Athens
International Airport
Privacy Notice

Data Protection Notice for Investors

Date of Issue: April, 2024 

The Company "Athens International Airport S.A." (AIA or the Company) recognises the importance of the privacy and security of the personal data (PD) disclosed to it by the data subjects in every interaction with the Company and the services it provides to the public. To this end, the Company follows a robust system of security of its information technology infrastructure and processing of personal data in compliance with the applicable National and European legislation. Further details are provided in the Company's Privacy Policy by following the link: Athens International Airport - Privacy Policy (aia.gr)

In the context of our above Policy, and following the listing of the Company’s shares on the Main Market of the Athens Stock Exchange, this notice is specifically addressed to our Company's Shareholders, as such are registered in the Registry maintained according to Law 4514/2018 and the Dematerialised Securities System and provides them with the pertinent information regarding the manner in which it processes the personal data of its current and former registered Shareholders and of their representatives, of persons who benefit from and/or exercise rights on the shares of the Company (e.g. usufructuaries or debtor holding a lien on voting shares, etc.)  as well as of their representatives, and of those who participate, under any capacity, in the General Meetings of Shareholders of the Company (hereinafter the “Shareholders”).

1. Data Controller:  Athens International Airport S.A. (AIA)     

                                            Administration Building (17) 

                                            Postal Code 190 19  

                                            Spata, Attica, Greece

Investor Relations Officer:   Manager Investor Relations, Shareholder Services and Corporate Announcements Department 

                                             Email: ir@aia.gr 

                                             Tel. 2103536493  

AIA holds all rights and obligations attributable to that capacity, in relation to the processing of any Personal Data, under the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and Law 4624/2019.

2. Data Protection Officer:   Manager, Regulatory Compliance, Data Protection & Ethics 

                                                                 Athens International Airport S.A. (AIA)   

                                                                 Administration Building (17), Spata, Attica, Greece

                                                                 Postal Code 190 19  

                                                                Email: privacy@aia.gr 

3. Data Processing Categories 

AIA, in its capacity as the Data Controller, in the context of enabling its Shareholders to exercise their capacity and in order to carry out the tasks required under its relationship with them as specifically set out in Article 4 "Investor Share" of the Operating Rules of the Dematerialised Securities System ("DSS" - Resolution 3/304/10.6.2004 of the Board of Directors of the Hellenic Capital Market Commission, Government Gazette B' 901/16.6.2004), collects the following personal data:

1. Data Subject Share No.; 
2. Name/surname/father’s name of the Data Subject; 
3. Identity Document; 
4. Nationality; 
5. Address; 
6. Telephone number; 
7. Email; 
8. TIN and Tax Office, Tax Residence;
9. Occupation, etc. 

Additionally for the preparation, participation and voting at General Meetings of Shareholders the processing of personal data is required:

• As per the Intangible Assets System (SAT) – indicatively:  for the creation and use of an electronic account of the Shareholder, or any representative on the online platform developed by the Hellenic Stock Exchanges Group- Athens Stock Exchange, as per applicable terms and conditions,
• The recording of image and/or voice of Shareholders during a hybrid Shareholder Meeting (video recording at the venue, or processing via the online platform www.athexgroup.gr/ AXIAeShareholdersMeeting, which is provided by the Company "Hellenic Central Securities Depository S.A.".
• Records are retained pertaining to the Number of Shares of the Data Subject, the date of their acquisition and payment of dividends, as well as other personal data, which may become required by applicable Market Regulations, as in force from time to time.

4. Categories of Data Subjects: 

1. The Shareholders of the Data Controller;
2. The proxies of the Shareholders of the Data Controller; 
3. The legal representatives of legal entities being Shareholders of the Data Controller;
4. Natural persons with any other kind of right to the Shares (e.g. usufructuaries, debtors holding a lien on voting shares);
5. The heirs of the Shareholders of the Data Controller;
6. Other persons interacting with the Company through the Contact Form, or the email address: ir@aia.gr 

5. Sources of collection of personal data

Shareholders’ personal data are collected through electronic records provided to AIA on a regular, or on a case by case basis, by the Hellenic Central Securities Depository, pursuant to the applicable provisions of the Law and the Regulation of the Dematerialized Securities System (DSS), issued by the Hellenic Capital Market Commission, which contain information related to the Company’s shareholder structure and any transactions on the shares thereof.

Furthermore, Shareholders or their legally appointed representatives or proxies may also directly provide their personal data, for the performance of tasks that concern them, including, but not limited to, matters of succession, participation in General Meetings of Shareholders etc.

In the event of any changes to their personal data, Shareholders are advised to ensure the timely update of their personal information (e.g., change of address or ID), so that the Shareholders Registry remains up-to-date and accurate. This procedure is performed through the Operator of their Securities Account within the Dematerialized Securities System (DSS) of the Depository.

Personal data are also collected through the website Contact Form or through direct emails to the address: ir@aia.gr

6. Purposes of processing of personal data  

The Company collects and processes the aforementioned Shareholders’ personal data for the following purposes: 

• to enable the participation of Shareholders in the General Meetings and the exercise of their rights therein upon confirmation of their respective capacity;
• to facilitate the settlement of Company’s corporate actions (e.g., dividend distribution, share capital increase);
• to manage and maintain the Shareholder Register, in accordance with the applicable legal provisions;
• to respond to requests submitted by Shareholders in connection with the services provided by the Company (e.g., issuance of certificates);
• to provide clarifications and reply to specific inquiries, or requests addressed to the Company by its Shareholders;
• to monitor transactions on its shares;  
• to facilitate Shareholders' access to the Company's information resources (e.g., the corporate website for shareholder information, the contact form, the transmission and receipt of newsletter);
• to fulfil its obligations under prevention of financial crime, anti-money laundering and counter fraud legislation;
• to perform over the counter (OTC) transfers of its shares, due to inheritance or legacy, in accordance with the provisions of the Greek Civil Code and the DSS Regulation;
• to disclose transactions of liable individuals and entities to the Athens Stock Exchange;
• to publish acts and information of the Company in the General Commercial Registry (GEMI-ΓΕΜΗ), the Athens Stock Exchange or on the website of the Company, as required by law;
• to fulfil its legal and/or contractual obligations;
• to comply with the orders of the competent police, public and judicial authorities;
• to defend its legitimate interests, to protect its property and its rights.
• For the purpose of facilitating interaction and communication to Shareholders and the public investors through the website contact form or through direct emails to the address: ir@aia.gr

7. Legal basis for processing 

Processing of Shareholders’ personal data by the Company is lawful, and before proceeding to processing, the Company ensures that it relies on one of the following Legal Bases:

1. Processing is necessary for the compliance of the Company with the legal obligations to which the Company is subject (article 6 § 1 point (c) of the GDPR), in particular under the Stock Exchange Law and the Dematerialised Securities System.
2. Processing is required for the purposes of the legitimate interests pursued by the Company, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects, which require protection of personal data (article 6 § 1 point (f) of the GDPR).
3. Processing is necessary for the fulfilment of contractual obligations of the Company towards Shareholders (article 6 § 1 point (b) of the GDPR), such as the distribution of dividends on their shares, or for actions connected or related to them.
4. Processing is performed on the basis of the respective Data Subjects’ consent, who give such consent by means of a statement or an explicit action (opt - in) after the Company has provided them with sufficient information as to the purpose and parameters of the processing (article 6 § 1 point (a) and article 7 of the GDPR). The withdrawal of the consent does not affect the lawfulness of the processing performed on the basis of the consent given prior to its withdrawal.

8. Retention period for personal data 

1. The retention period of Shareholders’ personal data by the Company in the context of their shareholder capacity, as described in the paragraphs hereinabove, is determined for the whole duration of the Company and in accordance with the applicable regulatory framework as in force.
2. Any additional personal information provided for the performance of specific tasks, such as in the case of inheritance succession, shall be retained for the period determined by Law.
3. Personal data submitted in the website contact form or through direct emails to the address ir@aia.gr are retained for a period of seven (7) years as of the end of submission calendar year.
4. Personal Data relating to the transmission of commercial information and newsletters, besides the capacity of Shareholder, will be retained until the recipient requests not to receive them, i.e., until the recipient withdraws his/her consent in this regard.
5. Shareholders' personal data may be retained for longer than it is needed according to the above i) if it is so required by law, ii) if the Company considers that such data are related to existing and/or potential legal disputes, iii) to defend its legitimate interests, or iv) to safeguard the vital interest of the Shareholder as data subject, or of another natural person.

9. Security of Personal Data Processing 

The Company recognizes and respects the importance of protecting the data of Shareholders, as data subjects, and is committed to ensuring the availability, integrity and confidentiality of the personal data processed. The aim is to protect data from unauthorized access, unlawful processing, misuse, alteration, accidental loss, destruction or damage. 

Organizational and technical measures are implemented to secure all physical and electronic databases. All data are classified and retained for predetermined periods of time, as set out in this Notice as well as in other Company Policies.  

Technical measures may include firewalls, intrusion detection and prevention systems, unique and complex passwords and encryption.

In addition, the Company ensures that the persons and Processors, who process personal data on its behalf comply with the applicable data protection legislation, act under authorization from the Company and in accordance therewith and they commit to keeping their actions confidential. The Company has established procedures to handle data security infringements, in order to comply with its legal obligations in such cases.

Personal data submitted to the website contact form by data subject consent are automatically extracted and securely transmitted to ir@aia.gr mailbox.

10. Transfer of data to third parties              

The Company may grant access or transfer its Shareholders’ personal data to: 

1. Third party service providers, who provide various services on behalf of the Company, acting either independently as data controllers or jointly with the Company, such as banks, providers of financial services, external advisers, partners, lawyers, accountants, auditors, as well as technical and support services providers. In such cases, processing is performed under the Company’s control and direction, in compliance with the Company’s Privacy Policy or a Policy providing same level of protection.
2. Tax, regulatory and other public authorities, the Athens Stock Exchange, the Greek Central Securities Depository, the Hellenic Capital Market Commission, the Deposits and Loans Fund and the General Commercial Registry, where the Company considers in good faith that there is a legal or regulatory requirement to provide access or to transfer personal data, or where the provision of information is required for the purposes of the legitimate interests pursued by the Company.
3. Competent Police, Prosecution or Judicial authorities, to the extent required by Law or any other enforceable act or order.
4. The Company applies the policy of not transferring personal data to countries outside the European Economic Area (EEA) and seeks to maintain databases on digital cloud computing resources based in the European Union under contracts with providers.  Any transfer of such data to third countries outside the European Economic Area will only take place in compliance with the legal framework relating to the protection of personal data and only when adequate safeguards are provided for their protection.

11. Processors  

The personal data of Shareholders are processed exclusively on the basis of the relevant legislation and for the purposes intended. 

In addition, the Company ensures that the persons and processors, who process personal data on behalf of the Company, comply with the applicable data protection legislation.

• Service provider for the preparation and facilitation of Shareholders Meetings:  “Greek Central Securities Depository S.A.”, Athens, 110, Athinon Ave., Postal Code 104 42
• Provider performing Shareholders’ File Management:
  " Eurobank S.A.", with TIN 996866969, General Electronic Commercial Registry (GEMI) 154558160000 with its registered office at 8 Othonos Street, Municipality of Athens
• Support of information resources/website: “DOPE STUDIO", 451, Mesogeion Ave., Postal Code 153 43, Ag. Paraskevi, Attica (hello@wearedope.com)

12. Rights of the Shareholders 

Shareholders enjoy certain rights with regard to the processing of their personal data by the Company. More specifically:

a) Access, rectification and erasure rights

Shareholders may request, at any time, information on their personal data which are kept by the Company and request the modification, rectification, update or erasure of this information, to the extent that these data are collected directly by the Company. Shareholders may be requested to provide additional information to enable the Company to carry out their request; however, access to personal data is provided free of charge, unless the request is manifestly unfounded or abusive. In the event that a large number of copies of data is requested, the Company may charge a reasonable fee based on administrative costs. Where the Company has the right to refuse to carry out a request, it must provide Shareholders with a detailed justification for such refusal. 

b) Right to object

Shareholders have the right to object to the processing of their personal data, especially where processing is performed for the purposes of a legitimate interest of the Company. In such a case, the Company shall comply with the objection and shall no longer process the data in question unless the Company demonstrates compelling legitimate grounds for continuing the processing, which override the interests, rights and freedoms of Shareholders, such as in the case of processing for the establishment, exercise or defence of legal claims of the Company. In the event that Shareholders object to their personal data processing relating to benefits granted to them by the Company and therefore, request the cessation of such processing, this may, as a result, prevent the Company from granting such benefits overall.

c) Right to restriction of processing

In some cases, Shareholders have the right to restrict processing or to cease further use of their personal data. In practice, this means that the Company may store the personal data, but may not process them any further, unless processing is based on the Shareholders’ consent or where processing is required for the establishment, exercise or defence of legal claims of the Company or for the protection of the rights of another natural or legal person or for reasons of important public interest.

d) Right to data portability

Shareholders have the right to transfer the personal data which they have provided to the Company for the purposes of processing, to other data controllers. To allow Shareholders to exercise this right, the Company shall provide the data in a structured, commonly used and machine-readable format. Alternatively, data controllers may directly receive the personal data on behalf of the Shareholders.

e) Right to file a complaint with the competent Authority

Shareholders have the right to file a complaint with the competent supervisory Authority for Greece, namely the Hellenic Data Protection Authority.

The Hellenic Data Protection Authority may be contacted in the following ways: Address: Hellenic Data Protection Authority, Head Office: 1-3 Kifissias Ave. Postal Code 115 23, Athens, Call center: +30-210 6475600, email: complaints@dpa.gr