I. COMPANY INFORMATION

The private capital company under the name “CROSS ΦΑΡΜΑΚΕΥΤΙΚΗ ΕΤΑΙΡΙΑ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΙΑ” and the distinctive title “CROSS PHARMACEUTICALS P.C.,” headquartered in Thessaloniki (KOSTI PALAMA 4, PYLAIA, THESSALONIKI, 55535), with VAT number 998033328 (hereinafter referred to as “we,” “the Company,” or “CROSS”) is the Controller of your personal data processing as a job applicant at our Company, in accordance with Regulation (EU) 2016/679 General Data Protection Regulation (or simply “GDPR”) and Law 4624/2019 on the protection of personal data (collectively referred to hereinafter as “applicable legislation”).

II. SCOPE OF APPLICATION

This Candidate Privacy Policy (hereinafter referred to as “this Policy” or simply “Policy”) informs you about how we process any kind of information that can directly or indirectly identify you, namely any of your personal data that you provide to us as a job applicant when you submit a job application to us, either unsolicited or in response to a job advertisement to fill a vacant position.

Specifically, we inform you of how we process the personal data you provide to us, either directly or through authorized third parties (e.g., recruitment agencies), throughout the hiring process, i.e., from the submission of your job application until the stage of its potential approval or rejection by our Company.

In the event that your application is accepted, our Company will inform you of how it processes employee personal data as an employer through a specific employee privacy policy it maintains.

We emphasize that we do not use automated decision-making without human intervention, including profiling, in a way that produces legal effects concerning you or otherwise significantly affects you.

III. CATEGORIES OF PERSONAL DATA AND SOURCES

The provision of personal data to our Company is optional. If you do not provide or incompletely provide your personal data, we may be unable to assess your application.

A. Job Application Submission

When you submit your job application via the relevant contact form on our Website or by any other means (e.g., via email), we generally collect and process the following categories of personal data you provide to us:

  • Identification details, such as full name.
  • Contact details, such as telephone number and email address.
  • Curriculum vitae (CV), including any information you have included therein about your education and work experience (e.g., previous professional and educational activities, language skills, qualifications, talents, professional skills, any cover letter accompanying your CV).

B. Application Evaluation

If we invite you for an interview to further assess your application and the information you have provided, we generally collect and process the following categories of personal data you provide to us:

  • Information you provide during the interview, such as your answers to specific questions about the job position, information regarding your eligibility to work in Greece, your ability to meet the job’s requirements, and your reasons for wanting to work with us.
  • Any notes we keep about your answers.

C. Job Offer

If we extend a job offer to you and you accept it, we may request additional information in order to carry out certain pre-employment checks. Specifically, we are required to confirm, prior to hiring, the identity of our staff and their capability, reliability, and integrity. At this stage, we typically process the following categories of personal data that you provide to us:

  • Identification details, such as father’s name and mother’s name, ID card number, gender, date and place of birth, nationality, and a passport-style photograph.
  • Contact details, such as mailing address, email address, and telephone number (landline and/or mobile).
  • Curriculum vitae, education certificates, degrees & diplomas, such as language proficiency certificates or professional training seminar certifications (if available).
  • Personal & Family Status Information, such as IKA insurance record or AMA, Tax Identification Number (TIN), Social Security Number (AMKA), marital status, and dependents.
  • Banking information, such as bank account number.

In the event that you accept the job offer and are hired by our Company, you will be informed of how we process the personal data of our employees as an employer, through the relevant Employee Privacy Policy we maintain from time to time.

IV. Purposes and Legal Basis of Processing

Η Εταιρεία μας συλλέγει και επεξεργάζεται Our Company collects and processes your personal data to the extent permitted or required by applicable law, for the following purposes:

  • To contact you and evaluate your application, particularly to assess whether it meets the hiring requirements of the currently available job position.
  • To suggest future employment opportunities, in the event your initial application is rejected, provided that you have requested and granted us your consent to receive such information.
  • To protect the legitimate interests of our Company (e.g., for the establishment and/or defense of our legal claims).
  • To comply with our legal obligations arising from the body of legislative provisions governing our business operations.

The legal basis for processing your personal data is Article 6(1)(b) of the GDPR, according to which processing is necessary in order to take steps at your request prior to potentially entering into a contract of employment with our Company. In the event that your job application is rejected and you ask us to retain your personal data in order to inform you about future job opportunities at CROSS, we rely on your consent as the legal basis for such processing, pursuant to Article 6(1)(a) of the GDPR.

V. Data Transfers – Recipients

As a rule, we do not disclose or transfer data to third parties. However, we may transfer certain personal data to third parties as permitted under Article 6(1)(f) of the GDPR, for the legitimate interests of our Company, namely to support recruitment processes. We may use IT systems or services provided by third-party vendors (e.g., recruitment software service providers) to facilitate the hiring process. In such cases, the third-party providers will act as “processors” under the GDPR and must process your personal data securely, act under our instructions within the framework of our contractual relationship, and comply with applicable data protection legislation.

We may also transfer your personal data to judicial and/or law enforcement authorities, independent authorities, or governmental bodies, where required to do so under applicable law. We do not disclose your personal data to third parties for marketing purposes.

VI. Data Transfers Outside the European Union/European Economic Area

As a rule, we do not transfer your personal data outside the European Union/European Economic Area. Should it become necessary, within the scope and for the purposes mentioned above, to transfer your personal data outside the EU/EEA, such transfer will be carried out in accordance with applicable law, and CROSS will ensure an adequate level of data protection. By entering into appropriate data transfer agreements based on Standard Contractual Clauses (available to you upon request at registration@crosspharma.gr) or by implementing other measures to ensure an adequate level of data protection, CROSS guarantees or confirms that the recipients provide an adequate level of protection for your personal data.

VII. Data Retention Period

Your personal data will be retained for as long as necessary to fulfill the purposes for which they were collected. Once the purpose for processing your personal data has been fulfilled, we will either delete or anonymize the data unless legal obligations require their retention.

As a rule, personal data of job applicants whose applications are rejected are retained for one month after the recruitment process is completed. If your application is rejected and you ask CROSS to inform you of future job opportunities, your personal data will be retained for 12 months or until you withdraw your consent. After the expiration of the retention period, your personal data will be lawfully and securely deleted/destroyed in accordance with our procedures and policies. Where applicable, our Company may retain anonymized statistical data (e.g., to improve the recruitment process).

VIII. Your Rights

You may exercise, as applicable, the rights granted to you under current data protection legislation, which include:

  • The right to be informed (Article 13 GDPR),
  • The right of access (Article 15 GDPR),
  • The right to rectification (Article 16 GDPR),
  • The right to erasure (Article 17 GDPR),
  • The right to restriction of processing (Article 18 GDPR),
  • The right to data portability (to receive your personal data in a structured and commonly used format – Article 20 GDPR, where applicable),
  • The right to object (Article 21 GDPR), applicable to certain data processing activities.

Additionally, whenever we require your explicit consent to process your personal data (e.g., when you ask us to retain your data after your job application is rejected so we can inform you about future employment opportunities), you have the right to withdraw your consent at any time (Article 7(3) GDPR) by contacting us in writing using the contact details provided on our Website.

Please note that the above rights may be subject to limitations under applicable law. You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) if you believe that your personal data is being processed unlawfully or that your rights are being violated. The HDPA is based in Athens (1-3 Kifisias Avenue, GR-115 23). For more information on the HDPA’s responsibilities and how to file a complaint, you can visit its website at http://www.dpa.gr.

If you wish to review our Company’s Privacy Policy, it is available here.