PERSONAL DATA CONFIDENTIALITY AND SECURITY POLICY
This Personal Data Confidentiality and Security Policy is applied by the Société Anonyme under the name CITY CONTACT SMLLC (Hereinafter the “Company”)
The Company commits on the one hand to maintain confidentiality and the security of Personal Data (PD) collected in the course of its activities and, on the other hand, to comply with the applicable laws and regulations on the processing of PD, including Sensitive Data.
This policy aims to ensure that personal data is handled in accordance with:
The Company, acting as data controller and/or as data processor, ensures that this policy will be updated and will be communicated by any appropriate means both to its employees, as well as to third parties doing business with it.
In the context of its activities, the Company processes personal data and vows to process them in accordance with the applicable laws and regulations on the protection of PD. For that purpose, the Company has adopted and implements various policies and procedures for the lawful processing of personal data, by ensuring the confidentiality and security of PD and by protecting the rights of the Data Subject.
This policy summarizes all the procedures and principles governing the lawful processing of personal data in order to ensure compliance with the laws and regulations on the protection of personal Data within the Company.
The contents of this policy include the following:
This policy is binding; it is implemented by all departments of the Company and its branches and relates to every activity in the context of which personal data are collected, stored and used.
According to the definition of personal data, as per below, the personal data may pertain to employees of the Company, natural persons connected in any way with the Company as associates, and to Company suppliers and customers.
Here are the definitions of all the terms appearing in capital letters in the policies and procedures followed by the Company.
1) “Personal Data”: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is a person whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier, such as a name, an ID number, location data, an online ID or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person,
2) “Processing”: any action or set of actions carried out with or without the use of automated means, involving personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction,
3) “Restriction of Processing”: the labeling of stored personal data in order to limit its processing in the future,
4) “Creating a Profile”: any form of automated processing of personal data consisting in the use of personal data for the assessment of certain personal aspects of a natural person, in particular for the analysis or prediction of aspects relating to performance at work, the economic situation, health, personal preferences, interests, reliability, behavior, location or movements of that natural person,
5) “Pseudonymization”: the processing of personal data in such a way that data can no longer be attributed to a particular data subject without the use of supplementary information, provided that such additional information is kept separate and is subject to technical and organizational measures to ensure that it cannot be attributed to an identified or identifiable natural person,
6) “Archiving System”: any structured set of personal data accessible with the use of specific criteria, whether this set is centralized or decentralized or built on an operational or geographical basis,
7) “Controller”: the natural or legal person, the public authority, the service or another body which, alone or in conjunction with others, determines the purposes and the manner that personal data are processed; where the purposes and manner of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for the appointment thereof may be specified in Union law or the law of a Member State,
8) “Processor”: the natural or legal person, the public authority, the service or another entity processing personal data on behalf of the controller,
9) “Recipient”: the natural or legal person, the public authority, the service or other entity, to which personal data are disclosed, whether that is a third party or not. However, public authorities likely to receive personal data in the context of a specific investigation in accordance with Union law or the law of a Member State are not considered as recipients; the processing of such data by such public authorities shall be carried out in accordance with the applicable data protection rules depending on the purposes of the processing,
10) “Third party”: any natural or a legal person, public authority, service or body other than the data subject, the controller, the processor and the persons who, under the direct supervision of the controller or the processor, are authorized to process personal data,
11) “Consent” of the data subject: any indication of will, free, specific, explicit and in full awareness, by which the data subject agrees by way of a statement or with affirmative action, that his/her personal data be processed,
12) “Personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that has been transmitted, stored or otherwise processed,
13) “Health data”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about the state of his or her health,
14) “Supervisory Authority”: an independent public authority set up in accordance with Article 51 of the Regulation,
15) “Regulation”, “General Regulation”: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
According to the General Data Protection Regulation, the Company as Controller, but also when acting as Processor, is required to apply data protection principles throughout the processing of the data.
The security measures that the Company must take to ensure the correctness and lawful processing of personal data, fall into the following three main categories:
The Company must appoint a Security Officer and a Data Protection Officer, who will be in charge of supervising and monitoring the implementation of the policies and safety measures adopted by the Company for the protection of PD.
The Data Protection Officer of the Company is responsible for PD confidentiality and security issues and plays a key role in preserving the Company’s compliance as regards data protection obligations.
This means, among other things, that the Data Protection Officer of the Company:
Physical records containing personal data (sensitive or not) should be stored in locked cabinets or other lockable storage, the keys to which will be kept by the employee who, in accordance with the Organizational Chart, is authorized to have access to such records. A copy of the key will be kept by the Data Protection Officer. For security reasons, a copy of the physical file will also be kept in electronic form.
Electronic files containing personal data (sensitive or not) will be stored on the Company’s servers and appropriately authorized employees as per the Company’s Organizational Chart will have access to them. These records will be accessed with a username and password, which will be unique to each of the employees with access to the records.
III.1.C.ii. Classification of information
The data must be classified depending on its type (sensitive or not) and criticality. The management of physical and electronic files containing personal data shall be carried out as described above, regardless of their classification.
III.1.C.iii. Movement of information goods
Where equipment (such as a computer or a USB) with personal data is transferred outside the Company’s premises, this action must be recorded (date and time of exit, person using the equipment, return of the equipment) and be subject to the approval of either the legal representative of the Company or the Data Protection Officer and, if the latter is absent, to the approval of the Security Officer.
The Company is required to keep a list of all processors who handle personal data on its behalf within or outside its premises.
In the event that the Company assigns data processing to a processor, within the meaning of the relevant provisions of the Regulation, the assignment must be in writing and prescribe that the processor should carry out the processing only by order of the Company and that the other obligations detailed in Article 28 of the Regulation are undertaken by the processor.
Written assignment contracts must contain at least a description of the personal data, the purpose, location and mode/process of processing, the level of service that the processor must achieve (in terms of security and data quality), as well as the obligations of the processor, as referred to in Article 28 of the Regulation.
The processor has to take the appropriate organizational and technical measures for the safe keeping and processing of the personal data, in accordance with this Company Policy. The Company must ensure that the processor complies with the policies adopted by the Company for the protection of personal data in so far as it concerns the processor.
Rights of access to the Company’s systems are granted to the processor’s staff only when it is necessary for the fulfillment of their contractual obligations. The minimum required authorizations should be granted, which in turn should be abolished upon expiry of the contractual obligation.
The possibility to carry out the maintenance/upgrading of personal data equipment at the Company’s premises, where practical and appropriate, should always be considered.
When processing is carried out outside the Company’s facilities, the Company must ensure that the processor provides a level of security at least equivalent to that set forth in this Policy.
Before destroying forms or electronic files containing personal data, appropriate steps should be taken to ensure the complete and permanent deletion of such data, so as to exclude any further unlawful or unfair processing, such as any form of communication thereof to third parties. More specifically, at least the provisions of Directive 1/2005 of the Data Protection Authority on the safe destruction of personal data should be complied with once the period required for satisfying the purpose of processing has expired. Secure ways of destroying data are any set of procedures and measures which, once implemented, ensure that the data subjects can no longer be identified and that the destruction is irreversible, i.e. the data cannot be recovered after destruction by technical or other means.
The Data Protection Officer is required to implement appropriate mechanisms to control the proper compliance with the Company’s destruction process. The inspection will be entrusted to Company employees authorized specifically for this purpose.
If the destruction of data is performed on behalf of the Company by a person not dependent on it (processor), the Company is required to make the related assignment only in writing. The awarding contract should specify the measures to be applied by the processor for the safe transfer of the data to the site of destruction, the site of destruction, any interim storage sites, the mode of destruction, as well as the maximum time allowed from the date of delivery of the data by the Company to the processor until their final destruction. The awarding contract should also specify any additional requirements of the Company regarding technical and organizational destruction measures, as well as the exact details of any third parties (subcontractors) who are to perform, in part or in whole, the destruction of the data on behalf of the processor. It must further be ensured that the Company retains the power to dispose of and control the data until they are permanently destroyed. Hence, the processor must keep separately any data to be destroyed which pertains to the Company, with which the processor signs a relevant contract. The processor must be able to apply the appropriate technical and organizational means for the safe destruction of the data, and must have planned a destruction process and a destruction control process similar to those of the Company. Natural persons - employees of the processor carrying out the destruction must be specifically bound by the confidentiality of the processing.
The Company may apply inter alia the following data destruction measures:
(a) shredding of documents by authorized Company employees, with the use of specialized in-house document shredders, (b) pulping/recycling of documents, (c) incineration of the data substrate material.
After the destruction of data, a Data Destruction Protocol should be drafted, containing at least the following information: (a) date of destruction of the data, (b) a description of the data destroyed, (c) method of destruction, (d) the name of the Company employee responsible for the destruction, (e) the person who carried out the destruction (if the destruction is assigned to a processor).
To safely destroy electronic data, it is not enough to simply delete them (e.g. with the “DELETE” command), as this deletes only the reference to the data, while the data itself may be recoverable with the use of specific software.
The recommended way of safely destroying data stored on rewritable media (e.g. hard disks, floppy disks, rewritable DVDs and CDs) is to alter the data by overwriting them with random characters. This can be achieved with the use of special programs (file erasers, file shredders, file pulverizers). For routine, day-to-day data destruction, an alternative mode of destruction is the formatting of the substrate material.
In the case of a planned destruction of all data, an alternative way of destruction (for data of paramount significance) is also the natural destruction of the substrate material itself (e.g. by crushing, pulverization, incineration, subject to specific provisions on special waste management / environmental protection).
The destruction of the data also includes the destruction of all backups that the Company keeps of it, where practical and technically feasible.
A scheduled data destruction must be accompanied by a Data Destruction Protocol, as outlined above.
The Data Protection Officer must train the Company’s employees with regard to the procedure and methods of destroying personal data.
This policy and the procedures it involves are subject to regular revisions to ensure that they are properly implemented and fully in line with the legislation in force. Indicatively, they may be amended in cases where significant changes occur in at least one of the following: (a) the organizational structure of the Company, (b) information systems, (c) safety requirements, (d) technological developments, (e) the nature and/or processing of personal data. The policy and the procedures provided herein may also be altered following an internal or external audit which finds inadequate and/or ineffective security measures, or following a security breach incident.
The Security Officer, together with the Data Protection Officer, is responsible for making the necessary updates/revisions to this policy and the procedures contained herein, which will enter into force following a written approval by the Company’s management.
The Company should conduct an annual assessment of the level of effectiveness to determine whether the policies and procedures applied ensure the appropriate level of protection required by the Regulation.
This effectiveness assessment will be coordinated by the Company, with the support of the heads of the Company’s departments and the Data Protection Officer.