Personal Data Protection Policy
- Commitment & Scope
INDIGITAL S.A. is committed to protecting the personal data of employees, clients, suppliers, partners, and every natural person with whom it interacts. This Policy implements the requirements of the General Regulation (EU) 2016/679 (GDPR), Law 4624/2019, and the standards ISO/IEC 27001:2022 & ISO/IEC 27701:2019, incorporating the principles of privacy by design and by default into all of the Company’s activities.
- Core Processing Principles
✔ Lawfulness, fairness & transparency – clear legal basis and notification to data subjects.
✔ Purpose limitation & data minimisation – only the data necessary for specific, explicit purposes is collected.
✔ Accuracy & storage limitation – data is kept up to date and deleted when no longer necessary.
✔ Integrity & confidentiality – application of technical and organisational security measures (encryption, access control, pseudonymisation).
✔ Accountability – documentation and demonstrable compliance through records, audits, and training.
- Rights of Data Subjects
Every natural person has the right to information, access, rectification, erasure (‘right to be forgotten’), restriction, portability, and objection to the processing of their data, as well as the right not to be subject to solely automated decision-making. Requests are handled by the DPO within one (1) month and free of charge.
- Data Transfers & Partners
Transfers to third parties are carried out only where a lawful basis and a Data Processing Agreement (DPA) exist. Cross-border transfers outside the EEA are accompanied by appropriate safeguards (e.g. Standard Contractual Clauses). Partners are assessed through the GDPR Compliance Questionnaire and are bound to an equivalent level of protection.
- Responsibilities
Management approves the Policy and allocates the necessary resources. The Data Protection Officer (DPO) oversees its implementation and manages requests. The IT, Legal, Human Resources, Marketing, and Procurement departments implement the measures within their respective functions. All employees and external partners are required to comply with the Policy and to immediately report any potential incident.
- Breaches & Contact
In the event of a data breach, the Company takes immediate corrective action and notifies the Hellenic Data Protection Authority (HDPA) within 72 hours, as well as the data subjects where the risk is high. For any enquiry, request, or incident report: info@indigital.gr.
This Policy is communicated to all employees, reviewed annually, and made available to interested parties.
Date: April 2026
Information Security Management Policy
The Management of INDIGITAL SA is committed to managing Information Security matters with the same responsibility and importance with which it approaches all of its business operations. We believe that in this way, the benefit derived from the operation of the business is maximised for our clients, employees, and shareholders.
Specifically, we are committed to supporting the implementation of Information Security Management methods in order to ensure the integrity, availability, and confidentiality of the information we manage. We intend to fulfil this commitment by following the principles of prevention and protection in accordance with legislative provisions, as well as with the requirements arising from the broader risk management framework developed by the company for strategically significant risks, and through the disclosure of our actions and the continuous improvement of our performance in the field of Information Security.
This ongoing effort is carried out through the monitoring and adoption of modern technologies and international best practices, through the definition of objectives and criteria against which continuous risk level assessments are conducted, through the implementation of response programmes, and through the awareness, training, and involvement of employees in information security management.
The continuous pursuit of improved information security management methods will enable INDIGITAL SA to increasingly and more effectively protect the information it manages. We will keep our clients, employees, and shareholders informed of developments in this regard.
Management extends its full support and highest priority to the Information Security Management System and, in consultation with staff, commits to defining objective purposes and targets which will be reviewed at regular intervals to ensure they remain within the specifications set.
This Policy is communicated to all employees, reviewed annually, and made available to interested parties.
Date: April 2026
Quality Policy
INDIGITAL SA is committed to delivering information technology and digital solutions services that exceed the expectations of its clients, while maintaining the highest standards of quality, reliability, and professionalism.
Our company is committed to:
✔ Providing services that meet or exceed customer requirements and applicable legislative/regulatory requirements
✔ Establishing and achieving measurable quality objectives aligned with the company’s strategic direction
✔ Implementing and maintaining an effective Quality Management System (QMS) in accordance with ISO 9001:2015
Promoting a culture of continuous improvement at all levels of the organisation
✔ Allocating adequate resources to support and develop the QMS
✔ Ensuring the competence, training, and awareness of all personnel
✔ Managing risks and opportunities in a systematic and proactive manner
✔ Meeting or exceeding compliance obligations with applicable laws and regulations
✔ Focusing on understanding and fully satisfying the needs of each client
This Policy is communicated to all employees, reviewed annually, and made available to interested parties.
Date: April 2026
Business Continuity Policy
INDIGITAL SA recognizes that the uninterrupted provision of information technology, digital processing, and technology services to its clients is a critical strategic obligation. The company commits:
✔ To develop, implement and maintain a Business Continuity Management System (BCMS) in accordance with ISO 22301:2019 across its entire scope
✔ To identify and assess disruption risks that threaten its critical activities
✔ To define measurable business continuity objectives and achieve them
✔ To ensure rapid response and service recovery within an acceptable Recovery Time Objective (RTO) following a disruption
✔ To fully comply with all applicable legislative and regulatory requirements
✔ To continuously review and improve the BCMS through exercises, tests, and corrective actions
This Policy is communicated to all employees, reviewed annually, and made available to interested parties.
Date: April 2026