Personal Data Protection Policy
The scope of this policy is to provide information about how GEFYRA SA and GEFYRA LITOURGIA SA jointly and as joint data controllers handle, or are intending to handle, personal information, as defined herein and in the legislation in force (GDPR 2016/679, Law 4624/2019).
If you are aged 15 or under, please get your parent/guardian’s permission before you provide any personal information to us or enter into any agreement with us.]
About GEFYRA SA and GEFYRA LITOURGIA SA
The concession company GEFYRA S.A. (hereafter “GEFYRA”) established in 1995 is responsible for the design, construction, financing, maintenance and operation of the Rion-Antirion Bridge “Charilaos Trikoupis” during the Concession Period, in accordance with the Concession Agreement which was ratified by the law 2395/1996. GEFYRA has subcontracted the operation of the Bridge to GEFYRA LITOURGIA SA (hereafter “GEFYRA LITOURGIA”) which operates the Bridge and is responsible for the toll & traffic management, as well as the routine maintenance of the Bridge. Moreover GEFYRA LITOURGIA collects, for the account of GEFYRA, tolls through monetary transactions with drivers, owners or operators of vehicles.
GEFYRA and GEFYRA LITOURGIA are committed to jointly and in their capacity as joint data controllers protect and respect your privacy in accordance with the principles of the General Data Protection Regulation 2016/679 (GDPR) and the relevant Greek data protection laws (L. 4624/2019).
Please read the following carefully to understand our views and practices regarding your personal data and how we will process it.
Collection of personal data
GEFYRA and GEFYRA LITOURGIA collect or otherwise obtain and process the following information and subscription data about you such as:
- Name, address, contact details, phone, email, vehicles’ license plates, etc. that you provide to us by filling in forms while registering for activities and making purchases on our websites or in the Customer Service centers (e-pass, prepaid cards, etc.) or capturing photos of the passengers and the transactions performed at the Toll Plaza when you pass from it.
- Data necessary for administering and managing our commercial products and services provided to you, including calculating and collecting tolls, fees and charges prescribed by law or otherwise payable for our products and services or services provided to you by other Greek toll road operators within the framework of the Greek interoperability system for the electronic tolls of the Greek motorway network.
- We may also ask you for information when you report a problem, a road accident or make a complaint and, if you contact us, we may keep a record of that correspondence upon your prior information by means of a recorded voice message informing you that your call is being recorded for proof purposes and to improve the services we provide.
- We may also keep video streaming from our surveillance system (CCTV), in the Toll Plaza or along the Bridge within the limits of the Concession Area, for traffic regulation and incident detection management (relevant information signs are installed).
- We may keep data related to incidents / accidents incurred within the limits of the Concession area, that may include health data in case of incidents/accidents with injuries.
- Moreover, only in specific cases of toll violation (i.e. crossing the toll plaza without paying the toll fee corresponding to the vehicle category on the basis of the pricelist each time applicable), we record the toll violators (name, contract particulars, type and license plate of the vehicle) through our toll collectors and/or the cameras installed on the toll lanes (relevant information signs inform you about this).
- In addition, we may also ask you to participate in optional surveys on usage, customer satisfaction, consumer preferences and provide other data that we may use for road safety and research purposes and to improve your customer experience.
- Information about emails and other communications we have sent to you and your interaction with them. Information from your social media accounts but only where you have given us permission to use it. For example, if you choose to participate in social media (e.g. as Facebook / Twitter) when you post on our website, our company may have access to your personal data on your social media account.
- Information from other Greek toll road operators where you consent to those organizations (Attiki Odos, Olympia Odos, Aegean Motorway, Ionia Odos, Moreas, Kentriki Odos, Egnatia Odos) sharing information they hold on you with us, and where these operators lawfully share your information with us.
Uses made of your information and the basis of processing
GEFYRA will use your personal information for lawful purposes (according to Articles 5 and 6 of the GDPR) i.e. to:
- Authenticate you when you register for a commercial product, cross the Bridge and make a toll transaction;
- Carry out our obligations arising from Gefyra e-pass contract entered into between you and our company;
- Fulfil the obligations arising from the Concession Agreement entered into with the Greek State (Law 2395/1996);
- Proceed with the collection of tolls and prove their collection in case of an audit by the State, the Awarding Authority or to compensate legal claims against violators or even to comply with an order given by the pursuing and the Public Prosecution authorities;
- Provide you with information, products or services that you request from our company or which we feel may interest you, where we are legally entitled to do so;
- Inform people to join events and other initiatives as well as groups and communicate with each other via our company system;
- Invite you to participate in interactive events and initiatives of our company’s service, when you choose to do so;
- Notify you about changes to our service and/or commercial products;
- Notify you about events which may have an impact on the operation of the Bridge
- Gather statistics about road traffic.
- Segment your personal data to make sure that you only receive information that is relevant to you.
- Publish and maintain a comprehensive set of results and statistics for road traffic
Our company will not use any of the personal information we collect from you to make automated business decisions that affect you as data subjects.
Legal basis of personal data processing
The legal basis on which we collect and process the personal data described above depends on the personal information concerned and the specific context in which we collect it. However, we will only use your personal information where we:
- Have your explicit written or electronic consent to do so;
- Need your personal data to conclude a contract with you or to provide you with precontractual information;
- Need to process your personal information for our legitimate interests and only where our legitimate interests are not overridden by your data protection interests or fundamental rights and freedoms;
- Have a legal or fiscal obligation to collect personal information from you; or
- Need the personal information to protect your vital interests or those of another person.
If we ask you to provide personal information to comply with a legal requirement or to conclude a contract with you, we will make this clear at the relevant time, and advise you whether the provision of your personal information is mandatory or not (as well as the possible consequences if you do not provide your personal information).
GEFYRA will take all steps reasonably necessary including policies, procedures and security features to ensure that your data is treated securely and protected from unauthorized and unlawful access and/or use, and in accordance with this Policy. Unfortunately, the transmission of information via the internet is not completely secure and, although we will do our best to protect your personal data transmitted to us via the internet, we cannot guarantee the security of your data transmitted to our website from your device(s). Consequently, it is to be noted that such transmission(s) is at your own risk.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of the website, you are responsible for keeping this password confidential. We ask you not to share such a password with anyone. You are exclusively liable for any loss or misuse of such password.
Where any payments are being collected on our behalf, we require our payment providers to be compliant with the Payment Card Industry’s Data Security standards (PCI-DSS).
Recipients of personal data
We will share information about you with our suppliers who process data on our behalf to help us to provide services to you. We undertake this data sharing on the basis of our legitimate interests in accordance with the terms of the GDPR Regulation and Law 4624/2019.
Categories of organizations and purpose
- Toll Collection Systems Suppliers – to operate the toll system of the Bridge and the equipment: central computer systems, plaza computer systems, manual and automatic entry and exit toll lanes which accept all forms of payment (cash, currency, traffic violations).
- Supervisory Authority
- Public Authorities, Institutional Authorities, Independent Public Authorities, Judicial Authorities, Police Authorities
- Database hosting companies - to host our company digital platforms, websites and associated customer databases to enable customers to seamlessly log in and interact with our digital services
- Marketing agencies - to provide relevant digital content to our customers
- Advertising companies - to send letters, emails and SMS messages to our customers so as to undertake research of our own customers
- Social media companies (e.g. Facebook/Twitter) - to verify your identity when you register on our web site using 'register with' functions and to provide you with relevant social media posts
- Online learning hosting companies - to enable our customers to take part in online training and learning campaigns (e.g. road safety)
- Supervisory bodies of road traffic inspection- to assist police or traffic police in crime and accident investigation, healthcare, disciplinary issues and supervision activities
- Greek Toll Road Operators
- Hellenic Association of Toll Roads Network (HELLASTRON) – to promote road transport in Greece
- Observatories (e.g. Observatory of the Western Greece Road Network) – to perform researches and studies on the socioeconomic effects of the road network.
- Traffic Management Systems - to record traffic data, incidents, accidents, etc.
- Customer Relationship Management Systems – to record incoming and outgoing communication
International transfer of personal data
GEFYRA does not envisage transferring any information about or relating to individuals to anyone who is located outside of the European Economic Area (EU27 and Lichtenstein, Norway and Iceland).
However, on some occasions, the information we collect may be transferred to organizations which may store and use such data at premises in other countries. Where we allow an organization to process your personal information outside of the European Economic Area, we will ensure that we create and maintain appropriate safeguards with those organizations so that your personal information is subject to the same standards and protections as when we are processing your personal information inside the European Economic Area.
If you choose to sign-up with social networks (e.g. Facebook/Twitter) when you post personal data on our website, our company may access your personal data in your social media account, depending on your settings, and we may post information submitted on our websites to social network storing such information in the United States. These are certified under the EU:US Privacy Shield Agreement.
Data retention period
We will hold information about you in our data processing systems only, in electronic and printed files, for as long as we need it by the law and for the purpose for which we collected it. In particular we will retain and process information about:
- You for as long as you continue to log into our website or use our services (including engaging with emails, events, initiatives, making purchases, entering prize draws or downloading content). In such cases, you will be considered to be an ‘active’ customer. If you have not been ‘active’ as a customer for a period of three years, our company may deactivate your customer account and anonymize any personal data relating to you.
- Any data relating to the obligations of our company to maintain a comprehensive, published index of clients as per the Greek tax and supervisory authorities’ requirements.
- Personal data linked to the processing of investigations, insurance claims, subject access requests, disputes, safeguarding investigations, disciplinary or police matters will only be kept for as long as it necessary for those purposes, as each is applicable.
Your rights as the data subject
The European General Data Protection Regulation (GDPR 2016/679) and Greek applicable law (L. 4624/2019) grant you, as a Data Subject, certain rights, which are summarized below:
- Right of access - You have the right to have access and obtain a copy, upon your request, of information we hold about you
- Right of rectification or erasure - If you feel that any data that we hold about you is inaccurate, you have the right to ask us to correct or rectify it, as for instance where the data we hold is no longer needed by us, or if you withdraw the consent upon which our processing is based, or if you feel that we are unlawfully processing your data. Please note that we may be entitled to retain your personal data despite your request, for example if we are under a legal or tax obligation to retain it. Your right of rectification and erasure extends to anyone we have disclosed your personal information to and we will take all reasonable steps to inform those with whom we have shared their data about your request for erasure.
- Right to restriction of processing - You have a right to request that we refrain from processing your data where you contest its accuracy, or the processing is unlawful and you have opposed its erasure, or where we do not need to hold your data any longer but you need us to in order to establish, exercise or defend any legal claims, or we are in dispute about the legality of our processing your personal data.
- Right to Portability - You have a right to receive any personal data that you have provided to us in order to transfer it onto another data controller where the processing is based on consent and is carried out by automated means. This is called a data portability request.
- Right to Object - You have a right to object to our processing your personal data where the basis of the processing is our legitimate interests including but not limited to direct marketing and profiling.
- Right to Withdraw Consent - You have the right to withdraw your consent for the processing of your personal data where the processing is based on consent. Any prior processing are still considered to be legal.
- Right of Complaint - You also have the right to lodge a complaint about any aspect of how we are handling your data with the Greek Data protection Authority (www.dpa.gr).
- Right to Opt-out of Marketing Communications - You have the right to opt-out of marketing communications we send to you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing emails we send you. To opt out of other forms of marketing (such as postal marketing or telemarketing), then please contact us using the contact details provided below. At the same time, you can read our Cookies Policy posted on our website..
Any changes we may make to our Privacy Notice in the future will be posted on this page and, where appropriate, notified to you.
How to contact us
If you wish to contact us about your personal data or exercise any of the rights described above please contact:
2 Rizariou str., 15233 Chlandri, Greece
Attn.: Data Protection Officer
Tel. +30 210 6858196
GEFYRA LITOURGIA SA
Administration Building, Antirio, Greece
Attn.: Data Protection Officer
Tel. +30 26340 39010 & -011
Last update: March 15, 2020