AIA Parking

The present Policy demonstrates the commitment of “Athens International Airport S.A.” (“AIA” or “the Company”) as regards the protection of natural persons in the processing of their personal data, by the Company during the performance of its statutory and business activities, in compliance with the Regulation (EU) 2016/679 - General Data Protection Regulation (GDPR) and domestic legislation.

This document outlines:

(A) The principles of AIA’s privacy management system,

(B) The major areas of personal data processing by AIA,

(C) Useful information on the rights available to you, as regards the processing of your personal data, as well as applicable limitations or conditions, as set out by the law.

AIA reserves the right to revise this Privacy Policy from time to time, so as to reflect regulatory and operational developments in data processing. The most recent version is always available on our Website.

Α. DATA PROTECTION MANAGEMENT SYSTEM

Data Controller:

ATHENS INTERNATIONAL AIRPORT S.A.
Administration Building (B17)
P.C. 19019, Spata Attica
Greece

Data Protection Officer:

Manager, Data Protection & Compliance
Athens International Airport S.A.
Administration Building (B17), P.C. 190 19 Spata, Attica
Email address: privacy@aia.gr

Note: In most cases AIA processes personal data as a Data Controller, holding all rights and obligations reserved for such capacity under the General Data Protection Regulation (GDPR). However, there are processes that AIA acts as Data Processor to other Data Controllers (e.g. Airlines operating through the Airport) as may be necessary. More information is provided in the respective Privacy Notices issued per processing activity.

PRINCIPLES

AIA has created a robust information governance system, applying appropriate technical and organizational measures to the processing of personal data, as required, in the course of Airport operational and corporate activities. ..

Personal data are:

Processed lawfully, fairly and in a transparent manner;
Collected for specified purposes;
Classified, stored as per the corporate retention limits and securely purged;
Accurate and, where necessary, kept up-to-date;
Recorded and available for data subjects and any competent, supervisory Authority;
Processed with integrity and confidentiality while ensuring their availability, on demand, by applying the appropriate technical and information technology measures and controls.

Privacy culture is promoted through learning and awareness sessions within AIA and towards business stakeholders.

B. MAJOR AREAS OF PERSONAL DATA PROCESSING

B.1. Security of Airport Facility and Operations

Surveillance activities (CCTV system throughout the airport premises);

Airport Security & Passenger Screening;

Aviation Safety & Incident Reporting;

Emergency contact management;

Issuance of ID cards to Airport Community staff;

Physical access control for employees and visitors;

Airport call center recording;

IP network monitoring.

B.2. Support of Airport Operations – Service Provision

Airport infrastructure and relative core systems for passenger handling (e.g., automated boarding pass control, baggage reconciliation etc.)

Airport Management Operations;

Airport Community members training;

Assistance services to passengers with reduced mobility (PRM);

Operation of Αirport parking facilities, e-bookings & Terminal curbside access management;

Airport public address system;

Comment and query management;

Website & Corporate Communication (e.g. Marketing activities, newsletters, campaignssocial media management );

Airport WI-Fi system and other mobile applications;

Guided airport tours.

B.3. Corporate Processes

Employment relations;

Document control and database management;

Tender and contract management;

Accounting and claims management;

External business collaborations;

Investor Relations;

Data Subjects’ rights handling;

Collection and review of Whistleblowing reports

Engagement with local communities;

B.4. Purpose and Scope of Processing

AIA processes the required and relevant personal data, per case of processing, as to:

Implement statutory obligations related to civil aviation safety and security;
Provide airport services to passengers and customers;
Provide on line information, communication and electronic services;
Manage relations with all stakeholders;
Analyze and report for corporate systems and processes.

Within each context of processing, AIA informs the involved physical persons for the entire personal data lifecycle.

Personal data is collected from various sources:

During departure/arrival processes and presence at the airport,
Provided by the individual, as a prerequisite for the provision of a service, or voluntarily on a communication basis,
When using our mobile applications, visiting our corporate website,
From state authorities and/ or other organizations that share data, within the scope of official authority or business legitimate interest.

B.5. Security of Processing

AIA acknowledges and respects the importance of data subject’s privacy and commits to safeguard the availability, integrity and confidentiality of the personal data, under processing. The objective is to protect data against unauthorized access, unlawful processing, misuse, alteration, accidental loss, destruction or damage. To this extent, a series of corporate policies and procedures provide specific guidance and promote the security awareness across all operational and corporate processes.

Organizational and technical measures have been implemented to safeguard all databases physically and electronically. All data are classified and retained for predefined time periods, as set by the corporate documents and records retention policy. Our staff is properly trained on their data processing accountabilities while there is restricted access to physical storage. Technical measures may include firewalls, intrusion detection and prevention systems, unique and complex passwords, and encryption.

B.6. Data Sharing

We share personal data with public authorities and selected business partners who process data jointly or on our behalf providing sufficient guarantees – within the scope of data processing agreements – to implement appropriate technical and organizational measures in such a manner that processing meets the GDPR requirements and ensure the protection of rights of the data subjects. In certain cases, mainly for cloud storage purposes, data may be transferred to countries outside the EU, based on contractual clauses that ensure that this takes place in accordance with the relevant GDPR requirements.

C. DATA SUBJECTS’ CHOICES AND RIGHTS

AIA provides to data subjects the choice to revoke their initially provided consent, for AIA’s marketing activities by changing their preferences for receiving airport advertising and promotional correspondence. Moreover, in cases where data subjects create personal accounts for managing the information provided to AIA (e.g. CV submission), AIA offers the ability to access their information and make updates or delete their data and their account, accordingly.

Data subjects willing to exercise their rights, as provided by the GDPR, are requested to contact AIA’s Data Protection Officer – as presented above in this Policy – who diligently will handle each request. The exercise of any of the above rights may be subject to applicable regulatory or operational restrictions.

C.1. Right to access data:

Refers to access to data subject’s personal data and the following information:

Purpose(s) of processing

Categories of personal data processed

Recipients to whom the data is disclosed, within and outside EU

Data retention period

Sources of collection, if data is not obtained by the data subject.

Transfer of data outside EU

Whether data are subject to automated decision making and profiling

The filing of a compliant to a supervising Authority

C.2. Right to rectify data:

Refers to correction/amendment of inaccurate/ incomplete data.

C.3. Right to erasure data:

You have the right to submit a request for the erasure of your personal data, and such request shall be granted provided no other legal grounds for processing are in place (such as compliance with a legal obligation to process personal data)..

C.4. Right to restrict processing:

It’s the right to request the restriction of the processing of your personal data in the following cases: (a) when you contest the accuracy of your personal data, and pending verification of the accuracy of your data; (b) when you oppose the erasure of your personal data and you request the restriction of their use instead; (c) when your personal data are no longer needed for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, and (d) when you have objected to the processing and pending verification that our legitimate grounds for processing override those for which you object to the processing.

C.5. Right to data portability:

Applies under certain circumstances and solely where technically feasible and refers to the personal data transmission to another Data Controller in a structured, commonly used and machine-readable format.

C.6. Right to object processing:

Applies to the processing of personal data whose processing is based on the legal basis of Article 6 (1) (e) or (f) of the General Regulation) and such objection shall be granted unless the Company demonstrates compelling legitimate grounds for the processing.

C.7. Right to oppose automated decision-making

You have the right to request that you be excluded from decision-making which is based on automated processing, including profiling.

C.8 Right to lodge a complaint with the competent Authority

Data subjects have the right to lodge a complaint with the Hellenic Data Protection Authority (DPA) at www.dpa.gr, if they consider that AIA’s processing of their personal data infringes the GDPR. Furthermore, data subjects have the right to an effective judicial remedy, in case they believe that their rights under the GDPR have been infringed as a result of AIA’s data processing.

PRIVACY POLICY