Privacy Policy

1. Data Controller

1.1. The data controller of personal data for all processing carried out by the services of the Internal Service Organization of the Municipality is the Municipality of Almyros, a legal entity of public law (local government organization), as legally represented (within the meaning of Article 4(7) of the General Data Protection Regulation). The Municipality of Almyros determines the purposes and means of the data processing carried out by the aforementioned services.
1.2. Employees, under any type of employment relationship, in the aforementioned services who process personal data are “persons acting under the authority of the data controller” (according to the definition of Article 29 of the GDPR).
1.3. Other natural or legal persons who process personal data on behalf of the data controller are “processors” (within the meaning of Article 4(8) of the GDPR).

2. Data Protection Officer

2.1. The DPO’s duties are:

  1. Informing and advising the data controller or the processor and the employees processing data on their obligations arising from the GDPR and other provisions regarding data protection,
  2. Monitoring compliance with the GDPR, other provisions regarding data protection, and the policies of the data controller or processor regarding the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of employees involved in processing activities, and related audits,
  3. Providing advice, when requested, regarding data protection impact assessments and monitoring their implementation according to Article 35 GDPR,
  4. Cooperating with the Data Protection Authority,
  5. Acting as a contact point for the Data Protection Authority on issues related to processing, including prior consultation referred to in Article 36 GDPR, and conducting consultations, as appropriate, on any other matter.

3. Lawfulness of Data Processing by the Municipality

3.1. The processing of personal data by the Municipality is permitted only where one of the legal bases provided for in Article 6(1) GDPR applies, namely in the following cases.
3.2. Processing is permitted if necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR).
3.3. Processing is permitted if necessary for compliance with a legal obligation to which the Municipality is subject. Primarily, the Municipality processes only the data it is obliged to process in order to exercise the powers conferred on it by law (Article 6(1)(c) GDPR). All powers already conferred on the Municipality by law continue to be exercised, the legal basis for the related data processing being the provision that confers them.
3.4. Processing is permitted if necessary to protect the vital interests of the data subject or of another natural person (Article 6(1)(d) GDPR).
3.5. Processing is permitted if necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Municipality (Article 6(1)(e) GDPR).
3.6. In principle, the Municipality does not process personal data on the basis of the data subject’s “consent”, and citizens are not regarded as giving such consent to the Municipality. Citizens who provide their data in order to exercise rights or receive services from the Municipality do so not on the basis of consent, but within the framework of the Municipality’s obligation to exercise its powers, after having been informed. However, where a municipal service is offered to the citizen as an “added-value service”, meaning that the citizen can obtain the service in its conventional form without consent or even without providing personal data, and the added value lies in the possibility of electronic activation or monitoring, processing of personal data for that added-value service is permitted on the basis of “consent” (Article 6(1)(a) GDPR).
3.7. The Municipality does not rely on “legitimate interest” as a legal basis (Article 6(1)(f) GDPR); under the second subparagraph of Article 6(1) GDPR that basis is not available to public authorities for processing carried out in the performance of their tasks.

4. Transparency and Information

4.1. With the publication of this Municipality of Almyros Data Protection Policy, data subjects are informed of the terms under which the Municipality processes their personal data (Article 12 GDPR).
4.2. In cases where the Municipality collects data directly from the data subject, e.g., when the subject submits an application or provides their information to access a municipal service or exercise a related right, the municipal service provides the following information to the data subject, clearly indicated on the application form or electronic communication:

  1. The identity and contact details of the data controller and, where applicable, their representative,
  2. the contact details of the data protection officer, if applicable,
  3. the purposes of processing for which the personal data are intended, as well as the legal basis for processing,
  4. the recipients or categories of recipients of personal data, if any,
  5. where applicable, the intention of the data controller to transfer personal data to a third country or international organization and the existence or absence of a Commission adequacy decision or, where transfers are referred to in Articles 46, 47, or 49(1) second subparagraph, reference to appropriate or suitable safeguards and how to obtain a copy or where they have been made available,
  6. the period for which personal data will be stored or, if not possible, the criteria used to determine that period,
  7. the existence of the right to request from the data controller access, rectification, or erasure of personal data or restriction of processing concerning the data subject, as well as the right to object to processing, and the right to data portability,
  8. where processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal,
  9. the right to lodge a complaint with the Data Protection Authority,
  10. whether the provision of personal data is a statutory or contractual requirement or obligation for the conclusion of a contract, and whether the data subject is obliged to provide personal data and any possible consequences of failing to provide such data,
  11. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in such cases, significant information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

4.3. In cases where the Municipality collects data from sources other than the data subject, it provides the following information to the data subject, unless collection is explicitly provided for by law, in which case the Municipality is not obliged to inform the subject:

  1. The identity and contact details of the data controller and, where applicable, their representative,
  2. the contact details of the data protection officer, if applicable,
  3. the purposes of processing for which the personal data are intended, as well as the legal basis for processing,
  4. the relevant categories of personal data,
  5. the recipients or categories of recipients of personal data, if any,
  6. where applicable, that the data controller intends to transfer personal data to a recipient in a third country or international organization and the existence or absence of a Commission adequacy decision or, where transfers are referred to in Articles 46, 47, or 49(1) second subparagraph, reference to appropriate or suitable safeguards and how to obtain a copy or where they have been made available,
  7. the period for which personal data will be stored or, if not possible, the criteria used to determine that period,
  8. the existence of the right to request from the data controller access, rectification, or erasure of personal data or restriction of processing concerning the data subject, as well as the right to object to processing, and the right to data portability,
  9. where processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal,
  10. the right to lodge a complaint with the Data Protection Authority,
  11. the source from which the personal data originate and, if applicable, whether the data came from publicly accessible sources,
  12. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in such cases, significant information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

4.4. The Municipality provides the information requested under these rights to the data subject within one month of receiving the request. That period may be extended by a further two months where necessary, taking into account the complexity and number of the requests. The Municipality informs the data subject of any such extension, and of the reasons for the delay, within one month of receiving the request. If the data subject submits the request electronically, the information is provided electronically.

5. Right of Access

5.1. The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed and, if so, the right to access the personal data and the following information:
a) The purposes of processing,
b) the relevant categories of personal data,
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly recipients in third countries or international organizations,
d) if possible, the period for which personal data will be stored or, if not possible, the criteria used to determine that period,
e) the existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing concerning the data subject, as well as the right to object to processing,
f) the right to lodge a complaint with a supervisory authority,
g) where personal data is not collected from the data subject, any available information as to its source,
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in such cases, significant information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
5.2. When personal data is transferred to a third country or international organization, the data subject has the right to be informed of the appropriate safeguards under Article 46 regarding the transfer.
5.3. The data controller provides a copy of the personal data undergoing processing. For additional copies requested by the data subject, the data controller may charge a reasonable fee for administrative costs. If the request is submitted electronically and unless the data subject requests otherwise, the information is provided in a commonly used electronic format.
5.4. The right to receive a copy referred to in paragraph 5.3 does not adversely affect the rights and freedoms of others.

6. Right to Rectification

The data subject has the right to require the data controller to rectify inaccurate personal data concerning them without undue delay. Considering the purposes of processing, the data subject has the right to require the completion of incomplete personal data, including by means of a supplementary statement.

7. Right to Erasure (“Right to be Forgotten”)

7.1. The data subject has the right to request the data controller to erase personal data concerning them without undue delay, and the data controller is obliged to erase personal data without undue delay if one of the following reasons applies:

  • Personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
  • The data subject withdraws consent on which the processing is based and there is no other legal basis for the processing,
  • The data subject objects to the processing pursuant to Article 21(1) GDPR (processing for the performance of a task carried out in the public interest or in the exercise of official authority) and there are no compelling legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR (direct marketing of products or services),
  • Personal data have been unlawfully processed,
  • Personal data must be erased in order to comply with a legal obligation under Union law or the law of a Member State to which the data controller is subject,
  • Personal data have been collected in relation to the offer of information society services with consent from a child.
7.2. Where the data controller has made the personal data public and is obliged pursuant to paragraph 7.1 to erase them, the data controller, taking account of available technology and the cost of implementation, takes reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested the erasure of any links to, copies of, or replications of those personal data.
7.3. Paragraphs 7.1 and 7.2 shall not apply to the extent that processing is necessary:

  1. For exercising the right of freedom of expression and information,
  2. To comply with a legal obligation which requires processing under Union law or the law of a Member State to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
  3. For reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) GDPR,
  4. For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89(1) GDPR, insofar as the right referred to in paragraph 7.1 is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
  5. For the establishment, exercise, or defense of legal claims.

8. Right to Restriction of Processing

8.1. The data subject has the right to obtain from the data controller restriction of processing when one of the following applies:

  1. The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
  2. Processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
  3. The controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims,
  4. The data subject has objected to processing pursuant to Article 21(1) GDPR, pending the verification of whether the legitimate grounds of the controller override those of the data subject.

8.2. Where processing has been restricted pursuant to paragraph 8.1, such personal data, apart from storage, shall only be processed with the data subject’s consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
8.3. The data subject who has obtained restriction of processing pursuant to paragraph 8.1 shall be informed by the controller before the restriction of processing is lifted.

9. Right to Data Portability

9.1. The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format, as well as the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, when:

  1. Processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, or on a contract pursuant to Article 6(1)(b) GDPR, and
  2. Processing is carried out by automated means.

9.2. When exercising the right to data portability pursuant to paragraph 9.1, the data subject has the right to request the direct transmission of the personal data from one controller to another, where technically feasible.
9.3. The exercise of the right referred to in paragraph 9.1 is without prejudice to Article 17 GDPR (right to erasure). This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
9.4. The right referred to in paragraph 9.1 shall not adversely affect the rights and freedoms of others.

10. Right to Object

10.1. The data subject has the right to object, at any time and on grounds relating to their particular situation, to the processing of personal data concerning them which is based on Article 6(1)(e) GDPR, including profiling based on that provision. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
10.2. Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing.
10.3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
10.4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 10.1 and 10.2 shall be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
10.5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise their right to object by automated means using technical specifications.
10.6. Where personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) GDPR, the data subject has the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

11. Automated Decision-Making

11.1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
11.2. Paragraph 11.1 shall not apply if the decision:

  1. Is necessary for entering into, or the performance of, a contract between the data subject and the data controller,
  2. Is authorized by Union law or the law of a Member State to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests, or
  3. Is based on the explicit consent of the data subject.

11.3. In the cases referred to in points 1 and 3 of paragraph 11.2, the data controller shall implement suitable measures to safeguard the rights, freedoms, and legitimate interests of the data subject, at least the right to obtain human intervention on the part of the controller, to express their point of view, and to contest the decision.
11.4. The decisions referred to in paragraph 11.2 shall not be based on the special categories of personal data referred to in Article 9(1) GDPR, unless Article 9(2)(a) or (g) GDPR applies and suitable measures to safeguard the rights, freedoms, and legitimate interests of the data subject are in place.

12. Records of Processing Activities

12.1. The Municipality of Almyros maintains a “Record of Processing Activities.” This record documents each specific processing activity, under the terms of Article 30 of the GDPR. The “Record of Processing Activities” is kept at the IT Department.
12.2. When a municipal service intends to initiate a new processing of personal data, on any legal basis, it is obliged to ensure that the “Record of Processing Activities” is updated accordingly. Specifically, it is required to submit a document including the following information:

  1. The name and contact details of the service and, where applicable, of the joint controller, the controller’s representative, and the data protection officer,
  2. The purposes of the processing,
  3. A description of the categories of data subjects and of the categories of personal data,
  4. The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations,
  5. Where applicable, the transfers of personal data to a third country or international organization, including the identification of that third country or international organization and, in the case of transfers referred to in Article 49(1) second subparagraph GDPR, the documentation of suitable safeguards,
  6. Where possible, the envisaged time limits for erasure of the different categories of data,
  7. Where possible, a general description of the technical and organizational security measures referred to in Article 32(1) GDPR.

13. Notification of Personal Data Breach to the Data Protection Authority

13.1. A “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed (Article 4(12) GDPR). In the event of a personal data breach, the controller shall notify the Personal Data Protection Authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the Authority is not made within 72 hours, it shall be accompanied by the reasons for the delay. Any person employed by the Municipality who detects such a breach must immediately report it to the IT Department. The IT Department is responsible for notifying the breach to the Authority.
13.2. The processor shall inform the controller without undue delay after becoming aware of a personal data breach.
13.3. The notification referred to in paragraph 13.1 shall at a minimum:

  1. Describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,
  2. Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained,
  3. Describe the likely consequences of the personal data breach,
  4. Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

13.4. Where, and insofar as, it is not possible to provide the information at the same time, it may be provided in phases without undue further delay.
13.5. The controller shall document every personal data breach, comprising the facts relating to the breach, its effects, and the remedial action taken. This documentation enables the Personal Data Protection Authority to verify compliance with this article.
13.6. This article is applied taking into account the “Guidelines on Personal Data Breach Notification under Regulation 2016/679” of the Article 29 Working Party (adopted 3.10.2017, as last revised and adopted 6.2.2018).

14. Notification of Personal Data Breach to the Data Subject

14.1. Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
14.2. The communication to the data subject referred to in paragraph 14.1 shall describe in clear and plain language the nature of the personal data breach and shall contain at least the information and measures referred to in paragraph 13.3, points 2, 3, and 4 (Article 33(3)(b), (c), and (d) GDPR).
14.3. The communication to the data subject referred to in paragraph 14.1 is not required if any of the following conditions is met:

  1. The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person not authorized to access them, such as encryption,
  2. The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize,
  3. The communication would involve disproportionate effort. In such a case, a public communication or similar measure is made whereby the data subjects are informed in an equally effective manner.

14.4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority may, having considered the likelihood of the breach resulting in a high risk, require it to do so, or may decide that any of the conditions referred to in paragraph 14.3 are met.
14.5. This article is applied taking into account the “Guidelines on Personal Data Breach Notification under Regulation 2016/679” of the Article 29 Working Party (adopted 3.10.2017, as last revised and adopted 6.2.2018).

15. Data Protection Impact Assessment

15.1. When a type of personal data processing is to be implemented for the first time, in particular using new technologies (e.g., software, camera operation), and, taking into account the nature, scope, context, and purposes of the processing, it is likely to result in a high risk to the rights and freedoms of natural persons, the municipal service concerned shall inform the IT Department. The Municipality shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
15.2. The Municipality shall seek the advice of the Data Protection Officer when carrying out a data protection impact assessment.
15.3. The data protection impact assessment referred to in paragraph 15.1 is in particular required in the following cases:

  1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person,
  2. Processing on a large scale of special categories of data referred to in Article 9(1) GDPR, or of personal data relating to criminal convictions and offenses referred to in Article 10 GDPR, or
  3. A systematic monitoring of a publicly accessible area on a large scale.

15.4. The assessment shall contain at least:

  1. A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller,
  2. An assessment of the necessity and proportionality of the processing operations in relation to the purposes,
  3. An assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 15.1, and
  4. The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.

15.5. The Municipality shall consult the Personal Data Protection Authority prior to processing where the data protection impact assessment referred to in this article and in Article 35 GDPR indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk (Article 36 GDPR).

16. Data Security

16.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Municipality shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:
a) The pseudonymization and encryption of personal data,
b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services,
c) The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident,
d) A process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.
16.2. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, especially from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
16.3. The Municipality shall take steps to ensure that any natural person acting under its authority who has access to personal data does not process them except on instructions from the controller, unless required to do so by Union or Member State law. In particular, such measures shall ensure that, by default, personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.