Privacy Notice

  • Home
  • Privacy Notice
Privacy Notice HCFA TEAM May 13, 2023

This Privacy Notice sets the rules and explains how personal data is collected and processed by the Hellenic Cystic Fibrosis Association (H.C.F.A.) established in 1983 in Greece (Tax Ιdentification Number 099524287) and located in Athens (Karaiskaki 28, +30 6944255853, and is legally represented by the President Mrs. Anna Spinou.

Hellenic Cystic Fibrosis Association (H.C.F.A.) is a non-profit patient association. Its purpose is the protection and welfare of Cystic Fibrosis patients and their families throughout Greece through unified, multifaceted, and nationwide representation. The Association is registered in the National Register of Non-Profit Private Sector Bodies that provide social care services and in the Special Register of Voluntary Non-Governmental Organizations.

The Association is bound to protect the data processing activities and the personal data it collects and uses according to this Privacy Policy, the General Data Protection Regulation/GDPR (EU) 2016/679 and the Greek legislation for the protection of personal data (L. 4624/2019) and the protection of the privacy of electronic communications (L. 3471/2006).

With this Privacy Policy, the Association, as Personal Data Controller, informs about the way and purpose of collecting and processing personal data, about their retention time, the conditions for their transmission to third legal recipients, and about how to exercise your rights under the General Data Protection Regulation and the applicable Greek legislation. 



The Association processes the personal data in a lawful, fair, and transparent manner; to collect them for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes. The personal data that the Association request and collects are adequate, relevant, and limited to what is necessary for the purposes for which they are processed. The personal data are accurate and, where necessary, kept up to date. The Association takes every reasonable step to ensure the appropriate security of the personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.

‘Processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.



The Association advocates for patients and their families’ rights, provides support and accurate information, and promotes public awareness, clinical research, and collaboration with health professionals, the State, and public and private entities. 

Patients, parents/guardians, and caregivers are registered as members following the procedures laid down in the statutes after being informed of the purposes of the Association, filling out an application form, and paying the membership fee. The Association is supported by a Scientific Committee, which consists of specialized doctors and health professionals in Cystic Fibrosis from all hospitals and Cystic Fibrosis Units and dedicated Centers in Greece where patients are monitored and treated. Honorary members of the Association are exempt from the obligation to pay a subscription.

The data collected and processed by the Association are used for:

  • Its operation and the fulfillment of its statutory objectives Registration of new members
  • Communication with its members and the public
  • The free provision of medical equipment, e.g., personal spirometer, portable oxygen, nebulizer, at the request of the patient or his caregiver
  • Informing Institutions and the Press
  • The exchange of views in patient forums and closed groups on online social media
  • Participation in psychological support groups 
  • Processing job applications and monitoring employment relationships
  • Assisting the participation and registration of events through the completion of paper and online forms
  • Responding to inquiries, applications, and incoming requests 
  • Sending electronic communication via mail, email, telephone, fax, multimedia messages, internet-based communication platforms, and applications (Viber, WhatsApp, Skype, Facebook Messenger, Facetime, etc.)
  • Notifying about disruptions of services
  • Complying with legal and regulatory obligations
  • Establishing, exercising, and defending its legal rights 


The Association collects personal data from the data subject’s interaction through correspondence, phone, mail, email, printed and online contact forms, social media, or through its website. More specifically: 

– When you fill and submit forms in print or electronically 

– When we communicate with you via mail, email, social media, internet-based communication platforms (Viber, WhatsApp, Messenger, etc.), and video calls. 

– During events 

– From third parties to whom you have consented to transfer your data to us.

– From the device or the browser you use to access our website and social media pages.   





(Includes without limitation)





Identification data (name, surname,) identity card, financial data (Tax ID), communication data (address, e-mail address, telephone numbers), Payment data (membership, bank accounts, credit cards numbers), Membership application, profession, category of membership (patient, parent/guardian)

Health data for the patients: data of birth, health information, Health unit where the patient is treated.

Zoom accounts: Video and audio data during video conferences via the Zoom platform, email participant in the video conference.

Comments and questions through the closed member communication group on Facebook and other online platforms.

Consent according to the Article 6 (1) (a) GDPR


Compliance with a legal obligation according to the Article 6 (1)(c) GDPR.


The legitimate interests pursued by the Association or by a third party, according to Article 6 (1)(f) GDPR and Article 11 (3) of the Greek Law 3471/2006


Processing of special categories of personal data

The explicit consent to the processing according to Article 9 (2)(a) GDPR


Health Professional, Medical staff, students

Identification data (name, surname,) identity card, communication data (address, e-mail address, telephone numbers), job descriptions.

Consent according to the Article 6 (1) (a) GDPR

Partners, third party providers and suppliers

identification, communication, and financial data (name, surname, email address, address, phone number, job title, identity card number, Tax ID No, bank accounts).


The performance of services, a contract, or an agreement according to the Article 6 (1)(b) GDPR.

Compliance with a legal obligation according to the Article 6 (1)(c) GDPR

Employees, job applicants, interns

Identification data (name, surname, father’s name, mother’s name, date of birth, identity card/passport number, (Tax ID No., photo, citizenship), communication data (address, e-mail address, telephone numbers), financial data (bank accounts, salary, additional fees), family status, social security data (social insurance registration number/AMKA, social security number/AMA, Single Agency of Social Insurance/ EFKA), studies (degrees and vocational training data), letters of references. Health data is collected and processed when required by law.

The performance of services, a contract, or an agreement according to the Article 6 (1)(b) GDPR, and Article 27 of the Greek Law 4624/2019.


Compliance with a legal obligation according to the Article 6 (1)(c) GDPR.







Identification and communication data (name, surname, email address, address, phone number)

Consent according to the Article 6 (1) (a) GDPR

Event participants

Identification (name, surname,) communication (email address, address, phone number), financial data (PayPal accounts, proof of payments), job title, studies.

Consent according to the Article 6 (1) (a) GDPR, and Article 11 (1) of the Greek Law 3471/2006 for the protection of personal data and privacy in the electronic communication.

Invited speakers


Identification (name, surname,) communication (email address, address, phone number), biographical information, photograph, employer, physical work address, work email address, link to company website and/or professional LinkedIn page available to the public

Consent according to the Article 6 (1) (a) GDPR.


Identification data (name, surname, identity card), communication data (address, e-mail address, telephone numbers)

Donation information: amount, bank payment details (bank, account number, IBAN), credit/debit card numbers

Consent according to the Article 6 (1) (a) GDPR.


Compliance with a legal obligation according to the Article 6 (1)(c) GDPR.

Website and social media pages visitors

Browser information, IP address, Internet Service Provider, type of device, operating systems, navigation information, and other relevant identifications of the computer used to access the website.

Consent according to the Article 6 (1) (a) GDPR, and Article 11 (1) of the Greek Law 3471/2006.

The legitimate interests pursued by the Association or by a third party, according to Article 6 (1)(f) GDPR

Electronic communication recipients (newsletters)

Name, surname, email address.

Consent according to the Article 6 (1) (a) GDPR, and Article 11 (1) of the Greek Law 3471/2006 for the protection of personal data and privacy in the electronic communication.


The Association, as Data Controller, is obliged to carry out an identity check during the registration process of its new members, to check the accuracy of their data and to update them at regular intervals.



Registered members of the Association can participate in closed online social media groups (e.g., Facebook) and groups with a physical presence. Posts and discussions are confidential, reflect the views of individuals, and are not shared with third parties. The official positions of the Association are communicated announcements. 


The registered members of the Association agree to receive news from the Board of the Association with content related to their subscription or automatic emails sent from the website for proper use. 

The Association will seek and obtain the relevant consent for any other electronic communication recipient category.


CF Greece does not share, sell, rent, transfer, or trade personal information with third parties. A transfer may occur only under the following circumstances:

– If you have given your free and explicit consent, having been informed in advance of the purposes of the transfer

– To public authorities if required by law or a statutory obligation and if the transfer is necessary to protect its rights and comply with legal or judicial procedures and court decisions. 

– to service providers and subcontractors (processors and subprocessors) who process personal data on behalf of the Association, such as accounting, IT, and cloud services. 

The data transfer will be under Article 28 of GDPR, which sets the data processors’ responsibilities. The data processors are bound to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. If the sub-contractor processes Personal Data outside the EU/EEA area, such processing must be under the provisions and conditions of the GDPR, including the EU Standard Contractual Clauses for transfer to third countries or another specifically stated lawful basis for the transfer of personal data to a third country.


The Association uses cookies and other relevant technologies to give the user the best possible experience, navigate the website efficiently, perform certain functions, analyze traffic, and optimize its services. 

More information on the cookie policy can be retrieved here.


The Association implements appropriate technical and organizational measures to ensure the necessary level of personal data protection against risks, misuse, or unauthorized access to them. All information related to the personal data of persons is regarded confidential. 

The Association has established procedures for data access by authorized members of the Board of Directors and appointed individuals for specific processing purposes, use secure security codes, technology to detect network interference, encryption, verification technologies, procedures for secure connections, and protection from malware.


The Association uses and stores personal data for as long as necessary to fulfill the collection and processing purpose. It may keep it for a reasonable period after your last interaction with the Association. The retention period is defined and may be extended by law to establish, exercise, or defend legal claims and security purposes. 

If personal data is no longer necessary for purposes, it will be deleted or destroyed securely.

The personal data of the electronic communication recipients will be automatically deleted if the individual unsubscribes from the list.

The Association may keep data for statistical purposes, but data will be anonymized.

If the data retention period has expired, the Association may notify the individuals via electronic communication, phone message, or any other proper means (e.g., an announcement to the Press) that it will proceed to delete or destroy the specific files. In addition, the persons have the right to receive a copy of their files.


The data subjects shall have 

  • The right to obtain confirmation as to whether and how personal data concerning them are being processed and access to the personal data. (Right of Access). 
  • The right to obtain the rectification of inaccurate or out-of-date personal data concerning them. (Right to Rectification).
  • The right to restrict the processing of personal data if the provisions of Article 18 GDPR apply. (Right to Restriction of Processing).
  • The right to request the deletion of personal data when it is no longer necessary, under the conditions set in Article 17 GDPR. (Right to Erasure). The Association shall delete the personal data unless Law or the personal data prohibit the deletion are necessary to exercise a legal right.  
  • The right to withdraw consent to personal data processing at any time, without prejudice to the lawfulness of the consent-based processing before the withdrawal in question. In case the natural person is a member of the Association, the withdrawal of consent that entails the refusal to provide personal data, which are prerequisites for the registration of members, makes membership impossible. 
  • The right to request that the Association as Data Controller pass on personal data directly (in a portable format) to another data controller when the processing is based on consent or contract. (Right to Data Portability)
  • The right to object to the processing if the data processing has been based on legitimate interest. (Right to Object)
  • The right not to be subject to a decision based solely on automated processing, including profiling
  • The right to be informed in case of a data breach if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.


Queries about Privacy Rights should be sent to, + 30 6944255853. 

The Association shall provide information on action taken on a request without undue delay and, in any event, within one month of receipt. That period may be extended by two further months where necessary, considering the complexity and number of the requests. The Association shall inform the data subject of any such extension within one month of receipt of the request and the reasons for the delay. 

The information is provided for free unless the requests are manifestly unfounded or excessive, in particular, because of their repetitive character. In this case, the Association has, also the right to 

answer to the request.

For further actions, you may contact the Hellenic Data Protection Authority, Kifissias 1-3, PC 115 23, Athens, Greece, Telephone: +30-210 6475600, Ε-mail:

Last Update May 2023