Privacy Policy
1. Introduction
The protection of personal data is of particular importance to SALFO AND ASSOCIATES S.A. – ENGINEERING AND MANAGEMENT CONSULTANTS (the “Company”, “we”, “us”). This Privacy Policy describes how we collect and process personal data in accordance with Regulation (EU) 2016/679 (the “GDPR”), Greek Law 4624/2019 and any other applicable legislation in force from time to time.
The Company implements appropriate technical and organisational measures both when designing processing operations and during the processing itself, in order to ensure the protection of personal data and compliance with the principles of the GDPR.
2. Key definitions
Personal data: any information relating to an identified or identifiable natural person.
Processing: any operation or set of operations performed on personal data, whether or not by automated means.
Controller: the natural or legal person that determines the purposes and means of the processing.
Processor: the natural or legal person that processes personal data on behalf of the controller.
Recipient: any natural or legal person, public authority or body to which personal data are disclosed.
Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes.
Personal data breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Supervisory authority: the Hellenic Data Protection Authority.
3. Data controller and contact details
The controller of your personal data is SALFO AND ASSOCIATES S.A. – ENGINEERING AND MANAGEMENT CONSULTANTS (trade name: SALFO AND ASSOCIATES S.A.), with EUID ELGEMI.117037201000 and Tax Registration No. 095702185, with contact details: 102 Vasilissis Sofias Avenue, 115 28 Athens, Greece, Tel. +30 210 9210080, E-mail: [email protected].
The Company has appointed a Data Protection Officer (DPO), whose contact details are: [email protected], postal address: 102 Vasilissis Sofias Avenue, 115 28 Athens, Greece.
4. Processing principles
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Accuracy and updating.
- Storage limitation.
- Integrity and confidentiality.
5. Categories of personal data, data subjects and purposes of processing
The Company processes personal data relating to different categories of data subjects, solely for specified, lawful and necessary purposes. The main categories are summarised below.
| Category of data subject | Indicative categories of data | Main purposes | Legal basis |
| Shareholders | Identification data, contact details, shareholding information, bank details | Maintenance of corporate books, compliance with company/tax obligations, banking procedures | Legal obligation, legitimate interest |
| Board members | Identification data, criminal record where required, tax/social security clearance, bank details | GEMI filings, corporate records, tenders, compliance, payments | Legal obligation, performance of contract, legitimate interest |
| Employees | Identification data, payroll data, contracts, qualifications, leave records, health data where legally required | Management of the employment relationship, payroll, performance management, compliance with labour/social security law | Performance of contract, legal obligation |
| Clients / suppliers / partners | Identification data, contact details, contractual and tax data, bank details | Pre-contractual measures, entering into / performing contracts, accounting and tax compliance | Performance of contract, legal obligation, legitimate interest |
| Website users | Name, e-mail, contact form details, browsing data and cookies | Replying to contact requests, operation and security of the website, statistical analysis | Consent, legitimate interest |
| Newsletter recipients | Name, e-mail | Sending newsletters and updates regarding the Company’s activities | Consent |
| Job applicants | CV, contact details, qualifications, experience, identification data | Assessment of applications, staffing of projects, entering into cooperation / employment | Pre-contractual steps, consent where applicable |
As a rule, personal data are collected directly from you. In certain cases, they may be obtained from duly authorised third parties, from public registries, or from technical data generated through your use of the website.
6. Legal bases for processing
- your consent, where required;
- the performance of a contract or steps taken prior to entering into a contract;
- compliance with a legal obligation of the Company;
- the protection of vital interests, where applicable;
- the legitimate interests of the Company or a third party, provided that such interests are not overridden by your rights and freedoms.
Where processing is based on your consent, you may withdraw that consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.
7. Recipients of personal data
- Authorised employees of the Company, bound by confidentiality obligations.
- Branches and/or subsidiaries of the group, where necessary for corporate or operational purposes.
- Public authorities, judicial or prosecutorial authorities and other bodies, where required by law.
- Processors, such as IT providers, hosting providers, analytics providers, legal or banking advisors, subject to appropriate contractual safeguards.
- Third parties authorised by you or where disclosure is necessary for the performance of a contract or compliance with a legal obligation.
8. Transfers outside the European Economic Area
Where personal data are transferred to recipients outside the European Economic Area, the Company takes appropriate measures to ensure an adequate level of protection, such as the use of the European Commission’s standard contractual clauses, an adequacy decision or another lawful transfer mechanism.
Where platforms or service providers outside the EEA are used for specific services, any such transfers are carried out only where the necessary safeguards and contractual commitments are in place.
9. Data retention
The Company retains personal data only for as long as necessary to fulfil the purposes of the processing, to comply with legal obligations or to establish, exercise or defend legal claims and, in any event, for a period not exceeding twenty (20) years, which corresponds to the general limitation period for claims pursuant to Article 249 of the Greek Civil Code.
| Category | Indicative retention period |
| Newsletter data | Until consent is withdrawn and for a reasonable period for handling any related requests. |
| CVs | Up to two (2) years from submission, unless earlier deletion is requested or renewed consent is obtained. |
| Tax / accounting records | As required by the applicable tax and accounting legislation. |
| Corporate books and minutes | For as long as required under company and commercial law. |
| Website contact requests | For as long as necessary to handle the request and for a reasonable archiving period. |
Upon expiry of the applicable retention period, your personal data may, where appropriate, continue to be retained for as long as required for the protection and defence of the Company’s rights before courts or other competent authorities. In particular, in the event of judicial proceedings directly or indirectly involving you and the Company or any of its affiliated companies, the above-mentioned retention period for your personal data shall be extended until the issuance of a final and irrevocable court decision.
10. Data security
The Company implements appropriate technical and organisational security measures, such as access controls, role-based access restrictions, logical and physical security measures, firewalls, encryption where appropriate, logging, backup procedures and organisational confidentiality policies.
11. Personal data breaches
In the event of a personal data breach, the Company acts in accordance with the GDPR and applicable legislation. Where required, it notifies the Hellenic Data Protection Authority within the statutory time limits and, where a high risk to your rights and freedoms is likely, also informs the affected data subjects without undue delay.
12. Your rights
- Right to information and access.
- Right to rectification and completion.
- Right to erasure (“right to be forgotten”), where the legal conditions are met.
- Right to restriction of processing.
- Right to data portability, where applicable.
- Right to object to processing.
- Right to withdraw consent, where processing is based on consent.
- Right to lodge a complaint with the Hellenic Data Protection Authority.
13. How to exercise your rights
You may exercise your rights by sending a request to [email protected] or by post to the Company’s address, for the attention of the Data Protection Officer.
The Company responds without undue delay and, in any event, within one (1) month from receipt of the request. That period may be extended by a further two (2) months where necessary due to the complexity or number of requests, in which case you will be informed accordingly.
Where there are reasonable doubts as to your identity, additional proof of identity may be requested.
14. Updates to this Policy
This Policy may be amended from time to time. The version in force will be posted on the Company’s website.
Cookies Policy
This Cookies Policy explains what cookies are, which categories of cookies may be used by the website www.salfo.gr and how you can manage them.
1. What are cookies
Cookies are small text files stored on your device through your browser. They help a website function properly, improve the user experience, enhance security and, where applicable, collect statistical information about how the website is used.
2. Categories of cookies that may be used
| Category | Purpose | Legal basis | Indicative duration |
| Strictly necessary cookies | Support the basic operation of the website and cannot be switched off. | Legitimate interest / provision of the service | For the session or as technically required |
| Preference cookies | Store user choices where applicable. | Consent, where required | As set out in the cookie management tool |
| Statistics / analytics cookies (_ga, _gid, _gat) | Measure traffic and use of the website, e.g. through analytics tools. | Consent | According to the technical settings of each cookie |
| Marketing / third-party cookies | Used only if relevant third-party functions or integrations are enabled. | Consent | According to the policy of the relevant third-party provider |
3. Cookies referred to for the website
The website may use session cookies and analytics cookies, such as Google Analytics cookies (e.g. _ga, _gid, _gat or other similar identifiers used by Google Analytics).
Strictly necessary cookies are installed without prior consent to the extent that they are technically required for the provision of the service. For all other cookies, prior consent is obtained through an appropriate mechanism (such as a cookie banner or preference center).
4. Consent management and settings
You may at any time accept, reject or withdraw your consent to non-essential cookies through the website’s cookie management mechanism or by adjusting your browser settings.
Disabling certain cookies may affect your browsing experience or limit certain website functionalities.
5. Third-party cookies
Where the website uses third-party services (such as embedded content, analytics, maps or social plugins), third-party cookies may also be set. In such cases, the privacy and cookies policies of the respective third-party providers will also apply.
6. Updates to the Cookies Policy
The Cookies Policy may be amended depending on the website’s technical settings and applicable law. The version in force will be available on the Company’s website.
Note: The Company may request additional proof of identity where there are reasonable doubts as to the identity of the applicant. Information is provided free of charge unless the request is manifestly unfounded or excessive, in accordance with Article 12 GDPR.