Effective Date: 22/12/2023
1. Update on the Processing of Personal Data
For the Hellenic Olympic Committee (HOC), the protection of the personal data of its Athletes,
suppliers, partners and staff is of primary importance. For this reason, it takes the appropriate
technical and organizational measures to protect the personal data it processes and to ensure
that its processing is always carried out in accordance with the obligations set by the legal
framework, both by HOC itself, and from third parties who may process personal data on its
behalf.
This current Privacy and Personal Data Protection Policy applies to the data we provide to our customers, to the communication with each interested party and to the website https://panathenaicstadium.gr and its online services.
2. What is GDPR?
General Data Protection Regulation (GDPR) 2016/679(EE) constitutes the new regulatory
framework of the European Union (EU) in the field under consideration. The object of the law
is the establishment of the conditions for the processing of personal data, the protection of
the rights and freedoms of individuals and in particular the right to the protection of personal
data.
Personal data, according to the definition given in Article 4 of the GDPR, is the information
that can be used to identify you, communicate and transact with you, such as your name,
postal address, email address, your phone number, your computer’s IP address, as well as
other information when combined with your personal information.
3. Definitions
a. Privacy:
The information that concerns a living individual and identifies him directly
or indirectly, such as indicatively the name, the tax identification number, the contact details
(addresses, telephone numbers), identity number, location data, (online) identity identifier,
the physical characteristics, age, etc. Information concerning legal entities is not “personal
data” and is not protected by the relevant legislation. A subset of personal data are the socalled
special categories of personal data (or sensitive data), which relate to the individual’s
intimate personal situation (for example religious beliefs, political opinions, membership in
trade unions, health, racial origin, sexual life, administrative or criminal prosecutions and
convictions, etc.). The physical persons to whom the personal data concern are called “data
subjects”.
b. Processing: The collection and use of personal data by any means, such as storage, transmission to third parties, their modification, deletion, etc.
c. Controller: The natural or legal person who determines the purposes and manner of processing, either alone or jointly with others (“joint controllers”).
d. Processing: The physical or legal person who processes personal data on behalf of the controller.
e. Consent: Clear, free, specific, express and fully aware explicit declaration or other positive action of the data subject, with which he directly agrees to the processing of his personal data and its existence should always be able to be proven by the data controller.
4. HOC as data controller
HOC as the controller of personal data, under the name “Hellenic Olympic Committee“, based in Chalandri, 52 Vikela, Postal Code 15233, for the purposes of carrying out its business activities, collects and processes personal data of Athletes, suppliers, partners and its staff, in accordance with the applicable national legislation Law 4624/2019 and the European Regulation 2016/679 for the protection of individuals against the processing of personal data and for the free circulation of such data as applicable. Therefore, HOC acts as a data controller, in accordance with article 4 par. 7 of the GDPR.
5. HOC as the processor
HOC in the context of its activity as a processor:
- Processes personal data only on the basis of written instructions from the data controller,
- Ensures that the persons authorized to process the personal data have undertaken an obligation of confidentiality
- Takes the required technical and organizational security measures
- Does not hire another processor (“subcontractor”) except with the permission of the controller, which may be general or specific (in the case where there is a general permission, the “processor” is informed in case a replacement/addition of a subcontractor is required so that the controller to be able to object to these changes).
- Takes into account the nature of the processing and assists the controller with the appropriate technical and organizational measures, to fulfill the controller’s obligation to respond to requests to exercise the data subject’s rights.
- Assist the controller in ensuring its compliance with the obligations of record keeping of processing activities, processing security, breach notification and impact assessment study (taking into account the nature of the processing and the information available to the processor),
- At the controller’s option, delete or return all personal data to the controller after the end of processing services and delete existing copies,
- Makes available to the data controller all necessary information to demonstrate compliance with the obligations established in this article and allows and facilitates controls.
6. The personal data processed by HOC
HOC processes personal data only for a legitimate purpose, as long as one of the conditions of article 6 par. 1 or article 9 par. 2 of the GDPR is met. The website https://panathenaicstadium.gr designed in such a way that users can visit it without being required to reveal their identity and without having to give personal data. In carrying out its activities, it may process certain personal data in order to provide specific services to meet the needs of its business operation and its customers. Specifically:
6.1 Athletes’ personal data
HOC collects and processes personal data of the athletes such as first and last name, father’s name, mother’s name, contact numbers, email, address, identity information if any.
Legal bases for the above processing are the execution of its contractual obligations (GDPR article 6 par.1΄b) and the legitimate interest of HOC GDPR article 6 par.1΄f).
6.2 Personal data of staff and prospective employees
- HOC staff is well trained and aware of their obligations regarding the protection of personal data as well as the professional confidentiality of Athletes, suppliers, partners and the staff themselves. There is always a contractual relationship between HOC and the of its employees, with the necessary commitments of confidentiality and taking the appropriate organizational and technical measures to protect personal data.
- When a new job position is created, HOC collects CVs of prospective employees. At this stage, HOC collects and processes personal data of the candidates, such as name, identity / passport details, age, marital status, address, phone, email, CV details, degrees, certifications, previous service, requested job, etc. The collection of CVs of candidate employees is done by sending an electronic file.
- HOC ensures that the personal data of each candidate is kept intact and secure, for 1 year from the receipt of the CV, in order to be considered for future employment opportunities. Legal bases for the above processing are the performance of the contract (GDPR article 6 par. 1 b’), the performance of its legal obligations (for example compliance with tax, insurance and labor obligations defined by law) (GDPR article 6 par. 1c) and the legitimate interest of HOC GDPR Article 6 par. 1f), as well as the consent of the prospective employees for the sending of their CVs (GDPR Article 6 par. 1a).
6.3 Personal data of our third-party partners/suppliers
HOC collects and processes personal data of its partners/suppliers (for example website hosting manager,
Information Systems support, building security, accountants/tax technicians, legal advisors, business advisors, security technicians, occupational physicians, etc.) such as name, email, phone, address, VAT number, ID number, Social Security Registration Number, IBAN, invoices, documents, contracts, etc. These details are necessary in order to be in position to communicate, direct and supervise its partners, always aiming at perfect cooperation and the satisfaction of its customers. Legal bases for the above processing are the performance of the contract (GDPR article 6 par. 1 b’), the performance of our legal obligations (for example compliance with tax, insurance and labor obligations defined by law) (GDPR article 6 par. 1 c) and the legal interest of HOC GDPR article 6 par.1f).
6.4 Personal data from video surveillance
The security cameras and closed-circuit CCTV that HOC has, have as their main objective, in principle,
prevention and then keeping records that help the company draw safe conclusions, in order to have complete knowledge of the risks it must protect against human life and property. HOC ensures that the points of installation of the cameras and the method of receiving the data are determined in such a way that the data collected is not more than is absolutely necessary to fulfill the purpose of the processing and fundamental rights are not affected of its customers, partners, suppliers and staff. Also, HOC makes sure to inform the interested parties, before they enter the range of the video surveillance system, in a visible and understandable manner (sign), that they are going to enter an area that is being videotaped. The video surveillance system is not used for the purpose of monitoring the employees inside the workplaces, but only in the entry-exit area. The personal data resulting from the use of control and monitoring methods will not be used to the detriment of customers, partners, suppliers and its staff if they have not been previously informed about the introduction of control and monitoring methods and the use of this data. The maximum storage time of video surveillance files is 14 days.
The legal basis for the above processing is the legitimate interest of EOE (GDPR article 6 par. 1f).
7. Purposes of personal data processing
- The communication with the Athletes and suppliers/partners of the HOC
- The recruitment, payroll of the employees and all the general obligations ofHOC towards the employees as well as the processing of the personal data of the employees for tax and insurance reasons and as required by law (for example announcing their employment in the ERGANI information system, granting legal permits, etc.)
- The management and training of human resources, in the context of the legal interest for the proper and efficient Administration of HOC as well as for the continuous improvement of its operation and efficiency.
- The video surveillance of the entry-exit area at HOC headquarters for reasons of safety for human life and property.
- The management of judicial and/or extrajudicial disputes of HOC, based on its relevant obligations arising from the Law.
- The personal data of the above-mentioned data subjects will not be submitted to any other processing other than those mentioned above, only after there has been prior relevant information or if the resulting needs require it.
8. Basic principles of personal data processing
- The processing of personal data takes place in a legal, fair and transparent manner.
- The collection of personal data is carried out only for specified, clear and lawful purposes.
- The storage time of personal data is limited and is done only to fulfill the purpose of the processing.
- Personal data is accurate and up-to-date.
- Personal data that is not accurate is corrected or deleted.
- Personal data is kept confidential and stored securely.
- Personal data is not disclosed to third parties unless it is necessary to offer them services upon agreement.
9. Sharing of personal data
HOC may transmit the personal data provided by individuals to third parties, in the following cases and for specific purposes.
9.1 To its employees or external partners
These are experienced professionals, who are sufficiently informed about the confidentiality obligations
regarding the personal data of Athletes, partners, suppliers and employees. The employees/external partners of HOC only have access to the personal data of Athletes, partners, suppliers and employees that are deemed absolutely necessary for the performance of their duties. There is always a contractual relationship between HOC and its employees/external partners, with the necessary commitments of confidentiality and taking the appropriate organizational and technical measures to protect the personal data of customers, partners, suppliers.
9.2 Other third parties, due to legislation
HOC may share your necessary personal data with social security agencies, the Ministry of Labour, the
competent tax authorities as well as any administrative, judicial or other public authority, as defined in the
applicable legislation or in a court order to comply with the legislation or to respond to a mandatory legal
process (for example for tax purposes), or to protect the rights or safety of HOC.
9.3 Other third parties with your consent
In addition to the sharing described in this Privacy and Personal Data Protection Policy, HOC may transmit
information about you to third parties, provided you give us your free and express consent.
9.4 Transfer of Personal Data outside the EEA
HOC does not transmit personal data to third countries outside the European Economic Area (European Union, Iceland, Liechtenstein and Norway). However, if such a case arises, it will only transfer the personal data to third countries that provide an adequate level of data protection and for which a relevant adequacy decision of the European Commission has been issued. Otherwise, HOC may transmit the data only if the data subject has expressly consented to the transmission or if the transmission is subject to appropriate guarantees, as regulated in articles 46 et seq. of the General Regulation (for example Standard Contractual Clauses, Binding Corporate Rules). Also, HOC will inform the data subjects on this matter and in particular will explicitly mention the third countries to which the data will be transferred as well as the aforementioned mechanisms that allow this transfer in accordance with the General Regulation (for example adequacy decision of the European Commission, Standard Contractual Clauses, Binding Corporate Rules, etc.). For the avoidance of doubt, where the United Kingdom is no longer part of the EEA, references in this paragraph to the EEA shall mean the EEA and the United Kingdom.
10. Storage Period
The period of data storage is decided based on the following specific criteria depending on the case:
When the processing is imposed as an obligation by the provisions of the applicable legal framework, the personal data of the Athletes, partners, suppliers will be stored for as long as the relevant provisions impose.
When the processing is performed on the basis of a contract, the personal data of customers, partners, suppliers is stored for as long as is necessary for the execution of the contract and for the establishment, exercise, and/or support of legal claims based on the contract.
The resumes of the candidate employees are kept up to 1 year from their receipt. After this period, they are deleted without notice.
The resumes of HOC employees are stored in the Information Systems and in a physical file until the end of their contract for management purposes (for example participation in tenders, subsidy programs)
As regards the personal data of the customers and employees of EOE, they are kept for 20 years from the end of the contractual cooperation, for the possibility of presenting ancillary claims of the subjects in question, which are subject to the 20-year statute of limitations.
11. Security of Personal Data
HOC implements appropriate technical and organizational measures aimed at the safe processing of personal data and the prevention of accidental loss or destruction and unauthorized and/or illegal access to them, use, modification or disclosure. These technical and organizational measures are taken both during the design of the means of processing (for example encryption of server and computer data, etc.), and by definition, so that only personnel data is processed that are necessary for the respective purpose of processing (principle of minimizing personal data). HOC does not rest on the technical security measures it has taken so far, but is constantly looking for new and modern methods in order to protect the personal data it collects and processes. In any case, the way the internet works and the fact that it is free to anyone, does not allow guarantees to be provided that unauthorized third parties will never be able to breach the applied technical and organizational measures, gaining access and possibly using personal data for unauthorized and/or illegal purposes.
12. Actions in case of breach of personal data
A personal data breach means a violation of security rules that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data transmitted, stored or otherwise processed. The person who discovers a breach of personal data will take appropriate measures to protect the personal data from any further negative impact and will report the breach without delay to the DPO, who will record the breaches found and assess their causes.
In the event that a violation of the subjects’ personal data is found and this violation may cause a risk to their rights and freedoms, HOC undertakes to notify without delay and in any case within 72 hours from the moment it becomes aware of the fact of the violation, to the Personal Data Protection Authority (PDPA).
Furthermore, if the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the data subject should be informed by the HOC without delay.
13. Your rights
Every individual whose data is subject to processing by HOC has the following rights:
13.1 Right to information
You have the right to be informed about the identity and contact details of us, or our representatives, the
purposes of the processing for which the personal data is intended, as well as the legal basis for the
processing, the recipients or categories of recipients of the personal data. Within the framework of the
principle of transparency that governs the operation of the HOC, you can contact us requesting further
information on how your personal data is processed and how to exercise your rights, by submitting the
respective requests. Your requests will be answered without delay and in any case within a month of
receiving the request. This deadline can be extended by another two months, if necessary, taking into
account the complexity of the request and the number of requests.
13.2 Right of Access
You have the right to be aware of and verify the lawfulness of the processing and to ask us for copies of the personal data being processed. Therefore, you have the right to access the data and receive additional information about its processing. You also have the right to access more specific information about the content and how to exercise your individual rights.
13.3 Right to Rectification
You have the right to study, correct, update or modify your personal data.
13.4 Right to erasure
You have the right to request erasure of your personal data when we process based on your consent or in
order to protect our legitimate interests. In all other cases (such as indicatively when there is a contract, an obligation to process personal data imposed by law, public interest), the right in question is subject to specific restrictions or does not exist depending on the case (for example we are entitled to refuse the deletion of your personal data in order to establish, exercise or support our legal claims).
13.5 Right to restrict processing
You have the right to request restriction of the processing of your personal data in the following cases: (a)
when you dispute the accuracy of the personal data and until verification is made, (b) when you object to the deletion of personal data and request instead of deletion the restriction of its use, (c) when the personal data is not needed for the purposes of processing, but is nevertheless necessary for the establishment, exercise, support of legal claims, and (d) when you object to the processing and until it is verified that there are legitimate reasons for continuing the processing that we relate to and override the reasons for which you object to processing.
13.6 Right to object to processing
You have the right to object at any time to the processing of your personal data in cases where, as described above, this is necessary for the purposes of legitimate interests pursued by us as controllers, as well as to the processing for the purposes of direct informational promotion. In particular, you have the right to object to any decision made solely on the basis of automated processing, including profiling, which produces legal effects concerning you or significantly affects you. Exceptionally, you may not object to automated decision making concerning you, when this decision, whether it is necessary for the conclusion or performance of the contract we have concluded with you, or is based on your express and free consent.
13.7 Right to Portability
You have the right to receive your personal data free of charge in a format that will allow you to access it, use it and process it with the commonly used processing methods. You also have the right to ask us, if technically possible, to transfer the data directly to another data controller. This right of yours exists for the data you have provided to us and their processing is carried out by automated means based on your consent or in execution of a relevant contract.
13.8 Right to Withdraw Consent
Where the processing is based on your express and free consent, you have the right to withdraw it freely,
without prejudice to the lawfulness of the processing that was based on your consent before you withdrew it. To withdraw your consent you can contact the Data Protection Officer DPO of HOC.
13.9 Right of complaint to PDPA
In the event of a breach of your personal data, you have the right to submit a complaint to the Personal Data Protection Authority (www.dpa.gr):
Call Center: +30 210 6475600
Email: contact@dpa.gr
14. Third party websites
Our Website may provide links to other Websites that are not owned or controlled by us, but which we believe may be useful or interesting to visitors of our Websites. In this case, we are not responsible for the privacy practices used on the Websites of others or for the validity of their content or for the collection of information by the parties who own and control such websites, or their use of Cookies. So, consequently, we are not responsible for any damage or problem that occurs to any of you who will use this foreign website and ultimately, it is up to you whether or not to use any link of another Website, provided by our website, in case you don’t trust it completely.
15. Updates and changes
We may change or modify this Privacy Policy in order to comply with the evolving legislative environment or the needs of the HOC. You are responsible for checking this Privacy Policy when you visit the Website so that you are aware of any changes and updates to this Policy. All amended terms are automatically effective 30 days after their initial posting on the Website.
16. Data Protection Officer (DPO) contact details:
For any matter related to the processing of personal data, you can contact the Personal Data Protection Department of EOE at the following contact details:
E-mail : dpo@hoc.gr
Address: Vikela 52, Postal Code: 15233, Chalandri, Attica
Phone:+30 210 6878815
Effective Date: 22/12/2023
The Administration of the Hellenic Olympic Committee