MARKETING GREECE PROMOTION AND DEVELOPMENT OF TOURISM S.A.
PROTECTION OF PERSONAL DATA POLICY
- Purpose and scope of the personal data protection policy
- General Personal Data Processing Principles
- Data Protection Impact Assessment
- Personal Data Breach
Purpose and scope of the personal data protection policy
The purpose of this Policy is to determine the main principles and rules in accordance with which Marketing Greece collects, processes and stores personal data, as provided by applicable legislation.
As part of its activities, Marketing Greece may collect personal data of associates, users of its platform discovergreece.com, including users of its social network accounts, as well as of its associates in general and of natural persons with which it transacts as part of its statutory duties. These persons may be employees of the company, freelance workers, sole proprietors, lawful or other representatives of legal persons, as well as associates in general of those with which Marketing Greece transacts.
In principle, Marketing Greece may collect and process personal data for the following purposes:
- In order to meet the obligations imposed by law, as well as the provisions of its articles of incorporation on its purposes and its actions, such as:
- The development and application of promotional and marketing programmes of Greece in general and the advertising of the Greek tourism product, internationally and in Greece, including the application of promotional programmes for individual touristic regions and tourism products.
- The study and research of the international and Greek tourism market.
- The provision of consulting services regarding the creation, development and application of a branding system for Greek tourism on a national, regional, local and per category level.
- The listing and showcasing of the historical, cultural, folkloric, geographical, nutritional, recreational, natural environment, etc. elements and characteristics of Greece and its regions.
- The support in the promotion and marketing of programmes, events and actions, which fall within the framework of the national and regional tourism policy and the respective strategy planning of Greek tourism.
- The design of tourism promotional and advertising campaigns, programmes and actions in cooperation and supplementary to the competent public authorities.
- The preparation of a communication strategy plan for the tourism promotion of Greece, as well as of individual touristic regions or products.
- The promotion or support of production of material and of products in general, whose further distribution contributes to the tourism promotion of Greece, as well as of individual touristic regions or products.
- The support of public and private bodies, which are involved in tourism in Greece.
- Any other related activity
- In order to meet the obligations imposed by law, in particular, the applicable employment, insurance, commercial and tax legislation as regards its employees and its suppliers.
- In order to be able to hire personnel or to transact with freelance workers.
- In order to ensure its proper operation within the framework of its statutory purpose and existing legislation.
- In order to ensure the safety of its personnel, facilities and equipment.
- In order to lawfully conclude contracts and meet the lawful obligations imposed by them.
- In order to organize campaigns and promotional actions for Greece and for the Greek tourism product, in Greece and abroad.
- In order to establish collaborations and partnerships with private and public sector bodies, within the framework of its statutory purposes.
As regards the above purposes, Marketing Greece may collect and process personal data, such as the following:
- name and surname, father’s name, mother’s name, year of birth, place of birth, gender, nationality, address, e-mail, contact telephones, Identification Card Number, Tax Identification Number, Social Security Number and other insurance funds’ registration numbers, bank account number, details regarding health, marital status, education and training of employee, work experience, data regarding services provided by Marketing Greece to third parties.
In addition, Marketing Greece may collect and process data which fall under special personal data categories, such as data regarding health, in order to meet its obligations. Likewise, in exceptional cases, when it is dictated by applicable legislation, Marketing Greece may collect and process personal data regarding criminal convictions or offenses, such as a copy of criminal records, always respecting the principle of proportionality.
Moreover, it is possible that some personal data do not belong to the persons directly transacting with Marketing Greece but to third parties (e.g. family members of an employee, children and so on).
According to the circumstances each time, Marketing Greece may process the above data both as a controller and a processor on behalf of third parties.
Marketing Greece may transmit the data to the Greek Tourism Confederation-SETE, which exercises decisive control/dominant influence on Marketing Greece, as well as on the non-profit civil partnership under the corporate name Institute of Greek Tourism Confederation on which the Greek Tourism Confederation-SETE exercises also decisive control/dominant influence, both for internal administrative purposes, including the processing of personal data of associates or/and employees and for information purposes of subjects on the activities and actions of the above three “associated” legal persons.
It is also possible for Marketing Greece to transmit personal data to third parties when this is provided by existing legislation as its obligation or alternatively in accordance with the guarantees provided in existing legislation.
In the event that the transmission regards a country outside the European Union or the European Financial Area, SETE is obligated to notify the Hellenic Data Protection Authority.
The sections which follow describe the general principles based on which Marketing Greece collects and processes personal data, the rights of data subjects, the Data Protection Impact Assessment and the obligations in the event of a data breach.
For the purposes herein, the definitions below have the following meaning:
Personal Data: any information regarding an identified or identifiable natural person (“data subject”). The identifiable natural person is that whose identity may be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Anonymization: the processing of personal data in such a manner that the data may no longer be attributed to a specific data subject.
Pseudonymization: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor: the natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data breach: the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data concerning health: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Existing legislation: The provisions of Greek, Union or other legislation to which Marketing Greece is subject and which determine personal data protection issues, such as:
- Law 2472/1997 on the protection of individuals with regard to the processing of personal data.
- Law 3471/2006 on the protection of personal data and privacy in the electronic communications sectors and amendment of Law 2472/1997.
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended.
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and any laws on its implementation.
General Personal Data Processing Principles
When Marketing Greece processes personal data it ensures that:
- It has lawfully collected and processed this data in accordance with the provisions of existing legislation and the conditions set by it.
- It processes the personal data only for determined, explicit and lawful purposes.
- It does not disclose personal data to third parties unless it is necessary and permitted by existing legislation. In this case, it discloses only the data which are absolutely necessary with respect to the purpose of disclosure, while it is responsible for informing the data subjects prior to disclosing the personal data.
- It uses appropriate technical and organizational measures in order for the personal data to be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. In addition, it reviews the adequacy and efficiency of these measures periodically.
- It makes every effort to ensure that the personal data it keeps and processes are always accurate and up to date.
- The personal data collected are not kept longer than necessary for the purposes for which they were collected and processed. However, personal data may be stored for longer periods insofar as the processing of the personal data is necessary:
i) for complying with a legal obligation which imposes the processing based on a provision of law or a regulatory administrative act.
ii) for the fulfillment of an obligation which is carried out in the public interest.
iii) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, after all the appropriate technical and organizational measures are taken, including their pseudonymization, provided that those purposes cannot be fulfilled through data anonymization.
iv) for the establishment, exercise or defense of legal claims.
Rights of Data Subjects
MARKETING GREECE ensures that data subjects are able to exercise their statutory rights regarding the collection and processing of personal data. These rights are as follows:
- The right of access to data.
- The right of rectification of data.
- The right to erasure of data (“the right to be forgotten”).
- The right to restrict data processing.
- The right to data portability.
- The right to object to data processing.
Marketing Greece is required to inform the data subjects of their rights and facilitate their exercise. Specifically, it is required to inform them of the procedure they can follow in order to exercise them, namely to specify the information they must state in their application, the person to whom they will address their application, the period within which they will be informed of the outcome of their request, as well as the possibility to appeal to the supervisory authority.
Marketing Greece may refuse to satisfy, in whole or in part, a request from the data subject only when this possibility is provided for in the General Personal Data Protection Regulation No 2016/679.
Marketing Greece provides the data subject with information about the processing operations following the relevant request submitted within one month of receiving the request and the identification of the subject. The above period may be extended by a further two months, where appropriate if the request is complex or there is a large number of requests. In that case, Marketing Greece is obliged, within one month from the identification of the request, to inform the data subject about the delay, as well as the reasons for the delay. Within that period, it shall also notify the data subject of any refusal to satisfy the request, in whole or in part, as well as the reasons for the refusal.
Any request by the subject is submitted to Marketing Greece to the following e-mail:
If the data subject submits the request by electronic means, information shall be provided, if possible, by electronic means, unless the data subject asks otherwise.
If the data subject’s claim is manifestly unfounded or excessive, in particular, because of its recurrent nature, Marketing Greece may make its satisfaction subject to payment of a reasonable fee or refuse to respond to the request.
If Marketing Greece processes the personal data as the processor, then it will send the relevant requests to the controller responsible for reviewing and satisfying them.
In the event that any data subject considers that Marketing Greece does not comply with the existing legal framework regarding the processing of personal data or the exercise of its rights, it may refer the matter to the competent supervisory authority or even file a complaint in accordance with the existing legislation. In Greece, the competent supervisory authority for personal data protection issues is the Hellenic Data Protection Authority and any interested party may be further informed by visiting http://www.dpa.gr/.
Data Protection Impact Assessment (DPIA)
When a type of processing may pose a high risk to the rights and freedoms of individuals, Marketing Greece performs an assessment of the impact of the processing operations planned on personal data protection (“impact assessment”) before processing. Impact assessment is a process designed to describe processing, assess its necessity and proportionality, and to assist in risk management by assessing and defining measures to address them. It is not required for all types of processing, but only in cases where a form of processing is considered to be high risk. The impact assessment takes into account the nature, scope, general context and purposes of the processing, in order to assess whether a risk is likely to arise, as well as its gravity for the rights and freedoms of the subjects.
Marketing Greece may decide to carry out an impact assessment for all types of processing, even if this is not considered mandatory by applicable law. In addition, it is not required to prepare a separate impact assessment for each processing type, but it may include in one impact assessment a set of similar processing operations involving similar high risks.
Regulation (EU) 2016/679 sets out the framework within which an impact assessment is required. More specifically, it must be carried out in all cases where the processing is “likely to result in a high risk to the rights and freedoms of natural persons”. For example, such cases include:
- Cases of systematic and extensive assessment of personal aspects related to natural persons, based on automated processing (including profiling), on which decisions are made which produce legal effects on/affect the data subject (e.g. credit control capacity by a financial institution).
- Cases of large-scale processing of specific data categories (sensitive data) or personal data relating to criminal convictions and offenses (e.g. medical records held in hospitals).
- Cases of systematically monitoring publicly accessible space on a large scale (e.g. use of cameras).
The relevant responsibility and decisive competence regarding the conduct of an impact assessment belong to Marketing Greece.
Marketing Greece, when conducting the impact assessment, must define the appropriate procedures and methodologies that best meet its requirements. The impact assessment must contain as a minimum the following elements:
- Systematic description of processing operations.
- Assessment of necessity and proportionality.
- Systematic description of the processing operations envisaged and the purpose of the processing.
- Assessing risks to the rights and freedoms of data subjects.
- Stating the planned measures to address those risks.
When assessing the impact of a processing operation, compliance with a code of conduct, any certifications, and binding corporate rules should be taken into account, as they can be evidence that Marketing Greece has chosen and has taken appropriate compliance measures. At the same time, if there is more than one controller for one processing operation, the roles and responsibilities of each party should be defined, as well as the risks involved in each individual processing operation.
The impact assessment method is carried out by Marketing Greece, with the participation of many stakeholders in the organization and revolves around four axes:
- Specifying the processing framework of personal data.
- Defining existing and planned controls.
- Assessing risks to the rights and freedoms of the subjects.
- Deciding on compliance or otherwise with the protection principles and review.
When, after the conduct of an impact assessment, Marketing Greece finds that mitigation/avoidance/risk transfer measures are not sufficient to reduce risks to an acceptable level, it should contact the Hellenic Data Protection Authority for consultation.
In more detail, in any case of a high-risk processing planning, Marketing Greece should follow the steps below:
- Choose an impact assessment methodology that meets the statutory requirements.
- Submit the Impact Assessment report to the competent supervisory authority (if needed – required by national law).
- Ask the supervisory authority for advice if no adequate measures to mitigate the high risk are available or applicable (when the residual risk remains too high).
- Periodically review the impact assessment and the processing involved, at least when the risk of the processing operation changes.
- Document the decisions taken.
Breach of Personal Data
“Personal data breach” shall mean a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, communication of, or access to, personal data collected, stored, or otherwise processed by Marketing Greece.
A personal data breach may occur in many instances, some of which are cited below by way of indication:
- Loss, destruction or theft of data or documents or equipment in which they are contained or stored.
- Acquiring a right of access, by any means, to personal data by persons that are not properly authorized/licensed.
- Disclosure of information to third parties that are not properly authorized/licensed.
- Sending mail or emails to wrong recipients.
In order to classify an incident as a personal data breach, it is irrelevant whether this was the result of willful misconduct (dolus), negligence, act, omission, accidental or unforeseeable events.
If any employee or partner finds or suspects that a personal data breach may have occurred, they will contact Marketing Greece at: email@example.com
Marketing Greece will then assess the report, conduct further research, where necessary, on the need for mandatory notification of the incident to the competent data protection authority and/or the data subjects, and submit proposals for the actions to be taken.
The notification to the supervisory authority must include the following:
- Description of the nature of the breach, the categories of data, and the subjects.
- Stating the name and contact details of the controller.
- Description of the contact details of the Data Protection Officer.
- Description of the consequences of the breach.
- Description of the measures taken/proposed to address the breach.
In any case, and if the disclosure to the relevant data protection authority is mandatory, Marketing Greece shall do so within 72 hours from the time when Marketing Greece became aware for the first time of the personal data breach. If the notification is made after the 72 hours have elapsed, it shall be accompanied by a justification for the delay.
If the personal data breach may pose a high risk to the rights and freedoms of natural persons, Marketing Greece must immediately notify the breach in question not only to the supervisory authority but also to the data subject.
If Marketing Greece processes data as the processor, it shall notify the controller without delay without making any disclosures.
A summary of the personal data breach incident, including the facts and evidence establishing the breach, its consequences and the actions taken by Marketing Greece, is entered into the record of personal data breaches held by Marketing Greece.
Marketing Greece shall ensure that staff involved in the collection and processing of personal data are adequately informed and trained, taking into account the available training and information methods in order to select the most appropriate ones for each occasion.
More specifically, in cooperation with the heads of the individual Organisational Units, Marketing Greece undertakes:
- To define the goals of training and awareness of the company’s staff.
- To identify the appropriate educational audience.
- To define the appropriate training measures and resources, as well as appropriate partners to provide training.
- To define and ensure the amount of funding for training.
- To identify the appropriate training messages and coordinate the promotion of the training campaign within the company.
- To ensure regular evaluation and any updating of the training campaign.