Policy on the processing of personal data

Policy on the processing of personal data by “BODOSSAKI FOUNDATION”, a private-law legal person, in its capacity as Fund Operator of the “Active Citizens Fund” Programme in Greece
[as per articles 13 and 14 of Regulation (EU) 2016/679
(General Data Protection Regulation – GDPR), hereinafter “GDPR”]

1. Introduction

1.- The Financial Mechanism Office (FMO) of the European Free Trade Association (EFTA), as Secretary of the European Economic Area (EEA), has undertaken the Management of the “Active Citizens Fund” Programme in Greece, which forms part of the EEA Financial Mechanism for the period 2014 – 2021 (“EEA Grants 2014 – 2021”), funded by the following donor countries: Iceland, Lichtenstein and Norway.

 2.- The main objective of the “Active Citizens Fund” (ACF) Programme in Greece, hereinafter also referred to as the “Programme” for the sake of brevity, is to strengthen Civil Society and active citizenship, as well as to empower vulnerable groups. The Programme seeks to support civil society, to fund non-governmental organisations (NGOs) eligible for the implementation of projects, to create a positive environment for the NGO sector, to strengthen the NGOs’ capabilities and structures and to increase their contribution to social equality and justice, to democracy and to sustainable development.

 3.- The Financial Mechanism Office, hereinafter also referred to as “FM Office” or simply “FMO” for the sake of brevity, acting as Manager of the Programme in Greece, has entered into an agreement with “BODOSAKI FOUNDATION”, which acts in cooperation – consortium with the Association “SolidarityNow”, as Fund Operator, for the purposes of developing, managing and implementing the Programme (NGO Programme Implementation Agreement). BODOSSAKI FOUNDATION acts as principal member and representative of the above consortium.

 4.- With the present information document, BODOSAKI FOUNDATION informs, in accordance with articles 13 and 14 of the GDPR, the natural persons – data subjects that in exercising its responsibilities and tasks as Fund Operator of the Programme, it processes personal data of members of the project promoters and of their partners, subcontractors, employees and associates in general of the project promoters and/or their partners; of the beneficiaries of the projects; of the persons with parental responsibility or the persons charged with the legal guardianship of the beneficiaries; and in general, of the natural persons directly or indirectly related to the evaluation and implementation of projects under the Programme.

1. Controller – Contact details

1.- Controller means the natural or legal person who determines the purposes and means of the processing of personal data in paper and/or electronic form. In particular, the notion of processing includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.- The Public Benefit Foundation under the name “BODOSSAKI FOUNDATION” (hereinafter the “FOUNDATION”), a private-law legal person, is the Controller jointly with the non-profit association under the name “SolidarityNow” (“Joint Controllers”, as defined in art. 4 case (7) and art. 26 of the GDPR).

3.- The contact details of the FOUNDATION, which has been designated as a point of contact with the natural persons – data subjects, are the following:

• Address: 14 Mourouzi str., GR-106 74 Athens, Greece
• Tel.: +30 2103237973
• E-mail: info@bodossaki.gr

III. Categories of personal data

1.- According to article 4 of the GDPR, personal data include any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be disclosed, directly or indirectly, in particular by reference to an identifier. Subsequently, according to art. 9 of the GDPR, the special categories of personal data include those concerning health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data allowing to uniquely identify a natural person, and data concerning a natural person’s sex life or sexual orientation.

2.- In principle, the FOUNDATION collects and in general processes:

• identification data (such as name, ID card number, etc.);
• legalisation data (such as authorizations, power of attorney deeds, etc.),
• contact details (such as postal address, e-mail address, telephone number, etc.);
• economic, property and marital status data (such as occupation, income, real estate property, marital status, dependants, etc.);
• professional activity data (start, winding-up and activities of sole proprietorship, income, expenditure etc.);
• bank data (IBAN, interest amounts on deposits, bank account balances);
• image and audio data (photographs, audiovisual material collected in the framework of the actions implemented by the projects).

3.- Furthermore, the FOUNDATION may collect and may in general process personal data of special categories and in particular data concerning health, racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, and data concerning a natural person’s sex life or sexual orientation.

1. Purposes of the processing of personal data

1.- In its capacity as Fund Operator of the “Active Citizens Fund” Programme in Greece, the FOUNDATION processes personal data for the purpose of fulfilling its obligations regarding the development, management and implementation of the aforementioned Programme.

2.- More specifically, in the context of developing, managing and implementing the Programme, the FOUNDATION processes personal data for the following purposes:

i) evaluating grant applications submitted by candidate project promoters for funding by the Programme;communicating decisions
ii) approving or rejecting the funding by the Programme of the projects submitted by candidate project promoters, as well as decisions excluding from further funding projects already approved for funding by the Programme;
iii) examining any objections against rejecting the approval for funding by the Programme;
iv) concluding contracts for the award of grants to projects;
v) supervising, verifying and evaluating the implementation of the projects, in terms of both physical and financial scope, against the terms of the grant agreement concluded;
vi) implementing grant agreements and in particular disbursing the grant provided for;
vii)preparing and issuing project audit and evaluation reports, for submission to the FMO;
viii) issuing and applying acts on financial corrections;
ix) taking legal action to recover grant funds already paid out;
x) implementing public communication actions for the projects’ actions and results;
xi) organising and implementing “pre-defined projects”;
xii) reporting to the FMO of the EFTA, to the EFTA donor countries (Iceland, Liechtenstein and Norway) and to any other competent body or organisation, whether international or national;
xiii) complying with its legal obligations in general and establishing, exercising or defending legal claims related to the Programme.

1. Legal bases for the processing of personal data

1.- The FOUNDATION:

1. processes personal data for fulfilling its above obligations and in general for satisfying its own legitimate interests as well as those of third parties (FMO, EFTA donor countries, project promoters, project promoters’ partners, etc.), in the context of the development, management and implementation of the Programme [art. 6 par. 1(f) of the GDPR];
2. processes personal data because their processing is necessary for its compliance with its legal obligations [art. 6 par. 1(c) of the GDPR], such as tax, administrative etc., related to the development, management and implementation of the Programme;
3. if the personal data to be processed fall within any of the special categories of art. 9 par. 1 of the GDPR, the Foundation shall process such data after obtaining the prior explicit consent of the data subjects or of the parents, persons having parental responsibility or legal guardians thereof, as the case may be (art. 6 par. 1(a) and art. 9 par. 2(a) of the GDPR), unless the special data are necessary in order for the Foundation to establish, exercise or defend legal claims [art. 9 par. 2(a) of the GDPR];

2.- Should the FOUNDATION be processing your personal data based on your consent, you have the right to revoke this consent at any time, without prejudice to the lawfulness of the processing performed based on your consent prior to its revocation [art. 14 par. 2 of the GDPR].

3.- For the FOUNDATION to be able to fulfil its obligations for the development, management and implementation of the Programme, it needs to collect and further process your personal data. Otherwise, the FOUNDATION may not be able to fund projects of candidate project promoters and their partners, aimed at strengthening Civil Society and active citizenship, as well as at empowering vulnerable groups.

VΙ. Personal data extraction sources

1.- The FOUNDATION extracts personal data about you from the (candidate) project promoters under the Programme, with the strict application of secure transmission mechanisms.

2.- Additionally, in the context of the public communication of the actions and results of the projects, the FOUNDATION extracts personal data (mainly photographic and audiovisual material) from publicly accessible sources on which the data have been already posted, such as the websites of the project promoters and/or their companies, social media and/or audiovisual material sharing media, in which the project promoters and/or their partners publish relevant material from the actions of the projects, etc.

VΙI. Retention time of personal data

1.- The FOUNDATION retains your personal data for as long as required for the fulfilment  of the above purposes it pursues, the fulfilment of its legal obligations, the satisfaction of its legitimate rights and in any case at least until 30.04.2028, when a period of three (3) years from the approval by the FMO of the final report of the Program shall be completed.

VIIΙ. Automated decision-making

1.- The FOUNDATION’s decision-making is not based solely on the automated processing of personal data, as this is defined in the provisions of art. 22 of the GDPR.

IX. Recipients of your personal data

1.- The FOUNDATION ensures that your personal data are processed in a manner compatible with the aforementioned purposes and are disclosed solely to the natural and/or legal persons to whom such disclosure is necessary.

2.- In particular, your personal data will be accessed by the FOUNDATION’s competent departments charged with the development, management and implementation of the Programme, the fulfilment of the Foundations legal obligations related to the Programme and the satisfaction of its legal rights related to the Programme, such as the Programmes & Grants Management and Coordination Department, the Finance Department, the Legal Department, the Administration Department , etc.

3.- The administrative staff of the competent departments involved in the management of your personal data are bound by confidentiality clauses and obtain classified and restricted access only to the data that they need for fulfilling of their (work) duties.

4.- In addition, we select as processors reliable partners and providers, natural and/or legal persons, who operate in accordance with our instructions and may have access to your personal data, such as external/independent grant application evaluators, audit firms, IT service providers, etc.

5.- Furthermore, for the purposes of public communication of the actions and results of the projects, of surveys, and only in cases where you have given your explicit consent, we may share your personal data with natural and/or legal persons who will operate as processors in accordance with our instructions, such as public relations – communication companies, public opinion polling companies, communication consultants, audiovisual production companies, etc., and always in accordance with the applicable legislation.

6.- All the natural and/or legal persons mentioned above are contractually bound, should personal data be transferred to them, by confidentiality clauses and by strict provisions on the protection of your personal data and the implementation of the most appropriate technical and organisational measures to achieve and maintain an advanced level of information security. We also ensure that the above obligations of the processors are met, by providing for the exercise of the right of auditing them, as part of contractual provisions.

7.- With regard to the personal data transferred to the processors, these are the minimum and absolutely necessary ones for performing the intended lawful processing and, as stipulated in a relevant contractual commitment, under no circumstances are they to be used for purposes other than the purpose of the processing, for the processor’s own benefit.

8.- Moreover, in line with our compliance with the legislative and regulatory frameworks as well as when a complaint is lodged, we may and, where appropriate, will transfer your personal data to Supervisory Authorities, Public Services or Organizations, natural or legal persons of public or private law, to fulfil our legal obligations.

Χ. Transfer of personal data outside Greece

1.- The FOUNDATION may transfer your personal data solely within the European Economic Area (EEA) and in particular to the FMO and/or to other EFTA agencies in line with its duty of accountability as Fund Operator, always in accordance with the data protection laws and regulations in force and taking appropriate technical and organizational measures to protect your personal data.

XI. Rights of data subjects

1.- Where permitted by the applicable regulatory framework and under the conditions so permitted, you have the following rights:

• The right of access to and information about your personal data and the processing we perform on them. You can also request us to provide you with copies of your personal data kept in our records.
• The right to rectification of your personal data, so that they are always accurate, complete and up to date.
• The right to erasure (“right to be forgotten”) of your personal data from the FOUNDATION’s records, if the conditions provided for by the law are met.
• The right to restriction of the processingof your personal data in certain cases, such as where their accuracy is contested, the processing is unlawful, or when the purpose of the processing no longer applies and there is no legitimate reason to retain them.
• The right to portabilityfor your personal data, obtaining a copy of them in electronic form so that they can be reused or transferred to another Controller, provided that the processing is based on your consent and performed by automated means.
• The right to objectionto the processing of your personal data for reasons related to your particular situation and when such objection is based on your legitimate interests. However, if the FOUNDATION demonstrates compelling legitimate grounds for the processing of your personal data which override your interests, rights and freedoms or if the FOUNDATION needs your personal data for the establishment, exercise or defence of legal claims, then the FOUNDATION retains the right to continue the processing, otherwise it is obliged to erase them.

2.- You can exercise your above rights at no cost to you, by sending a relevant application / letter / e-mail to the Legal Department of Bodossaki Foundation, which is responsible for handling matters concerning the protection of personal data. Abusive exercise of the above rights, especially as demonstrated by unjustifiably repeated requests or by conduct which may be considered in bad faith, may burden you with the corresponding costs.

3.- The FOUNDATION uses its best endeavours to respond to your requests within thirty (30) days from their receipt, so that during this period we can either proceed to grant your request or report to you the reasons that do not allow us to do so.

4.- You are reminded once again that where the processing your personal data is based on your consent, you have the right to revoke this consent at any time, without prejudice to the lawfulness of the processing performed based on your consent prior to its revocation.

5.- In addition, you have the right to submit a complaint to the FOUNDATION’S Legal Department, which is as responsible for handling matters concerning the protection of personal data.

6.- You may exercise your rights, as detailed in this personal data privacy statement, by sending a relevant request to the FOUNDATIONS ’s Legal Department by e-mail at legal@bodossaki.gr,  by calling +30 210 3237973 or by post at the following address: 14 Mourouzi str., GR-106 74 Athens, Greece.

XII. Right to lodge a complaint

1.- For matters relating to the processing of your personal data, you have the right to appeal to the Hellenic Data Protection Authority (HDPA). For the responsibilities of the HDPA (1-3 Kifissias Ave., 115 23 Athens, Greece ) and for instructions on how to lodge a complaint, you can visit the HDPA website (www.dpa.gr → Individuals → Complaint to the Hellenic DPA), where detailed information is provided.

XIII. Security & Confidentiality

1.- The security and confidentiality of personal data are extremely important for the FOUNDATION.

2.- In compliance with the legal framework in force, the FOUNDATION takes all the technical and organizational measures required for the secure processing of your personal data, to ensure that they are protected in every way possible against loss, leakage, alteration, transmission or other unlawful processing.

The FOUNDATION may update/supplement the present information document on the protection of personal data (issued in November 2022), in accordance with the legislative and regulatory frameworks, as in force. In such cases, the updated/supplemented issue of the data privacy statement shall be posted on the website www.activecitizensfund.gr/en, where it shall be available.