Introduction
The General Data Protection Regulation (EU) 2016/679 strengthens the framework for the protection of data subjects with regard to the processing of personal data in the European Union.
Law 4624/2019 (Government Gazette A΄137/2019) defines implementation measures for the General Data Protection Regulation and incorporates Directive (EU) 2016/680 into national legislation.
The National Technical University of Athens complies, in the context of its purpose, actions and activities, with all legislation related to the protection of personal data arising from Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 and from Law 4624/2019. It takes the required technical and organizational measures to effectively ensure the protection of personal data, both at the time of determining the means of processing and at the time of the processing itself.
Notification to ensure protection of Personal Data, in accordance with current legislation
The institutional framework of the protection of Personal Data
The protection of natural persons against the processing of personal data is governed by the General Data Protection Regulation (EU) 2016/679, which establishes general rules in order to protect natural persons against the processing of Personal Data and ensure the free movement of personal data in the Union.
Furthermore, Directive 2016/680 of the European Parliament and of the Council establishes specific rules in order to protect natural persons against the processing of Personal Data and ensure the free movement of Personal Data in the Union in the areas of judicial cooperation in criminal matters and police cooperation.
Law 4624/2019 (Government Gazette A΄137/2019) defines implementation measures for the General Data Protection Regulation and incorporates Directive (EU) 2016/680 into national legislation.
The collection and processing of personal data
The National Technical University collects and processes only the personal data you have provided and which are necessary for the specific and clearly defined purpose.
The processing that takes place concerns the personal data provided to NTUA during your registration or when submitting an application, such as:
- Identity Data such as User Code, First Name, Surname, Middle Name, Photo, Identity or Passport Number, Issuing Authority, Date of Issue
- Contact data such as postal address, contact numbers, email address
- Demographic Data such as Nationality, Citizenship, Religion, Date of Birth, Place of Birth, Country of Birth, Citizen Registration Protocol
- Health Data such as Medical Opinions, Medical certificates
- Biographical data
In those cases where the processing is based on obtaining consent, the NTUA follows the procedures provided by law for obtaining this consent.
Protection of personal data
All personal data are collected by the NTUA in full compliance with European and National Legislation. They are processed lawfully and legitimately, in a transparent manner in relation to the data subject. Only the personal data required each time for the respective purpose of the processing are collected, exclusively for specific and lawful purposes. They are kept exclusively within the time frame determined by the applicable legal and regulatory framework, and they are processed in such a way as to ensure their necessary protection.
The rights of the Data Subject
The data subject has the following rights:
- The right to information and transparency, according to articles 12-14 of Regulation 2016/679
- The right of access, according to article 15 of Regulation 2016/679
- The right to rectification, according to article 16 of Regulation 2016/679
- The "right to be forgotten", also known as the right to erasure, according to article 17 of Regulation 2016/679
- The right to data portability, according to article 20 of Regulation 2016/679
- The right to object, according to article 21 of Regulation 2016/679
- The right to limit the processing, according to article 18 of Regulation 2016/679
- The right to withdraw consent, according to article 14 of Regulation 2016/679
The NTUA Data Protection Officer
What is a Data Protection Officer
The Data Protection Officer is an independent expert in the field of personal data, with proven knowledge and experience in the legislation and practical application of Personal Data, who reports directly to the head of the institution.
The definition and content of the role of the Data Protection Officer are provided for by the General Data Protection Regulation (Regulation (EU) 2016/679) (Articles 37-39), as well as by Directive (EU) 2016/680 (Articles 32-34).
In Greek Legislation, the role and function of the DPO, especially in public bodies, is provided for in the provisions of Articles 6-8 of Law 4624/2019.
The role of the Data Protection Officer (DPO)
The Data Protection Officer is appointed by the controller and the processor in the following cases, according to the GDPR (Article 37):
- If the processing is carried out by a public authority or body, other than courts acting within their jurisdiction,
- If the core activities of the controller or processor constitute processing operations which, due to their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or
- If the main activities of the controller or processor constitute large-scale processing of special categories of personal data according to Article 9 and data relating to criminal convictions and offenses referred to in Article 10 of the GDPR.
In addition, if the controller or processor is a public authority or public body, a single Data Protection Officer may be appointed for multiple authorities or bodies of a similar nature, taking into account their organizational structure and size.
The Data Protection Officer is appointed on the basis of professional qualifications, in particular his/her expertise in the field of data protection law and practices and his/her ability to fulfill his/her duties. He/she may be a member of the staff of the controller or the processor, or may perform his/her duties under a service contract.
In addition:
The controller and the processor should ensure that the Data Protection Officer participates promptly in all matters of the institution related to the protection of personal data.
In addition, he/she should have the support of the above in the exercise of his/her duties, through the provision of the necessary resources and information.
The Data Protection Officer is directly accountable to the highest administrative level of the controller or processor, in this case the Deanery of the National Technical University of Athens.
The Data Protection Officer may perform other duties and obligations, as long as it is ensured that these do not entail a conflict of interest.
Contacting the Data Protection Officer (DPO)
The controller or processor shall publish the contact details of the Data Protection Officer and notify the relevant supervisory authority.
Data subjects may contact the Data Protection Officer for any issue related to the processing of their personal data and the exercise of their rights under this regulation.
Obligation of secrecy and confidentiality
The DPO is bound by the observance of secrecy or confidentiality regarding the performance of his/her duties, in accordance with Union or Greek law.
What are the duties of the Data Protection Officer:
The Data Protection Officer, in accordance with Article 39 of the GDPR, has at least the following duties, which (s)he performs with due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing:
- informs and advises the controller or processor and the employees who process data about their obligations arising from GDPR, European Directive (EU) 2016/680, Law 4624/2019, and other provisions of the Union or Member State, regarding data protection,
- monitors compliance with the GDPR, with other Union or Member State provisions on data protection and with the policies of the controller or processor in relation to the protection of personal data, including delegation of powers, awareness raising and training of employees involved in processing operations, and related controls,
- provides advice, when requested, on the data protection impact assessment and monitors its implementation,
- cooperates with the supervisory authority,
- acts as a point of contact for the supervisory authority on issues related to processing, including prior consultation, and consults, as appropriate, on any other matter.
The NTUA Data Protection Officer
The Assistant Professor of Law of the School of Applied Mathematical and Physical Sciences of NTUA and Attorney at the Supreme Court, Evgenia Giannini, has been appointed Data Protection Officer for the National Technical University of Athens.
Communication with the Data Protection Officer is done via e-mail, at e-mail: or by written correspondence to 'Data Protection Officer NTUA, Zografou Polytechnic, 15780, Athens'.