(In accordance with Regulation (EU) 2016/679 – GDPR)

1. Data Controller

The Data Controller pursuant to Article 4(7) GDPR is the Panhellenic Puzzle Association.

2. Legal Bases for Processing (Article 6 GDPR)

The processing of personal data is based on:

• The data subject’s consent (Article 6(1)(a) GDPR)
• The performance of a membership contract (Article 6(1)(b))
• Compliance with legal obligations (Article 6(1)(c))
• The legitimate interests of the Association (Article 6(1)(f))

3. Categories of Data

The Association processes:

• Full name
• Email address
• Telephone number
• Postal address
• Billing details
• Payment history (via Stripe)
• IP address
• Browsing data and cookies

4. Purposes of Processing

Personal data is used for:

• Managing registrations and memberships
• Financial management and issuance of receipts/invoices
• Communication with members
• Organization of events
• Sending updates and newsletters
• Promotional activities of the Association
• Promotional activities of cooperating third parties, sponsors, and supporters

5. Advertising & Analytics Services

The website uses:

• Google Analytics
• Google Ads
• Facebook Ads

These services may use cookies, tracking pixels, remarketing technologies, and conversion tracking tools.

Personal data may be transferred outside the European Economic Area in accordance with Articles 44–49 GDPR.

6. Processors

The Association cooperates with third-party service providers (e.g., Stripe, hosting providers, advertising platforms), with whom Data Processing Agreements are concluded in accordance with Article 28 GDPR.

7. Obligation to Update Personal Data

Members are required to ensure that their personal data remains accurate and up to date.

For any change, correction, or update of personal data, members must contact the Association directly using the contact details provided on the website.

8. Data Retention Period

Personal data is retained:

• For the entire duration of membership
• For as long as required by tax and accounting legislation
• For up to five (5) years after termination of membership for legal protection purposes
• Until withdrawal of consent where consent constitutes the legal basis

9. Data Subject Rights (Articles 12–22 GDPR)

Members have the right to:

• Access
• Rectification
• Erasure
• Restriction of processing
• Data portability
• Object to processing
• Withdraw consent

Requests must be submitted in writing to the Association.

Data subjects also have the right to lodge a complaint with the competent Data Protection Authority.

10. Data Security

The Association implements appropriate technical and organizational security measures in accordance with Article 32 GDPR, including:

• Encryption (SSL)
• Restricted access controls
• Internal data protection procedures