E-nomination form for Erasmus+ International Staff

INFORMATION AND ACCESS TO PERSONAL DATA

Aristotle University of Thessaloniki is the data controller in accordance with the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

The collection and processing of personal data are carried out with the view to meeting the prerequisites and legal obligations entailed for the implementation of the programme ERASMUS +. Substantial element of the processing of personal data constitutes the electronic transmission of transcript of grades of the student concerned, carried out between the Secretary Department and the Department of European Educational Programmes with the view to assessing the application form.

Recipient of the personal data is the host University, which can be in the European Union or outside the European Union (third country).

Personal data must not be kept longer than ten (10) years, which is necessary for the purposes for which it was originally collected.

The data subject has the following rights according to the GDPR and the legal framework of ERASMUS+ :

• The right of access to personal data, which entitles the data subject to obtain from the controller information about the categories of personal data concerned, confirmation as to whether or not personal data concerning the data subject are being processed, the ways this processing takes place as well as the purposes of the processing.
• The right to rectification of his/her personal data in case they are inaccurate or incomplete.
• The right to erasure (right to be forgotten) entailing the right to request from the controller to erase his/her personal data when the legal conditions are met.
• The right to restriction of processing entailing the right to request from the controller restriction of processing when the legal conditions are met.
• The right to data portability entailing the right to transmit his/her personal data to another controller.
• The right to withdraw consent when the lawfulness of processing is based on consent.
• The right to lodge a complaint with a supervisory authority.
• If the transfer of personal data concerns a third country for which the European Commission has issued an adequacy decision, the transmission of personal data takes place in accordance with the legislation referring to the transfer of personal data in the European Union.

The European Commission has so far issued adequacy decisions regarding the following countries: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, the United States of America (limited to the Privacy Shield framework) and Japan https://ec.europa.eu/info/sites/info/files/research_and_innovation/law_and_regulations/documents/adequacy-japan-factsheet_en_2019_1.pdf as providing adequate protection.

• Information about the existing adequacy decisions can be found in the following link https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
• In the absence of an adequacy decision, the transfer of personal data to a third country outside the European Union shall take place only in case that the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
• In any case the data subject shall be informed of the risks involved in transferring data, which comprise: material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles.

Further access to information concerning the protection of personal data can be found at https://www.auth.gr/en/gdpr