Privacy Policy
INFORMATION SOCIETY S.M.S.A.
1. Scope of Privacy
- Information Society S.M.S.A. (Information Society) is the main executive entity for the implementation of strategy, projects and actions of the Ministry of Digital Governance, performed within the framework of Public Administration’s Digital Transformation. Since its establishment, Information Society has been the principal entity implementing and managing the Information and Communication Technologies (ICT) systems and infrastructures of Public Administration. Projects of a nationwide scope, implemented throughout the national territory by the Information Society, are of unique technological and operational innovation, are distinguished as of great complexity and cover all sectors of Public Administration.
- Information Society guarantees its commitment to respecting and protecting the privacy of all natural persons it interacts with and the safeguarding of their personal data, collected either in paper or electronic form, within or outside its premises. Therefore, Information Society with respect to the applicable national and European legal framework on personal data protection, especially the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and Greek Law 4624/2019 communicates this lawful, fair and transparent Privacy Policy in order to provide data subjects with sufficient information about the personal data it collects and processes within the scope of its activities as an entity implementing and managing the Information and Communication Technologies (ICT) systems and infrastructures of Public Administration.
- This Policy aims at defining the basic principles and rules according to which Information Society collects, stores and generally processes personal data, as defined by national and EU legislation on personal data protection, within the context of its activities but also throughout its website (http://ktpae.gr) (hereinafter “Website”).
- Information Society’s contact details are:
INFORMATION SOCIETY S.M.S.A.
Address: 194, Siggrou av., Kallithea,
17671, Athens
Tel: +30 213-13.00.700
Email: info@ktpae.gr
2. Definitions
For the purposes of the present policy, the following terms are to be defined:
- personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- special categories of personal data (or “sensitive personal data”): personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership as well as genetic data, biometric data which allows to uniquely identify a natural person, health data and/or data regarding sexual orientation.
- processing: any operation performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- anonymization: the processing of personal data in such a way that data can no longer be attributed to a particular data subject;
- pseudonymization: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;
- consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- existing legislation: The provisions of the existing Greek, EU or other legislation which is applicable to the Information Society and regulate matters of data protection and privacy, such as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation-GDPR) and any implementing laws, such as the Greek law 4624/2019, and Greek law 4623/2019.
3. Personal Data Collected and further Processed by Information Society
Information Society, in the context of its activities, may collect personal data relating to individuals with which the Information Society cooperates or interacts.
Information Society may collect information that constitutes personal data in the following cases:
3.1. Data collected through the website (http://www.ktpae.gr)
- Data collected through the communication form
When you choose to contact us through the electronic communication form available in the Information Society’s website, we will ask you to provide certain information, such as your name, surname, e-mail address as well as any further information you include in the entry “Comments”.
Purposes of processing – Legal basis:
We collect the information you will provide through the communication form with the sole purpose of serving and contacting you in order to satisfy your request. The legal basis of processing is the Information Society’s legitimate interest to facilitate its communication with the public and handle the requests it receives in the context of its operations.
- Data collected through the Newsletter subscription form
When you choose to subscribe to our Newsletter through the newsletter subscription form available on the Information Society’s website, we will ask you to provide certain information, such as your e-mail address to which you wish to receive the newsletter and, optionally, your name and surname.
Purposes of processing – Legal basis:
The sole purpose of the collection and further processing of the information you provide through the Information Society’s newsletter subscription is to communicate with you and inform you about corporate news, events and Information and Communication Technologies (ICT) actions and projects, implemented by the Information Society. The legal basis of processing is your consent, which you provide via the relevant subscription form. You can always withdraw your consent by clicking the “unsubscribe” button, which exists in all relevant communications. Such withdrawal shall not affect the lawfulness of the processing based on your initially provided consent.
- Online Technologies
In addition, we may collect only certain necessary information relevant to the visits of the concerned website, as for example the Internet Protocol address (IP address), the type of the web browser operated by the user and cookies. For more information regarding the use of cookies in the present website, please refer to our Cookies Policy.
3.2. Data collected in the context of Public Procurement
Information Society, within the context of its actions related to public procurement, may collect and process personal data of the natural persons it interacts with.
Purposes of processing – Legal basis:
Information Society may collect personal data of Contractors/Contractors candidates and its representatives or its project team members, or personal data of Vendors/Vendors candidates and its representatives or its project team members, or members of committees, such as name, surname, contact information, ID number, Tax ID number, education data (e.g. CV, degrees, certificates of knowledge, etc.), professional experience-related data (e.g. CV data related to previous work experience), financial data (e.g. IBAN), data relating to prior criminal convictions (e.g. criminal record), as well as such data as may be further submitted, if required under the relevant legislation. The legal basis of processing is the performance of a contract or compliance with a legal obligation to which Information Society is subject, such as Greek law 4412/2016.
3.3. Data collected in the context of project implementation monitoring, in case Information Society is the implementing body
Information Society, within the context of its actions related to public procurement, may collect and process personal data of the natural persons it interacts with.
Purposes of processing – Legal basis:
Information Society may collect personal data of Contractors/Contractors candidates and its representatives or its project team members, or personal data of Vendors/Vendors candidates and its representatives or its project team members, or members of committees, such as name, surname, contact information, ID number, Tax ID number, education data (e.g. CV, degrees, certificates of knowledge, etc.), work relating data (e.g. CV data related to previous work experience), financial data (e.g. IBAN), data relating to prior criminal convictions (e.g. criminal record), as well as such data as may be further submitted, if required under the relevant legislation. The legal basis of processing is the performance of a contract or compliance with a legal obligation to which Information Society is subject, such as Greek law 4412/2016.
3.4. Data collected in the context of evaluating potential employees/potential external collaborators
When you choose to submit a job application to Information Society or an application to cooperate with Information Society, we collect and process personal information necessary to assess your suitability for the job (including but not limited to first name, surname, date of birth, ID number, social security number, contact details, professional qualifications, education, previous work experience, insurance data, data relating to criminal convictions, etc.). We collect the data that you provide to us via the application form and the documents attached to it (e.g. CV, certificates, attestations, etc.).
Purposes of processing – Legal basis:
Information Society may collect the personal data of potential employees in the context of the selection and recruitment of its personnel and external collaborators. The legal basis of processing is the performance of a contract or the execution of certain preparatory actions prior to the conclusion of a contract.
4. Disclaimer for third–party websites
Information Society’s website may include links, which redirect to third-parties’ websites. Information Society does not control those websites and is not responsible for the content posted on them or any further links appearing on them. Information Society is not responsible for third-parties’ privacy practices or for their websites’ content.
5. Transfer of personal data
Information Society may transfer personal data to third parties (legal entities or individuals) when provided by existing law as an obligation, or, alternatively, pursuant to the guarantees set by the existing legislation. More specifically, in the context of pursuance of the processing purposes, personal data may be transferred to (i) Third companies which provide relevant services to the Information Society, such as social media service providers, etc. In any case, all these companies are contractually bound with the Information Society in order to ensure the observance of confidentiality, as well as of all obligations provided in the legislation on data protection. (ii) Public authorities and supervisory authorities (General Secretariat for Information Systems, Police departments, prosecuting authorities, etc.).
Where the transfer of data concerns a country outside the European Union (EU) or the European Economic Area (EEA), Information Society shall always check whether:
- The Commission has issued an adequacy decision on the third country to which the transfer is addressed.
- Appropriate safeguards are in place in accordance with the Regulation for the transfer of such data.
In any other case, the transfer to a third country is not allowed and the Information Society may not transfer personal data unless any of the specific derogations provided for in the Regulation apply (e.g. explicit consent of the data subject, upon informing him/her on the risks of the transfer, the transfer is necessary for the performance of a contract at the request of the subject, there are reasons of public interest, it is necessary to support the legal claims and the vital interests of the subject etc.).
6. Data privacy and security
Information Society takes all appropriate measures to prevent unauthorized access to data subjects’ data, as well as to maintain their accuracy and ensure their appropriate use. However, it is noted that no electronic data transfer or storage method is 100% secure. Nevertheless, Information Society takes all necessary security measures (antivirus, firewall).
In cases where the Information Society maintains originals/copies of documents containing personal data in hard files, it takes all appropriate measures to ensure their protection, not only from unauthorized access (e.g. locks, alarms, transfer of documents in sealed envelopes, data classification etc.), but also from damages or destruction (e.g. fire protection systems, use of cabinets not accessible in case of flood).
7. Data Subjects’ rights
Information Society shall take appropriate measures to ensure that data subjects can exercise their rights, as provided by national and Union legislation regarding the collection and processing of personal data concerning them. It is noted that all data subjects can exercise, at any time, their rights in relation to the processing of their data, as defined in the General Data Protection Regulation. More specifically, each data subject has the following rights:
- To request to be informed on the personal data kept by the Information Society.
- To request access on his/her personal data. The data subject can ask to receive a copy of his/her personal data maintained and examine the lawfulness of processing.
- To request the correction of his/her personal data. The data subject may request to confirm the accuracy of his/her data and, if found inaccurate, to correct them.
- To request the deletion of personal information provided. The data subject can ask to have his/her personal data deleted or retracted, unless prohibited by legitimate reasons or by law.
- To request for limitation of processing.
- To request for portability of his/her personal information. The data subject has the right to receive his/her personal data in a structured, commonly used and machine-readable format (pdf, word, etc.). This right may only be satisfied in cases of automated processing.
- In cases where the processing is based solely on the data subject’s prior consent, he/she has the right to withdraw his/her consent at any time. Withdrawal of consent does not affect the lawfulness of processing performed based on consent before its withdrawal.
To exercise any of the above rights, you can contact the Information Society’s DPO by email at dpo@ktpae.gr.
Information Society provides the data subject with information on the processing operations within one (1) month from the submission of the data subject’s relevant request and following the data subject’s identification.
Data subjects have the right to lodge a complaint before the Hellenic Data Protection Authority (HDPA) for issues concerning the processing of their personal data. For the HDPA’s competence and the means of filing a complaint, detailed information is provided on the website of the DPA: www.dpa.gr.
8. Data retention period
All personal data collected and processed by Information Society are retained for a pre-determined and specified period of time, depending on the purpose of processing. When this time period expires, the personal data are safely deleted and/or destroyed, unless their further retention is permitted or required by law.
9. Updates to the Privacy Policy
Information Society may revise this Privacy Policy from time to time for the purpose of compliance with regulatory changes or in order to meet its operational needs and legal obligations. Updated versions will be uploaded on this website, with a date indication in order to inform which is the most up-to-date version.
Last update: July 2022