different retention period that responds better to the to the purposes and activities of the Client/User. In any case each customer is properly informed during the telephone communication about the recording and retention period of the recordings (according to ICAP’s contract obligations and the instructions of each Client/User).
6. Legitimate Interest - Statutory Purpose - Lawful Basis for Data Processing
Data processing is necessary for the purposes of the legitimate interests pursued by the ICAP which is described in detail in the first paragraph.
Within this framework, it is necessary for ICAP to process the categories of data, described in detail above in paragraph 2 of the present policy (provision of call center, business outsourcing, recruitment outsourcing and payroll services and related services and solutions) for the purpose of fulfilling its statutory purposes.
Within this context, ICAP, collects, process and provides data related to the employment, academic profile, health and payroll of individuals for the performance of its contracts which it has signed with legal entities.
In addition ICAP collects, processes and provides marketing, client and contact data, which are described in paragraph 2 of the present policy, for the execution of its contractual obligations towards its corporate clients.
ICAP processes and stores the said data within the E.U.
7. Rights of the Data Subjects
You may exercise, as the case may be, the rights deriving from the applicable Greek Legislation and the General Data Protection Regulation (Regulation (EU) 2016/679) which are as follows: (a. the right of information (article 13), b. the right of access (article 15), c. the right to rectification (article 16), d. the right to erasure “right to be forgotten” (article 17), e. the right to restriction of processing (article 18), f. the right to data portability (to receive your personal data in a structured and commonly used format - article 20 where applicable) and g. the right to object (article 21) which applies to certain data processing activities.
These rights can be exercised only in cases where ICAP acts as Data Controller and in particular when ICAP (i) processes the personal data of clients/visitors during the use of its Website (contact form and cookies) (ii) pertaining to Client data obtained during the use of the Services (iii) pertaining to services that relate to employee data in relation to the products and services offered within the framework of ICAP’s statutory purpose (iv) pertaining to candidate employee data or data related to the recruitment, academic profile, health or payroll which have been collected through individuals or outsourced employees.
This Privacy Notice does not apply to personal data mentioned on business documents that our customers transmit to our systems when using our Services.
These rights shall be exercised free of charge for you by sending a relevant letter to the Data Protection Officer (DPO) of ICAP: Eleftheriou Venizelou Street, number 2, Kallithea, PC 17676, Athens, or via e-mail to email@example.com
. In case however the aforementioned rights are exercised excessively and without good cause thus causing us administrative burden, we may charge you with the cost related to the exercise of the respective right.
In case you exercise any of your rights, we will take all appropriate measures available for the satisfaction of your request within thirty (30) days following the receipt of the relevant request. We may either inform you on the acceptance of your request or on any objective grounds that hinder the processing of your request.
Notwithstanding the above, you may at any time object to the processing of your Personal Data, by withdrawing your consent (article 7, par. 3 of the GDPR 679/2016) by sending a letter to the Data Protection Officer (DPO) of ICAP: Eleftheriou Venizelou Street, number 2, Kallithea, PC 17676, Athens, or via e-mail to firstname.lastname@example.org
. This right applies only in cases where the lawful basis for the data processing is the consent of the Data Subject.
8. Data Processing by ICAP
ICAP in most instances, collects, uses, processes, stores, manages data provided by ICAP’s clients themselves such as customers, suppliers or third parties’ data - which may contain personal data (who may refer to individuals or companies) - within the framework of the provision of our services. Such data in most instances has been collected by ICAP’s clients and are related to data of their customers. However, ICAP may collect customer’s data on behalf of its Client directly from any data subject. ICAP shall operate then as the “Processor” of the personal data, which are included in the said business data. Consequently, in those cases different provisions of the GDPR 679/2016 shall apply, with which we comply.
Additionally, ICAP applies throughout the data processing procedure, the appropriate technical, physical, and administrative security measures for the protection and security of the personal data from loss, misuse, damage or modification, unauthorised access and disclosure, in compliance with article 32 of the GDPR 679/2016, in order to ensure the appropriate security level against those risks. Those include, among others, as the case may be: a) application of encryption protocols b) the ability to ensure confidentiality (article 90 GDPR 679/2016), the integrity, availability, and resilience of processing systems and services on an ongoing basis, c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Moreover, ICAP shall take measures so as to ensure that any physical person acting under the authority of the data controller or of the processor, who has access to personal data, shall not process those data except on instructions from the data controller and limits access to your personal information to authorised employees.
Indicative security measures applied by ICAP are as follows:
We use the information we obtain from candidate employees in order to evaluate and categorize the data based on internal customer requirements. We may also carry out customized candidate suitability evaluation reports.
We recommend to our customers to review and interpret the reports on their own based on their actual business requirements. Our customers may choose to use our evaluation reports alone or combine the reports with other information available to them. We do not maintain blacklists of any kind and we do not encourage our customers to reject or approve candidates under any circumstances based on those reports.
10. Submission of Complaint - Appeal
● For any issue regarding the processing of your personal data, you may contact us via e-mail at www.icapcontactcenter.com
● Moreover, you shall always be entitled to contact the Hellenic Data Protection Authority, which may accept the submission of relevant complaints in writing at its protocol in its offices at 1-3, Kifisias Street, Postal Code 115 23, Athens or by e-mail (email@example.com
) in accordance with the instructions indicated on its website.
This policy may be renewed from time to time, due to amendments to the related legislation or change to the corporate structure of ICAP. Thereby, we encourage the Clients/Users to periodically visit this site so as to be informed regarding recent information of privacy practices. In any case, the Clients/ Users may be informed by e-mail or a notice in our Website regarding any amendments to this policy.