PERSONAL DATA PROCESSING SUMMARY TABLE OF SUBSCRIBERS AND USERS OF THE TOLLWAY
This Personal Data Processing Policy (hereinafter referred to as the “Policy”) describes how your personal data are processed and in particular the conditions for the collection, storage and use thereof by the Controllers.
Find below the content of the Policy, first in a table for your convenience and then in full text. |
KEY DEFINITIONS:
1. CONTROLLER: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
S/N | REQUIRED INFORMATION | PROVISION OF REQUIRED INFORMATION | |
1 | Identity and contact details of the controllers | CONTROLLERS
1. NEA ATTIKI ODOS PARACHORISI SINGLE MEMBER SOCIETE ANONYME, GCR 178847001000, VAT NO 802573600, HEAD OFFICE: 85, Mesogion Avenue, 115 26, Athens PHONE: +210 6682 200, E-mail: information@concession.naodos.gr 2. NEA ATTIKI ODOS LEITOURGIA SOCIETE ANONYME, GCR 178852001000, VAT NO 802573776, HEAD OFFICE: 85, Mesogion Avenue, 115 26, Athens, PHONE: +30 210 6682 000, E-mail: information@operation.naodos.gr |
2 | Data protection officer contact details | The contact details of the Data protection officer for both NEA ATTIKI ODOS PARACHORISI SINGLE MEMBER SOCIETE ANONYME and NEA ATTIKI ODOS LEITOURGIA SOCIETE ANONYME are: PISTIOLIS – TRIANTAFYLLOS & ASSOCIATES LAW FIRM, email: dpo@gekterna.com, tel: 2103626971 | |
13 | Collection of Personal Data | We mainly collect your personal data directly from you, when you subscribe to services or when you contact us. Such information indicatively includes full name, postal address, email, telephone, TIN, profession, vehicle registration number and subscriber transit record, credit card data if someone wishes to charge his/her card, account number (IBAN), transceiver device number and subscriber account code. In addition, we may collect image data in the event of an incident or as you pass through the toll lane, as well as specific categories of personal data, such as medical information, where required (cases of traffic accident or accident with injury). Telephone conversations with company representatives are also recorded, where indicated in a recorded message, for the purpose of security and proof of commercial transactions. | |
4 | Cookies | We may also collect during your visit and navigation on our Website, your data from cookies that you have allowed with your consent to be used and which are detailed in the Cookies Policy link of our website. | |
5 | Purposes of processing | (i) Receiving requests / complaints / events (verbal and written) from subscribers / users and replying to them.
(ii) Conclusion and management of an application / contract for the provision of electronic toll services, in the context of the ratification of the Concession Agreement dated 12.09.2024 under Law 5141/2024 (Government Gazette, Series I, No 156). (iii) Interoperability. (iv) Monthly (electronic and non-electronic) invoicing of subscribers within the framework of Law 4308/2014 (Government Gazette, Series I, No 251). (v) Fulfillment of tax obligations (submission of income tax statement etc.) within the framework of Law 4172/2013 (Government Gazette, Series I, No 167). (vi) Invoicing and processing of subscribers’ requests / complaints under Directive EU 2019/520. (vii) E-mail processing with subscribers under the my e – PASS application posted on the website www.naodos.gr. (viii) Sending new / promotional activities (newsletter, forms, etc.). (iix) Subscriber satisfaction telephone survey. (ix) Recording via CCTV to monitor traffic flow along the motorway, protect and safeguard transactions, personnel and facilities of the Company at Stations and Toll Lanes, Subscriber Service Points and CSS. (x) Roadside Assistance for Attica Tollway users. (xi) Notification of an event to insurance companies for the exercise of a right and the fulfillment of a legal obligation of the Controllers. (xii) Toll violations. (xiii) Traffic incident management. (xxvi) Proof of transactions when recording telephone calls. Recording is carried out in order to prove the transactions and at the same time safeguard the interests of all parties in the event of a dispute. |
6 | Legal basis of processing | Processing is done as appropriate:
a) For the fulfillment of the contract between the Company and the subscribers. b) For compliance with the legal obligations of controllers. The fulfillment of the legal obligations arising from (a) the ratification of the Concession Agreement dated 12.09.2024 under Law 5141/2024 (Government Gazette, Series I, No 156), (b) Law 4172/2013 – ITC (Government Gazette, Series I, No 167), (c) Law 4308/2014 on Greek accounting standards (Government Gazette, Series I, No 251), (d) Directive EU 2019/520 and (e) Law 2251/1994 on consumer protection (Government Gazette, Series I, No 191). c) For the purposes of the legitimate interests pursued by the controllers. d) For the defense – legal protection of the Controllers, the protection of goods and property, as well as for statistical and historical reasons. e) Upon consent of the data subject, as appropriate. |
7 | Access and Transfer of your Personal Data
Categories of personal data recipients: |
Access to your personal data is provided to the absolutely necessary authorised personnel of the Controller and the companies cooperating with us, which process your Data as Processors on our behalf and in accordance with our orders. Access to your personal data may also be provided to the cooperating companies providing technical support services for information systems.
Processors are contractually obliged by us to maintain confidentiality, not to disclose data to third parties without our permission, to take appropriate security measures, to comply with the legal framework for the protection of personal data and in particular the GDPR. Furthermore, we may disclose your data when you have explicitly requested it or when required by law. The following is a non-exhaustive list of categories of personal data recipients. (a) The competent police, prosecutorial and tax authorities within the framework of Law 4172/2013 – ITC (Government Gazette, Series I, No 167). (b) The services of the Ministry of Infrastructure and Transport within the context of the ratification of the Concession Agreement dated 12.09.2024 under Law 5141/2024 (Government Gazette, Series I, No 156). (c) The other companies providing road infrastructure with tolls in the context of Interoperability (Directive EU 2019/520). (d) The cooperating companies which provide computerization and printing services, to which the monthly subscribers transfers are sent by an electronic file, in order to fulfill the printing, envelope and sending of the subscribers’ invoices. (e) Companies which provide road assistance services to Passenger Vehicles and Heavy-Duty Vehicles. (f) Subscriber satisfaction telephone research companies to improve the services provided to them. (g) Insurance companies due to an obligation or right arising from insurance coverage and to third party associates of the Company who have undertaken the management of certain accidents / complaints of users on behalf of the Company on the basis of a contract (e.g. experts). (h) The cooperating companies that distribute the electronic transponder “e-pass” on behalf of the controller (indicatively banks). (i) The cooperating companies that receive on behalf of the controller either the advance amounts or the repayment amounts for the electronic crossings on Attiki Odos (indicatively gas stations and banks).
(j) The cooperating companies that provide the remote conclusion of applications / contracts for subscribers registration in the commercial programs of Nea Attiki Odos (indicatively couriers). |
8 | Transfers of personal data to third countries or international organisations | It does not take place. | |
9 | Personal Data Safety Policy | In order to protect your personal data, we apply the appropriate level of security and we have implemented reasonable physical, electronic, and administrative procedures to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transferred, stored or otherwise processed. Our information security policies and procedures are regularly reviewed and updated whenever necessary in order to meet our business needs, changes in technology and regulatory data protection requirements. | |
10 | Time period for which personal data are kept | a) The period of validity of the indefinite period of each application / contract for the provision of electronic toll services plus five (5) years after the expiry of its validity in any way based on the provisions of Article 36 par. 1 of Law 4987/2022 – ITC (Government Gazette, Series I, No 206) on the limitation of the claims of the State and the provisions of Article 250 of the Civil Code on the limitation of claims. b) Images obtained through CCTV shall be kept for up to three (3) days, unless an event is shown, in which case they shall be kept in a separate file pursuant to Directive 1/2011 of the Hellenic Data Protection Authority or until the event has been examined. c) The time of keeping the file of the telephone recording is fifteen (15) days and concerns the telephone calls to and from the Call Centre, the Customer Service, the emergency number 1024 and the communication with the Traffic Management Centre. d) When the processing is imposed as an obligation by the provisions of the applicable legal framework, your personal data will be stored for as long as the relevant provisions require. e) When the processing is based on your consent, your personal data will be processed until you withdraw your consent. You can withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of the processing based on your consent in the period prior to its withdrawal. | |
11 | Rights of data subjects | As the data subject you have specific legal rights, which relate to the personal data we collect from you. These rights are as follows: Access, Rectification, Erasure, Objection, Restriction of Processing, Portability, Right to Withdraw consent.
The above rights can be exercised as long as the conditions of Regulation (EU) 2016/679 are met. In order to exercise your legal rights, please contact dpo@gekterna.com in writing by e-mail. We will try to satisfy your request within 30 days. However, the time limit may be extended for specific reasons relating to the specific legal right or complexity of your request. We may ask for proof of your identity, for identification purposes, before we respond to your request. |
12 | Right to lodge a complaint with a supervisory authority | You have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) through its web portal (https://eservices.dpa.gr/). | |
13 | Automated decision making, including profiling | It does not take place. | |
14 | Provision of personal data on behalf of data subjects | The provision of personal data of each data subject constitutes a legal and contractual obligation for the conclusion of the application / contract for the provision of electronic toll services, for the invoicing (electronic or paper) of the electronic transit of the subscribers of NEA ATTIKI ODOS PARACHORISI SINGLE MEMBER SOCIETE ANONYME for the fulfillment of the tax obligations of NEA ATTIKI ODOS PARACHORISI SINGLE MEMBER SOCIETE ANONYME with regard to its subscribers, for the fulfillment of the legal obligations arising from the legislation on interoperability of toll systems and for compliance with consumer protection provisions. In case of non-provision of such personal data, it becomes impossible to conclude the application / contract for the provision of electronic toll services.
Recording telephone calls is carried out in order to prove the transactions and at the same time safeguard the interests of all parties in the event of a dispute. |
Full text of Personal Data Protection Policy
The companies NEA ATTIKI ODOS PARACHORISI SINGLE MEMBER SOCIETE ANONYME and NEA ATTIKI ODOS LEITOURGIA SOCIETE ANONYME have adopted, and fully comply with, the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter referred to as General Data Protection Regulation) and Law 4624/2019 on the protection of the personal data they maintain.
Please study this Privacy Policy (hereinafter referred to as the “Policy”), the Personal Data Processing Summary Table and the Cookies Policy, in order to learn more about the type, purpose of the data we collect about you and how we use such information.
- Collection and Use of Personal Data
The Companies NEA ATTIKI ODOS PARACHORISI SINGLE MEMBER SOCIETE ANONYME and NEA ATTIKI ODOS LEITOURGIA SOCIETE ANONYME (hereinafter referred to as the “Company”), acting together as joint controllers within the meaning of Article 26 of the General Data Protection Regulation, collect only the absolutely necessary data for each specific processing purpose. These data relate to user and third party subscribers and may be full name, postal address, email, telephone, TIN, profession, vehicle registration number, subscriber transit record, credit card data if someone wishes to charge his/her card, account number (IBAN), transceiver device number, subscriber account code.
These data are communicated by the data subjects themselves, either electronically, by fax or by filling in the special company forms, or by telephone for the conclusion of a subscription contract (Application for a Contract) or for the sending of a request / complaint, for the management of an event. The provision of personal data of each data subject constitutes a legal and contractual obligation for the conclusion of the application / contract for the provision of electronic toll services, for the invoicing (electronic or paper) of the electronic transit of the subscribers of NEA ATTIKI ODOS PARACHORISI SINGLE MEMBER SOCIETE ANONYME for the fulfillment of the tax obligations of NEA ATTIKI ODOS PARACHORISI SINGLE MEMBER SOCIETE ANONYME with regard to its subscribers, for the fulfillment of the legal obligations arising from the legislation on interoperability of toll systems. In case of non-provision of such personal data, it becomes impossible to conclude the application / contract for the provision of electronic toll services. Furthermore, data of motorway users can be recorded through a closed circuit television (CCTV) system along the motorway for traffic management as well as at the toll stations and lanes, at the Subscriber Service Points and at the Operation and Maintenance Centre (SSC) for security of transactions, security of personnel and facilities of NEA ATTIKI ODOS PARACHORISI SINGLE MEMBER SOCIETE ANONYME. Personal data are collected through CCTV during vehicle crossings with violation of tolls. In this case, the vehicle license plate number may be recorded for the management of violations by the Controllers and the imposition of an administrative fine by the competent Traffic Department. 
Personal data of subscribers, users and third parties are collected and recorded during their communication and conversation with representatives of the Controllers at the Customer Service Call Centre, at the emergency number 1024 and in any other case that refers to a recorded message. Recording is carried out in the context of the progress of the specific transactional relationship in order to provide evidence of our communication, for the proof of transactions and the simultaneous safeguarding of the interests of all parties in case of dispute, e.g. during telephone renewal using credit cards, remote modification of customer data, response to an incident or complaint, etc. Finally, user data of the motorway may be collected by authorised associates of the Controllers during the provision of roadside assistance services or by our staff during an event (e.g. photographic material from a traffic accident, vehicle registration number and geographical location of the parties involved). Any complaints, information and requests from users and third party subscribers are recorded in databases for quality and management purposes.
- Purposes of processing
Your personal data shall not be used for purposes other than the purposes for which they are collected and which are detailed in Article 5 of the Summary Table.
- Collection of Personal Data due to interoperability
Interoperability is the ability to pass through with payment of tolls via an Electronic Device of an Issuer of an electronic transit device from the specially defined lanes of the respective Motorway, bearing a special marking. The Company does not collect Personal Data of Subscribers and Users of other Motorways nor does it transmit to other Toll Management Bodies personal data of its Subscribers and Users. Nevertheless, the Toll Management Bodies that have undertaken the operation and maintenance of the road infrastructure (and / or the Operating Companies authorised under a contract to act as their direct agents for the collection of tolls) and the Issuers retain the freedom to transmit between them the data of the Subscribers for the purpose of investigating events and / or solving problems or complaints of Subscribers from the electronic transit carried out using Interoperability, and only between the Issuer and the specific Management Body which the case under investigation concerns.
- Transfer of Personal Data to third parties
We retain your personal data, in the context of the performance of our contractual and operational obligations, in accordance with the applicable legislation.
In certain cases, the Controller may transfer personal data processed to third competent authorities, services, and Partners as specifically referred to in Article 7 of the Summary Table.
The partners of the Company who process personal data on its behalf as above are bound by a confidentiality and personal data protection agreement in accordance with the provisions of the General Data Protection Regulation.
- Consent & Rights of the Data Subject
- A) Consent and right to withdraw the consent
The Company may contact you at the e-mail address or telephone number you have provided for information purposes regarding the use of your Electronic Device or motorway, for reasons of optimisation of its services (satisfaction survey), for sending an electronic newsletter, for the promotion of related goods and services or for other related purposes, only if you have given your consent for the above. In this case you are given the opportunity to withdraw your consent at any time by sending an email to the Company’s Data Protection Officer at the email address dpo@gekterna.com.
- B) Rights of the Data Subject
Right of access: You have the right to be informed if and how we process your personal data at any time and without any charge. Right to rectification: You may request the correction or update of personal data, which are incomplete or incorrect. Right to erasure: You may request the erasure of your data if they are no longer necessary for the processing purposes for which they were originally collected or if you wish to withdraw your consent and there is no other legal basis for processing. The right to erasure is subject to conditions. Thus, it may be restricted if, for example, the retention of data is mandatory for the fulfillment of the legal obligations of our company, which may be based on provisions of more specific laws such as Civil and Criminal Code, tax, insurance legislation, etc. or in the relevant instructions of the competent department of the Ministry of Infrastructure and Transport, which is the supervisory authority of the Project.
Right to object: You may at any time object to the processing of your personal data, which we will respect provided that there are no other legitimate reasons. Right to restriction of processing: You can request the restriction of processing of your personal data if you contest their accuracy or the legitimacy of the processing. Portability: You can request the personal data you have provided in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another controller. Right to withdraw consent: If the processing is based on your consent, you have the right to withdraw your consent at any time without affecting the legal basis of the processing of your data by us on the basis of that consent prior to its withdrawal.
The above rights can be exercised as long as the conditions of Regulation (EU) 2016/679 are met.
- Retention of personal data
The Company shall retain your personal data for as long as is necessary for the fulfillment of our contractual relationship and however for as long as provided for by the applicable tax legislation and the more specific provisions of the Concession Agreement and the Civil Code in the event of any contractual or property claims or other disputes.
For the retention period of Personal Data, see also Article 10 of the Summary Table.
- Data security and integrity
The Company shall implement appropriate technical and organisational measures, policies and procedures for the security of personal data and their protection against accidental or unlawful destruction, loss, alteration or unauthorised disclosure.
In addition, we try to ensure that access to your personal data is limited only to the Company’s staff or external partners or to relevant ministries and authorities acting within the scope of their duties. Individuals who have access to the data are specially authorised and bound by a privacy and confidentiality obligation.
- Cookies
In order to ensure the proper functioning of its Website, the Company may use Cookies, i.e. small text files stored on the user’s computer. Please be informed of the Company’s Cookies Policy and adjust their usage.
- Changes in this policy
The Company submits this Policy to a frequent review and may modify or revise it periodically at its discretion. Each time the Company makes changes, it shall indicate the date of modification or revision in its Policy. The updated Policy will apply as from that date. We encourage you to study this Policy from time to time to see if there are any changes to the way we manage your personal data.
- Contact us
If you have any questions, comments or requests regarding the processing of your personal data or wish to update your personal data or exercise any of your rights as a Data Subject, please contact us at dpo@gekterna.com.
*The email address notifications@alphaecommerce.gr belongs to the bank’s environment. Do not send requests/contracts to this email address, as your messages will not be read and will not be replied to.