Last Update: 18-03-2019
The Piraeus Bank Group Cultural Foundation (henceforth, PIOP) recognises and respects the importance of the personal data that it handles in the context of its activities, and has therefore fully adapted its policy to the requirements of the General Data Protection Regulation 2016/679/EC (henceforth, GDPR).
With the present statement, the PIOP wishes to inform those that contact the Foundation at its headquarters in Athens and its branches in Tavros, Kallithea, Dimitsana, Stymphalia, Sparta, Tinos, Chios, Ioannina, Volos, Lesvos and Soufli by telephone or at its e-mail address, and those that use one of its services or its website (www.piop.gr), under what capacity, for what purpose and on which legal basis it processes data that concern them and can be used, directly or indirectly, to identify them - i.e. their personal data. In particular, the information concerns:
For this purpose, we request that you dedicate some time to read the present statement by the PIOP.
If you have any question or query, if you wish to receive a copy of the present statement, or if you wish to exercise one of the rights listed below about your personal data, please contact us via e-mail at firstname.lastname@example.org or by telephone at 210 3256922.
1. The PIOP as "Processing Entity" of Personal Data
The Piraeus Bank Group Cultural Foundation is a non-profit public welfare institution. Its registered seat is at 6 A. Geronta Street, Athens 105 58. PIOP supports the preservation and showcasing of the country's cultural heritage, with particular emphasis on craft and industrial technology, and advances the interconnection between Culture and Environment. According to its statutes, its operating expenses are covered by the Piraeus Bank. The PIOP also seeks co-financing by national and European programs for certain projects. It has forged networks of cooperation with universities, research centres, cultural associations, and specialist scientists from Greece and abroad. In the context of its activities, the PIOP processes personal data, of which it thus becomes the "Processing Entity".
1.1 Contact particulars for the Processing Entity
Appellation: Piraeus Bank Group Cultural Foundation
Address: 6 A. Geronta Street, Athens 105 58
Telephone - Fax: 210 3256922 – 210 3218145
Data Protection Officer (DPO):
Name & Surname: Evangelos Mihaloliakos
Advanced Quality Services Ltd.
1A Sarantaporou & Tirnavou Streets
Aghios Stephanos, Attica 145 65
Telephone: 210 6216997
Fax: 210 6216990
2. Personal Data Subjects and Sources
(a) In the context of its activities, PIOP collects personal data that are directly given to it by the following:
(b) Personal data can also be collected automatically, as for example via the "cookies" activated when you visit our website (cf. cookies policy).
3. Personal Data Categories
The personal data collected and processed by the PIOP can be, according to the case each time:
4. Purpose of the Processing
The PIOP processes your personal data in order to:
5. Lawfulness of Processing
In particular, the legal grounds for processing your data are the following:
Regarding special categories of personal data:
Regarding data relating to criminal convictions and offences:
6. Transfer of personal data outside the European Union
The newsletter services to registered users are offered through the Mailchimp platform, which is based in the US and complies with all legal obligations to protect your personal data.
7. Disclosure to third parties
The PIOP does not make unlawful disclosures or transfers of your personal data to third parties. Therefore, your data will not be forwarded to third parties for the purpose of commercial promotion.
The PIOP uses third parties - service providers who undertake the processing. They are contractually bound against PIOP not to use your personal data unless they receive specific instructions, and so will not share your personal data with anyone other than the PIOP and will safeguard the data securely for as long as PIOP has instructed them to do so.
In certain cases, the PIOP may be under a legal obligation to disclose your data, as in the case of a court order or when PIOP is cooperating with public authorities and organisations within the European Union pursuant to provisions of EU or internal law.
Therefore, the PIOP may disclose or transfer your data to third parties when the legal conditions for doing so are met, and specifically when there is:
- your prior consent as the data subjects; or
- a legal obligation to disclose data to the competent State entities and organisations and the competent Judicial and Public Prosecutor Authorities, when the request is duly made by an authority having the related mandate.
8. How long is your data kept?
The PIOP keeps your personal data for as long as the purpose of the processing is on-going. After that period elapses, PIOP maintains your personal data, as per the law, when necessary in order to comply with a legal obligation under EU or national law and when necessary for substantiating, exercising or supporting any legal claims of the Foundation.
9. What are your rights and when can you exercise them?
According to the General Data Protection Regulation, depending on the legal grounds on which PIOP is based for processing your data, you have the following rights:
9.1 Right of Access
You have the right to receive:
a) statement of confirmation regarding the processing of your data; and
b) a copy of such data.
To submit a request to access your personal data, you can do so in writing, via e-mail, or even verbally; however, we recommend that you submit the application in writing or via e-mail, so you can monitor the progress of your request.
You may not wish that the processing of all your personal data held by PIOP should cease. In this case, it would facilitate and expedite the procedure if you stated precisely for which data you wish to exercise this legal right.
When you submit a request for access (to personal data) you must include the following information:
- Name and contact particulars.
- Any information that the PIOP uses to identify you or distinguish you from other people with the same name, such as code number, etc.
- Details or relevant dates that will help locate what you are searching for.
When can the PIOP refuse to grant the request for access?
The Foundation may refuse to grant the right of access if your data also includes personal data of another person, except if:
- The other person has consented to the disclosure of its data or it is justifiable to give you the related information without the other person's consent.
To make the related decision, the Foundation will need to weigh your right of access against the rights of the other person as regards his/her own information.
The PIOP may also refuse to grant the right of access when the request is obviously groundless or excessive.
In every case, the PIOP must notify you and justify its decision. It must also inform you of your right to register a complaint with the Data Protection Agency or before a Court.
How long will it take for the Foundation to reply to my request?
The PIOP warrants that it will respond to your request within one month. In specific cases more time may be needed to assess your request, and up to two months may elapse before you receive our reply. If the PIOP makes use of this additional time, it will inform you within one month of the reason why the extra time is needed.
Can the PIOP levy a charge for granting a third party's right of access to its data?
One copy of your personal data will be given to you free of charge. However, if it is obvious that your request is repeated groundlessly or excessively, you may be charged for the related administrative expenses.
9.2 Right of Information
You also have the right to be informed about the following:
- The purpose for which the PIOP processes your data.
- With whom it shares or to whom it discloses the data.
- For how long it will keep your data and how it came to that decision.
- That you are entitled to question the accuracy of your data and ask that it be deleted, that you can ask that it not be used, that you can register a complaint with the Data Protection Agency, that you are informed about the source of the data and about whether your data are used for making automated decisions and whether they are transferred to a third country.
9.3 Right of Correction
You are entitled to request that your data be corrected, if they are inaccurate, or that they be supplemented, if they are incomplete.
To exercise your right you must notify the PIOP that you question the correctness and comprehensiveness of your personal data. You must specify which data are incorrect or deficient, explain how PIOP must correct them, and provide evidence of the inaccuracies.
When you request a correction of your data, the PIOP will diligently check if the data are accurate or not, based on the evidence you will submit and the particulars that the PIOP already holds. Then, it will inform you about whether it has corrected, deleted or supplemented the data. If the PIOP considers that the inaccuracy or non-comprehensiveness of the data has not been proved, it will notify you thereof, justifying its negative response. If the PIOP has disclosed the data to third parties, it will contact them and inform them about the corrections or additions it has made, except if that is unfeasible or requires disproportionate effort. The PIOP can also inform you to whom it has forwarded your data.
9.4 Right of Deletion
You are entitled to request that your personal data be deleted, if you no longer wish them to be processed and if there is no lawful reason for the PIOP to hold them under its capacity of Processing Entity.
Specifically, this right is exercised:
- when the legal basis for processing is your consent and you revoke it, and no other lawful basis for the processing applies, and therefore the data must be deleted;
- when your data are no longer necessary for the purposes for which they were obtained or if they are otherwise or illegally subjected to processing, or if you oppose their processing and there apply no imperative or legal grounds for the processing; and
- if the data was obtained illegally or when you were a child in the context of providing an on-line service.
Note, however, that this is not an absolute right, since the retention of personal data by the PIOP is lawful when necessary on grounds such as compliance with a legal obligation of the Foundation or for substantiating, exercising or supporting a legal claim.
The PIOP is entitled to refuse to delete the data in the following cases:
- When retention of the data is necessary on grounds of freedom of expression and the right to information.
- When retention of your data is a legal obligation.
- When retention of your data is necessary for reasons of public health.
- When retention of your data is necessary for substantiating, exercising or supporting legal claims.
- When deletion of your data would obstruct or render unfeasible the processing for purposes of scientific or historical research.
9.5 Right to Restrict Processing
As an alternative to the right to demand deletion or to oppose data processing (discussed in para. 9.7 below), you are entitled to request that the processing of your data be restricted, though only in the following cases:
- When you invoke inaccuracies in your data, and the Foundation, as Processing Entity, is reviewing the related request.
- When the processing is illegal.
- When the data are no longer necessary for the purpose of the processing, but you request that they be retained for exercising and defending your legal claims.
- When you have exercised the right of opposition and the PIOP, as Processing Entity, is considering whether there applies an overriding right on its part.
This right can be exercised in combination with the right of correction and the right of opposition. Specifically: (a) if you request a correction of inaccuracies in your data, you can ask that processing be restricted for as long as the PIOP is considering the correction request; or (b) if you invoke the right of opposition, you can concurrently ask that processing be restricted for as long as the PIOP is considering the request.
9.6 Right to the transferability of Data
You are entitled to receive your personal data that have been subject to processing by the PIOP under its capacity as Processing Entity, in a structured, commonly used and machine-readable format (e.g. XML, JSON, CSV, etc.). You are also entitled to ask PIOP to forward such data directly to another Processing Entity without raising any objection.
You can exercise the right of transferability only when all the following conditions are met:
- The personal data are processed by automated means (i.e. printed files are excluded).
- The legal basis of the processing is either your consent, or the performance of a contract to which you are a contracting party (article 6, para. 1b, GDPR).
- The personal data concern you and have been provided by you.
- The exercise of the right does not impact unfavourably the rights and freedoms of others.
9.7 Right of Opposition
You are entitled to oppose, at any time and on grounds related to your particular circumstances, the processing of personal data that concern you, when the processing is based either on a duty performed in the public interest or on the legitimate interest of the Foundation, including the drawing-up of a profile.
The PIOP will stop the processing, except if it invokes imperative and lawful reasons for the processing which override your interests, rights and freedoms or for substantiating, exercising or supporting legal claims.
9.8 Right to non-Automated Individual Decision-Making, including drawing-up a Profile
If the PIOP needs to reach a decision that produces lawful results for you by a method that is exclusively automated, including drawing-up a profile, it will inform you of the following:
9.9 How you can exercise your rights
For any question or query, and for exercising any of the above rights in connection to personal data, the interested party can contact the Data Protection Officer of our Company, Mr. Evangelos Mihaloliakos (telephone number: 210 6216 997; e-mail address: email@example.com).
If you wish to exercise any of your above rights, every possible measure will be taken to meet your request within a reasonable timeframe and at the latest within one (1) month from verification of the request you submitted, notifying you in writing that your request has been fulfilled, or of the reasons that may be impeding the exercise of the right involved, or that one or more of your rights has been granted, as per the General Data Protection Regulation. Note that in certain cases fulfilling your requests may not be possible, for example if the grant of a right contravenes a legal obligation or conflicts with the contractual legal basis for the processing of your data.
10. Right to register a Complaint with the Data Protection Agency
If you consider that there is illegal processing of your personal data or that your related rights have been violated, and subject to the condition that you have first contacted the Foundation's Data Protection Officer about the issue involved, i.e. you have exercised your rights as against the Foundation and have not received an answer within one month (a term that may be extended to two months in the case of a complex request) or if you consider that the response you received was not satisfactory and the issue has not been resolved, you can contact the Data Protection Agency (address: 1-3 Kifisias Ave., Athens 11523; e-mail: firstname.lastname@example.org; fax no. 2106475628; and for more information, also visit the Agency's website at www.dpa.gr).
11. Security of Personal Data
The PIOP applies technical and administrative measures to ensure the appropriate level of protection for personal data in order to prevent deletion, loss, distortion, unauthorised access and disclosure or transfer to an unauthorised person or entity in any manner.
The PIOP has in place business continuity and crisis recovery plans, which it tests periodically and updates, and has instituted and applies appropriate policies and procedures for the security of the data it processes.
Further, to this end the PIOP has reviewed the contracts it has entered into with those performing the processing, so that they are contractually bound to respect your personal data as provided in the GDPR, by instituting and maintaining measures to ensure that the data are protected against deletion, loss, distortion, unauthorised access and disclosure or transfer to an unauthorised person or entity in any manner, and by signing a confidentiality clause.
12. Updates of the present Statement of Data Protection Policy
The present statement may be revised if so needed in order to adapt it to any changes in legislation, respond to the comments and requirements of personal data subjects, and take into account changes in the products, services and internal procedures of the PIOP. Each change will be published and the date of the latest update will be noted at the beginning of this Statement of Data Protection Policy.