Data Protection Policy

Data Protection Policy

Greece Lean Six Sigma (GLSS)

1. Introduction

Greece Lean Six Sigma (hereinafter “GLSS”, “we”, “us”) acts as Data Controller and, where applicable, Data Processor for personal data processed in the context of:

  • registrations and applications

  • training and coaching services

  • examinations and certifications

  • customer support and business operations

GLSS is committed to processing personal data with lawfulness, transparency, confidentiality, and accountability. This policy defines how personal data are collected, stored, used, protected, and disposed of across all GLSS activities.

This policy applies to all forms of data, regardless of format, including electronic, paper-based, verbal, or any other medium.

2. Privacy and Data Protection Principles

As part of its operations, GLSS processes personal data that may identify individuals, including but not limited to:

  • full name

  • contact details (email, phone, address)

  • account credentials

  • professional and certification information

All processing activities are governed by:

  • the EU General Data Protection Regulation (GDPR)

  • applicable national data protection legislation

  • ISO-aligned internal policies and controls

GLSS processes personal data in accordance with the following principles:

  • Lawfulness, fairness, and transparency

  • Purpose limitation – collected only for explicit and legitimate purposes

  • Data minimization – adequate, relevant, and limited to what is necessary

  • Accuracy – kept up to date where required

  • Storage limitation – retained only as long as necessary

  • Integrity and confidentiality – protected against unauthorized access, loss, or damage

  • Accountability – demonstrable compliance with legal and ISO requirements

3. Roles and Responsibilities

All GLSS personnel and collaborators are responsible for protecting personal data in accordance with this policy.

3.1 Data Protection Officer (DPO)

Contact details:
📧 dpo@greeceleansixsigma.gr
📞 +30 231 231 5681

Responsibilities include:

  • Advising GLSS on GDPR and privacy obligations

  • Acting as the primary contact point for data subjects

  • Overseeing implementation of data protection measures

  • Conducting periodic assessments and audits

  • Supporting breach response and regulatory communication

3.2 Information Security Manager

Responsible for:

  • Information security risk management

  • ISMS design, implementation, and maintenance (ISO/IEC 27001)

  • Cybersecurity awareness and training programs

  • Security testing and monitoring

  • Compliance with security-related legal and regulatory requirements

3.3 IT Systems Manager

Responsible for:

  • Secure configuration and maintenance of IT systems

  • Patch management and system upgrades

  • Network monitoring and integrity checks

  • Backup execution and validation

  • Enforcement of digital security controls

3.4 Compliance Function

Ensures that:

  • Personal data of certification holders, trainers, examiners, examinees, and invigilators are accessed only by authorized personnel

  • Applicant documentation is securely stored and centrally governed

  • Confidentiality, integrity, and availability are maintained

3.5 Business Development Function

Ensures that personal data of:

  • Authorized Partners

  • Agents

  • Prospective clients

are accessed only by authorized staff and never disclosed unlawfully.

3.6 System Administration

Ensures that personal data of registered users on the GLSS website and platforms:

  • Are accessible only to authorized roles

  • Are not disclosed to unauthorized parties

  • Are protected by appropriate technical controls

4. General Data Protection Guidelines

  • Access to personal data is granted strictly on a need-to-know basis

  • Informal or unauthorized data sharing is prohibited

  • Confidential information must be requested through proper authorization

  • All staff receive mandatory privacy and data protection training

  • Credentials and passwords must be encrypted and securely stored

  • Personal data must never be disclosed to unauthorized internal or external parties

  • Uncertainty regarding data handling must be escalated to management or the DPO

5. Data Storage and Security

5.1 Physical Records

  • Stored in locked cabinets with restricted access

  • Clean desk policy enforced

  • Secure shredding for disposal

5.2 Electronic Data

  • Protected against unauthorized access, loss, or cyber threats

  • Stored only on approved GLSS servers or approved GDPR-compliant cloud services

  • Strong passwords enforced and changed regularly

  • Encryption minimum standard: AES-128 (or higher) at rest and in transit

  • Secure email communication via TLS (Microsoft Exchange, Sendinblue, Amazon SES)

  • Daily backups executed and periodically tested

  • No direct storage of personal data on laptops or mobile devices

  • Approved antivirus, firewall, and intrusion prevention systems applied

6. Data Usage

Personal data processed by GLSS are used exclusively for GLSS-related services and legitimate business purposes.

Employees must:

  • Lock screens when unattended

  • Encrypt data before electronic transfer

  • Work only on centralized systems (no local copies)

7. Data Accuracy, Monitoring, and Protection Measures

GLSS commits to:

  • Monitoring access to sensitive data

  • Implementing controlled data collection procedures

  • Providing ongoing privacy and cybersecurity training

  • Maintaining secure networks and firewalls

  • Operating breach reporting and response procedures

  • Including data protection clauses in contracts

  • Maintaining accurate and up-to-date records

  • Applying logging and monitoring to detect misuse or data leakage

8. Subject Access Requests (SARs)

Data subjects have the right to:

  • Know what personal data GLSS holds and why

  • Access their data

  • Request correction or deletion

  • Understand how GLSS complies with GDPR

Requests may be submitted via:
📧 privacy@greeceleansixsigma.gr
or via the designated digital request form.

Identity verification is mandatory before data disclosure.

  • First copy: free of charge

  • Additional copies: €30

  • Response time: within 14 days

8.1 Data Rectification

Requests for correction may be submitted via the same channels. Identity verification is required.

8.2 Data Erasure

Requests for erasure may be submitted at any time.
Before erasure, the DPO will inform the data subject of:

  • Legal or contractual retention obligations

  • Impact of erasure on certifications or services

9. Children’s Data

GLSS services are not intended for individuals under 16 years of age.
We do not knowingly collect data from minors.

If a parent or guardian believes that a minor’s data have been provided, they should contact:
📧 dpo@greeceleansixsigma.gr

10. Disclosure of Personal Data

Personal data may be disclosed without consent only when legally required by competent authorities.
All such requests are reviewed for legality and proportionality, with legal consultation where necessary.

11. Privacy Statement

GLSS maintains a publicly available Privacy Statement, detailing:

  • Types of data collected

  • Purpose and legal basis of processing

  • Third-party processors

  • Data protection safeguards

The Privacy Statement is available on our website.

Approval & Governance

Approved by:
Victoria Tsolidou
Founder & Managing Director
Greece Lean Six Sigma

Version: 1.1
Effective Date: 01.03.2025
Review Cycle: Annual or upon material change