1. Objects and purpose of this policy

Our Company respects your privacy and protects your personal data. For any issue that may be addressed herein, you may contact the data protection officer listed below. With this policy we aim to keep you informed of the personal data we collect and process during our operation. Your personal data is collected and maintained for the necessary time, for the specified, explicit and legitimate purposes described below, processed in a lawful, fair and transparent manner, always in accordance with the applicable legal framework and in a manner that guarantees completeness and confidentiality. This data shall be suitable, relevant, appropriate, and not exceed the data required in the light of the foregoing purposes and shall be accurate and, if necessary, updated.

1. Concepts and Definitions

“Personal data”: any information relating to an identified or identifiable natural person (“data subject”). Identifiable is the natural person whose identity can be directly or indirectly identified, in particular by reference to an identifier such as name, identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of this natural person.

“Processing of Personal Data”: any act or series of acts performed with or without the use of automated means on personal data or on personal data sets, such as the collection, registration, organization, structure, storage, adjustment or alteration, retrieval, search for information, use, disclosure by transmission, dissemination or any other form of distribution, link or combination, restriction, deletion or destruction.

“Data Controller” is the natural or legal person, public authority, agency or other body that, alone or in along with others, determines the purposes and manner of processing personal data.

“Performer of the processing” means the natural or legal person, public authority, service or other entity that processes personal data on behalf of the data controller.

“Consent” of the data subject: any indication of a free, specific, explicit and fully aware will, with which the data subject indicates that he or she agrees, with a statement or a clear affirmative action, to the processing of personal data relating to him / her

“Personal data breach“: the breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed

“Health Data”: personal data related to the physical or mental health of a natural person, including the provision of health care services, and which discloses information about his or her state of health.

“Special categories of personal data/Sensitive personal data” personal data revealing racial or ethnic origin, political beliefs, religious or philosophical beliefs or participation in trade unions, as well as the processing of genetic data, biometric data for the unambiguous identification of face, health data or data concerning the sexual life of a natural person or the sexual orientation.

III. General Principles for the Processing of Personal Data

Our Company ensures that the personal data it processes are

• Subject to processing that is lawful and legitimate with respect to the data subject
• Collected for specified express and legal purposes
• Appropriate, relevant and limited to those necessary for the purposes for which they are processed
• Accurate and updated
• Processed in such a way as to guarantee the appropriate security of personal data, including their protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organizational measures.
• Retained only for the time required for the processing of personal data. In some cases they may be retained for a longer period, especially if the processing of such data is deemed necessary for:

– the compliance with a legal obligation imposed by a provision of another law.

– the compliance of the Company with the duty to fulfill a public interest objective.

– archiving for purposes of public interest, scientific or historical research

– for purposes relating to the protection of public health 

– for statistical purposes

–  for the foundation, opposition, exercise or support of legal claims.

1. Legal Framework for the Protection of Personal Data

In addition to the Regulation (EU) 2016/679 of the European Parliament and of the Council (2016/679) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, any national law with respect to the processing and protection of personal data, 
as well as the Directives issued by the Data Protection Authority, shall apply. Indicatively, the following laws are mentioned:

• Law 4624/2019 (Measures for the Implementation of the European Parliament’s General Data Protection Regulation [2016/679])
• Law 2472/1997 on the protection of individuals from the processing of personal data.
• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
• Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
• Directive 1/2011 of the Data Protection Authority on the Use of Video Surveillance Systems for the Protection of Persons and Goods.
• Directive 115/2001 of the Data Protection Authority on the Protection of Personal Data in the Field of Labor Relations.
• Law 3471/2006 on the protection of personal data and privacy in the field of electronic communications
• Regulations of the relevant administrative bodies.
• Health Protocols, Acts of Legislative Content, Joint Ministerial Decisions.

1. Purposes of Processing

In accordance with the above legal framework, personal data collected by our Company are used for the following processing purposes:

1. a) To manage your reservation as well as any other hosting service
2. b) To manage the relationship with you before, during and after your visit
3. c) For the Company’s compliance with Greek and European Law
4. d) For marketing purposes
5. e) For the establishment, recognition, exercise or defense of a right and legal claims
6. f) To support business processes
7. g) To improve our services
8. h) For the security of our information systems
9. i) For membership acquisition programs.
10. j) For the performance of a task performed in the public interest and in the field of public health

1. Legal basis for the Processing of Personal Data

Our Company processes your personal data transparently, in accordance with the principles of legality, proportionality, confidentiality and integrity, limitation of purpose and accuracy, specific time of data retention and data minimization.

The legal basis for processing your personal data may be:

1. a) your consent
2. b) the need to process your data in the context of our contractual obligation or at the pre-contractual stage
3. c) the need to process your data in accordance with our legal obligation
4. d) the need to process your data in the context of safeguarding our legitimate interests
5. e) the need to process data to protect the vital interests of you or the person you accompany
6. f) the need to export statistics
7. g) the need for processing to fulfil a duty in the public interest, in particular in the field of public health.

VII. Data that the Company processes

For the above purposes, our Company collects and processes personal data, including indicatively the following:

1. Employees / External Partners: full name, father’s name, mother’s name, year of birth, place of birth, gender, nationality, address, email address, contact phone numbers, identification card number (ID), tax registration number (VAT), AMKA, bank account number (IBAN), marital status, education and training status of the employee/ partner, work experience, curriculum vitae, salary, working hours, medical record / health certificate

Purposes / Legal basis for data processing:

–Managing the working relationship between the Company and the employee/external partner. The processing of this data is considered necessary for the performance of the employment contract.

– Fulfilling the employer’s obligations of the Company. The processing of data is necessary for the compliance of the Company with its legal obligations.

2. Prospective Employees:name, surname, contact information, education, work experience, email, nationality, marital status

The Company collects and processes candidates’ personal data for vacancies. This data is collected by the candidate upon submission of the relevant application. In case of non-recruitment, the CV of the candidate is retained for 2 years to cover any future job opportunities.

Purposes / Legal basis for processing

-Assessment of the candidate’s suitability for a particular job vacancy. The legal basis for processing is the legal interest of the Company and the consent of the prospective employee.

3. Participants, speakers and invited to scientific conferences, actions and events
4. a) Full name, postal address, status, profession, email.
5. b) Image data (photo / video recording). As part of the implementation of the actions of the Company, it is possible to take pictures and / or videotape the various events, conferences or workshops organized by the Company. This data may be posted on the site or social media managed by the Company.

Purposes / Legal basis for data processing:

– The purpose is the successful organization. The processing of personal data is considered essential for the successful management and organization of their actions and purposes.

4. Residents / Visitors: full name, passport number, date of birth, credit card number, length of stay, price, email, address, telephone, pricing information

Purposes / Legal basis for data processing:

– Performance of a contract to which the subject is a party

– Consent of the subject

– Compliance with the legal obligation of the Company

5. Suppliers: Full Name, VAT, IBAN, Telephone, Address, Email

Purposes / Legal basis for data processing:

–          Performance of a contract to which the subject is a contractual party

6. Special categories of personal data
   6.1 Employees: The Company may collect and process data belonging to specific categories of personal data (“sensitive data”), such as data relating to the health of its employees, in order to meet its insurance obligations. We may also process health data in the context of the obligation to comply with the National Legislation and the application of the Health Protocols, as they apply each time. Similarly, in exceptional cases, when required by applicable law, the Companymay collect and process data relating to criminal convictions or offenses, such as copies of criminal records, always respecting the principle of proportionality.

Residents / Visitors / Participants: The Company may process data belonging to specific categories of personal data (“sensitive data”), such as data on eating habits, allergies, religious beliefs, illnesses etc.. We may also process health data in the context of the obligation to comply with the National Legislation and the application of the Health Protocols, as they apply each time.

Purposes / Legal basis for data processing in the above cases:

– Fulfillment of the obligations and exercise of specific rights of the Company or the data subject in the field of labor law and social security and social protection law.

– Protecting the data subject’s vital interests

– The fulfilment of a duty in the public interest, in the field of public health.

6.2 Communication Data

Persons who have expressed their wish through valid consent to receive news and updates from the Company.

Purposes / Legal basis for data processing:

Consent of persons wishing to receive updates and offers from the Company

VIII. COOKIE POLICY

Ενσωμάτωση των παραγράφων 1 – 8 της πολιτικής που ήδη υπάρχει στο site

1. Transmission of Data

The entire workforce of the Company that processes your personal data is contractually bound by the terms of confidentiality and privacy of your data. It is part of our philosophy and our basic principle that we shall not disclose your information to third parties for their own independent business or marketing purposes without your consent.

However, we may share your information with the following:

• Affiliate companies.
• Business partners. We may also share your information with trusted business partners. These partners may use your information to provide the services you requested and to provide you with promotional material, advertisments, and other material, in the event you have given your consent.
• Service providers and / or any third party who may undertake the processing on our behalf. We may also disclose your information to companies that provide services on our behalf, such as IT subcontractors, companies that send bulk emails on our behalf, banks, credit card issuers, law firms, mail service companies, print service companies, etc.
• Other third parties with your consent or by your order. In addition to the disclosures described in this Privacy Policy, we may share information about you with third parties if you give your consent or request it.
• Public Bodies (e.g., National Public Health Organization), where expressly provided for by national legislation.  

Exceptionally, the following are allowed to have access to your personal data:

1. a) the judicial and prosecutorial authorities in the exercise of their functions of their own motion or at the request of a third party claiming a legitimate interest and in accordance with lawful procedures;
2. b) other bodies of the Greek State, which by virtue of their statutes have such a right and competence.

1. X. Data Retention Time

We take reasonable steps to ensure that your personal information is retained only for as long as it is necessary and for the purpose for which it was collected or for as long as it is required under contract or applicable law.

The CVs collected by the relevant HR department are kept for two years and then destroyed.

Tax information is maintained in accordance with tax law.

1. Rights of the Subjects of Personal Data

The Company ensures that data subjects are able at any time to exercise their rights under the law regarding the collection and processing of personal data. These rights are as follows:

You have the following rights with respect to your personal data:

• You have the right to know why your personal data is needed, what will happen to it, and how long it will be retained for.
• Right of access: You have the right to access your personal data that is known to us.
• Right to rectification: you have the right to supplement, correct, have deleted or blocked your personal data whenever you wish.
• If you give us your consent to process your data, you have the right to revoke that consent and to have your personal data deleted.
• Right to transfer your data: you have the right to request all your personal data from the controller and transfer it in its entirety to another controller.
• Right to object: you may object to the processing of your data. We comply with this, unless there are justified grounds for processing.

To exercise these rights, please contact us. Please refer to the contact details at the bottom of this Privacy & Cookie Policy. If you have a complaint about how we handle your data, we would like to hear from you, but you also have the right to submit a complaint to the supervisory authority (the Data Protection Authority).

 The Company will respond to your request free of charge, without delay and in any event within one month upon receipt of the request.

In the event that the satisfaction of your request is impossible, the Company will inform you within one month upon receipt of the request, of the relevant reasons and of the possibility to file a complaint with the Data Protection Authority, as well as about your right to appeal to the competent judicial authorities.

If your claim is deemed by the Company to be manifestly unfounded or excessive, it may give rise to the charge of a reasonable and proportionate fee, taking into account administrative costs to satisfy it or refusing to process your claim.

XII. DPO information

For any request regarding the processing of your personal data, please refer to the Data Protection Officer (DPO) of the Company:

Full name: …………….

Τelephone: (+30) ………………

E-mail: ………………………….

Website: ……………………….

Address:  ……………………………….

XIII. Right to report to the Competent Authority.

In case you feel that your privacy is in any way affected, you may contact the Hellenic Data Protection Authority (www.dpa.gr, 1-3 Kifissias Avenue, 115 23, Athens, +30 210 6475600, +30 210 6475628, contact@dpa.gr).


XIV. Changes to this Policy

The Company may unilaterally revise this Policy at any time for reasons of compliance with regulatory changes or for operational purposes.

We encourage you to review this Policy regularly to find out how the Company manages and processes your personal data.