Personal data

NOTICE REGARDING PROCESSING OF PERSONAL DATA DURING THE OPERATION OF THE “INTEGRATED STATE AID MANAGEMENT INFORMATION SYSTEM (iSAMIS)” OF THE MINISTRY OF ECONOMY AND FINANCE

1. Scope of this Notice


1.1. The Ministry of National Economy and Finance, in its capacity as Controller, guarantees respect for the privacy of natural persons as well as the protection of personal data processed during the operation of the “Integrated State Aid Management Information System” (hereinafter “iSAMIS”). 
1.2. More specifically, iSAMIS aims at the fastest and most effective management of the procedure for approving and granting state aid. iSAMIS operations include receipt of applications, their evaluation, as well as all the procedures provided for by law until the completion of the procedure for granting of the aid. Retention of the personal data of users in this information system takes place in the context of Article 53(1) of Law 4914/2022 on the management of actions, as well as the exercise of evaluation and audit responsibilities with regard to said management. 
1.3. For this reason, in the framework of the applicable national and EU legal framework governing the protection of personal data, particularly the General Data Protection Regulation (EU) 2016/679 (hereinafter the “Regulation”) and Law 4624/2019 (Government Gazette 137/A/2019), the Ministry of Economy and Finance is releasing this notice on personal data protection for the purpose of providing users with adequate information about the personal data it collects and further processes in the context of operating iSAMIS.
1.4. The full details of the Ministry of Economy and Finance are:    
Ministry of Economy and Finance
Mailing address: 5-7 Nikis St., GR-10563, Athens 
By email to ministeroffice@minfin.gr
Contact number: 210 3332000


2. Purpose of and Legal Basis for processing 


The purpose of processing the personal data that are collected and processed in the context of the operation of iSAMIS by the Ministry of Economy and Finance is the management of the Programmes for the 2021-2027 programming period, as well as the exercise of evaluation and audit responsibilities in relation to said management. The purpose of processing, as described above, is provided for in Article 53(1)(b) of Law 4914/2022. Accordingly, processing of personal data is necessary for compliance with a legal obligation to which the controller is subject [Article 6(1)(c) of the GDPR]. 


3. Categories of Personal Data Collected

Personal data processed during the operation of iSAMIS fall into the following categories:
 

Personal Data: iSAMIS Visitors’ personal data when opting for request resolution via the “HELPDESK” form
- Identification data
- Contact data
- Project and sub-action/call data
- Data and content of request / subject of communication
Purpose: Request resolution transmitted through the “HELPDESK” form
Legal Basis: Compliance with a legal obligation of the controller [Article 6(1)(c) of the GDPR] of Law 4914/2022
Retention Time: Ten (10) years as per Commission Regulations (EU) 2013/1408, 2014/717, 2014/651, 2023/1213 and 2023/2831
Recipients:
- Authorised personnel of the Controller

Personal Data: Personal data during the use of the platform by the evaluators, the members of the evaluators’ committee and the experts of iSAMIS
- Identification Data
- Contact Data
- Data regarding iSAMIS Relationships
- Data regarding Applications/Acts
- Tax registration data
Purpose: Management of actions and the exercise of evaluation and audit responsibilities with regard to said management
Legal Basis: Compliance with a legal obligation of the controller [Article 6(1)(c) of the GDPR] of Law 4914/2022
Retention Time: Ten (10) years as per Commission Regulations (EU) 2013/1408, 2014/717, 2014/651, 2023/1213 and 2023/2831
Recipients:
- Authorised personnel of the Controller
- IT systems with which iSAMIS interoperates (TaxisNet, GEMI, GSIS, the OAED IT systems, the National Contact Register (EMEP), ERGANI and the “Recovery Fund” Integrated Information System)

Personal Data: Personal data of beneficiaries, coordinators, and authorised users of beneficiaries
- Identification Data
- Contact Data
- Data regarding iSAMIS Relationships
- Data regarding Applications/Acts
- Data of person submitting the objection
- Enterprise data
- Tax registration data
Purpose: Submission of applications, declarations and acts to be evaluated and audited
Legal Basis: Compliance with a legal obligation of the controller (Article 6(1)(c) of the GDPR) of Law 4914/2022
Retention Time: Ten (10) years as per Commission Regulations (EU) 2013/1408, 2014/717, 2014/651, 2023/1213 and 2023/2831
Recipients:
- Authorised personnel of the Controller
- IT systems with which iSAMIS interoperates (TaxisNet, GEMI, GSIS, the OAED IT systems, the National Contact Register (EMEP), ERGANI and the “Recovery Fund” Integrated Information System)

Personal Data: Personal Data during use of the platform by Managers
- Identification data of the Managers and users/members, Advisory Committees and the Objections and Experts Committees
Purpose: Exercise of audit responsibilities regarding said management
Legal Basis: Compliance with a legal obligation of the controller [Article 6(1)(c) of the GDPR] of Law 4914/2022
Retention Time: Ten (10) years as per Commission Regulations (EU) 2013/1408, 2014/717, 2014/651, 2023/1213 and 2023/2831
Recipients:
- Authorised personnel of the Controller
- IT systems with which iSAMIS interoperates (TaxisNet, GEMI, GSIS, the OAED IT systems, the National Contact Register (EMEP), ERGANI and the “Recovery Fund” Integrated Information System)

Personal Data: Personal data during use of the platform by MA/IB operational users and call managers
- Aid Payment Request Data
- Expenditure documentation and payment documentation data
- Data submitted regarding Beneficiary’s compliance with its long-term obligations
- Identification data of users/members of Advisory Committees and the Objections and Experts Committees
Purpose: Management of actions and the exercise of evaluation and audit responsibilities with regard to said management
Legal Basis: Compliance with a legal obligation of the controller [Article 6(1)(c) of the GDPR] of Law 4914/2022
Retention Time: Ten (10) years as per Commission Regulations (EU) 2013/1408, 2014/717, 2014/651, 2023/1213 and 2023/2831
Recipients:
- Authorised personnel of the Controller
- IT systems with which iSAMIS interoperates (TaxisNet, GEMI, GSIS, the OAED IT systems, the National Contact Register (EMEP), ERGANI and the “Recovery Fund” Integrated Information System)

 

The personal data processed during the operation of iSAMIS fall into the following categories:
A) User login and identification data 


B) Users’ contact data


C) Tax registration data, tax data and data on size of enterprise


D) Organisation’s identity, activity and contact data, and data from the application for funding


E) Data drawn from the IT systems with which iSAMIS interoperates (TaxisNet, GEMI, GSIS, the OAED IT systems, the National Contact Register (EMEP), ERGANI, the “Recovery Fund” Integrated Information System (IIS), myData, ESPA IIS, RDP & IACS IIS, OAED IIS, e-EFKA, Technical Chamber of Greece, the notifybusiness.gov.gr platform, e-PDE, DIAS, Development Bank, Central Electronic Document Transmission System (KSIDE), State Aid Accumulation Information System (PSSEIS), eIDAS Service Provider, IB Information Systems, EDEL-IIS, Horizon 2020 SPARQL endpoint, APELLA GRNET system).

F) Data from the content of submitted applications-actions, documents, supporting documents, certificates, solemn declarations, and so forth.

The personal data processed during the operation of iSAMIS concern the following categories of data subjects:

  • Visitors to iSAMIS: These are ordinary website visitors who can submit a request through the iSAMIS Helpdesk.
  • Ordinary registered users of iSAMIS.
  • Beneficiaries of state aid. 
  • Coordinators: Users assigned by beneficiaries to complete an application for funding. 
  • Project managers: Users who assist the Coordinator, being able to process the beneficiaries’ Funding applications. This category of Users has been developed exclusively for the calls of the “Research - Innovate” action. 
  • Rapporteurs: Users appointed by the Managing Authority to make recommendations regarding the result of the objections. 
  • Evaluators: Users on the Registers of Evaluators. The Evaluators may also belong to a given Management Body of the action.
  • IB/MA officers: Users belonging to a Management Body.
  • Call Managers: Users who can manage calls on the information system. 
  • Members of an Advisory Committee - Objections Committee: Users who have been assigned a specific position on an Advisory Committee/Objections Committee.
  • Experts: Users that have been assigned the role of Expert on a specific subject or call. 
  • Beneficiaries: These are the persons who benefit from the Financing; in cases where they are not themselves the beneficiaries of the Financing, they are designated by the latter. 
  • Auditors – Amendment Auditors: Users who audit the physical and economic scope of the project at the application stage or at the application amendment stage. 
  • Certifiers: Users who validate the Auditor’s audit.
  • Disbursers: Users who, on an ex-post basis, enter the data of the payments of beneficiaries for the actions implemented.
     

4. Data sources – Interoperability


Upon entering iSAMIS, user data is drawn through interoperability with IAPR’s TaxisNet. Specifically, registration data, tax data and data on the size of the enterprise are extracted.
During submission of the funding application, the Coordinator enters the data required by iSAMIS.
For the evaluation and auditing of the funding application, the data entered by the Coordinator are confirmed through interoperability with the following information systems: TaxisNet, General Commercial Registry (GEMI), GSIS, OAED information systems, EMEP, Ergani and the “Recovery Fund” Integrated Information System.
The following IT systems provide data for cross-checking funding information during the Completeness and Correctness check: 
myData, ESPA IIS, RDP & IACS IIS, OAED IIS, ERGANI, GEMI, e-EFKA, Technical Chamber of Greece, notifybusiness.gov.gr platform, e-PDE, DIAS, Development Bank, Central Electronic Document Transmission System (KSIDE), State Aid Accumulation Information System (PSSEIS), eIDAS Service Provider, IB Information Systems, EDEL-IIS, Horizon 2020 SPARQL endpoint, APELLA GRNET system.
It is noted that the above data are obtained exclusively for the completion of the implementation procedures provided for in each call.


5. Recipients


Access to personal data that are processed in the context of the operation of iSAMIS is obtained by authorised personnel of the Ministry of Economy and Finance. The Intermediate Bodies/Managing Authorities shall act as Recipients of all information entered by the Coordinator in the context of submission of the Funding Application. This information consists of identification, contact, professional and business activity data, as well as any other information entered in the Funding Application. Evaluators (internal and external), as well as the Experts and the members of the Advisory Committee - Objections Committee are also Recipients of the information entered in the Funding Applications. The Evaluators and the members of the Advisory Committee - Objections Committee receive the data that has been entered by the Coordinators. 
Additionally, the information systems with which iSAMIS interoperates and that cross-check the data, namely TaxisNet, GEMI, GSIS, OAED information systems, EMEP, Ergani, and the “Recovery Fund” Integrated Information System, are also Recipients.
Furthermore, in the context of achieving the purposes of the processing referred to above, third parties (Processors) also have access to the personal data, on behalf of the Ministry of Economy and Finance as Controller. Processing by processors is governed by a legal act that is subject to Union or national law, which binds them in relation to the controller and determines the object and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, as well as the obligations and rights of the controller and processors. Finally, third parties are bound by contracts with the Ministry of Economy and Finance to ensure that confidentiality is maintained and that all of the obligations provided for by the Regulation and the Law are met. 


6. Transmission to a Third Country


Personal data processed during the operation of iSAMIS are not transmitted to a third country or international organisation. 


7. Data Retention Period 


Files regarding aid within the scope of Commission Regulations (EU) 2013/1408, 2014/717, 2014/651, 2023/1213 and 2023/2831 must be kept for ten (10) fiscal years from the date on which the aid was granted. When this period of time has passed, the data are deleted securely. 


8. Rights of Personal Data Subjects


8.1 Data subjects may exercise the rights granted to them by national and EU legislation regarding the collection and processing of their personal data. These rights are as follows:
I. The Right of access to data, so that subjects may be informed as to what personal data of theirs are being processed, why the data is processed, and any recipients thereof.
II. The Right to rectification of data in order to correct the inaccuracy of a subject’s data. If the data subject requests rectification of his or her personal data obtained through interoperability, any corresponding Registers from which such data is drawn (in this case, TaxisNet) should be corrected.
III. An exception exists from the right to erasure pursuant to Article 17(3)(b) of the GDPR. More specifically, processing benefits from an exemption from the right to erasure due to the legal obligation requiring processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
IV. There is an exception from the right to restriction of processing pursuant to Article 18(1) of the GDPR, as the conditions it lays down do not apply in this case.
V. There is an exception from the right to object pursuant to Article 21(1) of the GDPR, according to which the data subject “shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.” In this case, the processing is based on an EU provision, namely Article 286(2) of Regulation (EU) 2013/575.
8.2 The Ministry of Economy and Finance, as a data controller, may refuse to grant in whole or in part a relevant request it receives from the data subject, only when such a possibility is provided for by the Regulation or national legislation.
8.3 Requests relating to the exercise of the rights under I and II above shall be examined within a deadline of one (1) month from receipt of the request. This deadline may be extended by two (2) more months, if required, where the request is complex or there is a large number of requests. 
8.4 Data subjects may address their requests to the Data Protection Officer of the NSRF - Ministry of Economy and Finance (DPO NSRF). His contact details are as follows:
Address: 10 Nikis St., 105 63, Athens
Email: dpoespa@minfin.gr


9. Right to Appeal to the Hellenic Data Protection Authority


Data subjects have the right to refer matters regarding the processing of their personal data to the Hellenic Data Protection Authority (“HDPA”). Detailed information on the Authority’s competences and how to submit a complaint is available on the HDPA website at www.dpa.gr.