Privacy Policy
Last update: September 2025
Introduction
C&M Engineering S.A. (hereinafter referred to as the “Company”) fully recognizes the importance of protecting personal data and is committed to treating with care and confidentiality the personal data of employees, customers, partners and other third parties that it collects and processes. The term “personal data” refers to personal data as defined in Article 4(1) of the GDPR, meaning any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. The Company acts as the “data controller”, in accordance with Article 4(7) of the GDPR, for all personal data processing activities covered by this Privacy Policy. The term “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller
The Company (website: www.cmengineering.gr) informs data subjects that, for the purposes of its business activities, it processes personal data which result in the identification of natural persons (for example: users of the website and/or other stakeholders such as company clients, employees, suppliers). Personal data is processed in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter “GDPR”) of the European Parliament and of the Council of the 27th of April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and with the generally relevant domestic legislation that may be issued in the context of the implementation of the GDPR and more specifically Law 4624/2019, the relevant directives, decisions and regulations that may be issued by the Personal Data Protection Authority (PDPA) in this context, as well as with any other legislation or regulatory and normative framework on Personal Data Protection that amend, revise or replace any of the aforementioned laws and regulations. Communication for matters concerning the processing of personal data may be conducted at email: dp@cmengineering.gr (to the attention of the Data Protection Officer).
Data Collected/Processed
According to the activities of the Company, the personal data that are processed are as follows:
Table 1: Categories of Personal Data Collected
| Category | Personal Data Collected |
| --- | --- |
| First Name/Surname and Contact Details | First Name/Surname; Parents’ Names; Address; Email Address; Telephone |
| Identification Information and/or Data required under a professional relationship | ID number; Social Security number; Birth Details; V.A.T. number; Marital Status; Employees/Consultants’ Educational Training and Professional Experience; Employees/Consultants’ Compliance Record in Occupational Health & Safety; Remuneration; Curriculum Vitae; Sensitive Personal Data when required for Employees/Consultants’ insurance purposes; First Name/Surname of next of kin to be notified in case of emergency; Occasionally, when required, photo. |
| Data related to the use of the Company’s web site | IP Address; browser type; cookies; web site usage data (such as pages visited or time spent). See also relevant Cookies Policy. |
Means of Collecting Personal Data
Means through which personal data may be collected:
- Within the context of professional interactions, personal data are directly provided by the Stakeholders (internal and/or external).
- Through the use of the Company’s entrance video surveillance system (CCTV), the operation of which is clearly designated at the entrance of the premises.
- Through the Company’s Website automated technologies (e.g. cookies).
- Through third party analytics providers for the Company’s website/social media.
Legitimate Basis for Processing Personal Data
The Company provides services to other companies (private or public sector) i.e. business-to-business services. The data it handles/collects are primarily Corporate Data, processed solely for the purpose of complying with legal obligations which it has undertaken and specifically within the context of fulfillment of contractual obligations. The Company processes personal data in the context of its specific professional activities and professional relationships.
Table 2: Company’s Personal Data Processing Activities
| # | Professional Domain | Purpose of Personal Data Processing |
| --- | --- | --- |
| 1 | Management and IT | Collection and processing of data in the context of monitoring the Company’s entrance through the video surveillance system (CCTV). |
| 2 | Management, Business Development | Collection and processing of data in the context of examining the CV of candidate employees / subcontractors. |
| 3 | Business Development, Project Administration | Collection and processing of personal data in the context of selecting a project team and submitting an offer to potential clients. |
| 4 | Project Management, Project Administration | Collection and processing of personal data for car rental purposes in the context of fulfilling a project’s contractual obligations. |
| 5 | Project Management | Collection and processing of personal data in the context of sending data to a client for carrying out a project. |
| 6 | Project Management | Collection and processing of personal data for the creation of topographic maps in the context of project execution/contractual obligations. |
| 7 | Project Administration | Collection and processing of personal data in the context of corporate travel planning. |
| 8 | Project Administration | Collection and processing of personal data in the context of communication and meeting planning. |
| 9 | Project Management/ Contract Administration/Legal Support | Collection and processing of personal data in the context of managing the Company’s contracts. |
| 10 | Legal Support | Processing personal data in the context of the management of legal issues and the provision of legal advice. |
| 11 | Accounting Department | Processing of personal data regarding: the recruitment of employees; payroll related matters and service contracts; health insurance related matters; processing of personal data of associates / suppliers / customers / engineers in the context of the operation of the Company. |
| 12 | Health, Safety, Environment | Collection and processing of data in the context of conducting seminars / training; issuing Safe Pass; recording occupational accidents. |
| 13 | Project Administration | Processing of personal data of Consultants / Associates / Clients in the context of the operation of the Company. |
| 14 | Project Management/Document Control/Project Administration/Accounting | Processing of employee/consultants’ data within the framework of maintaining the file of each project according to contractual obligations. |
| 15 | www.cmengineering.gr | Data collected for the purpose of maintaining and improving the Company’s website, responding to inquiries (for professional opportunities) or promoting and improving the Company’s services. |
Data Retention
Personal data is retained for as long as necessary for the purposes for which it was collected, or as required by law. Retention periods may vary depending on the type of data, the purpose of processing, and other relevant factors.
The following principles apply regarding retention of data:
- Data is retained only for the period necessary for the purposes of processing.
- Where there is a legal and/or regulatory requirement, the data retention period is determined on that basis.
- Where possible, the data retention period is quantified, along with the criteria used to determine that period (example: 5–10 years after the end of the contract is usually the requirement of Contracting Authorities for project auditing purposes).
- During the retention period of personal data, appropriate protection/security measures are applied.
Factors considered when determining the data retention period include:
- The nature of the data.
- The purpose of processing.
- Legal and regulatory requirements applicable in the environment in which the Company operates.
- The value of the data to the Company.
- The risks to the Company and to data subjects that may arise from retaining the data.
- Any potential obligations of the Company which result from retaining the data.
Data Security
During the retention period of personal data, appropriate protection and security measures are applied (such as: regular backups, confidentiality agreements, secure physical and digital storage).
Data Processors / Data Sharing
Recipients of personal data may include employees of the Company, acting as authorized personnel responsible for the organization, management, operation, and fulfillment of the purposes arising from the data subjects’ contractual obligations. The Company may assign the processing of your personal data to third parties, in order to better and more effectively fulfill its purposes (indicatively, for the operation of its IT systems, technical support, communication delivery, etc.). Such assignments are always carried out in compliance with the requirements of Data Protection Law. The processors are not permitted to carry out further processing of your personal data, nor are they allowed to disclose your personal data to third parties.
Third Country Recipients
Personal data may be shared with third country recipients (outside the EU) only if the Company ensures that one of the lawful bases under Article 6(1) and/or Article 9(2) of the GDPR is met and that:
a) The Commission has issued an adequacy decision for the third country to which the data disclosure will take place (Article 45 GDPR), or
b) Appropriate safeguards are in place for the disclosure of such data in accordance with the GDPR (Article 46 GDPR), or
c) For occasional processing, one of the derogations provided in Article 49 of the GDPR applies (e.g., the explicit consent of the user and their informed awareness of the risks involved in the disclosure, the disclosure is necessary for the performance of a contract at the request of the data subject, there are reasons of public interest, or it is necessary for the establishment, exercise, or defense of legal claims and vital interests of the data subject, etc.).
Your Data Protection Rights
Each data subject has the following rights under the GDPR:
- The right to be informed through a Privacy Policy.
- The right of access to your personal data at any time.
- The right to rectification: to correct any information you consider to be inaccurate and/or complete information you consider to be incomplete.
- The right to erasure: to request deletion/erasure of your personal data, provided that the Company is not obligated by existing legal framework to retain your personal data, and there is a legitimate basis for this, as stipulated in the GDPR.
- The right to restriction of processing of your personal data, provided that there is a legitimate basis for this, as stipulated in the GDPR.
- The right to object to processing your personal data, provided that there is a legitimate basis for this, as stipulated in the GDPR.
- The right to data portability by requesting the disclosure of the personal data collected by the Company to another organization, or directly to you, provided that there is a legitimate basis for this, as stipulated in the GDPR.
- The right to withdraw consent, provided that the legitimate reason for processing is based on consent.
Requests concerning the above rights are handled by the Data Protection Officer (email: dp@cmengineering.gr) and are responded to within thirty (30) days. The Company has the right to refuse a request for restriction on processing or deletion of your personal data if such processing is necessary for the exercise or defense of its legal rights.
Cookies and Website Analytics
Our website may use cookies to enhance user experience and gather anonymous analytics data. You can manage your cookie preferences through your browser settings or through the cookie banner on our website.
For more details, see our Cookies Policy.
Policy Updates
The Company reserves the right to revise and update this Privacy Policy at any time, to reflect legal or operational changes. Any updates will be posted on this page with a revised ‘Last Updated’ date. Continued use of the website by the data subject–user after any changes to the Privacy Policy constitutes acceptance of such changes.
Contact Us
If you have any questions about this Privacy Policy you may contact us at:
C&M Engineering
99 Pratinou Street, 116 34 Athens, Greece
Email: dp@cmengineering.gr (Data Protection Officer)
Telephone: +30 210 7220014