The present General Personal Data Protection Policy (hereinafter “Personal Data Protection Policy” or “PDPP”) concerns the processing of personal data carried out by the Public Benefit Foundation under the name “Bodossaki Foundation” (“the Foundation”), a private-law legal person.
2. DEFINITIONS FOR PERSONAL DATA
(N.B.: The definitions are in accordance with art. 4 of the GDPR)
“Personal Data” means any information by reference to which a natural person (“data subject”) is identified or identifiable.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of the present Policy, the Foundation acts as Controller.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
“Personal data subject”: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Recipient” means a natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
3. COLLECTION OF PERSONAL DATA
The types of processing performed in the framework of the Foundation’s operation have the following characteristics that are available here.
4. OBSERVANCE OF CONFIDENTIALITY
The Processors that perform the processing on behalf of the Foundation have agreed and contractually undertaken to observe confidentiality, not to make personal data accessible to third parties without the Foundation’s permission, to take appropriate security measures and, in general, to comply with the legal framework for the protection of personal data.
The Foundation does not, in principle, transfer personal data of the data subjects to a third country or to an international organisation. However, where this is deemed necessary, such transfer shall take place in accordance with the provisions of articles 44 et seq. of the GDPR.
Regarding ACTIVE CITIZENS FUND (ACF) – EEA GRANTS programme: The Foundation may transfer personal data solely within the European Economic Area and, in particular, to the FMO and/or other EFTA agencies, in line with its duty of accountability as Fund Operator, always in accordance with the data protection laws and regulations in force and taking appropriate technical and organizational measures to protect such personal data.
Regarding CERV Programme: The Foundation may transfer personal data exclusively within the EU in the context of its accountability as a Beneficiary of the Programme, always in accordance with applicable data protection laws and regulations and taking appropriate technical and organisational measures to protect personal data.
Regarding Points of Support Programme: The Foundation may share personal data with entities within the EU and/or Canada and Jersey (jurisdictions covered by an adequacy decision) and in particular with participating foundations in the context of the operation of the Programme, always in accordance with applicable data protection laws and regulations and taking appropriate technical and organisational measures to protect personal data.
5. TRANSFER AND STORAGE OF PERSONAL DATA
Any transfer or transmission of the personal data of the data subjects shall take place via electronic systems and the data shall be transmitted in encrypted format.
6. RIGHTS OF THE DATA SUBJECTS
In its capacity as Controller, the Foundation, in full compliance with the provisions of the legislation on the protection of personal data, shall satisfy and facilitate the exercise of the following rights of the data subjects, as such rights are provided for by the law:
6.1. Right of access
The data subjects have the right to receive from the Foundation, at any time, information as to whether or not it processes their personal data and, if it does, they may request to be informed of the purpose of the processing, the type of data that are subject to processing, their recipients, the period during which they shall be stored, the existence of their right to submit a request for the rectification or erasure of personal data or for the restriction of the processing or to object to such processing, and of their right to lodge a complaint with a supervisory authority, if automated decision-making is taking place. In addition, the data subjects shall be provided with a copy of the said personal data without undue delay.
6.2. Right to rectification
The data subject has the right to require the Foundation to rectify inaccurate or out-of-date personal data that concern them. It also has the right to require the completion of incomplete personal data, including, among other means, by an additional declaration. Furthermore, the Foundation undertakes to communicate any rectification of personal data to any recipient to whom the said personal data have been disclosed, unless this proves impossible or would entail a disproportionate effort. The Foundation undertakes the obligation to inform the data subject about such recipients upon request.
6.3. Right to erasure
The data subject has the right to request the Foundation to erase personal data that concern them, under the conditions of art. 18 of the GDPR and art. 34 of Law 4624/2019.
6.4. Right to restriction of the processing
The data subject has the right to request the Foundation to restrict the processing the personal data that concern them, under the conditions of art. 18 of the GDPR. If the processing of personal data is restricted, such personal data shall, with the exception of storage, only be processed if specific exemptions apply, in accordance with Art. 18 GDPR.
6.5. Right to the portability of the data
The data subject has the right, under the conditions of art. 20 of GDPR, to receive the personal data that concern them and which they have provided to the Foundation in a structured, commonly used and machine-readable format, as well as the right to transfer such data to another controller without objection from the Foundation to which the personal data had been provided as Controller.
6.6. Right to objection
The data subject has the right to object at any time and for reasons related to his/her particular situation to the processing of personal data that concern them, under the conditions of art. 21 of the GDPR. If the data subject objects to the processing of data that concern them, the Foundation shall no longer process such data unless it demonstrates compelling legitimate grounds for the processing which override the interests and rights of the data subject or for the establishment, exercise or defence of legal claims.
6.7. Automated individual decision-making, including profiling
The Foundation does not make use of automated individual decision-making. However, if in the future it adopts automated individual decision-making, the data subject shall in any case have the right to object to a decision based solely on automated processing, including profiling, where such decision produces legal effects that concern or significantly affect the data subject.
7. Satisfaction of the rights
Overall, the Foundation ensures that:
- Procedures are in place to allow the easy exercise of the rights of the data subjects, so that all necessary actions can be initiated immediately.
- It shall respond to a request made by the data subject without undue delay and in any event within thirty (30) calendar days at the latest. In the event that it cannot satisfy any right exercised by the data subject, the Foundation shall ensure that a specific, adequate and complete justification is provided.
- Except in cases of manifestly unfounded or excessive requests, all actions relating to the satisfaction of the rights of the data subjects shall be carried out free of charge for the data subjects.
For exercising the rights provided for by the law, for the submission of queries or for any other matter related to the processing of personal data described in this privacy notice, data subjects may use the following email address: [email protected]
In cases where the data subjects consider the processing of their personal data to be in violation of the regulatory framework in force for the protection of personal data, they have the right to lodge a complaint with the Hellenic Data Protection Authority (“HDPA”, 1-3 Kifissias Ave., GR-11523, Athens, tel.: +30 2106467500, e-mail: [email protected]).
8. Amendment of this policy (issue: March 2023)
The Foundation reserves the right to amend the present Policy, either in whole or in part, when it so deems necessary. Any amendment hereto shall take immediate effect as of its posting on the Foundation’s website. Users are advised to consult the present document at regular intervals, to make sure that they are aware of its most recent issue.