The purpose of this Policy is to determine the main principles and rules in accordance with which Marketing Greece collects, processes and stores personal data, as provided by applicable legislation.
As part of its activities, Marketing Greece may collect personal data of associates, of users of its platform discovergreece.com, including users of its social network accounts, of its associates in general, and of natural persons with which it transacts as part of its statutory duties. These persons may be employees of the company, freelance workers, sole proprietors, lawful or other representatives of legal persons, as well as associates in general of those with which Marketing Greece transacts.
In principle, Marketing Greece may collect and process personal data for the following purposes:
As regards the above purposes, Marketing Greece may collect and process personal data, such as the following:
In addition, Marketing Greece may collect and process data which fall under special personal data categories, such as data regarding health, in order to meet its obligations. Likewise, in exceptional cases, when it is dictated by applicable legislation, Marketing Greece may collect and process personal data regarding criminal convictions or offenses, such as a copy of criminal records, always respecting the principle of proportionality.
Moreover, it is possible that some personal data do not belong to the persons directly transacting with Marketing Greece but to third parties (e.g. family members of an employee, children and so on).
According to the circumstances each time, Marketing Greece may process the above data both as a controller and a processor on behalf of third parties.
Marketing Greece may transmit the data to the Greek Tourism Confederation-SETE, which exercises decisive control/dominant influence on Marketing Greece, as well as on the non-profit civil partnership under the corporate name Institute of Greek Tourism Confederation, on which the Greek Tourism Confederation-SETE also exercises decisive control/dominant influence, both for internal administrative purposes, including the processing of personal data of associates and/or employees, and for the purpose of informing subjects about the activities and actions of the above three “associated” legal persons.
It is also possible for Marketing Greece to transmit personal data to third parties when this is provided by existing legislation as its obligation or alternatively in accordance with the guarantees provided in existing legislation.
In the event that the transmission regards a country outside the European Union or the European Financial Area, SETE is obligated to notify the Hellenic Data Protection Authority.
The sections which follow describe the general principles based on which Marketing Greece collects and processes personal data, the rights of data subjects, the Data Protection Impact Assessment, and the obligations in the event of a data breach.
For the purposes herein, the definitions below have the following meaning:
Personal Data: any information regarding an identified or identifiable natural person (“data subject”). The identifiable natural person is that whose identity may be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Anonymization: the processing of personal data in such a manner that the data may no longer be attributed to a specific data subject.
Pseudonymization: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor: the natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data breach: the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data concerning health: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Existing legislation: The provisions of Greek, Union or other legislation to which Marketing Greece is subject and which determine personal data protection issues, such as:
When Marketing Greece processes personal data it ensures that:
Marketing Greece ensures that data subjects are able to exercise their statutory rights regarding the collection and processing of personal data. These rights are as follows:
Marketing Greece is required to inform the data subjects of their rights and facilitate their exercise. Specifically, it is required to inform them of the procedure they can follow in order to exercise them, namely to specify the information they must state in their application, the person to whom they will address their application, the period within which they will be informed of the outcome of their request, as well as the possibility to appeal to the supervisory authority.
Marketing Greece may refuse to satisfy, in whole or in part, a request from the data subject only when this possibility is provided for in the General Personal Data Protection Regulation No 2016/679.
Following a relevant request, Marketing Greece provides the data subject with information about the processing operations within one month of receiving the request and the identification of the subject. The above period may be extended by a further two months, where appropriate, if the request is complex or there is a large number of requests. In that case, Marketing Greece is obliged, within one month from the identification of the request, to inform the data subject about the delay, as well as the reasons for the delay. Within that period, it shall also notify the data subject of any refusal to satisfy the request, in whole or in part, as well as the reasons for the refusal.
Any request by the subject is submitted to Marketing Greece at the following e-mail address:
If the data subject submits the request by electronic means, information shall be provided, if possible, by electronic means, unless the data subject asks otherwise.
If the data subject's claim is manifestly unfounded or excessive, in particular, because of its recurrent nature, Marketing Greece may make its satisfaction subject to payment of a reasonable fee or refuse to respond to the request.
If Marketing Greece processes the personal data as the processor, then it will send the relevant requests to the controller responsible for reviewing and satisfying them.
In the event that any data subject considers that Marketing Greece does not comply with the existing legal framework regarding the processing of personal data or the exercise of his or her rights, he or she may refer the matter to the competent supervisory authority or even file a complaint in accordance with the existing legislation. In Greece, the competent supervisory authority for personal data protection issues is the Hellenic Data Protection Authority and any interested party may be further informed by visiting http://www.dpa.gr/.
When a type of processing may pose a high risk to the rights and freedoms of individuals, Marketing Greece performs an assessment of the impact of the planned processing operations on personal data protection (“impact assessment”) before processing. Impact assessment is a process designed to describe the processing, assess its necessity and proportionality, and assist in risk management by assessing risks and defining measures to address them. It is not required for all types of processing, but only in cases where a form of processing is considered to be high risk. The impact assessment takes into account the nature, scope, general context and purposes of the processing, in order to assess whether a risk is likely to arise, as well as its gravity for the rights and freedoms of the subjects.
Marketing Greece may decide to carry out an impact assessment for all types of processing, even if this is not considered mandatory by applicable law. In addition, it is not required to prepare a separate impact assessment for each processing type, but it may include in one impact assessment a set of similar processing operations involving similar high risks.
Regulation (EU) 2016/679 sets out the framework within which an impact assessment is required. More specifically, it must be carried out in all cases where the processing is “likely to result in a high risk to the rights and freedoms of natural persons”. For example, such cases include:
The relevant responsibility and decisive competence regarding the conduct of an impact assessment belong to Marketing Greece.
Marketing Greece, when conducting the impact assessment, must define the appropriate procedures and methodologies that best meet its requirements. The impact assessment must contain as a minimum the following elements:
When assessing the impact of a processing operation, compliance with a code of conduct, any certifications, and binding corporate rules should be taken into account, as they can be evidence that Marketing Greece has chosen and has taken appropriate compliance measures. At the same time, if there is more than one controller for one processing operation, the roles and responsibilities of each party should be defined, as well as the risks involved in each individual processing operation.
The impact assessment is carried out by Marketing Greece, with the participation of many stakeholders in the organization, and revolves around four axes:
When, after the conduct of an impact assessment, Marketing Greece finds that mitigation/avoidance/risk transfer measures are not sufficient to reduce risks to an acceptable level, it should contact the Hellenic Data Protection Authority for consultation.
In more detail, whenever high-risk processing is planned, Marketing Greece should follow the steps below:
Breach of Personal Data
“Personal data breach” shall mean a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, communication of, or access to, personal data collected, stored, or otherwise processed by Marketing Greece.
A personal data breach may occur in many instances, some of which are cited below by way of indication:
If any employee or partner finds or suspects that a personal data breach may have occurred, they will contact Marketing Greece at: firstname.lastname@example.org
Marketing Greece will then assess the report, conduct further research, where necessary, on the need for mandatory notification of the incident to the competent data protection authority and/or the data subjects, and submit proposals for the actions to be taken.
The notification to the supervisory authority must include the following:
- Description of the nature of the breach, the categories of data, and the subjects.
- Statement of the name and contact details of the controller.
- Description of the contact details of the Data Protection Officer.
- Description of the consequences of the breach.
- Description of the measures taken/proposed to address the breach.
In any case, if the disclosure to the relevant data protection authority is mandatory, Marketing Greece shall do so within 72 hours from the time when Marketing Greece first became aware of the personal data breach. If the notification is made after the 72 hours have elapsed, it shall be accompanied by a justification for the delay.
If the personal data breach may pose a high risk to the rights and freedoms of natural persons, Marketing Greece must immediately notify the breach in question not only to the supervisory authority but also to the data subject.
If Marketing Greece processes data as the processor, it shall notify the controller without delay and without making any disclosures.
A summary of the personal data breach incident, including the facts and evidence establishing the breach, its consequences and the actions taken by Marketing Greece, is entered into the record of personal data breaches held by Marketing Greece.
Marketing Greece shall ensure that staff involved in the collection and processing of personal data are adequately informed and trained, taking into account the available training and information methods in order to select the most appropriate ones for each occasion.
More specifically, in cooperation with the heads of the individual Organisational Units, Marketing Greece undertakes: