1. Purpose
The purpose of this Personal Data Protection Policy (hereinafter “the Policy”) is to regulate the way in which the Municipality of Hydra, a Local Government Organization (N.P.D.D.) based on Hydra Island and legally represented, respects and protects the personal data it holds and processes in the context of its activities. In particular, this Policy aims to ensure that the Management and the staff of the Municipality (regardless of their employment status) understand the basic concepts and the framework of responsibilities that the processing of personal data entails in accordance with the General Data Protection Regulation 679/2016/EU (hereinafter “the GDPR”), the national legislation, the opinions, decisions and acts of the National Authority for Personal Data Protection (hereinafter “the DPA”) and the adoption of lawful and correct personal data management practices, based on the provisions of this Policy.
The Personal Data Protection Policy additionally serves to inform the data subjects to whom it is communicated in accordance with Articles 13-14 GDPR and consists of all the individual policies of the Municipality of Hydra that concern:
Α. The obligations, roles and responsibilities of the bodies of , the City Council and the staff of the Municipality of Hydra.
Β. The Personal Data Security Policy.
Γ. The Records Retention and Destruction Policy.
Δ. The Policy for the Proper Receipt, Management and Recall of Consents.
Ε. The Data Subjects’ Request Management Policy for the exercise of data subjects’ rights.
F. The Data Breach Incident Management Policy.
Ζ. The Policy on the use of communication and electronic processing media.
Η. The Clean Office and Screen Policy.
The employees of the Municipality of Hydra take note of the Policy and undertake to study it, to raise any questions with the Management and to comply strictly with the provisions of the Policy throughout the period of their work/employment in the Municipality of Hydra, regardless of their status.
2. Scope of application
This Policy must be fully complied with by the supreme bodies of the Municipality, the Municipal Council and the employees of the Municipality of Hydra, regardless of rank, status or speciality, whether currently employed under fixed-term or indefinite employment contracts, by fully or partially employed staff, and by any external collaborators, if applicable, who provide monthly services to the Municipality of Hydra, provided that they are employed on its premises and/or on its behalf and process personal data.
The Municipality of Hydra undertakes to communicate this Policy to each current or new employee, partner and processor in accordance with the above and to ensure by any appropriate means that they know the Policy and are committed to properly observing it and the practices described therein, as regards the processing of personal data.
3. Basic Definitions – Principles of lawful processing
3.1. The Municipality of Hydra is committed to respecting and protecting the personal data that it collects and processes in the context of its activities, fully complying with the obligations arising from both the European and the internal Regulatory Framework for the protection of personal data. For the purposes of the proper implementation of the Policy, the Municipality of Hydra informs those responsible for compliance with the Policy of the following definitions in accordance with the legislation:
“Personal data” means any information relating to the data subject. Aggregated data of a statistical nature, from which the data subjects can no longer be identified, shall not be regarded as personal data.
“Sensitive data” or “special categories of data” means data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, social welfare, sexual life or sexual orientation, membership of associations/unions of persons related to the above, as well as data relating to criminal prosecutions or convictions. Also included are genetic and biometric data, for the purpose of unambiguous identification of a person.
“Health data” means information relating to the physical or mental health of an individual, including the provision of health care services, which discloses information about the health status of an individual. Health-related data includes information about the individual collected during registration for and during the provision of health services. Such information may be a number, a symbol or an identification attribute assigned to a natural person for the purpose of fully identifying the natural person for health purposes, information resulting from tests or analyses on a body part or substance, including genetic data and biological samples, and any information, for example, concerning an illness, disability, disease risk, medical history, clinical treatment or the physiological or biomedical condition of the data subject, irrespective of the source.
“Data subject” means a natural person to whom the data refer and whose identity can be directly or indirectly identified, in particular by reference to an identification number or to one or more factors specific to his or her physical, biological, mental, economic, cultural, political or social identity.
“Data Controller” means the natural or legal person who determines the purpose and manner of processing of personal data, in this case the Municipality of Hydra.
“Processor” is any natural or legal person who processes personal data on behalf of the Controller.
“Processing of personal data” means any operation which is performed on personal data, such as collection, recording, organisation, storage or retention, alteration, extraction, use, disclosure, transmission, dissemination, alignment or combination, interlinking, blocking, erasure, destruction.
“Profiling” is any form of automated processing consisting of the use of personal data to evaluate certain personal aspects of a natural person, in particular to analyse/predict aspects relating to the job performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements of a natural person.
“Personal data breach” means a breach of security leading to the accidental or malicious destruction, loss, alteration, unauthorised disclosure of or access to personal data transferred, stored or otherwise processed.
3.2. Principles of lawful processing of personal data:
Any processing of personal data by the Municipality of Hydra must comply with the following principles in order to be considered lawful and to meet the requirements of the GDPR and the national legal framework for data protection:
1. Data are processed lawfully and fairly in a transparent manner in relation to the data subject (under the principles of “lawfulness, objectivity and transparency”),
2. They are collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest or for scientific or historical research or statistical purposes shall not be considered incompatible with the original purposes (“purpose limitation”),
3. They are appropriate, relevant and limited to what is necessary for the purposes for which they are processed (“data minimisation”),
4. They shall be accurate and, where necessary, kept up to date; all reasonable steps shall be taken to ensure the prompt erasure or rectification of personal data which are inaccurate in relation to the purposes of the processing (“accuracy”),
5. They shall be kept in a form which permits identification of the data subjects only for the period necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, provided that the personal data will be processed only for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, provided that appropriate technical and organisational measures are implemented to ensure that the personal data are processed in a form which permits identification of the data subjects.
6. They are processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
4. Lawful bases for processing personal data
Any processing of personal data is carried out by the Municipality of Hydra in the context of its purposes and activities under the provisions of the legislation governing the operation and organization of the Municipality, the Code of Municipalities and Communities and the general regulatory framework governing Local Authorities (O.T.A.), and should be based on a legal basis for processing.
The purposes for which the Municipality of Hydra processes personal data are the following:
1. The receipt and control of all kinds of requests submitted by citizens and addressed to the respective services of the Municipality, as well as their transmission to other competent services.
2. The issuing of certificates to citizens/the public by the competent department of the Municipality.
3. The licensing (as well as the renewal of the license) of shops – businesses of sanitary interest, nurseries, etc.
4. The handling of all issues related to the employment relationship of the staff of the Municipality (recruitment, verification of the authenticity of qualifications, attendance record, maintenance of the employment file, promotion, retirement, granting of leave, payroll, termination of employment, etc.).
5. The management of personal data for the implementation of the voluntary programmes of the Municipality.
6. The conduct of auctions, tenders, and the lawful collection of tenders and selection of suppliers in accordance with the legislation.
7. The servicing of the contractual relationship with suppliers and their payment in compliance with the contractual obligations of the Municipality.
8. The compilation of lists (financial debts, budget, balance sheet) in the context of the responsibilities and activities of the Municipality.
9. The posting on the online platform “DIAYGEIA”, for reasons of transparency, of personal data of contractors, project contractors and the decisions of the Municipality’s Board of Directors.
10. The evaluation of the staff working in the Municipality.
11. The drafting of recommendations for the purpose of imposing fines for any violation concerning establishments of sanitary interest.
12. The compilation and editing of a telephone directory for the purpose of communication of the employees of the Municipality with other public services.
13. The management of personal data within the responsibilities of the Urban Planning Service and the Municipality’s Sanitation Service.
14. The receipt and forwarding of complaints submitted by citizens on issues related to the responsibilities – activities of the services of the Municipality.
15. The receipt, management and record keeping of requests – complaints submitted through the online service and through the call center.
16. The preparation of an aggregated list of invoices, the preparation and editing of payment orders of suppliers.
17. The granting of social and welfare benefits upon request by the beneficiaries.
18. The promotion of the actions of the Municipality, through the filming and the keeping of audiovisual material of the events – activities held.
19. The operation of the school committee and the management of data within the framework of its responsibilities – actions.
20. The defence of the legal interests and rights of the Municipality before the courts (e.g. urban planning disputes, claims etc.).
21. The management of electronic and paper correspondence. The compilation and posting of the financial statements of the elected bodies of the Municipality.
22. The determination and collection of municipal fees and the acceleration of the payment procedure in case of third party debts to the Municipality.
23. The editing and processing of submitted Naturalization applications. The maintenance, editing and compilation of the Recruitment Rolls, the editing of the process of sending the Recruitment Rolls to the Recruitment Service and the handling of the Recruitment Search Process.
24. The compilation and updating of electoral rolls.
25. Data management in the context of the Registry’s responsibilities.
26. The management and processing of requests submitted for the certification of all kinds of Registry Events by the Public Prosecutor’s Office, the Insurance Funds, the Recruitment Office and the various public services.
The lawful bases for processing under the GDPR are:
Α. The consent of the data subject for one or more purposes.
Β. The performance of a contract to which the data subject is a party or the taking of measures at the request of the data subject at the pre-contractual stage.
Γ. Compliance with a legal obligation of the controller.
Δ. Safeguarding the vital interest of the data subject or another natural person.
Ε. The performance of a task carried out in the public interest or in the exercise of official authority by the Controller.
F. The legitimate interests of the Data Controller or third parties, provided that those interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
The lawful bases for processing sensitive personal data are:
Α. The explicit consent of the subject for one or more specific purposes.
Β. The performance of obligations and the exercise of specific rights of the controller or the data subject in the field of labour law and social security and social protection law, where permitted by Union or Member State law or by collective agreement in accordance with national law, providing appropriate safeguards for the fundamental rights and interests of the data subject.
Γ. The protection of the vital interests of the data subject or another natural person, if the data subject is physically or legally incapable of giving consent.
Δ. Processing in the context of the legitimate activities of an institution, organisation or other non-profit body with a political, philosophical, religious or trade union aim and provided that the processing concerns exclusively the members or former members of the body or persons who have regular contact with it in relation to its purposes and that the personal data are not disclosed outside the body in question without the consent of the data subjects.
Ε. The processing of personal data that are manifestly made public.
F. The establishment, exercise or maintenance of legal claims or when the courts are acting in their judicial capacity.
Ζ. Processing for reasons of substantial public interest, which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.
Η. Processing for the purposes of preventive or occupational medicine, assessment of a worker’s fitness for work, medical diagnosis, provision of health or social care or treatment or management of health and social systems and services or under a contract with a health professional.
Θ. Processing for reasons of public interest in the field of public health.
Ι. Processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes which are proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard fundamental rights and interests of the data subject.
The Municipality of Hydra collects and processes personal data on the basis of the fulfilment of tasks in the public interest, compliance with legal obligations, the fulfilment of contractual relations, as well as the consent of the data subjects.