The purpose of this Policy is to determine the framework and set the basic principles applied by “EGNATIA ODOS SOCIETE ANONYME” with the distinctive title “EGNATIA ODOS A.E.” (hereafter the “Company”) regarding the lawful and fair processing of personal data and the protection of their security, confidentiality, integrity, as well as their availability.
This Data Protection Policy is applied for all personal data managed by the Company within the framework of its activities, as these are determined in its statutes and the applicable legislation.
The Company acknowledges and respects the importance of all personal data managed within the framework of its activities. To this purpose, this Policy is adapted to the relevant European and national legal framework, including the requirements of the General Data Protection Regulation nr (ΕΕ) 2016/679/EE (hereafter «Regulation» and/or «GDPR») as well as the Greek Law 4624/2019.
The Company herewith aims at:
• informing third parties, with transparency, in what capacity, for which purpose and on which legal basis it processes the personal data necessary to fulfill the said purpose
• determining the categories of the personal data collected, the sources from which the personal data originate (when these data are not provided directly by data subject person itself), the data recipients and the criteria for determining how long these data shall be kept
• informing the data subjects that they can exercise their right to access, rectification and, where applicable, erasure, restriction of and objection to data processing, as well as their right to lodge a complaint for a breach of their personal data to the Hellenic Data Protection Authority
• determining the principles governing the implementation of all relevant protection policies and safeguards ensuring the protection of personal data by the Company.
The Company “Egnatia Odos Société Anonyme”, seated at the 6th km Thessaloniki-Thermi, PC 57001, tel. 231 047 0200, email: eoae@egnatia.gr, as legally represented, aims, according to its Articles of Association, at the design, construction, expansion, maintenance, organization, furniture, exploitation, management, supervision and monitoring of the Egnatia Motorway, which starts at the port of Igoumenitsa, it runs through the cities of Thessaloniki, Kavala, Alexandroupoli, and ends on the Greek-Turkish borders, at Kipoi, Evros, as well as of the road network servicing or connected with the Egnatia Motorway.
This statement aims at providing full and transparent information about the use of all necessary personal data by the Company in exercising its above-described activities, including its presence on websites, platforms and third parties applications.
Name : «Egnatia Odos Société Anonyme», distinctive title «Egnatia Odos S.A.»
Headquarters: 6th km Thessaloniki-Thermi Road, PC 57001, Thessaloniki
Contact info: tel.: +30 231 047 0200, email: eoae@egnatia.gr
Full name: Despoina Styl.Vezakidou
Address: 6th km Thessaloniki-Thermi Road, PC 57001, Thessaloniki
Contact info : tel.: 231 047 0200, email : dpo@egnatia.gr
Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Due to the nature of the Company’s activities, the personal data collected concern the following:
• its employees (as well as candidate employees or students during the selection and recruitment process), i.e., personal data referring to the employment contract between the Company and the said employee or relating to measures that need to be taken at the request of the data subject prior to entering the said contract. These may comprise, in certain cases, employees’ health data relating to their sick leaves and other legal purposes for compliance with labor and social legislation,
• third-party suppliers and collaborators, i.e., personal data referring to the employment contract between the Company and the said supplier or collaborator, or relating to steps that need to be taken at the request of the data subject prior to entering the said contract,
• users of the Company services (such as drivers, motorway users, EgnatiaPass subscribers), i.e. personal data when communicating in any way with the Company (by mail, electronically or by phone), when transacting with it or interacting with it through different social media (Facebook, YouTube, LinkedIn), as well as personal data necessary for the Company to meet its legal obligations, perform a task carried out in the public interest and exercise the official authority assigned to it. Such data may be the following:
o Full name and identity data (Identity Card nr, vehicle registration card, car license)
o Contact info (address, email, telephone number)
o Tax and financial data (Tax Identification Number, IRS, profession, ΙΒΑΝ)
o Vehicle data (such as registration number, category)
o In addition, image data and video footage may be collected via the CCTV system in case of a road event or during a user’s trip along the motorway and through toll stations or other infrastructures servicing the motorway
o Special categories of data, in exceptional circumstances, such as medical information that is considered necessary (injury in a road accident) and in cases of exemptions or discounts in tolling (People with Disabilities, etc.)
o Sound data obtained from recordings during emergency calls (1077), calls at the Traffic Control Centers or other calls after you have been informed through a recorded message
o In certain cases, data are collected regarding the EgnatiaPass subscribers’ trips for billing purposes or for the resolution of tolling disputes, as well as for the enforcement of law in toll violations.
It should be noted that, when visiting the Company website, data are collected, following your consent, regarding your interaction with the website and the acceptance of cookies that are indicated in detail in the relevant link on our website.
Our website may include links or hyperlinks to third-party websites. The Company does not have any control over such third-party websites and is in no way responsible for their content or for any further links they provide, for which the corresponding Terms of Use shall apply.
We may collect only the absolutely necessary personal data directly from you or from third parties. In particular:
• Personal data provided to our Company directly from the data subjects, such as data provided by employees and candidate employees, third-party suppliers, and collaborators, as well as users of the Company services, within the framework of our contractual or other legal relationship.
• Personal data collected directly from the EgnatiaPass service users through the in-person or online submission of the application for a subscription contract, as well as through any communication regarding tolling charges and invoicing of the relevant services.
• Furthermore, personal data collected when users subscribe or log in their MyEgnatiaPass account.
• Digital trip data may be collected for our subscribers moving on specially designated toll lanes from companies participating in the integrated Greek Interoperable Tolling System. It should be noted that our Company does not collect data on other motorways’ subscribers.
• When you travel along the Egnatia Motorway, as well as when you pass through Toll Stations οr move along toll lanes, image or video data may be collected, such as your vehicle’s details, through the legally operated CCTV system that is installed, with the aim to monitor traffic flow, handle road events, protect persons or facilities, ensure toll collection in cases of vehicles crossing the toll stations without paying the legal toll fee (unlawful vehicle crossings) and, in general, survey the surrounding area of Toll Stations and Subscriber Service Points for safety reasons.
• Personal data are collected during the legal process of accident investigation and damage repair under a relevant insurance contract.
• Personal data are collected when you voluntarily contact our Company, in any way, calling its switchboard or submitting the relevant contact form “Contact us”, as well as when you submit all kinds of requests in any way.
• Similarly, emergency 1077 voice calls and calls at Traffic Control Centers are also recorded.
• Personal data are collected when you use the available Egnatia Odos SA online services and applications, such as the VPMS application for online submission of the overweight/oversize vehicles permit application and the receipt of the relevant permits, or the application for Maintenance Service Requests.
• Given your consent, the Company may process the email you entered into the relevant online subscription form for promotional actions in the form of newsletters, as well for satisfaction surveys aiming at the improvement of the provided services, following your written consent, which can be recalled any time by clicking on the “unsubscribe” link.
It should be noted that we do not collect certain types of personal data, such as data concerning racial or ethnic origin, religious beliefs, sexual orientation, genetic data, biometric data, etc., which constitute a special category of personal data and require additional protection, pursuant to the European legislation on data protection.
The data collected are processed only for certain written purposes, which result from the statutory function of the Company and the laws or contracts applicable. In particular, data are processed for the following legitimate purposes:
• Video footage from CCTV cameras along the motorway, in tunnels, for which you are informed before entering the recorded area through adequate warning signs. In addition, CCTV cameras are installed at the Company toll stations, which record only the necessary data, i.e. the registration number of vehicles passing through toll stations and moving on toll lanes, aiming at recording violations (unlawful vehicle crossings), controlling/managing traffic (both under normal conditions and in cases of emergencies or accidents), protecting persons (road users, operation and maintenance employees, etc.) or goods and facilities (road infrastructure, etc.). For such cameras you are informed before entering the area recorded through adequate warning signs.
• Archiving an event / image and video data log.
• Recording of calls directed to the emergency hot line 1077 and management of road assistance for the Egnatia Motorway users.
• Insurance companies’ notification of road accidents for the provision of insurance coverage.
• Keeping a register of court cases.
• Commercial communication, promotion of the services provided, client satisfaction surveys, dispatch of newsletters and brochures, following your consent.
• Response to requests through the “Contact us” form and emails, including any communication through our official accounts on different social media (Facebook, YouTube, LinkedIn)
• Charges and invoicing for the services provided to the EgnatiaPass subscribers.
• Settlement of taxing, accounting and social security obligations.
• Recording of transits that are toll-exempt.
• Recording of Special Transits (Persons with Disabilities) and persons that are entitled to toll fee discounts.
• Management of company correspondence (both in hard-copy and digital format).
• Ensuring the smooth operation and safety of its website www.egnatia.eu
The Company lawfully processes personal data, pursuant to the GDPR provisions and in compliance with the principles governing personal data processing stipulated in article 6 of the above Regulation. In particular, personal data processing shall be lawful if the following apply, as appropriate:
a) ) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
b) the Company’s compliance with its legal obligations arising from the applicable legal framework (such as the current tax legislation), its compliance with warrants, provisions of competent authorities and court rulings (Hellenic Police, prosecution authorities, custom offices, revenue authorities, etc.)
c) on grounds of the legitimate interest of the Company, such as the protection of goods, infrastructures and public property, on grounds of the Company’s legal protection, promotion of its services, fulfillment of its statutory purposes or for statistical purposes. In this case, a necessary weighing up has been made between our interests and your rights and freedoms regarding your personal data, in order to achieve a balancing of interests
d) the performance of our task carried out in the public interest or in the exercise of the official authority vested in the Company. Namely, in this case, the recording of violations (unlawful vehicle crossings) at the Toll Stations and the control of vehicle traffic along the Egnatia Motorway, taking into account the nature of the company “Egnatia Odos S.A.”, which operates in the public interest on the basis of the rules of private economy (article 11 of Law 2229/1994),
e) the processing is necessary, in order to protect the vital interests of the data subject or of another natural person (article 6, par. 1d of the GDPR), i.e., in this case, to protect persons and goods
f) the prior written, clearly distinguishable and updated consent. In cases where the lawfulness is based on a consent, the data subject shall have the right to easily withdraw it at any time without having the obligation to justify this withdrawal.
The Company does not carry out automated individual decision-making nor does it use personal data for profiling purposes.
The Company shall not transfer personal data to third parties, except for certain necessary cases. In particular, examples of personal data recipients are the following:
• Competent public services [the ERGANI Information System for employees, the National Social Security Entity (EFKA), the Transparency Program Initiative (DIAVGEIA), the Ministry for Infrastructure & Transport, the relevant Authorities, etc.), in compliance with its corresponding legal obligations.
• Police, prosecution, judicial, custom, tax and other authorities, which act within the framework of their responsibilities and powers.
• Related road infrastructure companies operating within the framework of toll interoperability (as per Presidential Degree 177/2007).
• Companies selected on the basis of adequate criteria, which operate as personal data processors on behalf of Egnatia Odos SA, are under an appropriate statutory obligation of confidentiality and provide guarantees regarding the protection of personal data, such as banks, auditory, tax, information technology, recycling, computerization and courier companies, as well as companies conducting subscriber satisfaction surveys for the improvement of the services provided, etc.
The Company does not transfer the personal data it processes to third countries outside the European Union (EU) and the European Economic Area (EEA).
Personal data are kept in written and/or digital format for a specified and limited time period, no longer than is necessary for the fulfillment of any legal obligations and for the legal purposes for which these data have been collected, depending on the specific processing purpose. After the said period has elapsed, personal data are safely deleted from the Company records, unless the standing legislation provides for a longer storage period. In particular:
• The Company keeps the data for as long as is necessary, in order to fulfill any contractual obligations (between the Company and its subscribers, suppliers, collaborators)
• Image data and video footage from the CCTV cameras installed at Toll Stations are kept for a period of up to fifteen (15) days, without prejudice to more specific provisions laid down for specific categories of processors. In case of an event against persons or goods, the data that are related to the said event are kept in separate files for a period of up to 30 days, while, in case of an event that concerns a third party, data are kept for a period of up to 3 months. After the aforementioned time has elapsed, the processor may keep the data for a longer period only in exceptional cases, where the event requires further investigation.
• The time that call recording data files are kept is up to fifteen (15) days and concerns calls to and from the Customer Support Service lines, the emergency hotline 1077 and any communication with the Traffic Control Centers.
• Cookies files are kept for a time period that is determined according to their nature, their origin and the purpose to which they are used. For more information, please click on the relevant Cookies link.
• Data collected through the “Contact us” form found on the Company website are kept for a time period of up to 3 months after the termination of communication.
• Personal data are kept for the time period stipulated by the standing legislation, such as tax legislation, accounting legislation, legislation on the confidentiality of communication, as well as the corresponding provisions.
• In cases of violation or outstanding amounts or users’ inability to pay the toll fee, personal data are kept up to the payment of the corresponding fine. In such cases, data may be kept up to the final court ruling if charges have been contested or other claims have been raised, or up until the relevant claims are lapsed pursuant to the standing legislations.
• Data obtained through the Company social media accounts, such as Facebook, YouTube and LinkedIn, are kept for us long as you stay connected in any possible way to such accounts and according to the terms and conditions included in the personal data protection policy of the corresponding social medium.
• In case of civil claims, the Company may keep personal data up until such claims are lapsed according to law.
Personal data can be stored for longer periods for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, pursuant to article 89, paragraph 1 of the Regulation and given that all adequate technical and organizational measures provided for in the Regulation are in place to ensure the rights and freedoms of the data subjects. So, the Company is entitled to keep the data anonymized, thus not permitting the identification of data subjects for historical and research purposes.
Η Εταιρεία δεν διαβιβάζει τα προσωπικά δεδομένα που επεξεργάζεται σε τρίτες χώρες εκτός της Ευρωπαϊκής Ένωσης (ΕΕ) και εκτός του Ενιαίου Οικονομικού Χώρου (ΕΟΧ).
The processing of your personal data is linked to corresponding rights, which, subject to any provisions limiting their exercise thereof, are:
• Right to information. You have the right to receive clear, transparent and comprehensible information about the use of personal data and your rights. To this purpose, we hereby provide all necessary information and we encourage you to contact us for any clarifications.
• Right of access and to rectification. You have the right to access, rectify and be informed about any of your personal data in case they are incomplete or wrong.
• Right to data portability. You have the right to request and receive in machine-readable format the personal data you provided, or to request their transmission to another controller.
• Right to erasure. You have the right, under conditions that are stipulated in the Regulation, to request the erasure of your personal data if they are no longer necessary in relation to the purposes for which they were initially collected or if you wish to withdraw consent where there is no other legal ground for the processing.
• Right to restriction of processing. You have the right to obtain restriction of your personal data processing where the accuracy or lawfulness of processing of such data is contested.
• Right to withdraw consent. If you have consented to the processing of your personal data, you have the right to withdraw your consent any time by contacting us using the communication channels stated herein.
• Right to object. Under conditions that are stipulated in the Regulation, you have the right to object to the processing of your personal data, including processing for direct marketing purposes (e.g., receipt of newsletters).
• Right to lodge a complaint to the Hellenic Data Protection Authority. You have the right to directly lodge a claim to the supervisory Hellenic Data Protection Authority at the contact details given in section 4.17 further down.
For any further queries or for a copy of this statement or for exercising any right related to personal data, the person concerned may contact the Data Protection Officer of our Company, Ms Despoina Vezakidou, at 6th km Thessaloniki-Thermi, PC 57001, Thessaloniki, tel. +30 231 047 0200, email: dpo@egnatia.gr .
If you wish to exercise any of the above rights, all necessary measures shall be taken to meet your request within a reasonable time, which shall be no longer than one (1) month from the verification of the submitted request, notifying you in writing that your request has been met or for the reasons that may impede the exercise of the relevant right or that one or more rights have been granted, according to the General Data Protection Regulation. The said deadline may be extended by two more months, if deemed necessary, taking into account the complexity of the request and the number of requests. In this case, you shall be informed about the said one-month extension, as well as for the reasons of this delay.
It should be noted that, in certain cases, meeting your request may not be possible, when, e.g., granting a right contradicts a legal obligation or conflicts with the contractual legal basis for the processing of your personal data.
In order to be able to respond to your request in a lawful manner, we may request some proof of identification.
We shall make every effort to respond to your requests. If, nevertheless, you believe that any of your rights is violated or that any legal obligation on the part of the Company regarding the protection of personal data is not fulfilled, and provided that you have first contacted the Data Protection Officer (DPO) for this issue, namely you have exercised your rights against the Company and either you did not receive any response within a month (a period extended by two months depending on the complexity of your request) or you consider the response you have been given by the Company inadequate and your issue has not been resolved, you are entitled to lodge a complaint to the competent supervising authority, the Hellenic Data Protection Authority, Kifisias Avenue 1-3, PC 115 23, Athens, email: complaints@dpa.gr, fax: 2106475628.
The Company has established a series of Policies and Operating Procedures for the Security and Protection of Personal Data. These Policies are regularly updated according to legislative changes or technological developments to achieve data security. Adequate organizational and technical measures are implemented to protect your personal data against loss, unauthorized access, alteration or publication. These measures aim at access control and technical security of information.
Your personal data can be accessed by authorized and adequately trained employees and collaborators only, to the extent that this is necessary to support the activities of our Company and provided that it is subjected to strict confidentiality contractual obligations when data processing is assigned and executed by third parties.
You may contact the Company either by visiting its headquarters, at the 6th km Thessaloniki-Thermi, PC 570 01, by calling at +30 231 047 0200, by sending an email at eoae@egnatia.gr or by filling in the communication form on the Company website [Egnatia Odos SA | Contact us (egnatia.eu)].
This Policy may be revised according to legislative changes or directives on the part of the Hellenic Data Protection Authority, in order to meet the needs of data subjects and respond to changes in the services and internal procedures of the Company.
When an update is published, the date of revision indicated at the top of this Personal Data Protection Policy will also be revised.
For the purposes of this Personal Data Protection Policy, there follow definitions of certain terms, in line with the corresponding GDPR terminology:
«Personal data» or «Data»: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
«Special categories of personal data»: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or concerning a natural person’s sex life or sexual orientation.
«Processing»: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, search of information, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
«Controller»: the natural or legal person, public authority, service, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, where the purposes and means of such processing are determined by Union or Member State law.
«Processor» means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
«Consent» of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
«Personal data breach» means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
«Supervisory authority» means an independent public authority which is established by a Member State pursuant to Article 51;