Privacy Policy
DATA PRIVACY POLICY
«HELLENIC TRAIN - TRANSPORT SERVICES»
Scope of the Privacy Policy
“Hellenic Train”, member of the FS Group, with postal address 41 Syggrou Ave. & Petmeza 13, P.C. 11743, Athens, in its role as Data Controller, commits to the protection of privacy of natural persons and ensures the protection of their personal data, whether they are kept electronically in its databases or physically at its premises. In this respect and in accordance to the existing national and EU legal framework for the protection of personal data, in particular the General Data Protection Regulation (EU) 679/2016 (hereinafter “the Regulation”), the Greek Law 4624/2019 and the Greek Law 3471/2006 , Hellenic Train publishes the present lawful, fair and transparent Privacy Policy, in order to provide sufficient information to the natural persons (“data subjects”) on the personal data it collects and further processes in the context of provisions of its services to the public.
The present Privacy Policy shall apply to all premises and/or digital environments and applications of Hellenic Train which are relevant to its activities (indicatively: www.hellenictrain.gr, tickets.hellenictrain.gr).
Definitions
For the purposes of this Policy, the following definitions should apply:
‘Personal data’: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Special categories of personal data’: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
‘Processing’: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Anonymisation': the processing of personal data in such a way that data can no longer be attributed to a particular data subject;
‘Pseudonymisation’: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
‘Controller’: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘Processor’: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘Data subject’: any living individual whose personal data is collected, held or processed ‘Consent’: of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘Personal data breach’: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘Existing legislation’: The provisions of the existing Greek, EU or other legislation which is applicable to Hellenic Train which regulates matters of data protection, such as the General Data Protection Regulation (EU) 679/2016 (hereinafter “the Regulation”), the Greek Law 2472/1997, the Greek Law 3471/2006 Law, the case law of the Court of Justice of the European Union (hereinafter "CJEU”) as well as the Decisions, Directives and Opinions of the European Data Protection Board (hereinafter "the EDPB") and the Hellenic Data Protection Authority (hereinafter "DPA").
Collection of Personal Data
Hellenic Train, in the framework of its activities and operation, may collect personal data of its passengers, as well as its employees and its associates in general. Hellenic Train processes personal data with transparency according to the principles of lawfulness, proportionality, confidentiality and integrity, limitation of purpose and accuracy, specific data retention time and data minimization.
In principle, Hellenic Train may collect and process personal data for the following purposes:
1. To fulfill the task assigned by the legislation, but also the provisions of its statute (article 6
(1) (c)), such as:
- the provision of passenger and freight rail transport,
- the development, organization and operation of urban, suburban, regional, longdistance and international passenger and freight rail transport, as well as transport of all kinds and means
- any further activity that aims at the development of transport services and the provision of services to the public.
- To comply with its legal obligations (e.g. social security and tax legislation), regarding its employees and partners (article 6 (1) (c)).
- For recruitment purposes or in order to sign/execute contracts with third parties. In such cases, we collect and process personal data in accordance with article 6 (1) (b), for the performance of a contract the data subject of which is a party or to take action at the request of the data subject prior to the conclusion of a contract. In particular, the processing of special categories of personal data on prospective employees, such as health data, is based on Article 9 (2) (b) and Article 9 (2) (h) for the assessment of the employee 's ability to work and to fulfill our obligations regarding employment and the protection of the fundamental rights of prospective employees.
- To ensure its proper functioning and operation, pursuant to its statutory objectives and the existing legislation (article 6 (1) (c)).
- To guarantee the security of its employees, its establishments and its equipment. In this case, the collection and processing of personal data the legal interests of the Company, processing is necessary for the purposes of the legitimate interests pursued by the Company, in accordance with article 6 (1)(f).
- For the lawful performance or signing of contracts and in order to be able to meet the legal and contractual obligations they impose. In this case, processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (article 6 par. (b)).
- For the management of passengers’ requests/complaints. In this case we collect and process the data submitted by the data subjects either through the electronic platforms of the Company, or in writing at the Company's premises for the purposes of legitimate interests. If some of the information you provide to us through your requests/complaints contains special categories of personal data, the legal basis for processing is your prior explicit consent.
- For the management and registration of ticket booking, including payment management, your data is processed in the context of the performance of a contract (article 6 (1) (b) and for the purposes of the legitimate interests pursued by the Company (article 6 (1 (f)).
- To give our customers the opportunity to participate in contests or to complete questionnaires in the context of the contract between us (article 6 (1) (b)), as well as in the context of serving our legal interests for the evaluation of the services provided.
- In order to manage our websites, in the context of protecting our legal interests for the protection and security of our networks and the improvement of their content and the services provided from us (article 6 (1) (c).
- To contact you in order to suggest our products or services that you may be interested in, only after receiving your prior consent. In such cases, you have the right to withdraw your consent at any time.
Processing Purposes - Legal basis for processing
In principle, Hellenic Train may collect and process personal data for the following purposes:
- Issuance of tickets/ cards
Hellenic Train collects and processes passenger data in order to issue tickets, through the regional booking desks as well as through its website and its relevant mobile application (Hellenic Train App).
Personal Data |
Purpose of processing |
Legal basis |
Passenger’s name, passenger’s surname Discount beneficiaries (eg. Students, children, persons with disabilities) Charge details (country, postal code , town, address) Contact details (country, postal code, town, address, phone, email)
|
-Servicing passengers during ticket issuance -Managing payments, fees and charges -Change of itinerary - Change of trip schedule |
-Processing is necessary for the performance of the contract – Article 6 (1) (b) GDPR -In compliance with a legal obligation – Article 6 (1) GDPR & Regulation (ΕU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 -Processing in the context of the legitimate interests of Hellenic Train – Article 6 (1)(f) GDPR
|
Contact details (country, postal code, town, address, phone, email)
|
-Informing you in case of itinerary modifications/delays/cancellations |
Processing in the context of the legitimate interests of Hellenic Train – Article 6 (1)(f) GDPR |
Email address |
Newsletter subscription |
The data subject’s consent; –Article 6 (1)(a) GDPR |
Title, Name, Surname, date of birth, email, phone number, password, address, city. PC |
Creation of ticketing account |
Processing is necessary for the performance of the contract- Article 6(1) (b) GDPR |
Name, Surname, email
|
Issuance and delivery of gift card |
Processing is necessary for the performance of the contract- Article 6(1) (b) GDPR |
It is noted that especially for the ticket issuance via our website or the HellenicTrain App, Hellenic Train does not keep any credit card details you may register during the issuance procedure, since the payment takes place via bank's secure web-environment.
- Members
In the context of taking part in the Hellenic Train HT Card program, Hellenic Train collects and processes the following personal data from its members:
Personal Data |
Purpose of processing |
Legal basis |
Member’s name and surname Contact details Discount beneficiaries (country, postal code, town, address, mobile phone, email address) |
Subscription to the Hellenic Train HT Card program
|
Processing is necessary for the performance of the contract – Article 6 (1) (b) GDPR |
Contact details (email address /mobile phone) |
Communication with the members for their information about offers and news |
The data subject’s consent; –Article 6 (1)(a) GDPR |
Ticket Details |
Passenger services during the issuance of tickets/ ticket cancelation/money reimbursement -Managing payments, fees and charges
|
Processing is necessary for the performance of the contract – Article 6 (1) (b) GDPR |
- Transportation of persons with disabilities (PWD)
Hellenic Train collects and processes the following personal data when submitting the relevant application:
Personal Data |
Purpose of processing |
Legal basis |
Passenger’s name, surname |
Better servicing passengers needs
|
Processing is necessary for the performance of the contract – Article 6 (1) (b) Processing in the context of the legitimate interests of Hellenic Train – Article 6 (1) (f) |
Contact details (country, postal code, town, mobile phone, email address) |
Informing passengers in case of itinerary modifications/delays/cancellations |
The data subject’s consent; –Article 6 (1)(a) GDPR |
Date and time of transport Departure and arrival station- itinerary
|
Better servicing passengers needs
|
Processing is necessary for the performance of the contract – Article 6 (1) (b) Processing in the context of the legitimate interests of Hellenic Train – Article 6 (1) (f) |
Any data the passenger could submit |
Better servicing passengers needs
|
The data subject’s consent; –Article 6 (1)(a) GDPR |
- Contact Hellenic Train
In the context of passenger services (handling with requests/complaints), either via the contact form available at our website or by phone call to Hellenic Train, the Company may collect:
Personal Data |
Purpose of processing |
Legal basis |
Description of the incident (topic, date and time of transportation, etc.), name, surname, email address, address, town, prefecture, postal code, country, mobile phone, phone number, fax, any data the passenger could submit in the request, image |
Communication with Hellenic Train |
– Direct communication with website users/passengers – Article 6 (1) (f)
-The data subject’s consent; –Article 6 (1)(a) GDPR |
Phone call |
Communication with Hellenic Traincommunication security and better passenger servicing |
The data subject’s consent; –Article 6 (1)(a) GDPR |
- Lost items
Personal Data |
Purpose of processing |
Legal basis |
Name, Surname, Date and time of the incident, station – itinerary Contact information (Address, Town, Postal code, Country, Prefecture, telephone contact numbers, Fax) Methods of communication Any data included in the request
|
Communication with Hellenic Train regarding lost items
|
-Direct communication with passengers - Article 6 (1)(f)
-The data subject’s consent; –Article 6 (1)(a) GDPR |
- Freight Transport
If you choose to use the services of Hellenic Train for the goods and parcels we will collect the following personal information of sender and recipient:
Personal Data |
Purpose of processing |
Legal basis |
Sender’s/recipient’s name/surname Contact details (Country, Postal code, town, address, telephone number, email)
|
Transfer of goods and parcels |
Processing is necessary for the performance of the contract – Article 6 (1) (b) GDPR |
Name, surname, telephone contact number, professional status, sender’s address, recipient’s address charge details ((ΙΒΑΝ, any further information requires by national legislation (tax and insurance law) |
Completion of order |
Processing is necessary for the performance of the contract – Article 6 (1) (b) GDPR |
7. Automatically collected data:
We automatically obtain information, some of which may be personal data, that you provide by using this website. These include items such as: language settings, IP address, location, device settings, device operating system, activity details, usage time, redirect URL, status report, user information (information about browser version), operating system, browsing result (guest or member), browsing history, type of data you saw. We may also collect data via cookies. For information about the use of cookies, in the webpage Cookies Policy at www.hellenictrain.gr.
Transfer of personal data
Hellenic Train does not transfer the personal data collected through the website to third parties outside FS Group. Your personal data are disclosed the employees of the related department and the associates, who have been entrusted by Hellenic Train with the processing of personal data as well as to associated partners/Company.
In particular, for the purposes of processing mentioned above, data may be transferred to (indicatively):
- Third companies which provide to Hellenic Train relevant services (eg ticket agencies, finance and technical support, payroll, etc.).
- Companies of OSE group, to the extent that this transfer is necessary for the satisfaction of data subject’s requests and fulfillment of Hellenic Train’s purpose and upon prior data subjects’ consent (where necessary).
- Public authorities and other supervisory authorities, (eg. tax authorities, etc.) In the context of issuance of fines or upon relevant request, following the legal procedures.
In any case, the third parties to whom the personal data are transferred, are contractually bound to the Hellenic Train with a Non-Disclosure Agreement - Confidentiality Clause and fulfill their obligations provided by the Existing Legislation on the data subjects’ rights.
Transfer of personal data outside the European Economic Area (EEA)
In principle, Hellenic Train does not transfer your personal data to third countries and/or International Organizations. Whether the transfer of data concerns a country outside and the European Economic Area (EEA) or an International Organization, Hellenic Train first confirms that one of the legal bases of article 6 or article 9 of the Regulation is fulfilled and whether:
- The Commission has issued an adequacy decision on the third country for the transfer of such data (Article 45); or
- Appropriate safeguards are in place in accordance with the Regulation for the transfer of such data (Article 46) or
- Specific derogations provided for in the Regulation (Article 49) apply, e.g. explicit consent of the data subject, upon informing him/her on the risks of the transfer, the transfer is necessary for the performance of a contract at the request of the subject, there are reasons of public interest, it is necessary to support legal claims and the vital interests of the data subject, etc.
Data Retention Period
All personal data are collected and processed for a pre-determined and limited period of time, depending on the purpose of the processing. When this time period expires, the personal data are safely deleted.
When processing is imposed as an obligation by provisions of the current legal framework or a specific retention period is provided, your personal data will be stored for as long as the relevant provisions require.
The personal data of the data subjects that are collected and processed for the performance of the contract, are kept for as long as it is necessary for the performance of the contract and the establishment, exercise or defense of legal claims based on the contract.
The personal data of the subjects that are processed for promotional purposes based on the data subjects’ consent (eg. by subscribing to the Company’s Newsletter) are collected until the withdrawal of the consent, without this withdrawal affecting the lawfulness of processing performed based on consent before its withdrawal.
Personal Data Breach
In case a data breach occurs, Hellenic Train applies a specific Data Breach Policy.
In case you realize or suspect that a data breach may have occurred, we kindly ask you to inform without delay Hellenic Train at: dpo@hellenictrain.gr.
Personal Data Security
Taking into account the latest technological developments, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity, for the rights and freedoms of personal data subjects, Hellenic Train implements the necessary technical and organizational measures to ensure the protection of relevant rights. Although no method of transfer over the Internet and electronic storage of information is completely secure, Hellenic Train takes all necessary digital data security measures (eg. antivirus) in compliance with the rules of the Existing Legislation.
Data Subjects’ Rights
Hellenic Train ensures and takes the appropriate measure for the data subjects to be able to exercise their rights in accordance with the Existing Legislation.
Each data subject has the following rights:
- The right to request access to the personal data Hellenic Train maintains for the data subject. More specifically, he can request to receive a copy of the file kept by Hellenic Train with his personal data and verify the lawfulness of their processing (“the Right of Access and
Information”)
- The right to rectify his personal data in case of inaccurate or incomplete collection by
Hellenic Train (“the Right of rectification”)
- The right to submit a request for erasure of his personal data, if he does not wish his data to be processed and if there is no legitimate reason for further retention by Hellenic Train (“the Right to be forgotten”):
- The right to request restriction on the processing of his personal data (“the Right to restriction of processing”)
- The right to request the portability/ transfer of his personal data either to data subject or to third parties (“the Right to data portability”)
- The right to withdraw his/her consent concerning the processing of his personal data at any time data. Withdrawal of consent does not affect the lawfulness of processing performed based on consent before its withdrawal.
In addition, the data subject has the right to object to the processing of his/her personal data by Hellenic Train.
Hellenic Train provides the data subject with information on the processing operations within one (1) month from the submission of the data subject’s relevant request and following the data subject’s identification.
Data subjects have the right lodge a complaint with the Hellenic Data Protection Authority (DPA) for issues concerning the processing of their personal data. via the following link: www.dpa.gr.
Data Protection Officer (DPO)
To exercise any of the above rights, as well as for any issue regarding the processing of your personal data by Hellenic Train, you can contact the Data Protection Officer of the Hellenic Train at e-mail dpo@hellenictrain.gr.
Disclaimer for Third Party Websites – Social Media Buttons
At the present Website there are social media buttons - Social media widgets (eg. Google, Twitter, LinkedIn). When the user connects to a social media platform, a special digital footprint is created for which Hellenic Train and the social network act as joint controllers. For Hellenic Train, the purpose of processing this data is to improve the functionality of the website and the services provided as well as the analysis of its traffic. The legal basis for the processing of personal data is the achievement of the legitimate interest of interoperability with applications used by the client.
Hellenic Train does not control and is not responsible for any subsequent processing by the Joint controllers.
To find out more information about Privacy Policy and managing networks’ privacy settings, you may visit the following websites:
Updates to the Privacy Policy
This Privacy Policy may be amended/revised in the future, in the context of the Company's regulatory compliance as well as the optimization and upgrade of the Website services. We therefore recommend that you refer to the updated version of this Policy each time, for your adequate information.
October 2024
Useful links