In SETE we respect your privacy and undertake to protect your personal data. The purpose of this policy is to inform you about the personal data we collect and process in the course of our operation and communication with you. Our full particulars are:
GREEK TOURISM CONFEDERATION – SETE Εmail address:
[email protected] Postal Address: 34 Amalias Ave., 10558 Athens, Greece Tel.: +30 210 3217165
Scope and objectives of the personal data protection policy The scope of the present Policy is to determine the basic rules and principles according to which SETE collects, processes and stores personal data, as defined by the applicable Greek and EU legislation in force and, in particular, Regulation (EU) 2016/679 (hereinafter “the Regulation” or “GDPR”).
Personal Data Concepts / Definitions For the purposes of the present Policy, the following concepts shall be construed as follows:
“Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Special categories of personal data”: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
“Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Anonymization”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject.
“Pseudonymization”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Consent” of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“Personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Data concerning health”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
“Applicable law”: The provisions of the Greek, EU or other law to which SETE is subject and which prescribe personal data protection issues, such as:
- Law 2472/1997 on the protection of individuals with regard to the processing of personal data;
- Law 3471/2006 on the protection of personal data and privacy in the electronic communications sector and the amendment of Law 2472/1997;
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on the protection of privacy and electronic communications) as amended;
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and any implementation laws thereof.
General Principles of Personal Data Processing When SETE processes personal data, it ensures that:
- It collects and processes such data lawfully, in accordance with the provisions of the applicable laws and the conditions thereby prescribed.
- It processes personal data only for specified, explicit and legitimate purposes.
- It implements appropriate technical and organizational measures to ensure that personal data are processed in such manner as to warrant the appropriate level of security for personal data, including, inter alia, their protection with regard to unauthorized or illegal processing and accidental loss, destruction or damage. Moreover, to periodically review the adequacy and efficacy of such measures.
- It makes the required effort so that the personal data it keeps and processes are always accurate and updated.
- It does not keep the personal data it collects for a longer time than necessary for the purposes for which they were collected and processed. However, it may keep such data for a longer time, if their processing is required:
I. for complying with the legal obligation which imposes such processing pursuant to the provisions of a law; II. for fulfilling a duty discharged in the public interest; III. in the context of the lawful activities of SETE as a trade association and a social institutional partner and on condition that such processing pertains to Members or former Members of SETE or persons that are in regular contact with SETE in relation to its purposes and that personal data are not disclosed to any third party without the consent of the data subjects; IV. for archiving purposes in the public interest or for scientific or historical research purposes or for statistical purposes; V. for substantiating, exercising or supporting legal claims.
Purposes for processing In the context of its activities, SETE may collect personal data of its Members, its employees, its partners in general, and of natural persons with whom it transacts in the context of its institutional responsibilities as a social partner. Such persons may be SETE Members, independent partners, sole traders, legal or other representatives of legal entities, employees, third parties, and in general partners of parties with which SETE transacts. In principle, SETE may collect and process personal data for the following purposes: 1. In order to meet its obligations as imposed by the law and by the provisions of its Charter for its objectives and actions, such as the study, protection and promotion of the status and contribution of tourism in the national economy and in the country’s cultural setting and in particular: I. The study and research of the particular aspects of tourism in Greece, especially in relation to the protection and promotion of the country’s historic features and natural environment. II. The study of tourism policy and applications and the submission of pertinent proposals to the competent authorities for the introduction of measures and rules aimed at the provision of high-standard tourism services. III. The active involvement of the Confederation in the country’s promotion in a tourism and national context. IV. The study, protection and promotion of the ethical, professional and economic interests of its Members and the fostering of a spirit of solidarity and mutual support among its Members. V. The representation of the Members of the Confederation in Greece and abroad. VI. The participation in organizations, associations, chambers, unions and events in Greece and abroad which are in pursuit of the same or of similar purposes or which are related to the purposes which the Confederation pursues. VII. The provision of scientific, organizational or administrative support and assistance of all types (technical, professional, educational, organizational and other special consultation and advice) in Greece and abroad in relation to and/or in support of the promotion of the tourism sector and businesses. VIII. The introduction of ethics and conduct rules to protect the consumer and safeguard the high standards of tourism businesses and the spirit of cooperation among the Members of the Confederation. IX. Any other responsibility which may be conferred upon it by the provisions of any law and/or regulation. 2. In order to meet its obligations as imposed by the law and in particular by the social security and taxation laws in force with regard to its employees and suppliers and to meet its obligations as a modern social institutional partner. 3. In order to be able to recruit staff or to contract with independent partners. 4. In order to ensure its smooth operation in line with the objectives set out in its Charter and with the applicable laws. 5. In order to ensure the safety of its staff, facilities and equipment. 6. In order to lawfully execute contracts and meet the legal obligations therein prescribed. 7. In order to represent the interests of its Members. 8. In order to perform its tasks as a peer social institutional partner. 9. In order to organize and conduct events and congresses and the General Meetings of its Members. 10. In order to undertake research and studies in the context of the objectives set out in its Charter.
Legal basis for personal data processing SETE shall process your personal data with transparency in accordance with the principles of lawfulness, proportionality, confidentiality and integrity, the limitation with regard to the purpose and accuracy, the specific time that data are kept and the minimization of data. The legal basis for the processing of your personal data may consist in any of the following, as the case may be: (a) your consent; (b) the requirement to process your data in the context of our contractual obligations; (c) the requirement to process your data in the context of our compliance with a legal obligation; (d) the requirement to process your data in the context of safeguarding our lawful interests.
What data are processed With regard to the aforesaid objectives, SETE may collect and process personal data which may include, without being limited to, the following:
SETE Members (natural persons or sole traders): full name, postal address, post office box, email address, contact telephone numbers, capacity, profession, VAT number (Greek AFM), bank account number (IBAN).
Purposes – Legal basis for processing: – SETE’s obligation in accordance with its Charter to keep the required data of candidate Members in order to proceed to their registration; – SETE’s obligation in accordance with its Charter to keep data of Members in order to monitor the fulfilment of their economic obligations (subscription); – SETE’s lawful interests in keeping data of Members in order to inform them about its actions, events, General Meetings and congresses, and to send them newsletters with information of interest to Members in the context of SETE’s objectives set out its Charter.
Employees and/or independent partners: full name, father’s name, mother’s name, year of birth, place of birth, gender, citizenship, postal address, post office box, email address, contact telephone numbers, identity card number, VAT number (Greek AFM), social security number (Greek AMKA) and other social security fund numbers, bank account number (IBAN), particulars about family status, education and training of employee/partner, previous experience, curriculum vitae.
Purposes – Legal basis for processing: – The management of the employment relationship. The processing of data is essential for the implementation of the employment contract. – The fulfilment by SETE of its obligations as employer. The processing of data is essential for SETE’s compliance with legal obligations.
Candidate employees: SETE collects and processes data of candidate employees upon a candidate’s submission of a pertinent application for a vacant post. In such cases, SETE collects and processes only the personal data that are required for the assessment of the candidate’s appropriateness for the specific post (e.g. name, surname, contact details, education, previous experience, etc.). Such data shall be collected on submission of an application in any manner (e.g. by dispatch of an email message to SETE’s email address provided with the relevant announcement, by means of recruitment platforms) and from the curriculum vitae which the candidate attaches to his/her application. Moreover, for the assessment of applications for a post, SETE may use additional questionnaires which disclose information about candidates in order to facilitate the further assessment of the candidate’s appropriateness for a specific post.
Purposes – Legal basis for processing: Candidates’ data are collected for the purpose of: – assessing a candidate’s appropriateness for a specific post. The legal basis for processing is SETE’s lawful interest. – keeping on file a candidate’s application for potential job vacancies. The legal basis for processing is SETE’s lawful interest.
Participants, speakers and guests in congresses and events: i. full name, postal address, post office box, email address, contact telephone numbers, capacity, profession. If a congress or event involves a subscription or registration cost, in addition to the above data the processing of data shall also include VAT number (Greek AFM), bank account number (IBAN), student registration number (where required), credit or other card number, etc. ii. Visual Data (Photographic Material/ Video Recording): In the context of the organization of events, conferences, congresses and General Meetings of SETE’s Members, such events may be recorded in photographs and/or on video and such material may be uploaded in SETE’s social media accounts (Facebook, LinkedIn, Twitter, YouTube, Flickr).
Purposes – Legal basis for processing: Management of events. The processing of data is essential for the management of events and of their purposes.
Contact data of persons: who are in regular contact with SETE with regard to its objectives in the context of the lawful activities of SETE as a trade association and a social institutional partner, contact data of journalists for the communication of Press Releases and updates about SETE’s institutional actions, positions and events, and contact data of persons who have declared their wish and have provided their consent to receive updates from SETE (full name, email address, post office box, capacity, profession, contact telephone numbers).
Purposes – Legal basis for processing: – the requirement to process data in the context of safeguarding SETE’s lawful interests as a social institutional partner; – the consent of persons who wish to receive updates from SETE about its events and actions and about developments in the tourism sector. Moreover, in the context of the
realization of any co-financed programmes (National Strategic Reference Framework/NSRF, etc.), SETE may collect personal data of participants in co-financed actions, any particulars voluntarily included in the tenders of candidates and of concessionaires in the context of the awarding of contracts to same, and any other items that may be required by the relevant laws for the implementation of co-financed programmes.
Purposes – Legal basis for processing: the requirement to process data in the context of SETE’s legal obligations (indicatively, Law 4314/2014 and other regulatory provisions with regard to the implementation of co-financed programmes).
Special categories of personal data SETE may collect and process data which belong to special categories of personal data (“sensitive data”), such as data concerning the health of its employees, in order to meet its social security obligations. Also, in exceptional cases and when prescribed by the applicable laws (e.g. laws concerning NSRF programmes and public contracts), SETE may collect and process data concerning criminal convictions and offences, such as criminal records, invariably respecting the principle of proportionality.
Purposes – Legal basis for processing: the requirement to process data in the context of SETE’s legal obligations.
Transmission of Data SETE may transmit data to third parties (legal or natural persons) acting as processors, in support of its operation (e.g. accounting support, technical support, payroll purposes) and in support of its actions. As the case may be, SETE may process such data both as controller and as processor on behalf of third parties.
SETE may transmit personal data to the legal persons on which it has control, such as its Institute (INSETE) and the company under the name “Marketing Greece TOURISM PROMOTION AND DEVELOPMENT S.A.”, which are –respectively– SETE’s education & training and communication arms, both for internal administrative purposes, including the processing of personal data of partners and/or employees, and for the purpose of informing subjects about the activities and actions of the said legal persons on which SETE has effective control. SETE may also transmit such data to third parties when this is prescribed by the applicable laws, in accordance with the guarantees prescribed by the applicable laws. In the event that such transmission should involve a country outside the European Union (EU) or the European Economic Area (EEA), SETE should check whether:
- the Commission has issued a pertinent adequacy decision for the third country to which data shall be transmitted;
- appropriate guarantees are in place in accordance with the Regulation about the transmission of such data.
If not, transmission to a third country is prohibited and SETE may not transmit personal data to such country, unless one of the special derogations prescribed in the Regulation should apply (e.g. express consent of the subject and information of same about the risks the transmission entails, the transmission is necessary for the implementation of a contract upon the subject’s request, there are reasons of public interest, it is required to support legal claims and vital interests of the data subjects, etc.).
Rights of Personal Data Subjects SETE shall ensure that data subjects are able to exercise the rights provided for same by the law with regard to the collection and processing of personal data. Said rights are:
- The right of access to data.
- The right of rectification of data.
- The right of erasure of data (“right to be forgotten”).
- The right of restriction of processing of data.
- The right of portability of data.
- The right to object to the processing of data.
All requests by the person/subject shall be submitted to SETE at the following email address:
[email protected] In the event that any of the above rights should be exercised, SETE shall take all possible steps to satisfy your request within a reasonable time and in any event within one (1) month from submission of your request and its/your identification. That period may be extended by two further months where necessary, in the event that your request is complex or if there is a great number of requests. In such case, SETE is obliged, within one month of identifying the request, to notify you about the delay and the reasons for such delay. Within the said time, SETE is obliged to inform you of any refusal on its part to satisfy, in whole or in part, the request you submitted and about the reasons of such refusal. SETE may refuse to satisfy, in whole or in part, a request received by the data subject only when this option is provided for under the General Data Protection Regulation (EU 2016/679). If SETE is processing personal data as processor, it shall transmit such requests to the controller, who is responsible for examining and satisfying such requests.
Right to Appeal to the Personal Data Protection Authority Moreover, if you believe that there is a breach of any of your rights with regard to the protection of Personal Data, you may file a complaint with the competent supervising authority, viz. the Hellenic Data Protection Authority. For more information, please visit the website
http://www.dpa.gr .
Personal Data Breach A “personal data breach” is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized communication, disclosure of, or access to, personal data collected, stored or in any way processed by SETE. In the event that any employee or partner of SETE should become aware of or suspect any breach of personal data, s/he shall inform SETE at the following email address:
[email protected]. If SETE is processing data as processor, it shall notify without delay the controller and shall not make any disclosures.
Data retention period Your personal data shall be retained for a limited time period depending on the purpose of their processing and upon expiry of such period personal data shall be deleted from our files, unless a different retention period is prescribed or allowed by the applicable laws.
Training SETE shall make arrangements for the staff involved in the collection and processing of personal data to be adequately informed and trained, taking into consideration available training and information methods in order to select the most appropriate ones at each instance.
Personal Data Protection Policy Updates SETE may from time to time amend the present Policy in order to comply with changes in regulations, for operational reasons or in order to respond to the needs of its Members and its institutional role. Updated versions of the present policy shall be posted on SETE’s website and shall indicate the date, so that you may identify the most recent updated version. The present policy was posted on 25.05.2018 and was updated on 17.05.2019.
