With the following notice, OPAP S.A. having its registered seat at Leoforos Athinon 112 in Athens (hereinafter “OPAP S.A.”) and acting as personal data controller with regard to the Corporate Social Responsibility mobile application available under the name Contribution Squad OPAP (hereinafter “CSR app”), intends to provide information on personal data collected by visitors/users and further processed while using CSR app. The present notice refers to the nature of personal data, the means and purposes of collection, any third parties with which this data is being shared, as well as the rights that you have, according to Regulation 2016/679 of the European Union [General Data Protection Regulation] and any applicable data protection legislation.
OPAP employs the UUID (Universally Unique Identifier) system/technology, which ascribes a unique number to each visitor/user when downloading the CSR app. You have the possibility to either remain anonymous when using the CSR app or login with your Facebook or Google account. Only the option of logging with your Facebook/Google account enables the use of all functionalities of the CSR app, such as the ability to join or create “teams”.
All data collected via the CSR app (listed below) is linked to the UUID of a given visitor/user. If you log in with your Facebook/Google account at first use or later, all data already collected and linked to the UUID will be linked also to your Facebook/Google account. In case you uninstall the CSR app, the UUID will lapse as well and in case of reinstallation, the data can be assembled again under a different UUID that will be ascribed anew upon reinstallation.
Which Personal Data We Process
Personal data, as provided by you via the CSR app is processed by the responsible and authorized employees of OPAP. Specifically, OPAP:
A. collects and further processes the following personal data of visitors (i.e. non-logged-in users), generated while using CSApp:
- UUID (mobile app user identifier);
- Browsing data (e.g. average time spent, sessions, screen viewed, actions and clicks etc.);
- Points collected and interaction with “teams”.
B. collects and further processes the following personal data of registered users:
- E-mail address, username/ full name, password, when 1st party log-in is enabled or Apple / Facebook / Google log-in data (e-mail address, username/name, profile photo), when 3rd party log-in is enabled;
- Pictures, if you choose to upload any on the CSR app;
- Postal address, full name, phone number, e-mail address, gift sent, when you participate in the "Efhostolidia" - Wishing Ornaments activity and wish to receive the original drawing of the child;
- Technical information relating to the use of the CSR app, such as: game preferences, software bugs reports, geo-location data, information collected from cookies/SDKs, connection date and time, IP address;
- Data relating to other device permissions, including sports activity (steps), device contacts, location data, when such permissions are enabled by you in the context of a specific game or activity.
Why We Collect It
In the context of installing and using the CSR Aapp, we process the abovementioned personal data, for the following purposes and lawful bases:
Moreover, it is noted that the CSR app may have access inter alia to the following operating system permissions: GPS with precise location, access to contact list, access to physical activity (steps), camera access. A relevant permission will pop-up when trying to use functionalities that require these permissions (e.g. a specific game or CSR activity such as digital running events). The processing of relevant personal data under such permissions is considered contractually necessary, when the features enabled form an intrinsic element of a specific game or activity.
B. Legal Obligation
Given the fact that OPAP operates in the gaming industry, which is a highly regulated one, even if the CSR App does not offer betting functionalities, the processing of users’ personal data is also necessary for OPAP’s compliance with legal obligations arising under the current applicable legislation regulating the gaming market in Greece either regarding the offer of gaming services offline or online, including provisions for Responsible Gaming and Commercial Communication. Pursuant to the above legal provisions, the processing of users’ personal data is also necessary for adult age confirmation.
C. Legitimate Interests
In addition, it is in OPAP’s legitimate interests to process personal data for its internal operations aiming at the overall improvement of user engagement and business development of the CSR app. In this respect, OPAP creates users’ profile, through segmentation based on the users’ behavior data, via automated processing, without resulting to any significant (legal or other) results for users. This is done by analyzing aspects of users’ navigation in the CSR app and specifically the average time they spend per session, their actions and clicks inside the application, in order to generate anonymized statistics on the usage of the CSR app that aim to improve UX (user experience).
Pursuant to the legislative framework on electronic communications and according to your specific consent, we will place on your device software applications (developed by us or third parties), which function as trackers, in order to be able to better customize the CSR app to your specific preferences, to analyze its use, as well as for advertising purposes. For more information, please consult our Trackers Notice, where you can also review, change or withdraw your consent.
In case we need to process your personal data for purposes other than the ones described above, we will notify you accordingly and in advance and will seek for your consent, if so required.
With Whom We Share It
We would also like to inform you that, in the context of providing the full functionalities of the CSR app, recipients of your personal data are:
- the mobile app developer and maintenance company;
- technology vendors, such as companies engaged in third-party log-in, analytics, crash reporting, troubleshooting, measurement and advertising services, including through device trackers;
- BTL (Below The Line) agencies, supporting for example the logistics of the "Efhostolidia - Wishing Ornaments” CSR activity;
- any other administrative, judicial or other public authority, or generally any legal or natural person to which this data shall or may be disclosed, pursuant to applicable legislation or a judicial decision.
The CSR app uses trackers which enable us to better advertise and develop our products, including Facebook Business Tools. Please note that specifically in the context of the Facebook Business Tools, we operate as Joint Controllers along with Meta Platforms Ireland Ltd, according to our data sharing agreement, which sets -among others- our responsibilities for compliance with the obligations under the GDPR with regard to the Joint Processing. Meta Ireland is responsible for enabling Data Subjects’ rights under Articles 15-20 of the GDPR, with regard to the Personal Data stored by Meta Ireland after the Joint Processing. You can find more information in Meta Ireland’s data policy.
In the recipients described above, there are also vendors which are based outside the EU/EEA and specifically in the USA. Therefore, some of your personal data are internationally transferred. For this reason, we have taken increased due diligence measures, such as data minimization, anonymization and encryption techniques, as well as signature of strict standard contractual clauses.
If you decide to login using your Facebook/Google/Apple account, your personal data (name, points collected, teams joined, pictures uploaded, score achieved) will be visible by other users/visitors of the CSR app.
How Long We Keep It
Your personal data is retained for 2 years after your latest interaction with the CSR app. We may keep your data longer than this period, if so required by applicable legislation. The data collected in the context of the "Efhostolidia - Wishing Ornaments" CSR activity is retained for 3 months.
In any case, we wish to inform you that, according to applicable legislation and in the context of using the CSR app, you have and can exercise the following rights:
- right of access to your personal data, as well as to the information relating to their processing,
- right to rectification of inaccurate or incomplete personal data,
- right to request deletion of your personal data (right to erasure),
- right to restriction of the processing of your personal data,
- right to data portability in a structured, commonly used and machine-readable format (e.g. USB stick),
- right to have your data (directly) transmitted to another controller,
- right to object to the processing when the processing is based on our legitimate interests, as well as
- right to withdraw any consent given at any time and with no cost
In case you exercise the rights of rectification, deletion or restriction of your personal data, these requests will be communicated to any third-party recipients to whom this data has been disclosed in the context of the CSR app’s functioning.
You can exercise any of the abovementioned rights, including the right to request deletion of your personal data (right to erasure), by submitting a written request to OPAP DPO, using the contact information below.
You can expect a reply to such a request within one (1) month following its receipt by OPAP. This period may be extended by two (2) additional months, if the complexity of your request or in general the number of requests received, so requires.
CSR app may contain links to other websites that are under the responsibility of third parties. In this case, OPAP is not responsible for the protection of personal data terms, which these websites follow. The personal data protection terms provided with the present notice may be updated at any given moment. In such case, you will be notified accordingly with a push notification or with a dialogue box when opening CSR app.
In order to reassure the minimization, accuracy and completeness of your personal data, OPAP undertakes to periodically review the data, in order to rectify it or safely delete the data that is no longer necessary for the purposes of CSR app’s functioning. OPAP reassures that it has taken all adequate technical and organizational measures, according to current technological standards and applicable laws and regulations, so as to guarantee that the processing of your personal data (by OPAP or by any third parties on behalf of OPAP) is lawful, adequate and secure against any unauthorized or accidental access, disclosure, processing, erasure, modification or other use.
For any request regarding the processing of your data and in case you find that we have not complied with the principles included in the present privacy notice, please contact the Data Protection Officer of OPAP S.A. as soon as possible, using the following contact details:
Website: www.opap.gr/gdpr | Address: 112 Leoforos Athinon, P.C. 10442 Athens |Phone: +30 210 5498888 | Email: email@example.com
In case you deem that we have not duly satisfied your request and the protection of your personal data is somehow affected, you may lodge a complaint through the dedicated online portal of the Hellenic Data Protection Authority (Athens, 1-3 Kifissias Avenue, 11523 Athens, Greece | +30 210 6475600). You may find detailed guidelines on how to lodge a complaint on the DPA’s website.