Privacy Policy

PERSONAL DATA PROTECTION POLICY

The «ANAPTIXIAKI HPEIROU SA - Local Government Development Agency», wishing to safeguard your personal and sensitive personal data, has implemented all the necessary technical and organizational measures as defined by the General Data Protection Regulation (EU) 2016/679. Protecting your privacy and safeguarding the confidentiality of your information and data is our fundamental priority. 

This policy explains the legal framework under which your data is collected and processed, the types of data we collect and process, the procedure and purpose of collection, the time of their retention, as well as the reasons for their disclosure to third parties if required. In addition, all your rights and the actions you can take to exercise them are disclosed and analysed.  

This information document provides any person who receives or is interested in receiving services from the Agency with concise, accurate and transparent information regarding the practices followed for the management and protection of personal data. 

The Organization reserves the right to modify and update this Policy whenever it deems necessary, and any changes will take effect upon their public display on the Website https://www.epirussa.gr/ and at the reception points of our facilities. 

The Agency has appointed a Data Protection Officer (DPO), who can be contacted directly on any relevant matter at the following email address dpo@epirussa.gr.

 

Introduction 

  • Personal Data 

Personal data is any information relating to a specific natural person or a person whose identity can be verified directly or indirectly (e.g. name, identity number, address, etc.) («Data Subject»). For the purposes of this document, data concerning racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, health data, sexual life, sexual orientation, etc. are included in the general term «personal data».

  • Processing

Processing is any operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

  • Controller

A controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its appointment may be provided for by Union or Member State law. 

  • Processor

A processor is the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. 

  • Data Protection Officer (DPO) 

The Data Protection Officer (DPO) ensures, in an independent manner, the supervision of the strategy and compliance of the controller and processor with the provisions of the GDPR 2016/679 EU (GDPR) and mediates between the various stakeholders (e.g. supervisory authorities, data subjects). Its role is advisory (not decisive) and it is not personally liable for non-compliance with the Regulation. 

 

Legal framework for the protection of personal data 

At the Agency, we collect and process your personal data in accordance with this privacy notice and:

  • in compliance with the EU Regulation 2016/679,  
  • the applicable Greek data protection legislation,  
  • the legal framework in force for the provision of the services provided by the Agency, 
  • and the consents we obtain (in cases where there is no lawful basis for the processing). 

This notice provides you with the necessary information regarding your rights and obligations and explains how, why and when we collect and process your personal data. 

 

Personal Data we collect 

During your visit and for the provision of services by the Agency, a variety of personal data is collected, such as, but not limited to: contact details, demographic data, family data, etc. These data are collected: 

  • In electronic form. 
  • In printed form. 
  • In a combination of the above.

in order to provide you with our services. This information will henceforth form part of the Agency's records and will be kept for the period of time specified in the applicable legislation depending on the category of data/documents to which it belongs.

Our Agency staff will be aware of your personal data for the purposes of carrying out their duties, but this will be limited in scope and extent in accordance with their responsibilities. All Agency staff are bound through their employment contracts by clauses of confidentiality, secrecy and privacy of the information they become aware of, and all employees follow the Public Sector Code of Conduct, which aims to protect the confidentiality of information. Due to the importance of privacy and protection of your privacy, we carry out strict regular audits to protect your data, as well as periodic regular training of our staff to ensure proper compliance with the procedures as defined by the applicable legislation. 

The Agency only processes your personal information that is necessary to fulfil its legal, regulatory and contractual obligations and to provide you with its services. We will never collect unnecessary personal data from you and we will not process your data in any way other than as set out in this notice. We take all possible and appropriate measures to ensure that our data collection and processing includes only what is strictly necessary. We acquire, retain and process only the data that is necessary for the performance of our services to you and the performance of our legal obligations, and we only retain it for as long as necessary.

Our systems, employees, processes and activities are designed to limit the collection of personal information to the extent necessary and to achieve the stated purpose. Minimizing the processing of personal information allows us to control and reduce data protection risks and breaches and to support our compliance processes with applicable data protection laws and regulations. 

 

Categories of Personal Data collected 

  • Personal and sensitive employee data
  • Personal and sensitive data of partners/suppliers
  • Citizens' personal and sensitive data

For example:

  • Personal and contact details: first name/surname, marital status, home address, personal e-mail, home telephone, mobile telephone, etc. 
  • Demographic and identity data: date of birth, identity card number, passport number, VAT number, social security number, etc. 
  • Special categories of personal data: income data

 

How Personal Data is received 

Personal data processed and stored by the Agency may be obtained: 

  • Verbally, upon your arrival at the reception and service points of the Agency. 
  • Through the completion of the documents and applications necessary to deal with your issues. 
  • From the persons accompanying you or legally entitled to act on your behalf (your personal representative) if you are unable to provide this information yourself. 

 

Legal Basis for Processing 

The Agency in the context of its operation and for the fulfilment of its objective (provision of services for the benefit of citizens) receives and processes a variety of personal and sensitive personal data based on the following legal bases.  

  • Article 6 / paragraph 1 / point (b) of the GDPR: processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract. 
  • Article 6 / paragraph 1 / point (c) of the GDPR: processing is necessary for compliance with a legal obligation of the controller. 
  • Article 6 / paragraph 1 / point (e) of the GDPR: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 
  • The need to fulfil the obligations and exercise specific rights of the controller or data subject in the field of labour law and social security and social protection law.  
  • Article 9 / paragraph 2 / point (f) of the GDPR: processing is necessary for the establishment, exercise or defence of legal claims or where the courts are acting in their judicial capacity.  
  • the need to fulfil archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR on the basis of Union or Member State law, which are proportionate to the objective pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.  
  • Consent, in cases where it is explicitly required for the processing of sensitive personal data not covered by the aforementioned legal bases. It is stressed that this is obtained by written consent. Please note that you can withdraw your consent by submitting your request either to the Protocol or to dpo@epirussa.gr.

 

The purposes and reasons for processing your personal data are detailed below: 

We collect and store your personal data and data that fall into the special categories for the provision of services to you based on the legal bases set out in the previous section and in particular for:   

  1. The contractual agreement with you 
  2. Data retention for historical purposes and for the future need to document cooperation  
  3. Our legitimate interest in the provision of services 
  4. Maintaining data in order to enable the Agency to respond to audits by audit authorities of the legality of procedures and payments 
  5. The enforcement of rights and obligations arising from social security law  
  6. The maintenance of employee records and their processing in accordance with labour legislation 
  7. Your interest in receiving these services 
  8. The performance of a task carried out in the public interest 
  9. The establishment, exercise or maintenance of legal claims or where the courts are acting in their judicial capacity 
  10. Compliance with a legal obligation 

 

In addition: 

We retain your special categories of data for as long as required by law. 

We may share your information with third (non-Organisation) parties only if required by law: 

  • When a formal court decision has been issued. 
  • When sharing information with the police can prevent a serious crime. 
  • When you give us an explicit mandate and authorization to do so. 
  • When we need to safeguard the legitimate interests of the Agency or third parties, such as the collection of our claims through third party agents (e.g. tax authorities) or through a branded complaint, etc. 
  • When it is our legal obligation (e.g. tax authorities, social security funds) after you have been informed. 
  • When we obtain your informed consent.

 

Sharing and disclosure of your Personal Data 

We do not share or disclose your personal data without your consent, for any purpose other than the purposes set out in this notice or where required by law. The Agency uses selected partners (acting as «processors» under the GDPR) to provide the services and business functions below; however, all processors acting on our behalf process your personal data in accordance with the instructions they receive from us and fully comply with this privacy notice, the principles of the General Data Protection Regulation (EU) 2016/679 and any other appropriate confidentiality and security measures. In particular, all of the selected partners have fully accepted the confidentiality and secrecy clauses set by the Agency regarding the processing of data. Indicative categories of processors with whom we may share your data are: 

  • External accounting support partners. 
  • Provision of computerised systems. 
  • External information support partners. 
  • External partners Auditors (Internal Auditors, Statutory Auditors, etc.).
  • Occupational Physician.
  • Security Technician.
  • Public bodies (DIAVGEIA, KIMDES, e-government platforms).

 

Protection measures 

At the Agency, we take all reasonable technical and organisational measures and precautions to protect and safeguard your personal data. We work to protect you and your data from unauthorised access, modification, disclosure, destruction or any other processing and have put in place the necessary levels of security measures such as: network security controls, firewall software, continuous training of staff in technical and organisational security measures. 

 

How long we keep your data for 

At the Agency we only retain personal data for as long as necessary and we have strict policies and procedures in place to review and retain your data in order to meet our commitments. According to Greek legislation, the records of the O.T.A. are considered public records. Therefore their maintenance is determined by the PD 480/1985 «Clearance of the archives of Local Authorities and their foundations, legal persons governed by public law and their associations». Under the PD, records are kept from two (2) years to perpetuity depending on their usefulness and necessity. They are then checked by the General State Archives and either destroyed or transferred to the storage facilities of the G.A.K. if they are classified as historical.  

If you have consented to us using your data for promotional activities and informing you about events and other activities of the Organization, we will retain this data until you notify us otherwise and/or withdraw your consent by sending a request to the following email address dpo@epirussa.gr. The tax data are kept in accordance with tax legislation. 

 

Exercising your rights 

With regard to the personal data concerning you, you may exercise the following rights by submitting a written request in person or through a duly authorised representative of the Agency, or by sending the request by post, duly signed and certified. 

a) The right to information and access to all personal data held and processed by the Agency, concerning you, the type of processing, the purposes of processing, the recipients or categories of recipients of your personal data, as well as the time of their retention. 

b) Right to rectification. If you believe that we hold any incomplete or inaccurate data about you, you have the right to request that we correct and/or complete this information. 

c) The right to delete your personal data exclusively and only in the following cases: 

  • when your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed 
  • where you withdraw your consent on which the processing of your personal data was based and there is no other legal basis for the processing  
  • where the law requires the deletion of your personal data or where they have been processed without the necessary legal basis.  

d) Right to restriction of processing in the following cases: 

  • when you question the accuracy of your personal data and until the Agency verifies the accuracy of your personal data 
  • when, instead of erasure, you request the restriction of the processing of your personal data 
  • where the Agency no longer needs your personal data for the purposes of processing, but the personal data are required by you for the establishment, exercise or defence of legal claims. 

e) Right of portability, i.e. you have the right to request the transfer of your data to another Organisation either in Greece or abroad, or their delivery to you in a standardised electronic format on a portable storage medium (e.g. CD, DVD). 

f) The right to object to the processing of your personal data, unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or support of legal claims of the Agency.

g) Right to object to direct or indirect marketing and promotional activities by us and/or any automated decision-making process we may use. 

The right of erasure shall not apply if the processing or maintenance of the data by the Agency is mandatory and/or necessary in accordance with the legislation, as well as for the establishment, exercise or support of legal claims and rights or the fulfilment of its obligations.  

In order to exercise any of the above rights, identification by means of an official legal document or a duly signed authorisation is required. 

The Agency will reply to your request free of charge, without delay and in any case within one month of receipt of the request, except in exceptional cases, in which case the above deadline may be extended by two more months, if necessary, taking into account the complexity of the request, the volume of material to be processed and/or the number of requests. The Agency will inform you of any extension within one month of receipt of the request and of the reasons for the delay. 

If it is not possible to meet your request, the Agency will inform you without delay and at the latest within one month of receipt of the request, of the reasons for the request and of the possibility to lodge a complaint with the Data Protection Authority (DPA), as well as of your right to bring an action before the competent judicial authorities. 

 

Submit a Complaint 

The Agency only processes your personal data in accordance with this privacy statement and in accordance with the relevant data protection laws. If, however, you wish to make a complaint about the processing of your personal data or if you are dissatisfied with the way we have handled your personal data, you have the right to lodge a complaint either at the email address of the Agency's Data Protection Officer: dpo@epirussa.gr, or in writing through the secretariat of the Agency. Finally, you have the right to lodge a complaint with the Data Protection Authority (DPA) [1-3 Kifissia Street, P.C. 115 23, Athens, tel.: +30 2106475600, email: contact@dpa.gr] if you consider that your rights to the protection of your personal data have been infringed. You also have the right of recourse to the competent judicial authorities for the protection of your personal data.

 

E.04.01/4.0/20-9-2021
EU.DG.G.G.3.01