Application Statement

The implementation of the General Data Protection Regulation (GDPR) is a priority for U.o.W.M.

U.o.W.M. accepts as personal data: Any information relating to an identified or identifiable natural person alive. For example, this information includes name, home address, ID number, Internet Protocol (IP) code, information about their health and insurance capacity, employment status, and more.

Special categories data, such as health, racial or ethnic origin, trade union activity, etc., receive special protection.

The rules apply when collecting, using, and storing personal data is done digitally or in hard copy through a structured filling system.

This policy is in line with the EU General Data Protection Regulation. (GDPR), and opinions/decisions issued by the Hellenic Data Protection Authority.

 

Terms and Definitions

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,
  2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,
  3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future,
  4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements,
  5. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
  6. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised, or dispersed on a functional or geographical basis,
  7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law,
  8. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller,
  9. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing,
  10. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data,
  11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her,
  12. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed,
  13. ‘special categories data’ means personal data disclosing racial or ethnic origin, political views, religious or philosophical beliefs, or trade union affiliation, as well as the processing of genetic, biometric data for the data relating to health or data relating to the natural sexual life or sexual orientation of a person,
  14. ‘main establishment’ means a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union. b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union.
  15. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51.

 

Categories of Personal Data Collected

U.o.W.M. in the context of the above activities and its regular operation in the public interest, it may collect personal data of both its citizens or associates who use its services – applications, as well as its employees, students as well as, generates his associates, but also other natural persons with whom he deals within the framework of his responsibilities.

Depending on the form and purpose of processing per service, U.o.W.M. may collect and process personal data, such as the following:

 

CATEGORIES OF DATA SUBJECTS CATEGORIES OF DATA
Students of U.o.W.M. Students who for some time have studied or are studying at U.o.W.M. Personal data held by the U.o.W.M. may include:

 

1.      Identity and demographics (e.g., name, patronymic, etc.),

2.      Insurance details (e.g., AMKA or ΑΥΠΑ and other details of the Social Security Institution Register if required),

3.      Contact details (e.g., postal address, telephone, Email, etc.),

4.      Health data (e.g., medical certificates and opinions, prescriptions for medical treatment, etc.),

5.      Financial data (e.g., bank accounts, tax returns, etc.),

6.      Elements of marital status and so on.

7.      Other information

8.      Τhird party data (e.g. relatives)

9.      Scores and degrees

10.   Attendance at classes

11.   Intellectual property projects (e.g., works, diplomas, etc.)

12. Photographic material

Beneficiaries

(educational services)

Data of Greek and foreign citizens who are beneficiaries or trade with U.o.W.M., because the status of a natural person is sufficient for information that refers to it to fall into personal data, without requiring the status of a Greek citizen and therefore the provisions also protect the personal data of foreigners such as students and faculty members in mobility through exchange programs, refugees and migrants who may attend lifelong learning programs and others.
Suppliers / Contractors The data of U.o.W.M.and ELKE’s suppliers, in the case of natural persons or legal representatives of legal persons, because “personal data” refers only to information relating to natural persons and does not fall into this category of data relating to legal persons such as companies, unions, institutions. These may include:

1.      Identity and demographics (e.g., name, patronymic, etc.),

2.      Insurance details (e.g., AMKA or ΑΥΠΑ and other information of the Social Security Institution Register if required),

3.      Contact details (e.g., postal address, telephone, Email, etc.),

4.      Copies of Criminal Records

1.      5. Professional details

Data of other natural persons The data of other natural persons who happen to visit U.o.W.M.’s infrastructure or belong to collaborating bodies.
Employees (Active or Not) / Candidate Employees Data of U.o.W.M. and ELKE employees, under any employment relationship, and data of former and prospective employees, which are kept in official files or any other services to operate their employment relationship with the legal entity. These may include:

1.      Identity and demographics (e.g., name, patronymic, etc.),

2.      Insurance details (e.g., AMKA and other Social Security Authority details if required),

3.      Contact details (e.g., postal address, telephone, Email, etc.),

4.      Health data (e.g., medical certificates and opinions, blood donation data, etc.),

5.      Financial data (e.g., bank accounts, tax returns, statement of assets, etc.),

6.      Assets (e.g., statement of assets)

7.      Marital status details (e.g., certificates and certificates, number and details of children, etc.)

Table 1. The categories of Data Subjects and their data

 

Purposes and Legal Basis of Processing

U.o.W.M. and ELKE, in the context of its activities related to e-government and their operation for the public interest, may collect and process personal data of citizens and other natural persons referred to in the above paragraph and making use of the training provided, its employees, and its affiliates in general. In principle U.o.W.M. and ELKE may collect and process personal data for the following purposes with the corresponding legal processing bases:

PURPOSE OF PROCESSING LEGAL BASIS
U.o.W.M. and ELKE’s operation in all their areas of responsibility as well as the study, operation, administration, management of Information and Communication Systems, equipment, software and services, respectively. 1.   Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

2.     Processing is necessary for the performance of a contract [Art. 6 §1 case. b) GDPR] where it exists and / or

3. Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Service in higher and lifelong educational services 1.   Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

2. Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Cooperation and interconnection with relevant bodies of the European Union Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR]
Ensuring the interoperability of Information and Communication Systems 1.   Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

2.     Processing is necessary for the performance of a contract [Art. 6 §1 case. b) GDPR] where it exists and / or

3. Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Providing advice to students and other individuals 1.   Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

2.     Processing is necessary for the performance of a contract [Art. 6 §1 case. b) GDPR] where it exists and / or

3. Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

The provision to each State and European Union service of statistics and other information and evaluations in the context of participation in European programs 1.   Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

2.     Processing is necessary for the performance of a contract [Art. 6 §1 case. b) GDPR] where it exists and / or

3. Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

The study, development, operation, exploitation, management, and maintenance of U.o.W.M.’s Information and Communication Systems 1.   Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

2.     Processing is necessary for the performance of a contract [Art. 6 §1 case. b) GDPR] where it exists and / or

3. Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

The collection, processing, cross-referencing, and transmission of data of the Tax, Insurance, and Labor Administration exclusively for the support and operation of the framework of their responsibilities 1.   Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

2. Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

The collection and processing of video data using CCTV, as well as the collection and processing of identification data (e.g., police ID), for security reasons Processing is necessary for the purposes of the legitimate interests [Art. 6 §1 case f) GDPR]
The collection and processing of the necessary data of employees and / or prospective employees and associates for the proper service of existing employment or cooperation relationships or the consideration of possible future cooperation 1.    Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

2. Processing is necessary for the purposes of the legitimate interests [Art. 6 §1 case f) GDPR]

The collection and processing of the necessary data of minor children for the intersection of potential benefit or providing social services to students. 1.   Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

2.     Processing is necessary for the performance of a contract [Art. 6 §1 case. b) GDPR]

For any other form of processing, U.o.W.M.and ELKE requests special written, free, and after prior informed consent of the subjects before the start of the processing, if required.

Table 2. The main purposes and legal bases of processing

 

The reference to more than one legal basis of processing does not mean that the U.o.W.M. changes them (lawful basis swapping), undermining data subjects’ rights. Still, there are cases where more than one legal processing base is applicable.

Furthermore, since U.o.W.M. is part of the Public Administration bodies (according to no. 14 of law 4270/2014 but also the Register of Services and Bodies of the Greek Administration), further process is applied after the end of elaboration to archive in the public interest or for scientific or historical research or statistical purposes, which is not considered incompatible with the original purposes according to Art. 5 paragraph 1, case b) and Art. 89 paragraph 1 of GDPR.

Finally, the P.D.M. does not use the consent of the data subjects (whether it is simple data or special categories) as the main processing base, recognizing the inherent inequality that exists about the data subjects at any time and under the recommendations of its Working Group No. 29 (now European Data Protection Council). However, and exceptionally, for a few cases where additional service is provided to the subjects (beyond the legal ones), the consent is used to a limited extent as a legal basis for processing and only then.

 

Rights of Data Subjects

U.o.W.M. recognizes individuals’ rights concerning the protection of their personal data. Thus, natural persons have the right to:

  1. Be informed about the processing of their personal data.
  2. Gain access to the personal data concerning them.
  3. Request the correction of incorrect, inaccurate, or incomplete personal data.
  4. Request the deletion of personal data when it is no longer necessary or if the processing is illegal. If applied as a legal basis for processing Art.6 par.1 case. e ) GDPR (processing for the fulfilment of a duty performed in the public interest or during the exercise of public power and the Art.9 par.2 case b ), g), j) in most of the proseccess of U.o.W.M., the right of deletion is limited and will be evaluated on a case-by-case basis under strict conditions. According to Art. 4 of the Explanatory Memorandum of the GDPR, the right to personal data protection is not absolute; it must be valued concerning its functioning in society and weighed against other fundamental rights under the principle of proportionality.
  5. Oppose personal data processing for reasons related to their unique situation, subject to Art.21 par.6 of GDPR.
  6. Apply for a restriction on personal data processing in specific cases.
  7. Express their opinion and challenge the decision.
  8. Submit a complaint to the Hellenic Data Protection Authority.

These rights are valid in the entire application of the GDPR, regardless of where the data processing occurs and where U.o.W.M.is based.

 

Processing principles

U.o.W.M. accepts the basic principles governing the processing of personal data. According to article 5 of GDPR, personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’),
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’),
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’),
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’),
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’),
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

U.o.W.M. keeps a record of the processing activities for which it is responsible. That record contains all of the following information:

  1. the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer,
  2. the purposes of the processing,
  3. a description of the categories of data subjects and of the categories of personal data,
  4. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations,
  5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards,
  6. where possible, the envisaged time limits for erasure of the different categories of data,
  7. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

 

Protection of Personal Data

Taking into account the nature, the scope, the context, and the purposes of the processing, as well as the risks of the different probability of occurrence and seriousness for the rights and freedoms of natural persons, U.o.W.M. apply appropriate technical and organizational measures to ensure and be able to prove that the processing is carried out under the Regulation.

During the assessment of the appropriate security level by U.o.W.M., account shall be taken in particular of the risks arising from the processing, particularly from an accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.

In case o of a personal data breach (article 33), U.o.W.M. as the controller shall notify without delay and, if possible, within 72 hours of becoming aware of the breach of personal data to the supervisory authority responsible under Article 55, unless a breach of personal data does not endanger the rights and freedoms of individuals. When the notification to the supervisory authority is not made within 72 hours, it will be accompanied by a justification for the delay.

 

Staff Training

U.o.W.M. accepts that the protection of personal data presupposes the awareness of its human resources regarding personal data protection. In this regard, agrees with the adoption and implementation of the following:

  1. Orientation of appropriate training by exploiting Fair Information Practices (FIP), which condense a set of standards governing the collection and use of personal data and addressing issues of privacy and accuracy. Human resources cannot become experts in the field of privacy protection overnight, however, their familiarity with the international requirements of privacy protection is possible and necessary. Employees who have crucial roles in privacy need to acquire more specific knowledge. For most of the workforce, however, a thorough understanding of privacy’s general principles is essential.
  2. o.W.M. seeks to raise awareness of fundamental concepts of personal data protection on its human resources. This in no way means that its staff’s training is too theoretical or abstract. Instead, it becomes a practice. The core of education focuses on three simple but essential issues:
    1. Motivation: Why should employees care about privacy?
    2. Definition: What is personal data?
    3. Responsibility: What should employees know about how U.o.W.M. is accountable for privacy?

 

Communication of Natural Persons

The above rights, as well as any rights related to personal data, are exercised upon a written request submitted to any point that is accessible to the public or via electronic communication by sending a message to dpo@uowm.gr and is also examined by the Data Protection Officer, as defined by U.o.W.M.

 

Modification

This policy may need to be amended concerning the processing of personal data. In case the modification of the terms in question is of such nature and extent that the above data processing terms do not cover it, U.o.W.M. must make public the new version of the policy.