This Privacy Statement describes how the Department of Accounting & Finance of the University of Macedonia processes the personal data of visitors and users of accfinmsc.com. It is issued pursuant to Articles 12, 13 and 14 of Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”), Greek Law 4624/2019 on the protection of personal data, and the programme’s Regulation of Studies. If you have questions about any section, please contact the Department’s Data Protection Officer at the address given at the end of this document.
1. Who we are (data controller)
The data controller for personal data processed through this website is:
- University of Macedonia — Department of Accounting & Finance
- Address: 156 Egnatia Street, 54636 Thessaloniki, Greece
- Phone: +30 2310 891 693
- General email: msc-accfin@uom.edu.gr
- Data Protection Officer (DPO): dpo@uom.edu.gr (served by the central University of Macedonia DPO office)
For data jointly processed with our academic partner, the Cyprus University of Technology (CUT), a joint-controller arrangement is in place under Article 26 GDPR. A summary of that arrangement is available on request from the DPO.
2. What personal data we collect
We collect only the data necessary for the specific purpose for which it was given to us:
- Applicants. Name, date of birth, nationality, ID or passport number, contact details, academic transcripts, degree certificates, language certificates, CV, reference letters, motivation statement, and any supporting documentation you upload through the application form.
- Enrolled students. All of the above plus your student ID, academic record, enrolment status, tuition payment history, Paddle transaction identifiers, Open eClass activity, and communications with the Department.
- Faculty and staff. Name, academic title, contact details, CV, publications, teaching and examining record, and administrative decisions relevant to the programme.
- General visitors. Technical data automatically collected by our web server (IP address, browser type, operating system, referring URL, pages visited, timestamps) — logged for security, statistical and operational purposes.
- Newsletter & enquiry forms. Only the fields you voluntarily complete (typically name and email).
- Special categories. When strictly necessary (for example, reasonable accommodations for students with a disability), we may process special-category data under Article 9(2) GDPR on the legal basis of your explicit consent or of a substantial public interest provided for in Greek law.
We do not knowingly collect personal data of children under 16.
3. Why we process your data and on what legal basis
- Processing applications and enrolments — Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(c) (legal obligation under Greek higher-education law).
- Teaching, assessment and conferral of degrees — Article 6(1)(e) GDPR (performance of a task carried out in the public interest) and the Greek Higher Education Act.
- Tuition billing and payment reconciliation — Article 6(1)(b) (contract) and Article 6(1)(c) (tax, accounting and public-sector audit obligations).
- Fraud prevention, network and information security — Article 6(1)(f) GDPR (legitimate interest in protecting our infrastructure and users), including the processing of server logs and Cloudflare Turnstile human-verification challenges.
- Statistical and analytical purposes — Article 6(1)(a) GDPR (consent given via the cookie banner) for Google Analytics 4, and Article 6(1)(f) (legitimate interest) for first-party, strictly necessary statistics.
- Newsletters and programme announcements — Article 6(1)(a) GDPR (consent), revocable at any time.
- Responding to your enquiries — Article 6(1)(b) or (f) depending on whether a contract is being negotiated.
4. Who has access to your data
Within the University, access is limited to the Programme Secretariat, the admissions committee, the academic staff teaching on the MSc, the Department’s IT team, and — for jointly delivered modules — the corresponding Programme Secretariat of the Cyprus University of Technology. Outside the University we rely on the following processors, bound by written data-processing agreements under Article 28 GDPR:
- Hostinger International Ltd. — hosting and managed WordPress infrastructure (EU data centre). Processes server logs and database contents.
- Paddle.com Market Ltd. — merchant of record for tuition payments. Processes billing and transaction data under its own controller status for payment purposes.
- Google Ireland Ltd. — Google Analytics 4 (pseudonymised statistics), Google Search Console, Google Fonts. Processing limited by IP anonymisation and EU standard contractual clauses.
- Cloudflare Inc. — Turnstile human-verification challenges on public forms. Data transferred under EU standard contractual clauses.
- Brevo, Mailgun or equivalent — transactional email delivery for application confirmations and programme notices.
We never sell your personal data and we do not allow our processors to use it for their own purposes beyond what is strictly necessary to provide the contracted service.
5. International transfers
Most of our processing takes place within the European Economic Area. Where a processor (for example Google or Cloudflare) transfers data outside the EEA, the transfer is protected by the European Commission’s Standard Contractual Clauses (SCCs) adopted by Decision (EU) 2021/914, supplemented by the relevant supplementary measures assessed under Schrems II. Copies of these agreements are available from the DPO on request.
6. How long we keep your data
- Application files of rejected candidates — one year after the admission cycle closes, then securely deleted.
- Files of enrolled students — for the full duration of studies plus the statutory archival period prescribed by Greek higher-education law and the University’s archival policy.
- Financial and billing records — ten years, as required by Greek tax and accounting legislation.
- Web server logs — thirty days, then anonymised or deleted, except where retained for longer on the basis of a demonstrable security incident investigation.
- Newsletter records — until you unsubscribe, plus ninety days to evidence the withdrawal of consent.
- Cookie consent logs — for the statutory record-keeping period of the cookie banner provider (currently Complianz), not exceeding twelve months.
7. Your rights under the GDPR
Subject to the conditions set out in Articles 15–22 GDPR, you have the right to:
- obtain confirmation of whether we process your personal data, and a copy of the data (right of access);
- have inaccurate data corrected or completed (right to rectification);
- have your data erased in the circumstances listed in Article 17 (right to erasure / “right to be forgotten”);
- restrict processing in the circumstances listed in Article 18 (right to restriction);
- receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller (right to data portability);
- object to processing based on legitimate interests or public interest, including profiling (right to object);
- withdraw your consent at any time, where processing is based on consent, without affecting the lawfulness of processing before withdrawal (right to withdraw consent);
- not be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you — we do not carry out such decisions on this website.
To exercise any of these rights please write to dpo@uom.edu.gr. We will respond within one month of receipt, extendable by a further two months when necessary in light of the complexity and number of the requests.
8. Your right to lodge a complaint
If you believe your rights under the GDPR have been infringed, you may lodge a complaint with the Hellenic Data Protection Authority — 1–3 Kifisias Avenue, 11523 Athens, +30 210 6475 600, www.dpa.gr — or with the supervisory authority of your Member State of habitual residence.
9. Security measures
We apply technical and organisational measures appropriate to the risk, including HTTPS-only transport with HSTS, content-security headers, server-side input validation and rate limiting on public forms, multi-factor authentication for administrative access, access controls on a least-privilege basis, routine daily backups with periodic restoration tests, scheduled vulnerability patching through a staging environment, and training for staff handling student records. Payment card data is handled exclusively by Paddle and is never stored on our own servers.
10. Cookies and similar technologies
Our use of cookies and related technologies is described in detail in the Cookie Policy. You can change your consent at any time by clicking “Cookie Settings” in the footer or by using the floating Manage Consent tab.
11. Changes to this statement
We review this Privacy Statement at least once a year and whenever there is a material change in the way we process personal data. Updated versions are published on this page with a new “last updated” date; substantive changes affecting your rights are additionally communicated to registered users by email.
Last updated: 23 April 2026.