Personal Data Protection Policy

The protection of your personal data is very important to us! 

The information that follows describes the way we process your personal data, which we collect when you communicate with us or you use any of our services. 

For any processing of personal data carried out when you use any of the services of HELLENIC CULTURE CENTRE – IFIGENIA GEORGIADOU (CENTRE henceforth), or visit this website, the Controller is Ms Ifigenia Georgiadou, Argyrokastrou 2-4, 11362, Tel. (+30) 6944105484, e-mail: ifigenia@hcc.edu.gr  

  • What personal data is processed by us? 

HELLENIC CULTURE CENTRE-IFIGENIA GEORGIADOU, in its capacity as data controller, processes personal data of natural persons who participate or intent to participate in our educational programmes and other services (“data subjects”). Data processed by the CENTRE, as appropriate, shall include, inter alia: (a) personal information, like the information collected from registration forms (name, surname, place of residence, mother tongue, contact details, student/teacher experience), (b) billing and payment data,  (c) sound (voice) and image data of the data subject, if they participate in a online class, as per the relevant notification provided by the CENTRE, (d) special categories of data, i.e., where applicable, health-related data that may be disclosed by the data subject (e.g. special learning difficulties, other health issues). The disclosure/ processing of the data specified in subparagraphs (a), (b) and (c) above is a legal or contractual obligation of the data subject or a requirement to conclude a contract. Where the data subject does not provide the above data or part thereof, he or she will not be able to participate in the CENTRE’S training programmes.

  • What is the source of this data? 

As the case may be, the source of the data will either be the students themselves disclosing their data, or a third party who has a contractual relationship with the data subject (in case the third party mediates for the subject’s participation in the CENTRE’s programmes).  To the extent that such third party transmits the subject’s personal data to the CENTRE,  they shall be responsible for complying with the applicable provisions of the personal data legislation. In this context, they may need to obtain the data subjects’ consent before transmitting data to the CENTRE.

  • Children’s data  

We do not knowingly collect any personal data from anyone under the age of 15. If you are under 15 years of age, do not use or provide information on this site and do not provide any information about your person to the CENTRE, except with the consent of those exercising your parental responsibility. If we find that we have collected or received personal data from a child under the age of 15, we will delete this information. If you believe we may have information from or about a child under the age of 15, please contact us.

  • For what purposes do we collect your personal data and on what legal basis? 

As the case may be, the purposes of processing personal data by the CENTRE are: 

(a) To register, provide services to and in general to manage the requests of the interested subjects for the services of the CENTRE and the of the participants in the educational programmes, as well as to issue certificates of attendance. 

For such data processing, including the processing of sound and image data from an online class in which the data subject may participate, the legal basis for the processing shall be the performance of the relevant contract concluded with the CENTRE and compliance with a legal obligation of the CENTRE, while for special categories of data (as specified in clause 1 (d) above) that may have been disclosed to the CENTRE, the legal basis for processing shall be the data subject’s relevant consent given by the very disclosure of the relevant personal data to the CENTRE and the protection of the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent. 

(b) To safeguard the interests of the Hellenic Culture Centre. 

For such data processing, the legal basis is that processing is necessary for the purposes of the legitimate interests pursued by the CENTRE which override the interest, fundamental rights and freedoms of the data subject which require the protection of personal data (e.g. for the establishment, exercise or support of legal claims, in which case the processing, if necessary, will also extend to specific categories of data). 

(c) To send marketing material via electronic mail. 

The legal basis for this processing is the consent of the subject, according to article 6 par. 1 a) of the General Data Protection Regulation (GDPR)

(d) Once the data subjects’ consent has been obtained, the CENTRE will use their image and/or voice and/or feedback comments, in the context of a relevant photography, video or sound recording session or collection of feedback method, to create marketing material that the CENTRE may use in its brochures, on its website, in its promotional videos or in any other way. 

For all the above purposes, the CENTRE does not proceed with automated decision-making, including profiling of data subjects.

  • Who are the recipients of your data? 

As the case may be and depending on the purpose of processing, personal data may be transmitted to the authorised employees & partners in each department / programme of the CENTRE, to authorised persons in the third party (in case the third party mediates for the subject’s participation in the CENTRE’s programmes) and to companies associated with the CENTRE with which the CENTRE has a contract and which process the data on its behalf (e.g. IT companies, IT service providers, etc.), within their competencies and subject to the obligation of confidentiality, secrecy and compliance with the data protection legislation. 

In addition, the CENTRE may transmit personal data to third parties where so required by law, or for the purposes of, or in connection with legal proceedings in which it participates, or otherwise for the purposes of supporting, exercising or defending its rights, or to third parties that are law enforcement authorities and have submitted a lawful transmission request, or where it considers that transmission is necessary in connection with any investigation into the suspicion or existence of any illegal activity. Personal data shall not be transmitted outside the European Economic Area.

  • For how long do we retain your data? 

The above data will be retained for a period time as required or allowed by the legislation/regulatory framework in force each time, taking into account the applicable prescription period, which may extend to up to 20 years. Specifically: 

(a) where processing is carried out under a relevant contract, the personal data shall be stored for as long as necessary for the performance of the contract and for the establishment, exercise and/or support of any legal claims of the CENTRE arising from that contract; and 

(b) where the processing is imposed as an obligation by provisions stemming from the applicable legal framework, personal data shall be stored for as long as the relevant provisions so require.

  • What are your rights regarding your personal data?

a. The right to be informed / transparency

Data subjects have the right to be informed accurately and clearly about the collection and use (processing) of their personal data. This right is governed by one of the basic principles of the GDPR, the principle of transparency (relevant Articles 12-14 GDPR).

In particular, on the basis of the above principle, the information must be concise, transparent, comprehensible, easily accessible and worded in plain and clear language. Indefinite terms should be avoided (eg “could”, “possibly”, etc.). Especially when it comes to minors, the language should be very friendly to them. This policy is written in simple language, so that a person at least 15 years of age can understand its main points.

The information must include, inter alia, the following information: the purpose and legal basis of the data processing, the sources of the data and their categories (when the collection is from other sources and not from the subject themselves) and any recipients.

b.The right of access 

Data subjects have the right to receive:

  • confirmation regarding the processing of their data,
  • a copy of this data, and
  • information about processing (relevant Articles 12, 15 GDPR).

The right of access allows the data subject to become aware of their data and information about processing in order to be able to verify its legitimacy.

This right does not need to be justified by the data subject. The information provided to the data subject in the context of the exercise of the right of access includes the following:

  1. the purposes of the processing,
  2. the relevant categories of data,
  3. recipients or categories of recipients,
  4. if possible, the period of retention of the data or, where this is not possible, the criteria determining that period,
  5. the exercise of rights,
  6. the source of the data when not collected by the data subject,
  7. the existence of automated decision-making, including profiling and important information on the logic, significance and intended consequences of such processing.

c.The right to rectification  

Data subjects have the right to request:

  • the correction of their data, when it is inaccurate, or
  • the completion of their data, when they are incomplete, inter alia by means of a supplementary declaration (relevant Articles 12, 15, 19 GDPR).

d.The right to erasure (“right to be forgotten”)

The right of erasure (“right to be forgotten”) is the right of the data subject to request the deletion of personal data concerning him / her, if they no longer wishes this data to be processed and if there is no legal reason for the controller to retain this data (see Article 17 of the GPDR).

In particular, the data subject may revoke their consent on which the processing is based, in which case the data should be deleted if there is no other legal basis for the processing.

Also, if the data are no longer necessary in relation to the purposes for which they were collected or otherwise or illegally processed, or if the data subject objects to the processing and there are no compelling and legitimate reasons for processing, the data subject may request their deletion.

e.The right to restriction of processing 

Data subjects have the right to request a restriction on the processing of their data (relevant Articles 18, 19 GDPR). In particular, the data subject may ask the Controller to restrict the processing. This right is an alternative to the right of deletion (Article 16 of the GDPR) and the right of objection (Article 21 of the GDPR). It is not an absolute right and only applies in specific cases.

f.The right to data portability

The right to portability (Article 20 GDPR) offers data subjects an easy way to manage their own personal data. Facilitates the easy transfer, copying or transfer of personal data from one IT environment to another.

Data subjects have the right to receive their own personal data, which has been processed with automation through a processor, in a structured, commonly used and machine-readable format (eg XML, JSON, CSV, etc.). They also have the right to request that the Controller transmit this data to another Controller, without objection from the original Controller. If technically feasible, they can request the direct transfer of their data from one Controller to another.

The right to portability can be exercised when all of the following apply:

  • personal data are processed by automated means (which excludes printed files),
  • the legal basis of the processing is either the consent of the data subject (Article 6 par. 1a or Article 9 par. 2a GDPR) or the execution of a contract to which the data subject is a party (Article 6 par. 1b GDPR),
  • personal data relates to the data subject and has been provided by them. They are considered to have been provided by the data subject when provided consciously and actively,
  • the exercise of the right does not adversely affect the rights and freedoms of others.

The exercise of the right to data portability does not affect the exercise of the other rights of the data subject, which are exercised independently.

g.The right to object to the processing  & to revocate consent

The right of objection (Article 21 of the GDPR) is the right of the data subject to oppose, at any time and for reasons related to their particular situation, the processing of personal data concerning them.

In the event that the data subject objects to the processing of their personal data, the Controller must stop such processing – without prejudice to the lawfulness of the processing based on consent prior to its withdrawal – unless she demonstrates imperative and lawful reasons for processing, which take precedence over the interests, rights and freedoms of the data subject or for the establishment, exercise or support of legal claims.

h.The right to human intervention / The Right to non-automated individual decision making, including profiling

The controller, in order to legally perform automated data processing – including profiling – must comply with the principles of fair processing and have a legal basis for processing. 

In this context, she ensures the transparency of the processing, providing information to the data subjects, minimizing the personal data she keeps, ensuring that it is accurate, verifying them, following the appropriate retention periods and updating them on a regular basis.

In particular, she must be able to justify the need to collect and use personal data for profiling for the purpose of processing which she pursues each time, otherwise she must choose anonymous or pseudo-anonymous data.

Especially for a decision that produces legal effects that concern the subject or significantly affect them, with an exclusively automated method, including profiling, the following applies:

  • The Controller may lawfully take such a decision, in accordance with Article 22 (par. 2) of the GDPR, only if the subject has given express consent or when the decision is necessary for the conclusion or performance of a contract between the data subject and the Controller or the specific decision is authorized by the law of the EU or of a Member State to which the Controller is subject and which provides for appropriate measures to protect the rights of the subject.
  • If the decision in question was taken as necessary for the conclusion or performance of a contract between the Controller and the subject or with the express consent of the subject, the latter has the right to challenge it and the Controller is obliged to apply appropriate measures to protect their rights, to ensure human intervention in the decision-making or the right to express an opinion as well as to challenge the decision by the subject.
  • If the Controller performs automated data processing, including profiling, provides the data subject with the data when receiving the data (when she has collected it from themselves) or at a reasonable time (when it has been obtained from another source), in addition to the information contained in Articles 13 and 14 of the GDPR, and the following additional information:
    • whether and to what extent automated decision-making takes place, including profiling,
    • on the logic followed,
    • on the significance and intended consequences of the processing,
    • no later than the first communication with the data subject, the Controller shall indicate the subject’s right to object which is clearly described and separately from any other information.
  • The data subject is entitled, even in the event of profiling, to ensure that the processing is restricted at any stage thereof, in accordance with Article 18 of the GDPR.
  • The Controller is obliged to delete the relevant personal data, if the basis of the profiling is the consent of the subject and it is revoked or the subject exercises the right to delete their data, according to article 17 GDPR, unless there is no other legal basis for processing, in accordance with the provisions of the Rules of Procedure.
  • The data subject is entitled to oppose, at any time and for reasons related to their particular situation, the processing of personal data concerning them, which is based on Article 6 (par. 1) (f) of the Rules of Procedure, including profiling (article 21 par.1 GDPR). The Controller shall no longer process personal data unless she demonstrates compelling and lawful reasons for processing that outweigh the interests, rights and freedoms of the subject or to establish, exercise or uphold legal claims (Article 21 par. 2 GDPR).
  • When data subjects object to the processing of their personal data for the purposes of direct marketing, such data shall no longer be processed for those purposes (Article 21 par. 3 GDPR).

i.The right to complain about the processing of your data 

If you have any questions or concerns, you can contact us by phone (+30 6944105484) or via e-mail (ifigenia@hcc.edu.gr) either to exercise your rights (access, objection, etc.) or to request information and we will answer you. The CENTRE will take all possible measures to satisfy your request within 30 days of receiving the relevant application, informing in writing of the request’s  satisfaction, or the reasons that prevent the exercise of the right.

If you remain dissatisfied with the way we process your personal data, you can file a complaint with the Hellenic Data protection Authority. To see how to do this, visit the website https://www.dpa.gr/el/proswpika_dedomena/epexergasia_fusikwn/katagelia_stin_arxi_dedomena

  • Ιs your data secure?

We have implemented appropriate organizational, physical and technological protection measures (including encryption, anonymization and / or pseudonymization procedures, where appropriate) to prevent the unintentional loss, alteration, disclosure and use or access of your personal data in an unauthorized manner. In addition, we restrict access to your personal data only to those employees and associates who need to be aware of it in order to perform their professional duties, who process your data solely in accordance with our guidelines and are bound by the relevant confidentiality terms. We have implemented procedures to deal with any possible breach of personal data and we will notify you and any competent authority of any breach when required by law to do so.

  • How will you be notified of any changes to this Policy?

We will update this Policy whenever necessary. If there are significant changes to the Policy or the way we use your personal data, we will notify you either by posting a notice in a prominent place before the changes take effect or by any other appropriate means. We also encourage you to read this Policy regularly to know how your data is protected.

  • What is the applicable law when processing your Data by us?

We process your Data in accordance with the General Regulation for the Protection of personal data 2016/679/EU, and in general the current national and European legal and regulatory framework for the protection of personal data.

Competent courts for any disputes arising from issues concerning your personal data is the Court of Athens.