Terms of Use – Ath.ena Card

ATHENS URBAN TRANSPORT ORGANIZATION (OASA)

1. Privacy Policy Statement

OASA’s https://www.athenacard.gr/TermsAndConditions.dev explain how we treat your personal data and protect your privacy when you use our services online. This webpage also describes the information collected and procedures followed in order to protect your privacy.

This privacy policy statement applies to all data collected by the websites of OASA Group S.A., and its subsidiaries including the following entities:

Urban Rail Transport (STASY)
Road Transport (OSY)
ATHENA CARD

Collection of Personally Identifiable Information (PPI)
You may visit our website without disclosing any of your personal information.

By registering any of your personally identifiable information data such as name, surname, date/ year of birth at any of the required fields, you allow us to provide you with the selected OASA’s services.

In all other cases, you will be required to provide only the information that is necessary to us in order to render you the service that you requested.
Use of Personally Identifiable Information (PPI)
Each time we collect information from you, you will be informed accordingly and asked whether you would like to receive information regarding our products and services or public transport in general.
You will always be given the possibility to leave our website.
If we want to use your personal information for marketing purposes, we will inform you accordingly and request your prior consent to such use.
You may leave our website at any time.
OASA may also share your personal information with the police and other law enforcement bodies in order to assist in the prevention and detection of crime.
In case that your personal information is disclosed, you may ask OASA to prove that your disclosed data will assist in the prevention and detection of crime or that OASA is lawfully under the obligation to disclose it.
This is strictly applicable per case and following an also strictly controlled procedure in order to assure our compliance with the provisions of Law regarding the Personal Data Protection.
Protection of Personally Identifiable Information (PII)
In order to protect your personal information data, we use the most updated relevant procedures by complying with the rules for acceptable use of personal information as defined by the Personal Data Protection Authority. We also protect your personal information by deploying Secure Sockets Layer (SSL) cryptographic technology. We have implemented all appropriate security measures in order to protect you from loss, misuse or alteration of your data collected via our web pages. However, internet is not considered to be a safe communication mean in general, and therefore, we cannot guarantee the safety of any information shared online or via this website.
Cookies
A cookie is a small text file that a website asks your browser to store on your computer in order to remember your actions and preferences. Cookies are generally used in order to control use of websites and improve users’ online experience, without allowing us access to any other part of your computer or use for personal identification reasons.

Changes to this Privacy Policy Statement
OASA may update and modify this statement at any time. By keeping accessing this website, you accept such updates and modifications.

2. Cookies

This chapter contains information regarding cookies and similar technologies that may be installed into your device when accessing an OASA’s website and how to handle them.

This policy concerning Cookies applies to data collected from OASA’s websites.
What are cookies?
Our aim is to provide services in the most reliable and useful way. Sometimes, rendering our services online implies storage of small-sized information on your device (e.g. computer or mobile phone). Such information includes cookies and other similar technologies deployed for the recognition of users’ attitudes when visiting websites or using mobile applications. Such technology cannot be used for personal identification purposes.

Cookies help us, for instance, in simplifying and improving the services rendered to you by:

Allowing a service to recognize your device in order to avoid re-entering the same information data many times during a single process.
Recognizing that you have already signed up with a certain username and password, so that there is no need for repeating sign-in when linking to other web pages.
Counting how many people make use of our services, so that we facilitate access by providing sufficient capacity and speed.
Analyzing anonymous data in order to understand how people interact with our website, so that we are able to improve our website’s functionality and user experience.

May I be excluded from cookies’ use?
We use cookies based on your “silent consent”. This means that if you continue accessing our website, we will assume that you consent to the use of cookies. Otherwise, you are given a few alternatives, such as the following:

You may set up your browser (e.g. Chrome, Firefox, Internet Explorer etc.) so that it disables all cookies and allows them only for “trusted” websites or you may allow cookies from a single website only during your visit to it. Select “Help” feature from your browser’s menu and follow the instructions. However, you should keep in mind that if you chose to clear or block cookies, certain services of our website might not be available to you.

For more information on cookies and how to handle them, you may also visit our “About Cookies” web page.

Sometimes, we use external providers for our services which means that third party cookies may be installed into your device. We do not control such cookies. Therefore, should you need more information on how to block third party cookies, please read the individual privacy notices listed below.
Cookies on our website and how we use them
Strictly Necessary Cookies
Without these absolutely necessary cookies, our website would simply not function properly. These cookies provide you safe access to our website’s pages and enable certain actions.
Google AdSense
This a cookie used by Google in order to provide us with information on the effectiveness of online marketing campaigns, using only anonymous user data.

Visit Google’s advertising privacy page
Visit Google’s advertising preferences page

It is pretty much similar to the aforementioned cookies (both owned and controlled by Google) yet it is specially intended for advertising purposes on our website. The cookie only collects anonymous user data.

Visit Google’s advertising privacy page
Visit Google’s advertising preferences page

Embedded Content
We sometimes embed images or videos from other websites such as YouTube or Flickr. So, additional cookies may be installed into your device by visiting the said websites. We neither control such cookies nor are able to prevent these websites from collecting data regarding the use that you make of such content. Therefore, we encourage you to check the third party website’s relevant privacy policy for the cookies that they use and how to block them. If you will not be identified unless you are connected with their services. However, they may collect anonymous user data (e.g. number of views, games, loadings etc.).

Social Media Networks
Certain pages of our website contain embedded “Share” buttons or web widgets that allow you to share content with your friends via many and very popular social media websites (e.g. Google + 1, Twitter, Facebook ‘Like’ etc.). These websites may have set up certain cookies in order to identify you when connected with their services. This means that they may collect information on your activity throughout the web, including your visits to the OASA Group S.A.’s websites. We do not control such cookies and we, therefore, encourage you to check the third party website’s relevant privacy policy for the cookies that they use and how to block them.

3. Website

We make every effort in order to assure our websites’ proper functioning and accurate information sharing. This is not always possible and therefore, we limit our liability to the following disclaimer statement.
Disclaimer
The information contained in this website is provided per se without making any representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services or related graphics on the website for any purpose. We take no responsibility for, and will not be liable for the website being temporarily unavailable due to technical issues beyond our control.

To the extent permitted by law, we expressly disclaim any liability for any loss or damage including without limitation, indirect or consequential loss or damage or any loss or damage whatsoever arising out of or in connection with the use of this website either due to inaccuracy, error, defect, mistyping, viruses, omission, outdated information or other reason.

Any reliance you place on the information and content retrieved from this website is therefore strictly at your own risk. This means that you, and not OASA S.A., shall be solely and fully responsible for any loss or damage arising from loss of data or damage of software and/ or hardware. This applies even if we have explicitly issued a warning about such potential damages.
Links to other websites
Through this website you are able to link to other websites which are neither under our control nor our liability in terms of their nature, content and availability. The inclusion of any links is exclusively intended for our users’ convenience and does not necessary imply a recommendation or endorse the views expressed within them.

Third party websites may contain links to this website pages, without OASA’s prior consent. However, third part websites may not embed the referred OASA’s website content in i-frames or any other form of embedded content whatsoever. Instead such links may only open in new windows or tabs on the user’s browser.

No party may use any of OASA Group S.A. and/ or its affiliates and subsidiaries’ logo for advertising or linking purposes without our prior written consent. For more information on how to submit a relevant request, please contact OASA’s Customer Service Centre.
Governing Law & Jurisdiction
These terms and conditions are governed and interpreted by Greek law. Users and OASA agree to submit to the exclusive jurisdiction of the competent Greek courts for any dispute that may arise from accessing or using this websites’ pages. Our failure to insist upon or enforce any provision of these terms and conditions shall not be construed as a waiver of any our rights or provision, unless otherwise and expressly stated in writing by OASA S.A..
Copyright
All rights reserved. Unless otherwise stated, all copyrights and other intellectual property rights (such as rights in designs, trademarks, patents etc.) for all contents of this website are reserved by OASA (or by any third party following relevant agreement or by their legal holders). This website and its content is copyright of OASA. Any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not print, download, copy, reproduce, republish, alter, upload, present to any third party, modify or reuse any of this website’s contents, unless it is for your personal and non-commercial use only. For any other use, you need our prior written consent. To find more about OASA’s Copyright, please contact our Customer Service Centre.

Privacy Policy
We fully respect the confidentiality of your personal information data by strictly implementing the OASA privacy policy. So, by entering this website, you consent to the terms and conditions of our privacy policy statement.
Special Terms of Use

using any data from the OASA, Urban Rail Transport (STASY), Road Transport (OSY) and ATH.ENA Card websites in any other media (i.e. to update any other software and/ or data base);
engaging in any data mining, data harvesting, data extracting, trawling and screen scraping or any other activity in relation to the said websites.

4. Privacy and Personal Data Protection Policy

We process personal information data in compliance with L. 2472/ 1997 on the Protection of Individuals with regard to the Processing of Personal Data and we ensure that our staff are aware of their obligations when processing personal data on behalf of OASA.
Purpose
1. The objective of this policy is to ensure that:

a. Personal Data are processed by OASA in compliance with the provisions of Law 2472/ 1997 on the Protection of Individuals with regard to the Processing of Personal Data and the requirements of all other relevant legislation as applicable for information management and,
b. OASA’s staff are aware of their obligations when processing personal data on behalf of OASA.

Definitions
2. Cyber Security and Incident Response Team (CSIRT): a business unit within the Information Management department of Customers, Communication and Technology.
3. Data Controller: the organization (alone, jointly or in common with other organizations) which determines the manner and purposes for which Personal Data is to be processed.
4. Data Processor: processes data on behalf of the Data Controller (other than an employee).
5. Data Protection Legislation: the Law 2472/ 1997 on the Protection of Individuals with regard to the Processing of Personal Data, together with all secondary legislation made under it. Law 2472/ 1997 governs the way in which Data Controllers such as OASA can process an individual’s Personal Data. It also gives individuals certain rights regarding the information that is held about them and obliges OASA to respond to any requests from an individual to access their own Personal Data.
6. Data Protection Principles: a set of statutory requirements, which all Data Controllers are obliged to adhere to. The Principles balance the legitimate need for organizations such as OASA to process Personal Data against the need to protect the privacy rights of the Data Subject.
7. Data Subject: an individual who is the subject of Personal Data.
8. Personal Data Protection Authority: the regulatory body established by the Greek State to promote public access to official information and protect personal information. Compliance with the Data Protection Legislation is enforced by the Personal Data Protection Authority.
9. Internal Audit: a department within OASA’s organizational structure.
10. Personal Data: information which relates to a living individual who can be directly identified from either the information itself, or by combining the information with other data available to OASA. Personal Data includes expressions of opinion and indications of intention, as well as factual information.
11. Personal Data Breach: the loss, theft, inappropriate use or unauthorized disclosure of Personal Data.
12. Personal Information Custodians: senior managers, who are responsible for the Processing of Personal Data within their assigned area of control.
13. Privacy and Data Protection Team: a business unit within the Information Governance department of OASA’s organizational structure.
14. Privacy Risk: that part of OASA’s overall risk portfolio which relates to the integrity, availability and confidentiality of Personal Data.
15. Processing/Processed: includes collecting, recording, storing, retrieving, transmitting, amending or altering, disclosing, deleting, archiving and destroying Personal Data.
16. OASA Personnel: includes all OASA employees as well as all temporary staff, contractors, consultants and any third parties with whom special arrangements (such as Data Processor, confidentiality or non-disclosure agreements) have been made.
17. Athens Urban Transport Organization (OASA): the statutory corporation under Law 3920/ 2011 and its operating subsidiaries.
Scope
1. This policy applies to all OASA Personnel and to all Personal Data Processed by OASA at any time, by any means and in any format.
Policy Statement
19. OASA will:
(a) Comply with Data Protection Legislation and adhere to the eight Data Protection Principles, as described in the Annex to this policy
(b) Comply with the statutory requirement to maintain accurate entries on the Personal Data Protection Authority’s public register of Data Controllers which describes the purposes for which Personal Data is processed
(c) Comply with all other relevant legal requirements which apply to its processing of Personal Data, including:

1. The Greek Constitution and the requirement to act in a way which is compatible with the right to respect for private and family life in the European Convention of Human Rights and Fundamental Freedoms
2. The Privacy and Electronic Communications (EC Directive) Regulations 2003

iii. The applicable EU legislation on duty of confidentiality
(d) Adhere to the requirements set out in the following standards, policies and guidance in order to support its compliance with Data Protection Legislation:

1. The Personal Data Protection Authority’s guidance documents and Codes of Practice
2. The Payment Card Industry Data Security Standard (PCI DSS)

iii. OASA’s Policy on the Disclosure of Personal Data to the Police and other Statutory Law Enforcement Agencies

1. OASA’s Information and Records Management Policy
2. OASA’s Information Security Policy

(e) Implement appropriate structures, systems and processes to manage all Personal Data fairly and lawfully and in a way that ensures its integrity, accuracy, relevance and security
(f) Be open and transparent about how Personal Data is Processed, providing clear privacy notices at the point at which it is collected, with access to additional supporting information provided via the OASA website
(g) Ensure that its procurement processes and contractual arrangements with external service providers include adequate measures to ensure compliance with the Data Protection Principles and associated requirements outlined in this policy
(h) Approach the identification, control, mitigation and elimination of Privacy Risk in the same way as financial and operational risk. This will be reflected in corporate and local risk registers
(i) Give customers/ consumers an opportunity to opt in to receiving future marketing communications at the point at which their Personal Data is first collected; and within any marketing communications, provide a simple and transparent process to unsubscribe
(j) Ensure that requests from customers to change the use of their data for the purposes of marketing and/or the provision of service updates will be acted on promptly
(k) Install and use Closed Circuit Television (CCTV) and similar equipment, in accordance with the requirements of the currently applicable guidelines of the Personal Data Protection Authority and the additional requirements of the Ministry of Citizen Protection, if applicable.

(l) Not disclose Personal Data to third parties except where disclosures are permitted by, or required by law
(m) Label Personal Data in accordance with its Information Security Classification Standard for protectively marking Information
(n) Ensure that any complaint about OASA’s processing of Personal Data or non-compliance with this policy will be passed to the Privacy and Data Protection Team. The complaint will be dealt with promptly and in accordance with OASA’s Privacy and Data Protection Complaints Handling Procedure
(o) Require all OASA employees directly involved in the Processing of Personal Data to complete appropriate training on an annual basis
(p) View serious or repeated breaches of this Policy by a OASA employee as misconduct which will be managed and resolved in accordance with relevant disciplinary and judiciary – if applicable by law – policies and procedures.
Responsibility for privacy and data protection compliance

20. All OASA Personnel are responsible for actively supporting compliance with this policy and should only process Personal Data for legitimate business purposes directly related to the performance of their duties.
21. Personal Information Custodians are responsible for:

(a) Ensuring that OASA Personnel within their area of control are aware of this policy and are adequately trained in the handling of Personal Data
(b) The assessment and reporting of Privacy Risk linked to the Processing of Personal Data within their area of control
(c) Ensuring that Privacy Impact Assessments are carried out as part of the development and implementation of any new business process or IT system which is to be used to Process Personal Data
(d) Implementing appropriate procedures to ensure compliance with restrictions on the Processing of Personal Data within their area of control

22. The Privacy and Data Protection Team is responsible for:

(a) Providing advice and guidance on the implementation and interpretation of this Policy and/or Data Protection Legislation
(b) Promoting and enforcing compliance with this Policy, Data Protection Legislation and any other related legal, statutory or regulatory requirements which apply to OASA
(c) Investigating and resolving complaints about OASA’s non-compliance with Data Protection Legislation and/or this Policy
(d) Liaising with the Personal Data Protection Authority’s Office on any matter relating to OASA’s compliance with Data Protection Legislation and/or this Policy
(e) Maintaining OASA’s entries on the Personal Data Protection Authority’s public register of Data Controllers. All OASA Personnel are responsible for reporting actual or suspected Personal Data Breaches to Cyber Security and Incident Response Team (CSIRT) so that they can coordinate OASA’s response and help to implement any required remedial actions. Cyber Security and Incident Response Team (CSIRT) will notify the Privacy and Data Protection Team and Internal Audit of any such Personal Data Breach and keep them informed during its management and resolution.

23. Cyber Security and Incident Response Team (CSIRT) is responsible for advising the business on the technical measures and controls required to protect the security and integrity of Personal Data Processed by OASA using electronic information and communications systems.
24. Internal Audit is responsible for auditing the business processes, operating procedures and working practices of OASA and its service providers which involve the Processing of Personal Data, for the purposes of monitoring compliance with this policy and alerting the Privacy and Data Protection Team to any instances of non-compliance.

Procedures/Guidelines/Processes

25. This policy will be supported by corporate instructions and guidance published via the OASA Management System.

Approval and amendments

26. This policy was first approved by virtue of the relevant Personal Data Protection Authority’s Opinion no.
27. Every update to the policy shall be approved by the Personal Data Protection Authority, following preparation and submission of a relevant Privacy Impact Assessment by OASA documenting at least the following: a) a systematic description of the standard processes and their purpose; b) an assessment on the necessity and proportionality of the processing of personal data in function with the objectives; c) a risk assessment on rights and freedoms of individuals whose personal data are processed and, d) the required measures for addressing such risks along with the safety guarantees, measures and mechanisms (such as anonymization and/ or pseudonymization) in order to assure personal data protection. The said Privacy Impact Assessment shall be available until May 25, 2018.
28. This policy will be subject to periodic review as considered appropriate by OASA’s Board of Directors and following relevant approval by the Personal Data Protection Authority.

Policy ownership

29. OASA’s Board of Directors is the designated owner of this policy

Annex: The Data Protection Principles (Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data)

1. Personal data should be processed fairly and lawfully.

OASA will use Personal Data both fairly and lawfully. In any circumstance in which individuals provide OASA with their Personal Data for the first time, or for a new purpose, they will be informed of the identity of the Data Controller, the use to which their data will be put and whether any disclosure may be made to third parties.
This is known as a Privacy Notice and any such wording must be approved by the Privacy and Data Protection Team.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

OASA will only process Personal Data for the purpose(s) which the Data Subject was previously informed of and it will not be used for any other purpose that is incompatible with the original purpose(s).

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

OASA will ensure that only the minimum Personal Data necessary for the purpose is processed and will not collect or hold Personal Data solely on the basis that it might be useful in the future. There should always be a legitimate business reason for the Processing of Personal Data linked to a specific ongoing purpose.

4. Personal data shall be accurate and, where necessary, kept up to date.

This Principle covers the integrity of Personal Data. Data will be inaccurate where it is incorrect or misleading as to any matters of fact.
There must be processes in place to maintain the quality of data capture at the point data is first collected or obtained by OASA, and to accurately amend, update or correct Personal Data.

5.Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Business areas must ensure that Personal Data is securely destroyed once the purpose(s) for processing the Personal Data has come to an end; and there is no legal requirement or valid business/operational reason for its continued retention.

6. Personal data shall be processed in accordance with the rights of data subjects under Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data.

These rights are to:
(a) Gain access to their data
(b) Seek compensation for substantial damage or distress caused by their data not being processed in accordance with Law 2472/ 1997
(c) Prevent their data being processed in certain circumstances
(d) ‘Opt out’ of having their data used for direct marketing at any time
(e) Have automated decisions reconsidered
Requests from Data Subjects to access their Personal Data will be managed in accordance with the Personal Data Protection Authority’s Data Subject Access Code of Practice.

7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

OASA’s standard contractual clauses on data protection must be used in any circumstances where Processing of Personal Data on behalf of OASA is carried out by a service provider or other third party.
The Privacy and Data Protection Team must be consulted in the early stages of any project or proposed change to a business process that has any significant implications for the Processing of Personal Data.
Personal Data will be managed in accordance with OASA’s Information Security Policy.
OASA Personnel must report any actual or suspected incident, which either has or is likely to, result in the loss, theft, unauthorized disclosure, accidental destruction or other compromise of Personal Data directly to Cyber Security and Incident Response Team (CSIRT).

8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

OASA will comply with the restrictions in Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data on the transfer of Personal Data outside the European Economic Area (which consists of the 28 member states of the European Union plus Norway, Iceland and Lichtenstein). The Privacy and Data Protection Team must be consulted in advance of any such transfers being undertaken or agreed.

5. ATH.ENA CARD & ATH.ENA TICKET

5.1 General Information
5.1.1 You can buy an ATH.ENA Card and/ or Ticket from the following vending points:

Personalized ATH.ENA Card (https://www.athenacard.gr/jsp/smartafc/general/customers/ekdotiria-pros.jsp)
Anonymous ATH.ENA Card (https://www.athenacard.gr/jsp/smartafc/general/customers/ekdotiria.jsp)
ATH.ENA Tickets (https://www.athenacard.gr/jsp/smartafc/general/customers/ekdotiria-multiple.jsp)

ATH.ENA Cards are available at the aforementioned points. We disclaim any responsibility for ATH.ENA Cards bought by any other vending point other than those aforementioned.

5.1.2 If you use the Personalized ATH.ENA Card, you shall need to top it up with either a regular or discount long term fare product (i.e. 30/90/180/365-day pass). Such fare product must be available for the entirety of your travel or a sufficient balance for covering either your entire travel or the part not covered by the long term fare product. If you use the Anonymous ATH.ENA Card, then you may top it up with either a regular ticket at the price of €1,40 , a 5-ticket pack (5 x€ 1.40) at the total price of € 6,50, a 10-ticket pack + 1 bonus ticket (10+1 x € 1,40) or with any of the regular airport travel tickets, valid for either bus or subway, or with a 24-hour pass at the price of € 4,50, or a 5-day pass at the price of € 9,00, or a 3-day (tourist) pass at the price of € 22,00, and/ or with a stored of up to € 50.

5.1.3 You may lend your Anonymous ATH.ENA Card, loaded with any balance of regular tickets, to someone else, who must bear the ATH.ENA Card with them in order to use public transport.

If your ATH.ENA Card is registered under your name (i.e. it is a personalized card), this means that we are to answer any potential question regarding your ATH.ENA Card only to you personally. This happens because you are the sole responsible for your ATH.ENA Card and any use made of it. We disclaim any responsibility for any potential loss or damage whatsoever arising from unlawful lending and non-personal use of your Personalized ATH.ENA Card.

The same applies in case that you hold a Personalized ATH.ENA Card potentially loaded with discount fare products. You may not lend or pass your Personalized ATH.ENA Card to anyone else. If you do so, we reserve the right to cancel your ATH.ENA Card without refunding you for any unused long term fare product or stored value balance and/ or potentially available guarantee. The person found to use your Personalized ATH.ENA Card might pay a fine and/ or be prosecuted, depending on the provisions of applicable laws by the time they are found to unlawfully use the Personalized ATH.ENA Card.

5.1.4 We reserve the right to prohibit the use of your Personalized ATH.ENA Card. We also reserve the right to withhold your Personalized ATH.ENA Card due to improper use or if used outside the framework of the applicable Transport Rules and we might not return it, regardless whether such improper or unlawful use was made by its registered holder or any third party. All ATH.ENA Cards remain the property of OASA and are not to be deliberately destroyed, modified, altered or hacked whatsoever. We reserve the right to withhold, deactivate or cancel any ATH.ENA Card at any time. If we cancel your ATH.ENA Card for any reason without notifying you, you must contact the OASA’s Customer Service Centre in order to find out why and to be informed of what to do next.
5.2 Personalized ATH.ENA Cards and e-Services Accounts
5.2.1 Personalized ATH.ENA Cards.
If you want to register your ATH.ENA Card in order to protect it from loss, theft or because you are required to do so when buying a long term fare product with a more than 30-day validity time, you shall need to fill out the ATH.ENA Card registration form. If you hold an unregistered Personalized ATH.ENA Card, you may register it by filling out the relevant registration form at https://www.athenacard.gr/smartafc/sysadmin/user/signup/InitSignUpLoad.dev. You must always register your ATH.ENA Card if used along with a certification document for your entitlement to discount fare.
You shall also need to sign in your ATH.ENA Card account or contact the OASA’s Customer Service Centre in order to update them, in case that any of your personal data changes after the registration of your ATH.ENA Card.
The registration of the Personalized ATH.ENA Cards forms an integral part of their issue procedure.
5.2.2 Protection of ATH.ENA Card
If you want to register your ATH.ENA Card because you buy long term fare products with more than a 30-day validity time, you shall need to fill out the ATH.ENA Card registration form.

You shall also need to sign in your ATH.ENA Card account or contact the OASA’s Customer Service Centre in order to update them, in case that any of your personal data changes after the registration of your ATH.ENA Card.
5.3 Anonymous ATH.ENA Cards
Anonymous ATH.ENA Cards are not be registered. We cannot provide you with any information related to Anonymous ATH.ENA Cards, since they do not bear any user’s profile information.
5.4 Obligation to present your ATH.ENA Card
You must always be ready to present your ATH.ENA Card (along with an identification document if applicable), if you are requested to do so during your travel. You must allow any OASA Group or any other competent public authority member of staff to examine it at any time during your travel, if you are requested to do so. Otherwise, you might pay a fine and/ or be prosecuted.

5.5 Use of long term fares loaded on ATH.ENA Cards
5.5.1 When you use the urban rail or road transport means, you must validate your ATH.ENA Card each time you board a bus, trolley-bus or tramway and each time you pass (enter and exit) through a subway station gate, by passing it at a few centimeters distance from the ticket readers. The same applies even when entrance and exit Urban Rail Transport (STASY) station gates are open.

You may also use available and valid long term fare products loaded on your ATH.ENA Card, even when ticket readers are out of order, as you may be instead requested to present your ATH.ENA Card σας (along with identification certificate, where applicable).

You may use any long term fare product (unlimited travel pass) loaded on your ATH.ENA Card, provided that it is available and valid at the time you want to use it.

5.5.2 If you loaded a long term fare product (unlimited travel pass) on your ATH.ENA Card that it only covers the beginning or the end of your travel or just an intermediate part of it, you may use the stored value on your ATH.ENA Card for those parts of your travel not covered by your long fare product, provided that there is enough stored value on your ATH.ENA Card to do so. The important is to always bear an ATH.ENA Card loaded with a valid long term fare product and/ or enough stored value for your travel. Otherwise and for as long as paper tickets are still valid, you may also buy a ticket for that part of your travel that is not covered by the long term fare product loaded on your ATH.ENA Card.

5.5.3 When you buy a fare product for your ATH.ENA Card, we will issue a receipt for you indicating the details of the product that you bought. This receipt is not valid for boarding and travel.
5.6 Stored money value on ATH.ENA Cards
5.6.1 You may use the stored value balance on your ATH.ENA Card at all Urban Rail Transport (STASY) and Road Transport (OSY) means.

5.6.2 Only one person at a time may travel using the stored value on the ATH.ENA Card. You must bear your ATH.ENA Card with you, each time you want to travel using public transport means.

5.6.3 If you want to know the fare prices before using a public transport mean, visit https://www.athenacard.gr/komistra.dev. For single ticket prices, visit https://www.athenacard.gr/komistra.dev.
5.6.4 Use of stored value balance in Buses, Trolley – Buses and Tramways
When boarding a bus, trolley – bus or tramway, you must validate your ATH.ENA Card by passing it at a few centimeters distance from the blue ticket reader right opposite the spot marked with the 4 curved lines.
If you travel by using the balance of the stored value on your ATH.ENA Card, your fare shall be validated upon your first boarding but you shall still need to validate your ATH.ENA Card for as long as your fare is valid, EACH TIME you board on a bus, trolley – bus or tramway and EACH TIME you pass (enter and exit) through the subway station gates.

If you travel by not properly validating your ATH.ENA Card or paper ticket, you might pay a fine and/ or be prosecuted. Special provisions apply for those passengers accompanying persons on wheel – chairs. In the event that a blue ticket reader on a bus, trolley – bus or tramway is out of order, you must present your ATH.ENA Card to the vehicle’s driver.
5.7 Blue Ticker Readers (on Buses, Trolley – Buses and Tramways)
When you pass your ATH.ENA Card at a few centimeters distance from the blue ticker reader right opposite the spot marked with the 4 curved lines , you will

either see a green flashing light on the ticket reader and hear a beep sound indicating that your card is accepted and valid for travelling, or
you will get a red flashing light or an annoying sound like two beeps instead, which means that your ATH.ENA Card is rejected

In such case you are not to keep on travelling until your ATH.ENA Card is accepted or you buy a separate fare for your travel.

A light on the blue ticket reader indicates that the machine is ready to read your ATH.ENA Card. If there is a red light on or no light at all before passing your ATH.ENA Card in front of the blue ticket reader, this means that the reader is out of order. In such case, you shall need to talk to the vehicle driver. When on bus, you may try another blue ticket reader as there are more than one due to the fact that boarding is possible via almost all bus doors. If none of the blue ticket readers on the bus is working, then you shall need to talk to the bus driver.

ATH.ENA Cards cannot be validated at the readers of the Automatic Ticket Vending Machines (ATVMs).
5.8 Athens Metro Stations – Gate Ticket Readers
The ticket readers of the subway are located at the entrance / exit station gates. Gates shall open upon validation of fare (ATH.ENA Card or Ticket) via the ticket reader.

Gates shall open upon validation of fare (ATH.ENA Card or Ticket) via the ticket reader.
5.9 ATH.ENA TICKET
The Multiple ATH.ENA Ticket is a reloadable ticket useful passengers who want to use public transport for a limited period of time or occasionally use public transport. There are special terms and conditions applicable to ATH.ENA Tickets as follows:

ATH.ENA TICKET may be used by loading only the following fare products on it:
Daily pass at € 4,50

5-day pass at € 9,00
3-day (tourist) pass at € 22,00
5-ticket pass (5x €1,40) at the total price of € 6,50
10-ticket pack + 1 bonus ticket (10 + 1 x € 1,40) at the total price of € 13,50
Airport Travel Tickets for airport bus and metro lines, provided that their price equals to or exceeds the amount of € 4,50.

ATH.ENA TICKET cannot be registered as it cannot be personalized.

ATH.ENA Cards and Tickets may be issued in different designs from time to time, yet without affecting their availability and validity term.
5.10 Personal Data Protection
By registering your ATH.ENA Card or creating an e-Services Account, you accept that we keep your personal data in order to use it as described here below.
5.11 Collection of travel itinerary personal data
OASA’s ticketing system keeps data of the travel itineraries performed by use of your ΑΤΗ.ΕΝΑ Card for a 3-month period of time.
5.12 How we use your personal information data
In specific cases, OASA may share personal information data with the police and other law enforcement bodies in order to assist in the prevention and detection of crime.
OASA shall also use the data collected from you in order to verify them before issuing your ATH.ENA Card and shall not use or keep them for any other purpose whatsoever.
You personal information data shall be appropriately protected and processing in compliance with the requirements of Law 2472/ 1997 on the Protection of Individuals with regard to the Processing of Personal Data and the instructions of the Personal Data Protection Authority.

6. Replacement of ATH.ENA CARD and ATH.ENA TICKET

6.1 Replacement of ATH.ENA Card
In the event that your Personalized ATH.ENA Card is damaged or not working when passing it in front of the blue and subway station gate ticket readers, you may replace it at a cost of € 2, by visiting the nearest Ticket Counter for Personalized ATH.ENA Card
You may be requested to state your name, surname and address for identification reasons. Also, please note that the Anonymous ATH.ENA Card is not replaceable as it does not bear any user profile information.

Your Personalized ATH.ENA Card might also not work when approaching it a ticket reader, if it is defective. If there is no visible wear and tear like scratches, cracks or bends, visit a Ticket Counter for Personalized ATH.ENA Card and replace it for free. In any case, you shall need to hand over the defective ATH.ENA Card, for defect verification purposes.

You may declare the loss, theft or damage of your Personalized ATH.ENA Card at any Ticket Counter for Personalized ATH.ENA Card. Your card shall be replaced upon declaration and you shall need to pay the handling fees for its replacement.

Before replacing your Personalized ATH.ENA Card, you shall also need to settle any potential debit balance of it.
6.2 Multiple ATH.ENA Tickets are neither replaceable nor refundable
6.3 Anonymous ATH.ENA Card
The Anonymous ATH.ENA Card is neither replaceable nor refundable in case that it is lost or stolen, since it does not bear any user profile information. This means that you are not to be refunded for any fare product or stored value balance that happened to be loaded at the time that your Anonymous ATH.ENA Card is lost or stolen. Likewise, you are not to be refunded for any fares paid after your Anonymous ATH.ENA Card is lost or stolen.
Registered ATH.ENA Card: In the event that your registered ATH.ENA Card is lost or stolen, you must report it as soon as possible to us. You may declare loss or theft of your registered ATH.ENA Card either online via your e-Services Account or by calling the OASA’s Customer Service Centre. Once your personal data are confirmed, we shall deactivate your ATH.ENA Card. If, in the meantime, you find your lost or stolen ATH.ENA Card or if it is returned to you, you may not use it again. Instead, you must return it to us or destroy it and then dispose it off.
Long Term Fare Products: Our aim is to replace all remaining either regular or discount long term fare products found to be stored in your Personalized ATH.ENA Card, at the time that you declared that it is lost, stolen or damaged. To do so, we first need to issue anew Personalized ATH.ENA Card and then transfer all remaining fare products, remaining validity time and/ or stored money value of your old card, in accordance with certain applicable transfer terms and conditions.

7. Limitation of Liability – Disclaimer

If you are a holder of an ATH.ENA Card, do not publish or post online any photo where your personal or your ATH.ENA Card data are shown.
OASA draws your attention to such potential risk and disclaims any responsibility for infringement of any of your personal data that might arise from public disclosure of such personal and/ or ATH.ENA Card holder’s data.

6. Athena Card

This page explains how OASA uses your personal data information collected when you apply for issue or when you use your registered ATH.ENA Card. It also describes the time period that such personal information is kept, along with the specific circumstances under which may disclose such information to any third party.

If you are a holder of a discount ATH.ENA Card, please see the page referring on the personal data protection rules applicable to your case.
Personal data kept for signing up to our website
In most cases, the registration of your ATH.ENA Card data is optional. If you chose to register your ATH.ENA Card or add it to your e-Services Account, the personal information data to be kept are as follows:

ATH.ENA Card number and password (this is information that you also need to remember)
Date (Month/ Year) of birth
Passenger Category (i.e.

We do not store any details concerning pay cards used for purchasing long term fare products (unlimited travel pass) as such payment using your credit or debit card is realized via our special “Buy Now” web application page. Such information is encrypted and stored in compliance with the applicable payment card industry (PCI) security standards.

OASA’s ticketing system records the transport mean, the location, date and time that the ATH.ENA Card is validated for a certain travel itinerary.

For training and quality assurance reasons, you calls to the OASA Customer Service Centre might be recorded.

When you sign in your e-Services Account, we record your IP address, for crime prevention and fraud detection purposes.
How we use your personal data
OASA may use your personal data for customer service and management purposes, including customer surveys, prevention and detection of crime and fraud and travel itinerary data collection.
Information tracking & tracing capacity term
We track and trace data for individual travel itineraries realized by use of your ATH.ENA Card for a three-month period of time. By the end of the three-month period, your travel itinerary data are separated from out ticketing system (that is they become anonymous). The time period of three (3) months is considered to be reasonable so that it allows our customers to check or submit their questions regarding their travel itineraries (e.g. in case that they request for a refund).

Certain travel itinerary information is stored on the ATHENA CARD itself. Such information includes the most recent travel itineraries and relevant charges. If you are not a frequent ΑΤΗ.ΕΝΑ Card user, the information stored on your ATH.ENA Card might be older than three months.
We keep your personal data safe
Taking our customers’ personal data protection very seriously, we implement the most updated relevant policies and procedures, while also deploying all the necessary security measures and cryptographic technologies in order to assure appropriate access, control and use of your personal information data related to the ATH.ENA Card.

Personal Data Disclosure
In certain cases, we disclose personal identifiable information (PII) data to the police (and other law enforcement bodies) to the extent allowed by the applicable Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data and provided that such information is related to the prevention or the detection of crime and / or the arrest or prosecution of the offenders. Before we disclose such information, the police is required to prove that the relevant personal data will assist in the prevention or detection of crime. All relevant police requests to OASA are strictly handled per case, so that any disclosure of the kind is lawful and in compliance with Law 2472/1997.
Personal Data Processing Abroad
OASA is currently processing personal information data related to ΑΤΗ.ΕΝΑ Card inside Greece and the European Union. All relevant processes are subject to the contractual assurance policies and performed in compliance with the provisions of Greek and EU legislation on personal data protection.
Confidentiality Notice of ATHENA CARD
The Athens Urban Transport Organization (OASA) may use your personal data for customer service and management purposes and even for the prevention and/ or detection of crime and fraud.

In certain cases, OASA may also share your personal data with the police and other law enforcement bodies for prevention or detection of crime purposes.

7. e-Services Accounts

These terms and conditions cover ATH.ENA Card and ATH.ENA Ticket.
OASA’s Terms and Conditions for e-Services Accounts
Chapter 1 – Introduction

1. These terms and conditions concern customers creating and use an ATH.ENA Card account.
2. By creating and using such an account, you accept these terms and conditions.
3. The most update version of these terms and conditions shall always be available at https://www.athenacard.gr/TermsAndConditions.dev
4. No content of these terms and conditions shall affect whatsoever any of your legal rights.

Chapter 2 – Create an e –Services Account

1. You may create an e-Services (My ATH.ENA Card) Account at https://www.athenacard.gr/smartafc/sysadmin/user/signup/InitSignUpLoad.dev
2. To create your account, you need to enter your ATH.ENA Card number and a password.
3. Once you created your account, you may add (connect) your ATH.ENA Card to it.
4. You may connect one additional ATH.ENA Card with your account.

Chapter 3 – What you can do by connecting your ATH.ENA Card with your e-Services Account

1. In order to secure your credit/ debit card data, we deploy a safe payment cryptographic technology in compliance with the applicable payment card industry (PCI) security standards. We accept American Express, Maestro, MasterCard, Visa και Visa Electron cards.
We also accept all cards that are acceptable by the Greek Banks (i.e. Piraeus Bank, Alpha Bank, Eurobank and Ethniki Bank), in accordance with the provisions of the applicable laws, as well as all other cards issued by any approved Bank.
2. All payments made by credit/ debit cards are subject to the approval of the card issuers.
3. You may have a read-only access to your profile.
4. You may retrieve your ATH.ENA Card from any Ticket Counter for Personalized and Anonymous ATH.ENA Card
5. In the event that your Personalized ATH.ENA Card is lost, stolen or damaged, you must report it to any Ticket Counter for Personalized ATH.ENA Card as soon as possible, and ask to replace it with a new one. You are not responsible for any potential use of your card made after your documented declaration of loss or theft and the confirmation of your data on our behalf and until the moment that the ATH.ENA Card is deactivated.
6. OASA shall refund you for transport disruptions and strikes, in accordance with our relevant policies and procedures and the applicable provisions of law.
7. ATH.ENA Card and ATH.ENA Ticket use is subject to the OASA’s Transport Terms and Conditions. For more information, you may visit our website at https://www.oasa.gr/wp-content/pdf/xyk_gr_rev_19.pdf
8. You may be asked whether you would like OASA or OASA Group’s member companies to communicate with you in order to notify you of offers and other marketing campaigns related to our products and services. OASA may also ask you whether you would like any third party to communicate with you in order to inform you of their offers or marketing campaigns.

1. Charges shall be listed on the detailed bank account statement report of your bank account.
2. In the event that your Personalized ATH.ENA Card is lost or stolen, it shall be still activated until you declare loss or theft and we confirm your personal data. The Anonymous ATH.ENA Card is neither replaceable nor refundable in case that it is lost, stolen or damaged, since it does not bear any user profile information. The same also applies to the Multiple ATH.ENA Ticket, as again, the Multiple ATH.ENA Ticket does not bear any user profile information. Therefore, any fare product or money value stored on the Anonymous ATH.ENA Card or the Multiple ATH.ENA Ticket may be used by anyone. In any case, when your Personalized ATH.ENA Card is lost or stolen, you must report it to us as soon as possible.
3. You may declare that your Personalized ATH.ENA Card is lost or stolen at any Ticket Counter for Personalized ATH.ENA Card and ask for its replacement. Upon declaration, we shall deactivate your Personalized ATH.ENA Card as well as your Direct Debit.

Chapter 5. – Statements of Confidentiality
On behalf of ATH.ENA Card and its e-Services Accounts, the Athens Urban Transport Organization (OASA) shall use your date (month and year) of birth along with your passenger category for customer service and management purposes as well as for the prevention and the detection of crime and fraud. You personal data shall be appropriately protected and processed in compliance with the provisions of Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data. In certain cases, OASA may also share your personal data with the police and other law enforcement bodies for prevention or detection of crime and fraud purposes, in compliance with the provisions of the applicable laws.

Athens Urban Transport Organization (OASA) S.A.
15, METSOVOU STREET, GR – 106 82 ATHENS
i. 11 185
t. 210 82 00 999