The public benefit non-profit private legal entity under the name “Neraida Floating Museum” (hereinafter referred to as “Museum”) sets the protection of privacy as a high priority and is committed to providing sufficient guarantees, securing the protection of the collected personal data. This Data Protection Policy provides information about the nature of personal data collected through the Museum’s official website, www.neraida.org (hereinafter referred to as “Website”), or through the Museum’s contact e-mails, the data processing purposes, the way of managing data as well as the rights of data owners according to the General Data Protection Regulation (GDPR) EU 2016/679 (hereinafter “the Regulation”), the Law 4624/2019 and the Regulatory Acts of the Hellenic Data Protection Authority.
Who is the Data Controller?
The Data Controller is the public benefit non-profit private legal entity under the name “NERAIDA FLOATING MUSEUM” based at Kifissia, 59 Diligianni Street, post code 14562.
In which cases and what personal data do we collect?
The Museum collects personal data in the following cases:
i. When you contact the Museum through the Website’s online Contact Form, or when you contact the following email address: [email protected], entering data such as your name and surname, e-mail address and/or postal address and phone number.
ii. When you submit an application for participation in the guided tours and educational programmes of the Museum, either as an individual visitor or as an entity/organisation representative, entering data in the specially designed online application forms such as the name and surname of the representative of the organization, profession, postal address and/or e-mail address and contact phone number. Please note that the Museum does not collect personal data of minors, unless it has obtained explicit consent from the holder of parental responsibility, according to Article 8 of the Regulation.
iii. When you voluntarily subscribe to the newsletter: you fill in your e-mail address in the specific area of the Website in order to receive updates about the news, the themed or group guided tours, the educational programmes, the events and the non-profit activities of the Museum in general. The newsletter is sent via the “Mailchimp” platform, which guarantees the protection of the e-mail addresses and other personal data, by being a member of the “EU – US Privacy Shield” programme.
iv. When submitting supporting documents to us, as part of your participation in a guided tour, an education programme, an event or other activity of the Museum.
vi. When you visit the Website, the server logs your IP address into a log file, which is deemed personal data, even if we are unable to identify the data subject. Log files help us record information about the type of browser you are using and other information, such as the date and time of your visit to the Website. The above data is stored for fifty-two (52) days in order to ensure network security and the safety of data from accidental events and illegal or malicious conduct which may risk the availability, authenticity, integrity and confidentiality of the stored data and the operation of the Website. During the fifty-two (52) days, only the authorized server administrator has access to the files. At the expiration of the retention time, the data are automatically deleted.
For what purposes do we collect your personal data?
The Museum collects personal data only to the extent that is necessary in relation to the processing purposes, and these data are not subject to further processing in any way incompatible with the purpose for which they were originally collected. The Museum does not transmit or disclose in any way the subject’s personal data to third parties except for specific cases and always in relation to the purpose for which they were initially collected. These specific cases are mentioned in the following section.
We process your personal data for the following purposes:
i. In order to contact you upon your request or question or in case of comments through the Website.
ii. In order to send you updates about the news, the themed or group guided tours, the educational programmes, the events and the non-profit activities of the Museum in general, upon newsletter registration.
iii. In order to process the application forms for participation in guided tours and educational programmes that we receive through the Website and schedule the respective visits.
iv. In order to carry out annual reports.
v. In order to retain historical archive and conduct statistical analyses.
vi. In order to secure and protect the exhibits and premises of the Museum.
vii. In order to submit the data to the competent authorities that monitor the Museum’s operation.
viii. In order to protect the legitimate interests of the Museum, as well as to fulfill contractual or statutory obligations.
Who are the recipients of your personal data?
The recipients of your personal data are the authorized employees and/or authorized external partners of the Museum and/or independent consultants/experts of recognized standing, who are involved in a specific programme or activity of the Museum, acting in the name and on behalf of the Museum. All the aforementioned natural persons or legal entities are bound by confidentiality and personal data protection statements for the data they may receive and/or process in any way, always in accordance with the purpose for which the data were collected. As a rule, collected data are not disclosed to third parties under any circumstances, are not made public and are not exploited in any way, except for specific third parties who are strictly mentioned in this Policy.
The Museum may disclose your personal data to the public benefit foundation under the name “John S. Latsis Public Benefit Foundation”, which funds the Museum’s operation, in relation to the original collection purposes. The collection and data processing by the John S. Latsis Public Benefit Foundation is performed within the scope of retaining an archive of the Museum’s activities and managing administrative issues.
By way of exception, the Museum may transmit collected personal data, being processed according to the purposes of this Policy, to third parties in the following cases:
i. When it has obtained explicit consent from the data subjects to disclose their personal data in any way.
ii. When transmitted to third parties who process your personal data solely for the fulfillment of their obligations arising from their contractual relationship with the Museum and who, in their capacity as Processors, provide guarantees regarding their compliance with the appropriate security measures enforced by the current legislation. Third-party providers may be natural persons or legal entities that provide consulting or applications development and maintenance services and are used by the Museum.
iii. When it complies with current legislation or orders of a Public or an Independent Administrative Authority.
iv. When it defends legitimate interests and the rights of the Museum.
Where and for how long do we keep your data?
Your data is stored in the Museum’s electronic system, hosted on a server within a specially configured and predefined computing center (hereinafter referred to as “Data Center”), which is located in the Koropi region of Attica, Greece. Server management is carried out by a service provider company bound to apply all the appropriate methods and international best practices, ensuring that only its authorized personnel have access to the data collected, by undertaking an explicit obligation of confidentiality and protection of personal data.
As a general principle, the Museum holds the subject's personal data in an identifiable form only for the absolutely necessary period required, which is defined by the purposes of the processing for which they are collected, as well as the fulfillment of tax and other legal or contractual obligations. Each category of personal data has a different retention period. For instance, data processed under a contractual relationship are retained for a longer period, even after the fulfillment of the contract, in order to protect the Museum’s legitimate interests. In other cases, the Museum may retain non-identifiable personal data for statistical and research purposes.
Retention periods are in compliance with the current legislation about Personal Data Protection, international best practices and the Museum’s Retention Policy in order to minimize and erase the personal data collected.
What guarantees do we take to protect your data?
The Museum implements the necessary technical and organizational security measures, providing technical protection mechanisms of content in order to ensure as much as possible a safe environment for your data, according to the relevant legislative provisions. In this scope, the Museum regularly monitors security systems and restricts access to the subject's personal data only to the authorized personnel, who need to be aware of those data and are bound by confidentiality and personal data protection statements.
What are your rights regarding the protection of your personal data and how can you exercise them?
In accordance with the Regulation and the Greek Law 4624/2019, you have the following rights regarding the personal data collected and processed by the Museum:
a) Right to Access: you are entitled to ask the Museum if your data is being processed, and if so, request access to your data being processed, the recipients of your data, the purpose of processing etc.
b) Right to Erasure (“the right to be forgotten”): you have the right to ask for rectification of inaccurate data or erasure of your data, under certain conditions according to the Regulation and the Law 4624/2019.
c) Right to Restriction of Processing: you have the right to ask for restriction of processing of your personal data in particular cases explicitly mentioned in the Regulation and the Law 4624/2019.
d) Right to Data Portability: you have the right to obtain the personal data you provided to the Museum, in a structured, commonly used and machine-readable format, according to the Regulation and the Law 4624/2019.
e) Right to Object: you are entitled to object to the processing of your data at any time.
f) Right to Lodge a Complaint: you have the right to lodge a complaint with the supervisory authority in case of unlawful processing of your data.
Data Protection Officer (DPO)
For any matter relating to the management of your personal data, or in case you wish to exercise any of your rights above, you can contact our DPO by sending an email to [email protected], by post at the address of the Neraida Floating Museum, 59 Diligianni Street, post code 14562, Kifissia, or by phone at +30-210-6282253.
Data Protection Supervisory Authority
The Greek supervisory authority monitoring the application of the Regulation and the Law 4624/2019 is the Hellenic Data Protection Authority. You can contact the above authority directly for personal data management issues through the following contact details:
by post: 1-3 Kifisias Av., 11523, Athens
by phone: +30-210-6475600
by e-mail: [email protected]
Amendments to Data Protection Policy
The present Policy, which has been published on the Website www.neraida.org, aims at the protection of your privacy in the most effective way. Being respectful of and dedicated to personal data protection, we thoroughly monitor the implementation of our policies and procedures and update them, aiming at continuous improvement of our operations as well as the development of new, internationally recognized best practices. This Policy may be modified at any time without prior notice to data subjects. You are, therefore, advised to review it regularly in order to ensure you are aware of any modifications.
The present Data Protection Policy is effective as of January 1st, 2019.