ZEUXIS NGO
The contact details of ZEUXIS NGO (data controller) are email: info@zeuxis.org.gr, tel: 210 3809870, address: Veranzerou 15, 10677, Athens. The contact details of the Data Protection Officer are dpo@zeuxis.org.gr, tel: 210 3809870, address: Veranzerou 15, 10677, Athens.
DATA PROTECTION POLICY
About us
ZEUXIS NGO is a non-profit civil company that implements actions aimed at supporting and protecting vulnerable groups. For the implementation of these actions, it is funded by the Public Investment Program (co-funded by the European Union), national resources, international organizations, and private entities. Established in 2018, it is registered in the General Electronic Commercial Registry and is based in Athens, Veranzerou 15, 10677.
ZEUXIS NGO belongs to the "Registry of Greek and Foreign Non-Governmental Organizations (NGOs) operating on issues of international protection, migration, and social inclusion" of the Ministry of Migration and Asylum and has been certified by the Ministry of Labor and Social Affairs as a provider of social care services.
ZEUXIS NGO as Data Controller
In the context of carrying out its activities, ZEUXIS NGO acts as the Data Controller in accordance with the legislation, as it maintains records and processes personal data, determining the purpose and defining the means of processing them. Specifically, ZEUXIS NGO is the Data Controller of, including but not limited to, its employees, the vulnerable individuals it serves, external collaborators, and any potential suppliers/persons.
Personal Data and Sensitive Personal Data
Personal data is defined as any information concerning natural persons, the identity of which is determined or can be determined directly or indirectly, such as name, identification number, home address, email address, online identification identifiers (e.g., cookies, IP address), or characteristics that identify the physical, genetic, psychological, economic, cultural, or social identity of the individual, including the image of a natural person (photographic material, video).
Sensitive Personal Data refers to personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, sex life, sexual orientation, as well as criminal convictions and offenses.
Health data refers to information "relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status" [Article 4 (15) of the General Data Protection Regulation]. Health data includes "information concerning a natural person collected in the course of registering for health services and in the course of providing such services as referred to in Directive 2011/24/EU to that natural person." Such information may consist of a number, a symbol, or an identifier assigned to a natural person for the purpose of fully identifying the natural person for health purposes, information resulting from examinations or analyses of a part or substance of the body, including genetic data and biological samples, and any information, for example, relating to disease, disability, risk of disease, medical history, clinical treatment, or the physiological or biomedical state of the data subject, irrespective of the source, such as from a doctor or other healthcare professional, a hospital or clinic.
What constitutes personal data processing
The term "processing of personal data" refers to any operation or set of operations performed, with or without the use of automated means, on personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of provision, alignment or combination, restriction, erasure, or destruction of personal data, whether they are in electronic form (electronic file) or in printed form (physical file).
Obligation to protect and safeguard personal data
ZEUXIS NGO collaborators and all employees and volunteers of ZEUXIS NGO are obliged to protect and safeguard the confidentiality, security, and integrity of the personal data maintained by ZEUXIS NGO, following its guidelines and instructions.
Principles of lawful personal data processing
1. Legality, fairness, and transparency: Personal data processing is lawful when conducted lawfully and fairly, with transparent means concerning the data subject ("lawfulness, fairness, and transparency").
2. Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes is not considered incompatible with the initial purposes according to Article 89(1) ("purpose limitation").
3. Data minimization: Data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed ("data minimization").
4. Accuracy: Data is accurate and, when necessary, kept up to date. All reasonable steps are taken to promptly erase or rectify inaccurate personal data in relation to the purposes of processing ("accuracy").
5. Storage limitation: Data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods provided that the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of appropriate technical and organizational measures to safeguard the rights and freedoms of the data subject ("storage limitation").
6. Integrity and confidentiality: Data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures ("integrity and confidentiality").
The legal bases for processing non-sensitive personal data by ZEUXIS are as follows:
1. Consent of the data subject: Processing is lawful when the data subject has given consent for one or more specific purposes.
2. Performance of a contract: Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
3. Compliance with a legal obligation of ZEUXIS: Processing is necessary for compliance with a legal obligation to which ZEUXIS is subject.
4. Protection of vital interests of the data subject or another natural person: Processing is necessary to protect the vital interests of the data subject or another natural person.
5. Pursuit of legitimate interests of ZEUXIS: Processing is necessary for the purposes of the legitimate interests pursued by ZEUXIS, provided that such interests do not override the interests or fundamental rights and freedoms of the data subject requiring protection of personal data.
The legal bases for processing sensitive personal data by ZEUXIS are as follows:
1. Explicit consent of the data subject: Processing is lawful when the data subject has given explicit consent for one or more specific purposes.
2. Performance of obligations and exercise of specific rights of ZEUXIS or the data subject in the field of labor law and social security law and social protection law: Processing is lawful if allowed by Union or Member State law or by a collective agreement, providing appropriate safeguards for the fundamental rights and interests of the data subject.
3. Protection of vital interests of the data subject or another natural person: Processing is lawful if it is necessary to protect the vital interests of the data subject or another natural person, especially when the data subject is physically or legally incapable of giving consent.
4. Processing within the legitimate activities of ZEUXIS: Processing is lawful if it solely concerns members or former members of the organization or individuals who have regular contact with it for the organization's purposes, and if the personal data are not disclosed outside ZEUXIS without the consent of the data subjects.
5. Establishment, exercise, or defense of legal claims: Processing is lawful when it is necessary for the establishment, exercise, or defense of legal claims, or when courts are acting in their judicial capacity.
6. Processing for substantial public interest: Processing is lawful if it serves a substantial public interest that is proportionate to the intended purpose, respects the essence of the right to data protection, and provides appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.
7. Processing for preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, provision of health or social care or treatment, or management of health or social systems and services, or on the basis of a contract with a health professional: Processing is lawful for these purposes.
8. Processing for reasons of public interest in the area of public health: Processing is lawful for these purposes.
9. Processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes: Processing is lawful if it serves purposes that are proportionate to the intended goal, respects the essence of the right to data protection, and provides appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.
Purpose of Processing - Categories of Data Subjects and Retention Periods
1. Purpose of Processing:
ZEUXIS maintains records and processes personal data to fulfill its objectives as an NGO, including:
- For the administration of its human resources and the fulfillment of any obligations arising from labor law or employment contracts, including (but not limited to) payroll processing, granting sick leave to staff, training, allowances, etc.
- For providing housing, food, medical care, and treatment to beneficiaries and communicating with their companions, relatives, and legal representatives.
- For invoicing its services.
- For monitoring and certifying the financial and physical assets of the actions it implements.
- For collaborating with any suppliers or external partners within the scope of its operations and objectives.
- For any actions related to the above purposes.
Data Subjects
To fulfill the above purposes, ZEUXIS maintains a record and processes personal data of the following individuals ("data subjects"):
- Employees in general (regardless of the form of their employment contract), including job applicants and those applying for voluntary work.
- Members of the Administration.
- External collaborators and suppliers.
- Beneficiaries and their relatives, acquaintances, and/or legal representatives, including those applying to participate in ZEUXIS activities.
- Other individuals on a case-by-case basis.
Categories of Personal Data
ZEUXIS collects and processes the necessary personal data of the above-mentioned data subjects for the fulfillment of the aforementioned processing purposes, including (indicatively and not limited to) the following data:
- Name and surname of beneficiaries, relatives, acquaintances, legal representatives, employees, suppliers, etc.
- Contact details (address, telephone, email, etc.).
- Health data of beneficiaries/employees.
- Data related to the social insurance of beneficiaries/employees.
- Data related to the family and legal status of beneficiaries.
Regarding specifically the Personnel, ZEUXIS maintains a record and processes the personal data of employees that are necessary for the execution of the employment contract and the fulfillment of the social security obligations of the employees, including health data of employees, and transmits personal data to comply with the obligation arising from Law 4686/2020 (Article 58) for NGOs operating in the field of international protection, migration, and social inclusion, as defined in the provisions of decision No. 10616/2020 Ministerial Decision (Government Gazette 3820 tB).
ZEUXIS does not profile employees to make legally binding decisions for them. ZEUXIS may use closed-circuit television solely for the security purposes of the premises and beneficiaries, informing individuals entering its area accordingly. Closed-circuit television is not used to monitor the behavior and/or evaluate the performance of employees, except in cases where evaluating their behavior is necessary for taking contractual or disciplinary measures against them, or for exercising legal remedies against them due to unconventional and/or illegal behavior.
Access to data within ZEUXIS is provided on a case-by-case basis and depending on their duties by Administrative Personnel, Accounting, Management, ZEUXIS IT Support, and Scientific Personnel, which collects personal data from beneficiaries as necessary. Recipients of employee data outside ZEUXIS include Public Authorities on a case-by-case basis (e.g. National Health Services Organization, ERGANI, National Statistical Authority, Prosecutorial and/or Judicial Authorities), and funding bodies that control the implementation of the physical and financial object of the actions implemented by ZEUXIS following the signing of the relevant agreement.
ZEUXIS does not transfer personal data of employees outside the European Union.
Retention Period
- Employee Data: Personal data of employees are retained for the entire duration of the employment relationship, as well as for the necessary period required by labor, tax, and social security legislation, which cannot be less than the legal prescription period.
- Job Applicant Resumes: Job applicant resumes are retained for a period of five years.
- Beneficiary Personal Data: Personal data of beneficiaries are retained for ten years, a deadline that starts from the entry of the beneficiary into the structures of ZEUXIS. ZEUXIS reserves the right to retain medical records beyond the aforementioned period for archival, scientific research, or statistical purposes, taking necessary measures to minimize and anonymize the data.
After the expiration of the above deadlines, ZEUXIS takes care to destroy the data using the safest methods of destruction and to permanently delete electronic records from its electronic systems.
How do we ensure data protection?
ZEUXIS is committed to applying effective technical and organizational measures during the planning and execution of any type of data processing to ensure compliance with current legislation and the protection of the rights of data subjects. This commitment applies to management, staff, and collaborators regardless of status.
It implements security technologies to protect data from unauthorized access, improper use, alteration, illegal or accidental destruction, and accidental loss to ensure the integrity and confidentiality of personal data. This obligation for secure management of personal data extends to:
- Physical files of personal data (such as forms, personnel files, beneficiary files, etc.)
- Electronic files of any kind.
- Photographs, audio recordings, and any visual or auditory material used for events and activities of any kind.
- Any other types of personal data that may be subject to processing.
Specifically, within the framework of this Policy, among other things:
- Physical files of personal data are kept in protected and locked spaces (locked cabinets, locked drawers, etc.), the keys of which are held only by personnel members authorized to access them based on their duties. Special attention is given to the safekeeping and protection of the confidentiality of physical files containing data of special categories (sensitive personal data).
- Outsourcing of data processing to third-party processors is done with the necessary contractual commitments, and their adoption of the necessary security measures is regularly checked according to contractual terms and GDPR requirements.
- Electronic files are stored and accessible only by authorized users with specific access rights. They are stored in a way that allows for the restoration of availability and access in case of a physical or technical event. The electronic file is stored remotely using cloud technology and accessible from authorized terminals regardless of geographic location. The electronic file has specific access levels depending on the authorization granted to the user.
- Pseudonymization and/or encryption of personal data are used on a case-by-case basis.
- A procedure is followed for the regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures to ensure processing security.
- In case of any data breach, the incident management process provided for in the GDPR is followed.
The visit of each visitor to the website implies acceptance of the cookie policy (when used), within which everyone has the right to freely provide or not their consent, according to case-by-case distinctions and options provided.
Cookies are small text files stored on your computer or mobile device when you visit a website. The term "cookies" is used as an umbrella term to describe techniques. Cookies are mainly used to facilitate your visit to our website.
At present, during your visit and navigation on our website, we do not collect any other data, except for the automatic recording of the user's Internet Protocol (IP) address and connection data, without revealing identifiable elements of the user's physical identity. Other data is not collected unless you have explicitly provided your consent. The aforementioned processing is carried out in order to provide you with access to our website and the information contained therein.
Regarding data security specifically, we use a secure connection (https://) and security measures to prevent the risk of loss, misuse, unauthorized access, and disclosure of data.
How do we ensure that data processors respect the data?
ZEUXIS provides its personnel access to personal data submitted for processing only to the extent that is absolutely necessary for the performance of its lawful activities. Access to the data is strictly limited to authorized individuals, and those authorized to process the received personal data have undertaken a commitment to confidentiality or are subject to regulatory confidentiality obligations, ensuring that they:
- Provide sufficient guarantees in terms of knowledge and personal integrity to maintain confidentiality.
- Adhere to appropriate protection measures.
- Have been informed and committed in advance to the confidentiality of the data.
- Are familiar with and follow the instructions of the Data Controller regarding data processing and will be informed of any updated guidelines issued by the Data Controller.
- Are aware of and comply with applicable legislative and regulatory provisions for data protection and have been informed that any breach of their obligations may incur personal liability (civil and criminal).
Basic rights of data subjects based on the GDPR
1. Right to information (Articles 13-14) and access (Article 15) to data.
2. Right to rectification (Article 16): You have the right to request from the data controller the correction of inaccurate data concerning you, as well as the completion of incomplete data concerning you.
3. Right to erasure ("right to be forgotten") (Article 17): When you no longer wish for the processing and retention of your personal data, you have the right to request their erasure, provided that the data are not kept for a specific lawful purpose (such as obligations arising from labor legislation, insurance legislation, obligations for checks by competent authority or competent body to verify the implementation of actions, any civil or criminal claims).
4. Right to restriction of processing (Article 18): You are entitled to obtain from the data controller restriction of processing under certain conditions. The data subject is entitled to obtain from the data controller restriction of processing when one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data,
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use,
c) the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims, or
d) the data subject has objected to processing pursuant to Article 21(1) of the GDPR, pending the verification of whether the legitimate grounds of the data controller override those of the data subject.
When processing has been restricted in accordance with paragraph 1, such personal data, apart from storage, shall only be processed with the data subject's consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State. The data subject who has obtained restriction of processing shall be informed by the data controller before the restriction of processing is lifted.
5. Right to data portability (Article 20): You have the right to receive or request the transfer of your data, in a machine-readable format, from one data controller to another under specific conditions, if you wish.
6. Right to object to processing (Article 21): You have the right to object to the processing of your data under specific conditions. The data subject has the right to object, at any time and for reasons related to their particular situation, to the processing of personal data concerning them, including profiling. The data controller no longer processes the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
7. Right to lodge a complaint or report to the competent supervisory authority, the Hellenic Data Protection Authority (www.dpa.gr).
Furthermore, ZEUXIS undertakes the obligation to inform you, without undue delay, and in any case within 72 hours, of any breach of your personal data, which may pose a high risk to your rights and freedoms, provided that such breach is not subject to one of the exceptions explicitly provided by law. In any case, if you discover a breach of the protection of your personal data, you have the right to appeal to the Hellenic Data Protection Authority.