Privacy Statement

Privacy Statement regarding the protection of personal data in the context of “GR-IX services”

GR-IX is a neutral and independent Internet Exchange, the mission of which is to facilitate the exchange of Internet traffic and to accelerate Internet growth in Greece. GR-IX constitutes a critical national Internet infrastructure as it interconnects all major Internet players in Greece, such as Internet service providers, content providers, cloud service providers etc. GR-IX is owned by the National Infrastructures for Research and Technology (hereinafter referred to as “GRNET S.A.”), which, being a non-profit, state-owned company, guarantees the neutrality and independence of the Internet Exchange.

Data Controller details:

GRNET S.A.

Competent Processing Project:

GR-IX’s support team

Controller’s Contact Details:

info@gr-ix.gr

Scope of this Privacy Statement:

“GRNET S.A.” is bound by European Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – hereinafter referred to as “the GDPR”) and Law 4624/2019 (Government Gazette 137/A/2019) on “Data Protection Authority, measures for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and for the incorporation into national law of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 and other provisions”, as in force at any time (hereinafter referred to as “the Law”). This Privacy Statement details all information necessary for the processing of personal data for the provision of GR-IX services as well as the policies and procedures implemented by GRNET SA for the protection of the user’s privacy. This Privacy Statement sets out the criteria as well as the terms and conditions under which GRNET SA collects, processes, uses, stores and transmits the personal data of the project users, how it ensures the confidentiality of such information, including any law and/or regulation implemented or enacted in accordance with Union and national laws on personal data protection and electronic privacy, as well as any law and/or regulation amending, replacing, issuing or consolidating any of the latter, including any other applicable EU and national laws on the processing of personal data and privacy, which may exist in accordance with applicable law.

For the purposes of this Privacy Statement, the terms “data processor”, “data controller”, “third party”, “supervising authority”, “personal data”, “processing”, “data subject” shall have the meaning ascribed to them by applicable legislation on the protection of personal data.

In addition, for the purposes of the present, the following definitions shall also apply:

“GR-IX”: The Greek Internet Exchange, a neutral Platform for exchange of Internet traffic in Greece.

“Website”: The website accessible via domain names https://www.gr-ix.gr/, including the entirety of the web pages thereof.

“Services”: The services provided by GR-IX to its Members.

“Member”: Any legal entity that connects to GR-IX Platform and uses GR-IX Services in order to exchange Internet (IP) traffic with other Members.

“Member’s portal”: The restricted (non-public) area of the GR-IX website

In the context of this Privacy Statement, the term “User” is used to describe the online user of the “GR-IX” services to whom the data refers and whose identity is known or can be ascertained, that is, it can be determined immediately or indirectly.

For the “GR-IX” services, two distinct categories of “Users” are supported, differentiated in terms of the usage rights granted to them:

  • “User of the Member Portal” – The employees/partners/staff of the members of “GR-IX”.
  • “GR-IX User” – the visitor of the page that is publicly available on the internet.

  1. Purposes for processing the data collected:

“GRNET S.A.” – as data controller – within the framework of the “GR-IX services” collects and processes the personal data set out in the next paragraph, for the following purposes:

  1. Providing the “GR-IX services”
    1. Exchange internet traffic,
    2. Debugging,
    3. Development and evolution of the service.
  2. Communicate with “Members” and “Users”
    1. Announcements of general interest (e.g. new members, new services, changes to the price list, etc.), about problems/issues in the infrastructure and about any other matter related to “Members” and “Users”,
    2. Technical support of “Users”.
  3. Authentication of “GR-IX” “Users”
    1. Authentication with the credentials that each User has for entering the portal.gr-ix.gr website.
  4. Creation of statistical reports and charts to monitor “GR-IX services”
    1. The information of the statistical reports is publicly available and does not contain any personal data. Charts either contain general information about the member and are available only to the respective customer, or are about general non-private infrastructure elements and are publicly available.

“GRNET S.A.” collects and processes “users’” personal data in the context of providing the “GR-IX services” solely for the abovementioned purposes and only to the extent strictly necessary to effectively serve such purposes. These data shall be relevant, appropriate and not more than those required in view of the aforementioned purposes. They shall also be accurate and, if necessary, updated.

Furthermore, the aforementioned data shall be retained only during the period required as mentioned hereinabove, in order to accomplish the purposes of their collection and processing and shall be deleted after the end thereof (see below “Personal data retention period”).

  2. Categories of personal data processed:

In the context of the “GR-IX services”, the personal data being processed for each of the following purposes are:

  1. Providing the “GR-IX services”:
    • Network traffic samples
  2. Communicate with “Members” and “Users”:
    • Name and Surname of the “User”
    • Email
    • Phone number
  3. Authentication of “GR-IX” “Users”:
    • Name
    • Last name
    • Role in the Organization (Legal Representative, Administrative Representative, Technical Representative)

  3. Legal bases for processing

For the aforementioned purposes, the processing of users’ personal data is necessary for the performance of the contract subject to “GR-IX” services, according to Article 6 par. 1(b) GDPR, and for the purposes of the legitimate interests pursued by the controller, in accordance with Article 6 par. 1(f) GDPR.

  4. Access to personal data:

For the implementation of the dispatch and processing of the “GR-IX services” access to the personal data of users is provided to the following:

  • The support team of “GR-IX”, which consists of staff that maintains a contractual relationship of project leasing and provision of services with “GRNET S.A.”
  • The finance services department of the Directorate of Administrative Operations and Financial Management of “GRNET S.A.”
  • The head of the Directorate of Research and Development of “GRNET S.A.”
  • The CEO of “GRNET S.A.”

The above are personnel who maintain a contractual relationship with “GRNET S.A.” (“partners of GRNET S.A.”) and are bound by a private confidentiality agreement with “GRNET S.A.”.

  5. Recipients of collected personal data:

“GRNET S.A.” shall in no way transmit or in any way disclose the “users’” personal data to any third-party entities, private businesses, natural persons or legal entities, public authorities, agencies or other organizations, other than as expressly set out herein.

The “Users’” personal data may be disclosed or transmitted to governmental authorities and/or law enforcement officials, only if necessary for the abovementioned purposes, in the context of enforcement of a court decision or a provision of law or if necessary to secure the legitimate interests of “GRNET S.A.” in its capacity as controller, in compliance with the terms and conditions of applicable law.

  6. Rights of data subject

As regards the data processed in the context of providing the workshop, “GRNET S.A.” – as data controller – takes all necessary action, pursuant to the terms of this Privacy Statement, both during the collection as well as in every subsequent stage of processing of the “Users’” personal data, so that every “user” may exercise his/her rights, as laid out in applicable legislation on the protection of personal data, namely the rights of Access, Rectification, Erasure, Restriction of Processing, data Portability, as detailed hereinbelow and in accordance with the terms and conditions of applicable law:

  • Right of access: The data subject is entitled to request and obtain from “GRNET S.A.” a confirmation on whether or not his/her personal data are processed and, if so, to exercise the right to access such personal data pursuant to applicable legislation. The data subject may also request a copy of the personal data undergoing processing, as described in this Privacy Statement. Finally, it should be noted that the right to obtain a copy of the personal data undergoing processing shall not adversely affect the rights and freedoms of others in accordance with applicable law.
  • Right of rectification: The data subject shall have the right to request “GRNET S.A.” to rectify any inaccurate personal data concerning him/her. Considering the purposes of the processing, the data subject shall have the right to request that any incomplete personal data be completed, including by means of providing a supplementary statement, in accordance with applicable legislation.
  • Right of erasure: The data subject has the right to delete all his/her personal data that have been collected and processed in the context of his/her participation in the “workshop” in accordance with the terms of the current legislation and the terms of this.
  • Right to restriction of processing: The data subject is entitled to ensure that “GRNET S.A.” restricts the processing of his/her data, if any of the conditions laid down by applicable legislation on the protection of personal data, is met.
  • Right to data portability: The data subject has the right to obtain any personal data concerning him/her, which he/she has provided to “GRNET S.A.” in a structured, commonly used and machine-readable format, as well as the right to transmit such data to another data processor, without any objection from the processor to which the personal data have been provided, in accordance with the provisions of the applicable legislation on personal data.

To exercise any of the above rights, the “User” may contact the GR-IX Support Team at the following email address: info@gr-ix.gr by completing the following form: Form for the exercise of Data Subject’s Rights.

The aforementioned rights of the data subjects are subject to restrictions in accordance with the applicable legislation.

“GRNET S.A.” provides the data subject with information on the action taken upon his request to exercise any of the above rights within one (1) month of receipt of the request. The aforementioned deadline may be extended by two (2) more months, in accordance with the terms of the existing legislation.

  7. Personal data retention period

The personal data of the “Users” in the context of the provision of the “GR-IX services” are kept for the necessary period of time for the needs of the provision of the service and the controls to which the service is subject. The personal data processed for the provision of “GR-IX” services are kept for a period of maximum six (6) months.  The personal data processed for communication with the “Members” and “Users” of the “GR-IX” services and for the authentication of the “Users” to enter the “Members’ Portal” are kept until the deletion of each “Member”.

  8. Technical and Organisational Measures:

The processing of personal data by “GRNET S.A.” is carried out in such a way as to ensure its confidentiality and security. Specifically, it is carried out exclusively by authorized associates of “GRNET S.A.”, while all appropriate organizational and technical measures are taken for data security and protection against accidental or unlawful destruction, accidental loss, alteration, prohibited dissemination or access and any other form of unfair treatment.

  9. Contact:

For any questions or clarifications regarding the present Privacy Statement, as well as in the event of any violation related to personal data issues, “users” may contact the Competent Department of “GRNET S.A.” at the e-mail address mentioned hereinabove.

They may also contact the Data Protection Officer (DPO) of “GRNET S.A.”, at the e-mail address: dpo@grnet.gr.

  10. Recourse/Complaint

In the event that any “User” request is not satisfied by the processor, the “User” may at any time file recourse with the Competent Supervisory Authority, namely the Data Protection Authority (https://www.dpa.gr).