Security Policy

1. Purpose - Field of Application


The purpose of this Policy is to describe the organizational and technical measures implemented by the company Digital Academy during the processing of data, which result in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) and the provisions of Law 4624/2019.

This Policy applies to the logistics equipment, the personnel, and the procedures and operations performed by the company in the exercise of all its activities related to data processing.

2. General Principles


2.1 Principles of processing

The company takes all necessary measures to ensure compliance with the following basic principles of processing:

  • a) Legitimacy, objectivity and transparency. Personal data shall be processed lawfully in a transparent manner in relation to the data subject in accordance with the following.
  • b) Limitation of purpose. Personal data are collected for specified, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes.
  • c) Data minimization. Personal data are appropriate, relevant and limited to what is necessary for the purposes for which they are processed.
  • d) Accuracy. Personal data are accurate and, where necessary, updated; all reasonable steps must be taken to promptly delete or correct personal data which are inaccurate in relation to the purposes of the processing.
  • e) Limitation of the storage period. Personal data are kept in a format that allows the identification of data subjects only for the period required for the purposes of the processing of personal data.
  • f) Integrity and confidentiality. Personal data are processed in a way that ensures proper security of personal data, including their protection against unauthorized or unlawful processing and accidental loss, destruction or damage.
  • g) Accountability. The company is responsible and able to demonstrate compliance with the above principles.

3. Processing – Purpose


3.1 Legality

The processing of personal data by the company as Head of Processing is performed under the following conditions:

  • a) processing is necessary for the execution of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to concluding the contract,
  • b) processing is necessary for compliance with a legal obligation of the controller.

The processing of personal data by the company, as Head of Processing, is carried out in accordance with the Private Agreement concluded by the company from which the basis of the processing by the Processing Manager is derived.

3.2 Subject consent

  • a) The company, as Head of the Processing, proceeds in a simple and understandable way to inform the subject about the processing, according to the private contract that it concludes. The update is performed electronically through a form which is presented automatically during the installation of the relevant application.
  • b) Information on the terms of processing is included in the form PA1 "Subject information instruction". The consent of the subject is clearly stated in the application and in all cases is maintained.
  • c) Withdrawal of consent is provided in a clear and simple manner in the application of the company. Correspondingly, the act of revocation is retained if it occurs electronically.

3.3 Special categories

The company processes personal data of its employees related to health. Processing is necessary for the performance of the obligations and the exercise of specific rights of the data controller or data subject in the field of labor law and social security and social protection law.

4. Rights of the subject


4.1 General settings

  • a) The company provides any information to the data subject regarding its processing rights, such as information, access, correction, deletion, restriction, portability and objectivity. For this purpose, the form PA1 "Instruction for informing the subject" is provided and maintained. The information is given in printed or electronic form as follows:
    • - To the employees of the company, during the recruitment with the conclusion of the relevant contract or by posting at a specific point in the internal network of the company.
    • - To taxi drivers, by concluding the relevant contract or by means of a form during the installation of the company's application.
    • - To the passengers, for the service of the private contract of execution of the processing, through a form which is presented automatically during the installation of the relevant application of the company.
  • b) The company responds to the data subject's requests regarding his rights within one month of receiving the requests. In case of delay, the company justifies the delay and informs the data subject, within one month of receipt of the request, of the extension of the deadline.
  • c) Data subjects may contact the company for questions regarding the processing of personal data by sending an e-mail to gdpr@taxaki.com.
  • d) The company may request the provision of additional information necessary to confirm the identity of the data subject, if it has reasonable doubts about the identity of the natural person submitting the request. The company may refuse to act on the request if it is not able, reasonably, to verify the identity of the data subject. This justification is recorded by the company.
  • e) The company may decline to act on the request of the subject. In this case, within one month from the receipt of the request, it informs the data subject of the reason for not acting and of the possibility to file a complaint with a supervisory authority and to file a court appeal.
  • f) The company may, if the data subject's requests are manifestly unfounded or excessive, in particular due to their repetitive nature:
    • - impose a reasonable fee, taking into account the administrative costs of providing the information or notification or execution of the requested action, or
    • - refuse to follow up on the request.
  • The reasoning regarding the manifestly unfounded or excessive nature of the requests is recorded by the company.
  • g) The company keeps a summary of the requests and answers arising from points (b) to (e) above.

4.2 Specific provisions


  • a) The company collects personal data relating to the data subject exclusively from the data subject himself. The information regarding the information of the subject is mentioned in the form PA1.
  • b) The company does not process personal data for any purpose other than that for which it was collected.
  • c) The company does not transmit personal data to a Third Country or international organization.
  • d) The company corrects inaccuracies or completes incomplete personal data at the request of the subject, in accordance with the provisions of paragraph 5.1.
  • e) The company deletes personal data, at the request of the subject in accordance with the provisions of paragraph 5.1, and if one of the conditions mentioned in the form PA1 is met.
  • f) The company restricts personal data when one of the following applies:
    • - the accuracy of the personal data is disputed by the data subject, for a period of time which allows the company to verify the accuracy of the personal data,
    • - the data subject has objections to the processing, pending verification of whether the company's legitimate reasons take precedence over the data subject's reasons.
  • g) The company may process, other than storage, data whose processing has been restricted only with the consent of the subject or for the establishment, exercise or support of legal claims or for the protection of the rights of another natural or legal person. The company informs the data subject before lifting the processing restriction.
  • h) The company provides, upon request, the personal data to the data subject in a format commonly used and machine-readable when:
    • - processing is based on consent or contract,
    • - the processing is performed by automated means.
  • i) The company proceeds, if there is a request from the data subject and it is technically possible, to transfer the personal data to another data controller.

5. Obligations of the company


  • a) The company ensures that this policy is reviewed and updated when conditions such as the scope, context and purpose of processing change, or for any other reason deemed necessary.
  • b) The implementation of the organizational and technical measures of this Policy extends from the definition of the means of processing, the time of processing and until their possible deletion.
  • c) The company with the measures of this Policy ensures that only the personal data that are necessary for the respective purpose of processing are processed and are not made accessible without the intervention of the natural person to an indefinite number of natural persons.
  • d) The company has the ability to use the performers of the processing provided that they provide sufficient assurances for the correct observance and application of this Policy.
  • e) The possibility of hiring another executor of the processing from the executor of the processing with the prior special permission of the controller is not used.
  • f) The company maintains the PA3 files "Archive of processing activities" and PA4 "Archive of categories of processing activities".
  • g) The files are kept in printed and/or electronic form and are available to the Data Protection Authority upon its request.

6. Processing security


  • a) In determining the security measures and mechanisms required, the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored or otherwise processed shall be taken into account.
  • b) The company, considering the risks under point (a) as well as technological developments, implementation costs and the nature of processing, determines and implements the necessary security measures to meet all safety principles, such as integrity, availability, the confidentiality of the processing and its systems as well as the possibility of restoring availability and access in a timely manner.
  • c) The level of security is regularly assessed through procedures for testing the effectiveness of organizational and technical measures.
  • d) The security measures and mechanisms required are grouped according to their category. This results in the following sub-Policies:
    • - Physical Safety Policy
    • - Logical Access Policy
    • - Network Security Policy
    • - Processing Systems Continuity Policy
    • - Internal control and evaluation policy
    • - Secure storage policy
    • - Malware protection policy
    • - Acceptable Use Policy.

7. Taxaki Driver Voip App


7.1 Data collection

  • - Location: This application collects location data even when it is running in the background, to ensure its smooth operation. It also shares the driver's location so that customers can see him on the map as he drives towards them, informs the system of the driver's exact location so that his condition can be updated accordingly, and shares the driver's location with the other members of his team. The exact location is necessary to select the most suitable taxi for the customer.
  • collects user location data when using the application as well as when the application is in the background
  • shares the location data collected by Google in order to visualize on the map the exact position of the location of the driver
  • shares the user's location with other users of the application
  • shares the user's location with Taxaki App users who are searching for a taxi through the application
  • - Camera: This application requires permission to use the camera on the user's device to allow him to instantly take and post a new profile picture.
  • - Microphone: This application requires permission to use the microphone of the user's device so that he can converse with customers and colleagues through the application.