INTRODUCTION

As of 25 May 2018 the General Data Protection Regulation – EU Regulation 2016/679 applies in the European Union (hereinafter referred to as “GDPR”). For the text of the Regulation you may choose the address URL: https://eur-lex.europa.eu/legal-content/EL/TXT/?uri=CELEX:32016R0679

This Personal Data Protection Policy (hereinafter referred to as “Data Policy”) concerns the Organization under the name “Athens Urban Transport Organization S.A.” and the distinctive title “OASA” (hereinafter referred to as OASA), based in Athens, 15, Metsovou str. in Greece. OASA is the creator and holder of all the rights attached to the following webpages under the domain names:

OASA pays special attention to the protection of personal data of its customers and officers as well as any persons visiting the websites of the Organization.
To that effect, it has prepared this Data Policy in order to inform the above persons about the method of collection, usage and notification of their personal
data. Also, OASA has established a General Data Protection Policy as well which is available on the webpage.

This website may include links to other websites, which are under the responsibility of third parties (natural or legal persons). Additional websites
may be added in the future, for the terms of personal data protection and management of which OASA shall assume no responsibility.

DEFINITIONS OF PERSONAL DATA

((Note: Definitions follow art. 4 of GDPR))

  • “Personal Data”: any information through which a natural person is identifiable or may be identified (“Data Subject”).
  • “Controller”: the natural or legal person, the public authority, the service or any other body who, individually or jointly with others, determine(s) the purposes and the manner of personal data processing and in this case, it is OASA.
  • “Processor”: the natural or legal person, the public authority, the service or any other body who processes personal data on behalf of the data controller.
  • “Data Subject”: the natural persons, for whom the data controller collects and processes personal data (in this Data Policy, Data Subjects shall be the users of the OASA websites and the services that the Organization provides and in general all interested parties and third persons – visitors of the websites).
  • “Recipient”: the natural or legal person, the public authority, the agency or any other body, to whom the personal data are disclosed, whether or not it concerns a third party or not.

COLLECTION OF PERSONAL DATA

Personal data is collected where the visitor/user visits the websites of OASA and

  1. interacts with them or
  2. fills out standard communication webpages (forms) or
  3. submits a request for the issuance of a card, multiple ticket. It is possible to collect certain information such as:
    name, surname, SSN (AMKA), month and year of birth, address, group of eligible person, eight-digit personal code for the encryption of the user data.

Personal data collected for the issuance of personalized cards are deleted upon completion of the procedure in accordance with the Opinion 4/2017 of the Hellenic Data Protection Authority.

Additionally, information may be collected by automated means including:

  • the user’s IP address. The IP address is determined by the provider of the connection, through which the visitor / user may access the internet and then the website. The IP address is maintained only under the statutory requirements. Also, information that is collected encompasses the type of browser and the operating system, the websites and the connections selected (by clicking) within the page, the basic information of connection to the server, the information collected through software such as HTML cookies, Flash cookies, web beacons and other similar
    technologies.

PURPOSE OF PERSONAL DATA PROCESSING

The personal data collected is solely used for reasons concerning the fulfillment of the activity purpose of OASA, which is to render transport services
by means of transport in the area of competence falling under OASA and for statistical reasons as well as for reasons relating to improvement of the services – information provided and may not be used by
any third party.
Specifically, Personal Data collected by the websites of Data Controller and are stored in the relevant database are intended to be used for the
purposes mentioned above, i.e.:

  1. for the issuance of electronic cards for all means of transport (buses, trolleybuses, metro, tramway and suburban railway) in the broader region of Athens,
  2. so that the study of anonymized statistical data by OASA and third parties be possible, however in a manner by which they cannot identify the personal
    data subjects,
  3. 3. for the management of websites and any type of communication be possible,
  4. 4. for the forwarding of updates or notifications upon previous relevant selection of the users.

The legal basis of processing for purpose (1) is the contract with the customer-passenger / person applying for the issuance of a card.

The legal basis of processing for purposes (2) and (3) is the compliance with the legal obligation of OASA, the performance of duty related to the exercise of official authority assigned to
OASA and the legal interest thereof.

The legal basis of processing for purpose (4) is the consent of the Subject to any data entry. OASA will ensure that, in this limited case, the particular consent meets the consent conditions pursuant to the GDPR and legislation.

According to the General Personal Data Protection Policy of OASA , the information of users who have contacted OASA are kept in the Organization’s servers for a
period of two (2) years.

DATA RECIPIENTS AND PURPOSE OF TRANSMISSION

Personal data of OASA website shall be transmitted to partners and / or subcontractors of OASA, but always under the requirements fully ensuring that the personal
information of Data Subjects are not subject to any illegal processing, other than the purpose of transmission. The main recipients of user personal data are:

  • Electronic Ticket Services S.A. – Hellas Smarticket under the distinctive title “HST S.A.”. HST has undertaken the study, funding, installation, operational
    support, maintenance and technical management of the Single Automatic Fare Collection System for the companies of OASA Group. The company shall perform the role of “Processor” within the meaning of art. 4 point 8 of GDPR.
  • The company INFORM P. LYKOS S.A. to whom the requests for issuance of cards are sent in the form of an electronic file to cover the needs for printing, placing in envelopes and sending. Similarly, the
    Company shall perform the role of “Processor” within the meaning of art. 4 point 8 of GDPR.
  • E-Government for Social Security S.A. (“IDIKA”), who has undertaken the automatic verification of the data entered by the Data Subject for the personalization of the pass card that provides the entitlement of free transportation or transportation by means of a discount fare (unemployed, disabled persons). It is noted that these data are not entered in the records of OASA. The Company shall also perform the role of “Processor” within the meaning of art. 4 point 8 of GDPR.
  • The company The Records Hub SA who has undertaken the digitization and storage of the physical files of the Organization. The Company shall also perform the role of “Processor” within the meaning of art. 4 point 8 of GDPR./li>

The above recipients are third parties who provide services of electronic ticketing products control and issuance, customer services, for the usage of which the processing of personal data is required.

PROCESSING OF PERSONALIZED CARD DATA

To issue a Personalized Card, identification of the Data Subject is required. The purpose is to:

  1. to provide products for unlimited journeys (monthly, annual cards etc.),
  2. to provide the discount entitlement to groups of passengers eligible for it (e.g. discount because of a monthly card issuance, student status etc.),
  3. not to issue multiple cards per person,
  4. to allow users to request the cancellation of a lost or stolen card,
  5. to address more effectively the avoidance of boarding a means of transport without paying the prescribed fare,
  6. 6. to provide OASA the possibility to know exactly the number of movements for those passenger groups, whom the Public
    Agencies, under the supervision of which are the said eligible persons, to pay OASA for the (e.g. the Ministry of Education for the students etc.).

For the issuance of an unlimited-journey card for the users of the Single Automatic Fare Collection System, OASA chooses to use hashing
for the personal data of users, so that the identification of the person be avoided. Any record of traffic data of the personalized card does not refer to any particular person, but to a “digital fingerprint” “hash value”, as this is estimated by a hash function. The digital fingerprint derives from the combination of SSN (AMKA) and the 8-digit security code (for Greek citizens) or the passport number and the 8-digit security code (for aliens).

CΟNFIDENTIALITY

For the access to personal data of website users, OASA has appointed competent officers who are committed to discretion and confidentiality, whereas access without authorization is prohibited. Also, the Processors, on behalf of OASA have contractually agreed and committed to confidentiality, not to transmit any personal data to third parties without the authorization of OASA, to take appropriate security measures and to comply with the legal framework on personal data protection.

OASA will not sell or otherwise transmit or publish any personal data of the visitors/users of its websites to third parties, save the abovementioned recipients, without the consent of the visitor/user, with the exception of implementing relevant legal requirements and only before the competent Authorities.

The personal data kept may be notified to the competent judicial, police and other administrative Authorities upon legal request and pursuant to the legislative provisions in force. Moreover, in the event of a legislative provision under the public prosecution service or any other authority, or the conducting of an ordinary or preliminary examination, OASA shall be obliged to provide any relevant evidence to the requesting Authority.

OASA will not transmit any personal data of users to a third country or international organization.

The websites may offer the possibility to share through social networks and other similar tools that enable sharing the activities of the users within the Webpage / Application with other applications, webpages or media and vice versa. The use of such features enables exchange of information with the friends of the users or the public, depending on the settings selected in their personal profile. The users / visitors are requested to refer to the privacy policies of the individual social media for more information regarding their data management.

CONSENT OF USER

The users by accepting this Personal Data Protection Policy, in accordance with the procedure below, acknowledge that:

  1. Processing relating to acts resulting in deception: The Data Subject has been informed and agrees that, in the event of existence of sufficient indications and if the specific occasion requires it, OASA has the right to collect, process and use personal data necessary for the disclosure of acts resulting in deception, as well as any evidence suggesting any other illegal or unconventional use of its websites.
  2. Transmission required by law: The Data Subject has been informed and consents to a possible transmission of its personal data to prosecution and supervisory Authorities for the necessary protection from risks concerning the state and public safety, as well as the prosecution of criminal acts.

TRANSFER AND STORAGE OF PERSONAL DATA

Any transfer or transmission of personal data of Data Subjects is carried out through electronic systems and the data is transferred in encrypted form.

The data is stored in the servers of OASA located in the Organization premises and the servers of the contractors – recipients installed in the premises of OASA group.

RIGHTS OF DATA SUBJECTS

OASA as a Controller, in full compliance with the provisions of GDPR, enables and facilitates the exercise of the statutory rights of the Subjects:

  1. Right to access
    The Data Subjects have the right to be informed, at any time, about whether OASA is processing their personal data and, if so, to ask to be informed about the purpose of the processing, the type of Data being processed, the recipients to whom OASA transmits it, the period of its storage and if decisions are made automatically. In addition to this, the Subjects will be given access to the said personal date without any undue delay.
  2. Right to rectification
    The Data Subject has the right to request from OASA the rectification of any inaccurate or obsolete personal data concerning it. Also, it has the right to request the completion of any incomplete personal data, inter alia, through a supplementary statement. Furthermore, OASA undertakes to notify each recipient of any personal data rectification, to whom the personal data has been disclosed, unless this proves impossible or involves a disproportionate efforts. OASA undertakes to inform the Data Subject regarding the said recipients, if requested to do so.
  3. Right to erasure
    The Data Subject has the right to request from OASA the erasure of personal data concerning it, if is not necessary any more for the abovementioned purposes and under the requirements set out in art. 17 of the GDPR.
  4. Right to restriction of processing
    The Data Subject has the right to request from OASA the restriction of the processing of personal data concerning it. Should the processing of personal data be restricted, the said personal data, except for storage, are processed only under specific exceptions.
  5. Right to data portability
    The Data Subject has the right under the requirements set out in art. 20 of GDPR to receive the personal data concerning it and which has provided to OASA in a structured, commonly used and machine-readable format.
  6. Right to object
    The Data Subject has the right to object, at any time, on grounds relating to its particular situation, to the processing of personal data concerning it under the requirements prescribed in art. 21 of the GDPR. As soon as the right to object is exercised, personal data is not processed any more, unless the existence of legitimate and imperative grounds for processing, which supersede the interests, rights and freedoms of the Data Subject, or for the establishment, bringing or support of legal claims, is demonstrated. OASA guarantees that, where the Data Subject objects to the processing of data concerning it, the Organization will not process the said data anymore, unless the latter proves that there are imperative and legitimate reasons for processing, which supersede the interests and rights of the Data Subject.
  7. Automated individual decision-making including profiling
    O OASA shall not proceed for the time being to an automated individual decision-making. Nevertheless, in any case and if the Organization in the future decides to proceed to an automated individual decision-making, the Data Subject has the right to object to a decision that is taken based solely on an automated processing, including profiling, where this decision produces legal effects concerning the latter or affecting it significantly.
  8. Fulfillment of rights

Overall, OASA ensures that:

  1. Procedures enabling the easy exercise of rights of the Data Subjects are in place, so that all actions are initiated immediately.
  2. it will respond to the request submitted by the Data Subject without any undue delay and in no more than thirty (30) calendar years.
    In the event that the Organization cannot fulfill the right exercised by the Data Subject, OASA will ensure that a specific, sufficient and full justification is provided.
  3. Except in the case of manifestly unfounded or excessive requests, all actions relating to the satisfaction of the Data Subjects’ rights will be provided free of charge to the Subjects.

Data Protection Officer

OASA Data Protection Officer, based at 15, Metsovou str. Athens, email address:dpo@oasa.gr. The visitors/users of OASA websites may contact the Officer for any questions they have in connection with this Privacy Policy as well as any matter relevant to the processing of their data and the exercise of their rights.

In the event that the Data Subjects consider that the processing of their personal data violates the applicable regulatory framework for the protection of personal data, they have the right to lodge a complaint to the Hellenic Data Authority (address 1-3, Kifissias Avenue, P.C. 115 23, Athens, tel. 210.6475600, email address: contact@dpa.gr).

«COOKIES» POLICY

General information

The websites of the Organization use Cookies (“treat” – program) in accordance with the relevant legislation. Cookies are small pieces of information (files), in plain text format, that are stored in the user’s computer (or other devices with access to the internet, such as a smartphone or tablet) when the latter visits any page on the internet. Cookies do not cause any damage to the user’s computer nor in the files stored in it. Without these, it would be impossible for the personal preferences of the user to be stored. Cookies enable the collection of information necessary for the measurement of visitors of websites, the improvement and upgrade of their content, the adjustment to demand and the needs of users as well as the measurement of effectiveness of website presentation in third-party websites. Cookies used in the websites of OASA do not collect information that personally identify the users and do not take note of any document or file from the users’ computer.

The information collected by Cookies may include the browser used by the user, the type of computer, its operating system, the internet service providers and any other relevant information. Moreover, the information system of the website automatically collects information regarding the sites which the user visits and the links in third-party websites that may be found in the websites of OASA.

«Cookies» used by OASA

The websites of OASA, like all webpages, use cookies to run smoothly and provide the best service possible to the user. The four categories used are analyzed below:

  • Strictly necessary cookies
    Strictly necessary cookies make the page more useful, enabling basic features such as navigation and access to secure areas of the webpage. The webpage cannot run properly without these cookies.
  • Preference cookies
    Preference cookies allow the webpage to remember information that change the way the webpage functions or its display, such as the preferred language or the region you are located.
  • Statistics cookies
    Statistics cookies help the owners of the webpage understand how the visitors interact with webpages by collecting and reporting information anonymously.
  • Marketing
    Marketing Cookies are used for the tracking of website visitors. Our intention is to display ads that are relevant and attractive to users and, therefore, more valuable for third-party publishers and advertisers.

Management and deletion of «Cookies»

The menus of most browsers provide choices in relation to the method of cookie management. Depending on the choices the users are offered by the browser, the latter may allow the installation of cookies, deactivate / delete the existing Cookies or be notified each time they receive Cookies. Instructions on the management and deletion of Cookies may usually be found in the “Help”, “Tools” or “Edit” menu of the relevant browser. Also the user may find a more detailed guidance at www.youronlinechoices.com/gr, where the way to control and delete Cookies in most browsers is explained. The user must bear in mind that in case they reject or deactivate cookies of the OASA websites, the functionality of the webpages may be partly lost. Also, when you deactivate a cookie or a category of cookies, the relevant file is not deleted from the browser. Such an action must be carried out by the user itself, by modifying the internal functions of the browser they use.

Amendment to this policy

OASA reserves the right, where it considers it appropriate, to amend to this Policy, in whole or in part, at its absolute discretion and post such amendment on its websites. Any amendment hereto will take effect as soon as the amended Policy is posted on the websites. In any case, where the user continues to use the websites of OASA following the amendments, it means that the latter accepts them. Otherwise, the will have to discontinue the use of the OASA websites or to notify any objections. The users must take note of the Policy on a regular basis, in order to be sure that they are aware of the recent edition.

Contact information

For any inquiry regarding this Policy, the users may contact OASA through the email address oasa@oasa.gr.