Personal Data Protection Policy

Declaration of Implementation The implementation of the General Data Protection Regulation (GDPR) is a priority for "Terre des hommes Hellas - Terre des hommes Non-Profit Company". Details of the person responsible for the processing:

  • Brand name: Terre des hommes Hellas
  • TAX ID: 997021829
  • Address: 28 METEORON, ATHENS, ATHENS / ATTICA, 11631
  • Contact phone: +30 210-7510007

Definitions

1. "Personal Data": any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one whose identity can be established, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person

2. 'processing' means any operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,

3. "Restriction of Processing": the marking of stored personal data with the aim of restricting their processing in the future,

4. 'filing system' means any structured set of personal data which is accessible according to specific criteria, whether that set is centralised, decentralised or distributed on a functional or geographical basis,

5. 'controller' means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its appointment may be provided for by Union or Member State law,

6. "Processor": the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller,

7. 'recipient' means the natural or legal person, public authority, agency or other body to whom the personal data are disclosed, whether or not a third party. However, public authorities which may receive personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by those public authorities shall be carried out in accordance with the applicable data protection rules according to the purposes of the processing,

8. 'Third party' means any natural or legal person, public authority, agency or body, with the exception of the data subject, the controller, the processor and persons who, under the direct supervision of the controller or the processor, are authorised to process personal data,

9. 'Consent' of the data subject: any freely given, freely given, specific, explicit and informed indication of the data subject's wishes by which the data subject signifies his or her agreement, by a statement or by a clear affirmative action, to the processing of personal data concerning him or her,

10. "Personal Data Breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access of personal data transmitted, stored or otherwise processed,

11. "Special Categories of Data": personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of positive identification of a person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Categories of Personal Data collected

"Terre des hommes Hellas", in the context of its activities and its normal operation, may collect personal data of its beneficiaries or partners, as well as of its employees, as well as of its partners in general, but also of other natural persons with whom it deals in the context of its operation. Depending on the form and purpose of processing in each case, "Terre des hommes Hellas" may collect and process personal data, such as, but not limited to, the following:

Categories of Personal Data collected

"Terre des hommes Hellas", in the context of its activities and its normal operation, may collect personal data of its beneficiaries or partners, as well as of its employees, as well as of its partners in general, but also of other natural persons with whom it deals in the context of its operation. Depending on the form and purpose of processing in each case, "Terre des hommes Hellas" may collect and process personal data, such as, but not limited to, the following:

CATEGORIES OF SUBJECTS

CATEGORIES OF DATA

BENEFICIARIES

Data of national and foreign persons who are beneficiaries of social services or programs that "Terre des hommes Hellas" participates in. These may include:

  1. Identity and demographic data (full name, patronymic, etc.),
  2. Insurance details (AMKA or AYPA and other Social Security Institution Registry details if required),
  3. Contact details (postal address, telephone, email, etc.),
  4. Health data (medical certificates and reports, prescriptions for medical treatment, etc.),
  5. Financial information (bank accounts, etc.),
  6. Marital status data, etc.
  7. Ethnic origin
  8. Racial origin
  9. Children's details (name, age)

TRAINEES

Data of natural persons receiving training through the programmes organised by "Terre des hommes Hellas".

These may include:

  1. Full name
  2. Sex
  3. Service - Department
  4. School
  5. Place of work
  6. Original Evaluation
  7. Final Evaluation,
  8. Email
  9. Address
  10. Telephone number
  11. Consent for the use of the trainee's photographic material in the organisation's press releases

SUPPLIERS/TRAINERS

Data of suppliers/trainers of "Terre des hommes Hellas", if they are natural persons or legal representatives/representatives of legal entities.

These may include:

  1. Identity and demographic data (e.g. full name, patronymic, etc.),
  2. Contact details (e.g. postal address, telephone, email, etc.),
  3. Professional data
  4. Contracts
  5. Account balances
  6. Bank Accounts
  7. Other relevant data

DATA OF OTHER NATURAL PERSONS

Data of other natural persons who visit infrastructures of "Terre des hommes Hellas" or cooperate with it.

EMPLOYEES (ACTIVE ANDNON-ACTIVE) / EMPLOYEE CANDIDATES

Data of employees of "Terre des hommes Hellas", under any employment relationship, as well as data of former and prospective employees, which are kept for the purposes of operating their employment relationship with "Terre des hommes Hellas".

These may include:

  1. Identity and demographic data (e.g. full name, patronymic, etc.),
  2. Insurance details (e.g. AMKA and other Social Security Institution Registry details if required),
  3. Contact details (e.g. postal address, telephone, email, etc.),
  4. Biographical Notes,
  5. Health data (e.g. medical certificates and reports, etc.),
  6. Financial information (e.g. bank accounts, etc.),
  7. Family status information (e.g. certificates and attestations, number and details of children, etc.)

Table 1. The categories of Subjects and their data

Purposes and Legal Bases for Processing

"Terre des hommes Hellas” may collect and process personal data of beneficiaries and other natural persons mentioned in the above paragraph who use its services. In principle, "Terre des hommes Hellas" may collect and process personal data for the following purposes with the respective legal bases for processing:

PURPOSE OF PROCESSING

LEGAL BASES

Collection, processing, cross checking and transmission of data from the Tax Administration for the support and operation of the framework of its competences

  1. Compliance with a legal obligation [Art. 6 §1 c) G.C.P.D.] and/or
  2. Serving legitimate interests [Art. 6 §1 (f) of the GDPR]

Collection and processing of the necessary data of employees and/or prospective employees and partners of "Terre des hommes Hellas" for the proper servicing of existing employment or cooperation relationships or the consideration of possible future cooperation

 

  1. Compliance with a legal obligation [Art. 6 §1 c) G.C.P.D.] and/or
  2. Processing in the context of the conclusion of a contract [Art. 6 §1 (b) GDPR] and/or
  3. Serving legitimate interests [Art. 6 §1 (f) of the GDPR] and/or
  4. Necessary for the performance of obligations and the exercise of the rights of the controller or the data subject in the field of labour law and social protection [Art. 9 §2 b) GDPR]

The provision of services

  1. Processing in the context of a contract award [Art. 6 §1 (b) GDPR] and/or
  2. Serving legitimate interests [Art. 6 §1 (f) of the GDPR]

For any other form of processing, "Terre des hommes Hellas". shall request the specific written, free and prior informed consent of the subjects before the start of the processing, if required.

 

  1. Consent [Art. 6 §1 para. 1) G.C.P.D.] and/or

Table 2. The main purposes and legal bases of processing

The reference to more than one lawful basis of processing does not imply that "Terre des hommes Hellas" undertakes lawful basis swapping, undermining the rights of the data subjects, but that there are cases where more than one lawful basis of processing is applicable. Finally, "Terre des hommes Hellas" does not use the consent of the data subjects (either for simple data or for special categories) as the main basis of processing, in accordance with the recommendations of the Working Party of No.29 (now the European Data Protection Board). In exceptional cases, the consent of the data subjects may be requested as a lawful basis for processing (e.g. for sending newsletters for participation in events or for the provision of additional services), where the processing cannot be carried out under a different lawful basis. In these cases too, subjects are informed in advance and appropriately before giving their consent, and retain full rights, including the right to withdraw consent.

Data Transfer/Disclosure to third parties

The personal data collected may be disclosed or transmitted to third parties if this is required to fulfil legal obligations or is necessary for the fulfilment of our services, subject to the guarantees of the relevant legislation. We may outsource the performance of certain of our services to natural or legal persons. To these persons, only those personal data necessary for the fulfilment of the assigned services are transmitted and they are bound to our organisation as regards the confidentiality and secure processing of personal data.

Rights of natural persons "Terre des hommes Hellas" respects the rights of individuals regarding the protection of their personal data. Individuals have the right to:

  1. They are informed about the processing of personal data.
  2. Access to personal data concerning them.
  3. Request the correction of incorrect, inaccurate or incomplete personal data.
  4. Request the erasure of personal data when it is no longer necessary or if the processing is unlawful. Since Article 6(1)(c) GDPR applies as the lawful basis of processing to most of the processing operations of Terre des hommes Hellas, the right to erasure is limited and will be considered on a case-by-case basis under the legal conditions. Besides, according to recital 4 of the GDPR, the right to the protection of personal data is not an absolute right; it must be assessed in relation to its function in society and weighed against other fundamental rights, in accordance with the principle of proportionality.
  5. They object to the processing of personal data for reasons relating to their particular situation, subject to Article 21(6) of the GDPR.
  6. Request restriction of processing of personal data in specific cases.
  7. Submit a complaint to the Personal Data Protection Authority (1-3 Kifissias Avenue, 11523 Ambelokipi, 11523, tel. 210.647.5600, www.dpa.gr) or to the supervisory authority of the EU Member State where they reside or work or to the supervisory authority of the place of the alleged infringement.

Communication of Natural Persons

The above rights, as well as any right regarding personal data, are exercised upon written request submitted at any place accessible to the public, or by electronic communication, by sending a message to dpo@tdhhellas.com1 and is also examined by the Data Protection Officer, who has been appointed by "Terre des hommes Hellas”.

Processing principles

"Terre des hommes Hellas" adheres to the principles governing the processing of personal data. Personal data (Article 5 of the General Data Protection Regulation):

  1. They are processed lawfully and fairly and in a transparent manner in relation to the data subject ("lawfulness, objectivity and transparency").
  2. They shall be collected for specified, explicit and legitimate purposes and shall not be further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest or scientific or historical research purposes or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) ("purpose limitation").
  3. They are appropriate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimisation").
  4. It shall be accurate and, where necessary, kept up to date; all reasonable steps shall be taken to ensure the prompt erasure or rectification of personal data which are inaccurate in relation to the purposes of the processing ('accuracy').
  5. They shall be kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, provided that the personal data will be processed only for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with Article 89(1) and that appropriate technical measures are applied. Processed in a way that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

Archive of processing activities

Terre des hommes Hellas keeps a record of the processing activities for which it is responsible. This record includes all the following information:

  1. the name and contact details of the controller and, where applicable, the joint controller, the representative of the controller and the data protection officer,
  2. the purposes of the processing,
  3. a description of the categories of data subjects and categories of personal data,
  4. the categories of recipients to whom the personal data are to be or have been disclosed, including recipients in third countries or international organisations,
  5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards,
  6. where possible, the time limits laid down for the deletion of the various categories of data,
  7. where possible, a general description of the technical and organisational safety measures referred to in Article 32(1).

Protection of personal data

Taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, Terre des hommes Hellas applies appropriate technical and organisational measures in order to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR, adopting and implementing a holistic personal data security policy. When assessing the appropriate level of security by Terre des hommes Hellas, particular account shall be taken of the risks arising from the processing, in partiular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transmitted, stored or otherwise processed. In order to prevent the occurrence of a personal data breach, "Terre des hommes Hellas" as a controller has adopted and applies an anti-attack policy to the information systems it owns and manages, as well as a specific policy for the management of any personal data breach.

Staff training

"Terre des hommes Hellas" accepts that the protection of personal data requires the awareness of its human resources regarding the protection of personal data. In this direction, it accepts the adoption and implementation of the principle of due education orientation by exploiting the Fair Information Practices (Fair Information Practices-FIP), which encapsulate a set of standards governing the collection and use of personal data and addressing issues of privacy and accuracy. Terre des hommes Hellas seeks to raise awareness of basic concepts of personal data protection on the part of its human resources.

Information on the processing of personal data on Social Media

"Terre des hommes Hellas " has accounts in the following Social Media:

  1. Facebook: https://www.facebook.com/tdh.greece/
  2. LinkedIn: https://www.linkedin.com/showcase/terre-des-hommes-hellas/?viewAsMember=true
  3. Youtube: https://www.youtube.com/channel/UCLlM886AB9p5qPrf3goFd-g
  4. Twitter: https://twitter.com/tdh_greece

In the aforementioned media, our organization processes personal data (such as your user name and possibly your photo) in order to provide information about our activities and services and additional ways to contact you. In any case, we declare that we do not know and are not responsible for whether these Social Media further process personal data, whether they have additional processing purposes, whether they make transfers to third countries, whether they use processors and sub-processors, whether they carry out profiling and how they carry out the processing of personal data as a whole. We recommend that before you provide any consent, you consult the personal data protection policies of these Social Media. In case you take your own actions in uploading your photos to our pages on the above mentioned Media or additional personal data, you are responsible for the processing yourself. Due to the particular ease of sharing photos and other personal data on Social Media, we recommend that you use them while assessing the potential risks arising from their publication. Our organization does not and cannot exercise influence and control over the nature and extent of the personal data collected and held by social media platforms as a condition or result of their use and is not responsible for the collection and processing of personal data carried out by them. For more information on the purposes of the collection and further processing and use of personal data by the social networking platforms, as well as on the rights and arrangements available to protect your privacy and personal data, please consult the privacy policy of the respective social networking platform.

Suppliers' obligations

Our suppliers are counted as processors unless otherwise specified using a specific provision or other legal text that is not part of this policy. The choice of technical means or solutions for individual parts of this processing by the processor, of which he informs the controller, does not make him a Data Controller. However, in the event that the processor determines the purposes and means of processing in breach of this and the legislation, then he/she shall be deemed to be the controller for that processing and shall be liable for any damage caused by him/her. The purpose of processing is defined as the fulfilment of the terms of the commercial agreement between the 2 parties. The legal basis for processing is the performance of a contract in accordance with Article 6(1)(b) of Regulation 679/2016 EU. The EU will carry out individual processing operations of personal data [including but not limited to: access, but not search, not transfer, not dissemination, not modification, not erasure unless the controller so instructs], for the purpose of fulfilling obligations for the general purpose of fulfilling other commercial conditions. That is, the EU performs the above processing operations which are directly and exclusively related to the nature of its contractual tasks and not others, always in accordance with the instructions/instructions/directions of the controller to it. The EU is obliged to refrain from processing the data for purposes other than those mentioned above and from using them in any way for other purposes. EU processing operations are mainly automated but also non-automated. Duration of processing: processing by the processor takes place for the duration of the existing contract with the controller as well as in case of its legal extension. The EU declares and affirms that it is capable of carrying out the above processing operations in accordance with the requirements of the GDPR and other legislation, implementing all technical and organisational measures necessary to protect the personal data and the rights of the data subjects. The EU declares and guarantees that: α) Complies with its respective obligations under the General Data Protection Legislation. (b) Will remain in compliance throughout the duration of the Agreement and in the event of any extension of the Agreement.

The processor is obliged to:

  1. processes personal data only on the basis of the controller's instructions, observing the processing principles and the relevant processing file in accordance with Article 30 of the General Data Protection Regulation, which file is updated in every case of change of the information it must contain.
  2. not to disclose, communicate or give access to the personal data processed by him or her and the controller to any third party, not to entrust processing to a third party sub-processor or subcontractor without the prior written consent of the controller, subject to notification to the controller of a binding order or decision by a supervisory, governmental, fiscal or judicial authority, which the controller is obliged to notify the controller of immediately and in writing.
  3. promptly implement appropriate technical and organisational measures appropriate to the type of risk posed by the processing, design and implement proven technical measures to maintain confidentiality and secrecy on the part of its staff, security and protection procedures to protect personal data against accidental or unlawful destruction, erasure or accidental loss, alteration, unauthorised disclosure, use or access and any other unlawful form of processing;
  4. not to make unnecessary reproductions of copies of personal data in either physical or electronic form.
  5. implements the obligations by incorporating the principles of privacy by design and privacy by default at every stage of processing.
  6. accepts compliance audits (G.D.P.R. compliance audits) by the competent Personal Data Protection Authority as well as by the controller in relation to its obligations here.
  7. assists the controller in fulfilling the latter's obligation to respond to the data subjects' statutory requests and to notify him or her directly of any requests made to him or her without the controller himself or herself acting on his or her own initiative.
  8. inform the controller immediately if, in its opinion, any of its instructions infringes the GDPR or any other regulatory or legislative provision on data protection.
  9. inform the controller by all appropriate means immediately and in any event within 24 hours of any event (initial notification) which has led or may lead to a breach of confidentiality and data, whether or not the controller is responsible for it, providing the controller with sufficient information to enable it to comply with the requirements for notification of personal data breaches to a supervisory authority and/or Data Subjects. Following the initial notification, the EU shall prepare a breach report, which shall describe: α) The nature of the personal data breach, the type and cause of the leakage, b) The date and time it occurred or was detected, (c) Describe the paper records or electronic filing systems/software/database concerned, (d) The type, nature and categories of personal data that may have been intercepted or compromised; ε) Indicate the approximate number of personal data subjects affected, (f) describe the potential adverse consequences and risks for thee subjects, the controller to address the personal data breach, including, where applicable, measures to mitigate its possible adverse effects.
  10. cooperate with the controller and act on the controller's instructions in order to assist the controller in the investigation, mitigation and response to any personal data breach.
  11. comply with the above obligations in an active manner, maintaining a high level of alertness, awareness and attention, commensurate with the risks involved in the processing.

The processing of Personal Data carried out by the EU on behalf of the Data Controller takes place exclusively within the territorial limits of the European Union (EU) or the European Economic Area (EEA). Any transfer of data to a country that is not an EU or EEA Member State requires prior written notification by the EU (detailing the sending country, the type of data, the categories of data subjects affected) and the prior written consent of the Data Controller. Such transfer will be subject to compliance with the specific requirements regarding the transfer of personal data to countries outside the EU and the EEA under the Existing Legislation. In particular, the EU must ensure that in any case of transfer of personal data to a third country or international organisation, appropriate safeguards for the protection of personal data are in place and will inform in advance, in writing and in a timely manner, the controller of the necessity of such transfer in order to give the controller the opportunity to effectively object to it. The EU shall be responsible for the processing of personal data carried out by itself, its staff or its subcontractors or any of its employees. Such processing must be carried out in accordance with the terms of this document, in accordance with the instructions of the controller and the obligations of the performers arising from the GDPR, Law 4624/2019 and other relevant legislation. The EU, in the performance of the above duties, shall be fully liable for any fault of the EU, its staff, any sub-performers and its employees in general towards the controller and shall be obliged to fully compensate any damage, positive or consequential damage suffered by the controller, such as, but not limited to, damages and any other damage which the controller may have suffered as a result of acts and omissions of the processor and/or its employees, which is due to or connected directly or indirectly with the breach by the EU of the above. The IM or the EU shall be relieved of liability for damage if they prove that they are not responsible for the event giving rise to the damage. If the controller or the EU has paid full compensation for the damage caused, that controller or EU shall be entitled to claim from the other controller or EU involved in the same processing the recovery of a part of the compensation corresponding to the part of their liability for the damage caused. In the event that any party breaches this Agreement but no third party damage has yet occurred, the breaching party shall immediately take all lawful steps to remedy the breach and prevent its reoccurrence in the future, keeping a record of the overall handling of the incident. The organisation reserves the right to specify these terms and conditions as appropriate. In any case, however, they shall act as supplementary, are known and have been accepted by the supplier by appropriate and suitable means.

Amendment

This policy may need to be amended in relation to the processing of personal data. In the event that the modification of the terms in question is of such a nature and scope that it is not covered by the above data processing terms, Terre des hommes Hellas will publish the new version of the policy.