PERSONAL DATA PROTECTION POLICY 2024 K.E.P.E.A. NAOUSSA

As an educational organization responsible for the digital security of its students, K.E.P.E.A. requires staff to take the necessary and appropriate measures to protect data and information systems from viruses, unauthorized access, damage, loss, misuse, and theft. All staff members are responsible for using the school’s computing systems in a professional, legal, and ethical manner. To ensure that staff members are fully aware of their professional responsibilities when handling personal data, they are required to read and sign this Acceptable Use Policy.

Compliance with GDPR Regulations

From May 25, 2018, data protection regulations in Greece changed in accordance with the General Data Protection Regulation (GDPR) of the European Union, announced in 2016. This represents a significant shift in legislation and replaces Law 2472/1997 on the protection of individuals from the processing of personal data, which has been repealed.

Are educational institutions in Greece required to comply with the Regulation? The answer is affirmative. Any natural or legal person, public authority, agency, or other entity that processes personal data is considered a “data controller.” Given the nature of schools and the personal data required in various forms for the operation of an educational institution, this means that every public educational organization must comply.

Data Storage and Access Security

The Naoussa Center for Environmental Education and Sustainability (K.E.P.E.A.) and its educational team will have access to a wide range of personal information and data. Data may be stored in digital or paper form. Personal data is defined as any combination of data elements that identify an individual and provide specific information about them, their families, or their circumstances. This includes:

  • Personal information regarding school community members, including students, teaching staff, and parents, such as names, addresses, contact details, legal guardians’ information, medical records, and files.
  • Educational data, such as student class lists, reports, and evaluations.
  • Professional records, such as employment history, tax information, insurance records, evaluation files, and reports.
  • Any other information disclosed by parents or other organizations collaborating with families or staff members.

The K.E.P.E.A. must ensure that systems are configured so that the existence of protected files is concealed from unauthorized users and that access permissions define which files are accessible. Access to protected data will be controlled according to the user’s role. Certain staff members will have access to information systems.

Best practice is for all users to choose strong passwords, for example a passphrase formed by combining several simpler words. User passwords must never be shared.

Personal data should only be accessible on securely protected computers. Any device that may be used to access personal data must be locked if left unattended (even for short periods) and should be set to automatic locking if inactive for more than five minutes.

All storage media should be kept in a secure environment to prevent physical risk, loss, or electronic degradation.

Secure Handling of Personal Data

Personal data should only be stored on K.E.P.E.A. equipment. Private equipment (i.e., user-owned devices) should not be used to store personal data related to schools or other entities.

When personal data is stored on any portable computer system, USB stick, or any other removable medium:

  • Data must be encrypted and password protected.
  • The device must be password protected.
  • The device must have approved antivirus and malware protection software installed.
  • Data must be securely deleted from the device following K.E.P.E.A.’s policy once it has been transferred or is no longer needed.

K.E.P.E.A. should establish its own policy regarding whether data storage on removable media is permitted, even if encrypted.

K.E.P.E.A. must have clear policies and procedures for automatic backups, data access, and data recovery, including off-site backups.

Cloud Storage Policies

K.E.P.E.A. must establish clear policies and procedures for using cloud-based storage systems (e.g., Dropbox, Microsoft 365, Google Drive). Data stored remotely in the cloud must still be protected according to data protection laws. K.E.P.E.A. must ensure it is satisfied with the security controls implemented by cloud-based data service providers.

Data Access Requests

Data subjects have specific rights regarding their personal data:

  • Right to Information – Privacy notices.
  • Right to Access – Subject access request.
  • Right to Rectification – Correction of errors.
  • Right to Erasure – Deletion of data when there is no compelling reason to retain it.
  • Right to Restrict Processing – Blocking or suppressing data processing.

It is clear that these rights impact educational institutions, particularly the right to access. There must be procedures in place to handle subject access requests (i.e., a written request to view all or part of the personal data held by the data controller in relation to the data subject).

Data Disposal

K.E.P.E.A. must implement a document retention schedule outlining the duration for which data is kept before secure destruction. Personal data must be securely destroyed when no longer required.

The disposal of personal data, whether in print or electronic form, must be conducted in a manner that makes reconstruction highly unlikely. Electronic records must be securely deleted, and other media must be destroyed accordingly.

A destruction log should be maintained, recording the document identifier, classification, destruction date, method, and authorization.

Data Mapping

The data mapping process is designed to help schools identify with whom they share their data, so that appropriate contractual agreements can be put in place. If a third party processes students’ personal data on behalf of the school, that processor is obliged towards K.E.P.E.A. to ensure that the processing is carried out in compliance with data protection laws.

Responsibilities of Staff Members

  • I will ensure that students’, staff’s, and parents’/guardians’ personal data are maintained in compliance with Regulation 2016/679 of the European Parliament and the Council on the protection of individuals regarding the processing of personal data.
  • Any data removed from K.E.P.E.A. (e.g., via email or removable storage) must be encrypted using an approved method.
  • Any photos or videos of students will be used only as stated in K.E.P.E.A.’s policy and with parental consent.
  • Workplace-provided equipment is for educational purposes only and must be used exclusively by the Pedagogical Team.
  • I will report any accidental access to inappropriate material or security breaches to the designated data protection officer as soon as possible.
  • Electronic communication with students, parents/guardians, and other professionals will be conducted only through approved school communication channels (email: mail@kpe.ima.sch.gr, phone: 2332025111).
  • I will not store professional documents containing sensitive or personal information on personal devices unless secured and encrypted.
  • I will log out of information systems when I finish using them, so that unauthorized access to the systems or to personal data is prevented.
  • Data use and information systems will always be consistent with my professional role.
  • Any concerns about safe and professional online practices should be reported to the digital security coordinator.

If K.E.P.E.A. suspects unauthorized or inappropriate use of the information system or unacceptable behavior, disciplinary action may be taken. If K.E.P.E.A. suspects that the system has been used for criminal purposes or for storing illegal text, images, or videos, the matter may be referred to the Cyber Crime Unit.

General Data Protection Regulation (GDPR)