INTRODUCTION
The Privacy Policy constitutes a single legal document governing all uses of personal data by the Municipality of Kymi–Aliveri, including all information systems and procedures related to the processing of personal data.
It is written in plain legal language that is intended to be easy to understand and apply. It avoids specialised technical terms and references that could complicate its implementation or tie it to particular technological choices. Beyond its regular revisions, the policy may also be modified whenever significant changes occur in at least one of the following areas: a) the organisational structure of the data controller, b) the information systems, c) the security requirements, d) technological developments, e) the type of personal data and/or the processing performed on it. The policy may also be amended following internal or external audits that reveal insufficient or ineffective security measures, or in response to a personal data breach.
While clear and specific, the policy is written to be general enough to apply to future systems integrated into the Municipality’s information infrastructure without requiring major modifications at short notice.
Finally, the security policy has a public character and is binding on all personnel who in any way handle personal data. It fully complies with the relevant applicable legislation.
1. PURPOSE
The purpose of this document is to define the obligations and policy of the Municipality of Kymi–Aliveri for protecting the privacy of data subjects and to establish appropriate measures to prevent the leakage of personal data.
The Municipality’s administration is committed to fulfilling the requirements of the General Data Protection Regulation (GDPR) and recognizes the protection of personal data as a top priority. The document also aims to ensure a secure processing environment and to promote a workplace culture of awareness regarding the safe use of personal data, for which all necessary resources are made available.
2. SCOPE
This policy applies to the processing of personal data, in both physical and digital form, collected by any means by the Municipality for the purpose of serving its legitimate interests.
3. RESPONSIBILITIES
Responsibility for compliance with this policy lies with the Municipality’s administration and the Data Processors, under the supervision of the Data Protection Officer (DPO).
4. PRINCIPLES OF PROCESSING
The Municipality ensures compliance with the fundamental principles of the General Data Protection Regulation, both in current processing activities and in the introduction of new processing methods, such as new information systems.
Specifically, the processing principles with which compliance is ensured are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
5. RIGHTS OF THE INDIVIDUAL
The rights of data subjects are supported through appropriate procedures that enable the required actions to be taken within the time limits set by the GDPR.
The rights of data subjects are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (the right to be forgotten)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
To exercise the above rights, you may submit your request to the Municipality’s Protocol Office or via email at dimos.kimis-aliveriou@0902.syzefxis.gov.gr.
Additionally, if you believe that the processing of your personal data violates the applicable data protection laws, you may lodge a complaint with the Hellenic Data Protection Authority (postal address: 1-3 Kifissias St., 115 23 Athens, Greece, tel. +30 210 6475600, email: contact@dpa.gr).
6. LAWFULNESS OF PROCESSING
It is a primary compliance obligation of the Municipality to identify the appropriate legal basis for each processing activity (sensitive and non-sensitive data) and to document it by reference to the relevant Articles (6 & 9) of the General Data Protection Regulation.
The legal basis and other characteristics of each processing activity are recorded in the Records of Processing Activities of the Data Controller and the Processors.
7. PRIVACY BY DESIGN
The Municipality adopts the principle of Data Protection by Design and will ensure that the identification and design of all new or significantly altered systems that collect or process personal data are subject to an appropriate review of privacy protection issues.
When processing activities are likely to result in a high risk to the rights and freedoms of natural persons, a Data Protection Impact Assessment (DPIA) will be conducted. The use of techniques such as data minimization, pseudonymization, anonymization, and encryption will be considered where feasible and appropriate.
8. TECHNICAL SECURITY MEASURES
The Municipality takes all necessary technical security measures depending on the available processing systems and infrastructures, including the following:
- 8.1. Use of strong, complex passwords for access to systems and applications, changed at regular intervals. Passwords must combine numbers, uppercase and lowercase letters.
- 8.2. Use of modern computer operating systems and their continuous updates.
- 8.3. Avoidance of free-download software.
- 8.4. Use of anti-malware protection software (antivirus).
- 8.5. Activation of the host firewall on computers.
- 8.6. Disabling of storage media functions (e.g., USB) where not required (e.g., secretariat PCs).
- 8.7. Regular backups at scheduled intervals.
- 8.8. Capability to encrypt files on local computer disks through the operating system.
- 8.9. Capability to encrypt external storage devices (e.g., external hard drives, USB sticks, etc.).
- 8.10. No routine use of privileged access rights (local Administrator rights), and no granting of such rights to ordinary users.
- 8.11. Avoidance of free webmail services (e.g., Yahoo) for sending or receiving sensitive data, such as medical examination results.
- 8.12. Automatic screen locking of employees’ computers after a period of inactivity.
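As an added example, not part of the Municipality’s policy or of any tool it names, the following read-only PowerShell script checks a Windows workstation against several of the controls above (8.1, 8.4, 8.5, 8.6, 8.8, 8.10 and 8.12), which is the kind of verification an auditor under section 12 would want to automate. It assumes Windows 10/11 with the NetSecurity, BitLocker, Defender and LocalAccounts modules, an elevated session, and Microsoft Defender as the anti-malware product; the numeric thresholds (minimum length 12, rotation every 180 days, lock after 10 minutes, at most two local administrators, signatures no older than 3 days) are assumptions chosen for illustration, since the policy states none.

```powershell
# Added example (not part of the Municipality's policy): read-only audit of a Windows
# workstation against controls 8.1, 8.4, 8.5, 8.6, 8.8, 8.10 and 8.12.
# Assumptions: Windows 10/11, elevated PowerShell 5.1+ session, NetSecurity, BitLocker,
# Defender and LocalAccounts modules available. All thresholds below are assumptions.
$MinPasswordLength  = 12    # assumed minimum length
$MaxPasswordAgeDays = 180   # assumed rotation interval
$MaxIdleSeconds     = 600   # assumed screen-lock timeout (10 minutes)
$MaxLocalAdmins     = 2     # assumed: built-in Administrator plus one IT support account
$MaxSignatureAgeDays = 3    # assumed freshness of anti-malware signatures

function Invoke-PolicyAudit {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{
            Control = $Control
            Result  = $(if ($Pass) { 'PASS' } else { 'FAIL' })
            Detail  = $Detail
        })
    }

    # 8.1 Password policy: export the local security policy with secedit. The [System Access]
    # keys are not localised, unlike the output of "net accounts" on Greek-language Windows.
    # On a domain-joined host the effective policy for domain accounts comes from the domain.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit.exe /export /cfg $cfg /quiet | Out-Null
    $pol = @{}
    Get-Content $cfg | ForEach-Object {
        if ($_ -match '^\s*(MinimumPasswordLength|PasswordComplexity|MaximumPasswordAge)\s*=\s*(-?\d+)') {
            $pol[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    Add-Finding '8.1 Password length'     ($pol.MinimumPasswordLength -ge $MinPasswordLength) "MinimumPasswordLength=$($pol.MinimumPasswordLength)"
    Add-Finding '8.1 Password complexity' ($pol.PasswordComplexity -eq 1) "PasswordComplexity=$($pol.PasswordComplexity) (1 = enforced)"
    Add-Finding '8.1 Password rotation'   ($pol.MaximumPasswordAge -gt 0 -and $pol.MaximumPasswordAge -le $MaxPasswordAgeDays) "MaximumPasswordAge=$($pol.MaximumPasswordAge) days (-1 = never expires)"

    # 8.4 Anti-malware: Microsoft Defender status (unavailable if a third-party product is installed)
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        Add-Finding '8.4 Anti-malware' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) "AntivirusEnabled=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled) SignatureAge=$($mp.AntivirusSignatureAge) days"
    } else {
        Add-Finding '8.4 Anti-malware' $false 'Defender status unavailable; verify the installed product manually'
    }

    # 8.5 Host firewall must be enabled on every profile (Domain, Private, Public)
    Get-NetFirewallProfile | ForEach-Object {
        Add-Finding '8.5 Firewall' ([string]$_.Enabled -eq 'True') "$($_.Name) profile Enabled=$($_.Enabled)"
    }

    # 8.6 USB mass storage: Start=4 disables the USBSTOR driver. The policy requires this only
    # on designated PCs (e.g. secretariat), so a FAIL here means "review", not a violation.
    $usbstor = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue).Start
    Add-Finding '8.6 USB storage' ($usbstor -eq 4) "USBSTOR Start=$usbstor (4 = disabled, 3 = enabled)"

    # 8.8 Disk encryption: BitLocker protection on every volume the OS reports
    Get-BitLockerVolume -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding '8.8 Disk encryption' ([string]$_.ProtectionStatus -eq 'On') "$($_.MountPoint) ProtectionStatus=$($_.ProtectionStatus)"
    }

    # 8.10 Local administrators, resolved by well-known SID so the check works regardless of UI language
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name)
    Add-Finding '8.10 Local admins' ($admins.Count -le $MaxLocalAdmins) ('Members: ' + ($admins -join ', '))

    # 8.12 Screen lock: the machine policy InactivityTimeoutSecs takes precedence; otherwise the
    # user's screen saver must be active, password-protected and within the assumed timeout
    $sys  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $timeout = if ($sys.InactivityTimeoutSecs) { [int]$sys.InactivityTimeoutSecs } elseif ($desk.ScreenSaveActive -eq '1' -and $desk.ScreenSaverIsSecure -eq '1') { [int]$desk.ScreenSaveTimeOut } else { 0 }
    Add-Finding '8.12 Screen lock' ($timeout -gt 0 -and $timeout -le $MaxIdleSeconds) "effective lock timeout=$timeout s (assumed maximum $MaxIdleSeconds s)"

    return $findings
}

$results = Invoke-PolicyAudit
$results | Format-Table -AutoSize
# Exit code = number of failed checks, so a scheduled task or RMM job can flag the host
exit @($results | Where-Object Result -eq 'FAIL').Count
```

Run it from an elevated prompt on the workstation being audited; the exit code is the count of failed checks. The script only reads state and never changes it. On domain-joined machines the password policy that actually applies to domain accounts must be read from the domain (for example with Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory module), and the USB check should be applied only to the PCs the policy designates.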
9. CONTRACTS INVOLVING THE PROCESSING OF PERSONAL DATA
The Municipality shall ensure that all activities undertaken in the context of developing partnerships involving the processing of personal data of citizens, employees, and external associates/suppliers are governed by a documented contract, which includes the specific information and terms required by the General Data Protection Regulation (GDPR) and applicable legislation.
Every employee of the Municipality is required to sign the Code of Ethics and Confidentiality and is legally bound to process the Municipality’s data confidentially.
Every processor must sign a Confidentiality Agreement supplementary to the private contract pursuant to Article 28 of the GDPR, which, among other things, specifies:
- scope and duration
- purpose
- documentation of the forms and extent of processing
- prior authorization in case another processor is used
- the provision of any documentation proving compliance with the GDPR and applicable legislation
- immediate notification of any data breach or assistance in this respect
The access rights of employees, contractors and other third parties are revoked when they no longer have authorised access to premises or resources, or when their employment contract ends. In the event of a job transfer, or in any other case where required, their access rights are reassessed and re-verified.
10. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
In cases where personal data transfers outside the European Union occur, these transfers are carefully examined before being carried out, to ensure compliance with the limits imposed by the GDPR and applicable legislation. This depends partly on the European Commission’s assessment of the adequacy of data protection safeguards in the recipient country, which may change over time.
Transfers to third countries (that is, countries outside the Union), if and when they occur, will be subject to legally binding instruments, such as binding corporate rules, which provide enforceable rights for data subjects.
11. DATA PROTECTION OFFICER
For the year 2025–26, the appointed Data Protection Officer (DPO) is the company Pontemedia, which can be contacted for any clarification at dpo@pontemedia.com.
12. REGULAR INTERNAL AUDITS
Periodic audits are carried out to review the proper implementation of the security policy and to assess the effectiveness of the security measures. The Municipality also conducts periodic data protection risk assessments, in which the likelihood of a personal data breach and its potential impact on the Municipality and on data subjects are estimated, and the necessary organisational and technical measures are taken to minimise that risk.
13. PERSONAL DATA BREACH NOTIFICATION
Notification of a personal data breach to the supervisory authority is carried out without undue delay and, where feasible, within 72 hours of the administration becoming aware of the incident, unless the Municipality, as data controller, can demonstrate in accordance with the accountability principle that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The procedure is described in more detail in the Security, Disaster Recovery and Data Recovery Plan, a separate document that defines the overall incident response process.
14. GDPR COMPLIANCE MEASURES
The following actions are undertaken and periodically reviewed to ensure that the Municipality remains at all times compliant with the accountability principle of the General Data Protection Regulation:
- The legal basis for the processing of personal data is clear, indisputable, and documented in the Activity Records of the organization.
- All personnel and external partners handling personal data understand their responsibilities and are legally bound to comply with the Code of Ethics and the Confidentiality Agreement, respectively.
- Data protection training is provided to all staff at regular intervals.
- Rules are applied regarding the collection and management of consent for processing special category data – where required.
- Accessible channels are available for data subjects wishing to exercise their rights regarding personal data, and all requests are handled effectively.
- Procedures relating to personal data are regularly reviewed.
- The principle of privacy by design is adopted for all new or modified systems and processes.
- The following documentation of processing activities is maintained: file name and location, relevant details such as the purpose of processing personal data, categories of individuals and processed personal data, categories of personal data recipients, agreements and mechanisms for the transfer of personal data to countries outside the EU (including details of applied safeguards), data retention schedules, and the relevant technical and organizational controls implemented.
- Regular Data Protection Impact Assessments are conducted with the aim of minimizing risks.
- The Municipality takes every possible and reasonable organizational and technological measure to safeguard the confidentiality of personal data, the principles of the law, and the rights of the data subjects.
15. ENFORCEMENT OF PENALTIES
If a member, employee, or partner is found to have violated this policy, they are subject to disciplinary action, up to and including termination of their employment contract.
Finally, it should be clarified that the Municipality maintains and applies separate policies for the collection, use, and processing of personal data for each category of its stakeholders (citizens, employees, external partners) or for different categories of processing requiring specific regulation (special category data) and has made the relevant disclosures to the interested parties. If you have not received such information or wish to obtain more detailed clarification, you may submit a relevant request at dpo@pontemedia.com, stating your full name, role, contact details, and exact request.