Personal Data Protection Policy
- Dec 04, 2020
- Last Updated: Sunday, 06 December 2020 15:07
The policy objective.
The protection of your personal data is important for ThPA SA This policy informs you about ThPA SA personal data collection practices, through ThPA SA website www.thpa.gr including the categories of data collected, retained and processed, the purpose of their collection, the categories of data subjects to whom data are disclosed and your rights. ThPA SA uses its best endeavours to protect your personal data on the condition that the personal data you provide are accurate and true. In addition, this Policy describes some of the safety measures taken by ThPA SA to protect the confidentiality of data and provides some guarantees for actions that ThPA SA will fail to accomplish.
Legal and regulatory framework
The Societe Anonyme under the name Thessaloniki Port Authority (ThPA SA) that was established in 1999 (Law 2688/99, GG 40A’/1-3-99) with a view to managing and operating the port of Thessaloniki, collects and processes personal data concerning you, within the framework of the exercise of its competence, the performance of its electronic services and the fulfilment of its legal obligations. For the purposes of this Policy, ThPA SA will be referred to as “Processor” within the meaning of Art. 4, Art. 7 of the General Data Protection Regulation.
The management and protection of the personal data of visitors of the website www.thpa.gr is subject to these rules, and the relevant provisions of the European Regulation 2016/679, on the Personal Data Protection (GDPR). The present terms are set out taking into account both the radical development of technology and, especially, Internet, and the existing set of legal regulations regarding these issues. The website https://www.thpa.gr will not make any misuse and use without your prior approval, in conformity with the personal data protection principles provided for by the relevant laws and international conventions. The websitewww.thpa.gr will by no means disclose, publish, exchange the personal data and the information you entrust with us. Also, it will not transmit users’ personal information and data or, in general, e-mail addresses and any other information regarding its users to any other not affiliated organization or partner.
What is “GDPR” - Applicable Legislation
The GDPR (General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, hereinafter the “Regulation”) aims at the establishment of a single legislative framework for the processing of personal data in the EU member states and replaces the previous Legislation (Directive 95/46/ΕC). The protection of natural persons with regard to the processing of personal data is a fundamental right. Article 8, par. 1 of the EU Charter of Fundamental Rights (the “Charter”) and Article 16, par. 1 of the Treaty on the Functioning of the European Union (TFEU) stipulate that everyone has the right to the protection of personal data concerning him. The Regulation shall be binding in its entirety and directly applicable in all Member States (i.e. no special adaptation of the national legislation is required, Article 83 of the Regulation)
What is personal data?
The term "personal data” refers to a natural person's information, such as their full name, postal address, e-mail address, telephone number, etc. that establish or may establish your identity, directly or indirectly, hereinafter referred to as "Personal Data or Data”.
What is the processing of personal data?
Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Who is the Controller?
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Who is the Processor?
A Processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Is it compulsory to provide your Data?
Providing your Data to ThPA SA may be compulsory with a view to achieving the goals set out in this Policy or optional. If you decline to provide the data marked as mandatory to the website, (https://www.thpa.gr), it will be impossible to achieve the main objective of collecting specific Data and, it could, for example, become impossible for ThPA SA to provide the services available on the website (https://www.thpa.gr).
What type of data does ThPA collect through its website?
We collect the following personal data:
Identification data: Full name, address, TIN, country, city.
Contact details: E-mail address, telephone number.
We do not collect, or have by no means access, through the website, to special categories (“sensible”) of personal data or data relating to criminal convictions and offences of data subjects. When visiting the ThPA SA website (https://www.thpa.gr) you will not be requested to provide any type of personal data. In a few cases, however, you will be requested to provide some personal data, which are indicated in the respective data fields on the ThPA SA website. (https://www.thpa.gr).
Personal data collection and intended use
This Policy informs about the personal data collection method and procedure from the website https://www.thpa.gr, stating each category of data that we may collect, store and process during our exchanges with the purpose of collection-storage-processing, the categories of persons concerned by the data and the third parties to whom the data and the rights that natural persons enjoy as data subjects. ThPA SA uses its best endeavours to protect your personal data on the condition that the data you provide us are accurate and true. Moreover, this Policy describes to the extent possible the safety measures we adopt to protect the confidentiality of the personal data and lists examples of guarantees for activities and actions from which ThPA SA will abstain. The use of personal or non-personal data collected by ThPA SA serves the following goals:
Improvement and adaptation of the website: ThPA SA is going to use these data exclusively for the purposes for which they were collected and for providing you information. Also, it will use them to adjust the content of the website to your needs and improve its composition, its changes and its potential.
Legal use: ThPA SA can collect, store, disclose and, generally, process your personal data when it is so required by the General Data Protection Regulation and/or by Law, or, when it is necessary, in order to protect or defend its own or your interests.
Supply of electronic services through a user identification procedure: ThPA SA will use this information in order complete your electronic application. More precisely:
a) to register a User on the “BTX platform” in order to issue a Customs Attestation Form FZ/AE, and,
b) to register a user on the “CT IIS platform”
DISCLAIMER: As regards the collection of personal data not through the ThPA SA website which applies to personal data of employees, candidate employees, single clients and, natural persons, in general, a separate written and detailed information is provided to the data subjects, during the collection of the above data, in line with the relevant requirement set by Art. 13 and 14 of the GDPR.
In ThPA SA, we retain and store your personal data in a physical or electronic archive, only for the period required for performing the service you requested or gave your consent for, subject to any contrary provisions in the corresponding applicable legislation. In any case, the personal data you provide us shall not be stored for more than 20 years (maximum limitation period for claims) at the ThPA SA archive.
Your data are erased depending on the case and always based on the provisions laid down by the relevant Legislation.
Personal Data Transmission.
ThPA SA does not transmit personal data to third parties unless it is required for legal purposes in order to reply to your requests and/or provided that it is required or permitted by law. In any case, access to your personal data is only allowed to authorized persons, who are required to have access to allow the attainment of their collection, use and processing, as hereby notified.
In some cases, ThPA SA may transmit your personal data to competent Public Authorities or natural or legal persons entrusted with the processing, on the conditions that we will inform you in advance and will get your prior consent, if it is so required for the processing. Persons with access to the data shall respect their confidentiality.
A “cookie” is a set of parameters stored on the User’s hard disc and includes selected data about the User’s browsing activity. A ‘cookie’ may include preferences such as the language selection, the user’s e-name or other similar data, which, otherwise, would have to be frequently submitted by the User. The use of a ‘cookie’ can by no means disclose personal data at the moment you connect with ThPA SA website. Most “cookies” are automatically deleted when you close the session cookies. The “cookies” can be deactivated at the User’s programme but this option may restrict some of our website’s possibilities while the User may be requested to submit repeatedly the same data.
ThPA SA currently does not use other cookies; except for those required for the functioning of its website and identifying the users, but could possibly use this technology in the future. In such a case, we will describe to you in detail what “cookies“do and will give you instructions about how you can control them.
We use IP (Internet Protocol) addresses to analyse trends in the use of Internet, manage the resources of our computers and our network, monitor any unauthorized illegal or malicious activity (attacks) and collect general demographic data (country of origin)
for an aggregate use.
Internet, just like any other tool used to transmit information cannot be considered 100% safe. Security on the Internet is a sensitive issue and relies mostly on reliable organizations and companies respecting confidentiality and safety of its Users data. ThPA SA tries to keep strict safety and control measures to protect your personal data in order to ensure compliance with all applicable legal requirements. In ThPA SA, we apply safety measures at a technical and organizational level in order to protect the data we collected from you against any voluntary or involuntary attempt, handling, loss, destruction or access by an unauthorized person. Our safety measures are continuously subject to re-audits and reforms, in line with the latest technological developments. ThPA SA uses the most advanced encryption and data protection tools (128-bit encryption, secure pages, firewall, digital signatures etc).
Access to your personal data is only limited to the duly authorized employees in order to provide you products and services and come in contact with these data.
Natural, electronic and procedural safeguards have been put in place in line with the personal data protection regulations.
ThPA SA takes any possible precaution to protect your data. However, due to the nature of the Internet, it cannot guarantee the protection of communications or data stored in its browsers against any unauthorized access by third parties.
Access on Internet.
If you contact ThPA SA online, we may occasionally use e-mail or postal address or telephone number to contact you, provided that you have provided them to us voluntarily. Please note that online communications such as emails etc. are not safe, unless they are encrypted. ThPA SA does not bear any responsibility for any unauthorized access or loss of your personal data beyond its control.
Communication through the website platform:
If a user contacts us through the Contact Form or in any other way, the provision of his personal data is done voluntarily and exclusively at the user’s free will. We will process the personal data provided only to the extent required and for this specific goal.
Our Website may offer the possibility to share on Social Networks and other similar tools that allow you to share your actions on the Website with other applications, websites or media and vice versa. The use of such features allows the exchange of data with your friends or the general public, depending on the settings of your personal profile. Please consult the Privacy Policies of the social network services for more information about the processing of your data.
Special Category Data:
You are requested not to send us by e-mail or disclose using a contact platform your sensitive personal data. The processing of personal data under this category does by no means serve the purpose of processing, as defined in this Policy.
All communications of ThPA SA with you (including phone calls, e-mails etc.) are neither monitored nor recorded.
2nd Level Update on the processing of personal data through a video surveillance system
1. Controller’s data
2. Purpose of processing and legal basis
We use a surveillance system for the purpose of protecting people and assets. The processing is necessary for the purpose of the legitimate interests that we pursue as Controller (Article 6 par. 1. f GDPR).
3. Legitimate interest analysis
Our legitimate interest consists of the need to protect our space and the assets in that space against illegal actions, such as thefts. The same applies for the protection of life, physical integrity, health and property of our personnel and the third parties found in the supervised space. We collect only image data and we record only in places, which, in our view, are risky for illegal action e.g. robbery or vandalism, also due to the Port’s strategic importance. The recording takes place at all ThPA SA entry gates, at the entrance of the main Administration building (including the parking area of the Administration), in front of the stairway of the main building, at the lift of the main building, at the entrance of the Technical Service building, at the entrance of the Guarding Building, at the entrance of the Pump House of EYATH, at the entrance and above the warehouses, at the fencing of ThPA SA. (including the fencing of the Vessels), over the Pillars (panoramic view), at the entrance of the Vessels workshop, at the entrance of the Passenger Terminal (passport control), at the entrance of the Nursery, at the Machinery house, at the Old Coast Guard, at the Container Terminal facilities (gantry crane, building, weighting system), at the silo building, at the entrance of the control room, without focusing on areas where the privacy of those captured by the camera, including their right to the protection of personal data, is excessively restricted. The closed circuit television cameras (CCTV) in some cases may also have zooming capability and do not collect sound data.
4. Access - Transmission
Access to the recorder of the CCTV system is restricted to a specific group of people using a unique identifier which is updated regularly for security reasons. RECIPIENTS ARE THE AUTHORIZED EMPLOYEES of the Environment, Health & Safety, Guarding- Port Facility Security Department, WHERE THE CONTROL ROOM IS LOCATED. The stored material is accessible through access control only by our competent/authorized personnel and outside contracted and bound to us by processing contracts of Article 28 GDPR partners, who are in charge of guarding and security of the space. The transmission of the data collected by the closed circuit television (CCTV) to third parties is generally allowed subject to the prior notification to you and provided that the requirements of the applicable European and Greek legislation on the protection of personal data are met. This material is transmitted to third parties in the following cases: a) to the competent judicial, prosecuting and police authorities, when it includes data necessary for the investigation of a criminal offense involving persons or assets of the Controller, b) to the competent judicial, prosecuting and police authorities, when such data are lawfully request by them during the exercise of their duties, and c) to the victim or the offender of a criminal offence, in case of data that may constitute evidence of the offence.
5. Retention time
We retain the data referred to in this Update (CCTV), for ten (10) days; after the elapse of this period, data are automatically deleted. If during this period, we detect an incident, we single out the footage of the video concerned and retain it for up to one (1) more month, in order to investigate the incident and initiate legal proceedings to defend our legitimate interests; if the incident involves a third party, we will retain the video for up to three (3) more months.
6. Data subjects rights regarding the said processing
Data Subjects have the following rights in relation to the processing concerned by this Update (CCTV):
7.- CCTV record
The “Controller” keeps in his/her office records of requests regarding the processing of CCTV data involving you. Also, the “Controller” keeps records describing and including the following: (a) the technical characteristics of the cameras, (b) diagrammatic representation of the cameras’ location, (c) the place where the data collected by the closed circuit television (CCTV) are kept.
8. Changes in this Update
9. Right to lodge a complaint.
If you consider that the processing of data concerning you infringes the Regulation (ΕU) 2016/679, you have the right to lodge a complaint with a supervisory authority. The competent authority for Greece is the Data Protection Authority, at 1-3 Kifissias str., Athens,115 23 https://www.dpa.gr, tel. 2106475600.
What are your rights with regard to the protection of your personal data
According to the Regulation, as in force, you have the following rights:
a) right of access,
b) right to rectification,
c) right to erasure, under some conditions, e.g. when the personal data are no longer necessary in relation to the purposes for which they were collected and where there is no other legal ground for the processing (or storage),
d) right to restriction of processing,
e) the right to data portability
f) the data subject right to object and not to be subject to a decision based solely on automated processing, including profiling,
g) right to lodge a complaint with a supervisory authority
i.e. you have the right to receive, upon request, free information about your stored personal data or to object, upon request, the processing of your personal data with future validity and withdrawal of your consent and also, according to the applicable provisions, the right of rectification, right of restriction to processing, right of data portability, right to erasure of such data and the right to lodge a complaint with a supervisory authority. In such cases, you are requested to address to the competent Personal Data Protection Department of ThPA below in writing, by an original letter, by fax or e-mail.
ThPA SA reserves the right to amend or review periodically this Policy in its sole discretion. In case of changes, ThPA SA will record the date of the modification or revision on this Policy and the updated Policy will apply for you as from this date onwards. We encourage you to examine from times to times this Policy in order to identify any changes in the way we manage your personal data.
Applicable Law and Jurisdiction
For any dispute that may arise between a user and ThPA SA, the applicable law is the Greek one and the competent courts for resolving the dispute are the competent courts of Thessaloniki.
Our website may contain links to other websites. This Policy on personal data protection applies only for the user’s access to this website and other websites that are exclusively managed by ThPA SA. The administrator of this website shall in no way be held liable for the protection terms of the personal data of other websites under the responsibility of third parties (natural or legal persons).
Right to lodge a complaint
If you consider that the processing of data concerning you infringes the Regulation (ΕU) 2016/679, you have the right to lodge a complaint with a supervisory authority. The competent authority for Greece is the Data Protection Authority, at 1-3 Kifissias str., Athens, https://www.dpa.gr/, tel. 2106475600.
This Policy was updated on 04/12/2020