The purpose of this Personal Data Protection Policy (hereinafter “the Policy”) is to regulate the manner in which the Municipality of Agistri, Local Self-Governing Body (L.P.D.D.) based on Agistri Island and legally represented, respects and protects the personal data it keeps and processes in the context of its activities. In particular, this Policy aims at the understanding by the Administration and the staff of the Municipality (regardless of employment status), of the basic concepts and the framework of responsibilities involved in the management of personal data in accordance with the General Data Protection Regulation 679/2016/EU (hereinafter “the GDPR”), the national legislation, opinions, decisions and acts of the National Authority for the Protection of Personal Data (hereinafter “the GDPR”) and the adoption of lawful and correct personal data management practices, based on the provisions of this Politics.
The Personal Data Protection Policy is additionally subject to the notification of the data subjects to whom it is communicated in accordance with Articles 13-14 GDPR and consists of all the individual Policies of the Municipality of Agistri concerning:
A. The obligations, roles and responsibilities of the bodies of the Municipal Council and the staff of the Municipality of Agistri.
B. The Secure Personal Data Management Policy.
C. The Policy of Preservation and Destruction of Records.
D. The Policy of Correct Receipt, Management and Withdrawal of Consent.
E. The Data Subject Request Management Policy for the exercise of data subjects’ rights.
F. The Data Breach Incident Management Policy.
G. The Policy for the Use of Communication Media and Electronic Processing Media.
H. The Clean Office and Screen Policy.
The employees of the Municipality of Agistri are aware of the Policy and undertake to study it, to ask the Administration any questions they may have and to strictly observe the provisions of the Policy, throughout their work/employment in the Municipality of Agistri, regardless of status.
The provisions of this Policy must be fully complied with by its highest bodies, the Municipal Council and the employees of the Municipality of Agistri, regardless of rank, status or specialty, who are currently employed with employment contracts of a fixed or indefinite duration, the fully or partially employed staff, as well as any external partners as the case may be, who provide monthly services to the Municipality of Agistri, provided that they are employed in its facilities and/or on its behalf and process personal data held by the Municipality of Agistri in the context of the exercise of their duties.
The Municipality of Agistri undertakes to communicate this Policy to every present or new employee, partner, processing in accordance with the above and to ensure by any appropriate means their knowledge and commitment to the proper observance of the Policy and the practices described within , regarding the processing of personal data.
3. Basic Definitions – Principles of legal processing
3.1. The Municipality of Agistri is committed to respect and protect the personal data it collects and processes in the context of its activities, fully complying with the obligations arising from both the European and the internal Regulatory Framework for the protection of personal data. For the purposes of the proper implementation of the Policy, the Municipality of Agistri informs those obliged to comply with the Policy of the following definitions in accordance with the law:
“Personal data” (hereinafter “personal data”) is any information that refers to the data subject. Aggregated data of a statistical nature, from which the data subjects can no longer be identified, are not considered personal data.
“Sensitive data” or “special category data”, are data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, social welfare, sex life or sexual orientation, participation in associations / unions of persons related to the above, as well as related to criminal prosecutions or convictions. Genetic and biometric data are also included, with the aim of unambiguously identifying a person.
“Health data” is the information related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about the state of his health. Health-related data includes information about the natural person that is collected when registering for health services and when providing them. Such information may be a number, symbol or identity attribute assigned to a natural person for the purpose of fully identifying the natural person for health purposes, information resulting from examinations or analyzes of a body part or substance, including from genetic data and biological samples and any information, for example, about disease, disability, risk of disease, medical history, clinical treatment or the physiological or biomedical condition of the data subject, regardless of source, for example, from a doctor or other healthcare professional , hospital, medical device or in vitro diagnostic test.
“Data subject” is the natural person to whom the data refer and whose identity can be determined directly or indirectly, in particular on the basis of an identity number or on the basis of one or more specific elements characterizing his condition in terms of physical, biological, mental, economic, cultural, political or social.
“Processor”, the natural or legal person who determines the purpose and manner of processing personal data, in this case the Municipality of Agistri.
“Processor” is any natural or legal person who processes personal data on behalf of the Controller.
“Processing of personal data” is any operation performed on personal data, such as collection, registration, organization, retention or storage, modification, export, use, transmission, dissemination, association or combination, interconnection, binding, deletion, destruction.
“Profiling” is any form of automated processing consisting of the use of personal data to evaluate certain personal aspects of a natural person, in particular to analyze/predict aspects related to work performance, financial situation, health, personal preferences , the interests, credibility, conduct, location or movements of a natural person.
“Personal Data Breach” means a security breach that results in the accidental or malicious destruction, loss, alteration, unauthorized disclosure or access of transferred, stored or otherwise processed personal data.
3.2. Principles of legal processing of personal data:
Any processing of personal data by the Municipality of Agistri should obey the following principles in order to be considered lawful and meet the requirements of the GDPR and the national legislative framework for data protection:
- The data is lawfully and legitimately processed in a transparent manner in relation to the data subject (under the principles of “lawfulness, objectivity and transparency”),
- They are collected for specified, express and lawful purposes and are not further processed in a manner incompatible with those purposes; further processing for archival purposes in the public interest or for scientific or historical research or statistical purposes is not considered incompatible with the original purposes (” purpose limitation’),
- They are appropriate, relevant and limited to what is necessary for the purposes for which they are processed (“data minimization”).
- It is accurate and, where necessary, updated; all reasonable steps must be taken to promptly delete or correct personal data that is inaccurate, in relation to the purposes of the processing (“accuracy”).
- They are kept in a form that allows the identification of the data subjects only for the period necessary for the purposes of the processing of the personal data; the personal data may be stored for longer periods, as long as the personal data will be processed only for the purposes archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes, as long as appropriate technical and organizational measures are applied to safeguard the rights and freedoms of the data subject (“restriction of the storage period”).
- They are processed in a way that guarantees the appropriate security of personal data, including their protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
4. Legal bases for processing personal data
Any processing of personal data takes place by the Municipality of Agistrio in the context of its purposes and activity based on the provisions of the Legislation governing its operation and organization, the Code of Municipalities and Communities as well as the general regulatory framework governing Local Government Organizations (OTA), should be based on a legal processing basis.
The purposes for which the Municipality of Agistrio processes personal data are the following:
- The receipt and control of all kinds of requests submitted by citizens/municipalities addressed to the various services of the Municipality as well as their transmission to other competent services.
- The issuance and granting of certificates and certificates to the citizens/municipalities by the relevant department of the Municipality.
- Licensing (as well as license renewal) of shops-businesses of health interest, nurseries, etc.
- The diligence and processing of all issues related to the employment relationship of the Municipality staff (recruitment, verification of the authenticity of academic qualifications, keeping attendance records, maintaining work files, promotion, retirement, granting of permits, payroll, termination of the employment relationship, etc.).
- The management of personal data for the implementation of the voluntary programs of the Municipality
- The conduct of auctions, tenders, and the legitimate collection of offers and selection of suppliers in accordance with the law
- The servicing of the contractual relationship with the suppliers and their payment in compliance with the contractual obligations of the Municipality.
- The compilation of lists (financial debts, budget, balance sheet) in the context of the responsibilities and activities of the Municipality.
- The posting on the “DIAVGEIA” online platform – for reasons of transparency – of personal data of contractors, project contractors as well as the decisions of the Board of Directors of the Municipality.
- The evaluation of the staff working in the Municipality..
- The drawing up of proposals for the purpose of imposing fines for any violation concerning shops of health interest.
- The compilation and editing of a telephone directory for the purpose of communication of the employees of the Municipality with other public services.
- The management of personal data in the context of the responsibilities of the Town Planning Service as well as the Cleaning Service of the Municipality.
- The receipt and promotion of complaints submitted by citizens/municipalities on issues related to the responsibilities-activities of the Municipality’s services.
- The receipt, management and record keeping of requests – complaints submitted through the online service as well as through the call center
- The preparation of a consolidated list of invoices, the preparation and editing of the payment orders of the suppliers.
- The granting of social and welfare benefits upon corresponding request from the beneficiaries.
- The promotion and highlighting of the actions of the Municipality, through the filming and the observance of audio-visual material of the events – activities held each time.
- The operation of the school board and the management of data within the framework of its responsibilities – actions.
- The defense of the legal interests and rights of the Municipality before the courts (e.g. planning disputes, asserting claims, etc.).
- The management of electronic and paper correspondence. The drawing up and posting of property status statements (“pothen esches”) of the elected bodies of the Municipality.
- The determination and collection of municipal fees as well as the acceleration of the payment process in case of third party debts to the Municipality.
- The Diligence and processing of submitted Naturalization applications. The maintenance, curation and drafting of the Enlistment Lists, the editing of the process of sending the Enlistment Lists to the Conscription Service and the processing of the Enlistment Search Process.
- The preparation and updating of the electoral rolls.
- The management of data within the competences of the Registry Office.
- The management, editing and processing of submitted requests for certification of all types of Registry Facts from the Prosecutor’s Office, the Insurance Funds, the conscription and the various public services.
The legal bases of processing according to the GDPR are as follows:
A. The consent of the data subject for one or more purposes.
B. The execution of a contract, to which the subject is a contracting party, or the taking of measures at the request of the data subject in the pre-contractual stage.
C. Compliance with a legal obligation of the data controller.
D. Safeguarding the vital interest of the data subject or other natural person.
Ε. The fulfillment of a duty performed in the public interest or in the exercise of public authority by the Controller.
F. The fulfillment of legitimate interests of the Controller or third parties, provided that these interests are overridden by the interest or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular if the data subject is a child.
The legal bases for processing sensitive personal data are as follows:
A. The subject’s express consent for one or more specific purposes.
B. The execution of the obligations and the exercise of specific rights of the controller or the data subject in the field of labor law and social security and social protection law, if permitted by Union or Member State law or by collective agreement in accordance with national law providing appropriate guarantees for the fundamental rights and interests of the data subject.
C. The protection of the vital interests of the data subject or other natural person, if the data subject is physically or legally unable to consent.
D. The processing in the context of the legal activities of an institution, organization or other non-profit organization with a political, philosophical, religious or trade union objective and provided that the processing concerns exclusively the members or former members of the organization or persons who have regular communication with it in relation to its purposes and that personal data are not shared outside the specific entity without the consent of the data subjects.
Ε. The processing of manifestly publicized personal data.
F. The establishment, exercise or support of legal claims or when the courts act in their jurisdictional capacity.
G. Processing for reasons of substantial public interest, which is proportionate to the intended objective, respects the essence of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.
H. The processing for the purposes of preventive or occupational medicine, assessment of the employee’s ability to work, medical diagnosis, provision of health or social care or treatment or management of health and social systems and services or pursuant to a contract with a health professional.
I. Processing for reasons of public interest in the field of public health.
J. Processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes which are proportionate to the intended objective, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard fundamental rights and of
interests of the data subject.
The Municipality of Agistri collects and processes personal data based on the fulfillment of duties deriving from the public interest, compliance with its legal obligations, servicing of its contractual relationships, as well as the consent of the data subjects.