The purpose of this Policy.

The protection of your personal data is important for ThPA S.A. This policy aims at informing you on the personal data collection practices of ThPA S.A., through its website address www.thpa.gr including the categories of data it may collect, retain and process, the purpose of their collection, the categories of persons to whom the data are communicated and your rights. ThPA S.A. makes every possible effort to protect your personal data, on the condition that the personal data you have provided are true and accurate. It also outlines certain security measures taken by ThPA S.A. in order to protect data confidentiality and provides certain guarantees for things ThPA S.A. will not do.

 

Legal and Regulatory Framework.

The Societe Anonyme under the name “Thessaloniki Port Authority” (ThPA S.A.), which was established in 1999 (Law 2688/99, Government Gazette 40A’/1-3-99) for the purpose of the administration and exploitation of the Port of Thessaloniki, collects and processes personal data concerning you, for the exercise of its responsibilities, the performance of its electronic services and the fulfillment of its legal obligations.  For the purposes of this Policy, ThPA S.A. shall be considered to be the controller within the meaning of Article 4(7) of the General Data Protection Regulation.

The management and protection of the Website https://www.thpa.gr visitor/user’s personal data are subject to the present policy and to the provisions of the European Regulation 2016/679 on the Protection of Personal Data (GDPR). These Terms are formulated taking into account both the rapid development of technology and in particular the Internet, and the existing network of legal provisions on these issues.  The website https://www.thpa.gr will not make any unfair and unauthorized use, following the principles of protection of personal data provided by the relevant laws and international conventions.  The website https://www.thpa.gr does not in any way disclose, publicize, and exchange the personal information or any other type of information that you trust us. In addition, it does not transmit personal information and data of visitors/users to any other organization or partner that is not associated with it, email addresses or generally any other information concerning its visitors/users.

What is “GDPR” – Applicable Legislation.

The GDPR (General Data Protection Regulation General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 hereinafter referred to as “the Regulation”) aims at the establishment of a single legislative framework for the processing of personal data in the EU member states and replaces the previous Legislation (Directive 95/46/ΕP). The protection of natural persons in relation to the processing of personal data is a fundamental right. Pursuant to Article 8(1) of the Charter of Fundamental Rights of the European Union (“Charter”) and Article 16(1) of the Treaty on the Functioning of the European Union, everyone has the right to the protection of personal data concerning him or her. The Regulation is binding in its entirety and directly applicable in all Member States (ie no special adaptation of the national legislation is required, article 83 of the Regulation). However, Law 4624/2019 has also been voted.

 

What are the personal data?

The term “personal data” refers to personal information of natural persons such as your name, postal address, e-mail address, telephone number, etc. that identify or may identify your identity, hereinafter referred to as “Personal Data or Data”.

 

What is the personal data processing?

Any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

What is the Controller?

“Controller” means the natural or legal person, public authority, agency or other bodies which, alone or jointly with others, determines the purposes and means of the processing of personal data.

 

What is the Processor?

“Processor” means the natural or legal person, public authority, agency or other bodies which processes personal data on behalf of the controller.

 

Is it mandatory to provide your data?

Providing data to ThPA S.A. may be necessary to achieve the purposes set forth in this Privacy Policy, or for it to be optional. If you refuse to provide the information marked as mandatory on the Website (https://www.thpa.gr), the basic purpose of collecting the particular Data required will be rendered impossible, and may for example, make it impossible for ThPA S.A. to provide the other services available on the Website (https://www.thpa.gr).

 

What kind of data does ThPA S.A. collect through its Website?

We collect the following personal data:

Identification data:  name, address, VAT number, country, city.

Communication data: email address, telephone number.

We do not collect, nor do we gain access in any way, through the Website, to special categories of (“sensitive”) personal data or data concerning criminal convictions and offenses of the subjects. The visit to the Website of ThPA S.A. (https://www.thpa.gr) does not necessarily require you to provide any kind of personal data. In many cases, however, it is necessary for you to provide some of your personal data,  which are indicated in the corresponding data entry sections on the website of ThPA S.A.  (https://www.thpa.gr).

 

Collection and purposes of use of personal data.

This Policy informs about the way and the process of collecting personal data from the website https://www.thpa.gr stating by category the data we collect, store and process, the purpose of collection-storage-processing, the categories of persons to whom the information relates, the third parties to whom the data may be disclosed, and the rights that natural persons have as subjects of the data. ThPA S.A. makes every possible effort to protect your personal data, provided that the information you provide to us is accurate and true. In addition, this Policy, describes, as far as possible, the security measures we take to protect the privacy of your personal data and lists, indicatively, the guarantees for activities and actions, from which ThPA S.A. will abstain.  The use of personal or non-personal data that we collect from you serves the following purposes:

(a) Improvement and adaptation of the website:  This information is to be used by ThPA S.A. only for the reasons for which it was collected and to provide you with information.  It will also be used to tailor the content of its website to your needs and to improve its composition, changes and dynamics.

(b) Legal use: ThPA S.A. may collect, store, disclose and, generally, process your personal data when this is required by the Personal Data Protection Regulation and/or the law or when necessary, in order to protect its own interests and your interests.

(c) Provision of electronic services through a visitor/user identification process: This information will be used by ThPA S.A. for the purpose of processing your online application and, more specifically: i) for user registration on the “BTX platform” for the issuance of “Certificate of Customs Status FZ/SA” and, ii) for user register on the “Container Terminal IIS platform”.

(d) For the registration or identification in applications of ThPA S.A.:   This information will be used by ThPA S.A. for the purpose of processing your registration or identification in an application thereof.

 

Regarding the registration forms on our site (in the event that those choosing the Registration are sole proprietorships and not Legal Persons/Companies).

(a) In: Partners > C.T.M.I.S. > Registration, those collaborating with ThPA S.A. can register on the portal for various applications/services. With the above option, the user is transferred to the portal of ThPA S.A., which is located on another server and another address (https://webportal.thpa.gr). The two links, Terms of Use and Personal Data Protection Policy, lead to the texts available on the site (https://www.thpa.gr/terms-of-use/ and https://www.thpa.gr/personal-data-protection-policy/ respectively). To register / create an account (as the services are provided by logging into the portal), the user provides the following information:

1. Company email.
2. Full name.
3. Mobile phone.

(b) In: Partners > C.T.M.I.S. > Login, login to the CTOS system. There is an option to register if there is no account. With the above option, the user is transferred to the portal of ThPA S.A., which is located on another server and another address (https://ctosxml.thpa.gr). The following information is required for registration:

1. Company email.
2. Company name.
3. VAT number.
4. Telephone.
5. Solemn declaration (art. 8 L.1599/1986) for the responsibility of the validity of the data provided.

(c) In: Partners > C.T.M.I.S. > Reservations (TAS), those collaborating with ThPA S.A. (mainly carriers) can register in the app for appointments. With the above option, the user is transferred to the portal of ThPA S.A., which is located on another server and another address (https://tas.thpa.gr). The following information is required for registration:

1. Email.
2. VAT number.
3. Company name.
4. Telephone.
5. Address (company headquarters).
6. Website – optional, if any.

(d) To register in the application service for issuing Customs Certificates (BTX, https://btx.thpa.gr), the following are requested:

User details:

1. Email.
2. Full name.

Details of company – agent:

1. Company name.
2. VAT number.
3. EORI (European Customs Company Number).
4. Country, City, Address, Postal Code.
5. Telephone.
6. Solemn declaration ( 8 L.1599/1986) for the responsibility of the validity of the data provided.

(e) Application for electronic invoices (https://portal.thpa.gr/customers). It is addressed to partners who are already registered in the electronic systems of THA S.A. as customers, who may request to receive the invoice that concern them electronically. Information requested:

1. Company name.
2. Occupation.
3. Address, Postal Code.
4. TIN, Tax Office.
5. Contact telephone number.
6. Full Name of representative.
7. Up to 5 different email addresses where invoices will be sent.

 

IMPORTANT NOTE: For the non-electronic personal data collection, through the website of ThPA S.A. and concerns the processing of personal data of employees, candidate employees, partners, contractors, suppliers, individuals, clients and, generally, natural persons, the data subjects receive separate written and detailed information during the collection of the above data, based on the relevant obligation stemming from the requirements of Articles 13 and 14 of the GDPR.

 

Data Storage

At ThPA S.A. we retain and store your personal data in a physical or electronic file, only for the period of time required to perform a service, which you requested or gave your approval for, subject to the contrary provisions of the respective Legislation. In any case, the personal data that you provide are not stored for more than 20 years (maximum legal limitation period) in the file of ThPA S.A.

 

Erasure of Data

Your data is deleted depending on the case and always based on the provisions stipulated by the relevant Legislation.

 

Transmitting personal data

ThPA S.A. does not transmit personal data to third parties, unless this is required for legitimate purposes, in order to meet your requests and/or if required or permitted by law. In any case, access to your personal data is permitted only to authorized persons, who are required to have access in order to be able to complete the purposes of their collection, use and processing, as disclosed in this Statement.

In some cases, ThPA S.A. may transmit your personal data to competent public authorities or to natural or legal entities entrusted with the execution of the processing, provided that we will notify you in advance and receive your prior consent, if required for each processing. Those individuals who have access to the data are required to maintain the confidentiality of such data.

 

Cookies.

A “cookie” is a set of parameters stored on the visitor’s/user’s hard drive and includes selected information about the visitor’s/user’s visits to an online site. A “cookie” may contain preferences, such as language selection, the visitor/user’s electronic name or other similar information, which would otherwise require frequent submission by the visitor/user. The use of a “cookie” can in no way lead to the disclosure of personal data while you are connecting to the online site of ThPA S.A. Most “cookies” are automatically deleted once you close the “session cookies”. Cookies can be deactivated in the visitor/user’s viewer, but this option may limit some of the features of our website, while the visitor/user may have to repeatedly submit the same information.

ThPA S.A. currently does not use other “cookies”, except those necessary for the operation of its Website and the identification of visitors/users, but it is likely to use this technology in the future. If this is the case, we will describe in detail what the cookie does, giving you instructions on how to control it.

 

Log Files.

We use IP addresses (Internet Protocol) to analyse trends in internet usage, to manage the resources of the computers and our network to monitor any unauthorized illegal or malicious activities (attacks) and to collect general demographic information (country of origin) for an aggregate use.

 

IP Addresses.

The IP address, through which the visitor’s/user’s computer has access to the internet and then to the Website/Application, is stored and can be exploited by the page, if necessary, in case of violation of the Terms of Use of the Website/Application by the visitor/user.  The dynamic IP address alone is not enough to enable the service provider to identify the visitor/user of its web page https://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d2dc30d523eb765182d141359033f732cf00607b.e34KaxiLc3qMb40Rch0SaxuTah10?text=&docid=178241&pageIndex=0&doclang=el&mode=lst&dir=&occ=first&part=1&cid=53586).

 

Data Security.

The Internet, like any medium used to transmit information, cannot be considered 100% secure. Internet security is a sensitive issue and relies mainly on trusted organizations and businesses that respect the confidentiality and security of its Users’ data. ThPA S.A. tries to maintain strict security and control measures to protect your personal data in order to ensure compliance with all applicable legal requirements. In ThPA S.A. we apply safety measures at a technical and organizational level to protect the data collected by you against any voluntary or unintentional attempt, manipulation, loss, destruction, or access in general by an unauthorized person. Our security measures undergo continuous controls and updates in accordance with the latest technological developments. ThPA S.A. uses the most recent encryption and information protection tools (128-bit encryption, safe pages, network protection system-firewall, digital signatures etc.).

Access to your personal data is limited only to authorized employees to provide you with products and services and who come into contact with such data.

Physical, electronic and procedural safeguards have been activated, which are in line with the regulations for the protection of your personal data.

ThPA S.A. takes every precaution possible to keep your personal data safe. However, due to the nature of the Internet, it cannot guarantee the protection of communications or data stored in its browsers from any arbitrary access by third parties.

 

Access to the Internet.

If you contact ThPA S.A online, we may occasionally use an email or telephone number to contact you provided that you have voluntarily provided them to us. You should be aware that communications over the internet, such as emails, etc., are not secure unless they have been encrypted. ThPA S.A. bears no responsibility for any unauthorized access or loss of your personal information, which is beyond its control.

 

Privacy Policy and children.

This Website has been designed and is intended for use by adults. If you are minors under the age of consent required in your country (in Greece this limit is over 15 years old), you should check the terms of this Statement, together with your parent or guardian, to ensure that you understand and accept these Terms. If it is found that we have collected information from a minor without the consent of his or her parent or guardian, when such consent should have been obtained, we will delete the information as soon as possible.

 

Communication through the platform of the Website.

In the event that a visitor/ user contacts us through the contact form or in any other way, the provision by the visitor/user of his/her personal data is done voluntarily and exclusively at the free will of the visitor/user. We will process such provided personal data only to the extent necessary for the specific purpose.

 

Social Media

Our Website may offer Social Networks sharing and other related tools that allow you to share your actions within the Website with other applications, websites or mass media, and vice versa. Using such features allows you to share information with your friends or the general public, depending on the settings you have defined in your personal profile. Please refer to the privacy policies of these social networking services for more information on how your data is handled.

 

Special Categories of Data.

We ask you not to send us through e-mail and not to disclose to us, through the use of the communication platform, your sensitive personal data. The processing of personal data of this category does not serve in any way the purpose of the processing, as defined in this Policy.

 

Interception of communications.

All communications of ThPA S.A. with you (including the telephone conversations, e-mails etc.) are neither intercepted nor recorded.

 

 

B-Level information on the processing of personal data through a video surveillance system.
Details of Data Controller.
The Société Anonyme under the name “THESSALONIKI PORT AUTHORITY S.A.” (ThPA S.A.) having its registered office in Thessaloniki (Pier 1, inside the Port PC, PC: 54625, tel.: 2310 593 118-121, email: secretariat@thpa.gr).

Processing purpose and legal basis.

We use a surveillance system for the purpose of protecting people and goods. Processing is necessary for the purposes of the legitimate interests pursued by the controller (Article 6 par. 1. f GDPR).

Analysis of Legitimate Interests.

Our legitimate interest consists of the necessity to protect our premises and assets from illegal actions, such as thefts. Moreover, the Company aims to protect life, physical integrity, health and property of our personnel and third parties that are legally in our premises. We only collect image data and we limit footage in places where we believe that there is an increased possibility of committing illegal acts e.g. theft or vandalism, also due to the strategic importance of the Port. The recording takes place before all the entrance gates of ThPA S.A., before the entrance of the main building of the Administration (including the parking space of the Administration),  before the staircase of the main building, before the elevator of the main building, before the entrance of the building of the Technical Services, before the entrance of the Guard Building, before the entrance of the pumping station of EYATH, before the entrance and above the warehouses, in the fences of ThPA S.A. (including the fencing of Vessels), above the Pillars (panoramic footage), before the entrance of the Vessels Workshop, before the entrance of the Passenger Station (passport control), before the entrance of the Nursery, at the Engine Room, at the Old Port Authority, at the Container Terminal areas (crane, building, weighing unit), at the Silo building, before the entrance of the control room, without focusing on areas where the privacy of the persons whose image is taken may be excessively restricted, including their right to respect for personal data. Closed circuit television cameras (CCTV) in some cases have the ability to zoom and do not collect sound data.

Access-Transmission.

Access to the closed circuit television system (CCTV) recorder is accessed by a specific group of persons using a unique security code that is updated at regular intervals for security reasons. RECIPIENTS ARE THE AUTHORIZED EMPLOYEES of the Department of Environment, Health & Safety, Security and PFSO, WHERE THE CONTROL ROOM IS ALSO LOCATED. The material kept is accessible through access control only by the competent/authorized personnel and the external partners contracted with us and bound by us with processing agreements of Article 28 GDPR, who are in charge of guarding and securing the site. The transmission of data collected by the CCTV to third parties is generally permitted only after your prior information and only if the conditions of the European and Greek legislation on the protection of personal data, as in force, are met.  This material is transmitted to third parties in the following cases: a) to competent judicial and law enforcement authorities when the material provides evidence that is necessary for the investigation of an illegal action, that affects people or assets related to the data controller, b) to competent judicial, prosecutorial and police authorities when they submit a request for data within the context of the exercise of their duties and c) to the victim or the perpetrator of an illegal action, when data may constitute evidence of proof.

Retention time.

We keep the data referred to in this Update (CCTV) for ten (10) days, after which they are automatically deleted. In the event that we find an incident during this period, we isolate part of the video and keep it for up to one (1) more month, in order to investigate the incident and initiate legal proceedings to defend our legitimate interests, while if the incident concerns a third party we will keep the video for up to three (3) more months.

Rights of data subjects in relation to such processing.

The Data Subjects have the following rights in relation to the processing to which this Update relates (CCTV):

• Right of Access: you have the right to be informed about the processing of your image and if this is the case to receive a copy of your data. • Right to Restriction: you have the right to request from us to limit the processing such as not to delete data that you consider necessary for the establishment, exercise, or defence of legal claims. • Right to Object: you have the right to object to the processing. • Right to Erasure: you have the right to request us the deletion of your data. You can exercise your rights by sending an e-mail to dpo@thpa.gr or by sending a letter to our postal address or by submitting your request to our offices. In order for us to review a request related to your footage, you will need to identify approximately when you were within camera range and provide us with a picture of yourself to help us locate your own data and conceal the data of third parties. Alternatively, we give you the opportunity to come to our facilities to show you the footages in which you appear. We also note that the exercise of the right to object or erasure does not imply the immediate deletion of data or modification of the processing. In any case we will reply to you in detail as soon as possible, within the deadlines set by the GDPR.

CCTV File.

The “Controller” keeps a file in its offices with requests regarding data processing of CCTV data concerning you. Also, the “Controller” keeps a file which describes and includes the following: (a) the technical characteristics of the cameras, (b) structure diagram of the camera location, (c) the place where the data collected by the CCTV are kept.

Changes in this Update.

ThPA S.A. reserves the right to modify and update this Update at any time and without notice. In any such case you will be informed of the changes as soon as possible. In case you have any query or question regarding this Update or in general regarding the protection of your personal data, you can contact the Data Protection Officer (dpo) at e-mail: dpo@thpa.gr  or with the IT Department at the e-mail: icts@thpa.gr.

Right to lodge a complaint.

If you consider that the processing of your data, collected via CCTV and concerning you, violates Regulation (EU) 2016/679, you have the right to lodge a complaint with a supervisory authority. Competent supervisory authority for Greece is the Data Protection Authority, 1-3 Kifissias street, P.C. 115 23, Athens, https://www.dpa.gr, tel. 2106475600.

 

What are your rights regarding the protection of your personal data.

Under the Regulation, as applicable, you have the following rights:

a) the right of access,
b) the right of correction,
c) the right to erasure, under certain conditions, such as when processing is no longer necessary for the purpose for which the data were initially collected and there is no imperative reason to continue processing (or storing) your information,
d) the right to have the processing restricted,
e) the right to transmit data,
f) the right to object and the right not to be subject to a decision made solely on the basis of automated processing, including profiling,
g) the right to complain to the supervisory authority.

You have the right to receive, upon request, free information about the stored personal data concerning you, to object, on request, to the processing of your data, with effect for the future and withdrawal of your consent, as well as, in accordance with the applicable provisions, the right to rectification, restriction of processing, transfer of data, erasure of such data and complaint to a supervisory authority. In these cases, please contact in writing with a relevant original letter, by fax or e-mail to the competent Data Protection Department (dpo) of ThPA S.A., mentioned below.

 

Revisions of the Statement.

ThPA S.A. reserves the right to modify or revise this Statement from time to time, at its sole discretion. If changes are made, ThPA S.A. will record the date of modification or revision in this Statement and the updated Statement will apply to you from that date. We encourage you to periodically review this Statement to see if there are any changes in the way we handle your personal data.

 

Applicable Law and Jurisdiction.

For any dispute arising between the visitor/user and ThPA S.A., the applicable law is the Greek and competent courts to resolve the dispute are the competent Courts of the Prefecture of Thessaloniki.

 

Links.

Our website may contain links to other websites. This Privacy Statement on the protection of personal data applies only to the visitor/user’s access to this Website, but also to other websites operated exclusively by ThPA S.A. Under no circumstances is the operator of this website responsible for the terms of protection of personal data of other websites, which are under the responsibility of third parties (natural or legal persons).

Communication.

ThPA S.A. informs you that it has appointed a Personal Data Protection Officer (DPO), whom you can contact at the electronic contact address dpo@thpa.gr. If you have any questions or recommendations regarding this Policy, you may address them to the above address and contact number. Continuous developments on the Internet in general make it necessary to adapt our network data protection rules from time to time. ThPA S.A. reserves the right to make any recommended changes to these rules at any time.

 

Right to lodge a complaint.

If you consider that the processing of your data violates Regulation (EU) 2016/679, you have the right to lodge a complaint with a supervisory authority.   Competent supervisory authority for Greece is the Data Protection Authority, 1-3 Kifissias street, P.C. 115 23, Athens, https://www.dpa.gr/, tel. 210 6475600

 

This Policy was updated on 8/7/2024.