Personal Data Protection Policy
Introduction
The Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), has been in effect as of May 25, 2018. You can find the regulation here.
This Personal Data Protection Policy regarding the issuance of a personalized card (hereinafter referred to as the “Policy”) applies to the Organization named "Thessaloniki Public Transport Authority S.A." with the trade name "OSETH" (hereinafter referred to as OSETH, the organization, or the entity). The organization is headquartered in Thermi, Thessaloniki, at Plot 51, Building B1 Ganas & Ganas, Postal Code 57001, Greece.
OSETH places great importance on protecting the personal data of its clients, employees, and any individuals who visit its websites. To this end, the organization has developed this Policy to inform these individuals about how their personal data is collected, used, and shared. For any inquiries, you can contact the Data Controller using the following contact details: Phone number: +30 2310 483070, Email address: info@oseth.com.gr.
Key Definitions
Below are key definitions in accordance with Article 4 of the GDPR:
Personal Data: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing: Any action or set of actions performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its nomination may be provided for by EU or Member State law.
Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Recipient: A natural or legal person, public authority, agency, or other body to which personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the context of a particular inquiry in accordance with EU or Member State law shall not be regarded as recipients. The processing of such data by those public authorities shall comply with applicable data protection rules according to the purposes of the processing.
Third Party: A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
How We Collect Your Personal Data
Your personal data is collected by OSETH:
- When you visit ticket offices and submit a request for the issuance of a personalized card.
- When you submit a request for the issuance of a personalized card through OSETH's website.
Purpose of Processing Your Personal Data
Your personal data is used exclusively to fulfill the operational purposes of OSETH, which include providing public transportation services within the organization’s jurisdiction. Specifically, your personal data is processed for issuing personalized cards.
Personal Data Processed
For the purpose of issuing personalized cards, the following personal data is processed:
- Contact Information: Surname, first name, email address, postal address, phone number.
- Personal Information: Social Security Number (AMKA) or Passport Number, month/year of birth.
- Image Data: Photograph.
- Transaction Data: Transaction codes.
Processors Acting on Behalf of OSETH
Your personal data is shared with OSETH's partners under conditions that ensure its protection and prevent unauthorized processing. Specifically, the following have access to your data:
- AMCO ABEE: Responsible for developing and maintaining the Automated Fare Collection System. The company acts as a “Processor” (as per Article 4, point 8 of the GDPR).
- EDYTE S.A.: Provides the G-Cloud data center hosting the subsystem. This entity also acts as a “Processor” (Article 4, point 8 of the GDPR).
- Indigital: Develops and maintains OSETH's online portal, also acting as a “Processor” (Article 4, point 8 of the GDPR).
Legal Basis for Processing
The processing of your personal data is necessary for the execution of a contract to which the data subject is a party (Article 6(1)(b) of the GDPR).
Retention Period
Your personal data is retained for a reasonable period of time, specifically:
- As long as your account is active, meaning until you delete it yourself.
- Alternatively, for as long as required by specific legislation.
- Photographs are deleted upon card issuance.
After the retention period, your personal data is destroyed in accordance with applicable laws and organizational procedures. In certain cases, personal data may be retained for longer to comply with legal obligations.
Confidentiality and Transfer of Personal Data
Access to your personal data is restricted to designated OSETH personnel who are bound by confidentiality agreements. Unauthorized access is strictly prohibited. Additionally, processors acting on behalf of OSETH have contractually agreed to maintain confidentiality, refrain from transferring personal data to third parties without OSETH's consent, implement appropriate security measures, and comply with the legal framework for personal data protection.
No data is transferred outside the European Economic Area (EEA). Data may be transferred to the competent Greek authorities in the event of an investigation. Specifically, personal data maintained by OSETH may be disclosed to judicial, police, or other administrative authorities upon their lawful request and in accordance with applicable legal provisions. Furthermore, in the case of a lawful order from a prosecutor or another authority, or during a regular or preliminary investigation, OSETH is obligated to provide the requested information to the requesting authority.
Technical and Organizational Measures for Data Protection
In compliance with Articles 24, 32, and other provisions of the GDPR, OSETH, as the Data Controller, implements appropriate technical and organizational measures to ensure an adequate level of security against risks. Examples of such measures include the appointment of a Data Protection Officer (DPO), as required by Article 37(1)(a) of the GDPR, the implementation of technical and organizational measures to protect both physical and digital records, and the conducting of a Data Protection Impact Assessment (DPIA) for processes where required, such as for digital fare collection, in accordance with Article 35 of the GDPR and Decision 65/2018 of the Hellenic Data Protection Authority (HDPA).
Data Subject Rights
In accordance with Article 12 of the GDPR, OSETH, as the Data Controller, facilitates the exercise of data subject rights. Additionally, the Data Controller provides data subjects with information on actions taken in response to their requests without undue delay and in any case within one month of receiving the request. This period may be extended by an additional two months if necessary, taking into account the complexity and number of requests.
Specifically, as a data subject, you may request the following:
- Right of Access: You may request information at any time from OSETH regarding whether your personal data is being processed. If so, you may request details about the purpose of the processing, the type of data being processed, to whom it is disclosed, the retention period, and whether automated decision-making is involved, as outlined in Article 15 of the GDPR.
- Right to Rectification: You may request OSETH to correct inaccurate or outdated personal data concerning you. Additionally, you can request the completion of incomplete personal data, including by providing a supplementary statement, as per Article 16 of the GDPR.
- Right to Erasure: You may request the deletion of personal data under the conditions described in Article 17 of the GDPR.
- Right to Restriction of Processing: You may request a restriction on the processing of your personal data under the conditions described in Article 18 of the GDPR.
- Right to Data Portability: Under the conditions of Article 20 of the GDPR, you may request to receive your personal data which you have provided to the controller in a structured, commonly used, and machine-readable format.
The fulfillment of these rights will also be considered in conjunction with any applicable specific legislation.
How to Exercise Your Rights
You may submit your requests to the Data Controller (OSETH) via email at info@oseth.com.gr or by calling 2310 483070. If the Data Controller has reasonable doubts about your identity, additional information may be requested to confirm your identity. Once your identity is verified, the Data Controller will provide information on the actions taken in response to your request without undue delay and within one month of receipt. This period may be extended by an additional two months if necessary, considering the complexity and number of requests. You will be informed of the extension within one month of the request's receipt, along with the reasons for the delay. If the request is submitted electronically, the response will be provided
Contacting the Hellenic Data Protection Authority (HDPA)
If your request remains unresolved after communicating with OSETH, you may file a complaint with the Hellenic Data Protection Authority (HDPA) through the following means: Online: HDPA Complaint Form, Email: complaints@dpa.gr, Postal Address: 1-3 Kifisias Avenue, 115 23 Athens, Greece, In-Person: At the HDPA offices (1st floor) between 09:00 and 13:00.
Contacting the OSETH DPO
The Data Protection Officer (DPO) for OSETH is COMPUTER STUDIO SYSTEMS INFORMATICS AND IT SERVICES S.A., located at 223 Vouliagmenis Avenue, Dafni, Attica, Postal Code 17237. You can always reach the DPO at dpo@oseth.com.gr.