Personal Data Protection Policy
1. Subject of the Privacy Policy
1.1. The company under the name «ELECTRONIC GOVERNANCE OF HEALTH AND SOCIAL INSURANCE S.A.» (IDIKA S.A.) guarantees respect for the privacy of natural persons and the protection of their personal data, whether maintained in digital or printed form, within or outside its premises. For this reason, within the framework of the applicable national and EU legal framework governing the protection of personal data, and in particular the General Data Protection Regulation 2016/679 EU (hereinafter «the Regulation»), IDIKA S.A. publishes this lawful, fair and transparent personal data protection policy, with the aim of providing natural persons («data subjects») with adequate information about the personal data it collects and further processes in the course of providing its services.
1.2. This privacy policy also applies to all applications and/or digital environments developed and supported by IDIKA S.A. or owned by IDIKA S.A. and related to its activities, as presented on IDIKA S.A.’s website.
1.3. The subject of this Policy is to define the basic principles and rules according to which IDIKA S.A. collects, stores and generally processes personal data, both in the context of its activities and in the context of the operation of its website (www.idika.gr) (hereinafter «the Website»).
1.4. The full details of IDIKA are:
IDIKA – ELECTRONIC GOVERNANCE OF HEALTH AND SOCIAL INSURANCE S.A.
Postal address: 10 Lykourgou St., P.C. 10551, Athens
Email: info@idika.gr
Phone: 11131
2. Definitions
For the purposes of this Policy, the following terms are understood as follows:
«Personal data»: any information relating to an identified or identifiable natural person («data subject»); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
«Special categories of personal data»: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
«Processing»: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
«Anonymisation»: the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject.
«Pseudonymisation»: the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures.
«Controller»: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
«Processor»: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
«Consent» of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
«Personal data breach»: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
«Applicable legislation»: the provisions of the applicable Greek, EU or other legislation governing the protection of personal data, in particular Regulation (EU) 2016/679 (GDPR), implementing Law 4624/2019 (Government Gazette Α’137) and Law 4623/2019 (Government Gazette Α’134).
3. General Principles of Personal Data Processing
When processing personal data, IDIKA S.A. applies the following basic principles:
(a) Lawfulness, fairness and transparency: IDIKA S.A. ensures that it collects and further processes data lawfully, in a transparent manner in relation to the data subject.
(b) Purpose limitation: IDIKA S.A. processes personal data only for specified, explicit and legitimate purposes.
(c) Data minimisation: IDIKA S.A. takes appropriate technical and organisational measures to ensure that the personal data collected are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
(d) Accuracy: IDIKA S.A. ensures that the personal data it collects and further processes are always accurate and kept up to date.
(e) Storage limitation: IDIKA S.A. does not retain personal data for a period longer than is necessary for the purposes for which they were collected. However, data may be retained for a longer period where processing is necessary:
- for compliance with a legal obligation,
- for the performance of a task carried out in the public interest,
- for archiving purposes in the public interest, or for scientific or historical research or statistical purposes,
- for the establishment, exercise or defence of legal claims.
(f) Integrity and confidentiality: IDIKA S.A. ensures that personal data are processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
4. Purposes and Legal Bases for Processing
4.1. IDIKA S.A., in the context of its e-governance activities and its operation in the public interest, may collect and process personal data of citizens/natural persons who use its services and applications, its employees, and its collaborators generally.
4.2. IDIKA S.A. may collect and further process personal data for the purposes set out below, with their corresponding legal bases for processing.
4.3. For any other form of processing where the above legal bases do not apply, IDIKA S.A. requests the consent of the data subjects prior to the commencement of processing.
5. Categories of Personal Data Collected and Processed
5.1. In the context of its activities, IDIKA S.A. may collect personal data both of citizens or professionals who use its services and applications and of its employees, collaborators, and other natural persons with whom it deals within the scope of its responsibilities.
5.2. Depending on the form and purpose of processing, IDIKA S.A. may collect and process the following categories of data:
| Categories of Data Subjects | Categories of Data |
|---|---|
| Citizens | |
| Doctors & Pharmacists | |
| Employees / Job Applicants & Collaborators | |
6. Data Collected through the Website
Data collected via the contact form
When you choose to contact us using the electronic contact form available on the Website, you will be asked to provide certain information, such as your name, surname and email address, as well as any further information you provide by completing the «Message» field. We collect this information solely for the purpose of serving you and contacting you to fulfil your request. The legal basis for processing is the legitimate interest of IDIKA S.A. in facilitating communication with the public and handling requests received in the course of its operation.
Web Technologies
During your browsing on the Website, IDIKA S.A. may collect only certain necessary information related to website traffic, such as the Internet Protocol address (IP address), the type of browser used by the visitor, and cookies. For more information regarding the use of cookies on this website, please read the IDIKA S.A. Cookies Policy.
7. Disclaimer for Third-Party Websites
The Website may provide links to third-party websites. IDIKA S.A. does not control these third-party websites and is not responsible for the content posted on them or their privacy practices.
8. Transfer to Third Parties
IDIKA S.A. may transfer the above data to other public and/or private entities for the implementation of its purposes, in particular where this is required by applicable legislation. Specifically, data may be transferred to:
- Third-party partner companies providing related services, which are contractually bound to ensure confidentiality and full GDPR compliance,
- Authorities and independent authorities (e.g. General Secretariat for Information Systems, Police, Prosecution authorities, etc.).
In the event of a transfer to a country outside the EU or EEA, IDIKA S.A. must verify that the appropriate safeguards are in place in accordance with the Regulation.
9. Data Protection and Security
To prevent unauthorised access, maintain data accuracy and ensure the appropriate use of personal data, IDIKA S.A. has taken reasonable technical and organisational measures, including antivirus and firewall protection. It should be noted that no method of transmission over the Internet is 100% secure.
10. Rights of Data Subjects
10.1. IDIKA S.A. ensures that data subjects can exercise the rights recognised by law regarding the collection and processing of their personal data. Each data subject has the right to:
- Request information about their personal data held by IDIKA S.A.
- Request access to their personal data and obtain a copy thereof.
- Request the correction of incomplete or inaccurate data.
- Request the erasure of their personal data, where their retention is not supported by a legal basis.
- Request the restriction of the processing of their personal data.
- Request the portability/transfer of their personal data in a commonly used, machine-readable format.
- Withdraw consent at any time, without this affecting the lawfulness of processing carried out prior to withdrawal.
To exercise the above rights, please contact IDIKA S.A. at: dpo@idika.gr
IDIKA S.A. will endeavour to fulfil your request within one month of submission. For any complaints, you may contact the Hellenic Data Protection Authority at: www.dpa.gr.
11. Data Retention Period
Personal data collected are retained for a predetermined and limited period of time, depending on the purpose of processing, after which they are deleted from our records, unless otherwise provided or permitted by applicable legislation.
12. Updates to the Privacy Policy
IDIKA S.A. may amend this Privacy Policy from time to time for reasons of compliance with regulatory changes and/or for the optimisation of its operations and services. Updated versions will be posted on IDIKA S.A.’s websites.
Last revised: June 2024
