Pursuant to the application of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Hellenic American Union (22 Massalias Street, 10680 Athens) (the “HAU”) would like to inform you of the following:
1. What data is processed by the HAU belonging to which natural persons: The HAU, acting as data controller, processes personal data of adults who register with the “Orfeas” system of the HAU, in their capacity as examiners or co-ordinators or supervisors of the examination centres, where the language competence examination conducted by the HAU take place (“data subjects”). Data processed by the HAU, nay include (a) personal information (e.g. full name, father’s name, mother’s name, date of birth, marital status, phone number (home/ mobile), e-mail address, home address, ID number, date of issuance and the issuing authority or passport number and date of its issuance/ expiration, social security number etc.); (b) employment information (e.g. occupation, start and end dates of employment and other information that may form part of w uploaded CV); and (c) financial data relating to the payment of any amount due to the HAU, such as bank card information, bank account numbers, billing and payment data. The disclosure of the data specified above is a legal or contractual obligation of the data subject or a requirement to conclude a contract. Where the data subject does not provide the above data or part thereof, he or she will not be able to register with the “Orfeas” system of the HAU and enter into the relevant contract with the HAU.
2. Source of data: The source of the data is the data subject himself/ herself disclosing his/ her data to the HAU as part of his/ her registration with the “Orfeas” system of the HAU.
3. Purpose and legal basis of processing data: The HAU processes data subjects’ personal data, as the case may be, for the following purposes: (a) to provide services and in general manage the contractual relationship between the HAU and the data subjects in the context of conducting language competence examinations or/ and to inform the data subjects about the date, the place, the time and manner of conducting the language competence examinations (according to the information and guidelines provided by the examination bodies). For such data processing, the legal basis is the performance of the relevant contract that HAU has signed and compliance with a legal obligation that it has HAU. In particular, in order for the HAU to be able to communicate with you for any future co-operation etc., the legal basis for such processing shall be your consent. (b) To safeguard the interests of the HAU. For such data processing, the legal basis is that processing is necessary for the purposes of the legitimate interests pursued by the HAU which override the interest, fundamental rights and freedoms of the data subject which require the protection of personal data (e.g., for the establishment, exercise or support of legal claims). (c) To send marketing material via electronic mail. It should be noted that the HAU is entitled to use the data subjects’ electronic mail contact details, lawfully obtained in the context of the provision of its services or any other transaction, for the direct promotion of similar services or for the furtherance of similar purposes, even where data subjects have not given their prior consent, provided that they are given, when contact details are collected, as well with every message, a clear and transparent option to object, easily and free of charge, to the collection and use of their electronic data. For such processing of data, the legal basis is that processing is necessary for the purposes of the legitimate interests pursued by the HAU (i.e., the legitimate interests relating to the promotion of its services), which override the interest, fundamental rights and freedoms of the data subject which require the protection of personal data.
4. Recipients of data: As the case may be and depending on the purpose of processing, personal data may be transmitted to the authorized employees in each department of the HAU, to companies associated with the HAU with which the HAU has executed a contract and which process the data on its behalf (e.g., IT companies, IT service providers, etc.), within their competencies and subject to the obligation of confidentiality, secrecy and compliance with the data protection legislation. In addition, the HAU in the context of the data processing purpose mentioned in clause 3 (a) above and depending on the type of the language competence examination, may transmit data subjects’ personal data to examination bodies. In particular, in respect of personal data transfers outside the European Economic Area and where the examination body of the language competence examinations is: (a) the Cambridge Assessment English, personal data are being transmitted to the Cambridge Assessment English established in the UK (The Triangle Building, Shaftesbury Road, Cambridge, United Kingdom, CB2 8EA), (b) the Hellenic American University, personal data are being transmitted to the Hellenic American University established in the USA (436 Amherst Str., Nashua, NH 03063); and (c) the Cambridge Michigan Language Assessment LLC (CaMLA), personal data are being transmitted to the Cambridge Michigan Language Assessment LLC (CaMLA) established in the USA 535 West William Str., Suite 310, Ann Arbor, Michigan 48103-4978). For the purpose of transferring data to the USA, the HAU has concluded with the above examination bodies standard contractual clauses for the protection of the personal data, which have been adopted by the European Commission and are considered to provide sufficient guarantees for the lawfulness of the data processing. If a data subject wishes to receive a copy of the standard contractual clauses that have been put in place, he/ she may contact the Data Protection Officer of the HAU using the contact information mentioned in the term 6 below.
Finally, the HAU may transmit personal data to third parties where so required by law or for the purposes of, or in connection with legal proceedings in which it participates, or otherwise for the purposes of supporting, exercising or defending its rights, or to third parties that are law enforcement authorities and have submitted a lawful transmission request, or where it considers that transmission is necessary in connection with any investigation into the suspicion or existence of any illegal activity.
5. Data retention time: The above data will be retained for a period time as required or allowed by the legislation/regulatory framework in force each time, taking into account the applicable prescription period, which may extend to up to 20 years. Specifically: (a) where processing is carried out under a relevant contract, the personal data shall be stored for as long as necessary for the performance of the contract and for the establishment, exercise and/or support of any legal claims of the HAU arising from that contract; and (b) where the processing is imposed as an obligation by provisions stemming from the applicable legal framework, personal data shall be stored for as long as the relevant provisions so require.
6. Data subjects’ rights: The data subject shall have the following rights under the GDPR: (a) to receive a copy of the personal data held by the HAU, together with other information on how data is processed; (b) to request that personal data concerning him or her be rectified and, under conditions, to request the deletion or restriction of processing, or to object to the processing of personal data; (c) to receive a copy or to request the transmission of a copy of his or her personal data to a third party in a structured, commonly used and machine-readable format (right to data portability). Where the processing of data is based on his or her consent, the data subject shall have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. If the data subject wishes to receive further information about the processing of his or her personal data or to exercise any of his or her above rights, he or she must email the HAU Data Protection Officer exclusively at: privacy@hau.gr, or send a letter to the mailing address mentioned above. Finally, the data subject has the right to file a complaint with the competent supervisory authority about how the HAU handles his or her data (www.dpa.gr).
Download the notification in .pdf format