Notification regarding the processing of personal data of participants or prospective participants in training programs

Pursuant to the application of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Hellenic American Education Center (22 Massalias Street, 10680 Athens) (the “HAEC”) would like to inform you of the following:

1.What data is processed by the HAEC belonging to which natural persons:

The HAEC, in its capacity as data controller, processes personal data of natural persons that attend or will attend its training program as learners (“data subjects”). Data processed by the HAEC, may include:

(a) personal information, such as those collected during the data subject’s registration (in the program;

(b) financial data relating to the payment of fees to the HAEC, such as bank card information, bank account numbers, billing and payment data etc.;

(c) voice data (voice) and image of the data subject, when the training program is being recorded when the data subject, after receiving relevant notification by the HAEC subject chooses to enable his or her camera and microphone instead of using alternative methods to communicate with the lecturer of the program (e.g. chat);

(d) special categories of data, i.e., i.e., where applicable, health-related data that may be disclosed by the data subject (e.g. special learning difficulties, other health issues, medicines to avoid) and;

(e) image, as recorded by the CCTV system operating in the HAEC’s premises.

The disclosure of the data specified in subparagraphs (a) and (c) above is a legal or contractual obligation of the data subject or a requirement to conclude a contract. Where the data subject does not provide the above data or part thereof, he or she will not be able to participate in the HAEC training program.

2. Source of data:

The source of the data, as the case may be, is the data subject himself / herself disclosing his/ her data or the data subject’s employer (when the latter pays the data subject’s tuition fees). To the extent that the employer transmits third party personal data to the HAEC, he / she will be responsible for complying with the applicable provisions of the personal data legislation. In this context, the employer may need to obtain the data subjects’ consent before transmitting data to the HAEC.

3. Purposes and legal basis of processing data:

As the case may be, the purposes of processing personal data by the HAEC are:

(a) To register, provide services to and in general manage learners and issue certificates of attendance. For such data processing, the legal basis for the processing is the performance of the contract with the HAEC and the compliance with a legal obligation of the HAEC, while for special categories of data (as specified in clause 1 (d) above) that may have been disclosed to the HAEC, the legal basis for processing is the data subject’s relevant consent which he or she discloses personal data to HAEC and the protection of the vital interests of the data subject or of another natural person if the data subject is incapable of giving consent.

(b) To safeguard the interests of the HAEC. For such data processing, the legal basis is that processing is necessary for the purposes of the legitimate interests pursued by the HAEC (e.g. for the establishment, exercise or support of legal claims, in which case the processing, if necessary, will also extend to special categories of data).

(c) With respect to the data subject’s voice and image data (as defined in the clause 1 (c) above), the legal basis is the consent that the data subject, aware that the program is being recorded, provides by enabling their camera (voice and image) during the program, instead of using alternative methods to communicate with the instructor (e.g. chat);

(d) To prevent, deter and suppress any illegal actions, through the CCTV system operating at the HAEC's premises. For such data (image) processing, the legal basis is that processing is necessary for the purposes of the legitimate interests pursued by the HAEC.

(e) To send marketing material via electronic mail. Note that the HAEC is entitled to use the data subjects’ electronic mail contact details, lawfully obtained in the context of the provision of its services or any other transaction, for the direct promotion of similar services or for the furtherance of similar purposes, even when the data subject has not given prior consent, provided the subject is given, when contact details are collected, as well with every message, a clear and transparent option to object, easily and free of charge, to the collection and use of their electronic data. For such processing of data, the legal basis is that processing is necessary for the purpose of the legitimate interests pursued by the HAEC (i.e. the legitimate interests relating to the promotion of its services).

4. Recipients of data:

Except for the recipient mentioned in the clause 5 below and depending on the case and purpose of processing, personal data may be transmitted to authorised employees of the HAEC, to the data subject’s employer (when the latter pays for the tuition fees), as well as to companies associated with the HAEC with which the HAEC has concluded a relevant contract and which processes the data on its behalf (e.g. IT companies, IT service providers, etc.), within their competencies and subject to the obligation of confidentiality, secrecy and compliance with the data protection legislation. In addition, the HAEC may transmit personal data to third parties whenso required by law (e.g., to the Greek Ministry of Education and Religious Affairs), or for the purposes of, or in connection with legal proceedings in which it participates, or otherwise for the purposes of supporting, exercising or defending its rights, or to law enforcement authorities who have made a lawful transmission request, or when it considers that transmission is necessary for an investigation into the suspicion or existence of illegal activity.

5. Transfers of data outside the European Economic Area:

Personal data may be transmitted outside the European Economic Area and in particular to Hellenic American University, established in the U.S.A. (436 Amherst Str., Nashua, NH 03063). For the transfer of data to the U.S.A., the HAEC has concluded with the Hellenic American University standard contractual clauses that have been issued by the European Commission and which are considered to ensure appropriate safeguards for the processing of data. If a data subject wishes to receive a copy of the countersigned standard contractual clauses, he/ she may contact the HAEC’s Data Protection Officer by using the contact information mentioned in the clause 7 below. 

6. Data retention time:

The above data will be retained for the period of time required or allowed by the legislation/regulatory framework in force each time, taking into account the applicable prescription period, which may extend to up to 20 years.


(a) when processing is carried out under a relevant contract, personal data will be stored for as long as necessary for the performance of the contract and for the establishment, exercise and/or support of any legal claims of the HAEC arising from that contract; and

(b) when processing is imposed as an obligation by provisions stemming from the applicable legal framework, personal data shall be stored for as long as the relevant provisions so require. In particular, with regard to personal data contained in recorded material, such data will be retained until the end of the academic year during which the material was recorded.

7. Data subjects’ rights:

The data subject shall have the following rights under the GDPR:

(a) to receive a copy of the personal data held by the HAEC, together with other information on how data is processed;

(b) to request that personal data concerning him or her be rectified and, under conditions, to request the deletion or restriction of processing, or to object to the processing of personal data;

(c) to receive a copy or to request the transmission of a copy of his or her personal data to a third party in a structured, commonly used and machine-readable format (right to data portability).

When processing of data is based on consent, the data subject has the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. If the data subject wishes to receive further information about the processing of their personal data or to exercise any of the aforementioned rights, they must email the HAEC’s Data Protection Officer exclusively at  This email address is being protected from spambots. You need JavaScript enabled to view it. or send a letter to the mailing address above. Finally, the data subject has the right to file a complaint with the competent supervisory authority about how the HAEC handles his or her data (