General Data Protection Regulation (GDPR)
1 Scope and Purpose
This Policy applies to any natural person whose personal data is processed by Caritas Athens, including (but not limited to) members of the administration board, past and current employees of the organization (including remote-working personnel), beneficiaries of its programs or candidates thereof, and external service providers and suppliers, past and present. It also applies to persons who have submitted personal data via volunteer forms, who have filled in a physical or electronic form on the Caritas Athens website, or who have submitted a resume for employment. This Policy serves as a minimum standard for the processing of personal data.
2.1 Legal Framework
This Policy complies with the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”), as in force, and with all applicable laws and regulations currently in force in Greece, including all applicable EU and national legislation, as well as derivative law / opinions / decisions issued by the Greek Data Protection Authority (“DPA”).
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly. Separate pieces of information which, when combined, can lead to the identification of a particular person are also personal data. Personal data that have been pseudonymized or encrypted remain personal data and fall within the scope of the GDPR, because the key or additional information needed to re-identify the natural person still exists. Only data rendered anonymous in such a manner that the data subject is not or no longer identifiable fall outside the definition of personal data; data are anonymous in this sense only when the anonymization is irreversible.
“Special categories of personal data”, also referred to as “sensitive data”, means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or health status, social welfare, sexual orientation or activity, criminal convictions and offences, or participation in related associations or entities.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The GDPR grants protection to personal data irrespective of the technology used to process them. It is technologically neutral and applies to both automated and manual processing, provided that the data form part of a filing system organized according to specific criteria (e.g. alphabetical order). The way in which the data are stored (e.g. in an information system, on video-surveillance recordings or in written form) is irrelevant; in every case the personal data are subject to the requirements of the GDPR.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Data subject” means an identified or identifiable natural person, residing in the EU, whose personal data is processed.
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
“Data file” means a set of personal data structured in a manner permitting the identification of a natural person (e.g. any information technology tool or application containing personal data).
“Transmission” means granting access to personal data in any way, manner or form (e.g. by permitting access, dissemination or publication).
“Data protection impact assessment” means a systematic process for the identification, assessment and documentation of the risks and consequences of personal data processing operations.
“Third Country” means any country not providing adequate protection of personal data, as stipulated in the GDPR.
2.3 General processing obligations
2.3.1 Principles relating to processing of personal data
Caritas Athens ensures that every person handling or processing personal data adheres to the following principles:
- lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes, made clear to the data subject upon collection, and shall not be further processed in a manner that is incompatible with those purposes.
- data minimization: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- accuracy: personal data shall be accurate and, where necessary, kept up to date, having regard to the purposes for which they are processed; inaccurate data shall be rectified or erased without delay.
- storage limitation: personal data shall not be kept for longer than is necessary for the purposes for which they were collected or are processed.
- integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
2.3.1.1 Lawful processing
Caritas Athens, as the controller, collects and processes personal data in a lawful manner. If the data is processed by a third party, this processor shall ensure compliance with this Policy and applicable laws and regulations. Processing shall be lawful only if and to the extent that at least one of the following applies (legal basis):
- a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Caritas Athens ensures that the data subject is informed and consents freely and willingly prior to any processing based on consent. To be able to demonstrate consent, the organization records it by written declaration or by lawful recording of telephone calls. The data subject has the right to withdraw consent at any time; the withdrawal does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
Consent is not required when the processing is necessary:
- a) for the performance of a contract to which the data subject is party;
- b) in order to take steps at the request of the data subject prior to entering into a contract;
- c) for compliance with a legal obligation to which the controller is subject;
- d) in order to protect the vital interests of the data subject or of another natural person;
- e) for the purposes of the legitimate interests pursued by the controller or by a third party, provided that those interests are not overridden by the interests or fundamental rights and freedoms of the data subject.
(In the above cases, consent does not constitute the legal basis of the processing; if in doubt, please contact the organization's DPO.)
2.3.1.2 Processing of special categories of personal data
For the purposes of its activities and its cooperation with other organizations or Authorities, Caritas Athens collects and processes special categories of personal data (also referred to as “sensitive data”, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or health status, social welfare, sexual orientation or activity, criminal convictions and offences, or participation in related associations or entities).
For the processing of such data, the organization shall obtain the explicit consent of the data subject. By way of derogation, consent is not required if:
- a) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorized by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
- b) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- c) processing relates to personal data which are manifestly made public by the data subject;
- d) processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
- e) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
- f) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies;
- g) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
- h) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
2.3.1.3 Obligation to inform
Given that the data subject should know the kind of data to be collected and the purposes of processing before giving consent, the organization shall provide the data subject with all of the following information:
- the identity of the controller (i.e. Caritas Athens)
- the contact details of the data protection officer (DPO)
- the kind of personal data to be collected and processed,
- the purposes of processing
- the legitimate interests pursued by the controller, as applicable
- the recipients or categories of recipients of the personal data, if any
- the specifics of any envisaged cross-border transfer, if applicable
- the period for which the personal data will be stored, or the criteria used to determine that period
- the existence of automated decision-making and the significance and the envisaged consequences of such processing for the data subject
- the rights of the data subject and the manner to exercise them.
2.3.1.4 Purposes of processing
The organization ensures that personal data are processed only for the purposes indicated at the time of their collection or for purposes specified by law. Personal data are processed in good faith and only to the extent necessary in relation to the purposes for which they are processed. All persons processing personal data are committed to ensuring that the processing is lawful and consistent with the purpose for which the data were collected.
Caritas Athens processes personal data of employees, program(s) beneficiaries or candidates thereof, external service providers and suppliers, processors, as well as of administration board members, for functional and administrative purposes, subject to applicable legislation and regulatory regime, both national and European.
2.3.1.5 Personnel files
Caritas Athens processes personal data of employees and staff members, as well as of administration board members. Employee files and the personal data (PD) contained therein are classified as “confidential information”. Employees, staff members and administration board members have been informed in writing of the processing of their personal data and of their rights and the manner of exercising them.
2.3.1.6 Data quality
The organization has informed all those involved in PD processing that the data has to be accurate and, if necessary, rectified and updated. The organization takes every necessary technical and organizational measure to ensure the rectification or destruction of inaccurate or incomplete (vis-à-vis the purposes of processing) data.
2.3.1.7 Data protection impact assessment
The organization carries out a data protection impact assessment (DPIA), properly documented and supported by the DPO, when an envisaged type of processing is likely to result in a high risk to the rights and freedoms of data subjects.
The DPIA is carried out prior to the processing, in order to identify and mitigate the risks to the protection of personal data.
High risk processing types include:
- systematic and extensive evaluation of personal aspects relating to the data subjects which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the data subjects’ rights and obligations
- processing on a large scale of special categories of data
- systematic monitoring of a publicly accessible area on a large scale (e.g. video-surveillance of a public space).
When the DPIA indicates that the processing would result in a high risk for the data subjects, the organization shall review the envisaged processing and, where the risk cannot be adequately mitigated, consult the supervisory authority before the processing begins.
2.3.1.8 Transfer to third parties
Personal data may be disclosed to third parties only when necessary and the organization shall inform the data subjects of the categories of recipients. Personal data shall be anonymized or pseudonymized before disclosure, if deemed necessary and possible.
Third parties processing PD on behalf of the controller (e.g. sub-contractors, external processors or service providers) shall be contractually obliged to adhere to this Policy and to take all necessary technical and organizational measures to ensure data subjects’ rights according to applicable laws. This Policy is referenced in the third-party contracts.
2.3.1.9 Cross-border transfer of personal data
Personal data may be transferred outside the EU/EEA to a country whose legislation and regulatory regime offers an adequate level of data protection, as recognized by the European Commission. Where this is not the case (a Third Country, as defined above), the data may be transferred only if the controller or processor receiving the PD has provided appropriate safeguards ensuring an adequate level of protection according to Article 46 of the GDPR. The organization may also transfer PD to the competent national Authorities, to be further transferred to Third Country Authorities, where obliged to by law.
The organization adopts appropriate technical and organizational measures to minimize the risk of accidental or intended breach, destruction or loss of PD, during transfer, and provides adequate safeguards for the protection from unauthorized disclosure of, or access to, personal data transmitted, taking into account technological developments and processing features.
2.3.1.10 Data security
The organization adopts appropriate technical and organizational measures to mitigate the risk of accidental or intended breach, destruction or loss of PD, and to deter unauthorized disclosure of, or access to, personal data. For this purpose, technological developments are taken into account and security procedures are determined based on the features of the processing.
2.3.1.11 Data storage
The organization retains and stores personal data only for the period strictly necessary for the purposes for which they were collected. It may retain data beyond a 20-year period if rights or obligations vis-à-vis the Authorities or individuals may arise from them beyond that term. Data are stored in compliance with applicable law and data protection regulations. Storage periods are determined according to: (a) legal obligations to retain data for a specified period, (b) the applicable limitation period, (c) possible litigation and (d) guidelines issued by the data protection authority or other supervisory authorities. The organization erases or destroys data that no longer need to be retained, according to the specified time limits, in a manner that ensures security. If the data are used for statistical or research purposes, they are anonymized so that the data subject cannot be identified.
2.3.2 Rights of the data subjects
The data subjects have the following rights under the GDPR and the conditions and limitations thereof:
- Right to information
- Right to access the data
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right not to be subject to automated individual decision-making, including profiling
The organization ensures that those rights are respected by its personnel, that the relevant procedures are followed and that DPO advice is sought, if necessary for the exercise of those rights.
2.3.3 Documentation of a personal data breach
Any infringement of this Policy or of relevant legislation and regulations is treated as a personal data breach (indicatively: unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data, processing without consent, or processing for purposes other than those indicated at the time of collection).
The person who discovers the breach shall take appropriate measures and apply the necessary procedures to protect the personal data from further misuse and shall report the breach to the DPO without delay. The DPO shall systematically document every breach reported, assess it and take any further measures required to remedy the breach and prevent its recurrence.
2.3.4 Notification of a personal data breach
In the case of a personal data breach, the organization shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The organization shall also notify without undue delay the data subjects, when the personal data breach is likely to result in a high risk to their rights and freedoms.
2.3.5 Keeping a record of processing activities
The organization keeps a record of all personal data processing activities or operations it engages in. This record shall contain all of the following information:
- a) the name and contact details of the controller and, where applicable, the joint controllers and processors,
- b) the name and contact details of the DPO,
- c) a description of the personal data retained and the category they fall into,
- d) the purposes and legal basis of the processing,
- e) a description of the categories of data subjects,
- f) the categories of recipients to whom personal data have been or will be disclosed, including recipients in Third Countries,
- g) where possible, the envisaged time limits for erasure of the different categories of data,
- h) where possible, a general description of the technical and organizational security measures,
- i) whether a DPIA has been carried out, if applicable,
- j) whether the data subjects have been informed in advance.
Data are organized based on their requirements for protection. Data files with special protection requirements, such as special categories of data or personality profiles, are filed in separate files, labelled accordingly and are classified as confidential.
2.3.6 Training and awareness
The organization promotes the training and awareness of its personnel on data protection and privacy issues, subject to the applicable legal and regulatory regime and in accordance with the policies and procedures adopted. The Data Protection Officer (DPO) provides information material, organizes training sessions and answers all questions from personnel.
2.4 Obligations when adopting new processing activities and procedures
Personal data protection constitutes an integral part of any development or enhancement in the organization of Caritas Athens. As a result, when new processing activities are envisaged or assessed and re-designed, the principle of data protection by design and by default is taken into consideration.
2.4.1 Data protection by design
When new data processing systems are introduced, the organization ensures a high level of data protection. More specifically, each new system and process shall be subject to the following principles:
- a) Technical and organizational measures will be taken to ensure the systematic and safe handling of the life cycle of personal data, from their collection to their processing and erasure.
- b) Data processing systems shall require the collection of the minimum of data required for the fulfillment of the collection purpose.
- c) When the purpose of the processing is not hindered by the anonymization of data, personal data shall be anonymized, to prevent identification of the data subject.
- d) When personal data cannot be anonymized, security measures shall be adopted, such as pseudonymization, encryption or access limitation, depending on the nature of the data.
- e) Access to personal data shall be granted subject to the principle of necessity, i.e. access shall only be provided to the extent needed to fulfil the responsibilities of a specific role.
- f) Systematic quality control of personal data shall constitute an integral part of the data life cycle, to ensure high quality of data. In specific, there shall be procedures for the identification and rectification of false or incomplete personal data.
- g) Data processing systems shall be adequately protected from unauthorized access by technical and organizational measures.
- h) Data subjects shall be able to control their personal data by transparent, user-friendly and effective means.
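Point (d) above, like the definition of personal data in section 2.1, turns on the difference between pseudonymization (reversible by whoever holds a separately kept key or lookup table, so the output is still personal data) and anonymization (irreversible, so the output is not). The Python example below is added here to make that difference concrete; it is not part of the Policy or of any Caritas Athens system, and the records, field names, key and helper functions are constructed for illustration only.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample beneficiary records for the example (not real data).
SAMPLE_RECORDS = [
    {"name": "Maria P.", "email": "maria@example.org", "program": "food", "health": "diabetes"},
    {"name": "Nikos K.", "email": "nikos@example.org", "program": "food", "health": "none"},
    {"name": "Eleni T.", "email": "eleni@example.org", "program": "housing", "health": "asthma"},
    {"name": "Maria P.", "email": "maria@example.org", "program": "housing", "health": "diabetes"},
]

# Fields that directly identify the data subject and are replaced by a pseudonym.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(key: bytes, identifier: str) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over the normalised identifier.

    An unkeyed hash of an e-mail address can be reversed simply by hashing a list
    of candidate addresses; the secret key is what stops anyone who does not hold
    it from doing that. The same subject always maps to the same token, so records
    can still be linked (e.g. the two rows for the same beneficiary above).
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key: bytes):
    """Replace direct identifiers with a pseudonym.

    Returns the pseudonymised rows and a re-identification table. Because the
    table (or the key) lets the controller recover the person, the rows remain
    personal data under the GDPR; the table must be stored separately from the
    rows, under stricter access control.
    """
    rows, lookup = [], {}
    for rec in records:
        token = pseudonym(key, rec["email"])
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        rows.append({"subject": token,
                     **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return rows, lookup


def re_identify(lookup, token: str):
    """Authorised reversal: possible only for whoever holds the lookup table."""
    return lookup.get(token)


def anonymize_counts(records, field: str, k: int = 2):
    """Irreversible aggregation for statistics (cf. the data storage section).

    Only per-value counts survive, and groups smaller than k are suppressed so
    that a rare value cannot single out one person. No key or table can undo
    this, which is what makes the result anonymous rather than pseudonymous.
    """
    counts = Counter(rec[field] for rec in records)
    return {value: n for value, n in counts.items() if n >= k}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice generated once and kept in a key store
    rows, lookup = pseudonymize(SAMPLE_RECORDS, key)
    print(rows[0])                                     # no name or e-mail left
    print(re_identify(lookup, rows[0]["subject"]))     # recoverable with the table
    print(anonymize_counts(SAMPLE_RECORDS, "health"))  # {'diabetes': 2}
```

The point for a reviewer of a new processing system is where the key and the lookup table live: if they sit in the same database as the pseudonymised rows, the "pseudonymization" adds nothing against an attacker who reads that database, and the rows are personal data either way. Destroying the key and table makes the existing tokens unlinkable to people but also ends any legitimate need to re-identify, so that step should be a deliberate part of the erasure procedure, not an accident.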
2.4.2 Data protection by default
The organization shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
Further data processing is allowed only when the data subject chooses or agrees to a lower level of protection, e.g. by manually changing privacy settings at a website, an information technology application or equivalent thereof, to a less restrictive option, thus providing explicit consent for further processing ("opt-in").
Caritas Athens, as the controller, determines the purposes and means of processing and is responsible for the appropriate processing and adhering to data protection and safety, as provided in this Policy or applicable laws.
Third parties, as processors, shall process personal data on documented instructions from the controller. Processors shall notify the controller of any personal data breach without undue delay.
Processors shall bind by contract any other processors (sub-processors) carrying out specific processing activities on behalf of the controller to the same data protection obligations and to the controller's instructions.
2.7 Data Protection Officer
The organization has designated a Data Protection officer (DPO), responsible for coordinating data protection. The DPO:
- a) monitors the organization’s compliance with applicable data protection laws and regulations;
- b) keeps informed of, and applies, the guidance documents of the European Commission, the European Data Protection Board (formerly the Article 29 Working Party) and the national supervisory authority regarding compliance with the GDPR;
- c) supports the administration of the organization in ensuring compliance with data protection legislation;
- d) regularly monitors application of this Policy;
- e) supports the correct keeping of the record of processing activities and of any other log or list documenting the organization's compliance status;
- f) monitors and assists in the performance of dpia, where applicable;
- g) is responsible for the response to data subjects’ requests;
- h) promotes the awareness of the organization’s personnel regarding data protection and provides advice on the processing;
- i) acts as the contact point for the supervisory authority on issues relating to processing and cooperates with the authorities on any matter.
The organization's administration is committed to the implementation of this Policy and provides the necessary staff and resources. The Administration ensures that employees, personnel and external service providers, as well as the entities for which they are responsible, know, understand and implement the Policy requirements and are properly trained for this duty.
2.9 Data breach
Any person breaching this Policy is liable and may face disciplinary proceedings or even termination of contract, in serious cases. Depending on their character and scope, breaches may be reported to the supervisory authority or result in criminal, civil or regulatory measures.
3 Details - comments - report to the authorities
For more information on data protection, please refer to the European Commission webpage (https://ec.europa.eu/info/law/law-topic/data-protection_el) or the Greek Supervisory Authority (Hellenic Data Protection Authority) (https://www.dpa.gr/portal/page?_pageid=33,213319&_dad=portal&_schema=PORTAL).