We use cookies to make our websites more user-friendly and to continuously improve them. If you continue to use the website, you consent to the use of cookies. You can find more information in our privacy statement and our cookie guidelines.

Harmonized EU standards online

Personal Data Protection Policy

1. Introduction

Compliance of NQIS with Regulation (EU) 679/2016 and Law 4624/2019

EU Regulation 679/2016 (hereinafter referred to as the “Regulation”) lays down rules concerning the protection of individuals with regard to the processing of personal data.

The National Quality Infrastructure System (NQIS), a legal entity governed by private law and supervised by the Ministry of Development, fully complies with the Regulation and the national legislation in force (Law 4624/2019) on the protection of personal data against their processing, by applying specific procedures and the appropriate for that purpose organizational and technical measures.


2. Definitions

According to the Regulation (see in more detail article 4 thereof), the crucial concepts thereof have the following meaning:

‘personal data’: Any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Personal data includes any information, in paper or electronic means, which may lead, either directly or in combination with other data, to the unique identification of a natural person. This category includes, but is not limited to, data such as Name, TIN, social security number, ID, physical & e-mail addresses (emails), fixed and mobile phone numbers, SMS/MMS recipients details, bank/debit/prepaid card details, equipment identifiers or terminal devices – computer – smartphone – tablet, your web search history (log files, cookies, etc.), and any other information that allows the identification of a person. 

The Regulation also provides for “special categories of personal data”, for which an even stricter framework is established. These are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, data relating to health, genetic or biometric data for the purpose of identifying persons, data concerning sex life or sexual orientation, and criminal convictions and offences.

The personal data collected on the NQIS Web Portals in the context of their use for the provision of its services are the following:

1. Name and surname

2. Father’s name

3. Mother’s name

4. TIN

5. TAX OFFICE

6. Employer (Name)

7. Job (professional)

8. Headquarters

9. Username

10. Password

11 E-mail address

12.Home Address

13. Contact Address (only when different from home address)

14. Telephone number

15. Fax number


“data subjects” are the natural persons to whom the data refer each time.

It should be noted that natural persons, representatives of Legal Entities who communicate in this capacity with NQIS, are not subject to the Regulation and therefore subject to the application of this Policy of NQIS.

“processing”: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

— ‘controller’: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for his appointment may be provided for by Union or Member State law.

— “processor”: the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

‘consent’ of the data subject’: Any freely given, specific, informed and unambiguous indication by which the data subject indicates that he or she agrees, by a statement or by a clear affirmative action, to the personal data relating to him or her to be processed for a particular purpose. Consent must be expressed in plain and intelligible language and clearly distinct from other matters. The withdrawal of consent is always free (something about which the subject is informed in advance) and shall be easily done, at least as easy as giving it.



3. Basic Principles for the Collection & Processing of Personal Data

NQIS applies all the principles of the Regulation relating to the processing of Personal Data, the main of which are that the data:

— get collected for predetermined, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes; (“purpose principle”),

— are processed lawfully and fairly and in a transparent manner in relation to the data subject (“legality, objectivity and transparency”),

— are appropriate, relevant and limited to what is necessary for the purposes for which they are processed (“data minimisation”),

— are accurate and, when necessary, updated, while taking all reasonable measures to promptly delete or correct personal data which are inaccurate in relation to the purposes of the processing (“principle of accuracy“),

— are kept in a form that allows the identification of data subjects only for the period necessary for the purposes of the processing of personal data (“minimum duration principle”),

— are processed in a manner that ensures adequate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

Principle of Accountability

In addition to the above, a principal feature of the institutional framework that NQIS adheres to is the principle of accountability, in the sense of the Regulation.


4. Lawfulness of Processing of Personal Data

The processing of Personal Data by NQIS is carried out only if one of the legal bases for processing applies, in accordance with Articles 6 and 9 of the Regulation.

In particular, in order for NQIS to carry out any processing of personal data, as long as these are not special categories of data (see above), one of the following conditionsmust be met:

  • The data subject has consented.
  • Processing is necessary for the performance of a contract to which the data subject is party.
  • Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.


NQIS collects & processes Personal Data solely for legitimate purposes.


5. Rights of Data Subjects

5.1 General

The Data Subjects have important rights in accordance with the Regulation. NQIS undertakes to provide any assistance to the Subjects in order to make use of these rights.

5.2 Types of Rights

The rights of the data subjects according to the Regulation are as follows:

  • Right to information and access to data
  • Right to correct inaccurate data and complete incomplete data
  • Right to restriction of processing
  • Right to object to processing (e.g. in the case of “profiling” or direct marketing to third parties)
  • Right to erasure of personal data if they are not kept for any legitimate purpose.
  • Right to data portability to another controller.

5.3 Exercise of Rights

The Subjects may exercise their rights by submitting relevant requests to NQIS.

NQIS will respond in writing within one month after the submission of the request, unless otherwise provided for by the Regulation.


6. Transfer of data to third parties

As a rule, the ESYP does not transfer personal data to third parties except in the cases clearly required by the Legislation, as well as for the fulfillment of its mission and in the context of its operation, always under the conditions of the law.

Transfer of personal data to countries outside the European Economic Area (EEA) can only take place when the conditions laid down by the Regulation are met (such as EU adequacy decisions, corporate binding rules, standard contractual clauses and approved codes of conduct).

7. Security of Processing

NQIS takes appropriate organizational and technical measures for the security & protection of Personal Data and information in general, in accordance with the applicable relevant security standards and procedures, the terms of this Policy and the applicable data protection legislation.

8. Links to third party websites

NQIS websites may contain links that lead to other websites of third parties, independent bodies, which we do not control. Therefore, we bear no responsibility whatsoever for the content, actions or policies of these websites. Please carefully read the respective data protection policies on the different websites you visit, as they may differ significantly from ours.

9. Data Protection Officer

NQIS, in compliance with the Regulation and the legislation in force (Law 4624/2019), has appointed a Data Protection Officer (DPO) by decision of its Administration, who has all the responsibilities and duties defined by law.

The DPO reports directly to the management of NQIS in accordance with Article 7 of Law 4624/2019.

The DPO shall, when performing his/her duties, be bound by confidentiality, in accordance with the provisions of national and European legislation on the protection of personal data.

For any matter relating to this Policy or for the exercise of your rights, please contact the DPO of NQIS at the e-mail address dpo@esyp.eu.