The Group

Protection of Personal Data

For Quest Group, the protection of personal data of natural persons is of paramount importance. For this reason, Quest Group fully complies with the regulatory framework for the protection of personal data, ensuring on a permanent basis that a high level of compliance be maintained.

To this end, we have established a business framework in Quest Group, which, on the basis of our timeless legacy– that is the Group’s dominant values that put people and social progress first– adopts and integrates in its daily operation the processing of personal data fully complying with the principles of lawful processing as defined in the General Data Protection Regulation and in the National Legislation.

Thus, in the context of the Group's business activity, we process personal data only when we have a legitimate reason, respecting the principles of fair and transparent processing in respect of the natural persons; and respecting the principles of purpose limitation, data minimization, accuracy and storage limitation.

Furthermore, the Group, in line with the principles of integrity and confidentiality of personal data, and security of processing thereof, shall apply appropriate technical and organizational measures to ensure their appropriate security protecting, inter alia, personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage. Complying with and respecting the principle of accountability is of paramount importance as regards the Group's operations involving processing of personal data.

In this context, Quest Group has adopted the following Policies and Procedures into which the regulatory requirements for the protection of personal data have been incorporated, and which are updated in order to reflect the adjustments that take place at regulatory level and are applied overall by all companies of the Group.

In Particular, Quest Group applies the following Policies:

 

This policy includes the Statement of the Management, the organization of compliance, the Data Protection Principles, and the general guidelines for compliance with the General Regulation.

This policy provides instructions and clarifications regarding the implementation of the fundamental principles for the protection of Privacy by Design and by Default – PbD.

This policy systematically records and standardizes actions to deal with data breaches.

This policy specifies the framework of obligations relating to the retention of Quest Group documents and digital records.

This policy outlines the framework, obligations, roles and responsibilities with regard to the Data Protection Impact Assessment (DPIA), in cases where the processing is likely to result in a high risk for the rights and freedoms of the data subjects.

This policy defines the framework of obligations arising from the processing of personal data by the use of video surveillance systems (CCTV), and specifies the conditions for their lawful operation.

This procedure specifies the framework of actions followed by Quest Group to deal with breaches in a timely manner.

This procedure determines the steps to be followed by the Group’s companies to fully and lawfully process requests by data subjects

This procedure sets out the conditions for the lawfulness of the processing of personal data through video surveillance systems.

This procedure seeks to ensure that all employees of the Group are informed and trained to be able to perform their duties in accordance with the requirements laid down in the regulatory framework for data protection.

This procedure determines the evaluation criteria for carrying out the required Impact Assessment for Personal Data, specifying the terms for assessing the conditions of lawfulness of the processing and the steps for the assessment and management of the risks associated with data processing.

This refers to the way in which Quest Group ensures that the personal data it processes is compliant with the requirements of GDPR.The compliance audit process with the regulatory framework for personal data protection includes the evaluation of the current data processing practices, the identification of weaknesses and issues in compliance and the adoption of measures to address them.

where Quest Group, as the Data Controller, analyzes and assesses the legal basis of the legitimate interest that justifies the processing of personal data. During this process, legal requirements governing the processing of personal data are taken into account, as well as the interests of the Quest Group. Quest Group examines the legal basis of its legitimate interest in order to justify the processing of the personal data it conducts.