1.INTRODUCTION
In the European Union, the General Data Protection Regulation – Regulation (EU) 2016/679 (hereinafter referred to as the “GDPR”) has been in effect since 25 May 2018, as it was incorporated into Greek law by Law 4624/2019 (Government Gazette A’ 137). For the text of the Regulation, you can visit the following URL: https://eur-lex.europa.eu/legal-content/EL/TXT/?uri=CELEX:32016R0679.

This Data Protection Policy (hereinafter referred to as the “Data Policy” or “DPP”) concerns the website of the Non-Profit Civil Company “UNITY IN PHILIA”, located at Zalokosta 8, Athens, Attica, Postal Code 106 71 (hereinafter referred to as “The Company”). The Company is the creator and holder of all rights to this website, with the domain name: https://unityinphilia.gr/.

The Company places particular importance on the protection of personal data, including that of individuals visiting its website. For this reason, it has developed this Data Protection Policy to inform the aforementioned individuals about the ways in which their personal data is collected, used, and further processed.

This website may include links to other websites, which are the responsibility of third parties (natural or legal persons) and are not under the supervision, management, or oversight of the Company. Additional websites may be added in the future, for the terms of protection and management of personal data of which the Company bears no responsibility.

2. DEFINITIONS FOR PERSONAL DATA
(Note: The definitions follow Article 4 of the GDPR)
“Personal Data”: any information through which an identifiable natural person (“Data Subject”) can be identified.

“Processing”: any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Data Controller”: the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data and in this case, the Company.

“Processor”: the natural or legal person, public authority, agency or other body that processes personal data on behalf of the Data Controller.

“Data Subject”: the natural persons for whom the Data Controller collects and processes personal data (in this Data Policy, Data Subjects are the users of the Foundation’s website, donors, volunteers, suppliers/partners, employees, and all parties concerned and third parties – visitors of the website).

“Recipient”: the natural or legal person, public authority, agency or other body to whom the personal data are disclosed, whether a third party or not.

“Third Party”: any natural or legal person, public authority, agency or body, except the data subject, the data controller, the processor and the persons who, under the direct authority of the data controller or the processor, are authorised to process personal data.

“Consent”: of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

3. COLLECTION OF PERSONAL DATA
When a visitor/user visits the Company’s website and provided that
(i) they interact with it, or
(ii) fill in standard communication web pages (forms), or
(iii) express interest in providing voluntary work,
(iv) communicate with the Company to inform about making a donation.
the following information is collected:

Identification Name and surname collected through the standard communication page (form) and the application expressing interest in providing voluntary work, Gender and age collected through the application expressing interest in providing voluntary work.Contact details: Email address collected through the standard communication page (form) and the application expressing interest in providing voluntary work, Mobile phone number collected through the application expressing interest in providing voluntary work.Other data necessary for the issuance of donation certificates: Tax Identification Number (TIN), Tax Office, and other data deriving from transaction receipts, sent electronically by the respective donor to the Company for the issuance of the relevant certificate.Further Personal Data: Any personal data you voluntarily disclose in messages addressed to the Company through this website.Additionally, automated information may be collected such as:– the user’s online address (IP address). The IP address is determined by the provider of the connection through which the visitor/user accesses the internet and subsequently the website. The IP address and other information that may be inferred from it (for example, the user’s location – at city level) are retained only under the conditions of the law,– the type of browser and the operating system,– the websites and links chosen by the user (by “clicking”) within the page,– the basic connection information with the server,– information collected through software such as “HTML cookies”, “Flash cookies”, “web beacons” and other similar technologies.

4. PURPOSE OF PROCESSING PERSONAL DATA
The personal data collected by the Company aim to fulfill the following purposes:
a) to fulfil its statutory purposes,
b) to provide information regarding its operation and, in general, its promotion,
c) to extract statistics regarding the use of this website.
Specifically, the personal data collected from the Company’s website and stored in the relevant database are intended to be used for the purposes stated above, that is for:

responding to requests/inquiries submitted through the standard communication web pages (forms),processing applications expressing interest in providing voluntary work,issuing donation certificates,managing the website and any form of communication.For the purpose under (1), the legal basis for processing is taking steps at the pre-contractual stage and the execution of a contract, compliance with a legal obligation, and fulfilling the purposes of the Company’s legitimate interests depending on the nature of the request/inquiry submitted.For the purpose under (2), the legal basis for processing is taking steps at the pre-contractual stage and the execution of a contract.For the purpose under (3), the legal basis for processing is the execution of a contract and compliance with the Company’s legal obligations.For the purpose under (4), the legal basis for processing is the fulfilment of the legitimate interests of the Data Controller consisting of the proper functioning of its website and consequently the adequacy of its online presence.

5. RECIPIENTS OF DATA AND PURPOSE OF TRANSMISSION
The personal data of users of the Company’s website are transmitted to its partners and/or subcontractors but always under conditions that fully ensure that the personal data of the Data Subjects are not subject to any unlawful processing, that is other than the purpose of transmission. The main recipient of the personal data of users is:

  1. a) The sole proprietorship “GRAPSAS GEORGIOS” (Headquarters – BYRONOS 70 – 26224 PATRA – Contact Phone +30 697 435 5761) gains access to data of users visiting the Company’s website in the context of the services provided by it, which consist of the development, maintenance, and hosting of this website. This Company processes personal data on behalf of the Company (acting as the Processor, as defined in Article 4, paragraph 8 of the GDPR) based on a contract entered into with it, providing adequate assurances for the implementation of appropriate technical and organisational measures, in such a way that the processing it performs meets the requirements of the GDPR and the relevant data protection legislation.

Personal data of users collected through the standard pages (forms) of this website may, depending on the nature of each submitted request/inquiry, be transmitted to supervisory, independent, judicial, prosecutorial, public or other authorities or bodies or parties.

6. MAINTAINING CONFIDENTIALITY
Access to the personal data of users of this website is granted to designated personnel of the Company, who are committed to maintaining confidentiality and privacy. At the same time, unauthorized access is prohibited. Also, the Processors acting on behalf of the Company have agreed and are contractually bound to maintain confidentiality, not to disclose personal data to third parties without the Company’s permission, to take appropriate security measures and to comply with the legal framework for the protection of personal data, subject to the application of relevant legal provisions and to the competent authorities only.
The Company will not transfer personal data of users to a third country or an international organisation unless the specific conditions of Articles 44 et seq. of the GDPR are met.
The website may offer the possibility to share users’ actions on Social Networks and other related tools. The use of such additional/tools allows the exchange of information with the users’ friends or the general public, depending on the settings they have defined in their personal account (“profile”). Users/visitors are encouraged to refer to the privacy policies of the individual social networking services for more information on how they handle their data.

7. TRANSFER AND STORAGE OF PERSONAL DATA
Any transfer or transmission of the personal data of the Data Subjects is carried out via electronic systems and the data are transferred in encrypted form.
The data are stored on servers of providers in Greece.

8. RIGHTS OF DATA SUBJECTS
The Company, as Data Controller, fully complying with the provisions of the GDPR, satisfies and facilitates the exercise of the following rights of Data Subjects:

8.1. The Data Subject has the right to be informed about the collection and use of their personal data.

8.2. Data Subjects have the right to receive, at any time, information from the Company regarding whether it is processing their personal data and, in the affirmative case, may request to be informed about the purpose of the processing, the type of data being processed, the recipients of these data, the retention period, and whether automated decision-making occurs. Additionally, Data Subjects will be granted access to such personal data without undue delay.

8.3. The Data Subject has the right to request the Company to rectify inaccurate or outdated personal data concerning them. They also have the right to request the completion of incomplete personal data, including through a supplementary statement. Furthermore, the Company undertakes the obligation to notify every rectification of personal data to each recipient to whom the personal data were disclosed, unless this proves impossible or involves a disproportionate effort. The Company undertakes the obligation to inform the Data Subject about such recipients, if requested.

8.4. The Data Subject has the right to request the Company to erase personal data concerning them if they are no longer necessary for the purposes of processing mentioned above and under the conditions of Article 17 of the GDPR.

8.5. The Data Subject is entitled to request the Foundation to restrict the processing of personal data concerning them. If the processing of personal data is restricted, the said personal data, apart from storage, shall only be processed under specific exceptions.

8.6. Right to data portabilityThe Data Subject has the right, under the conditions of Article 20 of the GDPR, to receive the personal data concerning them which they have provided to the Company in a structured, commonly used, and machine-readable format.

8.7. Right to objectThe Data Subject is entitled to object at any time and for reasons related to their particular situation to the processing of personal data concerning them, under the conditions of Article 21 of the GDPR. Once the right to object is exercised, the personal data shall no longer be processed, unless it is demonstrated that there are legitimate and compelling grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defence of legal claims. The Company ensures that if the Data Subject objects to the processing of data concerning them, the said data will no longer be processed unless it demonstrates that there are compelling and legitimate grounds for the processing that override the interests and rights of the Data Subject.

8.8. Automated individual decision-making, including profilingThe Company is not currently engaged in automated individual decision-making. However, should it decide in the future to engage in automated individual decision-making, the Data Subject has the right to object to a decision based solely on automated processing, including profiling, when that decision produces legal effects concerning them or significantly affects them.

9. SATISFACTION OF RIGHTS
Overall, the Company ensures that:
Procedures are in place that allow for the easy exercise of Data Subjects’ rights, so that all necessary actions are initiated immediately.
It will respond to any request submitted by the Data Subject without undue delay and in any case no later than thirty (30) calendar days. If it is unable to satisfy any exercised right by the Data Subject, the Company will ensure that a specific, adequate, and complete justification is provided.
Except in the cases of manifestly unfounded or excessive requests, all actions regarding the satisfaction of the rights of Data Subjects will be carried out free of charge.
The Company retains and processes personal data for the purposes mentioned above for as long as is dictated by the purpose for which they were collected, based on the Company’s terms of use or under applicable legislation, and in any case for as long as the Company exists.
If Data Subjects believe that the processing of their personal data violates the applicable regulatory framework for the protection of personal data, they have the right to lodge a complaint with the Data Protection Authority (Postal Address: Kifisias Avenue 1-3, Postal Code 115 23, Athens, Tel: 210.6475600, Email address: contact@dpa.gr).

 

10. AMENDMENT OF THIS POLICY
The Company reserves the right, when deemed appropriate, to amend this Policy, either in whole or in part, at its sole discretion and to post such amendment on this website. Any amendment to this Policy will take effect immediately upon its posting on the Company’s website. Users are advised to consult this Policy periodically to ensure they are aware of the most recent version.

11. CONTACT

For any questions regarding this Policy, users can send us an email at info@unityinphilia.gr.