The Company acknowledges and respects the importance of all personal data managed within the framework of its activities. To this purpose, this Policy is adapted to the relevant European and national legal framework, including the requirements of the General Data Protection Regulation nr (ΕΕ) 2016/679/EE (hereafter «Regulation» and/or «GDPR») as well as the Greek Law 4624/2019.
The Company herewith aims at:
• informing third parties, with transparency, in what capacity, for which purpose and on which legal basis it processes the personal data necessary to fulfill the said purpose
• determining the categories of the personal data collected, the sources from which the personal data originate (when these data are not provided directly by data subject person itself), the data recipients and the criteria for determining how long these data shall be kept
• informing the data subjects that they can exercise their right to access, rectification and, where applicable, erasure, restriction of and objection to data processing, as well as their right to lodge a complaint for a breach of their personal data to the Hellenic Data Protection Authority
• determining the principles governing the implementation of all relevant protection policies and safeguards ensuring the protection of personal data by the Company.

The Company “Egnatia Odos Société Anonyme”, seated at the 6th km Thessaloniki-Thermi, PC 57001, tel. 231 047 0200, email: eoae@egnatia.gr, as legally represented, aims, according to its Articles of Association, at the design, construction, expansion, maintenance, organization, furniture, exploitation, management, supervision and monitoring of the Egnatia Motorway, which starts at the port of Igoumenitsa, it runs through the cities of Thessaloniki, Kavala, Alexandroupoli, and ends on the Greek-Turkish borders, at Kipoi, Evros, as well as of the road network servicing or connected with the Egnatia Motorway.
This statement aims at providing full and transparent information about the use of all necessary personal data by the Company in exercising its above-described activities, including its presence on websites, platforms and third parties applications.

Name : «Egnatia Odos Société Anonyme», distinctive title «Egnatia Odos S.A.»
Headquarters: 6th km Thessaloniki-Thermi Road, PC 57001, Thessaloniki
Contact info: tel.: +30 231 047 0200, email: eoae@egnatia.gr

Full name: Despoina Styl.Vezakidou
Address: 6th km Thessaloniki-Thermi Road, PC 57001, Thessaloniki
Contact info : tel.: 231 047 0200, email : dpo@egnatia.gr

Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Due to the nature of the Company’s activities, the personal data collected concern the following:
• its employees (as well as candidate employees or students during the selection and recruitment process), i.e., personal data referring to the employment contract between the Company and the said employee or relating to measures that need to be taken at the request of the data subject prior to entering the said contract. These may comprise, in certain cases, employees’ health data relating to their sick leaves and other legal purposes for compliance with labor and social legislation,
• third-party suppliers and collaborators, i.e., personal data referring to the employment contract between the Company and the said supplier or collaborator, or relating to steps that need to be taken at the request of the data subject prior to entering the said contract,
• users of the Company services (such as drivers, motorway users, EgnatiaPass subscribers), i.e. personal data when communicating in any way with the Company (by mail, electronically or by phone), when transacting with it or interacting with it through different social media (Facebook, YouTube, LinkedIn), as well as personal data necessary for the Company to meet its legal obligations, perform a task carried out in the public interest and exercise the official authority assigned to it. Such data may be the following:
o Full name and identity data (Identity Card nr, vehicle registration card, car license)
o Contact info (address, email, telephone number)
o Tax and financial data (Tax Identification Number, IRS, profession, ΙΒΑΝ)
o Vehicle data (such as registration number, category)
o In addition, image data and video footage may be collected via the CCTV system in case of a road event or during a user’s trip along the motorway and through toll stations or other infrastructures servicing the motorway
o Special categories of data, in exceptional circumstances, such as medical information that is considered necessary (injury in a road accident) and in cases of exemptions or discounts in tolling (People with Disabilities, etc.)
o Sound data obtained from recordings during emergency calls (1077), calls at the Traffic Control Centers or other calls after you have been informed through a recorded message
o In certain cases, data are collected regarding the EgnatiaPass subscribers’ trips for billing purposes or for the resolution of tolling disputes, as well as for the enforcement of law in toll violations.

It should be noted that, when visiting the Company website, data are collected, following your consent, regarding your interaction with the website and the acceptance of cookies that are indicated in detail in the relevant link on our website.

The data collected are processed only for certain written purposes, which result from the statutory function of the Company and the laws or contracts applicable. In particular, data are processed for the following legitimate purposes:
• Video footage from CCTV cameras along the motorway, in tunnels, for which you are informed before entering the recorded area through adequate warning signs. In addition, CCTV cameras are installed at the Company toll stations, which record only the necessary data, i.e. the registration number of vehicles passing through toll stations and moving on toll lanes, aiming at recording violations (unlawful vehicle crossings), controlling/managing traffic (both under normal conditions and in cases of emergencies or accidents), protecting persons (road users, operation and maintenance employees, etc.) or goods and facilities (road infrastructure, etc.). For such cameras you are informed before entering the area recorded through adequate warning signs.
• Archiving an event / image and video data log.
• Recording of calls directed to the emergency hot line 1077 and management of road assistance for the Egnatia Motorway users.
• Insurance companies’ notification of road accidents for the provision of insurance coverage.
• Keeping a register of court cases.
• Commercial communication, promotion of the services provided, client satisfaction surveys, dispatch of newsletters and brochures, following your consent.
• Response to requests through the “Contact us” form and emails, including any communication through our official accounts on different social media (Facebook, YouTube, LinkedIn)
• Charges and invoicing for the services provided to the EgnatiaPass subscribers.
• Settlement of taxing, accounting and social security obligations.
• Recording of transits that are toll-exempt.
• Recording of Special Transits (Persons with Disabilities) and persons that are entitled to toll fee discounts.
• Management of company correspondence (both in hard-copy and digital format).
• Ensuring the smooth operation and safety of its website www.egnatia.eu

The Company lawfully processes personal data, pursuant to the GDPR provisions and in compliance with the principles governing personal data processing stipulated in article 6 of the above Regulation. In particular, personal data processing shall be lawful if the following apply, as appropriate:
a) ) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
b) the Company’s compliance with its legal obligations arising from the applicable legal framework (such as the current tax legislation), its compliance with warrants, provisions of competent authorities and court rulings (Hellenic Police, prosecution authorities, custom offices, revenue authorities, etc.)
c) on grounds of the legitimate interest of the Company, such as the protection of goods, infrastructures and public property, on grounds of the Company’s legal protection, promotion of its services, fulfillment of its statutory purposes or for statistical purposes. In this case, a necessary weighing up has been made between our interests and your rights and freedoms regarding your personal data, in order to achieve a balancing of interests
d) the performance of our task carried out in the public interest or in the exercise of the official authority vested in the Company. Namely, in this case, the recording of violations (unlawful vehicle crossings) at the Toll Stations and the control of vehicle traffic along the Egnatia Motorway, taking into account the nature of the company “Egnatia Odos S.A.”, which operates in the public interest on the basis of the rules of private economy (article 11 of Law 2229/1994),
e) the processing is necessary, in order to protect the vital interests of the data subject or of another natural person (article 6, par. 1d of the GDPR), i.e., in this case, to protect persons and goods
f) the prior written, clearly distinguishable and updated consent. In cases where the lawfulness is based on a consent, the data subject shall have the right to easily withdraw it at any time without having the obligation to justify this withdrawal.

The Company does not carry out automated individual decision-making nor does it use personal data for profiling purposes.

The Company shall not transfer personal data to third parties, except for certain necessary cases. In particular, examples of personal data recipients are the following:
• Competent public services [the ERGANI Information System for employees, the National Social Security Entity (EFKA), the Transparency Program Initiative (DIAVGEIA), the Ministry for Infrastructure & Transport, the relevant Authorities, etc.), in compliance with its corresponding legal obligations.
• Police, prosecution, judicial, custom, tax and other authorities, which act within the framework of their responsibilities and powers.
• Related road infrastructure companies operating within the framework of toll interoperability (as per Presidential Degree 177/2007).
• Companies selected on the basis of adequate criteria, which operate as personal data processors on behalf of Egnatia Odos SA, are under an appropriate statutory obligation of confidentiality and provide guarantees regarding the protection of personal data, such as banks, auditory, tax, information technology, recycling, computerization and courier companies, as well as companies conducting subscriber satisfaction surveys for the improvement of the services provided, etc.

The Company does not transfer the personal data it processes to third countries outside the European Union (EU) and the European Economic Area (EEA).

Personal data are kept in written and/or digital format for a specified and limited time period, no longer than is necessary for the fulfillment of any legal obligations and for the legal purposes for which these data have been collected, depending on the specific processing purpose. After the said period has elapsed, personal data are safely deleted from the Company records, unless the standing legislation provides for a longer storage period. In particular:
• The Company keeps the data for as long as is necessary, in order to fulfill any contractual obligations (between the Company and its subscribers, suppliers, collaborators)
• Image data and video footage from the CCTV cameras installed at Toll Stations are kept for a period of up to fifteen (15) days, without prejudice to more specific provisions laid down for specific categories of processors. In case of an event against persons or goods, the data that are related to the said event are kept in separate files for a period of up to 30 days, while, in case of an event that concerns a third party, data are kept for a period of up to 3 months. After the aforementioned time has elapsed, the processor may keep the data for a longer period only in exceptional cases, where the event requires further investigation.
• The time that call recording data files are kept is up to fifteen (15) days and concerns calls to and from the Customer Support Service lines, the emergency hotline 1077 and any communication with the Traffic Control Centers.
• Cookies files are kept for a time period that is determined according to their nature, their origin and the purpose to which they are used. For more information, please click on the relevant Cookies link.
• Data collected through the “Contact us” form found on the Company website are kept for a time period of up to 3 months after the termination of communication.
• Personal data are kept for the time period stipulated by the standing legislation, such as tax legislation, accounting legislation, legislation on the confidentiality of communication, as well as the corresponding provisions.
• In cases of violation or outstanding amounts or users’ inability to pay the toll fee, personal data are kept up to the payment of the corresponding fine. In such cases, data may be kept up to the final court ruling if charges have been contested or other claims have been raised, or up until the relevant claims are lapsed pursuant to the standing legislations.
• Data obtained through the Company social media accounts, such as Facebook, YouTube and LinkedIn, are kept for us long as you stay connected in any possible way to such accounts and according to the terms and conditions included in the personal data protection policy of the corresponding social medium.
• In case of civil claims, the Company may keep personal data up until such claims are lapsed according to law.
Personal data can be stored for longer periods for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, pursuant to article 89, paragraph 1 of the Regulation and given that all adequate technical and organizational measures provided for in the Regulation are in place to ensure the rights and freedoms of the data subjects. So, the Company is entitled to keep the data anonymized, thus not permitting the identification of data subjects for historical and research purposes.

Η Εταιρεία δεν διαβιβάζει τα προσωπικά δεδομένα που επεξεργάζεται σε τρίτες χώρες εκτός της Ευρωπαϊκής Ένωσης  (ΕΕ) και εκτός του Ενιαίου Οικονομικού Χώρου (ΕΟΧ).

The processing of your personal data is linked to corresponding rights, which, subject to any provisions limiting their exercise thereof, are:
• Right to information. You have the right to receive clear, transparent and comprehensible information about the use of personal data and your rights. To this purpose, we hereby provide all necessary information and we encourage you to contact us for any clarifications.
• Right of access and to rectification. You have the right to access, rectify and be informed about any of your personal data in case they are incomplete or wrong.
• Right to data portability. You have the right to request and receive in machine-readable format the personal data you provided, or to request their transmission to another controller.
• Right to erasure. You have the right, under conditions that are stipulated in the Regulation, to request the erasure of your personal data if they are no longer necessary in relation to the purposes for which they were initially collected or if you wish to withdraw consent where there is no other legal ground for the processing.
• Right to restriction of processing. You have the right to obtain restriction of your personal data processing where the accuracy or lawfulness of processing of such data is contested.
• Right to withdraw consent. If you have consented to the processing of your personal data, you have the right to withdraw your consent any time by contacting us using the communication channels stated herein.
• Right to object. Under conditions that are stipulated in the Regulation, you have the right to object to the processing of your personal data, including processing for direct marketing purposes (e.g., receipt of newsletters).
• Right to lodge a complaint to the Hellenic Data Protection Authority. You have the right to directly lodge a claim to the supervisory Hellenic Data Protection Authority at the contact details given in section 4.17 further down.

For any further queries or for a copy of this statement or for exercising any right related to personal data, the person concerned may contact the Data Protection Officer of our Company, Ms Despoina Vezakidou, at 6th km Thessaloniki-Thermi, PC 57001, Thessaloniki, tel. +30 231 047 0200, email: dpo@egnatia.gr .
If you wish to exercise any of the above rights, all necessary measures shall be taken to meet your request within a reasonable time, which shall be no longer than one (1) month from the verification of the submitted request, notifying you in writing that your request has been met or for the reasons that may impede the exercise of the relevant right or that one or more rights have been granted, according to the General Data Protection Regulation. The said deadline may be extended by two more months, if deemed necessary, taking into account the complexity of the request and the number of requests. In this case, you shall be informed about the said one-month extension, as well as for the reasons of this delay.
It should be noted that, in certain cases, meeting your request may not be possible, when, e.g., granting a right contradicts a legal obligation or conflicts with the contractual legal basis for the processing of your personal data.
In order to be able to respond to your request in a lawful manner, we may request some proof of identification.

We shall make every effort to respond to your requests. If, nevertheless, you believe that any of your rights is violated or that any legal obligation on the part of the Company regarding the protection of personal data is not fulfilled, and provided that you have first contacted the Data Protection Officer (DPO) for this issue, namely you have exercised your rights against the Company and either you did not receive any response within a month (a period extended by two months depending on the complexity of your request) or you consider the response you have been given by the Company inadequate and your issue has not been resolved, you are entitled to lodge a complaint to the competent supervising authority, the Hellenic Data Protection Authority, Kifisias Avenue 1-3, PC 115 23, Athens, email: complaints@dpa.gr, fax: 2106475628.

The Company has established a series of Policies and Operating Procedures for the Security and Protection of Personal Data. These Policies are regularly updated according to legislative changes or technological developments to achieve data security. Adequate organizational and technical measures are implemented to protect your personal data against loss, unauthorized access, alteration or publication. These measures aim at access control and technical security of information.
Your personal data can be accessed by authorized and adequately trained employees and collaborators only, to the extent that this is necessary to support the activities of our Company and provided that it is subjected to strict confidentiality contractual obligations when data processing is assigned and executed by third parties.

You may contact the Company either by visiting its headquarters, at the 6th km Thessaloniki-Thermi, PC 570 01, by calling at +30 231 047 0200, by sending an email at eoae@egnatia.gr or by filling in the communication form on the Company website [Egnatia Odos SA | Contact us (egnatia.eu)].

This Policy may be revised according to legislative changes or directives on the part of the Hellenic Data Protection Authority, in order to meet the needs of data subjects and respond to changes in the services and internal procedures of the Company.
When an update is published, the date of revision indicated at the top of this Personal Data Protection Policy will also be revised.