Introduction

The City On application (cityon.gr) is a digital platform and information system developed and operated by Crowdpolicy IKE with the purpose of facilitating communication between citizens and municipalities. Through the application, citizens are able to submit requests related to everyday matters and monitor their processing by the competent municipal authorities.

This Personal Data Protection Policy (hereinafter "Policy") explains clearly and transparently the manner in which Crowdpolicy IKE and the cooperating municipal authorities collect, process, store, transmit, and protect your personal data during the use of the City On application.

This Policy fully complies with the obligations provided for in Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), Law 4624/2019 on the Protection of Natural Persons with regard to the Processing of Personal Data, as well as all relevant European and Greek legislation on the protection of personal data. Furthermore, the provisions of Directive 2002/58/EC (ePrivacy Directive) and the guidelines of the Hellenic Data Protection Authority (HDPA) are taken into account.

Data Controller and Data Processor

A) CROWDPOLICY – Responsible for Technical Infrastructure and Platform Operation

Crowdpolicy bears responsibility for the development, design, operation, and maintenance of the technical infrastructure of the City On application. With respect to data processing, Crowdpolicy is responsible for: (a) the collection and temporary storage of personal data on secure servers located within Europe, (b) the creation and management of user accounts, (c) the recording of usage data and telemetry for purposes of service improvement, and (d) the implementation of technical and organizational security measures.

B) The Relevant Municipality (Operating Entity) – Responsible for Processing Requests

Each municipality or municipal authority that cooperates with the City On application is considered a data controller for data relating to requests that are submitted and processed within the scope of that municipal authority.

The municipality is responsible for: (a) the examination and processing of requests, (b) communication with the applicants, (c) storage and management in accordance with lawful obligations, and (d) the making of decisions.

For requests submitted through City On and referring to a specific municipality, that municipality is also the data controller.

Categories of Personal Data

• Identification Data: Full name and surname, which are mandatory for account creation. This information is essential for the proper functioning of the platform and for identifying users when they interact with municipal authorities.
• Contact Data: Email address is mandatory and telephone number is optional. Contact information is collected to ensure effective communication between users and the platform operators as well as the relevant municipal authorities regarding submitted requests and their status.
• Account Data: Password stored in encrypted form and the method of registration (e.g., email, social media authentication). These data are collected and maintained for authentication purposes to protect user account security and prevent unauthorized access.
• Location Data: Optional residential address and geolocation of submitted requests. Location information is collected to ensure proper routing of requests to the competent municipal authorities and to maintain accuracy of municipal service delivery.
• Request Content: Text descriptions, photographs, and categorization of submitted requests. Request content is processed to enable the examination, evaluation, and appropriate handling of user requests by municipal authorities.
• Technical Data: Internet Protocol address (IP), device type and model, operating system, web browser, and cookies. Technical data are collected for system administration, security monitoring, and to provide users with an optimized experience across different devices and platforms.
• Usage Data: Log files, navigation statistics, and visit duration. Usage data are collected for performance monitoring, service improvement, and identification of user behavior patterns to enhance platform functionality and user experience.

Purposes of Processing

• Provision of Digital Services: Processing of personal data for the purpose of creating, managing, and maintaining user accounts. This enables users to access the platform securely and utilize all available features and functionalities.
• Request Management: Processing of personal data to create, store, and route requests to the appropriate municipal authorities. This enables proper handling and tracking of citizen requests throughout the entire request lifecycle.
• User Communication: Processing of personal data to inform users of the current status of their submitted requests, including notifications and updates regarding request progress and outcomes.
• Service Improvement: Processing of usage data and telemetry to analyze user behavior, identify bottlenecks, and implement improvements to the platform's features, performance, and user interface. This enables continuous optimization of the service.
• Security and Fraud Prevention: Processing of personal data to detect and prevent unauthorized access, abuse of the platform, fraudulent activity, and other security breaches. This ensures the integrity and security of the platform and protects all users.
• Legal Obligations: Processing of personal data to comply with applicable laws, tax regulations, accounting requirements, and court orders. This enables adherence to all relevant regulatory frameworks.
• Statistical Analysis: Processing of data in anonymized or aggregated form for statistical purposes. This enables analysis of general trends and patterns without identifying individual users.
• Surveys: Processing of personal data through voluntary participation in user surveys and feedback questionnaires. This enables collection of user opinions and suggestions for service improvement.

Legal Basis for Processing

• Consent (Article 6(1)(a)): Processing is based on explicit consent of the data subject for participation in surveys, subscription to newsletters and informational communications, and for analytical and non-essential cookies. Users may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• Contract Performance (Article 6(1)(b)): Processing is necessary for the performance of the contract between the user and Crowdpolicy and the relevant municipal authorities. This includes creation and management of user accounts, submission and processing of requests, and communication regarding request status.
• Legal Obligation (Article 6(1)(c)): Processing is necessary to comply with legal obligations imposed by applicable tax laws, accounting requirements, and other statutory requirements. This includes retention of records for audit purposes and response to lawful requests from public authorities.
• Public Task (Article 6(1)(e)): Processing is necessary for the performance of municipal services and the exercise of public authority. This includes the processing of requests by municipal authorities acting in their capacity as public bodies.
• Legitimate Interest (Article 6(1)(f)): Processing is based on legitimate interests pursued by Crowdpolicy, municipal authorities, or third parties. These legitimate interests include platform security, prevention and detection of fraud, business analytics, platform improvement, and protection of user rights. A balancing test ensures that these interests do not override the fundamental rights of data subjects.

Data Recipients

• Municipal Staff: Only authorized personnel of municipal authorities who are responsible for processing and responding to user requests have access to personal data. Access is strictly limited to what is necessary for the performance of their official duties.
• Crowdpolicy Technical Team: Members of the technical team at Crowdpolicy may access personal data only when necessary for the maintenance, troubleshooting, and operation of the platform infrastructure. Access is granted on a need-to-know basis and only for the purposes of system administration and security.
• Sub-processors: Personal data may be transmitted to sub-processors who provide services on behalf of Crowdpolicy, including cloud service providers, analytics service providers, and infrastructure providers. All sub-processors are bound by data processing agreements that meet GDPR requirements and ensure appropriate safeguards.
• Public Authorities: Personal data may be transmitted to public authorities, government bodies, or judicial authorities only when required by applicable law, court orders, or official requests.

Transfer to Third Countries

Personal data is primarily stored and processed within the European Union or the European Economic Area. If transfer of personal data to third countries outside the EU/EEA is necessary, such transfer is conducted in accordance with GDPR safeguards, including Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Users will be informed in advance of any such transfers, and their rights will be protected through appropriate contractual mechanisms.

Data Retention Period

• Request Data: Personal data relating to requests is retained for the duration of the service contract plus the legally required retention period, which typically ranges from three to five years depending on the nature of the request and applicable legal obligations. This ensures that requests can be properly tracked and that municipal authorities can fulfill their administrative and archival obligations.
• Account Data: Personal data in user accounts is retained until the user chooses to delete their account. Upon deletion, account data is either permanently erased or anonymized.
• Technical and Usage Data: Log files, analytics data, and other technical data are retained for a maximum of twelve months. After this period, the data is deleted or anonymized to preserve user privacy.
• Deletion or Anonymization: After the retention period expires, all personal data is either permanently deleted from all systems or converted to an irreversibly anonymized form that does not permit identification of individuals.
• Account Deletion: Users may delete their accounts at any time through the settings section of the City On application. Once deletion is requested, account data will be processed in accordance with the retention periods specified above.

Data Security

Crowdpolicy implements technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction, in accordance with Article 32 of the GDPR. These measures include the following:

• Encryption: All data transmission between user devices and Crowdpolicy servers is encrypted using TLS/SSL protocol version 1.2 or higher. This ensures that personal data cannot be intercepted or read by unauthorized parties during transmission.
• Access Control: Access to personal data is restricted to authorized personnel through role-based access control mechanisms. Multi-factor authentication (MFA) is implemented to prevent unauthorized access to user accounts.
• Security Testing: Crowdpolicy conducts regular penetration testing and comprehensive security assessments to identify vulnerabilities and ensure effectiveness of security controls.
• Incident Response: Detailed incident response procedures are in place to manage potential data breaches or security incidents. These procedures outline notification protocols and remediation steps.
• Staff Training: All personnel with access to personal data receive regular training on data protection principles, security best practices, and their responsibilities under GDPR.
• Physical Security: Servers and data storage infrastructure are protected through physical security measures, including controlled access, surveillance, and environmental controls.
• Data Location: All data storage and processing takes place within the European Union to ensure compliance with GDPR and European data protection standards.

Data Subject Rights

Under the GDPR, data subjects have the following rights regarding their personal data:

• Right of Access (Article 15): Users have the right to request a copy of the personal data held by Crowdpolicy and the relevant municipal authorities. Upon submission of a valid request, users will receive a detailed report of all personal data processed concerning them, including information about the purposes, recipients, and retention period.
• Right to Rectification (Article 16): Users have the right to request correction of inaccurate or incomplete personal data. Crowdpolicy will promptly correct or supplement any data found to be inaccurate, and will inform all recipients of the corrected data.
• Right to Erasure/Right to be Forgotten (Article 17): Users have the right to request deletion of personal data under certain conditions, such as when the data is no longer necessary, when consent is withdrawn, or when processing is unlawful. However, the right to erasure does not apply when legal obligations require retention of the data or when the data is needed for the establishment, exercise, or defense of legal claims.
• Right to Restriction of Processing (Article 18): Users have the right to request that processing of their personal data be restricted or limited while accuracy is being disputed, or while a request for deletion or objection is being considered.
• Right to Data Portability (Article 20): Users have the right to receive their personal data in a structured, commonly used, machine-readable format, such as CSV or JSON. This enables users to transmit the data to another controller without hindrance.
• Right to Object (Article 21): Users have the right to object to processing of their personal data based on legitimate interests or for direct marketing purposes. Users may also object to processing for statistical or scientific research purposes.
• Right to Withdraw Consent: If processing is based on consent, users have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
• Right to Lodge a Complaint: Users have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) if they believe that their data protection rights have been violated.

Exercise of Rights: To exercise these rights, users may contact the Data Protection Officer of Crowdpolicy at [email protected], address their request to the relevant municipality responsible for processing their request, or use the settings available within the City On application. Crowdpolicy and the relevant municipal authorities commit to responding to all requests within thirty (30) calendar days. For complex or extensive requests, the response period may be extended by an additional sixty (60) days, with notification to the user.

Cookies

Crowdpolicy uses cookies and similar tracking technologies on the City On application in accordance with the ePrivacy Directive (Directive 2002/58/EC) and applicable regulations. Cookies are classified as follows:

• Essential Cookies: These cookies are necessary for the operation of the platform and the provision of services. Essential cookies do not require prior user consent, as they are necessary for the functioning of the application.
• Analytics Cookies: These cookies are used to collect information about how users interact with the application, including pages visited, features used, and time spent on the platform. Analytics cookies require explicit user consent before deployment.
• Advertising Cookies: Crowdpolicy does NOT use advertising cookies to track users across websites or display targeted advertisements.
• IP Address Collection: Internet Protocol (IP) addresses are collected for statistical purposes only, such as analyzing user geographic location and network performance. IP addresses are not used to identify individual users in conjunction with other personal data.
• Cookie Management: Users may manage cookie preferences through their browser settings or application settings. Users can disable non-essential cookies and withdraw consent at any time without affecting the availability of essential platform functions.

Protection of Minors

The City On application is designed for adults aged eighteen (18) years or older. Crowdpolicy does not knowingly collect personal data from minors. If personal data of a minor is discovered to have been collected without parental consent, Crowdpolicy will take immediate steps to delete such data. Parents or guardians who believe that a minor's personal data has been collected are requested to contact Crowdpolicy immediately at [email protected]. For any use of the application by minors, explicit parental or guardian consent is required.

Data Breach Notification

In the event of a personal data breach, Crowdpolicy is committed to full transparency and prompt notification in accordance with GDPR requirements. The following procedures will be followed:

Crowdpolicy will notify the Hellenic Data Protection Authority (HDPA) of any confirmed data breach without undue delay and, in any case, within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. The notification will include detailed information about the nature of the breach, the data affected, likely consequences, and measures taken to mitigate the impact.

If the breach creates a high risk to the rights and freedoms of individuals, Crowdpolicy will inform affected data subjects directly, without undue delay, in accordance with Article 34 of the GDPR. The notification will describe the nature of the breach in clear and plain language and include information about the measures taken or proposed to address the breach and mitigate potential harm.

All data breaches will be documented and recorded, including details about the breach, the data affected, and the response measures implemented.

Amendments to This Policy

Crowdpolicy reserves the right to modify this Personal Data Protection Policy at any time in response to changes in legal requirements, business practices, or technology. Users will be notified of any changes through the City On application, email notification, or other appropriate means. Substantial changes that increase user obligations or decrease user rights will require obtaining renewed user consent. Continued use of the application after notification of changes constitutes acceptance of the revised Policy.

Contact Information and Data Protection Officer

For questions or concerns regarding this Policy or data protection practices:

For inquiries regarding request processing:

Contact the relevant municipality directly through the contact information provided within the City On application or through the municipality's official website.

To lodge a complaint with the national data protection authority:

Applicable Law and Jurisdiction

This Personal Data Protection Policy and all matters relating to data protection are governed by and construed in accordance with the following legal framework:

• Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR), which establishes the fundamental framework for data protection within the European Union.
• Law 4624/2019 on the Protection of Natural Persons with regard to the Processing of Personal Data (Greek national implementation of GDPR), which applies the principles and requirements of GDPR within the Greek legal system.
• Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive), which governs the use of cookies and electronic communications.

Any disputes or legal claims arising from the use of the City On application or the processing of personal data shall be subject to the exclusive jurisdiction of the competent courts of Athens, Greece.