Data Protection Policy


1. PURPOSE

The purpose of this Policy is to define and outline the general framework and fundamental principles adopted and implemented by the Athens School of Fine Arts (hereinafter referred to as the “Organisation”) regarding the processing of personal data, and to safeguard their security, confidentiality, integrity, and availability.

2. SCOPE

This Policy applies to all personal data managed by the Organisation in the course of its operations.

3. RESPONSIBLE PARTIES FOR POLICY IMPLEMENTATION

  • The Administration
  • All staff members of the Organisation
  • All partners who process or have access to personal data

4. DESCRIPTION

4.1 General Information

The Organisation acknowledges and respects the importance of personal data it processes in the context of its activities and has fully aligned its policy with the requirements of the General Data Protection Regulation (GDPR) 2016/679/EU.

Through this statement, the Organisation aims to:

  • Inform individuals engaging with the Organisation about the capacity in which their personal data is processed, the purposes of such processing, and the legal basis on which it is carried out. “Personal data” refers to any information that may directly or indirectly identify an individual.
  • Specify the categories of data collected, the sources of such data (when not provided directly by the data subject), and the criteria for determining the retention period of personal data.
  • Notify individuals of any transfers of their personal data to third parties or to countries outside the EU.
  • Inform data subjects of their right to contact the Organisation regarding any matter related to the processing of their personal data, and to exercise their rights of access, rectification, and, where applicable, erasure, restriction of processing, or objection to processing. Additionally, individuals have the right to lodge a complaint with the Hellenic Data Protection Authority in the event of a violation of their data protection rights.
  • Define the principles that govern the implementation of data protection policies and the security safeguards adopted by the Organisation to protect personal data.

For any questions or concerns, or to obtain a copy of this statement or exercise any of the rights related to personal data, individuals may contact the Data Protection Officer (DPO) of the Athens School of Fine Arts at +30 210 6216 997 or via email at dpo@asfa.gr.

4.2 Contact Details of the Data Controller, Its Representative, and the Data Protection Officer

Data Controller:

Name: Athens School of Fine Arts
Address: 256 Peiraios str., 18233, Aghios I. Rentis
Tel. No.: 210 4801 260
Email: dpo@asfa.gr

Data Protection Officer:

Name: Advanced Quality Services Ltd.
Address: 1Α Tyrnavou & Sarantaporou Str., 14565
Tel. No.: 210 6216 990
Email: dpo@aqs.gr

4.3 Who Collects Personal Data?

The Athens School of Fine Arts is an autonomous legal entity governed by public law.

This statement applies to the collection of personal data by our Organisation in the context of its operations, including its presence on third-party websites, platforms, and applications, in accordance with the Terms of Use of our website.

Please note that when you visit our website, basic data related to your interaction with the site is collected, including the installation of cookies (see our Central Cookie Policy for more details). Third-party websites generally apply their own privacy statements and terms and conditions. We encourage you to read these carefully before using such websites.

4.4 How Is My Personal Data Collected?

We may collect personal data from a variety of sources, including:

  • Personal data provided directly to the Organisation by the data subjects, for one of the following reasons:
      1. Information you provide during the initiation, development, or termination of a contractual relationship with us.
      2. Information you provide when participating in the Organisation’s events and activities.
      3. Information you provide in the course of your transactions with the School, your communication with us, or when submitting a request.
      4. Information you provide when interacting with the School’s websites in the context of completing your transactions.
  • In addition, we automatically receive and store certain types of personal data whenever anyone interacts with us online. This includes the use of cookies and tracking technologies to collect data, as well as data made available through the user’s web browser when accessing our website, our listings, or any content displayed by or on behalf of the Organisation on third-party websites.

4.5 What Personal Data Is Collected?

Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Due to the nature of the Organisation’s activities, the personal data collected primarily concerns the following categories of data subjects:

  • Organisation Employees: This includes personal data strictly related to their employment relationship with the Organisation, such as identification and contact details, financial information, and health data (of the employee or dependents), collected in compliance with labor and social security legislation.
  • Organisation Partners (suppliers and other external collaborators): This includes personal data relevant to our contractual relationship, such as identification and contact details, transaction data, and financial information, collected in order to fulfill our legal and contractual obligations.
  • Individuals interacting with the Organisation (students, citizens, and other individuals communicating with the Organisation): This includes personal data related to the School’s legally mandated activities, any existing contractual relationship, or general communications with the Organisation. These may include identification and contact details, transaction data, login credentials for online applications, and financial information, processed in accordance with our legal and contractual obligations.

Note: As a general rule, we do not collect special categories of personal data, such as information concerning race, ethnic origin, religion, sexual orientation, or genetic/biometric data. These are protected under EU data protection laws and are only processed when explicitly required by law.

4.6 Children’s Privacy

The Organisation may collect personal data of children only in the context of employment relationships—specifically, to describe an employee’s family status for salary, employment rights, and related matters. Such information is provided with the consent of the individual holding parental responsibility for the child (see also below).

4.7 For What Purposes Is My Data Used?

The purpose of processing depends on the function performed. Specifically:

  • Employees’ personal data is processed for the purposes of entering into, executing, or terminating employment or collaboration contracts. Data related to attendance, leave, medical certificates, and performance evaluations are processed for administrative and personnel assessment purposes.
  • Personal data of students, citizens, partners, and other individuals interacting with the Organisation is collected and processed to ensure compliance with legal obligations, to establish or manage a contractual relationship (where applicable), and to respond to requests or facilitate the provision of services, such as registration on an online platform.

4.8 What Is the Legal Basis for Processing?

Personal data collection and processing are based on the following legal grounds:

  • Article 6(1)(b) GDPR: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This legal basis applies to the processing of the above-mentioned personal data of employees, collaborators, and, in general, individuals engaging in transactions with the Organisation who are in a contractual relationship with it. It covers the purposes related to the conclusion and performance of the contract, the management of hiring and terminations, the management of employee ID cards, leave and payroll, staff training, employee performance evaluation, and the management of medical records, among others.
  • Article 6(1)(c) GDPR: Processing is necessary for compliance with a legal obligation to which the controller is subject, as arising from Union or national law. We rely on this legal basis to fulfill our statutory obligations in our capacity as a legal entity governed by public law (NPDD), an employer, or a contracting party, including the payment of our employees and collaborators, the maintenance of employee medical records, the notification of hiring to the competent authorities (e.g. ERGANI, Labour Inspectorate, EFKA), and similar obligations.
  • Article 6(1)(e) GDPR: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Article 6(1)(a) GDPR: The data subject has given consent to the processing of his or her personal data for one or more specific purposes. This legal basis is relied upon, by way of exception, for certain activities that may not be explicitly provided for by law (e.g., participation in educational activities, registration in an online application, etc.).
  • Article 9(2)(b) GDPR: Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
  • Article 9(2)(h) GDPR: Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services pursuant to Union or Member State law or pursuant to a contract with a health professional.
  • Article 9(2)(g) GDPR: Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

4.9 Profiling

The Organisation does not use personal data for profiling purposes.

4.10 Disclosure of Data to Third Parties

The Organisation may collaborate with third-party service providers (e.g. IT services, consultants) who may process personal data on its behalf. In general, data is not disclosed to third parties, except as outlined above.
All third-party partners are contractually bound to the Organisation to process data solely for the purposes defined, to maintain confidentiality, and to comply with GDPR provisions.

4.11 How Long Is My Personal Data Retained?

The retention period for personal data depends on the purpose of processing. Retention itself constitutes a form of processing and must comply with relevant data processing principles. After the retention period expires, the data is deleted. Specifically:

  • Twenty (20) years after an employee’s departure, in accordance with the Civil Service Code.
  • Twenty (20) years (indicative statute of limitations for legal claims), during which legal or regulatory reasons may necessitate data retention (e.g. civil or criminal proceedings, tax audits, etc.).

4.12 What Are My Rights?

You have the following rights regarding the processing of your personal data, subject to any legal limitations:

  • Right to be informed: You have the right to clear, transparent, and understandable information about how your data is used. This Privacy Policy provides such information, and you may contact us for further clarification.
  • Right of access: You can request access to your personal data.
  • Right to rectification: You can request correction or completion of inaccurate or incomplete data.
  • Right to data portability: You can request a copy of your data in electronic form or request its transfer to another service provider.
  • Right to erasure: You may request the deletion of your data, particularly if it is no longer necessary for the purposes for which it was collected.
  • Right to restrict processing: You can request limited processing of your data under certain conditions.
  • Right to withdraw consent: If processing is based on your consent, you may withdraw it at any time by contacting us using the details provided in this statement.
  • Right to object: You may object to data processing based on our legitimate interests.
  • Right to lodge a complaint: You have the right to lodge a complaint with the Hellenic Data Protection Authority if you believe your data rights have been violated.
  • Rights related to automated decision-making: You have the right not to be subject to decisions based solely on automated processing with legal or similarly significant effects. Specifically, you have the right:
      1. to request human intervention,
      2. to express your point of view,
      3. to obtain an explanation of the decision following the evaluation conducted,
      4. to contest this decision.

Upon exercising your rights, we will take all reasonable measures to respond within one (1) month from the identification of your request. You will be informed in writing of the outcome or the reasons why your request could not be fulfilled. In complex cases, this deadline may be extended by an additional two (2) months.

If, however, you believe that any of your rights or a legal obligation of our Organisation regarding the protection of Personal Data has been violated, and after having first contacted the Organisation’s Data Protection Officer (DPO) on the matter – meaning you have exercised your rights with the Organisation and either have not received a response within one (1) month (extendable by an additional two (2) months in the case of a complex request), or you consider that the response provided by the Organisation is unsatisfactory and the issue remains unresolved – you have the right to lodge a complaint with the competent supervisory authority, namely the Hellenic Data Protection Authority (HDPA), located at 1–3 Kifisias Avenue, 115 23 Athens, Greece, email: complaints@dpa.gr, fax: +30 210 6475 628.

4.13 How Is My Personal Data Protected?

We have implemented appropriate technical and organisational measures to protect your personal data against misuse, interference, loss, unauthorized access, alteration, or disclosure. These measures include access controls, information security protocols, and, where necessary and feasible, data encryption, pseudonymisation, and anonymisation.

Access to your personal data is granted only to authorised employees and partners, strictly on a need-to-know basis, and is subject to strict confidentiality obligations, especially when processing is performed by third parties.

4.14 How Can I Contact the Organisation?

You may contact us at our headquarters:
Address: 256 Pireos Street, 18233 Ag. I. Rentis, Greece
Phone: +30 210 4801 260
Email: dpo@asfa.gr

4.15 Updates to This Privacy Policy

This statement may be revised to reflect legislative changes, feedback from data subjects, or changes in the Organisation’s services and internal procedures. Any updates will be published along with the revised “last updated” date at the top of this Privacy Policy.

© ASFA 2024. All rights reserved.
