18.2.2021

Personal Data Protection Statement

Last Update: 17-02-2021

The Piraeus Bank Group Cultural Foundation (henceforth, PIOP) recognises and respects the importance of the personal data that it handles in the context of its activities, and has therefore fully adapted its policy to the requirements of the General Data Protection Regulation 2016/679/EC (henceforth, GDPR).

With the present statement, the PIOP wishes to inform those that contact the Foundation at its headquarters in Athens and its branches in Tavros, Kallithea, Dimitsana, Stymphalia, Sparta, Tinos, Chios, Ioannina, Volos, Lesvos and Soufli by telephone or at its e-mail address, and those that use one of its services or its website (www.piop.gr) and its e-shop (www.piopmuseumshop.gr), under what capacity, for what purpose and on which legal basis it processes data that concern them and can be used, directly or indirectly, to identify them - i.e. their personal data. In particular, the information concerns:

  • data categories;
  • data sources;
  • the criteria for determining the timeframe over which the data are maintained;
  • the rights which the GDPR provides to subjects concerning their personal data; and
  • the policies and other protective measures applied by the PIOP, and the guarantees of personal data security that the PIOP offers them.

For this purpose, we request that you dedicate some time to read the present statement by the PIOP.

If you have any question or query, if you wish to receive a copy of the present statement, or if you wish to exercise one of the rights listed below about your personal data, please contact us via e-mail at piop@piraeusbank.gr or by telephone at 210 3256922.

1. The PIOP as "Processing Entity" of Personal Data

The Piraeus Bank Group Cultural Foundation is a non-profit public welfare institution. Its registered seat is at 6 A. Geronta Street, Athens 105 58. PIOP supports the preservation and showcasing of the country's cultural heritage, with particular emphasis on craft and industrial technology, and advances the interconnection between Culture and Environment. According to its statutes, its operating expenses are covered by the Piraeus Bank. The PIOP also seeks co-financing by national and European programs for certain projects. It has forged networks of cooperation with universities, research centres, cultural associations, and specialist scientists from Greece and abroad. In the context of its activities, the PIOP processes personal data, of which it thus becomes the "Processing Entity".

1.1 Contact particulars for the Processing Entity

Processing Entity:
Appellation: Piraeus Bank Group Cultural Foundation
Address: 6 A. Geronta Street, Athens 105 58
Telephone - Fax: 210 3256922 – 210 3218145
e-mail: piop@piraeusbank.gr

Data Protection Officer (DPO):
Name & Surname: Evangelos Mihaloliakos
Address:
Advanced Quality Services Ltd.
Business Consultants
1A Sarantaporou & Tirnavou Streets
Aghios Stephanos, Attica 145 65
Telephone: 210 6216997
Fax: 210 6216990
e-mail: emichalo@aqs.gr

2. Personal Data Subjects and Sources

(a) In the context of its activities, PIOP collects personal data that are directly given to it by the following:

  • employees, suppliers and in general associates of the Foundation, in the context of their legal contractual relationship with PIOP;
  • various persons who enter into transactions or relations with PIOP, including participants in events or educational seminars, visitors to the museums, the museum shops or the Foundation's libraries, the recipients of the Foundation's newsletter, various persons who enter into transactions or relations with e-shop, etc.

(b) Personal data can also be collected automatically, as for example via the "cookies" activated when you visit our website and our e-shop (cf. cookies policy).

3. Personal Data Categories

The personal data collected and processed by the PIOP can be, according to the case each time:

  • Ordinary Data, especially contact particulars such as name and surname, address, telephone number, e-mail address, etc. or personal data required for the performance of the contractual relationship between the third party and PIOP, including the transactions with our e-shop, such as ID Card Number, Tax ID Number, etc.
  • Special Category Data (sensitive data), in particular data concerning health in specific cases, as for example health data of PIOP employees to ensure compliance with the PIOP's obligations under labour or insurance legislation, or health data of participants in activities of the Foundation (e.g. persons with disabilities, when we must comply with the related legislation or in specific cases in order to meet special requests of the subjects); when necessary, the express consent of the subjects is sought in these cases.

4. Purpose of the Processing

The PIOP processes your personal data in order to:

  • contact you;
  • respond to your queries;
  • respond to your requests (for participating in the activities of our Foundation and other requests);
  • inform you of its activities (via newsletter or otherwise);
  • assess your CV before concluding an employment or project contract;
  • enter into agreements with you;
  • meet its obligations towards you as they arise from agreements;
  • register your participation in educational programs and events/activities it organises throughout Greece;
  • comply with its legal obligations arising from internal and EU law;
  • organise its activities in the field of electronic communications; and
  • via its CCTV systems, to protect the security of its facilities, its employees and third parties that visit them lawfully from entry by parties who have no right to be on its premises and from any criminal act against the Foundation's assets and those who use its facilities lawfully.

5. Lawfulness of Processing

In particular, the legal grounds for processing your data are the following:

  • Article 6, para. 1a GDPR: When you have consented to the processing of your data for one or more specific reasons.
  • Article 6, para. 1b GDPR: When the processing is necessary for the performance of a contract in which you are a contracting party or in order to take steps at your request prior to entering into a contract.
  • Article 6, para. 1c GDPR: When processing is necessary for PIOP's compliance with a legal obligation as arising from EU or national law.
  • Article 6, para. 1f GDPR: When processing is necessary for the purposes of the legitimate interests pursued by PIOP, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Regarding special categories of personal data:

  • Article 9, para. 2a GDPR: When you have consented to the processing of your special category data (health, etc.) for one or more specified purposes, after we have first informed you fully thereof.
  • Article 9, para. 2b GDPR: When processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data subjects in the field of social protection, in so far as it is authorised by EU or internal law.

Regarding data relating to criminal convictions and offences:

  • Article 10, GDPR: When processing is permitted or required under EU or internal law.

6. Transfer of personal data outside the European Union

The newsletter services for registered users are provided through the Mailchimp platform, which is based in the US and complies with all legal obligations to protect your personal data.

7. Disclosure to third parties

The PIOP does not make unlawful disclosures or transfers of your personal data to third parties. Therefore, your data will not be forwarded to third parties for the purpose of commercial promotion.

The PIOP uses third parties (service providers) who undertake the processing. They are contractually bound towards PIOP not to use your personal data unless they receive specific instructions, and so will not share your personal data with anyone other than the PIOP and will safeguard the data securely for as long as PIOP has instructed them to do so.

In certain cases, the PIOP may be under a legal obligation to disclose your data, as in the case of a court order or when PIOP is cooperating with public authorities and organisations within the European Union pursuant to provisions of EU or internal law.

Therefore, the PIOP may disclose or transfer your data to third parties when the legal conditions for doing so are met, specifically when there is:

- your prior consent as the data subjects; or

- a legal obligation to disclose data to the competent State entities and organisations and the competent Judicial and Public Prosecutor Authorities, when the request is duly made by an authority having the related mandate.

8. How long is your data kept?

The PIOP keeps your personal data for as long as the purpose of the processing is on-going. After that period elapses, PIOP maintains your personal data, as per the law, when necessary in order to comply with a legal obligation under EU or national law and when necessary for substantiating, exercising or supporting any legal claims of the Foundation.

9. What are your rights and when can you exercise them?

According to the General Data Protection Regulation, depending on the legal grounds on which PIOP is based for processing your data, you have the following rights:

9.1 Right of Access

You have the right to receive:

a) a statement of confirmation regarding the processing of your data; and

b) a copy of such data.

To submit a request to access your personal data, you can do so in writing, via e-mail, or even verbally; however, we recommend that you submit the application in writing or via e-mail, so you can monitor the progress of your request.

You may not wish that the processing of all your personal data held by PIOP should cease. In this case, it would facilitate and expedite the procedure if you stated precisely for which data you wish to exercise this legal right.

When you submit a request for access (to personal data) you must include the following information:

- Name and contact particulars.

- Any information that the PIOP uses to identify you or distinguish you from other people with the same name, such as code number, etc.

- Details or relevant dates that will help locate what you are searching for.

When can the PIOP refuse to grant the request for access?

The Foundation may refuse to grant the right of access if your data also includes personal data of another person, except if:

- The other person has consented to the disclosure of its data or it is justifiable to give you the related information without the other person's consent.

- To make the related decision, the Foundation will need to weigh your right of access against the rights of the other person as regards his/her own information.

The PIOP may also refuse to grant the right of access when the request is obviously groundless or excessive.

In every case, the PIOP must notify you and justify its decision. It must also inform you of your right to register a complaint with the Data Protection Agency or before a Court.

How long will it take for the Foundation to reply to my request?

The PIOP warrants that it will respond to your request within one month. In specific cases more time may be needed to assess your request, and up to two months may elapse before you receive our reply. If the PIOP makes use of this additional time, it will inform you within one month of the reason why the extra time is needed.

Can the PIOP levy a charge for granting a third party's right of access to its data?

One copy of your personal data will be given to you free of charge. However, if it is obvious that your request is repeated groundlessly or excessively, you may be charged for the related administrative expenses.

9.2 Right of Information

You also have the right to be informed about the following:

- The purpose for which the PIOP processes your data.

- With whom it shares or to whom it discloses the data.

- For how long it will keep your data and how it came to that decision.

- That you are entitled to question the accuracy of your data and ask that it be deleted, that you can ask that it not be used, that you can register a complaint with the Data Protection Agency, that you are informed about the source of the data and about whether your data are used for making automated decisions and whether they are transferred to a third country.

9.3 Right of Correction

You are entitled to request that your data be corrected, if they are inaccurate, or that they be supplemented, if they are incomplete.

To exercise your right you must notify the PIOP that you question the correctness and comprehensiveness of your personal data. You must specify which data are incorrect or deficient, explain how PIOP must correct them, and provide evidence of the inaccuracies.

When you request a correction of your data, the PIOP will diligently check if the data are accurate or not, based on the evidence you will submit and the particulars that the PIOP already holds. Then, it will inform you about whether it has corrected, deleted or supplemented the data. If the PIOP considers that the inaccuracy or non-comprehensiveness of the data has not been proved, it will notify you thereof, justifying its negative response. If the PIOP has disclosed the data to third parties, it will contact them and inform them about the corrections or additions it has made, except if that is unfeasible or requires disproportionate effort. The PIOP can also inform you to whom it has forwarded your data.

9.4 Right of Deletion

You are entitled to request that your personal data be deleted, if you no longer wish them to be processed and if there is no lawful reason for the PIOP to hold them under its capacity of Processing Entity.

Specifically, this right is exercised:

- when the legal basis for processing is your consent and you revoke same, and if there applies no other lawful basis for the processing, and therefore the data must be deleted;

- when your data are no longer necessary for the purposes for which they were obtained or if they are otherwise or illegally subjected to processing, or if you oppose their processing and there apply no imperative or legal grounds for the processing; and

- if the data was obtained illegally or when you were a child in the context of providing an on-line service.

Note however, that this is not an absolute right, since the retention of personal data by the PIOP is lawful when necessary on grounds such as compliance with a legal obligation of the Foundation or for substantiating, exercising or supporting a legal claim.

The PIOP is entitled to refuse to delete the data in the following cases:

- When retention of the data is necessary on grounds of freedom of expression and the right to information.

- When retention of your data is a legal obligation.

- When retention of your data is necessary for reasons of public health.

- When retention of your data is necessary for substantiating, exercising or supporting legal claims.

- When deletion of your data would obstruct or render unfeasible the processing for purposes of scientific or historical research.

9.5 Right to Restrict Processing

As an alternative to the right to demand deletion or to oppose data processing (discussed in para. 9.7 below), you are entitled to request that the processing of your data be restricted, though only in the following cases:

- When you invoke inaccuracies in your data, and the Foundation, as Processing Entity, is reviewing the related request.

- When the processing is illegal.

- When the data are no longer necessary for the purpose of the processing, but you request that they be retained for exercising and defending your legal claims.

- When you have exercised the right of opposition and the PIOP, as Processing Entity, is considering whether there applies an overriding right on its part.

This right can be exercised in combination with the right of correction and the right of opposition. Specifically: (a) if you request a correction of inaccuracies in your data, you can ask that processing be restricted for as long as the PIOP is considering the correction request; or (b) if you invoke the right of opposition, you can concurrently ask that processing be restricted for as long as the PIOP is considering the request.

9.6 Right to the transferability of Data

You are entitled to receive your personal data that have been subject to processing by the PIOP under its capacity as Processing Entity, in a structured, commonly used format that can be read by appliances (e.g. XML, JSON, CSV, etc.). You are also entitled to ask PIOP to forward such data directly to another Processing Entity without raising any objection.

You can exercise the right of transferability only when all the following conditions are met:

- The personal data are processed by automated means (i.e. printed files are excluded).

- The legal basis of the processing is either your consent, or the performance of a contract to which you are a contracting party (article 6, para. 1b, GDPR).

- The personal data concern you and have been provided by you.

- The exercise of the right does not impact unfavourably the rights and freedoms of others.

9.7 Right of Opposition

You are entitled to oppose, at any time and on grounds related to your particular circumstances, the processing of personal data that concern you, when the processing is based either on a duty performed in the public interest or on the legitimate interest of the Foundation, including the drawing-up of a profile.

The PIOP will stop the processing, except if it invokes imperative and lawful reasons for the processing which override your interests, rights and freedoms or for substantiating, exercising or supporting legal claims.

9.8 Right to non-Automated Individual Decision-Making, including drawing-up a Profile.

If the PIOP needs to reach a decision that produces lawful results for you by a method that is exclusively automated, including drawing-up a profile, it will inform you of the following:

  • The PIOP, as Processing Entity, may lawfully reach such a decision only if you have given your express consent, or if the decision is necessary for entering or performing a contract with PIOP, or such a decision is permitted under EU or national law when appropriate measures have been taken to protect the subject's rights.
  • If the above decision is made as being necessary for entering or performing a contract between the PIOP as Processing Entity and you as data subject or on the basis of your express consent, you are entitled to question that decision, so that the PIOP is under the obligation to apply appropriate measures to protect your rights, and ensure that there is human intervention in reaching the decision or that the right of freedom of opinion and your right, as data subject, to question the decision, are applied.
  • If the PIOP intends to effect automated data-processing, including for drawing-up a profile, it will also notify you, upon obtaining the data (when it has obtained them from you) or within a reasonable timeframe (when they have been obtained from another source), of the following information:
      • whether, and to what degree, automated decision-making is effected, including drawing-up a profile;
      • the rationale applied;
      • the significance and the expected outcome of the processing;
      • the subject's right of opposition, which is described clearly and separately from any other information.
  • If drawing-up a profile is involved, you are entitled to restrict the processing at any stage thereof.
  • The PIOP will be under the obligation to delete the related personal data, if the basis for drawing-up the profile is your consent and such consent has been revoked or if you exercise the right of deletion of the data and there applies no other lawful basis for the processing, as per the provisions of the Regulation.

9.9. How you can exercise your rights

For any question or query, and for exercising any of the above rights in connection to personal data, the interested party can contact the Data Protection Officer of our Company, Mr. Evangelos Mihaloliakos (telephone number: 210 6216 997; e-mail address: emichalo@aqs.gr).

If you wish to exercise any of your above rights, every possible measure will be taken to meet your request within a reasonable timeframe and at the latest within one (1) month from verification of the request you submitted, notifying you in writing that your request has been fulfilled, or of the reasons that may be impeding the exercise of the right involved, or that one or more of your rights has been granted, as per the General Data Protection Regulation. Note that in certain cases fulfilling your requests may not be possible, for example if the grant of a right contravenes a legal obligation or conflicts with the contractual legal basis for the processing of your data.

10. Right to register a Complaint with the Data Protection Agency

If you consider that there is illegal processing of your personal data or that your related rights have been violated, and subject to the condition that you have first contacted the Foundation's Data Protection Officer about the issue involved, i.e. you have exercised your rights as against the Foundation and have not received an answer within one month (a term that may be extended to two months in the case of a complex request) or if you consider that the response you received was not satisfactory and the issue has not been resolved, you can contact the Data Protection Agency (address: 1-3 Kifisias Ave., Athens 11523; e-mail: complaints@dpa.gr; fax no. 2106475628; and for more information, also visit the Agency's website at www.dpa.gr).

11. Security of Personal Data

The PIOP applies technical and administrative measures to ensure the appropriate level of protection for personal data in order to prevent deletion, loss, distortion, unauthorised access and disclosure or transfer to an unauthorised person or entity in any manner.

The PIOP has in place business continuity and recovery from crisis plans, which it tests periodically and updates, and has instituted and applies appropriate policies and procedures for the security of the data it processes.

Further, to this end the PIOP has reviewed the contracts it has entered with those performing the processing, so that they are contractually bound to respect your personal data as provided in the GDPR, by instituting and maintaining measures to ensure that the data are protected against deletion, loss, distortion, unauthorised access and disclosure or transfer to an unauthorised person or entity in any manner, and by signing a confidentiality clause.

12. Updates of the present Statement of Data Protection Policy

The present statement may be revised if so needed in order to adapt it to any changes in legislation, respond to the comments and requirements of personal data subjects, and take into account changes in the products, services and internal procedures of the PIOP. Each change will be published and the date of the latest update will be noted at the beginning of this Statement of Data Protection Policy.