PERSONAL DATA PROCESSING SUMMARY TABLE OF SUBSCRIBERS AND USERS OF THE TOLLWAY
This Personal Data Processing Policy (hereinafter referred to as the “Policy”) summarises how your personal data are processed and in particular the conditions for the collection, storage and use thereof by the Controllers.
To read the full text of our policy please select: “PROTECTION POLICY”.
1. CONTROLLER: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
|S/N||REQUIRED INFORMATION||PROVISION OF REQUIRED INFORMATION|
|1||Identity and contact details of the controller and his / her representative||CONTROLLERS
1. ATTIKI ODOS S.A., GCR 2230901000, VAT NO 094421389, HEAD OFFICE: Peania Attica GR 19002, 41.9 km. of Attiki Odos Motorway, Exit 18, Operation Centre, PHONE: +302106682200, E-mail:[email protected]
2. ATTIKES DIADROMES S.A., GCR 3534001000, VAT NO 099360227, HEAD OFFICE: Peania Attica GR 19002, 41.9 km. of Attiki Odos Motorway, Exit 18, Operation Centre, PHONE: +302106682000, E-mail:[email protected]
|2||Data protection officer contact details||PHILIP MIDDLETON of MICHAEL, E-mail:|
|3||Collection of Personal Data||We mainly collect your personal data directly from you, when you subscribe to services or when you contact us. Such information is (full name, postal address, email, telephone, TIN, vehicle registration number and subscriber transit record). In addition, we may collect image data in the event of an incident or as you pass through the toll lane, as well as specific categories of personal data, such as medical information, where required (cases of traffic accident or accident with injury).|
|4||Cookies||We may also collect during your visit and navigation on our Website, your data from cookies that you have allowed with your consent to be used and which are detailed in the Cookies Settings link of our website.|
|5||Purposes of processing||(i) Receiving requests / complaints / events (verbal and written) from subscribers / users and replying to them.
(ii) Conclusion and management of an application / contract for the provision of electronic toll services, in the context of the ratification of the Concession Agreement dated 23.5.1996 under Law 2445/1996 (Government Gazette, Series I, No 274).
(iv) Monthly (electronic and non-electronic) invoicing of subscribers within the framework of Law 4308/2014 (Government Gazette, Series I, No 251).
(v) Fulfillment of tax obligations (submission of income tax statement etc.) within the framework of Law 4172/2013 (Government Gazette, Series I, No 167).
(vi) Invoicing and processing of subscribers’ requests / complaints under Directive 2004/52/EC and Presidential Decree 177/2007 (Government Gazette, Series I, No 216).
(vii) E-mail processing with subscribers under the my e – PASS application posted on the website www.aodos.gr.
(viii) Sending new / promotional activities (newsletter, forms, etc.).
(iix) Subscriber satisfaction telephone survey.
(ix) Recording via CCTV to monitor traffic flow along the motorway, protect and safeguard transactions, personnel and facilities of the Company at Stations and Toll Lanes, Subscriber Service Points and CSS.
(x) Roadside Assistance for Attica Tollway users.
(xi) Notification of an event to insurance companies for the exercise of a right and the fulfillment of a legal obligation of the Controllers.
(xii) Toll violations.
(xiii) Traffic incident management.
|6||Legal basis of processing||Processing is done as appropriate:
a) For the fulfillment of the contract between the Company and the subscribers.
b) For compliance with the legal obligations of controllers.
The fulfillment of the legal obligations arising from (a) the ratification of the Concession Agreement dated 23.5.1996 under Law 2445/1996 (Government Gazette, Series I, No 274), (b) Law 4172/2013 – ITC (Government Gazette, Series I, No 167), (c) Law 4308/2014 on Greek accounting standards (Government Gazette, Series I, No 251), (d) Directive 2004/52/EC and Presidential Decree 177/2007 (Government Gazette, Series I, No 216) and (e) Law 2251/1994 on consumer protection (Government Gazette, Series I, No 191).
c) For the purposes of the legitimate interests pursued by the controllers.
d) For the defense – legal protection of the Controllers, the protection of goods and property, as well as for statistical and historical reasons.
e) Upon consent of the data subject, as appropriate.
|7||Access and Transfer of your Personal Data
Categories of personal data recipients:
Collection of Subscriber data through cooperating companies (processors):
|Access to your personal data is provided to the absolutely necessary authorised personnel of the Controller and the companies cooperating with us, which process your Data as Processors on our behalf and in accordance with our orders. Access to your personal data may also be provided to the cooperating companies providing technical support services for information systems.
Processors are contractually obliged by us to maintain confidentiality, not to disclose data to third parties without our permission, to take appropriate security measures, to comply with the legal framework for the protection of personal data and in particular the GDPR. Furthermore, we may disclose your data when you have explicitly requested it or when required by law.
The following is a non-inclusive list of categories of personal data recipients.
(a) The competent police, prosecutorial and tax authorities within the framework of Law 4172/2013 – ITC (Government Gazette, Series I, No 167).
(b) The services of the Ministry of Infrastructure and Transport within the context of the ratification of the Concession Agreement dated 23.5.1996 under Law 2445/1996 (Government Gazette, Series I, No 274).
(c) The other companies providing road infrastructure with tolls in the context of Interoperability (Directive 2004/52/EC and Presidential Decree 177/2007 (Government Gazette, Series I, No 216)].
(d) The companies (indicatively the company INFORM P. LYKOS SA) to which the monthly subscribers transfers are sent by an electronic file, in order to fulfill the printing, envelope and sending of the subscribers’ invoices.
(e) INTERAMERICAN and OBBO Companies for the provision of Road Assistance services to Passenger Vehicles and Heavy-Duty Vehicles.
(f) Subscriber satisfaction telephone research companies to improve the services provided to them (INVISION / METRON ANALYSIS / SSA).
(g) Insurance companies due to an obligation or right arising from insurance coverage and to third party associates of the Company who have undertaken the management of certain accidents / complaints of users on behalf of the Company on the basis of a contract (e.g. experts).
The following is a non-inclusive list of the cooperating companies:
(a) The companies that distribute the electronic transponder “e-pass” on behalf of the controller (indicatively PIRAEUS BANK, EUROBANK, AUTECO, NATIONAL BANK OF GREECE).
(b) The companies that receive on behalf of the controller either the advance amounts or the repayment amounts for the electronic crossings on Attiki Odos (indicatively EKO – BP, SHELL, EUROBANK, ALPHA BANK, NATIONAL BANK OF GREECE, PIRAEUS BANK).
(c) The companies that provide the remote conclusion of applications / contracts for subscribers registration in the commercial programs of Attiki Odos (indicatively the company GENIKI TAXYDROMIKI COMMERCIAL COURIER SA).
|8||Transfers of personal data to third countries or international organisations||It does not take place.|
|9||Personal Data Safety Policy||In order to protect your personal data, we apply the appropriate level of security and we have implemented reasonable physical, electronic, and administrative procedures to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transferred, stored or otherwise processed. Our information security policies and procedures are regularly reviewed and updated whenever necessary in order to meet our business needs, changes in technology and regulatory data protection requirements.|
|10||Time period for which personal data are kept||a) The period of validity of the indefinite period of each application / contract for the provision of electronic toll services plus five (5) years after the expiry of its validity in any way based on the provisions of Article 36 par. 1 of Law 4987/2022 – ITC (Government Gazette, Series I, No 206) on the limitation of the claims of the State and the provisions of Article 250 of the Civil Code on the limitation of claims. (b) Images obtained through CCTV shall be kept for up to three (3) days, unless an event is shown, in which case they shall be kept in a separate file pursuant to Directive 1/2011 of the Hellenic Data Protection Authority or until the event has been examined. c) The time of keeping the file of the telephone recording is fifteen (15) days and concerns the telephone calls to and from the Call Centre, the Customer Service, the emergency number 1024 and the communication with the Traffic Management Centre.|
|11||Rights of data subjects||As the data subject you have specific legal rights, which relate to the personal data we collect from you. These rights are as follows: Access, Rectification, Erasure, Objection, Restriction of Processing, Portability, Right to Withdraw consent.
The above rights can be exercised as long as the conditions of Regulation (EU) 2016/679 are met.
In order to exercise your legal rights, please contact [email protected]* in writing by e-mail. We will try to satisfy your request within 30 days. However, the time limit may be extended for specific reasons relating to the specific legal right or complexity of your request. We may ask for proof of your identity, for identification purposes, before we respond to your request. As regards access to personal data of third parties, the prior written authorisation of the data subject is a necessary condition.
|12||Right to lodge a complaint with a supervisory authority||You have the right to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr). Contact details: 1-3 Kifissias Avenue, PC 115 23, Athens Call Centre: + 30-210 6475600 Fax: + 30-210 6475628 E-mail:[email protected]|
|13||Automated decision making, including profiling||It does not take place.|
|14||Provision of personal data on behalf of data subjects||The provision of personal data of each data subject constitutes a legal and contractual obligation for the conclusion of the application / contract for the provision of electronic toll services, for the invoicing (electronic or paper) of the electronic transit of the subscribers of ATTIKI ODOS S.A. for the fulfillment of the tax obligations of ATTIKI ODOS S.A. with regard to its subscribers, for the fulfillment of the legal obligations arising from the legislation on interoperability of toll systems and for compliance with consumer protection provisions. In case of non-provision of such personal data, it becomes impossible to conclude the application / contract for the provision of electronic toll services.|
Personal Data Protection Policy
The companies ATTIKI ODOS S.A. and ATTIKES DIADROMES S.A., have adopted the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter referred to as General Data Protection Regulation) and Law 4624/2019 on the protection of personal data they maintain and fully comply with.
- Collection and Use of Personal Data
The Companies ATTIKI ODOS S.A. and ATTIKES DIADROMES S.A.(hereinafter referred to as the “Company”), acting together as joint controllers within the meaning of Article 24 of the General Data Protection Regulation, collect only the absolutely necessary data for each specific processing purpose. These data relate to user and third party subscribers and may be (full name, postal address, email, telephone, TIN, vehicle registration number, subscriber transit record).
These data are communicated by the data subjects themselves, either electronically, by fax or by filling in the special company forms, or by telephone for the conclusion of a subscription contract (Application for a Contract) or for the sending of a request / complaint, for the management of an event. The provision of personal data of each data subject constitutes a legal and contractual obligation for the conclusion of the application / contract for the provision of electronic toll services, for the invoicing (electronic or paper) of the electronic transit of the subscribers of ATTIKI ODOS S.A. for the fulfillment of the tax obligations of ATTIKI ODOS S.A. with regard to its subscribers, for the fulfillment of the legal obligations arising from the legislation on interoperability of toll systems. In case of non-provision of such personal data, it becomes impossible to conclude the application / contract for the provision of electronic toll services. Furthermore, data of motorway users can be recorded through a closed circuit television (CCTV) system along the motorway for traffic management as well as at the toll stations and lanes, at the Subscriber Service Points and at the Operation and Maintenance Centre (SSC) for security of transactions, security of personnel and facilities of Attiki Odos. For the collection and use of Personal Data, see also Articles 3 and 5 of the Summary Table. Personal data are collected through CCTV during vehicle crossings with violation of tolls. In this case, the vehicle license plate number may be recorded for the management of violations by the Controllers and the imposition of an administrative fine by the competent Traffic Department. Special mention is made that the transit through tolls without payment of tolls is a violation of Article 29 par. 10 and 11 of the Road Traffic Code. Personal data of subscribers, users and third parties are collected and recorded during their communication and conversation with representatives of the Controllers at the Customer Service Call Centre, at the emergency number 1024 and in any other case that refers to a recorded message. The recording of this data is necessary for security and quality reasons (e.g. credit to subscription account, update of subscription program, event or complaint). Finally, user data of the motorway may be collected by authorised associates of the Controllers during the provision of roadside assistance services or by our staff during an event (e.g. photographic material from a traffic accident, vehicle registration number and geographical location of the parties involved). In addition, data are transmitted by the Controller to third Partners in accordance with Article 7 of the Summary Table. Any complaints, information and requests from users and third party subscribers are recorded in databases for quality and management purposes. See Article 5 in the summary table.
- Purposes of processing
Your personal data shall not be used for purposes other than for the purposes for which they are collected and which are detailed in Article 5 of the Summary
- Collection of Personal Data due to interoperability
Interoperability is the ability to pass through with payment of tolls via an Electronic Device of an Issuer of an electronic transit device from the specially defined lanes of the respective Motorway, bearing a special marking. The Company does not collect Personal Data of Subscribers and Users of other Motorways nor does it transmit to other Toll Management Bodies personal data of its Subscribers and Users. Nevertheless, the Toll Management Bodies that have undertaken the operation and maintenance of the road infrastructure (and / or the Operating Companies authorised under a contract to act as their direct agents for the collection of tolls) and the Issuers, retain the freedom of transmission between them the data of the Subscribers for the purpose of investigating events and / or solving problems or complaints of Subscribers from the electronic transit carried out using Interoperability and only between the Issuer and the specific Management Body, which the case under investigation concerns.
- Transfer of Personal Data to third parties
We retain your personal data, in the context of the performance of our contractual and operational obligations, in accordance with the applicable legislation.
In certain cases, the Controller may transfer personal data processed to third competent authorities, services, and Partners as specifically referred to in Article 5 of the Summary Table.
The partners of the Company who process personal data on its behalf as above are bound by a confidentiality and personal data protection agreement in accordance with the provisions of the General Data Protection Regulation. For categories of recipients, see also Articles 7 and 8 of the Summary Table.
- Rights of the Data Subject
- A) Consent and right to object
In addition to the data processed by the Company in the context of the processing purposes referred to in this Policy, the Company may request your consent to the use of your personal data for other relevant purposes, so you can either consent or refuse such use. The Company may contact you at the e-mail address or telephone number you have provided for information purposes regarding the use of your Electronic Device or motorway, for reasons of optimisation of its services (satisfaction survey), for sending an electronic newsletter (newsletter), for the promotion of related goods and services or for other related purposes. In this case you are given the opportunity not to answer the phone call or to be deleted from the relevant list of recipients at any time following the instructions contained in each communication and in accordance with Article 11 of the Summary Table.
Nevertheless, we will not delete you from some communications which are necessary for the performance of our contractual obligations or are imposed by the tax law or the Concession Agreement.
- B) Rights of the Data Subject
Right of access: You have the right to be informed if and how we process your personal data at any time and without any charge. Right to rectification: You may request the correction or update of personal data, which are incomplete or incorrect. Right to erasure: You may request the erasure of your data if they are no longer necessary for the processing purposes for which they were originally collected or if you wish to withdraw your consent and there is no other legal basis for processing. The right to erasure is subject to conditions. Thus, it may be restricted if, for example, the retention of data is mandatory for the fulfillment of the legal obligations of our company, which may be based on provisions of more specific laws such as Civil and Criminal Code, tax, insurance legislation, etc. or in the relevant instructions of the competent department of the Ministry of Infrastructure and Transport, which is the supervisory authority of the Project.
Right to object: You may at any time object to the processing of your personal data, which we will respect provided that there are no other legitimate reasons. Right to restriction of processing: You can request the restriction of processing of your personal data if you contest their accuracy or the legitimacy of the processing. Portability: You can request the personal data you have provided in a structured, commonly used and machine-readable format and the right to transmit those data to another controller. Right to withdraw consent: If the processing is based on your consent, you have the right to withdraw your consent at any time without affecting the legal basis of the processing of your data by us on the basis of that consent prior to its withdrawal.
The above rights can be exercised as long as the conditions of Regulation (EU) 2016/679 are met.
- Retention of personal data
The Company shall retain your personal data for as long as is necessary for the fulfillment of the contractual relationship between the Company and the subscribers, users, suppliers, partners or third parties (Data Subjects) and however for as long as provided for by the applicable tax legislation and the more specific provisions of the Concession Agreement and the Civil Code in the event of any contractual or property claims or other disputes.
For the retention period of Personal Data, see also Article 10 of the Summary Table.
- Data security and integrity
The Company shall implement appropriate technical and organisational measures, policies and procedures for the security of personal data and their protection against accidental or unlawful destruction, loss, unathorised disclosure of, alteration or destruction.
In addition, we try to ensure that access to your personal data is limited only to the Company’s staff or external partners or to relevant ministries and authorities acting within the scope of their duties. Individuals who have access to the data are specially authorised and bound by a privacy and confidentiality obligation.
For the Cookies policy followed by the Company, see the Cookies Settings section.
- Requests for Incidents
The controller shall inform the data subjects that for requests relating to the incident of 24 January2022, the controller has developed a platform for the registration of requests in which the data subject consents to the provision of his or her personal data and declares that they are correct.
- Categories of Personal Data: Email, name, surname, TIN, mobile phone, IBAN – beneficiary – account bank, vehicle registration number (brand, colour and category), name of owner, entrance – exit from motorway (direction, date and time), vehicle geographic location, telephone conversation, payment method and photo or video file.
- The purpose of the processing is to investigate the event for any satisfaction of the data subject’s request.
- Retention Period: The data subject, by completing and registering his/her application, consents to the processing and retention of his/her Personal Data for as long as necessary and in any case in accordance with the provisions of Article 250 of the Civil Code and otherwise until the issuance of a final and irrevocable decision in case of judicial resolution of any dispute that may arise.
- Access to the data is provided by the competent departments of the Controller, the Financial Advisor and InVision Consulting SA.
- Data subjects have the right to information, access, objection, rectification and erasure of their personal data and restriction of processing, as defined by Law, and always in accordance with the General Policy of the Controller for Personal Data on the website.
- Changes in this policy
The Company submits this Policy to a frequent review and may modify or revise it periodically at its discretion. Each time the Company makes changes, it shall indicate the date of modification or revision in its Policy. The updated Policy will apply as from that date. We encourage you to study this Policy from time to time to see if there are any changes to the way we manage your personal data.
- Contact us
If you have any questions, comments or requests regarding the processing of your personal data or wish to update your personal data or exercise any of your rights as a Data Subject, please contact us at [email protected] or / and [email protected]*.
*The email address [email protected] belongs to the bank’s environment. Do not send requests/contracts to this email address, as your messages will not be read and will not be replied to.
Data Protection Officer of the Company: PHILIP MIDDLETON
Date of last revision: 13.07.2022