Personal Data Protection Policy

Πsecurity and data protection policy of the Municipality of Lefkada

The protection of personal data is a key concern of the Municipality of Lefkada. In the context of the General Data Protection Regulation (EU) 2016/679 (GDPR), which entered into force on 25/05/2018, as amended and in force until today, this document provides useful information on the processing of personal data and the rights of the data subjects of the processing, in accordance with Article 13 of the above Regulation.

According to the above Regulation, Article 4 states that the following definitions shall apply:

«data personal nature»any information relating to an identified or identifiable natural person («data subject»); an identifiable natural person is one whose identity can be established, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person, while
«processing»: any operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

The protection concerns all personal data that have come or will come to the knowledge of the services of the Municipality of Lefkada and the Municipality's legal entities, in the context of its legal operation and its cooperation with citizens and public or private sector entities.

The Data Security and Protection Policy defines the commitment of the Municipal Authority and the overall approach of the Municipality and its NPAs regarding the security of information systems and networks and the protection of personal data.

The Personal Data Security and Protection Policy has universal validity and applies to all types of processing of all types of personal data held by the Municipality of Lefkada and the NPOs, regardless of the way the data is collected.

Personal data is used only under the following conditions and must not be used for purposes other than those for which it was originally collected. The use of the collected data for other purposes is only permitted if the conditions of acceptable use are met.

Personal data may be used if one or more of the following conditions are met:

Current legislation clearly allows the collection and processing of personal data for this purpose.
processing is necessary for compliance with a legal obligation of the controller;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
the data subject has consented to the processing of his or her personal data for one or more specific purposes;
It is necessary to use the data in this way in order for the Municipality and/or the NPAs to fulfil its contractual obligations towards the data subject.
It is necessary to use the data to safeguard the vital interests of the data subject.

The Municipality of Lefkada and its NPAs take special care for the protection of special categories of personal data of citizens / citizens / staff.

In this context, the processing of personal data that they disclose is prohibited:

the racial or ethnic origin of the data subject
the political opinions of the data subject
the data subject's religious or philosophical beliefs or trade union membership;
genetic and biometric data of the data subject ,
data concerning the health of the data subject
data concerning the sexual life of a natural person or the sexual orientation of the data subject;

An exception to the above is the satisfaction of one or more of the conditions described in par. 2 of Article 9 of the General Data Protection Regulation. The adoption of measures for the pseudonymisation or encryption of personal data, in particular in the case of sensitive data, is also provided for.

The controller must always be able to demonstrate that the data subject has consented to the processing of his or her personal data. To this end:

The consent has been given explicitly, voluntarily and after informing the data subject, in such a way that the data subject is aware of the purpose of the consent.
Where the data subject's consent is given in the context of a written statement which also concerns other subjects, the request for consent shall be made in a way that is clearly distinguishable from the other subjects, in an intelligible and easily accessible form, using clear and simple wording.
The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on consent prior to its withdrawal.
In all calls / notices of individual Actions / Programmes implemented by the Municipality, a standardised template for the consent of the data subject is included.
In all data subjects' requests to the Municipality and/or its NDAs, a standard template for the data subject's consent and assent is included.

When receiving the personal data and where the data are collected from the data subject, the controller will voluntarily provide specific information to the data subjects, in full compliance with the requirements of Article 13 of the General Data Protection Regulation.

In this direction:

A standardised template of invitations / notices has been prepared and is used in all new actions / programmes / processes implemented by the Municipality and/or its NPAs, with the necessary information for the processing of citizens' personal data.
A personal data protection statement has been prepared and posted on the website of the Municipality of Lefkada

At the same time, the Municipality of Lefkada and its NPAs are obliged to respond within a specific period of time that may not exceed one (1) month (under certain conditions this period may be extended to three (3) months) and will provide clear and comprehensive responses to requests submitted by data subjects.

In this direction, the Municipality and the NPAs have developed, communicated among those directly involved and implement a specific procedure «Responding to requests from individuals» with the Data Protection Officer in charge.

In full alignment with Article 28 of the General Data Protection Regulation, the Municipality of Lefkada and its NPOs will use and outsource data processing only to those processors (external partners, suppliers, etc.) who can provide sufficient assurances that they meet the requirements of the Regulation.

In this direction, the Municipality and its NPAs have taken the following actions:

Have prepared and will include in each procurement notice/call for tender, where the subject matter relates to the processing of personal data, a relevant requirement/provision
They have drawn up model contracts with external partners/suppliers, with specific reference to their obligation to ensure confidentiality, secrecy and full compliance with the requirements of the General Data Protection Regulation.

Personal data shall only be transferred if the recipient of the data assumes responsibility for the data received or if the recipient uses the data exclusively in accordance with the instructions and requirements of the sender.

The transfer of personal data from the Municipality and/or its NPOs to parties based in a third country or an international organisation is subject to full compliance with the conditions expressly set out in Article 45 of the General Regulation for the Protection of Personal Data.

In this case, the controller shall take all appropriate measures to ensure that the data are transferred appropriately.

Data subjects have a number of rights, which may include the right to exercise

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, if so, the right of access to the personal data and to all the information set out in Article 15 of the General Data Protection Regulation.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Having regard to the purposes of the processing, the data subject shall have the right to require the completion of incomplete personal data, including by means of a supplementary declaration.

The data subject shall have the right to request the controller to erase personal data concerning him or her without undue delay and the controller shall be obliged to erase personal data without undue delay if one of the grounds referred to in Article 17 of the General Data Protection Regulation applies.

The data subject shall be entitled to obtain from the controller the restriction of the processing of data where one of the criteria mentioned in Article 18 of the General Data Protection Regulation is met.

The data subject shall have the right to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without objection from the controller to whom the personal data were provided, where one of the criteria referred to in Article 20 of the General Data Protection Regulation is met.

The data subject shall have the right to object, at any time and on grounds relating to his or her particular situation, to the processing of personal data concerning him or her, including profiling.

The controller shall no longer process personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for establishing, exercising or supporting legal claims.

The data subject has the right not to be subject to a decision taken solely on the basis of automated processing (unless the exceptions in Article 22 of the General Data Protection Regulation are met), including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar way.

The controller shall communicate any rectification or erasure of personal data or restriction of processing of data to each recipient to whom the personal data have been disclosed, unless this proves impracticable or involves a disproportionate effort. The controller shall inform the data subject about those recipients, if requested by the data subject.

Any request regarding personal data and the exercise of your rights must be addressed in writing to the Municipality of Heraklion and the Data Protection Officer (DPO).

Data Protection Officer for the Municipality of Lefkada:

Konstantinos Gogakis, MA Municipal Police Officer

Contact Details:

Address: Lefkada Administration Building, 311 00 Lefkada

Phone: 2645360603

e-mail: dpo@lefkada.gov.gr

You have the right to appeal to the Data Protection Authority on issues relating to the processing of your personal data. For the Authority's competence and how to lodge a complaint, you can visit its website (www.dpa.gr®CUSTOMERS®My rights under the GDPR®Submitting a complaint), where detailed information is available.

The above terms and any modification thereof are governed and supplemented by Greek law, the law of the European Union and the relevant international treaties. Any provision of the above terms that is contrary to the law, shall automatically cease to apply and shall be removed from the present, without in any way affecting the validity of the other terms.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.