Personal Data
The following information about the protection of your personal data concerns the way in which we process your personal information when you contact us or use any of our services.
The information is categorised. You may therefore easily choose among categories of data processing and see the relevant information.
The information we provide is the following:
- For what purpose do we process your personal data?
- Are you obliged to provide us with the relevant data?
- For how long do we keep your personal data?
- Which are the categories of recipients, if any, of your personal data?
- Do we intend to transfer this information to another country?
- Do we carry out automated decision-making or profiling?
- What rights do you have in relation to the processing? How can you exercise those rights?
We keep this data protection policy under regular review to make sure it is up-to-date and accurate.
More information on the processing carried out by the National Transparency Authority (hereinafter the Authority) and your rights, classified by category of processing, can be found further below.
Contact Details of the Controller
For any processing of personal data carried out when you use any of our services or visit this Portal, the Controller shall be:
National Transparency Authority
195, Lenorman Av. & Amfiaraou str., P.C. 104 42 Athens, Greece, Telephone number: +30 213 2129 700, email:
Contact details of the Data Protection Officer
The Data Protection Officer (DPO) of the Authority is Eleni Balasopoulou. In order to exercise your rights or for any other reason regarding the processing of data carried out by the Authority and included in this information note, you may contact her at
When and how do we collect your personal data?
Most of the personal information we process is provided directly by you for one of the following reasons:
- You have filed a complaint or a request.
- You have asked us for information.
- You wish to attend or have attended an event, discussion, action or seminar, either live or online.
- You have subscribed to our e-Newsletter.
- You have contacted the Authority directly.
- You represent a natural or legal person before the Authority.
- You have provided us with your data in the framework of the Authority’s financial obligations (e.g. supplier data).
Details on these data processing cases can be found in the “Processing data provided by natural persons” section.
We may also receive your personal information from other sources, in the following cases:
- We have contacted a complainee for clarifications regarding a complaint submitted to the Authority and he/she gives us your personal information in his/her reply.
- A complainant refers to you in the text of his/her complaint or in the accompanying documents submitted to the Authority.
- We have confiscated documents or storage media containing your personal data during the course of an audit.
- In the exercise of our duties your data is communicated to us by other audit authorities or law enforcement bodies.
Details of these data processing cases can be found in the “Processing data provided by third parties or legal persons” section.
We collect and publish statistics, such as the number of requests received, but not in a form that allows the identification of persons.
In the exercise of our duties, if we need to process special category data, such as data concerning health, racial origin, sexual life, trade union membership, etc., provided to us because you consider it absolutely necessary to substantiate your complaint, the legal basis for processing is Article 9(2)(g) of the GDPR, which relates to our public duty and to safeguarding your fundamental rights.
Disclosure and transfer of data
As a rule, we do not share or transfer data to third parties. In some cases, however, we are legally obliged to disclose your data, for example, in the execution of a court’s judgment, in the context of investigating and processing complaints or when working with other audit authorities in dealing with complaints or audits. We can also exchange information with other audit bodies in the exercise of our duties. In case a criminal offence is detected, all relevant information may be forwarded to the competent judicial and public prosecutor’s authorities.
In our capacity as an audit authority, in accordance with our founding law (Law 4622/2019), as well as the Greek Anti-Fraud Coordination Service (AFCOS), in accordance with Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 (EU L248), as amended by Regulation (EU, Euratom) 2020/2223 of the European Parliament and of the Council of 23 December 2020 (EU L437) (OLAF Regulation), we are the institution responsible for coordinating all structures and services related to the protection of the EU’s financial interests and the proper management of European funds. In this context, we are in direct cooperation, among others, with the European Anti-Fraud Office (OLAF), and we act in support of the European Public Prosecutor. This may lead to the exchange of personal information among the audit authorities involved, if related to the complaint or auditWe do not share your personal data with third parties for the purposes of promoting products or services.
Your data may be communicated to the processors with whom the Authority cooperates to support its systems. In particular, the portal is hosted in the Public Sector Network “Syzefxis” of the Information Society S.A., which is managed by the General Secretariat of Information Systems and Digital Governance of the Ministry of Digital Governance. When using the services of this Portal and registering as a user of the Authority’s electronic services, your data is stored on servers in Greece and is not transferred abroad. The processors may not further process your personal data unless we have explicitly instructed them to do so, nor transfer your personal data to third parties.
More about the terms of use of the Portal is available here.
Minors’ data
We do not provide services directly to minors, nor do we collect proactively their personal data. However, we are sometimes provided with minors’ data when examining a complaint or conducting audits. In so far as it relates to these cases, this information applies just as much to minors as to adults.
This policy is written in simple language, so that a person at least 15 years of age can understand its main points.
Log files
During your visit to the Portal certain data are automatically collected from our server and recorded in log files. Detailed information on the type of data collected can be found in our Cookie Policy.
The purpose of storing this information is to check the security of the information and services of the Portal, to ensure the possibility of investigating any online attacks and incidents and to support any relevant legal claims.
The legal basis for the above processing is Article 6(1)(e) of the GDPR, which allows us to process data when this is necessary for the performance of our tasks. In particular, the Authority was established and operates under the provisions of Articles 82-103 and 118-119 of Law 4622/2019 (A' 133), and exercises, for the performance of its mission, all the powers, rights and obligations conferred on it, in accordance with the above provisions, as well as the powers conferred on it by any other general or specific provision.
The log files shall be kept for a period of 12 months and may be notified to the competent authorities if necessary to investigate any online attack and incident. The information investigated or used in the context of legal claims shall be kept for the period required for those purposes.
Your rights over your personal data
In accordance with the data protection law, when we process your personal data you have certain rights that we need to inform you about. The rights you can exercise towards the Authority are as follows:
The right of access
You have the right to request, at any time, information about the processing of your data by the Authority or even copies of your personal data that we keep (Art. 15 GDPR).
The right to rectification
You have the right to request, at any time, the rectification of the information you consider to be inaccurate. You also have the right to request the completion of the information you consider to be incomplete (Article 16 of the GDPR).
The right to erasure (‘right to oblivion’)
You have the right to request the erasure of your personal data in certain cases (Article 17 GDPR).
The right to restriction of processing
You have the right to request the restriction of the processing of your data under certain circumstances (Articles 18, 19 GDPR).
The right to data portability
This applies only to the data provided by you. You have the right to request the transfer of the data you provide to another entity or directly to you. This right can be exercised only if the processing is done on the basis of your consent or for the purpose of concluding or executing a contract, and is carried out by automated means (Article 20 GDPR).
The right to object to processing
Since we process your personal data within the framework of our competences as an independent authority, i.e. in order to fulfil our duty to act in the public interest, you have the right to object to the processing of your personal data. If, however, there are compelling and legitimate reasons for processing which override your rights and interests, we can reject your objection, depending on the reason for processing (Article 21 GDPR).
The right to complain about the processing of your data by the Authority
We apply high standards for processing your personal data. If you have any questions or concerns, you may contact us at
either to exercise your rights (access, objection, etc.) or to request information and we will reply to you.
If you consider that we have not sufficiently satisfied your request and the protection of your personal data is affected in any way, you may submit a complaint via a special web portal to the Personal Data Protection Authority (1-3, Kifisias Av., P.C. 115 23 Athens, Greece, Telephone number: + 30 210 6475600). Detailed instructions for submitting a complaint are provided on the website of said Authority www.dpa.gr.
Clarifications about your rights
For any matter related to the processing of personal data by the Authority, as controller, and assistance in the exercise of these rights, you may contact the Authority’s Data Protection Officer (DPO) at
For the exercise of the rights provided for in Articles 15, 16, 17 and 18 of the GDPR (access, rectification, erasure and restriction) in relation to the processing of your data carried out by the Authority, please contact
You can exercise the above rights free of charge and we will reply to you within one month upon receiving your request.
Processing of data provided directly by natural persons
In this section you will find information about the various reasons you contact us as a data subject and the processing we do in each of these cases.
The information shall relate to the following cases of data processing:
Registration to the Authority’s electronic services
What data are we processing?
When you register to the Authority’s electronic services, we receive your basic identification information, such as name and e-mail address, from the request you have submitted to us or from the corresponding electronic registration form if it is available depending on the electronic service.
Purpose and legal basis for processing
The purpose of processing your data is to create a user account on the Authority’s electronic services.
The legal basis for processing your personal data in the context of your registration to the Authority’s electronic services is Article 6(1)(e) of the GDPR, which allows us to process personal data when necessary for the performance of our tasks as an independent authority. In particular, the Authority was established and operates under the provisions of Articles 82-103 and 118-119 of Law 4622/2019 (A' 133), and exercises, for the fulfillment of its mission, all the powers, rights and obligations conferred on it, in accordance with these provisions, as well as the powers conferred on it by any other general or specific provision.
For how long do we keep your personal data?
Your personal data shall be kept in the Authority’s records for a period of 20 years from the processing of the cases/actions you have submitted using your account to our electronic services, except for the relevant administrative acts of the Authority which are retained for archiving purposes.
Who are the recipients of your personal data?
For information on the disclosure of personal data, please consult section “ Disclosure and Transfer of Data ”. The processors acting on behalf of the Authority, referred to in said section, may have access to your data.
What rights do you have in relation to the processing?
We process your personal data so that we can act to fulfill our public duty as an independent authority, therefore, you have the right to object to the processing of your personal data. However, on a case-by-case basis, there may be compelling and legitimate reasons beyond your interests and rights, for which we may refuse your objection, depending on the reason for processing. In addition, you have the right, at any time, to access your data, have it erased or rectified, if it is inaccurate or incomplete, obtain restriction of processing under conditions, as well as submit a complaint.
For more information on your rights, refer to section “Your rights over your personal data”.
Submission of a request for information or for the provision of documents
What data are we processing?
When you submit a request to the Authority, we process your name and contact details, the details of your representative and any other personal data you may provide with your request. We also store in our system our response to your request.
The provision of the above data is necessary to satisfy your request.
If your request concerns the provision of third party’s documents, we also process any relevant document you provide us with to prove your legitimate interest, in accordance with Article 5 of the Code of Administrative Procedure.
Purpose and legal basis for processing
Our purpose of processing your personal data is to be able to respond to your request for information within our responsibilities or for the provision of documents.
The legal basis for processing your personal data for this purpose is Article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary for the fulfilment of the Authority’s duty to respond to citizens’ requests, which has been put in the public interest. Our task derives from the following provisions:
- Articles 82-103 and 118-119 of Law 4622/2019 (A' 133).
- Law 3448/2006 on the Further Use of Public Sector Information.
- Article 5 (Access to Documents) of the Code of Administrative Procedure (Law 2690/1999).
- Directive 2003/4/EC on the freedom of public access to information.
For how long do we keep your personal data?
Your personal data is kept in the Authority’s records for a period of 20 years from the closing of the case/action, with the exception of the relevant administrative acts of the Authority which are retained for archiving purposes.
Who are the recipients of your personal data?
For information on the disclosure of personal data, please consult section “Disclosure and Transfer of Data”. The processors acting on behalf of the Authority, referred to in said section, may have access to your data.
What rights do you have in relation to the processing?
We process your personal data in the context of providing information and documents, based on our respective duty towards the public interest as an independent authority, so you have the right to object to our processing of your personal data. However, on a case-by-case basis, there may be compelling and legitimate reasons beyond your interests and rights, for which we may refuse your objection, depending on the reason for processing. In addition, you have the right, at any time, to access your data, have it erased or rectified, if it is inaccurate or incomplete, obtain restriction of processing under conditions, as well as submit a complaint.
For more information on your rights, refer to section “Your rights over your personal data”.
Submitting a complaint to the Authority
What data are we processing?
When you submit a complaint, we need information from you in order to examine it. For this reason, through the complaint form and its accompanying documents, we ask you to provide us with the information required to understand what has happened. When we receive a complaint, we record it in a file which usually includes your name and contact details and any other information you have given us about the reported incidents. If you do not provide us with the relevant information we will not be able to examine your complaint.
Purpose and legal basis for processing
The purpose of processing your data is to investigate your complaint and carry out our audit work in accordance with our institutional tasks.
The legal basis for processing your personal data in the context of the examination of your complaint is Article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary for the performance of our duties as an independent authority. The relevant task of the Authority derives from articles 82-103 and 118-119 of Law 4622/2019 (A' 133).
For how long do we keep your personal data?
The information contained in your complaint file is kept in the Authority’s records for a period of 20 years after the closing of the case, with the exception of the relevant administrative acts of the Authority which are retained for archiving purposes.
Who are the recipients of your personal data?
As a rule, we do not share or transfer data to third parties. In some cases, however, we are legally obliged to disclose your data, for example, in the execution of a court’s judgment or when working with other audit authorities in dealing with complaints or audits. We can also exchange information with other audit bodies in the exercise of our duties. In case a criminal offence is detected, all relevant information may be forwarded to the competent judicial and public prosecutor’s authorities.
In our capacity as an audit authority, in accordance with our founding law (Law 4622/2019), as well as the Greek Anti-Fraud Coordination Service (AFCOS), in accordance with Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 (EU L248), as amended by Regulation (EU, Euratom) 2020/2223 of the European Parliament and of the Council of 23 December 2020 (EU L437) (OLAF Regulation), we are the institution responsible for coordinating all structures and services related to the protection of the EU’s financial interests and the proper management of European funds. In this context, we are in direct cooperation, among others, with the European Anti-Fraud Office (OLAF), and we act in support of the European Public Prosecutor. This may lead to the exchange of personal information among the audit authorities involved, if related to the complaint or audit.
If you are acting as the complainant’s representative, we request information about your identity and, if necessary, information proving that you have the authority to act on behalf of the complainant.
The access of third parties to documents related to a case is governed by the provisions of the Greek legislation on access to public and private documents.
Finally, the processors acting on behalf of the Authority may have access to your data. For information on the disclosure of personal data, please refer to section “Disclosure and Transfer of Data”
What rights do you have in relation to the processing?
We process your personal data so that we can act to fulfil our public duty as an independent authority, therefore you have the right to object to the processing of your personal data. However, on a case-by-case basis, there may be compelling and legitimate reasons beyond your interests and rights, for which we may refuse your objection, depending on the reason for processing. In addition, you have the right, at any time, to access your data, have it erased or rectified, if it is inaccurate or incomplete, obtain restriction of processing under conditions, as well as submit a complaint.
For more information on your rights, refer to section “Your rights over your personal data”.
Subscribe to our e-Newsletter
What data are we processing?
We use your email address to send you e-Newsletters and Authority updates.
Once you subscribe to e-Newsletter, you will receive a confirmation message and then you will be receiving our e-newsletters and updates.
Purpose and legal basis for processing
The purpose of data collection and processing is to send e-Newsletters and our updates.
The legal basis for this processing is your consent, in accordance with Article 6(1)(a) of the GDPR.
How long do we keep your personal data?
We retain your personal data for as long as you remain on our list of recipients and delete them in case your consent is withdrawn.
Who are the recipients of your personal data?
For information on the disclosure of your data, please refer to section “Disclosure and Transfer of Data”.
What rights do you have in relation to the processing?
We rely on your consent to process the personal data you give us in order to receive our electronic newsletters and news. However, you have the right to withdraw your consent at any time, resulting in your data being deleted.
In addition, you have the right to access your data, have it rectified if it is inaccurate or incomplete, have it erased if you withdraw your consent, obtain restriction of processing under conditions, have the data transferred, as well as submit a complaint.
For more information on your rights, refer to section “Your rights about your personal data”.
Telephone calls to the Authority
What data are we processing?
When you call the Authority, we collect calling line identification information, namely the caller’s line identity (if it is not classified). In some cases and for the sake of better communication with you, we keep a calendar of the phone number, date, time and duration of the call and we may take notes on the conversation, but the call itself is not recorded.
Call recording shall be performed when calling the telephone lines of the internal and external reporting channel of the NTA. In these cases, no caller line identification (telephone number) shall be performed. Any data collected will relate to the information you choose to communicate to the Authority via the recorded message.
Purpose and legal basis for processing
The purpose of processing your data is to record your request and be able to use your number to call you back, if you so request, in case the connection fails or there is a problem with the phone line. We can also use your number to check how many calls we have received from you.
The legal basis for processing your personal data for this purpose is Article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary for the fulfilment of the Authority’s duty to respond to citizens’ requests, which has been put in the public interest. Our task derives from articles 82-103 and 118-119 of Law 4622/2019 (A' 133).
For how long do we keep your personal data?
We retain the above information for as long as it takes to deal with the issue on which your phone call relates.
For the retention period of the data you provide to us through the recorded call of the NTA's internal and external reporting channel, please refer to the data protection policies of the internal and external reporting channel.
Who are the recipients of your personal data?
Your data shall not be communicated to any third party recipient.
For information regarding sharing the data you provide us through the recorded call of the NTA's internal and external reporting channel, you can refer to the data protection policies of the internal and external reporting channel.
What rights do you have in relation to the processing?
You have the right, at any time, to access your data, have it erased or rectified, if it is inaccurate or incomplete, obtain restriction of processing under conditions, as well as submit a complaint. We may, on a case-by-case basis, refuse your objection if there are compelling and legitimate reasons beyond your interests and rights, depending on the reason for processing.
For more information on your rights, consult section “Your rights over your personal data”.
Conducting audits and investigations
What data are we processing?
In the context of investigating a complaint or carrying out an ex officio audit, we collect information from the person subject to the complaint/audit. This information may include all types of identification, contact details, and any other information relating to the natural persons subject to audit.
If you are subject to an audit, you are required by law to provide us with the information and data we require. Otherwise, the administrative penalties provided for by law may be imposed against you.
Purpose and legal basis for processing
We process the personal data we collect as part of an audit, whether it concerns the examination of a complaint or an ex officio audit, in order to investigate the case and carry out our audit work in accordance with our institutional tasks. As an independent authority, we must determine whether the law has been violated, so that we can exercise the audit powers provided for in Law 4622/2019, if necessary.
The processing of data carried out in this context is necessary for the performance of a task carried out in the public interest [Article 6(1)(e) GDPR]. The relevant task of the Authority derives from articles 82-103 and 118-119 of Law 4622/2019 (A' 133).
For how long do we keep your personal data?
We keep your personal data for 20 years and in any case for as long as it takes until the investigation and possible review of the case by the competent courts is completed, with the exception of the relevant administrative acts of the Authority, which are retained for archiving purposes.
Who are the recipients of your personal data?
For information on the disclosure of your data, please refer to section “Disclosure and Transfer of Data”. The processors acting on behalf of the Authority, referred to in this section, may have access to your data.
The complainant’s data may be communicated to the complainee after the investigation of the case has been completed and if the complainee so requests. In some cases, we may disclose your personal information to the competent prosecuting authorities or other audit authorities during a complaint investigation or an audit.
As a rule, we do not publish the identity of the natural persons involved in a complaint, unless their details have already been made public.
What rights do you have in relation to the processing?
We process your data to fulfil our public duty as an independent authority, so you have the right to object to this processing. However, it is very likely that there are compelling and legitimate reasons beyond your interests and rights, for which we may deny your objection. In addition, you have the right to access your personal data retained by us in the framework of audits and investigations on infringements of the law. Finally, you have the right to have inaccurate data rectified or incomplete data completed, request the erasure of data in some cases or restriction of processing under conditions.
For more information on your rights, consult section “Your rights over your personal data”.
Suppliers to the Authority
What data are we processing?
If you are a freelancer or single-person business that provides services or products to the Authority, we process your business information (name, registered address, VAT number), contact details, payment data (account number, etc.) and the information of the transactions between us.
Some of the information you provide to us is included in a register of paid-unpaid liabilities. This register comprises the name and address of your business. We also include some of the information you provide to us in a project management information system called “ePMO”.
We collect and process your personal data in order to execute payments, communicate with you, manage the projects, issue the necessary supporting documents or other tax data and enable the completion and submission of requisite declarations.
The legal basis for processing your personal data is Article 6(1)(c) of the GDPR, which allows us to process personal data when this is necessary for the fulfilment of our legal obligations under tax law.
For how long do we keep your personal data?
We retain your personal data for as long as is required by tax or administrative legislation, namely until the limitation period of claims expire.
Who are the recipients of your personal data?
Your data is communicated to the competent tax authorities (Independent Authority for Public Revenue - IAPR) through the submission of the requisite regular declarations and statements concerning our suppliers. Recipients of your data may also be the banking institutions used to pay you. The processors referred to in section “Disclosure and Transfer of Data” may also have access to your data.
What rights do you have in relation to the processing?
You have the right, at any time, to access your data, have it erased or rectified, if it is inaccurate or incomplete, obtain restriction of processing under conditions, as well as submit a complaint.
For more information on your rights, refer to section “Your rights over your personal data”.