Skip to main content

PERSONAL DATA PROTECTION POLICY

This Personal Data Protection Policy (hereinafter the “Policy”) intends to provide you with information on how your personal data is being processed through the website https://www.snf.org. Data Controller is the Greek SNF office, located in Athens at 86A Vasilissis Sofias Ave., PO Box 115 28, tel. +30 2108778300 (hereinafter the “Data Controller”).

References in this Policy to “you” or “your” are references to individuals whose personal data the Data Controller processes, i.e. individuals browsing the website, completing their personal data in order to receive newsletters, etc. (collectively the “users”).

The processing of personal data of the users of this website is governed by this Policy and the Cookie Policy, the relevant provisions of the applicable legislation on personal data, including the General Data Protection Regulation EU 2016/679 (the “GDPR”), Law 4624/2019, Law 3471/2006, and by the relevant decisions and guidelines of the Hellenic Data Protection Authority (hereinafter the “HDPA”).

 2. Which personal data does the Data Controller collect and for which purpose?

The Data Controller collects only the necessary and appropriate personal data, which is necessary in relation to the purposes for which it is processed, and it is not subject to any further processing in any way incompatible with the purposes originally collected. The types of personal data that the Data Controller collects and further processes about you, are collected directly from you and depend on the context of your interaction with the Data Controller and the website. In particular, by browsing the website, the Data Controller will collect and further process certain personal data, to be able to offer access to the website and its functionalities, such as information collected by the use of trackers (for further details please see our Cookie Policy).

Also, the Data Controller will collect and further process the following personal data categories: 

  • When you register to participate in various Data Controller’s events, e.g., SNF Dialogues, SNF Nostos or other events that may be organized in the context of SNF’s mission, the Data Controller processes personal data, including your name, last name, email address and professional status, in order to confirm your participation in the events and to plan them accordingly.
  • When you subscribe to the list of Data Controller’s newsletters recipients, the Data Controller collects and further processes personal data, including your name, last name and email address, in order to send marketing material and promote new SNF grants, initiatives and events. By subscribing to this list and providing your consent for the processing of your personal data, you acknowledge that you will receive newsletters and other additional informational material regarding SNF’s activities. You can withdraw your consent at any time and request the cessation of receiving updates and processing of your personal data for this purpose by selecting the “unsubscribe” link, available on each update you receive. 
  • In the context of our grantmaking activities, the Data Controller collects and further processes your personal data, in order to receive grant requests, evaluate them, accept grants and ensure correct management of SNF grants by grantee organizations, pursuant to the “Notice on the Processing of Personal Data Collected in the Context of Grant Making Activities”, which can be found uploaded here. 
  •  When you submit your application for a job opening or participation in the Internship Program, the Data Controller collects and further processes personal data, including the information of your Curriculum Vitae (CV) and application form, in order to evaluate candidates (trainees/employees), and/or examine a possible collaboration with you.
  • When the Data Controller needs to establish, exercise or defense legal claims, the Data Controller processes your personal data, including your name, your last name, your interaction with the Data Controller, etc. 
  •  When the Data Controller is required to comply with legal obligations, the Data Controller may process your name, your last name and information provided during grantmaking activities in order to comply with tax legislation and/or requests from administrative/judicial authorities.

The Data Controller may also process aggregated data, such as statistical or demographic data, for any purpose. While aggregated data may be derived from your personal data, these are not considered personal data, as they do not directly or indirectly reveal your identity (e.g., the Data Controller may aggregate your usage data to calculate the percentage of users accessing a specific website feature); however, if the Data Controller combines aggregated data with your personal data so that it can directly or indirectly identify you, the Data Controller shall treat the combined data as personal data, which will be used in accordance with this Policy.

2. What is the legal basis for the processing of your personal data? 

  • The execution of a contract to which you are a party or in order to take steps at your request prior to entering into such contract (i.e., to enable you to access the website, to apply for a job position/trainee position, to participate in an event, to receive a grant) (Contract),
  • Your consent, where appropriate, for one or more purposes (i.e., when subscribing in Data Controller’s newsletter, when you agree to the use of cookies and tracking technologies) (Consent), 
  • Compliance with the obligations imposed by the applicable legislation (i.e., when the Data Controller is requested to provide information to tax authorities) (Obligation by law), and
  • The overriding legitimate interest of the Data Controller (i.e., monitoring of how you use the website in order to ensure the efficient and secure operation, for reasons of fraud and misuse detection and prevention, and for the establishment or defense of legal claims) (Legitimate interest).

Where the Data Controller has a statutory duty to collect your personal data (for instance, for purposes of compliance with applicable legislation) or under the terms of a contract that the Data Controller has with you and you fail to provide the personal data when requested, the Data Controller may not be able to perform the contract and offer you access to the website functionalities.

3. How long does the Data Controller keep your personal data?

The Data Controller ensures that the personal data it collects is processed for no longer than it is required for the fulfilment of the purpose of processing e.g., for as long as needed to provide you with website functionalities, always in conjunction with the applicable legislation. Once the data processing purpose is completed, the Data Controller will either delete or anonymize your personal data, unless statutory retention requirements apply (e.g., to comply with regulatory and accounting requirements, or for the establishment or defense of legal claims). Where the legal basis for processing your personal data is your consent, upon withdrawal of your consent, your personal data will be deleted or anonymized, unless statutory retention requirements apply (e.g., to comply with regulatory and accounting requirements, or for the establishment or defense of legal claims).

With regard to the retention of information collected via cookies and other trackers, please read our Cookie Policy. 

4. With whom does the Data Controller share your personal data?

Your personal data may be transmitted to third-party service providers of the Data Controller, who process your personal data solely for the fulfillment of their obligations towards the Data Controller. In this case, the third parties (such as security services consultants, IT support services providers, marketing communication services providers, etc.) act as Data Processors on behalf of the Data Controller and are contractually bound to implement adequate technical and organizational security measures in accordance with applicable legislation.

To the extent required, the Data Controller may share personal data with law enforcement authorities, government authorities, competent independent regulatory/supervising authorities, competent courts and other judicial authorities, our professional external advisers, counsels or consultants, including lawyers, auditors, accountants and insurers providing relevant services to the Data Controller.

Also, the Data Controller may share your personal data with offices of Stavros Niarchos Foundation in third countries. In this framework the Data Controller has already signed data transfer agreements based on standard contractual clauses approved by the European Commission with offices of Stavros Niarchos Foundation in New York and Monaco. In order to obtain a copy of such standard contractual clauses, please contact the Data Controller at [email protected].

In addition, in the framework of cooperation with other recipients, any transfer of your personal data outside the EU/EEA for the purpose of achieving the above processing purposes, due to sharing of personal data with them, will be based on an adequacy decision issued by the European Commission or subject to suitable and appropriate safeguards and conditions to ensure an adequate level of data protection, e.g., data transfer agreements based on standard contractual clauses approved by the European Commission. For further information on how the Data Controller protects personal data when transferred outside the EU/EEA or in order to obtain a copy of the safeguards the Data Controller implements to protect personal data when transferred outside the EU/EEA, please contact the Data Controller at [email protected].

Also, the Data Controller may disclose your personal information in the following cases: (a) When it has your explicit consent to publish your data in any way or (b) if such disclosure is required to exercise SNF’s rights.

5. What are your rights? 

  •  Right of access: This means that you have the right to be informed by the Data Controller if it is processing your personal data. If the Data Controller is processing your personal data, you can ask for information about the purpose of processing, the type of data the Data Controller holds, with whom the Data Controller shares it, how long the Data Controller stores it, but also about your other rights, such as rectification, erasure, and lodging a complaint to the HDPA.
  • Right to rectification: If your personal data is inaccurate or incomplete, you can request that the Data Controller rectifies them (for example, a name correction or an update of an address change).
  • Right to erasure: You may ask the Data Controller to erase your personal data if one of the reasons provided by the applicable legislation is in force (e.g., when the data is no longer necessary or if you have withdrawn your consent).
  • Right to data portability: Under certain circumstances, you may ask the Data Controller to receive, in a structured, commonly used and machine-readable format, the data concerning you, or ask the Data Controller to transmit it to another controller.
  • Right to restriction of processing: You may ask the Data Controller to restrict the processing of your personal data, if you believe that your personal data are inaccurate or that processing is unlawful or that the Data Controller no longer needs the personal data or you have objections to the automated processing (if applicable).
  • Right to object: In certain cases, you may object to the processing of your personal data and the Data Controller will stop processing your personal data, unless, inter alia, there are compelling legitimate grounds for the processing which override your interests, rights and freedoms. You also have the right to object when a decision concerning you is based solely on automated processing, including profiling, and this decision produces legal effects concerning you or significantly affects you (exceptions provided by law).
  • Right to withdraw your consent: You may withdraw your consent at any time, without your withdrawal affecting the lawfulness of the processing based on your consent before its withdrawal.
  • Right to lodge a complaint with HDPA: If you believe that the Data Controller infringes the applicable legislation for the protection of your personal data, you have the right to lodge a complaint with the HDPA, registered in 1-3 Kifissias Ave., 11523, Athens, Greece. More information on the competence of the HDPA and how to lodge a complaint, you can find at www.dpa.gr.

6. Contact

To access your personal data, to exercise these rights, as well as for any comments, questions or requests regarding the processing of your personal data or the present Personal Data Protection Policy, please contact the Data Controller’s Contact Person: Ms. Lina Giotaki, Phone number: +30 210-8778300, email: [email protected], address: 86Α Vasilissis Sofias Ave., 115 28 Athens, Greece.

7. Modification of this Policy

The Data Controller monitors the policies and procedures for the collection and processing of your personal data that it implements and may at any time make any modifications in order to ensure the most effective protection of your personal data and the adoption of new practices. For this reason, please visit this page regularly for any changes.

The Personal Data Protection Policy was last updated in April 2024.