Privacy Policy

DATA PROTECTION POLICY

The “Student Advocate”

National Technical University of Athens

Introduction:

The “Student Advocate” is the institution that aims to bridge communication between the students of the National Technical University of Athens and the University’s other institutions, teachers, services or executives.

More specifically, according to article 130 par. 4 a) of Law 4957/2022, the “Student Advocate”, among other responsibilities, investigates cases, either ex officio or following a student’s report, and mediates with the University’s competent bodies for the resolution of these cases. In addition, the “Student Advocate” plans and coordinates training activities for the students and staff of the University, in collaboration with its other units, as well as with external agencies. At the same time, the “Student Advocate” participates in the formulation of internal policies and the development of tools to strengthen integrity and transparency within the University. The “Student Advocate” cooperates with the competent bodies of the Universities for the drafting of their Code of Ethics, of Regulations for the Management in cases of Phenomena of Conflict of Interest and of the protocols for dealing with incidents of fraud and corruption.

The “Student Advocate” has no authority on issues related to exams and the students’ grades.

Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016 “on the protection of natural persons against the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation (GDPR))” entered into force in May 2018 and provides the framework for the protection of personal data.

At the national level, the protection of personal data also results from Law 4624/2019.

Following this, given that the interaction with the “Student Advocate” and the relevant website includes the registration, storage and transfer of personal data of students and staff of the University, the Policy for the protection of such data is designed and implemented in accordance with the above texts.

In particular:

DEFINITIONS

Personal Data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

PRINCIPLES

Personal data is always processed in accordance with the following principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality

The controller bears the responsibility and is able to demonstrate compliance with the above Principles.

Lawfulness: Processing shall be lawful only if and to the extent that at least one of the following applies:

  a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes,
  b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
  c) processing is necessary for compliance with a legal obligation to which the controller is subject,
  d) processing is necessary to protect the vital interests of the data subject or another natural person,
  e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
  f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

METHODS OF COLLECTION OF PERSONAL DATA BY THE STUDENT’S ADVOCATE OF THE NTUA

The collection of personal data is carried out, for the fulfillment of the processing purposes, by the staff of the Institution’s Student’s Advocate body that acts as a controller based on his duties.

The collection takes place during the submission of students’ applications or declarations, as well as when entering into another legal relationship.

Collection of personal data may also occur through:

  • The use of the website or electronic platforms or other electronic programs and means of communication with the NTUA Student’s Advocate, as well as through correspondence, whether paper or electronic.

PERSONAL DATA COLLECTED BY THE NTUA

  • Identity data (surname, father’s/mother’s name, photo, ID/passport number, issuing authority, date of issue)
  • Demographic data (gender, nationality, date/place of birth)
  • Contact data (postal address, landline/mobile phone, email address)
  • Tax data of scholars and other categories (VAT number, issuance authority, individual/family income, property status)
  • Grading performance of students
  • Resumes of students and graduates
  • Data concerning the qualifications of administrative, academic and research personnel
  • Family status data (marriage, number & ages of children)
  • Insurance data (A.M.K.A., insurance fund register no.)
  • Medical data (medical history, medical opinions, medical certificates) in special cases only to facilitate and provide special privileges and/or safeguard the vital interest of data subjects or other natural persons
  • Data from the use of electronic services (electronic user identification data, cookies, Google Analytics, Internet Protocol (IP) addresses, etc.)

PERIOD OF DATA STORAGE

The personal data collected by the staff of the NTUA Student’s Advocate, for the above purposes and in the above ways, are stored for as long as necessary in order for the necessary actions to be taken by the Student’s Advocate for its smooth operation and to serve the interests of those involved, especially the students.

This data is stored securely and is accessible by authorized and trained personnel of the organization in order to avoid any alteration or leakage.

THE RIGHTS OF THE DATA SUBJECT

The data subject has the following rights:

  1. The right of access

You can at any time be informed about your personal data, which have been collected and stored by the operator, and have access to them.

  2. The right to rectification

You have the possibility to contact the organization requesting the correction or completion of data that is inaccurate or incomplete.

  3. The “right to be forgotten”

On condition that the organization is not obliged by law or the de facto necessity to carry out its obligations and operation, you can request the erasure of your data.

Reasons for which you can request the erasure of your data are the following:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
  • the data subject revokes the consent on which the processing is based and there is no other legal basis for the processing,
  • the data subject objects to the processing and there are no compelling and legitimate reasons for the processing,
  • the personal data were processed illegally,
  • the personal data must be deleted in order to comply with a legal obligation under Union or Member State law to which the controller is subject,
  • the personal data have been collected in relation to the offer of information society services.

If this cannot happen, the organization must respond in writing and immediately to your request with relevant justification.

  4. The right to data portability

You can request from the operator the transfer of your data to another operator.

  5. The right to object and to restrict processing

In case you disagree with the way your personal data is processed, you can request the interruption or restriction of the processing. In case this cannot happen, the organization must respond in writing and immediately to your request with relevant justification.

  6. The right to withdraw consent

You have the right to withdraw your consent to the processing of your data at any time. In the event this cannot happen, the organization must respond in writing and immediately to your request with relevant justification.

PERSONAL DATA CONTROLLER

The controller applies appropriate technical and organizational measures in order to ensure and be able to demonstrate that the processing is carried out in accordance with this regulation. These measures are reviewed and updated when deemed necessary.

Where the processing is to be carried out on behalf of a controller, the controller only uses processors who provide sufficient assurances to implement appropriate technical and organizational measures, in such a way that the processing meets the requirements of the GDPR and ensures the protection of the rights of the data subject.

The controller and the processor and, where appropriate, their representatives shall cooperate, upon request, with the supervisory authority in the exercise of its duties.

DATA PROTECTION OFFICER

The NTUA is obliged to appoint a Data Protection Officer (hereinafter DPO). Data subjects can consult the DPO on any issue related to the processing of personal data and the exercise of their rights based on the GDPR, Law 4624/2019 and other legislation on the protection of personal data. The DPO is obliged to maintain confidentiality as to the identity of the data subjects and on the circumstances that allow conclusions to be drawn regarding the data subject, unless the identity of the subject is disclosed by the DPO.

Communication with the DPO is done via e-mail, at: dpo@mail.ntua.gr or by written correspondence to ‘Privacy Officer NTUA, Zografou Polytechnic, 15780, Athens’.

See also the NTUA’s Personal Data Protection Policy at the following link: https://www.ntua.gr/el/politiki-aporritou