1. PURPOSE
The purpose of this Policy is to define and set out the general framework and basic principles established and applied by the Athens School of Fine Arts (hereinafter referred to as the "Organization") with regard to the processing of personal data and the protection of their security, confidentiality, integrity, and availability.
2. SCOPE OF APPLICATION
This Policy applies to all personal data managed by the Agency in the course of its activities.
3. RESPONSIBLE FOR IMPLEMENTING THE POLICY
- Administration
- All the staff of the Organization.
- All partners who manage and/or have access to personal data
4. DESCRIPTION
4.1 General
Our Organization recognizes and respects the importance of personal data that it handles in the course of its activities, and for this reason has fully adapted its policy to the requirements of the General Data Protection Regulation (hereinafter GDPR) 2016/679/EC.
With this statement, our Organization wishes to:
- inform those with whom it transacts in what capacity, for what purpose, and on what legal basis it processes personal data, i.e., information that can be used to directly or indirectly identify individuals.
- specify the categories of data, the sources of the data (when the data is not provided by the person themselves) and the criteria for determining the period of time for which personal data will be retained.
- inform those with whom it transacts business regarding the transfer of their personal data to third parties or third countries.
- inform them of their right to contact our Organization for any issue relating to the processing of their personal data, their right to exercise their rights of access, rectification, and, where applicable, erasure, restriction, and objection to processing, as well as the right of individuals to report any violation of their personal data rights to the Personal Data Protection Authority.
- establish the principles governing the Agency's compliance with the relevant policies on the protection and security of personal data.
For any questions or concerns, or if anyone wishes to receive a copy of this statement, or wishes to exercise any of their rights relating to their personal data, the interested party may contact the Data Protection Officer (DPO) of the Athens School of Fine Arts at 210 6216 997 and at dpo@asfa.gr.
4.2 Details of the Data Controller, its Representative, and the Data Protection Officer
Data Controller:
| Brand name | School of Fine Arts |
| Address | 256 Piraeus Street, Postal Code 18233, Ag. I. Rentis |
| Telephones | 210 4801 260 |
| Email | dpo@asfa.gr |
Data Protection Officer:
| Full name | Advanced Service Systems Ltd. |
| Address | Tyrnavou & Sarantaporou 1A, 14565 |
| Telephones | 210 6216 990 |
| Email | dpo@aqs.gr |
4.3 Who collects personal data?
The Athens School of Fine Arts is a self-governing legal entity under public law.
This statement covers the collection of personal data by our Organization in the course of its business, including its presence on third-party websites, platforms, and applications under the Terms of Use of our website.
Please note that when you visit our Organization's Website, we simply collect data related to your interaction with the website and the installation of cookies (see our Central Cookie Policy). Third-party websites generally apply their own privacy statements and terms and conditions. We encourage you to read them before using these websites.
4.4 How is my personal data collected?
We may collect personal data from various sources, namely:
- Personal data provided to our Organization directly by data subjects, for one of the following reasons:
  - Information you provide us with during the conclusion, development, and termination of our contractual relationship.
  - Information you provide us with when participating in our Organization's events and activities.
  - Information you provide to us during your transactions with the School, your communication with us, or the submission of a request.
  - Information you provide when interacting with the School's websites for the purpose of conducting your transactions.
- We also receive and store certain types of personal data whenever anyone interacts with us online, i.e., when we use cookies and tracking technologies to receive personal data, and also when the web browser used by the internet user accesses our website or entries, as well as other content displayed by or on behalf of the Organisation on other websites.
4.5 What personal data is collected?
Personal data means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identity number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Due to the nature of our Organization's activities, the Personal Data it collects mainly concerns the following categories of subjects:
- Organization Employees: i.e., their personal data and information relating solely to their employment relationship with our Organization, which includes, indicatively, identity and contact details, financial information, and health data of themselves or additional members related to our Organization's compliance with labor and insurance legislation.
- Partners of the Organization (suppliers and other partners in general): i.e. their personal data and information relating to our contractual relationship, which includes, indicatively, identity and contact details, transaction data, and financial information relating to our Organization's compliance with its legal contractual obligations.
- Those who interact with the Organization (students, citizens, and individuals who communicate with our Organization in general): i.e. their personal data and information relating to the School's activities arising from legal obligations, our contractual relationship, where applicable, or used for their communication with our Organization, which includes, indicatively, identity and contact details, transaction data, access credentials to online applications, and financial data related to our Organization's compliance with its legal contractual obligations.
We would like to point out that, as a rule, we do not collect special categories of personal data, such as personal data relating to race, ethnic origin, religion, sexual orientation, or genetic biometric data, etc., which are classified as special categories of data and receive additional protection under European personal data protection legislation, beyond the data expressly provided for by law.
4.6 Particularly with regard to children's privacy
Personal data of children may be collected exclusively in the context of the employment relationship of our employees, i.e. for the purpose of describing the family status of employees for matters relating to remuneration, employment rights, etc. It is understood that this information is provided with the consent of the person who has parental responsibility for the child (see also below).
4.7 For what purposes is my data used?
The purpose of the processing is proportional to the operation performed in each case. Specifically:
- Employees' personal data is provided to our Organization for the purpose of concluding, executing, or terminating the respective employment/cooperation contract. In addition, employees' personal data regarding attendance, absences, hours of attendance, leave, medical certificates for sick leave are kept for the purpose of granting leave, including sick leave, while personal data relating to employee performance is provided by the heads of the individual departments for the purpose of staff evaluation by the Organization.
- The personal data of students, citizens, associates, and, in general, those who interact with the Organization, which they themselves provide to our Organization, are collected and processed for the purpose of complying with our legal obligations, the conclusion and development of our contractual relationship, where applicable, and, where appropriate, our communication with them at their request or for the provision of requested services such as registration in an online application.
4.8 What is the legal basis for processing?
The collection and processing of personal data of the above subjects is based on:
- Article 6(1)(b) GDPR: processing is necessary for the performance of a contract to which the data subjects are party or in order to take steps at the request of the data subjects prior to entering into a contract. This basis constitutes the legal basis for the processing of the above personal data of employees, associates and, in general, persons transacting with the organisation with whom there is a contractual relationship, in the context of achieving the purposes related to the conclusion of the contract, its performance, the management of employee recruitment and departures, the management of cards, permits, and payroll, the management of staff training, the management of staff evaluation, and the management of medical records, etc.
- Article 6(1)(c) GDPR: processing is necessary for compliance with a legal obligation to which we are subject under Union or national law. We rely on this basis to comply with our legal obligations in our capacity as a public entity in general, employer or contractor, the payment of our employees and associates, the maintenance of medical records of employees, the notification of the recruitment of employees to the competent authorities (Ergani, Labor Inspectorate, EFKA, etc.), and so on.
- Article 6(1)(e) GDPR: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Article 6(1)(a) GDPR: the data subject has given consent to the processing of his or her personal data for one or more specific purposes. We rely on this basis exceptionally for certain activities that may not be expressly provided for by law (e.g., participation in educational activities, registration in an online application, etc.).
- Article 9(2)(b) GDPR: processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
- Article 9(2)(h) GDPR: processing is necessary for the purposes of preventive or occupational medicine, assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment or management of health and social systems and services based on Union or Member State law or pursuant to a contract with a health professional.
- Article 9(2)(g) GDPR: processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.
4.9 Profile Creation
The Agency does not use personal data for profiling.
4.10 Transfer of Data to Third Parties: Who will my data be shared with?
The Organization may cooperate with third-party service providers (e.g., IT services, consulting services, etc.), who may process personal data on behalf of the School, such as IT support companies, but as a rule does not disclose data to third parties, except in the above cases.
We would like to point out that the above partners have previously committed to our Organization regarding their obligations not to use the data for any purpose other than processing, to maintain confidentiality, and to comply with the Regulation in general.
4.11 How long is my personal data retained?
The retention period for personal data depends primarily on the purpose of the processing, and simply storing it constitutes an act of processing, which is only permitted if it is governed by the principles of processing. After the retention period has expired, personal data is deleted. Specifically:
- twenty years after the employee's departure, in accordance with the Civil Service Code.
- twenty years (indicative limitation period for any resulting legal claims), a period during which any legal case for processing them may arise, such as civil cases or investigations of criminal offenses, tax audits, etc.
4.12 What are my rights?
The processing of your personal data is linked to your corresponding rights, which, subject to any provisions that may restrict their exercise, are:
- The right to information. You have the right to receive clear, transparent, and understandable information about how we use personal data and what your rights are. To this end, we provide you with the information in this Privacy Policy and encourage you to contact us for any clarification.
- The right of access. You can request that we correct or complete your data if it is incomplete or contains inaccuracies.
- The right to rectification. You may request that we correct or complete your data if it is incomplete or contains inaccuracies.
- The right to data portability. You may request that we provide you with, or transfer to a third-party provider in electronic format, certain information that you have provided to us.
- The right to erasure. In certain circumstances, you may request that all or part of your data be erased (e.g., if the data is no longer necessary for the purposes for which it was collected, etc.).
- The right to restrict processing. You have the right to restrict the processing of your personal data.
- The right to withdraw consent. If you have given your consent to the processing of your personal data, you have the right to withdraw your consent at any time by contacting us at the details provided herein.
- The right to object. You may object to the processing of your data carried out in pursuit of our legitimate interests, as set out above.
- The right to lodge a complaint with the Personal Data Protection Authority. You have the right to lodge a complaint directly with your local supervisory authority, the Personal Data Protection Authority, regarding how we process your personal data.
- Rights related to automated decision-making. You have the right not to be subject to a decision based solely on automated processing that produces legal or other significant effects on you. Specifically, you have the right:
  - to have human intervention involved,
  - to express your opinion,
  - to receive explanations for the decision that resulted from an assessment,
  - to challenge this decision.
If you exercise any of the above rights, we will take all possible measures to satisfy your request within a reasonable time and no later than one (1) month from the identification of your request, informing you in writing of the satisfaction of your request, or the reasons that may prevent the exercise of the relevant right, or the satisfaction of one or more of your rights, in accordance with the General Data Protection Regulation. Please note that in certain cases, it may not be possible to satisfy your requests, such as when the satisfaction of the right is contrary to a legal obligation or conflicts with a contractual legal basis for the processing of your data.
However, if you believe that any of your rights or legal obligations of our Organization regarding the protection of Personal Data have been violated, and after you have previously contacted the Organization's Data Protection Officer (DPO) about the relevant issue, i.e. you have exercised your rights towards the Organization and either you have not received a response within a month (extended to two months in the case of a complex request), or you consider that the response you received from the Organization is not satisfactory and your issue has not been resolved, you may submit a complaint to the competent supervisory authority, i.e., the Hellenic Data Protection Authority (HDPA), 1-3 Kifissias Avenue, TK 115 23 Athens, email: complaints@dpa.gr, fax 2106475628.
4.13 How is my personal data protected?
We have taken appropriate organizational and technical measures to protect your personal data from misuse, interference, loss, unauthorized access, modification, or disclosure. The measures we use include implementing appropriate access control measures, technical information security measures, and ensuring that personal data is encrypted, pseudonymized, and anonymized where necessary and feasible.
Access to your personal data is only permitted to authorized employees and associates and only when necessary to support the activities of our Organization, subject to strict contractual confidentiality obligations, when processing is outsourced and carried out by third parties.
4.14 How can I contact the Agency?
You can contact us at our headquarters address, 256 Piraeus Street, Postal Code 18233, Ag. I. Rentis, tel: 210 48 01 260 or via email at dpo@asfa.gr.
4.15 Updating this Privacy Policy Statement
This statement will be revised as necessary to comply with legislative changes, to respond to comments and needs of data subjects, and to changes in our Organization's products, services, and internal procedures. Any changes will be published with a simultaneous revision of the last update date at the top of this statement – Privacy Policy.