Difference between revisions of "Mitos and Privacy"

From National Registry of Administrative Public Services
m (Σωτήρης Κυλάφης (ΕΔΥΤΕ) moved page Mitos and Privacy to Mitos and Privacy)

Revision as of 12:27, 15 February 2022

Policy for the protection of personal data

Policy for the protection of personal data of the National Register of Procedures, Diavlos: https://reg-diavlos.gov.gr/

Introduction

Regulation (EU) 2016/679 – the General Data Protection Regulation (‘GDPR’) has been applicable in the European Union since 25 May 2018. To access the text of the regulation, you may select the following URL: https://eur-lex.europa.eu/legal-content/EL/TXT/?uri=CELEX:32016R0679.

This personal data protection policy (‘data policy’ or ‘ΠΠΠΔ’) concerns the National Register of Procedures – Diavlos (‘Diavlos’) of the Ministry of Digital Governance (‘the Ministry’) operating under the domain name: reg-diavlos.gov.gr.

The Ministry places particular importance on the protection of personal data of citizens, as well as of visitors of the website. For this reason, the data protection policy has been developed in order to inform the above individuals on how their personal data are collected, used and disclosed.

Definitions of personal data

(NB: the definitions follow Article 4 of the GDPR)

  • ‘personal data’: any information by which a natural person is identifiable or may be identified (‘data subject’).
  • ‘controller’: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • ‘processor’: a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller.
  • ‘data subject’: natural persons whose personal data are collected and processed by the controller (in the context of the data policy, the users of the above website, whether identified or not when making use of the service, are data subjects).
  • ‘recipient’: a natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not.

Collection of personal data

Whenever the user visits the Ministry’s website and as long as the user interacts with it, or uses the services to register procedures, view procedures or submit comments on the procedures, certain information may be collected, such as:

Information for the identification of the users of the electronic services

‘Service users’ are identified by the interoperability centre of the General Secretariat of Information Systems for Public Administration (ΓΠΣΔΔ) of the Ministry of Digital Governance, with the credentials given to the ‘user’ by the TaxisNet system, in accordance with Decision No 3981ΕΞ2020 by the Minister of State on ‘Provision of Authentication Service for OAuth 2.0 Users in Information Systems of Third Bodies’ (Government Gazette, Series 2, No 762/10.3.2020). The abovementioned identification may concern citizens or civil servants (‘authors’ and ‘administrators’) with the corresponding identification software (either for citizens, or for civil servants). For the sole purpose of identifying users (citizens or civil servants), who use or process the procedure, the Ministry receives through the above identifications (OAuth 2.0), and processes – as a controller – the following personal data:

  • name
  • last name
  • TaxisNet username
  • father’s name
  • mother’s name
  • year of birth
  • tax registration number

For the provision of electronic services

For the provision of the ‘service’ and for the effective and lawful provision of this service, the Ministry of Digital Governance processes – as a controller – the following personal data:

  • The IP address assigned to the device with which the ‘user’ connects to the ‘service’.
  • Browsing data within the ‘website’, through the installation of data mining programs known as ‘cookies’.
  • The timestamp relating to the use of the ‘service’.
  • Data with regard to the connection device (operating system, browser software).
  • All the information included in the comments submitted by the ‘user’.

Special categories of personal data

The Ministry of Digital Governance does not collect or process special categories of personal data, as defined in accordance with applicable law (such as race or ethnicity, religion, health data, etc.), for identification purposes or for the provision of the service. However, it is possible to process special categories of data, as long as these data are entered by the user into the ‘free text’ fields of the services, such as the comments field where citizens can freely provide their feedback.

Purpose of the personal data processing

The Ministry of Digital Governance processes your personal data in order to lawfully exercise its competences, in full compliance with all its legal obligations under national and EU law, to fulfil its duties in the public interest and to exercise the public authority that has been entrusted to it.

Legal basis for the processing

The processing of the personal data of ‘users’ is necessary for the functioning of the ‘service’ and is based on the provisions of Law 4635/2019 (Government Gazette, Series 1, No 167) and the Act of Legislative Content of 20 March 2020.

Purposes of the processing

Diavlos collects personal data for the following purposes:

a) for the provision of feedback to citizen users on how procedures are performed;
b) for the provision of feedback on the procedures of Diavlos and the way these procedures are performed;
c) for the extraction of statistical data on how the website is used; and
d) to define the roles of authors and administrators and for the introduction of procedures in the information system by selected and designated civil servants, as authors and administrators.

In particular, the personal data collected and stored by the website in a relevant database or in the Greek State’s cloud (g cloud), are intended to be used for the purposes stated above, namely the following:

  • the identification of ‘users’ of the electronic services, for example for the identification of citizens who provide feedback (comments and reviews) in the platform;
  • the identification of citizen ‘users’ through the interoperability centre of the General Secretariat of Information Systems for Public Administration (ΓΠΣΔΔ), with the credentials given to the ‘user’ by the TaxisNet code system;
  • the identification of civil servant ‘users’ as authors and administrators through the interoperability centre of the General Secretariat of Information Systems for Public Administration (ΓΠΣΔΔ), with the credentials given to the civil servant by the specialised identification system of public administration codes;
  • the provision of electronic services and procedures, such as showing how a procedure is implemented;
  • the seamless operation of the ‘website’ and the ‘procedure’;
  • the provision of technical support to ‘administrators’ and ‘authors’ to register the ‘procedures’;
  • the functioning of the website in a user-friendly and easy manner;
  • an improved website experience during the performance of the service;
  • the creation of statistical reports and graphs for the monitoring of the procedure.

The information of statistical reports and graphs does not incorporate personal data of users, whether citizens or civil servants, as it is derived from anonymised data.

In order to present the ‘procedure/service’, the Ministry of Digital Governance collects and processes the personal data of users exclusively for the abovementioned purposes and only to the extent absolutely necessary to effectively serve these purposes. In each case, these data are relevant, suitable and limited to what is necessary in view of the abovementioned purposes, moreover they are accurate and, when necessary, updated.

Furthermore, such data are retained only during the period required to fulfil the purposes of their collection and processing and are deleted after that period, in accordance with the general terms of use.

Confidentiality

The Ministry does not provide or otherwise transmit or publish personal data of the visitors/users of the website to third parties, without the consent of the visitor/user, with the exception of the above recipients and for the functioning of the portal, as well as to competent authorities only in compliance with the relevant legal requirements.

Personal data that are maintained may be disclosed to competent judicial, policy and other administrative authorities, upon their legal request and in accordance with applicable legal provisions. Furthermore, in the case of a legal order by a public prosecutor or other authority or when criminal investigations or preliminary examinations are conducted, the Ministry is obliged to provide access to the relevant data and to make them available to the requesting authority.

The Ministry does not transmit personal data of users to third countries or international organisations.

Transfer and storage of personal data

Any transfer or transmission of the personal data of data subjects is done through electronic systems and the data are transferred encrypted.

The data are stored in servers or the cloud service provider of the Greek State (g cloud), all of which are located within the European Union.

Authorised employees of the Ministry of Digital Governance and in particular of the General Secretariat of Information Systems for Public Administration may have access to users’ data in the context of their duties and responsibilities.

GRNET S.A. (National Infrastructures for Research and Technology S.A.) acts as processor and provides support services to the Ministry and the General Secretariat of Information Systems for Public Administration with regard to the National Register of Procedures – Diavlos.

In the context of the purposes described above, if the user so chooses, the Ministry of Digital Governance may transmit certain personal data to third parties (e.g. agencies), to which the user themself chooses to send feedback on how the procedures are performed.

Rights of the data subjects

In full compliance with the provisions of GDPR, the Ministry satisfies and facilitates the exercise of the rights of data subjects, provided by the GDPR, in relation to the use of Diavlos and its services, provided that such rights can truly be exercised in the context of Diavlos’ operation, namely:

  • The right of access, so that you can be informed which of your data are processed by the Ministry of Digital Governance, for what reason and to whom.
  • The right to rectification, so that you can correct mistakes, inaccuracies and deficiencies in your data.
  • The right to erasure of this data, in accordance with the provisions of the GDPR, so that your data can be deleted from the files of the Ministry of Digital Governance.
  • The right to restriction of processing where the accuracy of the data is contested, where you have previously objected to the processing and the relevant decision is still pending and in the event that your data are no longer necessary for the initial purpose but may not be yet erased for legal reasons.
  • The right to data portability, so that you can receive your data in electronic format and transmit them to a third party.
  • The right to object to the processing of your personal data by withdrawing your consent – if such had been required – without the legality of the processing undertaken before the withdrawal of the consent being affected.

Satisfaction of rights – safeguards – duration of retention

Overall, the Ministry ensures that procedures are in place which allow the easy exercise of the rights of data subjects, so that all necessary actions are immediately initiated.

It will respond to requests submitted by data subjects without undue delay and, in any event, no later than 30 calendar days. Should the Ministry be unable to satisfy a right that has been exercised by the data subject, it will ensure that specific, adequate and complete justification is provided.

Except when a request is obviously unfounded or excessive, all actions concerning the satisfaction of data subjects’ rights will be undertaken free of charge for the subjects.

Personal data that have been collected are recorded on computer systems, which provide sufficient security and are used by specially trained and authorised employees, in order to achieve the maximum protection possible of the recorded data, within the modern digital environment.

The Ministry of Digital Governance maintains and processes your personal data for the abovementioned purposes no longer than is necessary for the purpose for which they were collected under the terms of use of the service or in accordance with applicable law.

Cookies policy

General

The Diavlos website may use files known as ‘cookies’ in accordance with applicable law. ‘Cookies’ are small pieces of data (files) in simple text format, which are stored in the user’s computer (or in other devices with internet access, such as smartphones or tablets), whenever the user visits any website on the internet. Cookies do not cause damage to the user’s computer or to the files stored therein. Without cookies, the user’s preferences would be impossible to save.

Cookies help gather information which is necessary to measure the effectiveness of a website, to improve and upgrade its content, to adapt it to the demand and needs of users, and to measure the effectiveness of the website's presentation and promotion on websites of third parties. Cookie files that are used by a website do not collect information which identify the users personally and do not gain knowledge of any document or file on the user’s computer.

Data collected by cookies may include the type of browser used by the user, the type of computer, its operating system, the internet service providers (ISPs), and other such information. Furthermore, the website's information system automatically collects information about sites visited by the user and links to third party websites that may be located on the portal's website.

Cookies which may be used by Diavlos

The Diavlos website, like all websites, may use cookies in order to function smoothly and to offer users the best possible service. The following four categories may be used:

  • Necessary

Necessary cookies help render the website useful by allowing basic functions, such as browsing and access to secure areas of the website. Without these cookies, the website cannot function properly.

  • Preference

Preference cookies allow the website to remember information which changes the way that the website behaves or its appearance, such as preferred language or the region where the user is located.

  • Statistics

Statistics cookies help the website’s owners understand how the visitors interact with the website by collecting and reporting information anonymously.

Catalogue – recording – categorisation of portal cookies

  • Cookie name
  • Source
  • Cookie purpose description
  • Expiry

How to manage and delete cookies

Most browser menus provide options for the management of cookies. Depending on the options given by the browser to the users, the latter may allow the installation of cookies, disable or delete existing cookies, or be notified every time that they receive cookies. Instructions for managing and deleting cookies are usually found in each browser’s menu under ‘Help’, ‘Tools’, or ‘Edit’. In addition, the user may find more detailed guidance at www.youronlinechoices.com/gr, where detailed explanations are provided on how to check and delete cookies in most browsers. The user should take into consideration that, if they reject or deactivate the website's cookies, the functionality of the websites may be lost in part. Furthermore, by deactivating cookies or a category of cookies, the respective file is not deleted from the browser. Such an action should be performed by the user themself, by modifying the internal functions of the browser they use.

Contact

You can contact the Data Protection Officer of the Ministry by sending an email to the address dpo@mindigital.gr or by post to the following address: ‘11 Fragkoudi & Al. Pantou Streets, Kallithea’, to submit any question with regard to the processing of your personal data.

If one of the abovementioned rights is exercised, the Ministry of Digital Governance will take every possible measure for its satisfaction within 30 calendar days from the receipt of the relevant application, providing written information regarding its satisfaction or the reasons preventing the exercise of the right. If this is not technically feasible, due to the complexity of the issue or a large number of requests, the deadline is extended by another 2 months after you have been notified.

If you are not satisfied with the response or consider that the processing of your personal data violates the applicable regulatory framework for the protection of personal data, you have the right to file a complaint to the Hellenic Data Protection Authority (postal address: 1-3 Kifisias Avenue, Athens 115 23, Tel. 210 6475600; email: contact@dpa.gr).
