O L Y M P I A C O S   1 9 2 5
O L Y M P I A C O S   1 9 2 5

TICKET HOLDERS’ PRIVACY NOTICE

Ticket Holders’ Privacy Notice

OLYMPIACOS F.C.

OLYMPIACOS F.C. (hereinafter referred to as the “Club” or “we”) takes the protection of the privacy of its ticket holders (hereinafter referred to as “you”) very seriously and makes every effort to ensure its continuous compliance with the applicable National and European legal and regulatory framework for the protection of personal data.

  1. Scope

The purpose of this Notice is to describe the types of personal data we collect when issuing your tickets, the purposes for which we use and process your personal data, the legal basis for such processing, as well as your rights as data subjects, in compliance with the transparency and information obligations provided by the General Data Protection Regulation (hereinafter “GDPR”), as incorporated into Greek law by Law No. 4624/2019 and currently in force, including any amendments thereto.

The Club reserves the right to amend and revise this Notice whenever deemed necessary, with any such changes becoming effective upon their notification to you, either via email, or by being posted online, or through any other means the Club deems appropriate.

This Policy should be read in conjunction with the terms and conditions of ticket issuance and use, which you can read at the following link: TERMS OF USE

  1. Data Collected
  2. Upon issuance of season tickets

When issuing season tickets, the following personal data may be collected about you:

  • Full name
  • Age
  • Contact details (phone number, address, e-mail)
  • Social Security Number (AMKA)
  • Police Identity Card Number (ID)
  • Tax Identification Number (AFM)
  • Tax Office (D.O.Y.)
  • Other identification details (e.g. membership card information)
  1. Upon issuance of single tickets

When issuing single tickets, the following personal data may be collected about you:

  • Full name
  • Age
  • Contact details (phone number, address, e-mail)
  • Other identification details (e.g. fan card information)
  • Social Security Number (AMKA)
  1. Upon your entry into the sports facility

When you enter the sports facility premises, the following personal data may be collected and/or requested from you:

  • Full name
  • Age
  • Contact details (phone number, address, e-mail)
  • Other identification details (e.g. fan card information, police ID card or passport number and/or residence permit details)
  • Photographic and video footage (including date and time) of your entrance into areas monitored by closed-circuit television (CCTV)
  1. Sources of Data Collection

Your personal data are primarily collected from you or automatically. Automatically collected personal data include:

  • Video footage (including date and time) of your entry into areas monitored by closed-circuit television (CCTV)
  1. Purposes of Processing

The Club collects and processes your personal data, as outlined above, for the following purposes:

  • To fulfill its contractual obligations and to ensure the smooth operation of our relationship in relation to the issuance of tickets;
  • To manage business-related risks;
  • To protect its property;
  • To comply with obligations arising from sports legislation;
  • For tax purposes, invoicing, and evidence of service provision;
  • For the establishment, exercise, or defense of its legal claims.

The Club collects and processes your personal data solely for the aforementioned purposes and only to the extent strictly necessary for effectively serving these purposes. Such data are always relevant, appropriate, and not excessive in relation to the above-mentioned purposes. They are also accurate and, where necessary, kept up to date.

  1. Legal Basis

The Club lawfully processes your personal data and, for each type of processing it performs, relies on at least one of the following legal bases:

  • Processing is necessary for the performance of contractual obligations of the parties involved.

In order to fulfill the Club’s contractual obligations to you, and to ensure that your own contractual obligations to the Club are upheld, the legal basis for processing your data is Article 6(1)(b) of the GDPR, which provides that processing is lawful when “it is necessary for the performance of a contract to which the data subject is party.”

  • Processing is necessary for the Club’s compliance with its legal obligations.
    In addition to its contractual obligations, the Club must comply with various obligations stemming from the applicable legal framework. According to Article 6(1)(c) of the GDPR, processing is lawful when “it is necessary for compliance with a legal obligation to which the controller is subject.”
  • Processing is necessary for the purposes of the Club’s legitimate interests.
    Under Article 6(1)(f) of the GDPR, the Club may process personal data when such processing is “necessary for the purposes of the legitimate interests pursued by the Club, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data”.

In this context, examples of legitimate interest pursued by the Club include: the establishment, exercise, or defense of legal claims, the safeguarding of your safety and protection, and the protection of the Club’s property—all of which are essential for successfully achieving the Club’s corporate objectives.

  • You have provided your consent for the processing of your personal data.

In very limited circumstances, we may seek your explicit consent (opt-in) prior to conducting specific types of data processing. For example, we may request your consent to send you informational or promotional material, or to publish your information in corporate publications or other media for promotional purposes.

  1. Data Retention Period

The Club retains your personal data in accordance with applicable legal provisions and only for as long as necessary to fulfill the purposes outlined in the preceding sections, or for the period required by law, or to defend the Club against potential legal actions to pursue claims.

Once the purpose for which the personal data were collected (as stated in this Notice) has been fulfilled and the applicable retention period has expired, the Club proceeds to delete the data.

  1. Information Security

The processing of your personal data by the Club is carried out in a manner that ensures its confidentiality. Specifically, the Club has adopted appropriate organizational and technical security measures to prevent any loss, alteration, disclosure, or unauthorized access to or other unlawful processing of your personal data.

Moreover, the Club has restricted access to your personal data only to those individuals who need to be aware of it in order to perform their assigned duties. In any case, such individuals process your personal data only under the instructions of the Club and in accordance with its directives.

  1. Disclosure to Third Parties

The Club does not disclose your personal data or interconnect its database with any third-party private entities, natural or legal persons, public authorities or services, or other organizations, in exchange for financial or other compensation.

The Club may grant access to or transfer your personal data to:

Third-party service providers, who perform various functions on behalf of the Club (including site security and insurance), as well as external advisors, partners, lawyers, accountants, auditors, and providers of technical and support services, including IT consultants.

Financial institutions: We may exchange data with financial institutions where you hold a bank account in order to process payments.

Processing of your personal data by the aforementioned third-party associates is carried out under our control and solely under our instructions and is subject to the same privacy policy or a policy offering an equivalent level of data protection.

In the event the Club assigns the processing of your personal data to a third party on its behalf (i.e., as a “data processor”), it is obligated to enter into a written agreement, select a processor that offers sufficient guarantees in regard to the technical and organizational security measures governing the relevant processing, and require that the processor acts solely on behalf of the Club and in accordance with its instructions.

Furthermore, the Club must contractually ensure that the data processors provide appropriate safeguards for the protection and security of your personal data.

In addition, the Club may disclose your data in compliance with its regulatory obligations to:

Tax authorities, audit bodies, and other public authorities, when, in good faith, we believe that the law or another regulatory act requires us to provide access to or transfer such data.

Competent law enforcement authorities: We may disclose your data to the Police or other law enforcement or administrative authorities, where this is required by law or by any other lawful, enforceable act or order.

Any transfer of data to third countries outside the European Economic Area (i.e., outside the EU Member States, Norway, Iceland, and Liechtenstein) shall only take place in accordance with the applicable data protection framework (Article 49 of the GDPR) and when adequate safeguards exist for the protection of your personal data.

  1. Storage

Your personal data may be stored on servers located outside the countries of the European Economic Area and may be transferred to third countries (i.e., countries outside the EU/EEA).

The countries within the European Economic Area are considered to provide the same level of personal data protection as Greece. In cases where the Club transfers your personal data outside the European Economic Area, it is legally required to notify you of the purposes of such transfer and to provide appropriate safeguards for the protection of the personal data being transferred (Chapter 5, Articles 44–49 of the GDPR).

  1. Your Rights as a Data Subject

One of the core principles of the GDPR is the protection of the rights of natural persons with regard to the processing of their personal data. In this context, you have a set of rights concerning your personal data that are processed by the Club. Specifically, and in accordance with the GDPR, you have the right to:

  • Information, Access, Rectification, and Erasure:

You may request at any time to be informed about the personal data the Club holds about you and request the modification, correction, updating, or deletion of that information. We may request additional information in order to process your request. However, if we provide you with access to the information we hold about you, such access will be provided free of charge unless your request is “manifestly unfounded or excessive.”

If you request additional copies of the information, we may charge you a reasonable administrative fee. If we have a lawful basis to refuse your request, we will inform you of the specific reasons for such refusal.

  • Objection:
    You may object at any time to the processing of your personal data, particularly when such processing is carried out for the Club’s legitimate interests. If the processing is based on our legitimate interests, the Club will respect your objection and cease the specific processing unless it can demonstrate compelling and legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of the Club’s legal claims.
  • Restriction of Processing:

In certain circumstances, you have the right to “block” or restrict further use of your personal data. Practically, this means that we may store your data, but will not be permitted to process it further unless:

– you give your consent,

– processing is necessary for the establishment, exercise, or defense of the Club’s legal claims,

– processing is necessary to protect the rights of another individual, or

– processing is necessary for important public interest reasons.

We maintain lists of individuals who have asked to “block” the further use of their personal data to ensure that this restriction is respected in the future.

  • Data Portability:

You have the right to transfer your personal data to other data controllers. In practice, this means that you can obtain the personal data we hold about you and transfer it to any third party. To facilitate this right, we will provide your data in a structured, commonly used, and machine-readable format, allowing you to transfer your data to another controller. Alternatively, we may transfer the data directly on your behalf. This right applies to (a) data processed automatically (i.e., without human intervention), (b) personal data you have provided to us, and (c) personal data processed based on your consent or where processing is necessary for the performance of a contract.

  • Lodging a Complaint with the Competent Authorities:

You have the right to lodge a complaint with the competent supervisory authority. In Greece, this is the Hellenic Data Protection Authority (HDPA). You may contact the Authority using the following means:
(a) Postal Address: Hellenic Data Protection Authority, Offices: 1-3 Kifisias Ave., P.C. 115 23, Athens,

(b) Telephone Center: +30-210 6475600,

(c) Fax: +30-210 6475628,

(d) Email: contact@dpa.gr

  • Withdrawal of Consent:

In cases where the processing of your personal data is based on your prior consent, you have the right to withdraw your consent at any time. The Club will cease the specific processing activity for which you had previously given consent, unless there is an alternative legal basis justifying the continuation of the processing for that purpose, in which case you will be informed accordingly.

  1. Data Controller

The Club acts as the Data Controller of your personal data. The contact details of the Data Controller are as follows:

Corporate Name:

  

Olympiacos Club of Fans of Piraeus Football Société Anonyme
Trade Name: Olympiacos FC
G.E.MI. (General Commercial Registry) Number: 44327807000
Tax Identification Number (TIN): 094079531 – Tax Office: FAE Piraeus
Registered Address: Alexandras Sq., Postal Code 18534, Piraeus, Attica
Legal Representative: Evangelia Koutsavtaki
Data Protection Officer (DPO): Liza Kostarlidou
Telephone:   2169002520-2
Fax:   2169002519
E-mail: lkostarlidou@olympiacos.org

Do you have questions? Contact us

If you have any questions regarding this Notice, please contact the Data Protection Officer.

Definitions

“General Data Protection Regulation (GDPR)” – A regulation of the European Union aimed at harmonizing European legislation on the protection of personal data. It has been in effect since May 25, 2018, and any reference to it should be interpreted to include national implementing legislation.

“Personal data”: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be established, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing”: Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Sensitive personal data”: Personal data that includes information about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as physical and mental health, genetic and biometric data, data concerning a person’s sex life or sexual orientation, and information about criminal convictions and offenses. Due to the nature of sensitive personal data, the legislation is much stricter regarding how such data must be processed. The Company processes sensitive personal data only in accordance with the law.

“Personal data breach”: A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

“Restriction of processing”: The marking of stored personal data with the aim of limiting its future processing.

“Controller”: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

SUBSCRIBE TO OUR NEWSLETTER All the latest news from our team in your e-mail
SUBSCRIBE
I wish to receive Club newsletters, updates on competitions, new products and services, ticket distribution and offers by official sponsors and partners of Olympiacos FC; ; I have also read and accepted the terms of use.
This website uses cookies and in some cases, third-party cookies for marketing purposes and to provide improved services in line with your preferences. By clicking OK or by continuing to browse our website you agree to our use of cookies in accordance with our Cookies Policy. View our Cookies Policy by clicking here.
OK