Privacy Policy

BACK TO HOMEPAGE

Eurognosi is committed to protecting your privacy and the confidentiality of your personal data. This Privacy Policy explains how we collect, use and safeguard your personal data in the context of:

our language and IT training services,
our internal information systems,
our PC Reservation System for training and certification practice,
our remote-access educational computers,
our online classroom platform,
our use of the Daily.co video-conferencing platform and related token-generation backend services,
as well as any other related digital services we may provide.

By reading this policy, you will be informed about:

Who we are
What personal data we collect
How we process your personal data
The purpose of each processing activity
How long we retain your personal data
When we ask for your consent
The recipients of your personal data
Your rights and how you can exercise them
Automated decision-making
Closed-circuit television (CCTV)

For any additional information or clarifications, you can contact our Data Protection Officer (DPO):

FILOTHEI – KALOGREZA | +30 210 27 24 183 | gdprfilothei@eurognosi.info
NEA IONIA | +30 211 18 29 694 | gdprneaionia@eurognosi.info

This Privacy Policy applies to all natural persons who interact with our Eurognosi centres in Filothei and Nea Ionia, such as students, parents, guardians, employees, teachers, suppliers and partners.

By this policy we commit to complying with all provisions of the General Data Protection Regulation (EU) 2016/679 (GDPR), as well as all applicable national and EU legislation on the protection of personal data.

Who we are

Eurognosi operates in the field of foreign language and IT training, through an extensive franchising network. The franchisor provides all franchisees with appropriate know-how and information systems support so that they can effectively manage all aspects of their activities.

For the purposes of personal data processing within the meaning of the GDPR, the franchisor and the franchisees act as joint controllers.

This policy applies to all Eurognosi centres in Filothei and Nea Ionia. Contact details for each centre can be found at:
https://www.eurognosi-fni.com/contact

What personal data we collect

“Personal data” within the meaning of the GDPR (2016/679) means:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

At Eurognosi we collect the following categories of personal data:

Student data: full name, date of birth, home address, phone number, email, school grade (for minors), profession (for adults), ID number for participation in certification exams, information on any learning difficulties, language competence level.
Parent/guardian data (for minor students): full name, home address, contact phone number, email address, profession.
Employee data: full name, father’s and mother’s name, ID card, Tax Identification Number (AFM), Tax Office (DOY), social insurance numbers, address, phone number, email, ethnic origin, bank account number, educational level, years of work experience, marital status, number of children.
Supplier data: company name, Tax Identification Number (AFM), Tax Office (DOY), address, phone number, email.
Third-party data: full name, phone number, address (details you provide to us as a reference/contact).

In addition, in the context of our digital services (PC Reservation System, remote-access PCs, online classroom platform, Daily.co), we may collect:

computer reservation details (date, time, selected PC, type of lesson/exam)
email address for sending booking confirmations and connection instructions (where required)
technical device data (IP address, browser type, device type) strictly for security and anti-abuse purposes
connection details to online classrooms (e.g. participant display name, role such as “teacher” or “student”)
temporary encrypted access tokens for online classrooms (Daily.co), which are generated securely and have a limited validity period.

We do not collect or store:

the content of conversations
audio or video of the lessons
screen content
chat content within the video-conferencing platform
any data beyond what is strictly necessary for the functioning of the service.

We collect the above data directly from you when you express interest in attending our courses or applying for employment at our centres, through telephone contact, physical presence or electronic application via the franchisor’s website. We do not retain data that we have not received from the data subjects themselves.

How we process your personal data

“Processing” within the meaning of the GDPR means
“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

In the context of the PC Reservation System and our online services, processing includes in particular:

collecting and recording reservation data in a secure database
organising reservations by centre, date, time and computer
using reservation data to ensure availability and avoid double bookings
generating or assigning temporary credentials for remote access to educational computers (where such service is used)
generating and using encrypted tokens for access to online classrooms
storing technical logs (e.g. IP address) for a limited period solely for security purposes, to investigate incidents of misuse or unauthorised access.

Purposes of processing

For all processing operations, Eurognosi centres, acting as data controllers, ensure lawfulness, fairness and transparency. Personal data are collected for specified, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes. The lawful bases for processing are the legitimate interests of the centres and the performance of the contract for the provision of educational services.

Indicatively, the purposes of processing include:

registration, attendance monitoring and assessment of students’ progress
management of studies and our financial relationship
participation in language and IT certification exams
communication with parents and guardians.

Additionally, for our digital services, the purposes include:

managing reservations for physical or remote educational computers
providing secure access to online educational platforms
generating secure access tokens for online classrooms (Daily.co)
protecting the security of our systems, users and networks against unauthorised use or malicious activity.

For any new processing purpose, we will obtain your explicit consent after first providing full information on the terms and conditions of such processing.

Data minimisation

Eurognosi applies the principle of data minimisation. Personal data we process are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Data accuracy

Data accuracy is a key element of our Privacy Policy. The personal data we process are accurate and we take every reasonable step to ensure that personal data that are inaccurate are rectified or erased without delay. We also periodically update your data to keep them current and correct.

Data retention period

We limit the storage period to what is strictly necessary for the purposes of processing. In particular:

physical files of applications and re-enrolment forms are destroyed at the end of the school year
language certificates, following your successful participation in the exams, are kept at our centres for up to 2 years for your convenience and then destroyed
annual progress reports are kept until the start of the new school year and then destroyed
documents relating to learning difficulties are destroyed immediately after your participation in the relevant exam session, unless you explicitly consent to their retention until a later exam session
student records are retained until the end of the following school year and then destroyed.

Additionally, for our digital systems:

PC reservation data (date, time, computer, name) are kept for up to 12 months for organisational, monitoring and service-improvement purposes and are then deleted or anonymised
temporary remote-access credentials are deleted immediately after the end of the session
encrypted access tokens for online classrooms have a short validity period and are not stored beyond what is strictly necessary for connection
technical security logs (e.g. IP address, browser info) are retained for up to 90 days, unless a longer retention period is required to investigate a security incident.

Please note that certain personal data are stored for longer periods for archiving in the public interest. This includes tax and social insurance data, for which we apply appropriate organisational and technical measures.

Integrity and confidentiality

Processing is carried out in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

Among other things, we ensure:

authorised access only
monitoring of access to personal data
secure destruction
and other relevant technical measures.

For our digital services, we also implement:

encryption during transmission and, where feasible, in storage
the use of firewalls, security mechanisms and protection services (e.g. Cloudflare)
strict role-based access to systems by authorised personnel only
regular assessment of the security of our information systems.

When we request your consent

For any processing activity other than the performance of the educational services contract and compliance with our legal obligations, we will request your explicit consent after first providing all necessary information. We may request your consent for:

sending you informational emails about our services, when you have expressed interest in them
sending you informational SMS about our services, when you have expressed interest in them
taking photos and videos during school events
posting photos and videos on our website
posting photos and videos on social media with clear descriptions
printing photos in commemorative or promotional material
displaying your full name on lists of successful candidates on our website
displaying your full name on lists of successful candidates in commemorative or promotional material
recording video during the educational process as part of exam preparation.

Additionally, for online services we may request your consent for:

creating an account on an online educational platform
installing/using a dedicated application (e.g. WebView app) on your personal device to access online classrooms
using remote access to educational computers from home.

Your consent is stored by our centres as part of our compliance with the GDPR.

You may withdraw your consent at any time by contacting us. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Recipients of your personal data

Your personal data are entered into the information system of the franchisor (Eurognosi), as required by law. The franchisor has taken all necessary technical and organisational measures to ensure a high level of security.

We seek to ensure an appropriate level of security by implementing suitable technical and organisational measures, always in line with technological developments, to protect your data against unauthorised access, misuse, alteration, prohibited dissemination, disclosure, loss or accidental/unlawful destruction and any other form of unlawful processing. In particular, we use encryption and ensure the confidentiality, integrity, availability and resilience of processing systems. We maintain the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident. The franchisor regularly assesses and evaluates the effectiveness of these measures.

Your personal data are shared with foreign language certification bodies, for the sole purpose of fulfilling our contractual obligations towards you, after informing you.

Your personal data are also shared with IT certification bodies, for the same purpose, after informing you.

Where we cooperate with third parties or use relevant software to support our purposes, we obtain all necessary guarantees for the secure processing of your personal data.

In particular, with respect to our digital services and platforms, data may be transmitted to:

Daily.co, as provider of the video-conferencing platform, solely for the creation and operation of online classrooms
Wix.com Ltd., as provider of our website hosting and related forms/applications
Cloudflare, Inc., or equivalent providers of security/CDN services, for the protection of our website and infrastructure.

These providers are contractually bound to protect your data, not to use them for their own purposes, and to comply with GDPR requirements.

Your rights

We respect all your rights arising from the processing of your personal data. Under the GDPR (Regulation (EU) 679/2016), you have the following rights:

Right of access (Article 15): you may obtain confirmation as to whether or not we process your personal data and, if so, access them and obtain information about the categories of data, purposes of processing, legal basis, recipients, retention period or the criteria used to determine that period, your rights and the source of the data if not collected directly from you.
Right to rectification (Article 16): you may contact us at any time to correct or update your personal data. We also periodically update your data to keep them accurate.
Right to erasure (‘right to be forgotten’, Article 17): you may request the deletion of your personal data at any time. We will delete the data we hold, provided that they are no longer necessary for the purposes for which they were collected, there is no other legal basis for processing, you have withdrawn your consent (where relevant), and you no longer wish us to process them. Please note that personal data may be retained where necessary for the establishment, exercise or defence of legal claims, for archiving in the public interest, or to comply with tax and social security law.
Right to restriction of processing (Article 18): you have the right to request that we restrict processing. In this case, apart from storage, your data will only be processed with your consent or for the establishment, exercise or defence of legal claims or for reasons of important public interest.
Right to withdraw consent: where processing is based on your consent, you may withdraw that consent at any time.
Right to data portability (Article 20): you may request that we provide your personal data in a structured, commonly used and machine-readable format and/or transmit them to another controller, where processing is based on consent or carried out by automated means.
Right to object (Article 21): you may object at any time to the processing of your personal data where the legal basis is our legitimate interests or the public interest.
Right to lodge a complaint with the supervisory authority: if we do not respond to your request within the time limits set by the GDPR, you have the right to lodge a complaint with the supervisory authority. In Greece, this is the Hellenic Data Protection Authority (HDPA), dpa.gr.

When you exercise your rights, we will notify each recipient to whom the personal data have been disclosed of any rectification or erasure or restriction of processing, where feasible. Upon your request, we will inform you about those recipients (Article 19 GDPR).

How to exercise your rights

We have ensured that you can easily exercise your rights.
To restrict processing for marketing purposes or withdraw your consent, you can click “unsubscribe” in any email we send you, or adjust your phone settings to block push/SMS messages.

For all your rights, we comply with the requirements of Article 12 GDPR. You can email us at: filothei@eurognosi.info. You can also exercise your rights orally, provided that your identity can be verified by other means. For security reasons, we may ask you for additional information to confirm your identity.

Cost and response time

We will process your request without undue delay and free of charge and, in any event, within one month of receipt. In exceptional cases, this period may be extended by a further two months, taking into account the complexity and number of requests. In such cases, we will inform you within one month of receipt of your request, explaining the reasons for the delay.

All information provided in response to your requests is free of charge. However, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may charge a reasonable fee or refuse to act on the request, in accordance with Article 12(5) GDPR.

If we do not act on your request, we will inform you without delay and at the latest within one month of receipt of the reasons for not taking action and of your possibility to lodge a complaint with the Hellenic Data Protection Authority and seek a judicial remedy.

Automated decision-making

Eurognosi centres do not use automated decision-making systems, including profiling, that produce legal effects concerning you or similarly significantly affect you (for example, fully automated grading or profiling of students).

Any automated processes we use are limited to technical security functions (such as access control, anti-abuse mechanisms, rate limiting) and do not affect the substance of the educational process or your rights.

Closed-circuit television (CCTV)

Our centres may use CCTV systems in order to protect people and property from damage and unlawful acts.

The CCTV system operates in accordance with applicable legislation and the guidelines of the Hellenic Data Protection Authority.

Cameras are not installed in classrooms or staff working areas, but only in common areas, storage rooms, the cashier area and the external perimeter of the premises, without capturing images of public spaces.

Warning signs are placed before entering the monitored areas.

Monitoring screens are located in secure areas and are accessible only to authorised staff and the General Director. Where we work with an external security company, we ensure that it is bound by confidentiality obligations and applies all necessary security measures.

Cameras do not record sound.

Footage is kept for up to 15 days and is then destroyed. In case of an incident, relevant footage is stored in a separate locked storage medium and provided to the competent police authorities.

Access to recorded footage, for as long as it is retained, may be granted to persons who appear in it and to third parties who demonstrate an overriding legitimate interest, upon written request. The General Director assesses such requests and may refuse access if no overriding legitimate interest is established, or if access by the data subject could hinder the investigation of an incident.

General commitments

Personal data in each category are kept for as long as necessary for the purpose of processing.

All Eurognosi centres, employees and external partners are bound by a duty of confidentiality regarding personal data they become aware of in the course of their duties. They are subject to all obligations laid down in the GDPR.

Updates to this Policy

We reserve the right to update this Policy where there are changes in the personal data we process, new processing activities are introduced, or any other change occurs that is deemed significant for the protection of personal data. Any updates will be posted on our website and we will notify you by any appropriate means.

For any matter relating to personal data, you may contact us at: