In carrying out the Administrative Services procedures, and in providing services to its beneficiaries / persons served, Ε.Κ.Κ.Α. collects and processes specific categories of personal data (otherwise known as sensitive personal data).
According to the European General Data Protection Regulation (679/2016/EU) (GDPR), data of specific categories are defined as personal data that reveal racial or ethnic origin, political beliefs, religious or philosophical beliefs or participation in a trade union organization, as well as genetic data, biometric data processed for the purpose of the indisputable identification of a person, data relating to health, and data relating to the sexual life or sexual orientation of a natural person.
Of the above, the main categories of sensitive data that Ε.Κ.Κ.Α. processes in the context of its operation are:
- health data of employees and of beneficiaries / persons served by Ε.Κ.Κ.Α. (e.g. sickness certificate, health certificate, etc.)
- data on the religion of beneficiaries / persons served by Ε.Κ.Κ.Α.
- data on the racial or ethnic origin of beneficiaries / persons served by Ε.Κ.Κ.Α.
- data on the sexual preferences of beneficiaries / persons served by Ε.Κ.Κ.Α.
Recognizing the criticality of this data and the importance of safeguarding it, Ε.Κ.Κ.Α. adheres to the following principles:
- Defines and collects in each case only the absolutely necessary personal data, as specified each time in circulars, relevant laws, presidential decrees, ministerial decisions, etc. It processes these data on the legal bases of Article 9 of the GDPR, which are selected each time in collaboration with the Head of the Processing Department, the Legal Service and the Data Protection Officer and are recorded in the Archive of Processing Activities.
Specifically, it processes data of specific categories where the processing is:
- necessary for the performance of the obligations and the exercise of specific rights of the data controller or the data subject in the field of labor law and social security and social protection law, if permitted by the law of the agreement in accordance with national law providing adequate guarantees for the fundamental rights and interests of the data subject (Article 9.2b),
- necessary for reasons of essential public interest under Union or Member State law which is proportionate to the objective pursued and respects the substance of the data protection right and the interests of the data subject (Article 9.2g).
- Ensures the observance of integrity and confidentiality. In particular, access to this data is available only to authorized officials from each Directorate and not to all employees. This applies to both the physical file and the electronic file. Ε.Κ.Κ.Α. informs the authorized officials about this Policy, their obligation to maintain the confidentiality of the data they receive and manage, and the relevant consequences of non-compliance.
It informs the natural person about the processing to be carried out on the data collected, by including the following points in the information texts prepared for the data processing:
- Identity and contact details of Ε.Κ.Κ.Α.
- Identity and contact details of the Data Protection Officer (DPO).
- Purpose or purposes of processing personal data.
- Legal basis for the processing of personal data.
- Recipients or categories of recipients of personal data. In cases where the data is not transmitted to third parties, this is explicitly stated.
- Period of retention of personal data or the criteria that determine that period.
- Reference to the natural person's ability to exercise the following rights regarding personal data: access to and correction or deletion of data, restriction of processing or right to object to processing, right to data portability, right to withdraw consent at any time, and right to lodge a complaint with the supervisory authority.
- The existence of automated decision-making (if it applies or will be implemented in the future), including profiling, and, at least in these cases, important information about the logic followed, as well as the significance and intended consequences of such processing for the data subject.
- In cases where the data has not been collected directly from the natural person, in addition to the above, information should be provided on the source from which the data was collected / received and the framework on the basis of which this took place.
- The Directorates of Ε.Κ.Κ.Α. comply with the provisions of the Procedure for the storage and destruction of data, for the protection of both the physical and the electronic file.
It establishes data retention times, in accordance with national legislation and the data processing purposes, and ensures the safe destruction of the data, based on the procedure it has developed, when the retention time has elapsed.
Citizens' requests, and in particular those that contain data of special categories (e.g. health data), are not answered through social media; instead, the natural person is given information on the official way of submitting the request.
This Policy is applied by all the staff of Ε.Κ.Κ.Α. and by associates who undertake the processing of personal data of special categories on behalf of Ε.Κ.Κ.Α.
Personal Data Protection on the Telephone Line of Ε.Κ.Κ.Α.
The personal data collected by the Hotlines directly from callers are: landline or mobile phone number, place or address of residence, age and marital status, if needed and if you wish, or for statistical reasons.
B. What rights do you have to protect your data?
You have the following rights:
a. Know the categories of your personal data that we hold and process, their origin, the purposes of their processing, the categories of their recipients, the time of their keeping, as well as your relevant rights (right of access).
b. Request the correction and / or completion of your personal data, so that it is complete and accurate (right of correction), by submitting any necessary document that shows the need for correction or completion.
c. Request a restriction on the processing of your data (right to restriction).
d. Oppose any further processing of your personal data that we hold (right to object).
e. Request the deletion of your personal data from the files we keep (right to be forgotten).
Please note that:
i) Ε.Κ.Κ.Α. has in any case the right to refuse your request for restriction of the processing or deletion of your personal data if the processing or keeping of the data is necessary for the establishment, exercise or support of its legal rights or the fulfillment of its obligations.
ii) The exercise of these rights applies to the future and does not affect data processing already performed.
C. Right to appeal to the Personal Data Protection Authority
You have the right to appeal to the Personal Data Protection Authority (www.dpa.gr), for issues related to the processing of your personal data. For the competence of the Authority and the manner of submitting a complaint, you can visit its website (www.dpa.gr - My rights - Submit a complaint), where there is detailed information.
D. How can you exercise your rights?
Ε.Κ.Κ.Α. will make every effort to respond to your request within thirty (30) days of receipt.
This deadline can be extended by sixty (60) additional days, if this is deemed necessary at the absolute discretion of Ε.Κ.Κ.Α., taking into account the complexity of the request and the number of requests.
Our Organization will inform you of any extension of the deadline within thirty (30) days of receipt of the request.