Privacy Policy

INTRODUCTION
This Privacy Policy is a unified legal document that governs all processing of personal data by the Municipality of Katerini, covering all information systems and procedures involved. The tone and content are legal and clearly articulated to ensure ease of understanding and application. It avoids specialized technical terms or references that might hinder implementation or make it dependent on specific technologies.
The security policy is subject to regular reviews and may be modified when significant changes occur in any of the following: a) the organizational structure of the data controller, b) the information systems in use, c) security requirements, d) technological developments, e) the nature and/or method of data processing. The policy may also be updated following internal or external audits that reveal insufficient or ineffective security measures or after a data breach.
Though the policy is clear and concise, it is designed to be general enough to apply to future systems without requiring frequent revisions. The security policy is public and binding for all personnel handling personal data and complies with applicable legislation.
  1. PURPOSE
The purpose of this document is to define the obligations and policies of the Municipality of Katerini regarding the protection of data subjects’ privacy and to implement suitable measures to prevent data leaks. The Municipality commits to fulfilling the requirements of the General Data Protection Regulation (GDPR) and prioritizes the protection of personal data. It also aims to create a secure processing environment and foster a data protection culture, allocating all necessary resources.  
  2. SCOPE
This policy applies to the processing of personal data in both physical and digital formats, collected by any means by the Municipality for the fulfillment of its legitimate interests.  
  3. RESPONSIBILITIES
The Municipality’s management and Data Processors, under the supervision of the Data Protection Officer (DPO), are responsible for implementing this policy.  
  4. PRINCIPLES OF PROCESSING
The Municipality ensures compliance with the fundamental principles of the GDPR in both current processing and the introduction of new systems. These principles include:
  – Lawfulness, fairness, and transparency
  – Purpose limitation
  – Data minimization
  – Accuracy
  – Storage limitation
  – Integrity and confidentiality
  – Accountability
  5. DATA SUBJECT RIGHTS
Data subjects’ rights are supported by appropriate procedures that allow timely action in accordance with GDPR. These rights include:
  • Right to information
  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right to object to profiling
To exercise any of the above rights, you may contact the Municipality’s Registry or email: gkantaras@uth.gr. You may also lodge a complaint with the Hellenic Data Protection Authority (1-3 Kifisias Ave., 115 23 Athens, Tel. +30 210 6475600, Email: contact@dpa.gr).
  6. LAWFULNESS OF PROCESSING
The Municipality must determine and document the lawful basis for each processing activity (sensitive or not), referring to Articles 6 and 9 of the GDPR. These legal bases are recorded in the Records of Processing Activities maintained by the Data Controller and Data Processors.  
  7. PRIVACY BY DESIGN
The Municipality adopts the principle of privacy by design, ensuring that any new or significantly modified system that processes personal data undergoes a privacy assessment. When processing activities pose high risks to individuals’ rights and freedoms, a Data Protection Impact Assessment (DPIA) is conducted. Techniques like data minimization, pseudonymization, anonymization, and encryption are applied when appropriate.  
  8. COOKIE POLICY
8.1. What are cookies?
Cookies are small text files stored in a user’s browser when visiting a website. They may contain data such as visited pages, visit time and date, and a unique identifier. They help enhance the user experience by remembering preferences and enabling a cohesive browsing session.
8.2. What cookies do we use?
We use cookies for session management, customized web content, and analytics. Cookies may also help tailor ads to your interests. The main categories of cookies used include:
  • Strictly Necessary Cookies: Essential for basic site functionality. They cannot be disabled.
  • Functional Cookies: Remember user preferences and provide enhanced features.
  • Performance / Analytics Cookies: Collect anonymized data on site usage to improve functionality.
  • Personalization Cookies: Provide content tailored to your interests and previous interactions.
  • Targeting / Advertising Cookies: Deliver personalized ads and limit ad repetition.
  • Third-Party Cookies: Set by external services (e.g., social media, advertising platforms).
You may adjust your browser settings to reject some or all cookies, except those that are strictly necessary.
8.3. How can you control cookies?
You can withdraw or modify your consent and delete cookies at any time using your browser settings.
8.5. Where can you find more information?
For data protection information and your rights, refer to the Privacy Policy. For general cookie use:
  • https://cookiepedia.co.uk/all-about-cookies
  • https://www.allaboutcookies.org/
8.7. Changes to the Cookie Policy
This Cookie Policy may change at any time. Please check regularly for updates. The current version is effective as of August 23, 2024.
8.8. How to disable cookies
Visit the following pages based on your browser to manage cookie settings:
  • Internet Explorer: http://support.microsoft.com/kb/278835
  • Firefox: http://support.mozilla.org/en-US/kb/delete-cookies
  • Chrome: http://support.google.com/accounts/answer/61416
  • Opera: http://www.opera.com/browser/tutorials/security/privacy/
  • Safari: http://support.apple.com/kb/PH5042
  • Safari (iOS): http://support.apple.com/kb/HT1677
  9. TECHNICAL SECURITY MEASURES
The Municipality implements technical security measures, including:
  • Strong passwords with regular updates
  • Updated operating systems
  • Avoidance of unauthorized software
  • Antivirus and firewall protection
  • USB and external media control
  • Regular backups
  • Encryption of local and external storage
  • Limited user privileges
  • Secure email practices
  • Auto-locking screens after inactivity
  10. CONTRACTS INVOLVING PERSONAL DATA PROCESSING
The Municipality ensures that all partnerships involving the processing of personal data (of citizens, employees, or third-party associates/suppliers) are governed by formal contracts that include all mandatory information and terms required by the GDPR and applicable legislation. Each municipal employee must sign a Code of Conduct and Confidentiality Agreement and is legally bound to process personal data with discretion.
Each data processor signs a Confidentiality Agreement, supplementary to a private agreement under Article 28 of the GDPR, which includes:
  – Scope and duration
  – Purpose of processing
  – Documentation of the forms and extent of processing
  – Prior authorization for sub-processors
  – Provision of proof of compliance with the GDPR
  – Obligation to report any data breach without delay
When employees, partners, or third parties no longer have authorized access to systems or resources (e.g. upon contract termination or role change), their access rights are revoked, and a reassessment of permissions is conducted as needed.
  11. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
When personal data is transferred outside the European Union, such transfers are carefully assessed to ensure they fall within GDPR-compliant safeguards. This includes verifying whether the European Commission recognizes the recipient country as providing adequate protection. Such transfers are only made under legally binding agreements (e.g. Binding Corporate Rules), ensuring enforceable data subject rights.  
  12. DATA PROTECTION OFFICER (DPO)
The appointed Data Protection Officer is Yiannis Gkantaras, who can be contacted for any clarification at: +30 699 446 49919, gkantaras@uth.gr  
  13. REGULAR INTERNAL AUDITS
Periodic audits are conducted to verify proper application of the security policy and to evaluate the effectiveness of implemented security measures. The Municipality also performs Data Protection Impact Assessments (DPIAs), estimating the risk and potential consequences of data breaches. Based on these assessments, appropriate organizational measures are taken to mitigate risk.  
  14. PERSONAL DATA BREACH NOTIFICATION
The Municipality’s policy ensures that any significant data breach is reported to the supervisory authority within 72 hours of becoming aware of the incident, unless it can be demonstrated that the breach is unlikely to result in a risk to the rights and freedoms of individuals (accountability principle). This process is outlined in the Municipality’s Security, Disaster Recovery, and Data Recovery Plan, which is a separate document detailing incident response procedures.  
  15. GDPR COMPLIANCE MEASURES
To ensure ongoing GDPR compliance and accountability, the Municipality has implemented the following:
  – Clearly documented lawful bases for all data processing activities
  – Mandatory legal commitment by all staff and external collaborators to data protection obligations
  – Ongoing training for all personnel on data protection
  – Proper consent collection and management for processing of special categories of data
  – Established communication channels for data subjects to exercise their rights
  – Regular review of data protection procedures
  – Privacy by design in all new systems and processes
  – Full documentation of processing activities, including:
      • Purpose and type of data processed
      • Data subject categories
      • Data recipient categories
      • Cross-border data transfer mechanisms
      • Retention schedules
      • Technical and organizational security controls
  – Regular DPIAs to minimize risk
  – Implementation of all reasonable and appropriate technical and organizational measures to ensure data confidentiality, legal compliance, and protection of individual rights.
  16. SANCTIONS
Any employee, partner, or collaborator who violates this policy may face disciplinary action, including contract termination. The Municipality maintains separate data protection policies tailored for each stakeholder group (e.g., customers, employees, suppliers) and for specific types of processing (e.g., special categories of data). These policies are communicated to the relevant parties. If you haven’t received or would like more detailed information, you may submit a request to: gkantaras@uth.gr (Please include your full name, role, contact information, and specific request).