Privacy Policy
Privacy Policy of the Agricultural University of Athens under the General Data Protection Regulation (EU) 2016/679
1. Introduction - Preamble
As part of the University's compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), this Privacy Policy on the processing of personal data has been drawn up. In addition to the above General Regulation, this Policy took into account the provisions of Law 4624/2019, Law 3471/2006 on the protection of personal data and privacy in the field of electronic communications and the guidelines, opinions and decisions of the Hellenic Data Protection Authority (DPA).
The purpose of this document is to delineate the general principles regarding the processing of personal data by the Agricultural University of Athens (hereinafter: the University). The Protection Policy aims to contribute to the correct implementation of the GDPR by clarifying and specifying the obligations arising from it for the University, taking into account its specific higher education characteristics.
This text reflects and strengthens the fundamental principles of the processing of personal data and creates a transparent framework, which should be respected by all stakeholders of the University. Furthermore, it is the basis for the processing of data by the University's employees (administrative, academic and other teaching staff) while it also helps each new employee or associate in general to understand the environment in which they must be integrated and the general culture of cooperation, regarding the protection of personal data that will be processed in each activity.
2. Definitions
Personal Data: Any information concerning a natural person, who is either identified or identifiable, i.e. whose identity can be directly or indirectly verified.
Data Subject: The natural person to whom the personal data concern.
Processing of personal data: Any operation carried out on personal data. Indicatively, collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction are all considered processing of personal data. Under the General Data Protection Regulation, therefore, even the mere collection or storage of personal data constitutes processing.
Controller: The person or entity that determines the purposes and manner of processing personal data.
Processor: The person or entity that processes personal data on behalf of the controller.
Data subject's consent: Any indication of intent by which the data subject indicates that he or she agrees, by a statement or by a clear affirmative action, to the processing of personal data concerning him/her.
Recipient: the natural or legal person, public authority, agency or other body, to whom the personal data are disclosed, whether it is a third party or not. However, public authorities requesting to receive data in the context of a specific investigation, in accordance with EU or Member State law, are not considered recipients.
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, personal data processed in any way.
3. Scope
2.1 The General Data Protection Regulation covers all educational and administrative structures of the University and the legal entities controlled by it (e.g. the University Property Management and Development Company).
2.2 The General Regulation applies to the processing of personal data, which are included or are to be included in a file, regardless of whether this system is computerized or not.
2.3 The General Regulation does not apply to the processing of personal data, when it concerns exclusively personal/family activity of professors and employees of the University, without connection to the University.
3. Basic Principles of Processing
3.1 The University processes personal data in accordance with Article 5 of the GDPR. Such processing is governed by lawfulness and transparency, purpose limitation, data minimisation, accuracy and keeping data up to date, defined retention periods, integrity, confidentiality and accountability.
3.2 In particular, any processing of personal data by the University must follow these principles:
a. Principle of lawfulness, fairness and transparency
The data must be processed lawfully and fairly, in a transparent manner in relation to the data subject. In other words, the subject must know what data is being collected about him or her. Transparency requires that the information given to the subject be concise, easily accessible and understandable, in clear and plain language.
b. Purpose limitation principle
The data must be collected for specified, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes.
c. Principle of proportionality – data minimisation
The data must be adequate, relevant and limited to what is necessary for the intended processing purposes. Their processing should be kept to the minimum required.
d. Principle of data accuracy
The data must be accurate and up to date, and appropriate measures must be taken to promptly rectify or erase inaccurate data in relation to the intended purposes of processing.
e. Principle of integrity and confidentiality
The data must be processed in a way that guarantees its security and protection against unlawful processing, loss, destruction or damage.
f. Principle of limiting the duration of processing (storage limitation)
The data must be kept in a form that allows identification of data subjects only for as long as is necessary to achieve the purposes of the processing.
g. Principle of controller accountability
The controller is responsible for, and must be able to demonstrate, compliance with the Regulation before supervisory authorities and courts.
4. Purposes of Processing
The University ensures that the processing of personal data is carried out for specific purposes, which are determined by the University in the context of its activity. These purposes are determined by the institutional framework under which Universities operate, and in this case the Agricultural University of Athens as well (Law 4957/2022). The legal basis for each processing carried out by the University is also determined by the University in such a way that the legitimate interests and freedoms of natural persons are not unduly affected.
5. Legal bases for processing
5.1 The legal bases for the processing of personal data by the University are the following:
- exercise of public authority
- public interest
- compliance with a legal obligation
- performance of a contract
- consent of the natural person, where required
- protection of a vital interest
Where the University processes special categories of personal data, the processing is based on one of the following: the establishment, exercise or defence of legal claims; the performance of obligations or the exercise of rights under labour law and social security and social protection law; the purposes of preventive or occupational medicine, the assessment of an employee's working capacity, medical diagnosis, the provision of health or social care or treatment, or the management of health and social systems and services, under law or under a contract with a health professional bound by professional secrecy; archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1); the vital interests of the natural person (where the person is incapable of giving consent); or the public interest.
For the fulfilment of the above processing purposes, personal data is collected by AUA personnel.
Personal data is collected during the submission of student registration declarations and of applications (by students, professors, employees or collaborators of the AUA), at the conclusion of contracts or of any other legal relationship. Personal data may also be collected through the use of the AUA website or its electronic means and communication programs, through participation in a research project, or through participation in a University event.
5.6 Personal data collected by the AUA:
- identity card data
- demographic data (gender, nationality, date and place of birth, etc.)
- contact details (home address, telephone number, e-mail)
- tax and financial data (tax identification number (AFM), tax office (DOY), individual income, property status)
- students' grades
- CVs of students, graduates, candidate associates, ELKE contract holders, etc.
- data relating to the qualifications of administrative, academic and research staff
- marital status data (marriage, number of children, etc.)
- social security data (AMKA)
- medical data (medical history, medical opinions, medical certificates)
- data from the use of electronic services (electronic user identification data, cookies, Google Analytics, Internet Protocol addresses, etc.)
6. The consent of natural persons
6.1 During the process of obtaining consent from the personal data subject, the University takes care of the following:
- consent to be freely given, with a clear positive action, for each processing purpose separately and to be specific, explicit and in full knowledge;
- consent to be given in any appropriate way that allows proof of the manifestation of the will of the subject, taking into account the principle of proportionality;
- consent not to be subject to conditions or restrictions, and
- consent must be accompanied by appropriate information for the processing of personal data of the natural person.
6.2 The consent text should include the following points:
- Name of the Data Controller and the Joint Controllers (where applicable). In the case of processing activities of the University, the Data Controller is the University.
- Purpose(s) of the processing of the personal data collected in each case
- Legal basis for the processing of personal data
- The type of personal data collected in the context of the processing purpose
- Period of retention of the personal data or the criteria determining that period
- Information on the right to withdraw consent and how to withdraw it
- Reference to the possibility for the natural person to make a request regarding the following personal data rights: access and rectification or erasure of data, restriction of processing or right to object to processing, right to data portability, right to withdraw consent at any time, as well as the right to lodge a complaint with the supervisory authority
- Data recipients (e.g. Ministry of Education and Religious Affairs) or general categories of potential recipients of personal data (e.g. public authorities). In the event that it is a critical recipient for the processing, the information is provided by name
Silence, pre-ticked boxes or inaction of the natural person do not constitute valid consent.
The University keeps records of consents and monitors their validity or possible withdrawal by natural persons.
The withdrawal of consent does not affect the lawfulness of the processing based on the consent prior to its withdrawal.
7. Information provided to natural persons
7.1 The University ensures that natural persons are adequately informed about the processing of their data and in particular that they receive the following information:
- the identity and contact details of the University, as a data controller,
- the contact details of the Data Protection Officer (DPO),
- the purposes of the processing, for which the personal data are intended, as well as the legal basis for the processing;
- if the processing is based on Article 6(1)(f) of the GDPR, the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data, if any;
- the intention of the controller to transfer personal data to a third country or international organisation and the existence or absence of appropriate safeguards for the transfer;
- the period for which the personal data will be stored or, where this is not possible, the criteria determining that period;
- the existence of the right to request to the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, as well as the right to data portability;
- where the processing is based on the consent of the natural person, the existence of the right to withdraw his or her consent at any time, without affecting the lawfulness of the processing based on the consent prior to its withdrawal;
- the right to lodge a complaint with a supervisory authority, and
- whether the provision of personal data constitutes a legal or contractual obligation or requirement for the conclusion of a contract, and whether the data subject is obliged to provide the personal data and what the possible consequences of not providing such data would be.
7.2 Information to natural persons is provided in any appropriate way prior to any processing of personal data, such as, indicatively, by means of an information form, an e-mail, a contract, an annex with terms of personal data processing, etc. The University has adopted and implements a procedure regarding the updating and adaptation of the information it provides to natural persons.
8. Recipients of personal data of natural persons
8.1 The main recipients of the personal data of the natural persons processed by the University are:
- employees of the University who are responsible for the performance of a specific task,
- public services and public bodies, such as supervisory authorities, e.g. Ministry of Education and Religious Affairs, Ministry of Finance, Court of Auditors, ASEP, Diavgeia, National Printing Office, State Scholarship Foundation, etc.,
- associates to whom the University assigns the execution of tasks or projects on its behalf, such as software development and support companies, etc.,
- banks,
- third parties collaborating with the University, research institutions or other bodies of the public or private sector, in the context of research programmes carried out through the Special Account for Research Funds (ELKE),
- European Union bodies (e.g. Erasmus).
The University ensures, where possible, that all appropriate technical and organisational measures are taken and implemented by the recipients of the data it processes. Where the University outsources processing to a third party, i.e. a processor, the processor must provide sufficient guarantees, in particular in terms of reliability and resources, of technical and organisational measures appropriate to the processing entrusted to it. The processor is contractually bound to the University for the lawfulness of the processing it carries out.
The University acts as a joint controller with other bodies for specific processing. In this case, the University determines the purposes and means of the processing together with the other body.
9. Rights of natural persons
9.1 The University ensures that natural persons can exercise the rights regarding the processing of their data provided for in the GDPR, and that requests are satisfied within the statutory deadlines. The University grants natural persons the following rights in relation to the processing of their data:
(a) Right of access:
The University informs the natural person whether or not it processes personal data concerning him or her. The natural person has the right to be informed about the categories of data being processed (e.g. basic data, financial data, unique identifiers), the purpose of the processing (e.g. student management in the context of an educational programme), the categories of recipients (e.g. public bodies), any transfer of data to an international organisation or a non-EEA country, the source of the data (e.g. directly from the natural person or from a third source such as public authorities), the right to submit a request to the University for the rectification or erasure of personal data and/or restriction of processing concerning the natural person and/or the right to object to such processing, and the right to lodge a complaint with the DPA. The natural person is entitled to request a copy of the above personal data. The University reserves the right not to satisfy the right of access where it is established that the information sought is not directly related to the natural person making the request.
(b) Right to rectification:
The University satisfies the right to rectify personal data, at the request of the natural person, in order to keep his/her physical and electronic record up-to-date. Depending on the purpose of the processing, natural persons may be asked to provide the necessary information for the full documentation of the updating of personal data.
(c) Right to erasure:
The University satisfies the right of natural persons to have their personal data deleted, provided that:
- the personal data is no longer necessary for the specific purposes for which it was collected;
- the natural person validly withdraws his/her consent and there is no other legal basis for the processing;
- the personal data whose erasure is requested has been unlawfully processed;
- there is no legal obligation on the University under EU or national law to retain the data;
- the data is not needed for the establishment, exercise or defence of legal claims of the University, or for rebutting existing or potential legal claims of the natural person or third parties against the University;
- the data is not processed for archiving purposes in the public interest; and
- the data is not processed for scientific or historical research purposes or statistical purposes, insofar as erasure would be likely to make it impossible to achieve those purposes, and provided the data is anonymised.
If the conditions for deletion of personal data are met, the University proceeds with the deletion of its physical and electronic files, while in case of transmission of personal data to recipients outside the University, the latter are informed by the University about the deletion from their file.
(d) Right to restriction of processing:
The University satisfies the right to restriction of processing in cases where:
- the accuracy of the data is disputed by the natural person and for as long as it is necessary for the University to verify the accuracy of the data;
- the processing is unlawful and the natural person does not wish to have their data deleted, despite the restriction of their use;
- the University no longer needs specific personal data, except for the establishment, exercise or support of legal claims;
- the natural person exercises the right to object, pending verification of whether the University's legitimate grounds override those of the natural person.
The University shall notify any restriction of the processing of personal data to any recipient to whom the personal data has been disclosed, unless this proves impossible or involves a disproportionate effort.
(e) Right to portability:
The University satisfies the right to the portability of personal data to another controller, at the request of the natural person in a structured, commonly used and machine-readable format. The University assesses the risks involved in portability and takes measures to mitigate them.
(f) Right to object:
The University satisfies the right of the natural person to object to the processing, at any time and for reasons related to the particular situation of the natural person. Once this right has been exercised, the University will no longer process such data, unless it proves that there are compelling and legitimate grounds for the processing, which override the interests and rights of the natural person.
9.2 The University shall provide the natural person with information on the action taken pursuant to the above rights without delay and in any case within one month from the receipt of the request. This deadline may be extended by a further two months, if necessary, taking into account the complexity of the request and the number of requests. The University shall inform the data subject of such extension within one month of the receipt of the request, as well as the reasons for the delay.
9.3 Any person connected in any way with the AUA, and whose data is collected by it, may at any time send a message to dpo@aua.gr in order to object to the collection, processing or use of his or her personal data, or to make a request or observation. The person authorised to receive and manage such messages (the DPO), judging case by case according to the seriousness of the matter, undertakes to carry out a relevant investigation and to inform the data subject of the outcome.
10. Record of Processing Activities
The University maintains a Record of Processing Activities, as required by Article 30 of the GDPR, for the processing it carries out as a controller or as a joint controller with another entity, and monitors the need for any update of it. The University keeps the record in electronic form and makes it available to the Hellenic Data Protection Authority upon request. The University has adopted a relevant procedure for the systematic updating of the Record of Processing Activities.
11. Impact Assessment for the Protection of Personal Data Processing
The University has prepared a Data Protection Impact Assessment, which covers the requirements of Article 35 of the GDPR, the relevant Article 29 Working Party (WP29) guidelines, ISO 29134 and the guidance of the UK and French supervisory authorities, and monitors the need for any update. The University has adopted a relevant procedure for the systematic updating of the Impact Assessment.
12. Data Protection Officer (DPO)
The University has appointed a Data Protection Officer, who is available for privacy issues. According to art. 39 of the GDPR, the duties of the Data Protection Officer are as follows:
- informs and advises the University and staff on their obligations under the GDPR and other provisions of the Union or the Member State relating to data protection;
- monitors compliance with the GDPR, with other EU or Member State provisions on data protection and with the University's policies and procedures in relation to the protection of personal data, including the delegation of responsibilities, awareness raising and training of officials involved in processing operations, and related controls;
- provides advice, when requested, on data protection impact assessments and monitors their implementation;
- cooperates with the supervisory authority and
- acts as a point of contact for the supervisory authority and natural persons on issues related to processing.
13. Data Transmission to Non-EEA Countries
The University may transmit personal data to specific recipients outside the EEA, always taking appropriate security measures and guarantees for the respective transfer. Specifically, personal data of natural persons may be transferred:
- to countries considered by the European Commission to provide an adequate level of protection for personal data, based on the protections provided by the legislation of the country to which the data will be transferred;
- to U.S.-based organisations that participate in the EU-US Data Privacy Framework (DPF);
- to organisations with the consent of the natural persons to the transfer, after they have been informed of the potential risks arising from the absence of an adequacy decision and appropriate safeguards;
- where necessary for the performance of a contract between the natural person and the University, or for the implementation of pre-contractual measures taken at the natural person's request;
- for the performance of a contract between the University and another person concluded in the interest of the natural person;
- in the context of disclosure of data to an administrative or judicial authority of a third country, based on an international agreement.
14. Disclosure of personal data breaches
14.1 The University notifies the Hellenic Data Protection Authority of any personal data breach which, following a risk assessment, is determined to pose a risk to the rights and freedoms of natural persons, within seventy-two (72) hours. If the notification is made after 72 hours, the University must be able to justify the delay. Where the University deems that the breach may seriously endanger the rights of natural persons, they are also informed by any appropriate means.
14.2 The University keeps a record of the incidents of breach, their consequences, the respective actions of the University and the relevant documentation on a case-by-case basis, while the corresponding forms of the Personal Data Protection Authority are used for the notification of the incident of breach.