Organisation of Urban
Transportation of Thessaloniki
Privacy Policy

We are concerned about the protection of your privacy and in particular about your Personal Data. We have established the present Data Protection Policy in order to inform the visitors of our website oasth.gr about the type of data that we collect and process, the purpose of said collection and general processing, how your data are processed and the recipients thereof, your rights and choices, as well as how to contact us for any issue you may have in relation to your personal data.


This Data Protection Policy includes:

  • Information about the Data Controller of your personal data.
  • The type of data we collect about you.
  • The purpose for collecting and processing your personal data and the legal basis for processing it.
  • The security measures we take to protect your personal data.
  • The time period during which we store your personal data.
  • Information about your rights and how to exercise them.


Data Controller:

The ‘Thessaloniki Urban Transport Organisation’, with the distinctive title ‘O.A.S.TH. S.A.’, which has its registered office at Thessaloniki Al. Papanastasiou 90, postal code 54644,

Phone:  Thessaloniki – 2310 981100,

E-mail: oasth@oasth.gr


Information we collect

“Personal Data” is any information that can be used to identify a natural person. OASTH S.A. collects such information when you use or interact with our website. Specifically:


  • If you are a visitor to our website and official social media accounts


Through the contact form on our website, in order to pose any requests and clarification questions on issues related to the services provided by us, you will be asked to enter your full name, and your e-mail address.

Also, when you communicate with us on our company’s social media (Facebook, Youtube etc.), you provide us with your personal identification and contact data, which we process on a case-by-case basis solely for the purpose of answering your request.


Data collection by automated means

  • Log files

When you visit our website, certain data is automatically collected by our server and recorded in special files (log files).

The purpose of storing this data is to monitor the security of information and services of our website, to ensure the possibility of investigating any online attacks and incidents and to support any relevant legal claims.

The legal basis for the above processing is article 6 par. 1 (f) of the GDPR, which allows us to process data when it is necessary to achieve the legitimate interests of OASTH S.A.

Logs are kept for a period of 12 months and may be disclosed to third party processors for the purpose of website management and to the competent authorities in case it is deemed necessary for the investigation of any cyber-attack incident. Data which is being investigated or used in the context of legal claims shall be kept for the period of time required for these purposes.



Furthermore, during your interaction with our Website, certain data is automatically collected from your device or web browser (“cookies”).


Detailed information about the type of data collected by automated means can be found in our Cookies Policy.


Information related to minors

Our Website and Services are not intended to be used by minors under the age of 15. OASTH S.A. does not collect Personal Data of minors under 15 years of age, without consent from a parent or legal guardian. In any case, OASTH S.A. deletes any Personal Data of a minor under 13 years old. If you are a parent or a legal guardian of a child under the age of 13 and you are concerned that your child may have provided us with personal data, please contact us at oasth@oasth.gr.



Why do we use your Personal Data?

We use your data in order to:

  • Respond to requests for information about the services we provide to you.
  • Deal with any complaints you may have about our services.
  • Satisfy your rights in relation to your personal data.
  • Conduct business analysis and improve our business and services.
  • Carry out detection, prevention and response to fraud or other illegal activities.
  • Protect the rights, property of our own or of third parties.
  • Other purposes: we may use your data in other ways. In this case, we will provide specific notices to inform you when we collect the data, and we will obtain your consent prior to processing where required.

In order to achieve these purposes, we will only collect and generally process data that is compatible with the purpose of the processing.


To whom do we transfer your personal data?

The personal data we collect may be transferred to third parties. In particular:

  • To any competent supervisory, public or judicial authority, if required by the applicable legal framework or by a court order.
  • To other third external partners who carry out processing on our behalf and who are bound, as we are, to an equivalent level of protection of your data, such as law firms, financial advisors, advertising companies, providers of IT products and/or services and/or support for all kinds of IT and electronic systems and networks, courier companies, etc.


We do not disclose your personal data to third parties outside the European Union, and/or in countries where there is no equivalent data protection regime in force. However, should such a data transfer need to take place, we will take every possible measure to ensure that your data is treated securely, for example by using Standard Contractual Clauses (SCCs) established by the Commission.


Legal bases for processing your personal data 


OASTH S.A. relies on the following legal bases when processing your personal data:

  • Performance of a contract: when the processing of your personal data is necessary for the fulfilment of our obligations arising from the contract.
  • Legal obligation: where we are required to process your personal data in order to comply with a legal obligation, such as to keep records for tax purposes or to provide information to a public body or law enforcement authority.
  • Legitimate interest: we may process data about you where we have a legitimate interest in carrying out a lawful activity so as to ensure the continuation of that activity, as long as it does not override your interests; or
  • Your consent: we may occasionally ask for your specific consent in order to process some of your personal data. Your personal data will only be processed if you consent. You may withdraw your consent at any time, without retroactive effect, by contacting OASTH SA at oasth@oasth.gr.


Your rights


Your rights under the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) are the following:

  • Right of access to your personal data, which we process.
  • Right to rectify incomplete or inaccurate data collected and stored by OASTH S.A.
  • Right of erasure of your personal data.
  • Right to restrict the processing of data.
  • Right of portability of data to you or to third parties. You may receive, in a structured, commonly used and machine-readable format, your personal data concerning yourself, as well as transmit it, under certain legal conditions, to another controller as long as this does not adversely affect the rights and freedoms of others (only for automated processing of information, which you have willfully provided us with, or for the performance of the contract between us.)
  • Right to object to the processing of your personal data at any time. OASTH S.A. may refuse to comply with this right if it demonstrates compelling legitimate grounds for processing, that override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
  • Right to lodge a complaint with the Data Protection Authority (www.dpa.gr) if you consider that your rights are being infringed in any way (right to lodge a complaint with the Authority). Postal address: 1-3 Kifissia Avenue, P.C. 115 23, Athens, Greece, telephone +30 210 6475600, email: contact@dpa.gr.


For any further information, as well as for the exercise of the above rights, please write to Al. Papanastasiou 90 Thessaloniki, P.O. Box 54644 or to the e-mail address oasth@oasth.gr. As a rule, your request will be granted within one month of receipt. The information, any communication and all actions undertaken in accordance with Articles 15 to 22 and 34 GDPR are provided free of charge.



Security and Retention of your Personal Data

We retain your personal data only for the period of time required for the purposes of processing the data i.e. for the duration of the contract between us, your consent, our legal obligations (such as retention for tax purposes) and our legitimate interest on a case-by-case basis.

The processing of personal data is carried out in a manner that ensures its confidentiality. OASTH S.A. implements appropriate technical and organizational measures to ensure an appropriate level of security of your data against risks of accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, as well as any other form of unlawful processing.

The data you provide is protected by appropriate information security techniques in order to ensure both its secure transmission over the internet and its secure storage in Information Systems.

We require all third parties who may receive your personal data to have appropriate technical and operational security measures in place, in order to protect your personal data, in accordance with Greek and EU Data Protection legislation.


Special Categories of Data

We ask you to not disclose to us via e-mail or through the contact form, your banking as well as sensitive personal data. The processing of these categories of personal data does not in any way serve the purposes of processing, as defined above.



Our website contains links to other websites. By clicking on “Service – Links” and “Tourism – Useful Links” you can access a number of useful links of our partners, or other means of transport that you can refer to, such as the “Macedonia” Airport of Thessaloniki. This privacy statement does not apply to the user’s access to other websites. Please refer to the privacy policies of these websites for more information on how they handle your data.


The Controller is not responsible for the content and services of other third parties to which it refers through their links, hyperlinks or banners (including, without limitation, social networking sites such as Facebook, Instagram). The Data Controller does not guarantee and cannot control the availability, content and privacy policy of the linked website. Therefore, for any problem encountered when visiting/using them, you should contact the respective websites that are solely responsible for the provision of their services. Access by using the links provided to the website in question, remains the sole responsibility of the user.


By clicking on the “APP STORE” option you will be transferred from the website of O.A.S.TH. S.A. to the link https://apps.apple.com/gr/app/o-a-s-th-bus/id997693786?l=el. This website is owned by Apple and through it you can download the organization’s application. As the developer of the application, which is available to interested parties via App Store, O.A.S.TH SA has taken appropriate technical and organizational measures in order to ensure the safe use of the application. Any update and policy applied when using the application will be available at the above link.


Similarly, by clicking on the “Google Play” option you will be transferred from the interface of the website of O.A.S.TH S.A. to the link https://play.google.com/store/apps/details?id=oasth.mobile.transport. O.A.S.TH S.A., as the developer of the application which is available to interested parties via Google Play has taken appropriate technical and organizational measures for the safe use of the application. Any update and policy applied when using the application will be available at the above link.


Updating this policy

The last update of this policy was made on 29/6/2023

  • Please note that this policy may change from time to time. If we decide to change our policy we will inform you via notifications that will appear on our website.
  • In the event that we decide to substantially vary our processing of your personal data, you will receive prior notice, or where required, your consent will be sought before the new policy is implemented.



If you have any questions or comments regarding this Policy and our practices as described above, please do not hesitate to contact us at oasth@oasth.gr