GENERAL DATA PROTECTION REGULATION (GDPR) PRIVACY POLICY

The General Data Protection Regulation (GDPR) contains provisions for enhanced protection of children’s data.   In compliance with these, Network for Children’s Rights has established and put into operation a comprehensive framework of personal data protection throughout the Organisation. The basic elements of this framework are as follows:

Aims
“Network for Children’s Rights” is a non-profit Organisation whose purpose is the safeguarding of children’s rights as set out in the UN Convention on the Rights of the Child (1989).  In carrying out its social work, the Organisation gathers and processes personal data of children, parents/guardians and other data subjects.

The Organisation gives absolute priority to the protection of each child’s personal data and considers respect of basic rights and freedoms of children to be of utmost importance.

Principles
In processing children’s personal data, the Organisation is guided by the following principles:

  • The child’s best interest.
  • Protection and care of children and respect of the fact that their immaturity makes them vulnerable data subjects.
  • The child’s right to a private life
  • The right of children of a certain age to express an opinion relating to the use of their personal data and their right to withdraw consent on attaining adulthood.
  • Priority to the child’s best interest when this clashes with the need to protect personal data, eg when personal data needs to be shared with a public authority for the child’s vital interests.
  • Allowance for variations according to the level of maturity of the child.
  • Involvement of children in decisions relating to the protection of their personal data

Operational framework
The Organisation has put in place appropriate operational procedures, which comprise the following

  • Appointing a data protection officer
  • Creating a data protection infrastructure
  • Keeping records of data processing activities
  • Applying a data protection policy
  • Implementing a data breach procedure
  • Empowering data subjects with certain rights
  • Evaluating consequences of data protection
  • Training and promoting awareness of staff.

Security Principle
The Organisation employs any technical means necessary for the protection of personal data:

  • Physical security measures
  • User authentication
  • Grading of rights and data
  • Separation of databases
  • Maintenance of backups
  • Reasonable security
  • Pseudonymisation
  • Encryption

The procedures and infrastructure that the Organisation has put into place ensure prompt and appropriate support of the rights of data subjects, especially those of children.

The rights of data subjects, especially children, whose personal data is processed by the Organisation are protected by law.  Specifically, data subjects have the right to:

  • access their personal data as well as any information relating to its processing by the Organisation, and they have the right to request a copy (right to access)
  • demand that the personal data kept by the Organisation be corrected and/or completed if it can be proved that there are mistakes or omissions (the right to rectification).
  • demand the erasure of personal data kept by the Organisation (right to erasure)
  • demand the restriction of processing of personal data kept by the Organisation, under certain conditions (right to restriction)
  • demand the transfer of personal data to another controller in a structured, commonly used and machine-readable format. (right to portability)
  • refuse to allow the processing of their personal data by the Organisation in certain circumstances (right to restrict processing)
  • object to a decision taken solely by automated processing, including profiling, that has legal or similarly significant effects on them (right to object to automated decision-making)

Data subjects also have the right to submit a complaint to the Hellenic Data Protection Authority (1-3 Kifisias Avenue, 11523 Athens) at complaints@dpa.gr

Data subjects wishing to exercise their data protection rights should do so in writing, either by post or email, to the Data Protection Officer (details below).

The Organisation will reply to any request within one month of receipt.  The Organisation reserves the right to extend this to a further two months, provided it has notified the data subject, if the complexity of the issue or the number of requests it has to deal with, render this necessary.  The Organisation responds to issue relating to childrens’ rights free of charge.

Contact

For any matter relating to the protection of your personal data, please contact us in writing at:

Data Protection Officer
Network for Children’s Rights
Alkamenous 11b
Near Larisa Station
Athens

or at
dpo@ddp.gr