PRIVACY POLICY
HOME PRIVACY POLICY

ΠΡΟΣΩΠΙΚΑ ΔΕΔΟΜΕΝΑ

HASP Privacy and Personal Data Protection Statement


1. Introduction
The Hellenic Aviation Servise Provider (HASP) is committed to protecting your personal data. Our goal is to process your data lawfully, fairly, securely, and only when it is truly necessary.
We comply with:
  • the EU General Data Protection Regulation (GDPR) 2016/679,
  • Law 4624/2019, and
  • all other rules that apply to public authorities regarding personal data.
This privacy statement explains:
  • what personal data we collect,
  • why we collect and use it,
  • how we keep it safe,
  • who may receive it, and
  • what your rights are.
2. Why we process personal data
As a public authority, the HASP processes personal data in order to carry out tasks assigned to it by law.
This includes activities performed in the public interest and the exercise of official authority.
Our legal basis comes mainly from:
  • Article 6(1)(e) GDPR (public interest/official authority)
  • Article 5 of Law 4624/2019
We only collect the minimum amount of data needed for each purpose, and we do not use your data for reasons that are incompatible with the original purpose.
In some cases, the law allows us to use your data for:
  • archiving in the public interest,
  • scientific or historical research,
  • statistical purposes.
In exceptional situations, we may also process data for purposes relating to:
  • national security,
  • national defence,
  • public safety,
  • the detection of serious crimes,
    as provided in Articles 29–30 of Law 4624/2019.
We do not need your consent
The HASP, as a public sector authority, normally does not rely on consent to process personal data, because the law requires or authorises us to do so.
Consent is used only in exceptional and optional cases, such as:
  • informing you about participation in events,
  • publishing your photograph on our website,
  • or other future activities that are optional and not required by law.
3. What types of personal data we process
Below are the main categories of people whose data we process and examples of the data involved.
HASP employees, former employees, and job applicants
We may process:
  • identification data (name, family details),
  • demographic data (birth date/place, education, marital status),
  • contact details,
  • AFM, AMKA, bank account numbers,
  • employment-related data required by the Civil Servants’ Code,
  • health data when required by law.
Citizens who contact or interact with the HASP
For applications, requests, complaints, and similar matters, we may process:
  • identification data,
  • contact details,
  • other information required by administrative law.
Suppliers, contractors, and commercial partners
We may process:
  • identification data of natural persons or legal representatives,
  • financial and tax details,
  • criminal record certificates when required by law,
  • contact details,
    as part of public procurement or commercial leasing procedures.
Trainees and instructors of the Civil Aviation Training School (SPOA)
We may process:
  • identification, demographic, and contact details,
  • information necessary for participation in training and examination programmes.
Visitors entering HASP facilities
For security purposes, we may process:
  • identification data,
  • ID document numbers,
  • vehicle licence plate numbers.
Important note
The HASP:
  • does not sell or trade personal data,
  • does not use automated decision-making,
  • does not create profiles based on your data.
4. Who receives your data
We share personal data only with recipients authorised by law and only when necessary. These may include:
External partners (processors)
They process data strictly under our instructions and are bound by confidentiality agreements and data protection obligations.
Health committees
When staff are absent for long periods due to health reasons.
Participants in procurement or leasing procedures
In accordance with public procurement legislation.
Public authorities and courts
Such as:
  • ASEP
  • Ombudsman
  • Inspectorates
  • Prosecutorial and judicial authorities
  • The Hellenic Data Protection Authority (HDPA)
    when they legally request information necessary for their duties.
Citizens with a legitimate interest
When access to documents is allowed under Law 2690/1999 and other relevant legislation.
5. How long we keep your data and where it is stored
We keep personal data only for as long as required by law or for as long as needed to complete the purpose of processing.
For example, in the case of a legal dispute, data may be kept until the final court decision.
Data are stored:
  • in secure physical files (locked offices, filing cabinets), and/or
  • in secure electronic systems located within HCAA premises (servers, computer rooms, authorised workstations).
Only authorised staff have access.
6. How we protect your personal data
We take organisational and technical measures to keep your data safe. These include:
Physical security
  • fire protection systems,
  • extinguishers,
  • flood/temperature detectors,
  • backup power generators,
  • secure access to areas where data are stored.
Digital security
  • protected server and computer configurations,
  • regular backups and secure backup management,
  • access control to prevent unauthorised access.
Archive management
  • structured and documented organisation of physical files,
  • secure storage (locks, restricted access).
 
Confidentiality
All staff who handle personal data are bound by confidentiality obligations, which continue even after they stop working for the HASP.
If a data breach occurs
If a personal data breach occurs:
  • We notify the Hellenic Data Protection Authority within 72 hours, unless there is no risk to your rights.
  • We notify you if the breach could affect you — except when the law requires confidentiality to protect other individuals or overriding public interests.
We also take corrective actions to address the breach and reduce any consequences.
7. Your rights
You can exercise your rights by submitting a written request to the HASP.
These include:
Information and Access
Articles 13–15 GDPR
You can ask for information on how we process your data and request access to it.
Correction
Article 16 GDPR
You can request that we correct inaccurate or incomplete data.
Restriction of processing
Article 18 GDPR
You can ask us to restrict processing under certain conditions.
Objection
Article 21 GDPR and Article 35 of Law 4624/2019
Public authorities are not required to accept objections when processing is necessary for an overriding public interest or mandated by law.
However, you may still submit an objection if you consider the processing unlawful, and the HCAA will examine your request.
If you believe your data are not protected
You may:
  • contact the HASP Data Protection Officer (DPO), or
  • submit a complaint to the Hellenic Data Protection Authority (HDPA).
8. Contact
For information or questions about your personal data, you may contact:
HASP Data Protection Officer (DPO)
Phone: +30 210 8916409
Email: dpo@hasp.gov.gr
9. Updates to this policy
This privacy policy may be updated.
If major organisational or operational changes occur, the HASP will issue a new, updated version.