PRIVACY POLICY
This Privacy Notice sets the rules and explains how personal data is collected and processed by the Hellenic Cystic Fibrosis Association (H.C.F.A.), established in 1983 in Greece (Tax Identification Number 099524287) and located in Athens (Karaiskaki 28, +30 6944255853, info@cysticfibrosis.gr), which is legally represented by the President Mrs. Anna Spinou.
Hellenic Cystic Fibrosis Association (H.C.F.A.) is a non-profit patient association. Its purpose is the protection and welfare of Cystic Fibrosis patients and their families throughout Greece through unified, multifaceted, and nationwide representation. The Association is registered in the National Register of Non-Profit Private Sector Bodies that provide social care services and in the Special Register of Voluntary Non-Governmental Organizations.
The Association is bound to protect the data processing activities and the personal data it collects and uses according to this Privacy Policy, the General Data Protection Regulation/GDPR (EU) 2016/679 and the Greek legislation for the protection of personal data (L. 4624/2019) and the protection of the privacy of electronic communications (L. 3471/2006).
With this Privacy Policy, the Association, as Personal Data Controller, informs about the way and purpose of collecting and processing personal data, about their retention time, the conditions for their transmission to third legal recipients, and about how to exercise your rights under the General Data Protection Regulation and the applicable Greek legislation.
PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA
The Association processes personal data in a lawful, fair, and transparent manner; it collects them for specified, explicit, and legitimate purposes and does not further process them in a way incompatible with those purposes. The personal data that the Association requests and collects are adequate, relevant, and limited to what is necessary for the purposes for which they are processed. The personal data are accurate and, where necessary, kept up to date. The Association takes every reasonable step to ensure the appropriate security of the personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.
‘Processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
PURPOSE OF COLLECTION AND PROCESSING
The Association advocates for patients and their families’ rights, provides support and accurate information, and promotes public awareness, clinical research, and collaboration with health professionals, the State, and public and private entities.
Patients, parents/guardians, and caregivers are registered as members following the procedures laid down in the statutes after being informed of the purposes of the Association, filling out an application form, and paying the membership fee. The Association is supported by a Scientific Committee, which consists of specialized doctors and health professionals in Cystic Fibrosis from all hospitals and Cystic Fibrosis Units and dedicated Centers in Greece where patients are monitored and treated. Honorary members of the Association are exempt from the obligation to pay a subscription.
The data collected and processed by the Association are used for:
- Its operation and the fulfillment of its statutory objectives
- Registration of new members
- Communication with its members and the public
- The free provision of medical equipment, e.g., personal spirometer, portable oxygen, nebulizer, at the request of the patient or his caregiver
- Informing Institutions and the Press
- The exchange of views in patient forums and closed groups on online social media
- Participation in psychological support groups
- Processing job applications and monitoring employment relationships
- Assisting participation in and registration for events through the completion of paper and online forms
- Responding to inquiries, applications, and incoming requests
- Sending electronic communication via mail, email, telephone, fax, multimedia messages, internet-based communication platforms, and applications (Viber, WhatsApp, Skype, Facebook Messenger, Facetime, etc.)
- Notifying about disruptions of services
- Complying with legal and regulatory obligations
- Establishing, exercising, and defending its legal rights
POINTS OF COLLECTION
The Association collects personal data from the data subject’s interaction through correspondence, phone, mail, email, printed and online contact forms, social media, or through its website. More specifically:
– When you fill and submit forms in print or electronically
– When we communicate with you via mail, email, social media, internet-based communication platforms (Viber, WhatsApp, Messenger, etc.), and video calls.
– During events
– From third parties to whom you have consented to transfer your data to us.
– From the device or the browser you use to access our website and social media pages.
CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA AND LEGAL BASIS OF PROCESSING
| CATEGORIES OF DATA SUBJECTS | TYPE OF PERSONAL DATA (includes without limitation) | LEGAL BASIS OF PROCESSING |
|---|---|---|
| Members | Identification data (name, surname), identity card, financial data (Tax ID), communication data (address, e-mail address, telephone numbers), payment data (membership, bank accounts, credit card numbers), membership application, profession, category of membership (patient, parent/guardian). Health data for the patients: date of birth, health information, health unit where the patient is treated. Zoom accounts: video and audio data during video conferences via the Zoom platform, email of the participant in the video conference. Comments and questions through the closed member communication group on Facebook and other online platforms. | Consent according to Article 6 (1)(a) GDPR. Compliance with a legal obligation according to Article 6 (1)(c) GDPR. The legitimate interests pursued by the Association or by a third party, according to Article 6 (1)(f) GDPR and Article 11 (3) of the Greek Law 3471/2006. Processing of special categories of personal data: the explicit consent to the processing according to Article 9 (2)(a) GDPR. |
| Health professionals, medical staff, students | Identification data (name, surname), identity card, communication data (address, e-mail address, telephone numbers), job descriptions. | Consent according to Article 6 (1)(a) GDPR. |
| Partners, third-party providers and suppliers | Identification, communication, and financial data (name, surname, email address, address, phone number, job title, identity card number, Tax ID No., bank accounts). | The performance of services, a contract, or an agreement according to Article 6 (1)(b) GDPR. Compliance with a legal obligation according to Article 6 (1)(c) GDPR. |
| Employees, job applicants, interns | Identification data (name, surname, father’s name, mother’s name, date of birth, identity card/passport number, Tax ID No., photo, citizenship), communication data (address, e-mail address, telephone numbers), financial data (bank accounts, salary, additional fees), family status, social security data (social insurance registration number/AMKA, social security number/AMA, Single Agency of Social Insurance/EFKA), studies (degrees and vocational training data), letters of reference. Health data is collected and processed when required by law. | The performance of services, a contract, or an agreement according to Article 6 (1)(b) GDPR and Article 27 of the Greek Law 4624/2019. Compliance with a legal obligation according to Article 6 (1)(c) GDPR. |
| Volunteers | Identification and communication data (name, surname, email address, address, phone number). | Consent according to Article 6 (1)(a) GDPR. |
| Event participants | Identification (name, surname), communication (email address, address, phone number), financial data (PayPal accounts, proof of payments), job title, studies. | Consent according to Article 6 (1)(a) GDPR and Article 11 (1) of the Greek Law 3471/2006 for the protection of personal data and privacy in the electronic communication. |
| Invited speakers | Identification (name, surname), communication (email address, address, phone number), biographical information, photograph, employer, physical work address, work email address, link to company website and/or professional LinkedIn page available to the public. | Consent according to Article 6 (1)(a) GDPR. |
| Donors | Identification data (name, surname, identity card), communication data (address, e-mail address, telephone numbers). Donation information: amount, bank payment details (bank, account number, IBAN), credit/debit card numbers. | Consent according to Article 6 (1)(a) GDPR. Compliance with a legal obligation according to Article 6 (1)(c) GDPR. |
| Website and social media pages visitors | Browser information, IP address, Internet Service Provider, type of device, operating systems, navigation information, and other relevant identifications of the computer used to access the website. | Consent according to Article 6 (1)(a) GDPR and Article 11 (1) of the Greek Law 3471/2006. The legitimate interests pursued by the Association or by a third party, according to Article 6 (1)(f) GDPR. |
| Electronic communication recipients (newsletters) | Name, surname, email address. | Consent according to Article 6 (1)(a) GDPR and Article 11 (1) of the Greek Law 3471/2006 for the protection of personal data and privacy in the electronic communication. |
The Association, as Data Controller, is obliged to carry out an identity check during the registration process of its new members, to check the accuracy of their data and to update them at regular intervals.
MEMBERS FORUM
Registered members of the Association can participate in closed online social media groups (e.g., Facebook) and groups with a physical presence. Posts and discussions are confidential, reflect the views of individuals, and are not shared with third parties. The official positions of the Association are communicated through announcements.
ELECTRONIC COMMUNICATION
The registered members of the Association agree to receive news from the Board of the Association with content related to their subscription or automatic emails sent from the website for proper use.
The Association will seek and obtain the relevant consent for any other electronic communication recipient category.
DISCLOSURE/TRANSFER OF PERSONAL DATA TO THIRD RECIPIENTS
CF Greece does not share, sell, rent, transfer, or trade personal information with third parties. A transfer may occur only under the following circumstances:
– If you have given your free and explicit consent, having been informed in advance of the purposes of the transfer
– To public authorities if required by law or a statutory obligation and if the transfer is necessary to protect its rights and comply with legal or judicial procedures and court decisions.
– To service providers and subcontractors (processors and subprocessors) who process personal data on behalf of the Association, such as accounting, IT, and cloud services.
The data transfer will be under Article 28 of GDPR, which sets the data processors’ responsibilities. The data processors are bound to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. If the sub-contractor processes Personal Data outside the EU/EEA area, such processing must be under the provisions and conditions of the GDPR, including the EU Standard Contractual Clauses for transfer to third countries or another specifically stated lawful basis for the transfer of personal data to a third country.
USE OF COOKIES AND SIMILAR TECHNOLOGIES
The Association uses cookies and other relevant technologies to give the user the best possible experience, navigate the website efficiently, perform certain functions, analyze traffic, and optimize its services.
More information on the cookie policy can be retrieved here.
SECURITY OF THE PROCESSING
The Association implements appropriate technical and organizational measures to ensure the necessary level of personal data protection against risks, misuse, or unauthorized access to them. All information related to the personal data of persons is regarded as confidential.
The Association has established procedures for data access by authorized members of the Board of Directors and appointed individuals for specific processing purposes, and uses secure security codes, technology to detect network interference, encryption, verification technologies, procedures for secure connections, and protection from malware.
DATA RETENTION PERIOD
The Association uses and stores personal data for as long as necessary to fulfill the collection and processing purpose. It may keep it for a reasonable period after your last interaction with the Association. The retention period is defined and may be extended by law to establish, exercise, or defend legal claims and security purposes.
If personal data is no longer necessary for these purposes, it will be deleted or destroyed securely.
The personal data of the electronic communication recipients will be automatically deleted if the individual unsubscribes from the list.
The Association may keep data for statistical purposes, but data will be anonymized.
If the data retention period has expired, the Association may notify the individuals via electronic communication, phone message, or any other proper means (e.g., an announcement to the Press) that it will proceed to delete or destroy the specific files. In addition, the persons have the right to receive a copy of their files.
DATA SUBJECTS RIGHTS
The data subjects shall have:
- The right to obtain confirmation as to whether and how personal data concerning them are being processed and access to the personal data. (Right of Access).
- The right to obtain the rectification of inaccurate or out-of-date personal data concerning them. (Right to Rectification).
- The right to restrict the processing of personal data if the provisions of Article 18 GDPR apply. (Right to Restriction of Processing).
- The right to request the deletion of personal data when it is no longer necessary, under the conditions set in Article 17 GDPR. (Right to Erasure). The Association shall delete the personal data unless the Law prohibits the deletion or the personal data are necessary to exercise a legal right.
- The right to withdraw consent to personal data processing at any time, without prejudice to the lawfulness of the consent-based processing before the withdrawal in question. In case the natural person is a member of the Association, the withdrawal of consent that entails the refusal to provide personal data, which are prerequisites for the registration of members, makes membership impossible.
- The right to request that the Association as Data Controller pass on personal data directly (in a portable format) to another data controller when the processing is based on consent or contract. (Right to Data Portability)
- The right to object to the processing if the data processing has been based on legitimate interest. (Right to Object)
- The right not to be subject to a decision based solely on automated processing, including profiling
- The right to be informed in case of a data breach if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
EXERCISE OF DATA SUBJECT RIGHTS
Queries about Privacy Rights should be sent to info@cysticfibrosis.gr, +30 6944255853.
The Association shall provide information on action taken on a request without undue delay and, in any event, within one month of receipt. That period may be extended by two further months where necessary, considering the complexity and number of the requests. The Association shall inform the data subject of any such extension within one month of receipt of the request and the reasons for the delay.
The information is provided for free unless the requests are manifestly unfounded or excessive, in particular because of their repetitive character. In this case, the Association also has the right to answer to the request.
For further actions, you may contact the Hellenic Data Protection Authority, Kifissias 1-3, PC 115 23, Athens, Greece, Telephone: +30-210 6475600, E-mail: contact@dpa.gr, www.dpa.gr
Last Update May 2023