Terms of Service / Privacy Policy

Privacy Policy

Application Statement

The implementation of the General Data Protection Regulation (GDPR) is a priority for the Hellenic Auxiliary Pensions Defined Contributions Fund (T.E.K.A.) which is a Legal Body Governed by Public Law.

Personal data is considered any information relating to an identified or identifiable natural person alive. For instance, this information includes name, home address, ID number, Internet Protocol (IP) code, information about their health and insurance capacity, employment status and more.

Special categories of personal data, such as health, racial or ethnic origin, trade union activity etc. receive special protection.

The rules apply when collecting, using, and storing personal data digitally or in hard copy through a structured filing system.

This policy is in line with the EU General Data Protection Regulation. (GDPR), and opinions/decisions issued by the Hellenic Data Protection Authority.

Terms and Definitions

  1. “Personal data” is considered any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  2. “Processing” is considered any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  3. “Restriction of processing” is considered the marking of stored personal data to limit their processing in the future.
  4. “Filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised, or dispersed on a functional or geographical basis,
  5. “Controller” is considered the natural or legal person, public authority, agency, or other body which, alone or jointly with others, who determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its nomination may be provided for by EU or Member State law.
  6. “Processor” is considered a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
  7. “Recipient” is considered a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry by Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing.
  8. “Third party” is considered a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
  9. “Consent” of the data subject is considered any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  10. “Personal data breach” is considered a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
  11. “Special categories of  personal data” is considered personal data disclosing racial or ethnic origin, political views, religious or philosophical beliefs, or trade union affiliation, as well as the processing of genetic, biometric data for the data relating to health or data relating to the natural sexual life or sexual orientation of a person.

Categories of Personal Data Collected

T.E.K.A. in the context of its activities and its regular operation  for the benefit of public interest, may collect personal data of its participants who use its services – applications, its employees, as well as his associates in general, but also other natural persons with whom it deals within the framework of his responsibilities.

Depending on the form and purpose of processing, T.E.K.A. may collect and process personal data, such as the following:

CATEGORIES OF DATA SUBJECTS

CATEGORIES OF DATA

PARTICIPANTS

Data included in submitted applications for registration to T.E.K.A.This category also includes data for providing answers to enquiries and for issuing certificates. These may include:

  1. Identity and demographics (e.g., name, father’s name, etc.)
  2. Insurance details (e.g., AMKA or ΑΥΠΑ and other information of the Social Security Institution Register if required)
  3. Contact details (e.g., postal address, telephone, Email, etc.)
  4. Contributions
  5. Other

SUPPLIERS/CONTRACTORS

Data of T.E.K.A.’s suppliers, in the case of personal companies or legal representatives of legal entities.These may include:

  1. Identity and demographics (e.g., name, father’s name, etc.)
  2. Insurance details (e.g., AMKA or ΑΥΠΑ and other information of the Social Security Institution Register if required)
  3. Contact details (e.g., postal address, telephone, Email, etc.)
  4. Copies of Criminal Records
  5. Professional information

DATA OF OTHER NATURAL PERSONS

Data of other natural persons who happen to visit the premises of T.E.K.A or cooperate with it.

EMPLOYEES (ACTIVE AND NON-EMPLOYED) / CANDIDATE EMPLOYEES

Data of employees of the Hellenic Auxiliary Pensions Defined Contributions Fundunder any employment relationship as well as data of former and candidate employees, which are kept in service records for the purpose of their employment relationship. These may include:

  1. Identity and demographics (e.g., name, father’s name, etc.)
  2. Insurance details (e.g., AMKA and other Social Security Authority details if required)
  3. Contact details (e.g., postal address, telephone, Email, etc.)
  4. Health data (e.g., medical certificates and opinions, blood donation data, etc.)
  5. Financial data (e.g., bank accounts, tax returns, statement of assets, etc.)
  6. Assets (e.g., statement of assets)
  7. Marital status details (e.g., certificates, number and details of children, etc.)

*Table 1. The categories of Data Subjects and their data

Purposes and legal bases of processing

The new Hellenic Auxiliary Pensions Defined Contributions Fund is a Legal Body Governed by Public Law. It was established by law 4826/2021 and is part of the first pillar of the social security system.

It is mainly geared towards new entrants to the labour market and it will gradually replace the existing auxiliary insurance scheme.

The benefits provided by T.E.K.A. complement main pensions and therefore help establish income security after retirement. The contributions paid by participants and employers are credited to each participant’s individual account. The capital, comprising the accumulated contributions, is invested and the returns are once again credited to each insured person's individual account. At the end of a person’s work life, the accumulated capital, i.e. the sum of the contributions and returns, translates into a life-long monthly auxiliary pension. The new system also provides for disability and survivor’s pensions.T.E.K.A. collects and processes personal data for the following purposes with the corresponding legal bases:

PURPOSE OF PROCESSING

LEGAL BASIS

Operation of T.E.K.A. in all its areas of responsibility, as well as the study, operation, administration, management of Information and Communication Systems, equipment, software and services respectively.

Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

The provision of online services to citizens in accordance with its responsibilities.

Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Cooperation and interconnection with relevant bodies of the European Union

Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR]

Ensuring the interoperability of the Information and Communication Systems with relevant public sector bodies.

Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

The provision to each service of the State and the European Union of statistics and other type of information and evaluations for the sectors of labour and social insurance in Greece.

Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

The study, development, operation, exploitation, management and maintenance of Information and Communication Systems.

Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

The collection, processing, cross-checking and transmission of data of the Tax Administration exclusively for the support and operation of the framework of its responsibilities.

Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

The collection and processing of image data using closed circuit cameras (CCTV), as well as the collection and processing of identification data (e.g. police ID card) by specialized security personnel, only for access in specific places

Protection of persons and assets in accordance with Directive 1/2011 of the Hellenic Data Protection Authority

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

The collection and processing of the necessary data of employees and / or candidate employees and associates of T.E.K.A. for the proper service of existing employment or co-operation relations or the consideration of possible future employment.

Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

*Table 2. The main purposes and legal bases of processing

The reference to more than one legal basis of processing does not mean T.E.K.A. changes them (lawful basis swapping), undermining data subjects’ rights, but there are cases where more than one legal processing base is applicable.

T.E.K.A. does not use the consent of the data subjects (whether they are simple data or special categories) as the primary basis for processing, recognizing the inherent inequality that exists concerning the data subjects each time and under the recommendations of its Working Group No. 29 (now European Data Protection Council). In exceptional cases, the consent of the subjects may be requested as a legal basis for processing (e.g., for sending informational messages for participation in events or the provision of additional services) when the processing cannot take place on the legal basis of fulfilling the duty in the public interest or the exercise of public authority. In these cases, the subjects are informed in advance and properly before giving their consent, are given full rights, including the withdrawal of consent.

Rights of Data Subjects

Natural persons have the right to:

  1. Be informed about the processing of their personal data.
  2. Gain access to the personal data concerning them.
  3. Request the correction of incorrect, inaccurate, or incomplete personal data.
  4. Request the deletion of personal data when it is no longer necessary or if the processing is illegal. If applied as a legal basis for processing Art.6 par.1 case. e) GDPR (processing for the fulfilment of a duty performed in the public interest or during the exercise of public power and the Art.9 par.2 case b), g), j) in most of the processes of the Hellenic Auxiliary Pensions Defined Contributions Fund (T.E.K.A.), the right of deletion is limited and will be evaluated on a case-by-case basis under strict conditions. According to Art. 4 of the Explanatory Memorandum of the GDPR, the right to personal data protection is not absolute; it must be valued concerning its functioning in society and weighed against other fundamental rights under the principle of proportionality.
  5. Oppose personal data processing for reasons related to their unique situation, subject to Art.21 par.6 of GDPR.
  6. Apply for a restriction on personal data processing in specific cases.
  7. Submit a complaint to the Hellenic Data Protection Authority (1-3 Kifissias Ave., 11523 Ampelokipi, tel. 210.647.5600, www.dpa.gr) or to the supervisory authority of the EU Member State where they live or work or to the supervisory authority of the place of the alleged violation.

Communication of Natural Persons

The above rights, as well as any rights related to personal data, are exercised upon a written request submitted to any point that is accessible to the public or via electronic communication by sending a message to info@teka.gov.gr and is also examined T.E.K.A..

Processing principles

T.E.K.A. accepts the basic principles governing the processing of personal data. According to article 5 of GDPR, personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’).
  3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay (‘accuracy’).
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to the implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (integrity and confidentiality).

T.E.K.A. keeps a record of the processing activities for which it is responsible. That record contains all the following information:

  1. The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the Data Protection Officer.
  2. The purposes of the processing.
  3. A description of the categories of data subjects and of the categories of personal data.
  4. The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations.
  5. Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.
  6. Where possible, the envisaged time limits for erasure of the different categories of data.
  7. Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Protection of Personal Data

Considering the nature, the scope, the context and the purposes of the processing, as well as the risks of the different probability of occurrence and seriousness for the rights and freedoms of Data Subjects, the T.E.K.A.applies appropriate technical and organizational measures to ensure and be able to prove that the processing is carried out under the GDPR.

During the assessment of the appropriate level of security by T.E.K.A.account shall be taken of the risks arising from the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.

Staff Training

T.E.K.A. accepts that the protection of personal data requires the awareness of its human resources regarding personal data protection. In this regard, agrees with the adoption and implementation of the following:

  1. Appropriate training by executing Fair Information Practices (FIP), governing the collection and use of personal data, and addressing privacy and accuracy issues. Human resources cannot become experts in the field of privacy protection overnight. However, their familiarity with the international requirements of privacy protection is possible and necessary. Employees who have crucial roles in privacy need to acquire more specific knowledge. For most of the workforce, however, a thorough understanding of privacy’s general principles is essential.
  2. T.E.K.A. seeks to raise awareness of fundamental concepts of personal data protection on its human resources.

Modification

This policy may need to be amended concerning the processing of personal data. In case the modification of the terms in question is of such nature and extent that the above data processing terms do not cover it, the Hellenic Auxiliary Pensions Defined Contributions Fund (T.E.K.A.) must make public the new version of the policy.