Pursuant to the application of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Hellenic American Union (22 Massalias Street, 10680 Athens) (the “HAU”) and the company under the corporate name “SmartRep Private Company” (3-5 Aristeidou Street, 15562, Cholargos Attiki) (the “SmartRep”) would like to inform you of the following:
1. The HAU and the SmartRep, in their capacity as joint data controllers, process personal data of the following persons (“data subjects”): (a) adults who make use of the “SmartRep Virtual Examiner” software/ solution (the “Solution”); and (b) minors that use the Solution, and which are being represented by holders of the parental responsibility or the guardianship. The HAU and the SmartRep process data subjects’ personal data, as the case may be, for the following purposes: (a) to register, provide services and in general manage the users of the Solution, to hold mock interviews with the users of the Solution and assess their level of proficiency based on their performance in the interview, as well as to handle any complaints/ incidents that may be reported by the data subjects. For such data processing, the legal basis shall be the performance of the relevant contract concluded with the HAU and compliance with a legal obligation of the HAU and the SmartRep. (b) To safeguard the interests of the HAU and the SmartRep. For such data processing, the legal basis is that processing is necessary for the purposes of the legitimate interests pursued by the HAU and the SmartRep which override the interest, fundamental rights and freedoms of the data subject which require the protection of personal data (e.g. for the establishment, exercise or support of legal claims, in which case the processing, if necessary, will also extend to specific categories of data). (c) To send marketing material via electronic mail. It should be noted that the HAU and SmartRep is entitled to use the data subjects’ electronic mail contact details, lawfully obtained in the context of the provision of its services or any other transaction, for the direct promotion of similar services or for the furtherance of similar purposes, even where data subjects have not given their prior consent, provided that they are given, when contact details are collected, as well with every message, a clear and transparent option to object, easily and free of charge, to the collection and use of their electronic data. For such processing of data, the legal basis is that processing is necessary for the purposes of the legitimate interests pursued by the HAU and the SmartRep (i.e., the legitimate interests relating to the promotion of their services), which override the interest, fundamental rights and freedoms of the data subject which require the protection of personal data. (d) To ensure and improve the functionality of the Solution, in which case the HAU and the SmartRep may carry out automated decision-making. The Solution uses natural language processing (NLP), which is a field of artificial intelligence that allows computers to understand, interpret and respond to human language in a natural and useful way. When the users address the virtual teacher through the microphone, NLP is the mechanism that helps the Solution "understand" exactly what they are asking, no matter how complex or vague the way it is phrased. After understanding the question, NLP also allows the system to generate a natural and understandable answer. For such processing of data, the legal basis is the performance of the relevant contract concluded with the HAU and the fact that that processing is necessary for the purposes of the legitimate interests pursued by the HAU and the SmartRep (i.e., the legitimate interests relating to the operation and improvement of the Solution), which override the interest, fundamental rights and freedoms of the data subject which require the protection of personal data.
2. Data processed by the HAU and the SmartRep may include (a) personal information of the data subject (e.g. full name, father’s name, gender, date of birth, native language, phone number (home/ mobile), e-mail address); (b) the language proficiency test for which the data subject wishes to take a mock interview using the Solution, the data subject’s voice, the data subject’s performance in the interview/ oral examination and his/ her answers on the basis of which the data subject’s proficiency level was determined by the Solution’s virtual examiner; and (c) financial data relating to the payment of fees to the HAU and/ or the SmartRep for the use of the Solution, such as bank card information, bank account numbers, billing and payment data etc. The disclosure of the data specified in subparagraphs (a) to (c) above is a legal or contractual obligation of the data subject or a requirement to conclude a contract. Where the data subject does not provide the above data or part thereof, he or she will not be able to register and therefore, use the Solution.
3. The source of the data, as the case may be, is the data subject himself/ herself disclosing his/ her data or the holders of the parental responsibility or the guardianship of the data subject.
4. As the case may be and depending on the purpose of processing, personal data may be transmitted to the authorized employees in each department of the HAU and the SmartRep and to companies associated with the HAU and the SmartRep with which the HAU and the SmartRep have concluded a contract and which process the data on their behalf (e.g. IT companies, IT service providers, etc.), within their competencies and subject to the obligation of confidentiality, secrecy and compliance with the data protection legislation. In addition, the HAU and the SmartRep may transmit personal data to third parties where so required by law, or for the purposes of, or in connection with legal proceedings in which they participate, or otherwise for the purposes of supporting, exercising or defending its rights, or to third parties that are law enforcement authorities and have submitted a lawful transmission request, or where they consider that transmission is necessary in connection with any investigation into the suspicion or existence of any illegal activity. Personal data shall not be transmitted outside the European Economic Area.
5. The above data will be retained for a period time as required or allowed by the legislation/regulatory framework in force each time, taking into account the applicable prescription period, which may extend to up to 20 years. Specifically: (a) where processing is carried out under a relevant contract, the personal data shall be stored for as long as necessary for the performance of the contract and for the establishment, exercise and/or support of any legal claims arising from that contract; and (b) where the processing is imposed as an obligation by provisions stemming from the applicable legal framework, personal data shall be stored for as long as the relevant provisions so require.
6. The data subject shall have the following rights under the GDPR: (a) to receive a copy of the personal data held by the HAU and the SmartRep, together with other information on how data is processed; (b) to request that personal data concerning him or her be rectified and, under conditions, to request the deletion or restriction of processing, or to object to the processing of personal data; (c) to receive a copy or to request the transmission of a copy of his or her personal data to a third party in a structured, commonly used and machine-readable format (right to data portability). Where the processing of data is based on his or her consent, the data subject shall have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. If the data subject wishes to receive further information about the processing of his or her personal data or to exercise any of the aforementioned rights, he or she must email the HAU Data Protection Officer at: privacy@hau.gr, or send a letter to the mailing address mentioned above. Finally, the data subject has the right to file a complaint with the competent supervisory authority about how the HAU and the SmartRep handles his or her data (for Greece: www.dpa.gr).
Download the notification in .pdf format