Privacy Policy
Privacy Policy
1. Purpose, Scope
PASS makes every effort to comply with the legislation related to the Protection of Personal Data in the sector in which it operates. This Policy sets out the basic principles by which PASS processes the personal data of customers, employees, suppliers, partners and other persons. This Policy applies to PASS and its directly or indirectly controlled subsidiaries based in Greece. All employees, whether permanent or fixed-term, as well as all subcontractors working on behalf of PASS are bound by this Policy.
2. Key Definitions
The following are the key definitions of the terms used in this document, as set out in Article 4 of the General Data Protection Regulation, in order for the data subject to familiarise himself with the terminology of the Regulation:
Personal Data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
Personal Data of special categories: Personal data which are by nature particularly sensitive in relation to fundamental rights and freedoms need special protection, as the context of their processing could create significant risks for fundamental rights and freedoms. This personal data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of indisputable personal identification, data relating to health or data relating to a natural person’s sex life or sexual orientation.
Controller: the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of personal data processing.
Processor: the natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller.
Processing: any operation or series of operations carried out with or without the use of automated means, on personal data or sets of personal data, such as collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, information retrieval, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction.
Authority: The Personal Data Protection Authority
3. Basic principles concerning the Processing of Personal Data
PASS as a data controller strictly adheres to the data protection principles set out in Article 5 of the General Data Protection Regulation.
3.1. Lawfulness, Objectivity and Transparency
PASS processes personal data lawfully, objectively and transparently towards data subjects.
3.2. Purpose limitation
Personal data is collected only for specific, explicit and legitimate purposes and is not processed for any other purpose.
3.3. Data minimization
PASS keeps accurate personal data of the subjects and ensures that their retention is limited to what is necessary in relation to the purposes of the processing. At the same time, it implements appropriate technical measures in order to achieve the above objectives.
3.4. Accuracy
The personal data held by PASS are accurate and up to date. Steps are taken to ensure that personal data that are inaccurate, regarding the purposes for which they are processed, are erased or rectified within a reasonable time.
3.5. Limitation of the Storage Period
Personal data is kept for no longer than is necessary for the purposes for which PASS processes them.
3.6. Integrity and confidentiality
Taking into account the technological level and other available security measures, the cost of implementation, as well as the likelihood and severity of the risks to personal data, PASS uses appropriate technical or organizational measures for the processing of Personal Data, in a manner that guarantees the appropriate security of personal data and their protection against accidental destruction, loss, damage, unauthorized or unlawful processing.
3.7. Accountability
PASS is responsible for and is able to demonstrate compliance with the General Data Protection Regulation to the competent Personal Data Protection Authority.
4. Privacy Notice, Consent and Rights of Data Subjects
4.1. Notice to Data Subjects
Before or during the collection of personal data for any processing activity undertaken by PASS, including but not limited to the sale of products, services, or marketing activities, PASS is responsible for providing appropriate information to data subjects, specifically regarding the types of personal data collected, the purposes of processing, processing methods, data subjects’ rights in relation to their personal data, the retention period, any international data transfers, whether personal data is provided to third parties in the context of cooperation, and PASS‘s security measures for personal data protection. This information is provided through the Privacy Notice.
4.2. Consent – Free Withdrawal
When the collection of personal data has the data subject’s consent as its legal basis, PASS is responsible for ensuring that data subjects provide their consent freely, by a clear affirmative action, explicitly, and with full knowledge of the content of the text to which they consent. PASS provides data subjects with the ability to withdraw their consent at any time. Where personal data of children under 16 years of age is collected, PASS ensures that parental consent has been given prior to collection. The processing of personal data must only be for the purpose for which it was originally collected. If PASS wishes to process collected personal data for another purpose, it must seek the consent of the data subjects in an explicit and specific written manner. Any such request must include the original purpose for which the data was collected, as well as the new or additional purpose(s).
4.3. Collection
PASS makes every effort to ensure that the number of personal data collected is as minimal as possible. If personal data is collected from a third party, PASS ensures that such data is collected lawfully.
4.4. PASS‘s Relationship with Third Parties
In cases where PASS uses a third-party supplier or business partner to process personal data on its behalf, it ensures that the processor will provide appropriate security and personal data protection measures to address potential associated risks. PASS makes every effort to ensure that its suppliers or business partners process personal data only for the fulfillment of their contractual obligations towards PASS, always in accordance with its instructions and for no other purpose.
4.5. Data Subjects’ Access Rights
PASS, as the Controller, is responsible for providing data subjects with a mechanism to access their personal data, which will also allow them to review, correct, delete, or transfer it.
4.6. Data Portability
Data Subjects have the right to receive, upon request, a copy of the data they have provided to PASS in a structured format and to transfer this data to another controller. PASS is responsible for ensuring that these requests are processed within one month, provided that these requests are not manifestly unfounded. When exercising the right to data portability, the data subject has the right to request the direct transmission of personal data from one controller to another, if technically feasible.
4.7. Right to Erasure (‘Right to be Forgotten’)
Upon request, Data Subjects have the right to ask PASS to erase their personal data. PASS will immediately take the necessary actions (including technical actions) to satisfy the request and will ensure the same from any third parties that use or process personal data on its behalf.
4.8. Right to Object
The Data Subject has the right to object at any time to the processing of personal data concerning them, including profiling.
4.9. Right to Restriction of Processing
Upon request, Data Subjects have the right to ask PASS to restrict the processing of their data in accordance with Article 18 § 1 a-d of the General Data Protection Regulation (EU) 2016/679.
4.10. Method of Exercising all Data Subjects’ Rights and Withdrawal of Consent
The Data Subject exercises their rights and withdraws their consent by submitting a written request to the company PASS. The Data Subject may also freely withdraw their consent without affecting the lawfulness of processing based on that consent before its withdrawal. By sending a written request/letter or email to: info@pass.edu.gr
The Controller of the data subject’s personal data is PASS, based at Anogeion 73, PC 184 50, Nikaia, Greece.
The data subject may also contact the Hellenic Data Protection Authority at the following details: www.dpa.gr, email: contact@dpa.gr, telephone: 210 6475600, Address: Kifisias Ave 1-3, P.C. 115 23, Athens
5. Response to Personal Data Breach Incidents
When PASS becomes aware of a potential or actual personal data breach, it will immediately conduct an internal audit and take appropriate remedial measures within a reasonable timeframe, in accordance with the Personal Data Breach Policy. Where there is a risk to the rights and freedoms of data subjects, PASS must notify the Authority of the breach without undue delay and, in any case, within 72 hours.
6. Contact
If you still have any questions or require any clarification regarding the processing of your personal data by PASS, please contact us and PASS will be happy to assist you promptly.
Data Protection Officer
You can contact the Data Protection Officer of PASS for issues concerning the processing of your personal data via email at: dpo@pass.edu.gr