Update on Personal Data Processing
Data Controllers – Data Protection Officer (DPO)
The company NEA ODOS S.A. (hereinafter referred to as “NEA ODOS” or Company) having its registered office in Athens, 87 Themistokleous Str., 106 83, and offices in Nea Erythraia, 19 Neas Erythraias Ave., 146 71, General Commercial Registry no. 7349501000, TAX identification no. 998807387 informs that, for the purposes of the Project assigned to it by the Greek State based on the relevant Concession Agreement, processes motorway users personal data in accordance with the applicable national law and the European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as the “Regulation”) as it is currently in force.
Furthermore, ΝΕΑ ODOS informs that the Operation and Maintenance of the Concession Project have been assigned, under the 05.03.2021 Operation and Maintenance Agreement (the “O&M Agreement”), which has been approved by the Greek State, to the company GEK -TERNA S.A. headquartered in Athens on 85 Mesogeion Avenue, PO 115 26, General Commercial Registry no. 000253001000, TAX identification no. 094005751, (hereinafter “the Operator”). Pursuant to the terms of the O&M Agreement, the Operator has undertaken to perform the day-to-day operation and maintenance of the Concession Project and in particular has undertaken, inter alia, the traffic management, routine maintenance and the periodic inspection of the Concession Project, the users and subscribers customer service, as well as the toll collection in the name and on behalf of ΝΕΑ ODOS S.A., as its proxy and direct trustee. Therefore, the Operator also processes, in the context of the provision of its services and under the O&M Agreement only, the absolutely necessary personal data of the motorway users and the subscription program subscribers and is jointly responsible for the processing of the above data with ΝΕΑ ODOS S.A.
Contact details of the joint data processors:
For any matter concerning the processing of personal data, you may contact the NEA ODOS and Operator’s Data Protection Officer directly (DPO) at the following contact details:
DPO’s name: Filippos Mitletton, Postal address: 19 Neas Erythraias Ave., 146 71, Nea Erythraia, email: email@example.com.
How and why we use your personal data
The personal data you provide to the Company by completing the Subscriber Application – Contract form (such as full name/trade name of sole proprietorship/partnership, father’s name, identity card or passport number, status/professional activity, email, mobile/fixed telephone, address details for sending monthly statements, credit card number, vehicle registration number), are processed only when the Company has legal grounds to do so.
Legal grounds for processing your personal data are:
Paid-subscription passes by the toll stations are electronically recorded for safety reasons, billing purposes, the protection of the Company’s legal interests and as proof of their making in case of doubt.
All personal data you provide by completing the Subscriber Application Form is necessary for the conclusion and execution of the contract providing the possibility of a paid-subscription-pass by the motorways managed by NEA ODOS through subscription programs. Failure to fill in or incorrectly fill in one or more of the fields of the Application Form makes it impossible to conclude a contract.
Third-party recipients of personal data
NEA ODOS sends personal data to third parties to whom it has assigned the processing of personal data on its behalf. Recipient of personal data is the company that has undertaken the provision of statements delivery services to the subscribers of the fast-pass service and the provision of related services. Also, personal data collected during the performance of the paid-subscription-pass contract is stored by a partner company. Finally, the Company cooperates with IT companies that provide related services, such as IT systems maintenance and security systems. In providing these services, IT companies may have access to personal data and, in specific cases they perform processing operations necessary for the provision of the services concerned.
In particular, NEA ODOS remains responsible for the processing of your personal data and specifies the details of the processing, signing a specific contract with the third-parties to whom it assigns processing activities in order to ensure that the processing is carried out in accordance with the applicable legal framework and that any natural person may freely and without hindrance exercise the rights conferred on him/her by the legal framework.
Furthermore, the Company forwards personal data to the competent governmental authorities when required by the applicable legal framework and for the performance of their duties in the public interest or in the exercise of the public authority entrusted to them, such as when necessary for the collection of toll charges, and/or when necessary to identify any violations of the Highway Code and generally of Greek law.
In the context of the Greek Motorways Interoperability and the consequent option provided to subscribers’ authorized vehicles to pay toll fees at toll stations on all Greek motorways by use of an electronic device of one single Provider (“interoperability”), Toll Management Authorities, Motorway Operators and Transponder Providers maintain the right to transfer amongst them data regarding their subscribers for the purposes of investigating incidents and/or solving problems or complaints made by Subscribers concerning transactions that occurred whilst making use of Interoperability. Such transfer shall be permitted only between the Provider and the particular Management Authority that the case involves.
With regard to the above processing of personal data carried out in the context of Interoperability, Providers, Toll Management Authorities and Operating Companies are jointly responsible for data processing and comply with the provisions of the General Data Protection Regulation (EU) 2016/679 (GDPR) and Law 4624/2019. The Subscriber may exercise his/her rights to the respective Provider with whom he has entered an agreement; the latter may, if deemed necessary, forward it to the competent Toll Management Authority.
The data storage time is decided on the basis of the following specific criteria, as appropriate on each case:
When processing is required as a necessity under provisions of the applicable legal framework, your personal data will be stored for as long as required by the relevant provisions.
When processing is done on the basis of a contractual relationship, your personal data will be stored for as long as is necessary to perform the contract and for the foundation, exercise, and/or support of legal claims under the contract.
For promotional and marketing purposes, your personal data is retained until your consent is withdrawn. This can be done by you at any time. Withdrawal of consent does not affect the legality of consent-based processing in the period before its revocation.
To withdraw your consent, you may contact the Data Protection Officer (DPO) at the following contact details:
DPO’s name: Filippos Mitletton, Postal address: 19 Neas Erythraias Ave., 146 71, Nea Erythraia, email: firstname.lastname@example.org
You may also use the de-registration options by following (clicking) the corresponding link in our online communications.
What are your rights with respect to your personal data
Any natural person whose data is being processed by the company NEA ODOS S.A. enjoys the following rights:
Right of Access:
You have the right to be aware and verify the legitimacy of the processing. Therefore, you have the right to access the data and get additional information about how your data is processed.
Right to Rectification:
You have the right to study, correct, update or modify your personal data by contacting the Data Protection Officer (DPO) at the above contact details.
Right to Erasure (“Right to be forgotten”):
You have the right to request the erasure of your personal data only if the Company processes it based on your consent or in order to protect our legitimate interests. In all other cases (such as, for example, where there is a contract, due to an obligation to process personal data required by law, for reasons of public interest), this right is subject to specific restrictions or and may not apply, depending on the case.
Right to Restriction of Processing:
You have the right to request a restriction on the processing of your personal data in the following cases: (a) when the accuracy of the personal data is questioned and until such accuracy is verified; (b) when you oppose the erasure of personal data and request (instead of erasure) the limitation of its use; (c) when personal data is not needed for processing purposes, but is, however, indispensable for the foundation, exercise, support of legal claims; and (d) when you object to the processing and until it is verified that there are legitimate reasons that concern the Company and supersede the reasons for which you oppose processing.
Right to Oppose Processing:
You have the right to oppose at any time the processing of your personal data where, as described above, such processing is necessary for the purposes of legitimate interests we seek as processors, as well as for processing for direct marketing and consumer profiling.
Right to Data Portability:
You have the right to receive your personal data free of charge in a format that allows you to access, use, and edit them, using commonly used editing methods. You also have the right to ask the Company, if technically feasible, to pass the data directly to another processor. This right exists for the data you have provided to the Company and is processed by automated means based on your consent or for the performance of a relevant contract.
In order to exercise any of the above-mentioned rights and for any relevant information you may refer to the Data Protection Officer (DPO) Mr. Filippos Mitletton, Postal address: 19 Neas Erythraias Ave., 146 71, Nea Erythraia, email: email@example.com
Right to file a complaint with the Data Protection Authority
You have the right to file a complaint with the Data Protection Authority (www.dpa.gr): Telephone: +30 210 6475600, Fax: +30 210 6475628, email: firstname.lastname@example.org
PERSONAL DATA SECURITY
NEA ODOS S.A. implements appropriate technical and organizational measures aimed at the safe processing of personal data and the prevention of accidental loss or destruction and/or unauthorized access to them, use, modification or disclosure thereof. To ensure the appropriate level of security against risks and to select appropriate technical and organizational measures, the Company takes into account the latest technological and other developments, the cost of implementation, the nature, the scope and purposes of the processing, as well as on the one hand, the likelihood and risk of occurrences of accidental loss or destruction and unauthorized and/or illegal access to personal data, use, modification or disclosure thereof and, on the other hand, the severity of the consequences for the rights and freedoms of natural persons.