Privacy Policy

Contents

Application Statement

Terms and Definitions

Categories of Personal Data Collected

Purposes and Legal Basis of Processing

Rights of Data Subjects

Communication

Processing principles

Record of the Processing Activities

Protection of Personal Data

Staff Training

Modification

 

Application Statement

The General Data Protection Regulation (GDPR) implementation is a priority for the Hellenic Labour Inspectorate and its Offices.

Personal data means any information relating to an identified or identifiable natural person. For example, this information includes name, home address, ID number, Internet Protocol (IP) code, employment status information, and more.

Special categories of personal data, meaning data disclosing racial or ethnic origin, political views, religious or philosophical beliefs or trade union affiliation, genetic data, biometric data for unambiguous identification, concerning health or sexual life or sexual orientation, receive special protection.

The protection rules apply when the collection, use, storage, and any other transaction on individuals’ data is being performed with or without the use of automated means that are or are to be included in an archiving system.

This policy is in line with the EU General Data Protection Regulation (GDPR) and the applicable domestic law, as well as with the opinions, instructions, guidelines, recommendations, and decisions of the Hellenic Data Protection Authority.

Terms and Definitions

  • ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,
  • ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,
  • ‘Restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future,
  • ‘Filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised, or dispersed on a functional or geographical basis,
  • ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law,
  • ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller,
  • ‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing,
  • ‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data,
  • ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her,
  • ‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed,
  • ‘Special categories of personal data’, meaning data disclosing racial or ethnic origin, political views, religious or philosophical beliefs or trade union affiliation, genetic data, biometric data for unambiguous identification, concerning health or sexual life or sexual orientation.

Categories of Personal Data Collected

The Hellenic Labour Inspectorate (HLI), in the context of its activities and operation for the sake of the public interest, collects personal data of both citizens or professionals who fall within its responsibilities or use its services – applications, as well as his employees, as well as his associates in general, but also other natural persons with whom he deals within the framework of his responsibilities.

Depending on the form and purpose of processing by competence, the Hellenic Labour Inspectorate collects and processes personal data, such as the following:

CATEGORIES OF DATA SUBJECTS CATEGORIES OF DATA
EMPLOYEES – EMPLOYERS Data included in labour/conciliation claims, certification requests, requests for information and access to documents, notifications, complaints, administrative appeals against administrative sanctions, reports,  statements submitted by employees or employers electronically with various supporting documents, written explanations, and other documents concerning their work, family, professional, and personal status in the services of HLI, in the context of meeting HLI’s responsibilities and legal obligations. This category also includes the certificates that have been issued and the answers that have been given in the context of investigations conducted by the HLI. These may include:

1. Identity and demographics (name, patronymic, etc.),

2. Work and insurance details (AMKA or AYΠΑ and other Social Security Organization Register details if required),

3. Contact details (postal address, telephone, email, etc.),

4. Health data (medical certificates and opinions, reports of illnesses of employees due to work, prescriptions for medical treatment, data on accidents at work, etc.),

5. Financial data (bank accounts, tax returns, etc.),

6. Marital status details.

SUPPLIERS / CONTRACTORS Data of HLI’s suppliers, in case of natural persons or of the legal representatives of legal entities. These may include:

1. Identity and demographics (name, patronymic, etc.),

2. Work and insurance details (AMKA or AYΠΑ and other Social Security Organization Register details if required),

3. Contact details (postal address, telephone, email, etc.),

4. Copies of Criminal Records

5. Professional details

DATA OF OTHER NATURAL PERSONS Data of other natural persons (eg representatives of employees / employers) who visit HLI’s infrastructure or cooperate with it.
EMPLOYEES (ACTIVE AND NON-EMPLOYED) / CANDIDATE EMPLOYEES Data of employees in the services of HLI, under any employment relationship, and data of former and candidate employees, which are kept in service files or any other services to operate their employment relationship. These may include::

1. Identity and demographics (name, patronymic, etc.),

2. Work and insurance details (AMKA or AYΠΑ and other Social Security Organization Register details if required),

3. Contact details (postal address, telephone, email, etc.),

4. Health data (medical certificates and opinions, reports of illnesses of employees due to work, prescriptions for medical treatment, data on accidents at work, etc.),

5. Financial data (bank accounts, tax returns, statement of assets, etc.),

6. Assets (statement of assets)

7. Marital status details (certificates, number and details of children, etc.)

Table 1. The categories of Data Subjects and their data.

Purposes and Legal Basis of Processing

The Hellenic Labour Inspectorate, as a control mechanism, controls the implementation of labour legislation, collects and processes personal data of citizens (employees, employers) and other natural persons mentioned in the above paragraph who use its provided services – applications and its partners in general. In principle, the HLI collects and processes personal data for the following purposes with the corresponding legal processing bases:

PURPOSE OF PROCESSING LEGAL BASIS
Functioning of the Hellenic Labour Inspectorate in all areas of its responsibilities, as well as study, operation, administration, management of Information and Communication Systems, equipment, software and services respectively. Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Provision of online services in their transactions Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Cooperation and liaison with relevant bodies of the European Union. Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR]
Ensuring the interoperability of Information and Communication Systems with other public sector bodies. Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Consolidation and management of all information in the field of Occupational Safety and Health. Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Advise others on the above issues. Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Providing to every service of the State and the European Union statistics and other type of information and evaluations for the sectors of work and Occupational Safety and Health in Greece. Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Design, development, operation, exploitation, management and maintenance of Information and Communication Systems. Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Supervision of HLI’s Departments Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Collection, processing, cross-referencing and transmission of data of the Tax Administration for the support and operation of the framework of its responsibilities. Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Collection and processing of image data using closed circuit cameras (CCTV), as well as collection and processing of identification data (eg police ID) by specialized security personnel, for access to specific areas. Protection of persons and goods according to the Directive 1/2011 of the Hellenic Data Protection Authority

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Collection and processing of the necessary data of employees and / or prospective HLI’s employees and associates. for the proper service of existing employment or co-operation relations or the consideration of possible future co-operation Processing is necessary for compliance with a legal obligation [Art. 6 §1 case. c) GDPR] and/or

 

Processing is necessary for the performance of a contract [Art. 6 §1 case. b) GDPR] where it exists and / or

Processing is necessary for the performance of a task carried out in the public interest [Art. 6 §1 case e) GDPR]

Table 2. The main purposes and legal bases of processing

The reference to more than one legal processing base does not mean that the Hellenic Labour Inspectorate changes them (lawful basis swapping) undermining the rights of data subjects, but that there are cases where more than one legal processing base is applicable.

Furthermore, since the Labor Inspectorate, as an Independent Administrative Authority, is part of the Central Government and in particular the Central Administration bodies (according to no. 14 of law 4270/2014 but also the Register of Services and Bodies of the Greek Administration), further process is applied after the end of elabouration to archive in the public interest or for scientific or historical research or statistical purposes, which is not considered incompatible with the original purposes according to Art. 5 paragraph 1, case b) and Art. 89 paragraph 1 of GDPR.

Finally, the Hellenic Labour Inspectorate does not use as the main processing base the consent of the data subjects (whether it is simple data or for special categories), according to the recommendations of the Working Group of No. 29 (now European Data Protection Council). In exceptional cases, the subjects’ consent may be sought as a legal basis for processing (e.g., providing additional services) when the processing cannot be performed under a different legal basis. In these cases, too, the subjects are informed in advance and appropriately before giving their consent and retain full rights, including the withdrawal of consent.

Rights of Data Subjects

Data Subjects have the right to:

  1. Be informed about the processing of their personal data.
  2. Gain access to the personal data concerning them.
  3. Request the correction of incorrect, inaccurate, or incomplete personal data.
  4. Request the deletion of personal data when it is no longer necessary or if the processing is illegal. If applied as a legal basis for processing Art.6 par.1 case. e ) GDPR (processing for the fulfilment of a duty performed in the public interest or during the exercise of public power and the Art.9 par.2 case b ), g), j) in most of the processes of the HLI, the right of deletion is limited and will be evaluated on a case-by-case basis under strict conditions. According to Art. 4 of the Explanatory Memorandum of the GDPR, the right to personal data protection is not absolute; it must be valued concerning its functioning in society and weighed against other fundamental rights under the principle of proportionality.
  5. Oppose personal data processing for reasons related to their unique situation, subject to Art.21 par.6 of GDPR.
  6. Apply for a restriction on personal data processing in specific cases.
  7. Submit a complaint to the Hellenic Data Protection Authority (1-3 Kifissias Ave., 11523 Ampelokipi, tel. 210.647.5600, www.dpa.gr) or to the supervisory authority of the EU Member State where they live or work or to the supervisory authority of the place of the alleged violation.

Communication

The above rights, as well as any right regarding personal data, are exercised upon a written request submitted to any place accessible to the public, or via electronic communication, sending a message to dpo@yeka.gr and is also examined by the Data Protection Officer, whom the Hellenic Labor Inspectorate has appointed.

Processing principles

The Hellenic Labour Inspectorate complies with the principles governing the processing of personal data. Personal data (article 5 GDPR):

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’).
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to the implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Record of the Processing Activities

The Hellenic Labour Inspectorate keeps a record of the processing activities for which it is responsible. That record contains all of the following information:

  1. The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer.
  2. The purposes of the processing.
  3. A description of the categories of data subjects and of the categories of personal data.
  4. The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations.
  5. Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.
  6. Where possible, the envisaged time limits for erasure of the different categories of data.
  7. Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Protection of Personal Data

Taking into account, the nature, the scope, the context, and the purposes of the processing, as well as the risks of the different probability of occurrence and seriousness for the rights and freedoms of natural persons, the Hellenic Labour Inspectorate implements appropriate technical and organizational measures to ensure and be able to prove that the processing is carried out under the GDPR, adopting and applying a holistic policy of security on personal data.

In assessing the appropriate security level, provisions are taken in particular of the risks arising from the processing, particularly from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.

To prevent violation of personal data, the Hellenic Labour Inspectorate of the Ministry of Labour and Social Affairs has adopted and implements a policy against attacks on its information systems and a specific policy for managing cases of a personal data breach.

Staff Training

The Hellenic Labour Inspectorate accepts that the protection of personal data presupposes the awareness of its human resources regarding personal data protection. In this regard, agrees with the adoption and implementation of the following:

  1. Appropriate training by executing Fair Information Practices (FIP), governing the collection and use of personal data and addressing issues of privacy and accuracy.
  2. The Hellenic Labor Inpectorate seeks to raise awareness of fundamental concepts of personal data protection on its human resources.

Modification

This policy may need to be amended concerning the processing of personal data. In case the modification of the terms in question is of such nature and extent that the above data processing terms do not cover it, the Hellenic Labour Inspectorate must make public the new version of the policy.

Skip to content