GREEK TOURISM CONFEDERATION – SETE
PERSONAL DATA PROTECTION POLICYGREEK TOURISM CONFEDERATION – SETE
PERSONAL DATA PROTECTION POLICY
In SETE we respect your privacy and undertake to protect your personal data. The purpose of this policy is to inform you about the personal data we collect and process in the course of our operation and communication with you. Our full particulars are: GREEK TOURISM CONFEDERATION – SETE Εmail address: firstname.lastname@example.org Postal Address: 34 Amalias Ave., 10558 Athens, Greece Tel.: +30 210 3217165 Scope and objectives of the personal data protection policy The scope of the present Policy is to determine the basic rules and principles according to which SETE collects, processes and stores personal data, as defined by the applicable Greek and EU legislation in force and, in particular, Regulation (EU) 2016/679 (hereinafter “the Regulation” or “GDPR”). Personal Data Concepts / Definitions For the purposes of the present Policy, the following concepts shall be construed as follows: “Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Special categories of personal data”: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. “Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Anonymization”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject. “Pseudonymization”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. “Controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. “Processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. “Consent” of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. “Personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. “Data concerning health”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. “Applicable law”: The provisions of the Greek, EU or other law to which SETE is subject and which prescribe personal data protection issues, such as:
- Law 2472/1997 on the protection of individuals with regard to the processing of personal data;
- Law 3471/2006 on the protection of personal data and privacy in the electronic communications sector and the amendment of Law 2472/1997;
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on the protection of privacy and electronic communications) as amended;
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and any implementation laws thereof.
- It collects and processes such data lawfully, in accordance with the provisions of the applicable laws and the conditions thereby prescribed.
- It processes personal data only for specified, explicit and legitimate purposes.
- It implements appropriate technical and organizational measures to ensure that personal data are processed in such manner as to warrant the appropriate level of security for personal data, including, inter alia, their protection with regard to unauthorized or illegal processing and accidental loss, destruction or damage. Moreover, to periodically review the adequacy and efficacy of such measures.
- It makes the required effort so that the personal data it keeps and processes are always accurate and updated.
- It does not keep the personal data it collects for a longer time than necessary for the purposes for which they were collected and processed. However, it may keep such data for a longer time, if their processing is required:
- the Commission has issued a pertinent adequacy decision for the third country to which data shall be transmitted;
- appropriate guarantees are in place in accordance with the Regulation about the transmission of such data.
- The right of access to data.
- The right of rectification of data.
- The right of erasure of data (“right to be forgotten”).
- The right of restriction of processing of data.
- The right of portability of data.
- The right to object to the processing of data.