Effective Date: 08-06-2026
The Municipality of Milos (hereinafter referred to as the “Organization” or the “Municipality”) places great importance on the lawful processing, security, and protection of your personal data, regardless of the capacity in which you communicate or cooperate with us while using our services. Before using the services of the Organization, please read this Personal Data Protection Policy carefully.
Introduction
The Organization, acting as the Data Controller, informs you about the manner in which your information is collected and processed. Your personal data includes any information that can lead, either directly or in combination with other information, to your unique identification or location as a natural person. This category may include, where applicable, information such as your full name, physical and electronic addresses, telephone numbers, email addresses, and any other information that enables your unique identification in accordance with applicable legislation (General Data Protection Regulation (EU) 2016/679, Law 4624/2019), as well as the decisions of the Hellenic Data Protection Authority (HDPA).
The following information regarding the protection of your personal data concerns the way in which we process your personal information when you communicate with us, cooperate with us, or use any of the Organization’s services.
In particular, we inform you about the following:
- the type of personal data we process;
- the purposes for which we process your personal data, how we use them, and the lawful basis under the GDPR;
- the disclosure of your data to third parties;
- the transfer of your data to third countries;
- the retention period of your data;
- the confidentiality, security, and protection of your data;
- the rights you have in relation to each processing activity and how you may exercise those rights.
We keep this Data Protection Policy under regular review to ensure that it remains up to date and accurate.
The Organization may amend this Policy at any time and without prior notice by publishing any such amendments on its website.
By browsing and using the Organization’s website, visitors/users acknowledge that they have read, understood, and unconditionally accepted this Data Protection Policy.
Contact Details of the Data Controller
For any processing of personal data carried out in the context of any interaction you may have with the Municipality of Milos, including your visit to this Website, the Data Controller is:
Municipality of Milos
Plaka Milos, Postal Code 84800, Plaka Milos, Greece
Tel.: +30 22873 60100
Email: grammatia@milos.gr
Contact Details of the Data Protection Officer (DPO)
The Data Protection Officer (DPO) is Computer Studio S.A. You may contact the DPO for any matter relating to the processing of personal data carried out by the Organization and described in this notice at the following email address: dpo@computerstudio.gr<
Personal Data Collected by the Organization
Data of Users/Visitors of the Organization’s Website
During your visit to the Organization’s website, the following information is collected automatically:
- the IP address of the visitor/user, which constitutes personal data, even if we cannot identify the individual solely on the basis of this information;
- the date and time of each request for data transfer between the browser and the server (HTTPS request) required for the operation of the HTTPS protocol;
- the server response code together with the HTTPS protocol request parameters (HTTPS response);
- the server response time, in milliseconds (ms), for each request;
- the type of browser through which the request was submitted;
- information entered in the Organization’s contact form (full name, email address, telephone number);
- information entered in the contact form for the purpose of communicating with the Organization;
- information entered when submitting requests through the website.
Data Collected in the Context of the Organization’s Activities
Within the framework of the Organization’s activities, and for the fulfillment of its purposes and duties, it may process personal data. Indicatively:
Citizens – Municipal Residents: Full name, Father’s name, Mother’s name, Landline telephone number, Mobile telephone number, Home/work address, City, Postal code, Email address, Identity Card Number (ID Card No.), Date of birth, Place of birth, Tax Identification Number (TIN), Tax Office, Social Security Number (AMKA), Social insurance provider details, Nationality, Citizenship, Official Civil Registry records, Marital status, Type of insurance – old-age pension, Military service records, Professional status, Property assets, Benefits, Grants, Compensation, Unemployment card, Tax clearance statement, Health data (medical conditions, illnesses, disabilities, medication, etc.), Marriage license information, Divorce certificate information, Birth certificate information, Baptism record information, Next-of-kin certificate information, Property title information, National Cadastre Code (KAEK), Water supply information, Fees and charges related to property, Debt information, Court decision information, Notarial deed information.
Employees: Full name, Address, Date of birth, Contact details (email, telephone number), Marital status, Education, Academic qualifications, Civil Registry records (marriages, births, and deaths), Previous employment experience, Bank account details, TIN, AMKA, Social Insurance Registration Number, Identity Card Number, Payroll information, Medical certificates (where required), Criminal record certificate (where required).
Contractors – Partners / Legal Representatives of Contractors and Partners: Full name, Address, Telephone number, TIN, Invoice details.
Minors: First name, Surname, Father’s name, Mother’s name, Date of birth, Place of birth, School grade and school attended, Nationality, Citizenship, Religion (baptism-related information), Health data, Disability information.
Use, Purpose, and Lawful Basis for the Processing of Personal Data
For data of users/visitors of the Organization’s website.
The Organization collects and processes the personal data of visitors/users exclusively within the framework of fulfilling the purposes and functions of its website. Processing is limited to personal data that are necessary and appropriate for achieving those purposes and functions. In particular, the Organization will use your information for the following lawful processing purposes, including but not limited to:
- To communicate with you and provide better service through the contact forms available on the Website.
- To process requests that you have submitted electronically through the Organization’s Website.
- To manage and protect the Organization and our Websites, including improving data security, troubleshooting data and system issues, maintaining and testing systems, data hosting, and reporting.
- To provide relevant Website content to you and to measure or understand the effectiveness of the content we provide.
- To use data analytics for the purpose of improving our Websites, our services, our relationships with citizens, and their overall experience.
The lawful bases for processing are:
The performance of a task carried out in the public interest (Article 6(1)(e) GDPR).
The pursuit of the legitimate interests of the Organization (Article 6(1)(f) GDPR), in particular:
- Ensuring the efficient and secure operation of the Website, including the maintenance of information technology services, network security, and data security.
- Providing relevant content and identifying opportunities for the development of our Organization.
- Reviewing how users interact with the Website and their feedback, improving our Website, and identifying ways to further develop our Organization.
Consent (Article 6(1)(a) GDPR).
For data collected in the context of the Organization’s activities.
Within the framework of its activities and operations, the Organization may collect and process personal data as described above. In this context, the Organization may process personal data primarily for the following purposes, depending on the category of data subjects described above:
- the performance of duties assigned to it by law,
- the examination and handling of requests submitted by citizens, as well as complaints or grievances,
- the examination and handling of requests submitted by citizens through this website,
- communication with citizens and keeping them informed about the progress of their cases,
- communication with citizens and informing them about the Organization’s activities,
- assessing eligibility criteria for inclusion in social welfare programs organized by the Organization or in co-funded actions with the European Union,
- completing procurement procedures and managing contracts entered into with contractors for works, supplies, or services, as well as the management and utilization of municipal property,
- representing the Organization before judicial and administrative authorities and providing legal support to its elected bodies and services,
- maintaining records and producing statistics where required by applicable legislation,
- recording civil status events and maintaining Civil Registry and Municipal Registry records,
- facilitating citizens’ participation in cultural or sports events organized by the Organization as part of its initiatives to promote culture and sports,
- collecting fees, charges, and other public revenues within its competencies, issuing assessment rolls, determining the exact amount of municipal taxes, imposing fines, and examining related appeals and objections,
- issuing licenses for the operation of businesses and commercial activities, open-air markets, trade fairs, gyms and sports facilities, nursery schools, and preparing opinions regarding administrative violations,
- complying with legislation concerning the adoption and care of stray animals,
- granting welfare benefits and including vulnerable social groups in welfare programs or structures,
- handling the Organization’s correspondence, keeping minutes, and issuing decisions of the Municipal Council,
- carrying out the duties of the Organization’s individual services and departments,
- maintaining cleanliness and green areas within the Organization’s jurisdiction and managing municipal cemeteries,
- complying with legal obligations imposed on the Organization by applicable legislation,
- fulfilling the Organization’s contractual obligations,
- conducting preliminary investigations, sworn administrative inquiries, and disciplinary proceedings,
- carrying out internal audits in accordance with applicable legislation,
- providing information regarding co-applicants in selection procedures (e.g., recruitment processes),
- providing information concerning a complainant to the person against whom the complaint was made, as a data subject of the information contained in a complaint submitted to a public authority.
The lawful basis for processing in these contexts, depending on the specific purpose, may be:
For ordinary personal data:
- performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR);
- compliance with a legal obligation (Article 6(1)(c) GDPR);
- protection of the legitimate interests of a third party (Article 6(1)(f) GDPR);
- performance of a task carried out in the public interest (Article 6(1)(e) GDPR);
- consent (Article 6(1)(a) GDPR).
For special categories of personal data:
- carrying out obligations and exercising specific rights of the controller or the data subject in the field of employment law and social security and social protection law (Article 9(2)(b) GDPR);
- the establishment, exercise, or defense of legal claims, or whenever courts are acting in their judicial capacity (Article 9(2)(f) GDPR);
- reasons of substantial public interest (Article 9(2)(g) GDPR);
- preventive or occupational medicine, assessment of an employee’s working capacity, medical diagnosis, provision of health or social care or treatment, or management of health and social care systems and services (Article 9(2)(h) GDPR);
- archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (Article 9(2)(j) GDPR).
Cookie Policy
While browsing this website, the Organization may collect user identification data through the use of relevant technologies, such as cookies and/or Internet Protocol (IP) address tracking. Cookies are small pieces of text sent to a browser by a website visited by the user. The use of cookies enables the website to remember information about the user’s visit, such as the preferred language, the retention of preferences regarding safe browsing, the calculation of the number of visitors, or the facilitation of registration for our services.
Cookies used while browsing the Organization’s website are employed solely for the analysis of website traffic. No further processing, transmission, or sharing of such data takes place.
How to Control Cookies:
You can control and/or delete cookies according to your preferences. Details can be found at aboutcookies.org. You may delete all cookies already stored on your computer and configure most browsers to prevent their installation. However, in this case, you may need to manually adjust certain preferences each time you visit a website. Users may browse the website without difficulty and without the use of cookies, although this may affect usability and the functionality of certain services.
Any personal data collected through cookies and capable of being associated with a specific visitor/user shall be processed exclusively for the purposes described above.
For more information about the cookies we use, you may visit the Organization’s Cookie Policy here.
Transfer / Disclosure of Data to Third Parties
As a general rule, we do not disclose or transfer data to third parties, nor do we disclose your personal data to third parties for the purpose of promoting products or services.
In certain cases, however, we are legally obliged to disclose your data, as described below. In particular:
- in compliance with a court decision or when cooperating with other supervisory authorities in the handling of complaints or inspections;
- to other auditing bodies within the scope of our duties;
- if, during the exercise of our responsibilities, a criminal offence comes to our attention, all relevant information may be transmitted to the competent judicial and prosecutorial authorities;
- to citizens, persons against whom complaints have been filed, elected officials, public officers, members of the Municipal Council, Committees, competent services of the Organization, and co-applicants;
- to other first- and second-level local authorities, Decentralized Administrations, Regions, Health Services, Health Committees, Managing Authorities of Operational Programmes, Social Security Institutions, the Athens Civil Registry Office, the Public Employment Service (OAED), Police Authorities, the Fire Service, and the Coast Guard;
- to Ministries;
- to the General Accounting Office of the State, Economic Committees, Audit Authorities, Credit Institutions, Public Utility Companies, Tax Authorities (D.O.Y.), the Hellenic Single Public Procurement Authority (E.A.A.D.I.S.Y.), Judicial Authorities, the Hellenic Court of Audit, and the General Secretariat for Information Systems (TAXISnet);
- to the Transparency Portal (DIAVGEIA), the Government Gazette, and newspapers;
- to third-party contractors and partners of the Organization (e.g. information system providers, insurance companies, etc.);
- where the Organization uses third parties to perform certain services and functions. In such cases, personal information may be transferred to those third parties only to the extent necessary for the provision of the assigned services. These parties are bound by confidentiality obligations and by requirements for the secure processing of personal data. Any processing of such personal information shall be carried out in accordance with our instructions and shall remain compatible with the original purposes for which the data were collected.
Within this framework, your data may also be disclosed to data processors with whom the Organization cooperates for the support of its systems. Specifically, the web portal is hosted on a server managed by Infosupport. When using the services of this web portal, your data are stored on servers located within the European Union and are not transferred to third countries. Access to such data may be granted to authorized personnel of the company only to the extent necessary for the provision of technical support services. The processors are not permitted to carry out any further processing of your personal data unless expressly instructed to do so by us, nor may they transfer your personal data to third parties.
Transfer of Your Personal Data to Third Countries or International Organizations
As a general rule, the Organization does not transfer your personal data to third countries or international organizations.
However, we may transfer your personal data outside the European Economic Area (EEA) in order to comply with a legal obligation or where we have a legitimate interest in doing so. Before transferring any personal data outside the EEA, we will ensure that it is protected in accordance with the same or similar standards as those applicable within the EEA. This will be achieved either through a contract between us and the overseas organization or by relying on a decision of the European Commission confirming that the relevant country provides an adequate level of data protection.
Data Retention Period
Your personal data are retained by the Organization for the period necessary and as prescribed by the applicable legal framework. By way of exception, certain personal data may be retained where deemed strictly necessary for the Organization to comply with applicable legislation, resolve disputes with various parties, or for research, historical, or statistical purposes. In all such cases, your data will not be used for any other purpose.
In particular, with regard to the information recorded in log files for each request made to the web portal server through a visitor’s/user’s browser, such information is retained for a period of twelve (12) months and may be disclosed to the data processor responsible for managing the web portal, as well as to the competent authorities where this is deemed necessary for the investigation of a cyberattack or security incident.
Data that are subject to investigation or are used in connection with legal claims shall be retained for the period required for those specific purposes.
Data of Minors
This Policy has been drafted in plain and clear language so that individuals aged 15 years and over can understand its main points. For younger individuals, we kindly ask that their parents or legal guardians also review this Policy.
Confidentiality, Security and Protection of Personal Data
We implement appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of your data. In particular, the personal data collected by the Organization are treated as strictly confidential and are retained solely for the purposes described above. Furthermore, the Organization maintains adequate security systems and takes all necessary and appropriate measures to prevent any breach of personal data security (including leakage, disclosure, or unauthorized access) through its systems.
The Organization has appointed a Data Protection Officer (DPO), as we recognize the importance of protecting privacy and all of your personal information. For this purpose, the Organization maintains appropriate security policies and uses suitable tools and safeguards to ensure the protection of personal data.
Your Rights in Relation to the Processing of Personal Data
According to data protection legislation, when we process your personal data, you have certain rights of which we are required to inform you. The rights you may exercise are as follows:
- Right of Access (Article 15 GDPR)
You have the right to request, at any time, information regarding the processing of your data by the Organization and/or copies of the personal data we hold about you.
Data subjects have the right to obtain:
- confirmation as to whether their personal data are being processed;
- a copy of those personal data; and
- information about the processing (Articles 12 and 15 GDPR).
The right of access enables the data subject to become aware of their personal data and the information concerning the processing, in order to verify its lawfulness. This right does not require any justification by the data subject.
The information provided to the data subject when exercising the right of access includes:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients;
- where possible, the period for which the data will be stored or, if not possible, the criteria used to determine that period;
- the rights available to the data subject;
- the source of the data where the data are not collected directly from the data subject;
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing.
A reasonable fee based on administrative costs may be charged by the controller only for any additional copies requested by the data subject.
- Right to Rectification (Article 16 GDPR)
You have the right to request, at any time, that we correct information you believe to be inaccurate. You also have the right to request that incomplete information be completed.
- Right to Erasure (Article 17 GDPR)
The right to erasure (“right to be forgotten”) is the right of the data subject to request the deletion of personal data concerning them when they no longer wish those data to be processed and there is no lawful reason for the controller to retain them (Article 17 GDPR).
The data subject may withdraw their consent where processing is based on consent. In such cases, the data must be erased unless another legal basis exists for the processing.
Furthermore, where the data are no longer necessary for the purposes for which they were collected, are otherwise unlawfully processed, or where the data subject objects to the processing and there are no overriding legitimate grounds for the processing, the data subject may request their deletion.
However, this is not an absolute right. The continued retention of personal data may be lawful where necessary for reasons such as exercising the right of freedom of expression and information, compliance with a legal obligation, performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, reasons of public interest in the area of public health, archiving purposes in the public interest, scientific or historical research purposes, statistical purposes, or the establishment, exercise, or defense of legal claims.
- Right to Restriction of Processing (Article 18 GDPR)
You have the right to request that we restrict the processing of your data in certain circumstances.
Data subjects have the right to request the restriction of processing of their personal data (Articles 18 and 19 GDPR). Specifically, the data subject may request that the controller restrict processing. This right serves as an alternative to the right to erasure (Article 17 GDPR) and the right to object (Article 21 GDPR). It is not an absolute right and applies only in specific circumstances.
- Right to Data Portability (Article 20 GDPR)
This right applies only to data that you have provided to us. You have the right to request that we transfer the data you have provided to another organization or provide it directly to you. This right applies only where the processing is based on your consent or is necessary for entering into or performing a contract, and where the processing is carried out by automated means.
The right to data portability (Article 20 GDPR) provides individuals with an easy way to manage their own personal data. It facilitates the movement, copying, or transfer of personal data from one information technology environment to another.
Data subjects have the right to receive their personal data, which are processed by automated means, in a structured, commonly used, and machine-readable format (e.g. XML, JSON, CSV, etc.). They also have the right to request that the controller transmit those data to another controller without hindrance. Where technically feasible, they may request the direct transfer of their data from one controller to another.
The right to data portability may be exercised when all of the following conditions are met:
- the personal data are processed by automated means (therefore excluding paper records);
- the legal basis for processing is either the data subject’s consent (Article 6(1)(a) or Article 9(2)(a) GDPR) or the performance of a contract to which the data subject is a party (Article 6(1)(b) GDPR);
- the personal data concern the data subject and have been provided by the data subject. This includes data knowingly and actively provided, such as information entered into an account (e.g. postal address, username, age), as well as data generated and collected through the user’s activities when using a service or device (e.g. raw data from smart meters, activity logs, website usage history, or search history);
- the exercise of the right does not adversely affect the rights and freedoms of others.
The exercise of the right to data portability does not affect the exercise of any other rights available to the data subject, which may be exercised independently.
- Right to Object to the Processing of Your Personal Data (Article 21 GDPR)
You may object at any time, on grounds relating to your particular situation, to the processing of your personal data. The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
Where you withdraw your consent in cases where we have previously requested it, such withdrawal will not affect the lawfulness of any processing carried out before the withdrawal took place.
Exercising Your Rights
You may exercise the above rights in the following ways:
- by sending a letter to: “Municipality of Milos, Plaka Milos, Postal Code 84800, Greece”;
- by sending an email to: grammatia@milos.gr.
Contacting the DPO
We maintain high standards for the processing of your personal data. If you have any questions or concerns, you may contact us at dpo@computerstudio.gr.
Right to Lodge a Complaint with the HDPA
If you remain dissatisfied with the way we process your personal data, you may lodge a complaint with the Hellenic Data Protection Authority (HDPA). Complaints may be submitted electronically at https://www.dpa.gr/el/polites/katagelia_stin_arxi, by email at complaints@dpa.gr, by post to 1-3 Kifisias Avenue, 115 23 Athens, Greece, or in person at the Authority’s offices (1st Floor, 09:00–13:00).
Amendment of this Personal Data Protection Policy
The Organization may amend this Personal Data Protection Policy. Please check the Effective Date at the beginning of this Policy to see when it was last revised. Any revision shall become effective as soon as the revised Policy is published.
If we make material changes to this Policy that expand our rights to use personal data that we have already collected from you, we will inform you and provide you with a choice regarding the future use of such data.
By browsing and using the Organization’s website, visitors/users acknowledge that they have read, understood, and unconditionally accepted the Organization’s Personal Data Protection Policy.

