1. Controller Particulars
The Controller is the Association for Regional Development and Mental Health, whose registered seat is in Amaroussion, at No. 36, Salaminos St., GR-151 24, tel. no. +30 210 8056920 (hereinafter “EPAPSY” or “NGO”). EPAPSY is a non-governmental organization that has the necessary scientific, legal and moral guarantees for the smooth operation of guest and boarding houses, day centers and mental health service providers. In this context, it collects and processes the personal data of its legal representatives, psychiatrists, social workers, psychologists and administrative team, of the scientific and other personnel of its facilities, BoD members, partners, employees and suppliers, as well as of the users and candidate users of treatments or mental healthcare services, their relatives or legal guardians, when deemed necessary for the mental health protection of the service users, in accordance with the principles defined in Regulation (EU) 2016/679 of the European Parliament and the Council dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “General Data Protection Regulation”) and the applicable national and EU legislation on personal data protection. Moreover, it implements all necessary and appropriate technical and organizational measures for the protection of the collected and processed personal data.
  1. Scope
The present Personal Data Protection Policy (hereinafter “Protection Policy” or “Policy”) specifies the terms and conditions with which EPAPSY complies for the protection of the personal data of the data subjects processed for the purpose or on the occasion of the implementation of the objectives assigned to it. The aim of this Policy is to provide information on the personal data collected and processed by the NGO, as well as on the way and purposes for which it collects, stores, uses and transmits the personal data in question, where appropriate. It also aims to provide information on the data subjects’ legal rights. EPAPSY reserves the right to amend, update, review or otherwise change the present Policy at any time deemed necessary, without prior notice and in accordance with the law. Therefore, you are advised to review the present Policy regularly, in order to be cognizant of any amended editions.
  1. Definitions
For the purposes hereof, the following terms are defined:
  • “Personal data”: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • “Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • “Controller”: a natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of said processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law.
  • “Processor”: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
  • “Recipient”: a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
  • “Third party”: any natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
  • “Personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
  • “Data concerning health”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
The other terms mentioned in the present Policy have the meaning defined in the General Regulation for the Protection of Personal Data and in the national and community law governing the Mental Health Units and the psychiatric reform.
  1. Data collection sources
Personal data are collected from the subjects themselves. EPAPSY does not collect data from third parties, unless authorized by the subject for the specific processing.
  1. Subjects and personal data categories that are processed
EPAPSY processes personal data that have been disclosed for the purposes of the performance of its duties either by the related natural persons (data subjects) or third parties, like hospitals, health centers, research institutions or others, relating to the following natural persons categories. More specifically, the Authority processes:
(a) Personal data of patients living in the EPAPSY boarding and guest houses, as required in the framework of the Articles of Association of EPAPSY, i.e. identity and contact details of a) patients, such as their name, postal address, telephone number, email address, ID Card No., Tax ID No., Social Security No. (AMKA) etc., (simple personal data) and health data, such as their medical history, examinations, and procedures, as well as other medical information arising from examinations or analyses related to a disease, disability, disease risk, medical history, clinical therapy, laboratory or other tests results etc., medical certificates, diagnostic tests, medication and evidence of (in)voluntary hospitalization etc., financial and asset data, such as bank accounts, benefits provided by the National Organization for the Provision of Health Services (EOPYY), tax data, data relating to criminal convictions and offenses, such as criminal records, disciplinary certificate etc., (special category data) b) patients’ relatives or legal guardians, such as their name, postal address, telephone number, email address, ID Card No., Tax ID No., etc.
(b) Personal data of employees and BoD members of EPAPSY, i.e., identity and contact details, such as their name, postal address, telephone number, email address, ID Card No., Tax ID No. etc., employment information, such as their payroll, job description, sick leaves etc.
(c) Personal data of suppliers and service providers, i.e., identity and contact details, such as their name, postal address, telephone number, email address, ID Card No., Tax ID No. etc., financial information and data, such as an IBAN, invoice details etc.
(d) Personal data of the beneficiaries, such as Day Centers and Mobile Units visitors and their relatives, i.e. identity and contact details, such as their name, postal address, telephone number, email address, ID Card No., Tax ID No. etc., their age, sex, special category data related to the physical and mental health of the beneficiaries and their relatives, including information like their medical history, examinations and procedures, as well as other medical information arising from examinations or analyses related to a disease, disability, disease risk, medical history, clinical therapy, laboratory or other tests results etc., (health data), other special category data, such as data regarding the sex life and sexual orientation of the above mentioned subjects, solely for the purposes of mental health service provision etc.
(e) Interns and volunteers data, such as studies certificates, identity and contact details, such as their name, postal address, telephone number, email address, ID Card No., Tax ID No. etc.
  1. Purposes and legitimate grounds for processing
EPAPSY processes the personal data of the above-mentioned natural persons solely on legitimate grounds. Therefore, EPAPSY processes personal data for the purposes and legitimate grounds listed below, i.e., the processing is necessary:
(a) for the purposes of legitimate interests pursued by EPAPSY as the controller, the performance of agreements, the fulfillment of its contractual obligations and exercise of its rights, i.e., for the management of third-party vendor payments, the management of its employees’ salaries and overtime payments, and the overall management and evaluation of its employees and partners.
(b) for reasons of public interest in the public health sector, such as the protection against serious cross-border threats to health or the assurance of high quality and safety standards in healthcare, pharmaceuticals and medical devices, under Union or Member State law, which provides for appropriate and specific measures for the protection of the rights and freedoms of data subjects, in particular professional secrecy.
(c) for health related purposes, when necessary for the achievement of the relevant objectives, to the benefit of natural persons and society as a whole, in particular in the context of health management and social care services and systems, including the processing of their data for quality control purposes, information management and overall national and local health and social care system supervision, and ensuring the continuity of health and social care and of cross-border healthcare or healthcare security, such as for licensing and audit of the Medically Assisted Reproduction Units and Cryopreservation Banks.
(d) for archiving purposes of public interest, for scientific or historical research or statistical purposes under Union or Member State law, which are proportional to the objective pursued, thoroughly respect the data protection right, provide for appropriate and specific measures for the assurance of the data subjects’ fundamental rights and interests, with the ultimate objective of serving the public interest in the public health sector, such as for the mental health indicators and the efficiency of the health services provided in Greece.
EPAPSY processes all collected personal data in lawful and legitimate ways. It neither collects nor processes more information or data than is necessary for the processing purposes. The collection and processing of natural persons’ data is carried out exclusively for the stated processing purposes.
  1. Categories of personal data recipients
EPAPSY may, in some cases, transmit the natural persons’ personal data to the BoD or staff members, its facilities or public services, such as the Ministry of Health and Social Solidarity, the National Printing Press, and public agencies, such as Public Prosecutors, Public Administration Auditors and the National Commission for Bioethics, to software and application providers, such as companies providing evaluation and improvement services for the EPAPSY website, data and technical support companies, finance, human resources and accounting support companies, courts, administrative or judicial authorities, legal advisors, etc. The transmission occurs solely for the purposes stated hereof and always on condition that the above-mentioned individuals accept and comply with the terms of the present Policy and the legislation. In these cases, the Authority remains responsible for the personal data processing and ensures that the processing complies with the applicable legal framework and that all natural persons can exercise their rights according to the applicable law.
  1. Personal data retention period
The data storage retention period is determined on each occasion upon the following specific criteria:
(a) When processing is carried out under a relevant agreement, personal data are stored for as long as it is necessary for the performance of the agreement and for the establishment, exercise and/or defense of legal claims deriving from the said agreement or for the defense of rights before courts, judicial authorities, etc.
(b) When processing is carried out for the purposes of public interest in the public health sector or is imposed as an obligation by the provisions of the applicable legal framework, personal data are stored for as long as it is imposed or allowed by the relevant provisions or is required for the pursuit of the said public interest.
(c) When processing is carried out upon the data subject’s consent, personal data are stored for as long as the data subject’s consent is in force or is required for the establishment, exercise and/or defense of legal claims deriving from the said consent or for the defense of rights before courts, judicial authorities, etc. or is imposed or allowed by the relevant provisions.
(d) When processing is carried out under the controller’s legitimate interest, personal data are stored for as long as it is required for the pursuit of the legitimate interest or imposed or allowed by the relevant provisions.
  1. Subject Rights
All natural persons whose data are processed by the Authority have the following rights, which are subject to restrictions depending on the type of personal data, the purpose, and the legal basis of the processing:
  • Right of information and access: You are entitled to be informed on and have access to your data and get additional information on their processing.
  • Right of rectification: You are entitled to request the rectification, modification, supplementation or update of your data.
  • Right of erasure: You are entitled to request the erasure of your personal data in the course of processing under your consent or on the basis of our legitimate interests. In any other case (such as in the case of a contract, exercise of official authority, a lawful obligation to personal data processing, a public interest), the said right shall be subject to restrictions or shall be withdrawn, as the case may be.
  • Right to restrict processing: You are entitled to request the restriction of your personal data processing when: (a) the accuracy of the personal data cannot be established and until the data is verified, (b) the processing is unlawful and you object to the personal data erasure and request the restriction of their use instead, (c) the personal data are not required for processing purposes, but are necessary for the establishment, exercise or defense of legal claims, and (d) you object to the processing and until verifying that there are legitimate grounds concerning us that supersede the reasons for which you are objecting to the processing.
  • Right to withdraw consent: You are entitled to withdraw your consent any time, insofar as it was given in the context of the processing purposes.
To exercise any of the above-mentioned rights, you may send an email to dpo@epapsy.gr.
  1. Right to object to the processing
All subjects are entitled to object to their personal data processing at all times, when it is deemed necessary on the legitimate interests grounds as pursued by the Office, as the controller.
  1. Right to data portability
You are entitled to receive your personal data free of charge in a format that allows you to access, use, and edit them, as well as request, if technically feasible, to transmit your data directly to another controller. Such right is granted for the data that you have provided to us and that are subject to processing by automated means based on your consent or execution of a relevant contract.
  1. Personal data security
EPAPSY has adopted and implements appropriate organizational and technical measures for the purpose of secure personal data processing and the prevention of accidental loss or destruction, unauthorized and/or unlawful access to, use, amendment or disclosure, and ensures the lawfulness of the collection, processing and safekeeping of the personal data, in accordance with the provisions of national, European and international law on the protection of individuals against personal data processing and especially taking into consideration the provisions of the General Data Protection Regulation. For more information you may contact the Data Protection Officer (DPO) of EPAPSY, Varvara Karadede, email: dpo@epapsy.gr.
  1. Contact Details
For any further information on the processing of personal data or the exercise of any of the above rights, subjects can contact the Controller via email at dpo@epapsy.gr.
  1. Right to lodge a complaint before the Personal Data Protection Authority
All subjects reserve the right to file a complaint before the Personal Data Protection Authority (www.dpa.gr): Call Center: +30 210 6475600, Fax: +30 210 6475628, Email: complaints@dpa.gr.