Introductory elements

This information is provided by the Anti-Money Laundering Authority (hereinafter: “Authority no. 47 of Law 4557/2018” or “Authority”) and briefly explains how the Authority protects personal data (hereinafter: ” VAT”) which it observes during the execution of its powers provided for by law and its operation in general.

The Authority of no. 47 of Law 4557/2018 is an independent Authority, with headquarters in Athens. Its responsibilities, as analyzed in more detail below, concern a) the prevention and treatment of money laundering from criminal activities, b) the treatment of terrorist financing and c) the control of asset declarations.

The Authority, from the entry into force of Law 3932/2011, which was replaced by Law 4557/2018, operates under the principle of confidentiality – secrecy (No. 27 Law 4557/18, as well as No. 2A item 17 and 3B par. 5 of 3213/03).

Personal Data Controller

Based on the General Data Protection Regulation (hereinafter: “GDPR” – no. 4 par. 1. para. 7) and Law 4624/2019 (no. 44 par. 1 para. g’) the Authority is considered responsible for the correct processing Personal data in its possession (Data Controller). It collects, keeps and processes Personal Data for specified, explicit and legal purposes, for the fulfillment of a duty performed in the public interest or in the exercise of public authority assigned to it and only in the context of the exercise of its powers expressly provided for by law. This data is not further processed in a manner incompatible with these purposes.

Competent employees for the handling of VAT are the Head of the respective Unit of the Authority that keeps the data, the Head of Department as the case may be and the relevant employee.

Sources – origin of Personal Data

The Authority keeps and may process VAT collected by supervised and non-supervised, national and foreign entities and the persons authorized by them, such as indicative executives of financial institutions, legal representatives of companies responsible for dealing with Money Laundering, whistleblowers, etc. natural persons, lawyers, authorized persons of Central and General Government bodies, credit institutions and other bodies, with specific obligations to submit information in the context of laws 4557/18, 3213/03 and always in the context of conducting analyzes and regular and extraordinary controls.

Furthermore, a lot of information is drawn from existing databases, mainly of the tax administration, prosecuting authorities and related foreign institutions and authorities.

Data Subjects Respected by the Authority

The Authority processes and investigates personal data, which concern:

  • or domestic and foreign persons for whom confidential information is transmitted, in respect of which investigations, analyzes and extraordinary controls are carried out,
  • or domestic and foreign persons, in respect of whom regular or targeted controls are carried out, as well as
  • natural persons, legal representatives or authorized persons of Central and General Government bodies, credit institutions and other bodies that communicate or cooperate with the Authority within the framework of its powers,
  • persons who visit the Authority’s website electronically,
  • persons who come in physical presence, as visitors to the building facilities of the Authority,
  • persons who participate – attend events organized by the Authority,
  • persons who are related or are candidates to be related to the Authority through an employment relationship,
  • persons with another contractual relationship (suppliers, contractors and other collaborators in the context of entering into contracts for supplies, works or services).

Categories of Personal Rights – What kind of information the Authority collects and processes

The Authority, within the framework of the powers assigned to it, processes a number of data, such as the following, as the case may be:

Identification data (surname, social security number), residence data, business address, contact information, guarantor relatives, family and financial situation, VAT number, regular and extraordinary income and expenses, employment and business status, business interests, information of criminal interest, etc. .

Legal basis for the processing of personal data

The personal data are collected and processed by the Authority based on article 6 par. 1 of the GDPR and in particular based on no. 5 of Law 4624/2019, that is, to fulfill a duty performed in the public interest or in the exercise of public authority assigned to the Authority as controller. More specifically, any processing of personal data must be based on one of the following legal bases:

  • Fulfillment of a public interest duty/ exercise of public authority by the data controller,
  • Consent of the subject,
  • contractual relationship,
  • legal obligation,
  • Safeguarding the vital interest of a natural person,
  • Legal interest.

Purpose of processing

The personal data collected, kept and processed by the Authority, as data controller, are used to achieve the express and legitimate purposes defined by law and to fulfill its delegated powers in accordance with no. 47 of Law 4557/18, concerning a) the taking and implementation of the necessary measures to prevent, detect and combat money laundering and the financing of terrorism b) the identification of persons related to terrorism and the imposition of financial sanctions against them and against persons determined by Decisions of the UN Security Council and its bodies or by Decisions and Regulations of the EU c) in the control of the asset declarations referred to in case aa’ of par. 1 of No. 2 of Law 3213/03.

How the Authority protects the rights of subjects

The processing of personal data is carried out by the Authority with respect to the provisions of the GDPR and Law 4624/2019 “Principle of Protection of Personal Data, implementing measures of Regulation (EU) 2016/679”, as applicable, as well as in accordance with the security rules of the information systems sector and the confidentiality commitments of the Authority.

In particular, the Authority implements appropriate organizational and technical measures for data security, ensuring privacy, processing and protecting it from accidental or unlawful destruction, accidental loss, alteration, prohibited dissemination or access and any other form of unlawful processing.

Only authorized Members of the Authority and certain competent employees have access to personal data. The IFIs are kept and are the subject of processing by the Authority exclusively within the framework of its competences and are not communicated to anyone, outside the context of the audit process, apart from prosecutors, etc. competent authorities and any cases specifically defined by law.

Data retention time

Personal data is processed only for the period of time required for the purposes of its processing.

The Authority stores the personal data for 25 years, with the possibility of further retention for archiving purposes, for the fulfillment of a duty performed in the public interest and/or in the exercise of public authority assigned to the Authority, as data controller.

Electronic data collected through “Cookies”

The Authority uses “cookies” on its website only to optimize the functionality of its website.

“Cookies” are very small text files of information that are used by browsers (Chrome, Mozilla Firefox, etc.) and help to improve the experience of using the website.

On this website, only functionality cookies are used which allow the execution of basic functions. These cookies do not collect information about visitors.

The user has the option to accept cookies or not. However, in the case of non-acceptance of “cookies”, the website visitor does not have access to the correct and complete display of part of the content of the website, especially in areas where third-party web services are used over which the Authority has no jurisdiction.

The Authority does not request personal information from its visitors while browsing the content of its website. Since the use of a contact form requires contact information, these are intended exclusively for direct communication – sharing information of each user with the Authority. The above information is not shared with third parties and is not used for any purpose other than the one for which it was provided.

Data Protection Officer

The Authority has appointed a Data Protection Officer (DPO). The contact details of the Data Protection Officer are: dpo@hellenic-fiu.gr or by post at the address “Anti-Money Laundering Authority ATH.18 – Thisio, P.O. 11801, P.O. 20001 (Contact of the Data Protection Officer Data)”.

Possibilities – Rights of data subjects, vis-à-vis the Authority

The Authority is constantly harmonizing and complying with the terms of the GDPR and Law 4624/19 and is constantly making every possible effort to comply with them, always in the light of the aforementioned, that since the entry into force of Law 3932/2011 , which was replaced by Law 4557/2018, the operation of the “Authority” is governed by the principle of confidentiality (secrecy). Therefore, the Authority cooperates and exchanges information only with prosecuting etc. competent authorities based on law (based on article 34 of Law 4557/2018).

In addition, in specific and limited cases, out of all the functions and responsibilities of the Authority, in particular in the context of administrative functions not related to the Authority’s main work of prevention, investigation, detection or referral of cases of criminal interest, the personal data subjects character are the rights provided for by nos. 15 ff. of the GDPR and 53 et seq. of Law 4624/2019.

Every exercise of a legal right of a subject is carried out by submitting a written application addressed to the Authority.

Finally, every interested party has the right to file a complaint with the competent supervisory authority, the Personal Data Protection Authority, in case it is considered that there is a violation of the GDPR or Law 4624/2019 during the processing of the personal data concerning them.

Details of the Personal Data Protection Authority (PDPA): Offices: Kifisias 1-3, P.O. 115 23, Athens Call Center: +30-210 6475600 Fax: +30-210 6475628 Email: contact@dpa.gr