Privacy Policy

(Issue Date: April 15, 2019)


AIA’s Privacy Policy presents the commitment of AIA’s Management for the protection of natural persons with regard to the processing of their personal data, in compliance with the European General Data Protection Regulation (GDPR).

This document provides you in detail, the corporate personal data privacy management framework including all privacy practices implemented during the entire lifecycle of data. Moreover, you have all information for your rights and choices, applicable per case of process. AIA reserves the right to revise its Privacy Policy from time to time as to present the current managing practices in data processing. The most recent version is always available on our Website.

AIA’s Privacy Policy applies also upon all third parties processing personal data, on behalf of AIA.

DATA PROTECTION MANAGEMENT SYSTEM

PROFILE

Data Controller:

ATHENS INTERNATIONAL AIRPORT S.A (AIA)
Administration Building (B17)
P.C. 19019, Spata Attica
Greece

Holds all rights and obligations reserved for such capacity under the General Data Protection Regulation (GDPR 2016/679) for processing personal data through the Website.

Data Protection Officer:

Manager, Data Protection & Compliance
Athens International Airport S.A.
Administration Building (B17), P.C. 190 19 Spata, Attica
Email address: privacy@aia.gr

PRINCIPLES

AIA has created a robust information governance system as to process personal data in the course of airport operational and corporate activities, remaining at the forefront of information security and data privacy developments, diligently adhering to prevailing laws and regulations, policies and procedures. Appropriate technical and organizational measures have been implemented to mitigate, to the extent possible, the risk left unattained, taking into consideration privacy risk and data protection impact assessments. All personal data are:

  1. Processed lawfully, fairly and in a transparent manner;
  2. Collected for specified purposes;
  3. Classified, stored as per the corporate retention limits and securely purged;
  4. Accurate and, where necessary, kept up-to-date;
  5. Recorded and available for data subjects and any competent, supervisory Authority;
  6. Processed with integrity and confidentiality while ensuring their availability, on demand, by applying the appropriate technical and information technology measures and controls.

Privacy culture is promoted through learning and awareness sessions within AIA and towards business stakeholders.

MAJOR AREAS OF PERSONAL DATA PROCESSING

SECURITY OF AIRPORT FACILITY AND OPERATIONS

  • Surveillance activities (CCTV system throughout the airport premises)
  • Aviation safety
  • Incident Reporting
  • Emergency contact management
  • Issuance of airport employee ID card
  • Physical access control for employees and visitors
  • Airport call center recording
  • IP network monitoring

SUPPORT OF AIRPORT OPERATIONS – SERVICE PROVISION

  • Airport infrastructure and relative core systems for passenger handling (e.g., automated boarding pass control, baggage reconciliation etc.)
  • Assistance services to passengers with reduced mobility (PRM)
  • Airport public address system
  • Comment and query management
  • Marketing activities (e.g. newsletters, campaigns, cookies)
  • Social media management
  • Airport WI-Fi system and other mobile applications
  • Guided airport tours
  • Third party training
  • Αirport parking facilities 

CORPORATE PROCESSES

  • Engagement with local community
  • Tender and contract management
  • Accounting and claim management
  • External business collaborations
  • Employment relationships
  • Document control and database management
  • Data subjects rights handling

PURPOSE AND SCOPE OF PROCESSING

AIA processes the required and relevant personal data, per case of processing, as to:

  1. Implement statutory obligations related to civil aviation safety and security
  2. Provide airport services to passengers and customers
  3. Provide on line information, communication and electronic services
  4. Management relations with all stakeholders
  5. Analyze and report for corporate systems and processes

Within each context of processing, AIA informs the involved physical persons for the entire personal data lifecycle.

Personal data is collected from various sources:

  1. During airport, departure/arrival processes
  2. Provided by the individual, as a prerequisite for the provision of a service or voluntarily on a communication basis
  3. When using our mobile applications, visiting our corporate website
  4. From state authorities and/ or other organizations that share data, within the scope of official authority or business legitimate interest.

SECURITY OF PROCESSING

AIA acknowledges and respects the importance of data subject’s privacy and commits to safeguard the availability, integrity and confidentiality of the personal data, under processing. The objective is to protect data against unauthorized access, unlawful processing, misuse, alteration, accidental loss, destruction or damage. To this extent, a series of corporate policies and procedures provide specific guidance and promote the security awareness across all operational and corporate processes.

Organizational and technical measures have been implemented to safeguard all databases physically and electronically. All data are classified and retained for predefined time periods, as set by the corporate documents and records retention policy. Our staff is properly trained on their data processing accountabilities while there is restricted access to physical storage. Technical measures may include firewalls, intrusion detection and prevention systems, unique and complex passwords, and encryption.

DATA SHARING

We share personal data with selected business partners who process data jointly or on our behalf providing sufficient guarantees – within the scope of data processing agreements – to implement appropriate technical and organizational measures in such a manner that processing meets the GDPR requirements and ensure the protection of rights of the data subjects. In certain cases, mainly for cloud storage purposes, data may be transferred to countries outside the EU, based on contractual clauses that ensure that this takes place in accordance with the relevant GDPR requirements.

DATA SUBJECT CHOICES and RIGHTS

AIA provides to data subjects the choice to revoke their initially provided consent, for AIA’s marketing activities by changing their preferences for receiving airport advertising and promotional correspondence. Moreover, in cases where data subjects create personal accounts for managing the information provided to AIA (e.g. CV submission), AIA offers the ability to access their information and make updates or delete their data and their account, accordingly.

Data subjects willing to exercise their rights, as provided by the GDPR, are requested to contact AIA’s Data Protection Officer – as presented above in this Policy – who diligently will handle each request.

Right to access data:

Refers to access to data subject’s personal data and the following information:

  • Purpose(s) of processing
  • Categories of personal data processed
  • Recipients to whom the data is disclosed, within and outside EU
  • Data retention period
  • Sources of collection, if data is not obtained by the data subject.

Right to rectify data:

Refers to correction/amendment of inaccurate/ incomplete data.

Right to be forgotten:

Applies in one of the following cases:

  • Data has been unlawfully processed
  • Data is no longer necessary in relation to the purposes initially collected or otherwise processed
  • The data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing.

Right to restrict processing:

Applies in one of the following cases:

  • The data subject contests the accuracy of the personal data
  • Data has been unlawfully processed and data subject opposes the data erasure and requests the restriction of their use instead.

Right to data portability:

Applies under certain circumstances and solely where technically feasible and refers to the personal data transmission to another Data Controller in a structured, commonly used and machine-readable format.

Right to object processing:

Applies on grounds of each request, in particular.

The exercise of any of the above rights is subject to applicable regulatory or operational restrictions that AIA may confront.

Data subjects have the right to lodge a complaint with the Hellenic Data Protection Authority (DPA) at www.dpa.gr, if they consider that AIA’s processing of their personal data infringes the GDPR. Furthermore, data subjects have the right to an effective judicial remedy, in case they believe that their rights under the GDPR have been infringed as a result of AIA’s data processing.