INSTITUTE OF THE GREEK TOURISM CONFEDERATION – INSETE

PERSONAL DATA PROTECTION POLICY

 

At INSETE we respect your privacy and undertake to protect your personal data. The present privacy statement aspires to inform you about the personal data we collect and process in the course of the provision of our services and our communication with you.

 

Our full particulars are:
INSTITUTE OF THE GREEK TOURISM CONFEDERATION (INSETE)

Email address: dpo@insete.gr

Postal Address: 32 Voukourestiou Street, 10671 Athens, Greece

Telephone: 210-3244368

 

Subject matter and objectives of the personal data protection policy

The scope of the present Policy is to determine the basic rules and principles according to which INSETE collects, processes and stores personal data, as defined by the applicable national and EU legislation in force and, in particular, Regulation (EU) 2016/679 (hereinafter “the Regulation”).

 

Personal Data Concepts/Definitions

For the purposes of the present Policy, the following concepts shall be construed as follows:

“Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Special categories of personal data”: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

“Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Anonymization”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject.

“Pseudonymization”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

“Processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Consent” of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Data concerning health”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

“Applicable law”: The provisions of the Greek, EU or other law to which INSETE is subject and which prescribe personal data protection issues, such as:

  • Law 3471/2006 on the protection of personal data and privacy in the electronic communications sector and the amendment of Law 2472/1997;
  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on the protection of privacy in electronic communications) as amended (Directive 2009/136);
  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and any implementation laws thereof;
  • Law 4624/2019: Personal Data Protection Authority, measures for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the incorporation into national legislation of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 and other provisions.

 

General Principles of Personal Data Processing

When INSETE processes personal data, it ensures that:

  1. It collects and processes such data lawfully, in accordance with the provisions of the applicable laws and the conditions thereby prescribed.
  2. It processes personal data only for defined, express and lawful purposes.
  3. It implements appropriate technical and organizational measures to ensure that personal data are processed in such manner as to warrant the appropriate level of security for personal data, including, inter alia, their protection with regard to unauthorized or illegal processing and accidental loss, destruction or damage. Moreover, it periodically reviews the adequacy and efficacy of such measures.
  4. It makes the required effort so that the personal data it keeps and processes are always accurate and updated.
  5. It does not keep the personal data it collects for a longer time than necessary for the purposes for which they were collected and processed. However, it may keep such data for a longer time if their processing is required:
    1. for complying with a legal obligation which imposes such processing pursuant to the provisions of a law (especially in the context of its obligations as beneficiary in the realization of co-financed National Strategic Reference Framework/NSRF programmes, etc.),
    2. for fulfilling a duty discharged in the public interest,
    3. for archiving purposes in the public interest or for scientific or historical research purposes or for statistical purposes, after appropriate technical and organizational measures are taken, including their pseudonymization, and only to the extent that such purposes may not be served through the anonymization of data,
    4. for substantiating, exercising, or supporting legal claims.

 

Purposes for processing:

INSETE collects and processes personal data for the following purposes:

  1. In order to meet its obligations as imposed by the law and by the provisions of its Charter for its objectives and actions, such as:

(a) the study, protection and promotion of the status and contribution of the tourism sector in the sustainable economic, social and cultural development at national and European level;

(b) the support and promotion of entrepreneurship (conventional and social) in the tourism sector and in any other services sector which is directly or indirectly linked to it;

(c) the enhancement of development mechanisms and policies for human resources in the tourism sector and in any other services sector which is directly or indirectly linked to it;

(d) the provision of any kind of scientific, technical and other support to SETE with regard to any issue which pertains to the scope and objectives of its activities and which contributes to the accomplishment of its goals.

  2. In order to meet its obligations as imposed by the law and in particular by the social security and taxation laws in force with regard to its employees and suppliers.
  3. In order to implement as beneficiary National Strategic Reference Framework/NSRF and other programmes which are co-financed with community funds and to fulfil its pertinent obligations in line with national and EU law.
  4. In order to be able to recruit staff or to contract with independent partners.
  5. In order to ensure its smooth operation in line with the objectives set out in its Charter and with the applicable laws.
  6. In order to ensure the safety of its staff, facilities and equipment.
  7. In order to lawfully execute contracts and meet the legal obligations therein prescribed.
  8. In order to undertake scientific research and studies for statistical purposes (INSETE Intelligence).
  9. In order to undertake educational/vocational activities (INSETE Training) and to organize educational/vocational seminars, conferences and events.

 

Legal basis for personal data processing

INSETE shall process your personal data with transparency in accordance with the principles of lawfulness, proportionality, confidentiality and integrity, the limitation with regard to the purpose and accuracy, the specific time that data are kept and the minimization of data.

The legal basis for the processing of your personal data may consist in any of the following, as the case may be:

(a) your consent;

(b) the requirement to process your data in the context of our contractual obligations;

(c) the requirement to process your data in the context of our compliance with a legal obligation;

(d) the requirement to process your data in the context of safeguarding our lawful interests;

(e) the requirement to extract statistical data.

 

What data are processed

With regard to the aforesaid objectives, INSETE may collect and process personal data which may include, without being limited to, the following:

 

Personal Data Categories

  • Employees and/or independent partners: full name, father’s name, mother’s name, year of birth, place of birth, gender, citizenship, postal address, email address, contact telephones, identity card number, VAT number (Greek AFM), social security number (Greek AMKA) and other social security fund numbers, bank account number (IBAN), particulars about family status, education and training of employee, previous experience, curriculum vitae, references from previous employers.

Purposes – Legal basis for processing:

  • The management of the employment relationship. The processing of data is essential for the execution of the employment contract.
  • The fulfilment by INSETE of its obligations as employer. The processing of data is essential for INSETE’s compliance with legal obligations.
  • Candidate employees/partners: INSETE collects and processes data of candidate employees & partners upon a candidate’s submission of a pertinent application for a vacant post. In such cases, INSETE collects and processes only the personal data that are required for the assessment of the candidate’s appropriateness for the specific post/partnership (e.g. name, surname, contact details, education, previous experience, etc.). Such data shall be collected on submission of an application in any manner (e.g. by dispatch of an email message to INSETE’s email address provided with the relevant announcement/invitation) and from the curriculum vitae which the candidate attaches to his/her application. Moreover, for the assessment of applications for a post/partnership, INSETE may use additional questionnaires which disclose information about candidates in order to facilitate the further assessment of the candidate’s appropriateness for a specific post. Should the application for a post cite contact information for previous employers and provided a candidate declares his/her express consent to that effect, Marketing Greece shall be entitled to contact them in order to request information exclusively pertaining to the post and the candidate’s capacity/ability to match the post. Should the application for a post cite contact information for previous employers, INSETE shall be entitled to contact them in order to request information exclusively pertaining to the post and the candidate’s capacity/ability to match the post.

 

Purposes – Legal basis for processing:

Candidates’ data are collected for the purpose of:

  • Assessing a candidate’s appropriateness for a specific post. The legal basis for processing is INSETE’s lawful interest.
  • Keeping on file a candidate’s application for potential post vacancies. The legal basis for processing is INSETE’s lawful interest.
  • Contacting previous employers, whose particulars have been provided by candidates for this purpose. The legal basis for processing is the prior explicit consent of the candidate, if this has been granted.

 

  • Participants, tutors and/or coordinators in seminars and educational/vocational activities: full name, postal address, email address, contact telephone, profession, VAT number (Greek AFM), bank account number (IBAN), etc. Moreover, in its search for partners (tutors, coordinators, etc.) for the realization of its educational/vocational activities, INSETE may request particulars about the candidate partner’s family status, education and training, previous experience, curriculum vitae, references from previous employers/partners, etc.

Purposes – Legal basis for processing:

Candidates’ data are collected for the purpose of:

  • Accomplishing INSETE’s goals as per its Charter and in particular fulfilling the Institute’s educational role. The legal basis for processing is INSETE’s lawful interest.
  • Assessing the appropriateness of a candidate educational partner for a specific partnership. The legal basis for processing is INSETE’s lawful interest.
  • Contacting previous employers and/or partners, whose particulars have been provided by candidates for this purpose. The legal basis for processing is INSETE’s lawful interest.

 

  • Visual data: In the context of the organization of seminars, conferences and other such activities and events of INSETE, such events may be recorded in photographs and/or videos and such material may be uploaded in INSETE’s portal or social media accounts.

Purposes – Legal basis for processing:

Visual data are collected for the purpose of:

  • The management of events. The processing of data is essential for the management of events and of their purposes. The legal basis for processing is INSETE’s lawful interest.

 

  • Contact data (email, full name, telephone, etc.): of persons who are in regular contact with INSETE with regard to its objectives in the context of the lawful activities of INSETE as the research and scientific institute of SETE, contact data of journalists for the communication of Press Releases and updates about INSETE’s institutional actions, positions and events, and contact data of persons who have declared their wish and have provided their consent to receive updates from INSETE (full name, email address, post office box, capacity, profession, contact telephone numbers).

Purposes – Legal basis for processing:

Data are collected for the purpose of:

  • the requirement to process data in the context of safeguarding INSETE’s lawful interests as the Institute of its social institutional partner (SETE). The legal basis for processing is INSETE’s lawful interest.
  • the dispatch of updates about the institutional activities, positions and events of INSETE. The legal basis for processing is the consent of persons who wish to receive updates from INSETE about its events and actions and about developments in the tourism sector.

 

  • In the context of the realization of National Strategic Reference Framework/NSRF programmes, INSETE may collect, indicatively and depending on the category of each operational programme, the beneficiaries’ microdata, full name, father’s name, identity card or passport number (and copy of the identity card or passport), contact particulars (address, telephone number, email address), educational level, professional training, curriculum vitae, answers to questionnaires, signatures (attendance registers), documents pertaining to tender participation procedures, such as: tax and social security clearance certificates, income tax returns, registration of a new business and of any subsequent changes with the competent tax office (Greek DOY), and any particulars required under the applicable legislation for public contracts and the National Strategic Reference Framework.

In the context of its programmes, INSETE may use psychometric tests. The processing of personal data of participants in such programmes in the course of the administration of psychometric tests shall be subject to their clear consent, which may be revoked at any time without, however, affecting the lawfulness of any processing undertaken until the time it is revoked. Moreover, participants may refrain from taking certain (optional) tests if they so wish. In such case, they should bear in mind that this may impact the outcome of the entire procedure, which shall not be complete.

 

Purposes – Legal basis for processing:

Data are collected for the purpose of:

  • the requirement to process data in the context of INSETE’s legal obligations (indicatively, Law 4314/2014 and other regulatory provisions with regard to the implementation of co-financed programmes). The legal basis for processing is INSETE’s legal obligations.

 

As the case may be, INSETE may process such data both as controller and as processor on behalf of third parties. In particular, pursuant to article 54A of law 4314/2014, as in force, for personal data of participants in acts which are co-financed by the European Social Fund and which are implemented in the context of operational programmes, the Ministry of Economy and Development shall be the Controller and INSETE, as beneficiary, shall be the Processor.

 

Special categories of personal data

INSETE may collect and process data which belong to special categories of personal data (“sensitive data”), such as data concerning health, in order to meet its social security obligations. Such data may at times not pertain to parties directly transacting with INSETE but to third parties (e.g. members of an employee’s family, offspring, etc.).

 

Purposes – Legal basis for processing:

Data are collected for the purpose of:

  • In order for INSETE to meet its obligations as imposed by the law and in particular by the social security laws in force.

 

Also, in exceptional cases and when prescribed by the applicable laws (e.g. laws concerning NSRF programmes and public contracts law), INSETE may collect and process data concerning criminal convictions and offences, such as criminal records, invariably respecting the principle of proportionality.

 

Purposes – Legal basis for processing:

Data are collected for the purpose of:

  • The requirement to process data in the context of INSETE’s legal obligations (indicatively, Law 4314/2014, Law 4412/2016 about public contracts and other regulatory provisions with regard to the implementation of co-financed programmes). The legal basis for processing is INSETE’s legal obligations.

 

As the case may be, INSETE may process such data both as controller and as processor on behalf of third parties. In particular, pursuant to article 54A of law 4314/2014, as in force, for personal data of participants in acts which are co-financed by the European Social Fund and which are implemented in the context of operational programmes, the Ministry of Economy and Development shall be the Controller, and INSETE, as beneficiary, shall be the Processor.

 

Transmission of Data

INSETE may transmit data to the Greek Tourism Confederation-SETE, which is INSETE’s main partner, and to its affiliated company under the name “Marketing Greece TOURISM PROMOTION AND DEVELOPMENT S.A.”, both for internal administrative purposes, including the processing of personal data of partners and/or employees, and for the purpose of informing subjects about the activities and actions of the said three “affiliated” legal persons. Moreover, the aforesaid parties may transmit data to INSETE.

INSETE may also transmit data to third parties (legal or natural persons) acting as processors, in support of its operation (e.g. accounting support, payroll purposes, technical support) and in support of its actions (e.g. educational/vocational).

INSETE may also transmit such data to third parties either on account of its obligation when this is prescribed by the applicable laws or, alternatively, in accordance with the guarantees prescribed by the applicable laws. In such cases, it should adequately inform the data subjects before proceeding to such transmission.

In the event that such transmission should involve a country outside the European Union (EU) or the European Economic Area (EEA), INSETE should check whether:

  • The Commission has issued a pertinent adequacy decision for the third country to which data shall be transmitted;
  • Appropriate guarantees are in place in accordance with the Regulation about the transmission of such data.

If not, transmission to a third country is prohibited and INSETE may not transmit personal data to such country, unless one of the special derogations prescribed in the Regulation should apply (e.g. express consent of the subject and information of same about the risks the transmission entails, the transmission is necessary for the execution of a contract upon the subject’s request, there are reasons of public interest, it is required to support legal claims and vital interests of the data subjects, etc.).

In any case, personal data processed by INSETE in the context of the implementation of co-financed programmes shall not be transmitted to third parties, apart from the Controller at each instance (in case INSETE is not the Controller), the joint beneficiary of each act, the competent state and audit and administrative authorities, and the project partners/concessionaires in the context of the implementation of each programme and, in general, exclusively and only when required in accordance with the relevant legislative and regulatory national and EU provisions that shall apply in the implementation of co-financed programmes.

 

Data retention period

INSETE shall retain your personal data for a limited time period depending on the purpose of their processing and upon expiry of such period personal data shall be deleted from our files, unless a different retention period is prescribed or allowed by the applicable laws (e.g. NSRF, social security, labour legislation, etc.). Where your consent is essential for the collection of your personal data, your consent may be revoked at any time without, however, affecting the lawfulness of any processing undertaken prior to its being revoked.

Curricula vitae and/or any completed questionnaires of applicants for a job/collaboration are kept by INSETE for a period of one year and then destroyed, unless there is an obligation to keep the relevant file for a longer period due to compliance with relevant legislation (e.g. calls for expressions of interest for staff in the context of the implementation of ESPA programs, where there is a general legal obligation for the beneficiary of each Operation to keep all the documents of the file of a co-financed program for five years from its expiration).

In cases of personal data provided directly by the subject in order for him to receive a newsletter and other updates from INSETE, the data are kept until the withdrawal of the subject’s consent, which can be done at any time, without, however, affecting the legality of the processing preceding the revocation.

The personal data processed by INSETE in the context of the implementation of ESPA programs must be retained for five years from the end of each co-financed Operation, due to a relevant legal obligation.

 

Data Protection Officer (DPO)

INSETE has appointed a Data Protection Officer-DPO, hereinafter the “DPO”. Email: dpo@insete.gr

 

Rights of Personal Data Subjects

INSETE shall ensure that data subjects are able to exercise the rights provided for same by the law with regard to the collection and processing of personal data. Said rights are:

  1. The right of access to data.
  2. The right of rectification of data.
  3. The right of erasure of data (“right to be forgotten”).
  4. The right of restriction of processing of data.
  5. The right of portability of data.
  6. The right to object to the processing of data.

 

In the event that any of the above rights should be exercised, we shall take all possible steps to satisfy your request within a reasonable time and in any event within one (1) month from submission of your request and its/your identification. That period may be extended by two further months where necessary, in the event that your request is complex or if there is a great number of requests. In such case, INSETE is obliged, within one month of identifying the request, to notify you about the delay and the reasons for such delay. Within the said time, INSETE is obliged to inform you of any refusal on its part to satisfy, in whole or in part, the request you submitted and about the reasons of such refusal.

INSETE may refuse to satisfy, in whole or in part, a request received by the data subject only when this option is provided for under the General Data Protection Regulation (EU 2016/679).

If INSETE is processing personal data as processor, it shall transmit such requests to the controller, who is responsible for examining and satisfying such requests.

To exercise any of the above rights, you may contact INSETE’s Data Protection Officer (dpo@insete.gr).

 

Right to Appeal to the Personal Data Protection Authority

If you believe that there is a breach of any of your rights with regard to the protection of Personal Data, you may file a complaint with the competent supervising authority, viz. the Hellenic Data Protection Authority. For more information, please visit the website http://www.dpa.gr.

Data Privacy Impact Assessment (DPIA)

When a type of processing may entail a high risk for the rights and liberties of natural persons, INSETE shall undertake, prior to any processing, an assessment of the impact of the planned processing acts on the protection of personal data (impact assessment). Impact assessment is a process designed to describe the processing, evaluate its necessity and proportionality, and contribute to risk management, through the assessment of risks and the determination of measures to address such risks. It is not required for all types of processing but only at instances where a type of processing is considered to be high risk. In the context of assessing the impact, the nature, extent, broader context and objectives of the processing are assessed in order to evaluate whether it is likely for a risk to materialize and also to evaluate the seriousness of such risk for the rights and liberties of the data subjects.

INSETE is responsible and has authority to decide whether an assessment should or should not be undertaken.

 

Personal Data Breach

A “personal data breach” is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized communication, disclosure of, or access to, personal data collected, stored or in any way processed by INSETE.

A personal data breach may occur in many instances, some of which are indicatively mentioned below:

  • Loss, destruction or theft of data or documents or equipment in which they are contained or stored.
  • Right of access to personal data obtained in any way by persons who have not been duly authorized/licensed.
  • Disclosure of information to third parties who have not been duly authorized/licensed.
  • Dispatch of post or email to wrong recipients.

In order for an incident to be deemed to be personal data breach, it is of no consequence whether such incident occurred as a result of fraud, negligence, act, omission, accidental or unpredictable event.

In the event that INSETE or any employee or partner thereof or any third party should become aware of or suspect any breach of personal data, s/he shall inform INSETE at the following email address: dpo@insete.gr

If INSETE is processing data as processor, it shall notify without delay the controller and shall not make any disclosures.

 

Training

INSETE shall make arrangements for the staff involved in the collection and processing of personal data to be adequately informed and trained, taking into consideration available training and information methods in order to select the most appropriate ones at each instance.

 

Personal Data Protection Policy Updates

INSETE may from time to time amend the present Policy in order to comply with changes in regulations, for operational reasons or in order to respond to the needs of its institutional role.

Updated versions of the present policy shall be posted on INSETE’s website and shall indicate the date, so that you may identify the most recent updated version.

The present Policy was posted on 24.5.2018 and subsequently amended / updated on 10/10/2018, 6/24/2019 and 4/5/2020.