A. Introductory elements
This information is provided by the Anti-Money Laundering Authority (hereinafter “the Authority”) and explains briefly how the Authority protects the personal data (hereinafter “PII”) it holds in the performance of its functions and its operation in general.
The “Authority” is an administratively and functionally independent authority, based in Athens and consists of the Financial Intelligence Unit A, the Financial Sanctions Unit B, the Financial Disclosure Control Unit C, the Internal Audit Unit and the Independent Administrative Support Office.
Its structure and operation are governed by confidentiality and secrecy (articles 27, 49 and 50 of Law 4557/2018, article 30 of Law 5026
/2023) and has the following responsibilities, in addition to those that may be provided for by specific legislation:
a. to take and implement the necessary measures to prevent, detect and combat money laundering and the financing of terrorism,
b. to identify persons associated with terrorism and to impose financial sanctions against them and against persons designated by UN Security Council Resolutions and the The Authority consists of three (3) individual units as follows: 3213/2003 (Α` 309).
B. Data Controller for the processing of Personal Data
Under the General Data Protection Regulation and Law No. 4624/2019, the ‘Authority’ is considered responsible for the correct processing of data held by it (Data Controller):
Anti-Money Laundering Authority
Postal address: ATH.18 – Thiseio, P.O.Box 11801, P.O.Box 20001
Telephone: 2131311011
Γ. Purposes and legal basis of processing
The “Authority” shall process financial intelligence for the purpose of taking and applying the necessary measures to prevent, detect and combat money laundering and terrorist financing, the identification of persons linked to terrorism and the imposition of financial sanctions against them and against persons designated by Resolutions of the Security Council of the United Nations and its organs or by Resolutions and Regulations of the European Union, the verification of declarations made by persons linked to terrorism, the verification of the information provided by persons linked to terrorism, the identification of persons linked to terrorism and the imposition of financial sanctions against them and against persons designated by Resolutions of the Security Council of the United Nations and its organs or by Resolutions and Regulations of the European Union, the verification of declarations made by persons linked to terrorism, the identification of persons linked to terrorism and the imposition of financial sanctions against them and against persons linked to terrorism. The Authority consists of three (3) individual units as follows: 3213/2003 (A’ 309), the fulfilment of any other competence that may be conferred on it by legislative provision, as well as for the execution of its general operation (financial rules and procedures, human resources and organisation, digital governance).
The legal basis of the processing may be:
- Exercise of public authority
- Compliance with a legal obligation
- Consent of the data subject
- Contract performance
D. Origin of the data
The data processed by the Authority may come from various sources, such as public and private sector services and bodies, the Authority’s staff and persons who are or wish to work for the Authority, services of other countries and international organisations, persons who, either directly or as executives of legal persons, wish or intend to contract with the Authority, in the context of any kind of contract, as well as the internet.
Ε. Subjects of the data
The subjects of the PII processed by the Authority may be the subject of research, analysis, control, general exchange and access to information or issuance of acts, they may be part of the bodies cooperating with the Authority, whether they are located in the country or abroad, they may visit the premises or the website of the Authority, they may work, be employed by or wish to work for the Authority, they may attend events, etc. organised by the Authority and contract with the Authority, either directly or as related legal entities (e.g. suppliers, contractors).
F. Types of data
The “Authority” processes personal data such as full name, patronymic, maiden name, date and place of birth, place of residence and work, contact telephone numbers and e-mail address Tax Identification Number (TIN), Social Security Number (SSN), tax data, financial status and criminal record.
Ζ. Data protection
The ‘Authority’, when processing the CPD and with a view to protecting the rights of the data subjects, applies organisational or technical protection measures such as excluding access to documents and data for which there is no relevant authorisation, keeping the file in a dedicated area and providing access to it upon specific authorisation, using exclusively secure communication channels and approved devices for access to the Authority’s digital systems, applying multi-factor authentication (MFA) methods, operating systems for the protection of the rights of the data subjects, using the same procedures for the protection of the rights of the data subjects, using the same procedures for the protection of the rights of the data subjects, using the same procedures for the protection of the rights of the data subjects, using the same procedures for the protection of the rights of the data subjects.
H. Data retention period
The IFRS processed by the Authority shall be kept for a period of twenty (20) years. At the end of this period, they shall be deleted spontaneously, or, if deemed necessary for reasons of history, public interest or to ensure the satisfaction of the rights of the data subjects, they shall be placed in special places and access to them shall be allowed only upon specific authorisation or request.
Θ. Data collected through Cookies
The Authority uses cookies on its website only to optimise the functionality of its website. Cookies are very small text files of information that are used by browsers (Chrome, Mozilla Firefox, etc.) and help to improve the experience of using the website.
The ‘Authority’ website uses only functionality cookies which allow the performance of basic functions. These cookies do not collect information about visitors.
The user has the choice to accept or not the cookies. However, in case of non-acceptance of cookies, the visitor of the website does not have access to the correct and full display of part of the website content, especially in areas where third party web services are used over which AKNED has no jurisdiction.
The “Authority” does not request any personal information from its visitors while they are browsing the content of its website. If the use of a contact form requires contact details, these are intended exclusively for direct communication – communication of the user’s details to the Authority. These data are not disclosed to third parties and are not used for any other purpose than the one for which they were provided.
Ι. Rights of the subjects
The rights of data subjects, as they derive from the relevant legislation (Chapter III of Regulation (EU) 2016/679), are:
– Right to information
– Right of access
– Right of rectification
– Right to erasure (right to be forgotten)
– Right to restriction of processing
– Right to portability
– Right to object / opposition
– Right to refuse profiling
The rights of the data subjects are exercised by submitting written requests to the ‘Authority’, which are sent to it via the above-mentioned contact details. Requests must be clear and precise, so that they can be examined and decided upon.
The exercise of rights may be limited or excluded altogether, under the current institutional framework and in particular:
– Article 5 Paragraph 2 of Law 2690/1999 (A’ 45)
– Articles 49 and 50 of Law 4557/2018 (A’ 139)
– Article 30(4) of Law 5026/2023 (A’ 45)
– Article 2(2)(2)(d) and 23(1)(c), (d) and (e) of the GDPR
– Articles 32 et seq. and 53 et seq. of Law 4624/2019 (A’ 137)
– Articles 49 et seq. of Law 4920/2022 (A’ 74)
IA. Data Protection Officer (DPO)
The “Authority”, in application of Regulation 2016/679 and Law 4624/2019, has appointed a Data Protection Officer. His contact details are:
Anti-Money Laundering Authority (for the attention of the Data Protection Officer)
Postal address: ATH.18 – Thiseio, P.O.Box 11801, P.O.Box 20001
e–mail:dpo@aml-authority.gov.gr
IB. Right of recourse to the Personal Data Protection Authority and judicial protection
Any data subject may exercise his or her rights through the Data Protection Authority or submit a complaint to the Authority if he or she considers that there is a breach of the applicable institutional framework by the ‘Authority’ in the processing of his or her personal data. In the event of a negative decision by the Personal Data Protection Authority, the applicant may apply for annulment before the Council of State.
The contact details of the Personal Data Protection Authority are:
Personal Data Protection Authority
Postal address: Athens, 115 23, Kifissias 1-3, Athens, Greece
Telephone 21064 75600
e-mail: contact@dpa.gr
Complaint form: https://eservices.dpa.gr/wizard/?id=1331615