Data protection policy statement

Fraport Greece (FG) is increasingly interacting with various categories of individuals, including but not limited to employees, airport passengers, business partners and airport staff not belonging to the FG workforce. It therefore processes personal data from various categories of data subjects across the entire spectrum of its corporate and operational activities, particularly in the areas of:

• Human resources and training management
• Aviation security and safety
• Airport video surveillance systems
• Passenger and customer communication management
• Services to reduced mobility passengers (PRM)
• Airport access controls and issuance of Airport ID cards
• Provision of Airport Wi-Fi service
• Corporate communications management
• Stakeholder and local community engagement
• Procurements, contracts and accounting management
• Document control, IT systems and data center management

In this context, FG is committed to complying with the applicable data protection law, to enhancing and improving the lawfulness, fairness and transparency of its personal data processing operations, and to protecting the rights of data subjects in an effective manner.

Purpose

This Policy sets out the commitment of FG’s Management Board on the protection of natural persons with regard to the processing of their personal data in compliance with the General Data Protection Regulation (GDPR) and the generally applicable legal framework on privacy and the protection of personal data. FG ensures that:

• we communicate this Policy statement to all employees and persons working on our behalf;
• we communicate this Policy and the results of our implementing measures and actions to our Shareholders, third parties and to the general public, as appropriate;
• we develop, implement, review and systematically improve this Policy and our implementing measures and actions, seeking continual improvement;
• we publish this Policy statement on FG websites;
• we review this Policy on an annual basis to keep pace with applicable law developments.

Scope

This Policy applies to all FG organisational units and employees and concerns personal data processed by them in any format including paper and electronic records (including archived information) processed or stored in hard copy folders, information technology systems, software tools, platforms, applications and removable storage media. It also applies to all third parties processing personal data on behalf of FG.

Principles

FG collects personal data only for specified, explicit and legitimate purposes, and does not further process such data in a manner that is incompatible with such purposes. In addition, it takes reasonable steps to ensure that the personal data collected are accurate, up to date, adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Personal data shall be processed lawfully, fairly and in a transparent manner. FG shall not process personal data absent a legal basis for the processing and it shall not process special categories of personal data or personal data relating to criminal convictions and offences unless it is necessary in strict compliance with the GDPR and applicable law.

FG shall take appropriate technical and organisational measures to ensure and to be able to demonstrate compliance with data protection rules and principles.

Policy Actions

To further implement and support this Policy in compliance with the applicable law, FG ensures that:

• it appoints its Data Protection Officer to monitor compliance with the GDPR and this Policy and to act as the contact point for data subjects and the supervisory authority;
• it observes the lawfulness of processing and obtains data subject consent where necessary;
• it implements appropriate data protection procedures, indicatively on facilitating the exercise of data subject rights and on information security breach management;
• it effectively handles data subject requests for exercising their rights under Articles 15-22 GDPR;
• it provides transparent information on personal data processing to various categories of data subjects via data protection notices;
• it maintains a central register (record of processing activities) for its processing operations;
• it uses technical and organisational measures to ensure appropriate data security, including specified access rights and controls, firewalls, IT systems testing, other information security measures, and the pseudonymisation and encryption of personal data;
• it notifies the supervisory authority and affected individuals of a personal data breach in a timely manner, as applicable under the law;
• it carries out data protection impact assessments for high risk areas prior to the processing and consults with the supervisory authority where necessary;
• it takes measures to include data protection by design and by default in its procurements of new systems and services;
• it secures effective third party management and data processing agreements subject to appropriate safeguards with contractors carrying out processing on its behalf;
• it complies with rules on international transfers of personal data (outside the EU/EEA);
• it keeps personal data for no longer than is necessary for the purposes for which they are processed each time pursuant to predefined retention periods and/or in order to comply with legal and statutory requirements on data and records preservation; and
• it fosters a privacy and data protection culture across the organisation through awareness-raising and staff training.

Approved by the Management Board on 24.09.2019

Alexander Zinell
Chief Executive Officer

Ilias Maragakis
Chief Operating Officer

Vangelis Baltas
Chief Financial Officer

William Fullerton
Chief Technical Officer