Personal Data
The Municipality of Patras, committed to safeguarding your personal and sensitive personal data, has implemented all necessary technical and organizational measures as defined by the General Data Protection Regulation (EU) 2016/679. The protection of your privacy and the preservation of the confidentiality of your information and data constitute our fundamental priority.
This policy sets forth the legal framework under which your data is collected and processed, the types of data we collect and process, the procedure and purpose of their collection, their retention period, as well as the reasons for their disclosure to third-party partners if required. Additionally, all your rights are disclosed and analyzed, along with the actions you may take to exercise them.
This informational document provides every person who receives or is interested in receiving services from the Municipality with concise, accurate, and transparent information regarding the practices followed for the management and protection of personal data.
The Municipality reserves the right to modify and adjust this Policy whenever deemed necessary, with any changes taking effect upon their public display on the website www.e-patras.gr and at the reception points of our facilities.
The Municipality has appointed a Data Protection Officer (DPO), whom you may contact directly for any related matter by telephone at 2613610200 and by email at dpo@patras.gr.
Introduction
Personal Data
Personal data is any information relating to an identified or identifiable natural person (e.g., name, identity number, address, etc.) (“Data Subject”). Data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, health data, sex life, sexual orientation, etc., for the purposes of this document are included in the general term “personal data,” but constitute a special category of data, which will hereinafter be referred to as “sensitive personal data.”
Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data Controller
Data Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union law or Member State law, the controller or the specific criteria for its nomination may be provided for by Union law or Member State law.
Data Processor
Data Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Data Protection Officer (DPO)
The Data Protection Officer (DPO) independently oversees the strategy and compliance of the data controller and data processor with the provisions of the EU GDPR 2016/679 and mediates between various stakeholders (e.g., supervisory authorities, data subjects). Their role is advisory (not decision-making) and they bear no personal liability for non-compliance with the Regulation.
Legal Framework for Personal Data Protection
At the Municipality, we collect and process your personal data in accordance with this personal data protection notice and
- in compliance with EU Regulation 2016/679,
- the applicable Greek legislation on data protection,
- the current legislative framework governing the provision of services offered by the Municipality,
- as well as the consents we obtain (in cases where there is no legal basis for processing).
This notice provides you with the necessary information regarding your rights and obligations and explains how, why, and when we collect and process your personal data.
Personal Data We Collect
During your visit and for the provision of services by the Municipality, various personal data and sensitive personal data are collected:
- In electronic form.
- In paper form.
- In a combination of the above.
in order to provide you with our services. This information will henceforth constitute part of the Municipality’s records and will be retained for the period specified by applicable legislation, depending on the category of data/documents to which they belong.
Our Municipality’s personnel will access your personal data as necessary for the performance of their duties; however, this access will be limited in scope and extent according to their responsibilities. All Municipality staff are bound through their employment contracts by confidentiality, trust, and privacy clauses regarding information they become aware of, while all employees adhere to the Civil Service Code of Conduct, which aims to protect information confidentiality. Due to the importance of privacy and the protection of your private life, we conduct strict regular audits to protect your data, as well as periodic regular training of our personnel on the proper observance of procedures as defined by applicable legislation.
The Municipality processes only your personal information required to fulfill its legal, regulatory, and contractual obligations and to provide you with its services. We will never collect unnecessary personal data from you and will not process your data in any manner beyond that stated in this notice. We take every possible and appropriate measure to ensure that data collection and processing include only what is absolutely necessary. We acquire, maintain, and process only data that is essential for the performance of our services to you and the fulfillment of our legal obligations, and we retain it only for as long as necessary.
Our systems, employees, procedures, and activities aim to limit the collection of personal information to the extent necessary and for achieving the specified purpose. Minimizing the processing of personal data allows us to control and reduce data protection risks and breaches and to support compliance procedures with applicable personal data protection laws and regulations.
Categories of Personal Data Collected
- Personal and Sensitive Data of Children/Minors
- Personal and Sensitive Data of Employees
- Personal and Sensitive Data of Partners/Suppliers/Contractors
- Personal and Sensitive Data of Municipal Residents/Citizens
Including but not limited to:
- Contact information: name/surname, marital status, home address, personal email, home telephone, mobile telephone, etc.
- Demographic and identity information: date of birth, identity card number, passport number, Tax Registration Number (AFM), Social Security Registration Number (AMKA), etc.
- Special Categories of Personal Data: racial or ethnic origin, medical information, religious beliefs, trade union membership, genetic data, citizenship, income information, etc.
- Photographic and Video material (following obtaining relevant consent).
- Video Surveillance material for public safety purposes
Method of Obtaining Personal Data
The personal data processed and stored by the Municipality may be obtained:
- Verbally, upon your arrival at the Municipality’s reception and service points.
- By completing the documents and applications necessary for handling your matters.
- Through the special form available on the Municipality’s website (www.e-patras.gr) which is received in email message format.
- From persons accompanying you or who have the legal right to act on your behalf (your personal representative) if you are under 16 years of age or are unable to provide this information yourself.
- Through the capture of Photographic and Video material.
- Through closed-circuit Video Surveillance.
Legal Basis for Processing
The Municipality, within the framework of its operation and for the fulfillment of its objective purpose (provision of services for the benefit of municipal residents and the public interest), receives and processes a multitude of personal and sensitive personal data based on the following legal bases.
- Article 6 / paragraph 1 / point (b) of the GDPR: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Article 6 / paragraph 1 / point (c) of the GDPR: processing is necessary for compliance with a legal obligation to which the controller is subject.
- Article 6 / paragraph 1 / point (e) of the GDPR: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The necessity for the performance of obligations and the exercise of specific rights of the controller or the data subject in the field of employment law and social security and social protection law.
- Article 9 / paragraph 2 / point (f) of the GDPR: processing is necessary for the establishment, exercise, or defense of legal claims or whenever the courts are acting in their judicial capacity.
- Article 9 / paragraph 2 / point (c) of the GDPR: processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
- the necessity of fulfilling archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR based on Union or Member State law, which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
- Consent, in cases where it is explicitly required for the processing of sensitive personal data where not covered by the aforementioned legal bases. It is emphasized that this is obtained through written consent. Please note that you may withdraw your consent by submitting a relevant request either to the protocol office or to dpo@patras.gr.
The purposes and reasons for processing your personal data are detailed below:
We collect and store your personal data and data falling within special categories for the provision of services to you based on the legal bases set forth in the previous section, and specifically for:
- Contractual agreement with you
- Data retention for historical reasons and for future need for documentation of the cooperation
- Our legitimate interest from the provision of services
- Data retention for the purpose of enabling the Municipality to respond to audits by supervisory authorities regarding the legality of procedures and payments
- The execution of rights and obligations arising from social security law
- The maintenance of employee records and their processing in accordance with labor legislation
- Your interest in receiving these services
- The fulfillment of a task carried out in the public interest
- The establishment, exercise, or defense of legal claims or when the courts are acting in their judicial capacity
- Compliance with a legal obligation
Additionally:
- We retain your special category data for as long as required by law.
We may share your information with third parties (outside the Municipality) only when required and:
- When an official court decision has been issued.
- When sharing information with the police may prevent a serious crime.
- When you give us explicit instruction and authorization to do so.
- When we must safeguard legitimate interests of the Municipality or third parties, such as the collection of our claims through third-party agents (e.g., Tax Office, appointed lawyers) or named complaints, etc.
- When it constitutes our legal obligation (e.g., Tax authorities, social security funds) after you have been informed.
- When a specific legitimate interest exists and is documented, following prior notification to you and after you have been given a reasonable deadline to submit any objections to the transfer.
- When the transfer is necessary to protect the vital interests of the data subject or other persons, where the data subject does not have the physical or legal capacity to provide their consent
Sharing and Disclosure of Your Personal Data
We do not share or disclose your personal data without your consent for any purpose other than those defined in this notice or where required by law. The Municipality uses selected partners (acting as “data processors” under the GDPR) for the provision of the following services and business functions; however, all processors acting on our behalf process your personal data in accordance with the instructions they receive from us and comply fully with this privacy notice, the principles of the General Data Protection Regulation (EU) 2016/679, and any other appropriate confidentiality and security measures. Specifically, all selected partners have fully accepted the confidentiality and trust clauses set by the Municipality regarding data processing. Indicative categories of processors with whom we may share your data are:
- External partners providing accounting support.
- Providers of IT systems and applications.
- External partners providing IT support.
- External audit partners (Internal Auditors, Certified Auditors, etc.).
- External Legal Advisors.
- Occupational Physician
- Safety Technician
- Public Entities (DIAVGEIA Transparency Portal, KIMDIS Central Registry for Public Contracts, e-governance platforms, etc.)
Protection Measures
At the Municipality, we take every reasonable technical and organizational measure and precaution for the protection and safeguarding of your personal data. We work to protect you and your data from unauthorized access, modification, disclosure, destruction, or any other processing, and have established the necessary levels of security measures such as: specific policies and procedures, role-based access management, strong password controls, network security controls, logical access perimeter security equipment and software (firewall), business continuity measures, incident/event management, encryption, continuous staff training on technical and organizational security measures.
How Long We Retain Your Data
At the Municipality, we retain personal data only for as long as necessary and have implemented strict policies and procedures for reviewing and retaining your data in order to meet our commitments. According to Greek legislation, the archives of Local Government Organizations are considered public archives. Therefore, their retention is determined by Presidential Decree 480/1985, “Clearance of the archives of Local Government Organizations and of their foundations, legal entities under public law and associations”. Under the Presidential Decree, archives are retained from two (2) years up to in perpetuity, depending on their usefulness and necessity. They are then reviewed by the General State Archives (G.A.K.) and are either destroyed or transferred to the G.A.K. repositories if they are designated as historical.
If you have consented to our use of your data for promotional activities and to inform you about events and other Municipality activities, we will retain this data until you notify us otherwise and/or withdraw your consent by sending a relevant request to the email address dpo@patras.gr.
Tax records are retained in accordance with tax legislation.
Cookies
Our website, as is standard with almost all websites, operates using electronic cookie technology.
Exercising Your Rights
Regarding your personal data, you have the right to exercise the following rights by submitting a relevant written request either in person or through a duly authorized representative to the Municipality, or by sending the request via post with a certified signature.
(a) Right to information and access: You have the right to be informed about and access all personal data held and processed by the Municipality concerning you, including the type of processing, the purposes of processing, the recipients or categories of recipients of your personal data, as well as the retention period.
(b) Right to rectification: If you believe that we hold any incomplete or inaccurate data about you, you have the right to request that such information be corrected and/or completed.
(c) Right to erasure: You have the right to request the deletion of your personal data strictly and only under the following circumstances:
- when your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
- when you withdraw your consent on which the processing was based, and there is no other legal ground for the processing
- when the deletion of your personal data is required by law, or the data was processed without the necessary legal basis.
(d) Right to restriction of processing in the following cases:
- when you contest the accuracy of your personal data and until the Municipality verifies their accuracy
- when, instead of erasure, you request the restriction of the processing of your personal data
- when the Municipality no longer needs your personal data for processing purposes, but you require them for the establishment, exercise or defence of legal claims.
(e) Right to data portability, meaning you have the right to request the transfer of your personal data to another organization, either within Greece or abroad, or to receive your data in a standardized electronic format on a portable storage medium (e.g. CD, DVD).
(f) Right to object to the processing of your personal data, unless there are compelling and legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims by the Municipality.
(g) Right to object to direct or indirect marketing activities conducted by us, and/or to any automated decision-making processes we may use.
The right to erasure does not apply when the processing or retention of data by the Municipality is mandatory and/or necessary under applicable law, as well as for the establishment, exercise, or defense of legal claims and rights, or for the fulfillment of its obligations.
To exercise any of the above rights, identification is required (via an official identification document or a lawfully signed authorization), in order to ensure that your personal data is protected and kept secure.
The Municipality will respond to your request free of charge, without undue delay and in any case within one month of receiving the request. In exceptional cases, this deadline may be extended by an additional two months, if necessary, taking into account the complexity of the request, the volume of material to be processed and/or the number of requests. The Municipality will inform you of any such extension within one month of receiving the request, as well as of the reasons for the delay.
If your request cannot be fulfilled, the Municipality will inform you without delay and no later than one month from the date of receipt, explaining the relevant reasons. You will also be informed of your right to lodge a complaint with the Hellenic Data Protection Authority (HDPA), as well as your right to seek judicial remedy before the competent courts.
Submission of Complaint / Report
The Municipality processes your personal data solely in accordance with this Privacy Statement and the relevant data protection laws. However, if you wish to lodge a complaint regarding the processing of your personal data, or if you are dissatisfied with the way we have handled your data, you have the right to submit a complaint either to the Municipality’s Data Protection Officer via email at: dpo@patras.gr, or in writing through the Municipality’s Secretariat. You also have the right to file a complaint with the Hellenic Data Protection Authority (HDPA) [1-3 Kifisias Avenue, GR-115 23 Athens, Tel: +30 210 6475600, Email: contact@dpa.gr] if you believe your rights regarding the protection of your personal data are being violated. Additionally, you have the right to seek judicial remedy before the competent courts.