Pursuant to the application of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Hellenic American Union (Massalias Str., no. 22, Postal Code 10680, Athens) (the “HAU”) would like to inform you of the following:
1. What data is processed by the HAU belonging to which natural persons: The HAU, in its capacity as data controller, processes personal data of minors who participate or are willing to participate in the HAU’s events and who are being represented by their parent(s) or guardian (jointly and, as the case may be, the “data subjects”). Data processed by the HAU may include: (a) personal information (e.g. full name and e-mail address); (b) financial data relating to the payment of fees to the HAU, such as bank card information, bank account numbers, and billing and payment data, if fees are charged for participating in the event ; (c) voice data (voice) of the minors participating in the event, in cases when the parent or guardian have provided their consent for the minor to speak during the event in full knowledge of the fact that material from the event may be uploaded to the internet on the HAU’s behalf and that alternative means to participate without speaking are available, such through an online chat (e.g. by submitting questions). The disclosure of the data in clauses (a) and (b), above, is a legal or contractual obligation of the data subject or a requirement to fulfill a contract. Where the data subject does not provide the above data or a part thereof, he or she will not be able to participate in the HAU’s event.
2. Source of data: The source of the data, as the case may be, is the minor participant himself/ herself disclosing his/ her data or the data subject’s parent or guardian.
3. Purpose and legal basis of processing data: The HAU processes data subjects’ personal data, as the case may be, for the following purposes: (a) to register, provide services, and in general manage the participants in the event. For such data processing, the legal basis for the processing is the performance of the relevant contract concluded with the HAU and compliance with a legal obligation of the HAU, while for voice data of minors participating in the event (as specified in clause 1 (c) above), the legal basis for processing shall be the consent given by the minor’s parent or guardian, which consent is provided by their clear affirmative act to permit the data subject to speak during the event, being aware of the fact that the event material may be uploaded to the internet on the HAU’s behalf. (b) To safeguard the interests of the HAU. For such data processing, the legal basis is that processing is necessary for the purposes of the prevailing legitimate interests pursued by the HAU (e.g. for the establishment, exercise or support of legal claims). (c) To send marketing material via electronic mail. It must be clarified that the HAU is entitled to use the data subjects’ electronic mail contact details, lawfully obtained in the context of the provision of its services or any other transaction, for the direct promotion of similar services or for the furtherance of similar purposes, even where data subjects have not given their prior consent, provided that they are given, when contact details are collected, as well with every message, a clear and transparent option to object, easily and free of charge, to the collection and use of their electronic data. For such processing of data, the legal basis is that processing is necessary for the purposes of the prevailing legitimate interests pursued by the HAU (i.e. the legitimate interests relating to the promotion of its services). For all of the above purposes, the HAU does not proceed with automated decision-making, including profiling of the data subjects.
4. Recipients of data: Depending on the case and purpose of processing, personal data may be transmitted to authorized employees in each department/ service unit of the HAU, as well as to companies associated with the HAU with which the HAU has a relevant contract and which processes the data on its behalf (e.g. IT companies, IT service providers, etc.), within their competencies and subject to the obligation of confidentiality, secrecy and compliance with the data protection legislation. In addition, the HAU may transmit personal data to third parties where so required by law, or for the purposes of, or in connection with legal proceedings in which it participates, or otherwise for the purposes of supporting, exercising or defending its rights, or to third parties that are law enforcement authorities and have submitted a lawful transmission request, or where it considers that transmission is necessary in connection with a investigation into the suspicion or existence of illegal activity. Personal data will not be transmitted outside the European Economic Area.
5. Data retention time: The above data will be retained for a period time as required or allowed by the legislation/regulatory framework in force each time, taking into account the applicable prescription period, which may extend to up to 20 years. Specifically: (a) where processing is carried out under a relevant contract, the personal data shall be stored for as long as necessary for the performance of the contract and for the establishment, exercise and/or support of any legal claims of the HAU arising from that contract; and (b) where the processing is imposed as an obligation by provisions stemming from the applicable legal framework, personal data shall be stored for as long as the relevant provisions so require.
6. Data subjects’ rights: The data subject shall have the following rights under the GDPR: (a) to receive a copy of the personal data held by the HAU, together with other information on how data is processed; (b) to request that personal data concerning him or her be rectified and, under conditions, to request the deletion or restriction of processing, or to object to the processing of personal data; (c) to receive a copy or to request the transmission of a copy of his or her personal data to a third party in a structured, commonly used and machine-readable format (right to data portability). Where the processing of data is based on his or her consent, the data subject shall have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. If the data subject wishes to receive further information about the processing of his or her personal data or to exercise any of his or her above rights, he or she must email the HAU Data Protection Officer exclusively at: firstname.lastname@example.org, or send a letter to the mailing address mentioned above. Finally, the data subject has the right to file a complaint with the competent supervisory authority about how the HAU handles his or her data (www.dpa.gr).Download the above legal statement in .pdf format