Personal Data Protection

PERSONAL DATA PROTECTION POLICY

Data Controller:

SOS Children’s Villages Greece

sosathens@sos-villages.gr – 210 33 13 661

Data Protection Officer (DPO):

Maria Maniati

mariamaniati@sos–villages.gr – 210-33 13 661

Deputy Data Protection Officer:

Ms. Marianna Moschoviti

dataprotection@sos–villages.gr – 210-3238048

SOS Children’s Villages, in order to safeguard the personal and sensitive personal data they collect, have implemented all necessary technical and organizational measures as defined by the General Data Protection Regulation (EU) 2016/679 (GDPR). The protection of the privacy of data subjects and the confidentiality of your information and data constitute a fundamental priority for us.

This Policy analyzes the legal framework under which your data are collected and processed, the types of data we collect and process, the procedure and purpose of their collection, the retention period, as well as the reasons for disclosure to third cooperating parties, where required. In addition, all your rights and the actions you may take to exercise them are described.

This information notice provides every person who receives or is interested in receiving services from SOS Children’s Villages with concise, accurate, and transparent information regarding the practices followed for the management and protection of personal data.

SOS Children’s Villages reserve the right to amend and update this Policy whenever deemed necessary. Any changes enter into force upon their publication on the website http://www.sos-villages.gr
and at our offices’ secretariats.

A Data Protection Officer (DPO) has been appointed within our Organization. You may contact the DPO directly for any related matter at +30 210 331 3661 or via email at dataprotection@sos-villages.gr. dataprotection@sos–villages.gr

Introduction

• Personal Data

Personal data are any information relating to and describing an individual, such as identification details (full name, age, residence, profession, marital status, etc.), physical characteristics, education, employment (work history, professional conduct, etc.), financial status (income, assets, financial behavior), interests, activities, and habits. The individual (natural person) to whom the data relate is referred to as the “data subject.”

Sensitive personal data are those relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, social welfare, sexual life, criminal prosecutions and convictions, as well as participation in related associations.

Within the scope of their operations, SOS Children’s Villages collect and process a significant amount of sensitive personal data, such as racial or ethnic origin, religious beliefs, medical data, and others.

• Processing

Processing means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

• Data Controller

The Data Controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law.

• Processor

A Processor is the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

• Data Protection Officer (DPO)

The Data Protection Officer (DPO) independently oversees the strategy and compliance of the Data Controller and the Processor with the provisions of GDPR (EU) 2016/679 and acts as an intermediary between the various stakeholders (e.g. supervisory authorities, data subjects). The role of the DPO is advisory (not decision-making) and the DPO does not bear personal responsibility for non-compliance with the Regulation.

Legal Framework for Personal Data Protection

SOS Children’s Villages collect and process personal data in accordance with this Personal Data Protection Notice and

• in compliance with Regulation (EU) 2016/679 (GDPR),
• applicable Greek data protection legislation,
• decisions issued by judicial authorities,
• the applicable legal framework governing the provision of health services,
• the Code of Medical Ethics and Deontology,
• the consents we obtain.

This notice provides you with the necessary information regarding your rights and obligations and explains how, why, and when we collect and process your personal data.

Personal Data We Collect

Within the scope of their operations, SOS Children’s Villages collect as much personal data as possible regarding hosted minor children and their families, in order to provide the best possible care. Indicatively, the following categories of data are collected:

• Demographic data
• Medical history and other medical data
• Personal and family history

These data are collected:

• In electronic form
• In hard copy form
• Or in a combination of the above

The information forms part of the individual file and is retained for forty (40) years. This period may be extended where there is a legal obligation or legitimate interest.

The data contained in the individual file constitute sensitive personal data and are therefore confidential. They are processed by authorized staff exclusively for the provision of accommodation and care services and are not accessible to unauthorized personnel.

All SOS Children’s Villages staff are bound by confidentiality, secrecy, and non-disclosure clauses through their employment contracts and are subject to a Code of Ethics emphasizing the importance of confidentiality and data protection.

SOS Children’s Villages process only the personal information required to meet their legal, regulatory, and contractual obligations, as well as to provide services, in accordance with international standards and best practices. Unnecessary personal data are never collected, and data are not processed in any way other than as described in this notice. Every possible and appropriate measure is taken to ensure that data collection and processing are limited strictly to what is absolutely necessary. We collect, retain, and process only the data required to provide our services to you and to fulfil our legal obligations, and we retain them only for as long as necessary.

Our systems, employees, procedures, and activities aim to limit the collection of personal information to what is necessary and for the achievement of the defined purpose. Minimizing the processing of personal data allows us to control and reduce risks and data protection breaches, and to support compliance processes with applicable data protection laws and regulations.

Categories of Personal Data Collected

• Contact details: name/surname, home address, personal email, mobile phone, and contact details of relatives.
• Demographic and identification data: date of birth, ID number, passport number, tax ID number, social security number, etc.
• Special categories of personal data: medical health information, psychological profiling, medical history, etc.

Legal Basis for Processing

In the course of their operations and for the fulfilment of their mission, SOS Children’s Villages collect and process a range of personal and sensitive personal data, based on the following legal grounds.

• Article 6(1)(e) GDPR: processing necessary for the performance of a task carried out in the public interest.
• Article 6(1)(d) GDPR: processing necessary to protect the vital interests of the data subject or another natural person.
• Article 6(1)(b) GDPR: processing necessary for the performance of a contract.
• Article 9(2)(f) GDPR: processing necessary for the establishment, exercise, or defense of legal claims or when courts act in their judicial capacity.
• Consent, in cases where it is explicitly required for the processing of sensitive personal data and where such processing is not covered by the aforementioned legal bases. It is emphasized that such consent is obtained through written authorization.

The purposes and reasons for processing your personal data are detailed below:

Your personal data, including data falling under special categories, are collected and stored based on the legal grounds outlined in the previous section, specifically for:

1. the contractual agreement with you
2. our legitimate interest
3. the substantial and vital interest in receiving these services
4. the performance of a duty carried out in the public interest
5. the establishment, exercise, or defense of legal claims, or when courts act in their judicial capacity
6. compliance with a legal obligation
7. the exercise of rights and fulfillment of obligations arising from social security law

Additionally:

• We also collect and store your personal data as part of our legal obligation for accounting and tax purposes.
• We retain your special category data for as long as required by law.

Finally, the data collected are not shared with third parties unless required by law or by a judicial authority, or with their explicit written consent.

Sharing and Disclosure of Your Personal Data

Your personal data are not shared or disclosed without consent for any purpose other than those outlined in this notice or as required by law. SOS Children’s Villages use selected partners (acting as “data processors” under the GDPR) to provide services and support business operations. However, all processors acting on behalf of SOS Children’s Villages process personal data according to the instructions received from the organization and fully comply with this privacy notice, the principles of the General Data Protection Regulation (EU) 2016/679, and any other appropriate confidentiality and security measures.

Protection Measures

At SOS Children’s Villages, every reasonable technical and organizational measure and safeguard is taken to protect and secure personal data. Data are processed to protect you and your information from unauthorized access, alteration, disclosure, destruction, or any other form of processing. Appropriate layers of security measures have been implemented, including:
specific policies and procedures
role-based access management
strong password controls
network security checks
perimeter security hardware and software (firewalls)
business continuity measures
incident/event management
encryption
continuous staff training on technical and organizational security measures.

For how long we retain your data

SOS Children’s Villages retain personal data only for as long as necessary and have implemented strict policies and procedures for reviewing and retaining your data to meet their obligations. The standard retention period is 40 years; however, due to the specific nature of the organization, this period may be extended. Once this period has expired, the data are either anonymized or destroyed using approved destruction procedures (shredding or recycling for paper records and irreversible deletion for electronic data), with a destruction protocol prepared in all cases.

Specifically for résumés collected by the Human Resources – Payroll Department from individuals interested in working at SOS Children’s Villages, these are retained for one year and are then destroyed.

Tax records are retained in accordance with tax legislation.

Exercising Your Rights

Regarding your personal data, you have the right to exercise the following rights by submitting a written request in person or through a legally authorized representative to SOS Children’s Villages, or by sending the request by mail with a notarized signature.

a) Right to information and right of access to all personal data held and processed by SOS Children’s Villages concerning you, including the type of processing, the purposes of processing, the recipients or categories of recipients of your personal data, and the duration of their retention.

b) Right to rectification. If you believe that any incomplete or inaccurate data concerning you are being retained, you have the right to request that they be corrected.

c) Right to erasure of your personal data, exclusively and only in the following cases:

• when your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
• when you withdraw your consent on which the processing of your personal data was based, and there is no other legal ground for the processing (e.g., clinical studies, statistical data, etc.)

d) Right to restriction of processing in the following cases:

• when you contest the accuracy of your personal data, until SOS Children’s Villages verify their accuracy
• when, instead of erasure, you request the restriction of the processing of your personal data
• when SOS Children’s Villages no longer need your personal data for the purposes of processing, but you require the data to establish, exercise, or defend legal claims

e) Right to data portability, meaning you have the right to request the transfer of your data to another organization, either in Greece or abroad, or to receive them yourself in a standardized electronic format on a portable storage medium (e.g., CD, DVD).

f) Right to object to the processing of your personal data, unless there are compelling and lawful grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims by SOS Children’s Villages.

g) Right to object to direct or indirect marketing activities by us and/or to any automated decision-making processes that may be used by SOS Children’s Villages.

To exercise any of the above rights, identification is required (through an official identity document or a legally signed authorization) in order to ensure that your personal data are protected and kept secure.

SOS Children’s Villages respond to your requests free of charge, without delay, and in any case within one month of receiving the request, except in exceptional circumstances. In such cases, the above period may be extended by an additional two months if necessary, taking into account the complexity of the request, the volume of material to be processed, and/or the number of requests. SOS Children’s Villages will inform you of any extension within one month of receiving the request, as well as the reasons for the delay.

If it is not possible to fulfill your request, SOS Children’s Villages will inform you without delay, and no later than one month from receipt of the request, of the reasons for this and of your right to lodge a complaint with the Hellenic Data Protection Authority (HDPA), as well as your right to seek recourse before the competent judicial authorities.

Submitting a Complaint

SOS Children’s Villages process your personal data only in accordance with this privacy statement and the applicable data protection laws. However, if you wish to file a complaint regarding the processing of your personal data, or if you are not satisfied with the way your personal data are managed, you have the right to submit a complaint either to the Data Protection Officer of SOS Children’s Villages at dataprotection@sos-villages.gr or in writing through the secretariat. You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) [1-3 Kifisias Ave, P.C. 115 23, Athens, Tel.: +30 2106475600, Email: contact@dpa.gr] if you believe your personal data protection rights have been violated. Additionally, you have the right to seek recourse before the competent judicial authorities for the protection of your personal data.