Personal Data Protection Policy

This Personal Data Protection Policy (the “Policy”) intends to provide you with information on how your personal data is being processed though the website https://www.snfnostos.org. Data Controller is the Greek office of the Stavros S. Niarchos Foundation for Charity (the “SNF”), located in Athens at 86A, Vassilissis Sofias Avenue, P.O. Box 11528, tel. +30 2108778300 (the “Data Controller”). SNF is incorporated in Bermuda as a nonprofit organization for charitable purposes and has offices in New York, Monaco and Athens.

References in this Policy to “you” or “your” are references to individuals whose personal data the Data Controller processes, i.e. individuals browsing the website, completing their personal data in order to receive newsletters, registering to attend SNF Nostos events, etc. (collectively the “users”).

The processing of personal data of the users of this website is governed by this Policy and the Cookie Policy, which is also available on the website, the relevant provisions of the applicable legislation on personal data, including the General Data Protection Regulation EU 2016/679 (the “GDPR”), Law 4624/2019, Law 3471/2006, and by the relevant decisions and guidelines of the Hellenic Data Protection Authority (the “HDPA”).

SNF Nostos is an international, multidimensional festival bursting with avant-garde art, scintillating conversation, daring ideas, irresistible music, moving dance, delightful performances, participatory entertainment, and lively sports activities for visitors of all ages. SNF Nostos 2026 marks the celebration of three decades of SNF’s global grantmaking, taking place from June 21-28, 2026, at the Stavros Niarchos Foundation Cultural Center (the “SNFCC”) in Athens and at other sites across Greece (the “SNF Nostos”). SNF Nostos features a week‑long program of signature events, including the SNF Nostos Conference curated together with SNF’s partners at the journalism nonprofit iMEdD (incubator for Media Education and Development), the SNF Dialogues, the SNF Nostos RUN, alongside concerts, performances, and participatory activities. SNF Nostos 2026 will also feature additional programming, including tours, open days, and other curated experiences, inviting the public to engage with SNF’s work and mission in diverse ways.

WHICH PERSONAL DATA DOES THE DATA CONTROLLER COLLECT AND FOR WHICH PURPOSE?

The Data Controller collects only the necessary and appropriate personal data, which is necessary in relation to the purposes for which it is processed, and it is not subject to any further processing in any way incompatible with the purposes originally collected. The types of personal data that the Data Controller collects and further processes about you are collected directly from you and depend on the context of your interaction with the Data Controller and the website.

In particular, by browsing the website, the Data Controller will collect and further process certain personal data, to be able to offer access to the website and its functionalities, such as information collected by the use of trackers. Also, the Data Controller will collect and further process the following personal data categories:

  • When you register to attend and participate in various SNF Nostos events, the Data Controller processes personal data, including your full name, email address and mobile phone number, as well as, where provided, your organization and role, for the purpose of participating in the event and for the information you need to receive about it.
  • When you subscribe to the list of Data Controller’s newsletters recipients, the Data Controller collects and further processes personal data, including your full name and email address, in order to inform you in the future about the events, activities and news of SNF. By subscribing to this list and providing your consent for the processing of your personal data, you acknowledge that you will receive newsletters and other additional informational material regarding SNF’s activities. You can withdraw your consent at any time and request the cessation of receiving updates and processing of your personal data for this purpose by selecting the “unsubscribe” link, available on each update you receive.
  • When the Data Controller needs to establish, exercise or defense legal claims, the Data Controller processes your personal data, including your full name, your interaction with the Data Controller, etc.

In addition, photos and videos may be taken throughout SNF Nostos. This material, as such or embedded into other audiovisual materials, may be posted on SNF’s official websites and its social media accounts for the purpose of documenting and communicating SNF Nostos events and SNF’s activities. The events may also be livestreamed on SNF’s websites and/or its official social media accounts. Both the submission of the registration application and the entry of each registered person to each event’s premises is taken as his/her consent for the aforementioned processing purposes.

The Data Controller does not knowingly collect personal data via its registration forms from children under the age of fifteen (15) without the consent of the person exercising parental responsibility. If we become aware that such data has been collected without the required consent, we will take appropriate steps to delete it.

WHAT IS THE LEGAL BASIS FOR THE PROCESSING OF YOUR PERSONAL DATA?

  • The execution of a contract to which you are a party or in order to take steps at your request prior to entering into such contract (i.e., to enable you to access the website, to register for and participate in an event and to manage your participation) (Contract),
  • Your consent, where appropriate, for one or more purposes (i.e., when subscribing in Data Controller’s newsletter, when you agree to the use of cookies and tracking technologies) (Consent),
  • The overriding legitimate interest of the Data Controller (i.e., monitoring how you use the website in order to ensure the efficient and secure operation, for the establishment or defense of legal claims as well as for documenting and communicating about SNF Nostos events) (Legitimate interest).

WITH WHOM DOES THE DATA CONTROLLER SHARE YOUR PERSONAL DATA?

Your personal data may be transmitted to third-party services providers of the Data Controller, who process your personal data solely for the fulfilment of their obligation towards the Data Controller. In this case, the third parties (such as IT support services providers, marketing communication services providers, etc.) act as Data Processors on behalf of the Data Controller and are contractually bound to implement adequate technical and organizational security measures in accordance with applicable legislation. The Data Controller may also share your personal data with iMEdD, ensuring absolute confidentiality.

Your personal data may be shared with other recipients outside the EU/EEA for the purpose of achieving the above processing purposes only if adequate protection is ensured, e.g., via European Commission-approved safeguards. For details or a copy of these safeguards, please contact the Data Controller at gdpr@snf.org.

Additionally, the Data Controller may disclose your personal data (a) with your explicit consent, or (b) if required to exercise SNF’s rights.

HOW LONG DOES THE DATA CONTROLLER KEEP YOUR PERSONAL DATA?

The Data Controller ensures that the personal data it collects is processed no longer than it is required for the fulfilment of the purpose of processing e.g., for as long as needed to manage your event registration and participation and any follow-up, always in conjunction with the applicable legislation. Once the data processing purpose is completed, the Data Controller will either delete or anonymize your personal data, unless statutory retention requirements apply (e.g., for the establishment or defense of legal claims). Where the legal basis for processing your personal data is your consent, upon withdrawal of your consent, your personal data will be deleted or anonymized, unless statutory retention requirements apply.

WHAT ARE YOUR RIGHTS?

  • Right of access: This means that you have the right to be informed by the Data Controller if it is processing your personal data. If the Data Controller is processing your personal data, you can ask for information about the purpose of processing, the type of data the Data Controller holds, with whom the Data Controller shares it, how long the Data Controller stores it, but also about your other rights, such as rectification, erasure, and lodging a complaint to the HDPA.
  • Right to rectification: If your personal data is inaccurate or incomplete, you can request that the Data Controller rectifies them (for example, a name correction or an update of an address change).
  • Right to erasure: You may ask the Data Controller to erase your personal data if one of the reasons provided by the applicable legislation is in force (e.g., when the data is no longer necessary or if you have withdrawn your consent).
  • Right to data portability: Under certain circumstances, you may ask the Data Controller to receive, in a structured, commonly used and machine-readable format, the data concerning you, or ask the Data Controller to transmit it to another controller.
  • Right to restriction of processing: You may ask the Data Controller to restrict the processing of your personal data, if you believe that your personal data are inaccurate or that processing is unlawful or that the Data Controller no longer needs the personal data or you have objections to the automated processing (if applicable).
  • Right to object: In certain cases, you may object to the processing of your personal data and the Data Controller will stop processing your personal data, unless, inter alia, there are compelling legitimate grounds for the processing which override your interests, rights and freedoms. You also have the right to object when a decision concerning you is based solely on automated processing, including profiling, and this decision produces legal effects concerning you or significantly affects you (exceptions provided by law).
  • Right to withdraw your consent: You may withdraw your consent at any time, without your withdrawal affecting the lawfulness of the processing based on your consent before its withdrawal.
  • Right to lodge a complaint with HDPA: If you believe that the Data Controller infringes the applicable legislation for the protection of your personal data, you have the right to lodge a complaint with the HDPA, registered in 1-3 Kifissias Ave., 11523, Athens, Greece. More information on the competence of the HDPA and how to lodge a complaint, you can find at www.dpa.gr.

MODIFICATION OF THIS POLICY

The Data Controller monitors the policies and procedures for the collection and processing of your personal data that it implements and may at any time make any modifications in order to ensure the most effective protection of your personal data and the adoption of new practices. For this reason, please visit this page regularly for any changes.

CONTACT

To access your personal data, to exercise your rights as per the above, as well as for any comments, questions or requests regarding the use of your personal data or about this Personal Data Protection Policy, please contact the Data Controller’s Contact Person: Ms. Lina Giotaki, Phone Number: +30 210-8778300, email: gdpr@snf.org, Address: 86A, Vasilissis Sofias Avenue, Athens, P.O. Box 11528.

The Personal Data Protection Policy was last updated in January 2026.