Greece Lean Six Sigma
Extending ISO/IEC 27001:2013 for Privacy and GDPR Compliance

At Greece Lean Six Sigma, we recognize that privacy is a fundamental right and a cornerstone of trust in the digital age. In alignment with ISO/IEC 27701:2019, we have extended our ISO/IEC 27001 Information Security Management System to incorporate a Privacy Information Management System (PIMS) that governs the secure and lawful handling of all personally identifiable information (PII) across our services and systems.

This policy defines how we collect, process, retain, protect, and share personal data — in compliance with the EU General Data Protection Regulation (GDPR) and international privacy standards.


Objectives of This Policy

  • Ensure compliance with ISO/IEC 27701 and GDPR (EU 2016/679)
  • Protect the rights of individuals whose data we process
  • Demonstrate transparent and ethical data management
  • Minimize privacy risks through a structured management system

Scope of Application

This policy applies to:

  • All personal data collected or processed by Greece Lean Six Sigma
  • All services, platforms, and delivery methods (in-person, live online, self-paced)
  • All employees, contractors, trainers, certification partners, and third-party vendors

Our Core Privacy Principles

1. Lawful, Fair, and Transparent Processing

We process data under clearly defined legal bases:

  • Contractual necessity (e.g., enrollment, certification)
  • Legal obligation (e.g., invoicing, tax compliance)
  • Legitimate interest (e.g., alumni engagement)
  • Consent (e.g., newsletters, marketing)

2. Data Minimization and Purpose Limitation

We only collect and retain personal data that is:

  • Directly relevant to the purpose for which it was collected
  • Not retained longer than necessary
  • Never repurposed without legal basis or renewed consent

3. Individual Rights Protection

We ensure full exercise of GDPR rights:

  • Right of access
  • Right to rectification or erasure
  • Right to data portability
  • Right to restriction or objection to processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr)

Data subject requests can be sent to:
privacy@greeceleansixsigma.gr

4. Privacy by Design and by Default

All systems, forms, and tools are designed to embed privacy principles from the outset. Data Protection Impact Assessments (DPIAs) are conducted where applicable.


Governance and Controls

  • Access to personal data is role-based and follows the principle of least privilege.
  • Personal data is encrypted and stored securely in GDPR-compliant data centers (within the EU).
  • All third-party processors (e.g., LMS providers, CRM platforms) operate under signed Data Processing Agreements (DPAs).
  • Privacy and data protection awareness training is mandatory for staff and contractors.
  • A Data Breach Response Plan is in place, in line with Articles 33 and 34 of the GDPR.

Roles and Responsibilities

  Role              | Responsibility
  ------------------|-------------------------------------------------
  Data Controller   | Greece Lean Six Sigma
  Privacy Officer   | Oversees PIMS & GDPR compliance
  All Staff         | Follow privacy rules, report breaches
  Third Parties     | Act only under contract & with lawful instruction

Monitoring, Review, and Continuous Improvement

This policy is reviewed:

  • At least annually
  • Upon legal or operational change
  • After any significant data incident or audit

We maintain audit logs, version control, and documented evidence of compliance for all core privacy functions.


Victoria Tsolidou
Founder & Managing Director
Version: 1.0 | Date: 02.05.2024