ISO/IEC 27701:2019 – Privacy Information Management Policy


Greece Lean Six Sigma (GLSS)

(Extension of ISO/IEC 27001:2013 for Privacy & GDPR Compliance)

1. Purpose

At Greece Lean Six Sigma (GLSS), the protection of personal data is a fundamental obligation and an essential component of trust, professional integrity, and governance.

In alignment with ISO/IEC 27701:2019, GLSS has extended its Information Security Management System (ISMS) under ISO/IEC 27001 to include a Privacy Information Management System (PIMS). This system governs the lawful, transparent, and secure processing of Personally Identifiable Information (PII) across all services, platforms, and activities.

This policy defines how GLSS collects, processes, stores, shares, and protects personal data in compliance with:

  • EU General Data Protection Regulation (GDPR – EU 2016/679)
  • ISO/IEC 27701:2019
  • applicable national and international privacy requirements

2. Objectives of This Policy

The objectives of this policy are to:

  • Ensure full compliance with ISO/IEC 27701 and GDPR
  • Protect the rights and freedoms of individuals whose data we process
  • Establish transparent, ethical, and accountable data-handling practices
  • Integrate privacy controls into operational, educational, and digital systems
  • Reduce privacy risks through a structured, risk-based management approach

3. Scope of Application

This policy applies to:

  • All personal data and PII processed by Greece Lean Six Sigma
  • All delivery models (in-person, live online, blended, self-paced)
  • All systems and platforms, including:
    • Learning Management Systems (LMS)
    • Certification and assessment platforms
    • CRM, email, cloud storage, collaboration tools
  • All roles and parties, including:
    • employees
    • trainers and assessors
    • contractors and partners
    • third-party processors and service providers

GLSS acts primarily as Data Controller, and in specific contexts as Data Processor, as defined by GDPR.

4. Core Privacy Principles

4.1 Lawful, Fair, and Transparent Processing

Personal data is processed only under a valid legal basis, including:

  • Contractual necessity
    (e.g. training enrollment, certification, exams)
  • Legal obligation
    (e.g. invoicing, tax and regulatory compliance)
  • Legitimate interest
    (e.g. alumni communication, service improvement)
  • Explicit consent
    (e.g. newsletters, marketing communications)

All processing activities are clearly communicated through our Privacy Notice.

4.2 Data Minimization & Purpose Limitation

GLSS ensures that:

  • Only data strictly necessary for a defined purpose is collected
  • Personal data is not retained longer than required
  • Data is not reused or repurposed without lawful basis or renewed consent
  • Retention periods are documented and enforced

4.3 Protection of Individual Rights

GLSS fully supports the exercise of data subject rights under GDPR, including:

  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to data portability
  • Right to restriction or objection to processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with the Hellenic Data Protection Authority
    (www.dpa.gr)

Requests may be submitted to:
📧 privacy@greeceleansixsigma.gr

4.4 Privacy by Design & Privacy by Default

Privacy safeguards are embedded into all systems, processes, and tools from the outset.

  • Default system settings favor data minimization and restricted access
  • Data Protection Impact Assessments (DPIAs) are conducted where required
  • New platforms and vendors are evaluated for privacy compliance before use

5. Governance and Privacy Controls

GLSS implements technical and organizational controls including:

  • Role-based access and least-privilege principles
  • Encryption of personal data at rest and in transit
  • Secure, GDPR-compliant data centers (EU-based)
  • Signed Data Processing Agreements (DPAs) with all processors
  • Continuous monitoring and logging of data access and changes
  • Formal Data Breach Response Plan aligned with GDPR Articles 33–34

6. Roles and Responsibilities

RoleResponsibility
Data ControllerGreece Lean Six Sigma
Privacy Officer / PIMS LeadOversight of privacy compliance and PIMS
Employees & TrainersCompliance with privacy rules and reporting incidents
Third-Party ProcessorsProcessing data only under contract and lawful instruction

All staff and collaborators receive periodic training on privacy, GDPR, and secure data handling.

7. Monitoring, Review & Continuous Improvement

This policy is:

  • Reviewed at least annually
  • Updated following:
    • legal or regulatory changes
    • system or process changes
    • audits or data incidents
  • Supported by:
    • audit logs
    • version control
    • documented evidence of compliance

The PIMS is continuously improved through internal reviews and risk assessments.

8. Approval & Document Control

Approved by:
Victoria Tsolidou
Founder & Managing Director
Greece Lean Six Sigma

Version: 1.0
Effective Date: 02.05.2024
Review Cycle: Annual or as required