This Privacy Policy concerns the processing of personal data carried out in the context of customer service, either through telephone channels or via the automated artificial intelligence voice system (AI VoiceBot) used by the Attica Group (hereinafter the “Company”).
The Company places particular importance on the protection of privacy and personal data and ensures that such processing is carried out with transparency, security, and in accordance with the applicable regulatory framework.
Information on the Use of Artificial Intelligence in Telephone Communications
Attica Group informs customers and prospective customers contacting its call center that services may be provided either by authorized representatives or through the AI VoiceBot.
The AI VoiceBot is an automated artificial intelligence voice assistant that answers incoming calls, understands requests through natural language processing, and either resolves the request automatically or routes the call to the appropriate representative.
In this context, telephone conversations may be recorded and/or transcribed (speech-to-text) for the purposes of serving passengers, managing requests, and improving the quality of services. A verbal notification will be provided at the beginning of the call.
At the start of the call, callers are informed that they may interact with an artificial intelligence system, in compliance with applicable transparency obligations.
The AI VoiceBot system may provide automated responses based on the content of requests, without constituting automated decision-making producing legal effects within the meaning of applicable legislation.
Callers may, at any time, request to be transferred to a customer service representative without delay.
Data Controller
The Data Controller is Attica Group. Contact details are available on its official website.
For data protection matters, you may contact the Data Protection Officer (DPO) at:
Purposes of Processing
Personal data are processed for the following purposes:
- customer service provision
- identity verification and fraud prevention
- management and routing of requests
- improvement of service quality
- technical support and system security
Categories of Personal Data
Within the framework of call center operations and AI VoiceBot services, the Company may process the following categories of personal data:
- identification data (e.g. full name)
- contact details (e.g. phone number, email address)
- service-related data (e.g. travel information, port of departure/destination, travel date)
- communication content, including voice data (call recordings) and transcripts
- call metadata (e.g. date, time, duration, request category)
- data relating to service requests and technical usage data
Processing is limited to data strictly necessary for the above purposes.
As a rule, the Company does not collect data concerning private life or special categories of data under Article 9 GDPR.
Legal Basis for Processing
Processing is based on:
- performance of a contract or pre-contractual measures
- the Company’s legitimate interest in organizing and improving customer service
- compliance with legal obligations
- Processing within telephone communications is carried out in accordance with the General Data Protection Regulation (GDPR) and Greek Law 3471/2006.
Processors and Data Recipients
For the provision of call center services and operation of the AI VoiceBot, the Company cooperates with third-party providers acting as data processors on its behalf and processing personal data strictly in accordance with its instructions.
Recipients of data may include:
- providers of AI and voice processing technologies
- call center service providers
- IT infrastructure providers (including cloud and hosting services)
- subcontractors of the above providers, subject to applicable law
- Additionally, data may be disclosed to public authorities, judicial authorities, or other competent bodies where required by law or upon lawful request.
The Company ensures that all partners are bound by appropriate contractual obligations regarding confidentiality and data protection.
Data Retention Period
Personal data collected through telephone communications and AI VoiceBot services are retained only for as long as necessary to fulfill the purposes of processing, in accordance with the storage limitation principle (Article 5(1)(e) GDPR).
By exception, data may be retained for longer periods where necessary for the establishment, exercise, or defense of legal claims or for internal investigations.
Specifically:
- call recordings and transcripts are retained for a maximum period of one (1) year, unless otherwise required by law
- in exceptional cases, and following a request by a competent authority, retention may be extended up to five (5) years
After the expiration of these periods, data is securely deleted or anonymized.
Access to Personal Data
Access to recorded data is strictly controlled and limited to authorized personnel within the Company and authorized personnel of external partners responsible for call center operations.
Access is role-based and granted strictly on a “need-to-know” basis, without unrestricted or uncontrolled access.
Automated Decision-Making
Processing personal data through the call center and AI VoiceBot does not involve decisions based solely on automated processing that produce legal effects or similarly significantly affect individuals, within the meaning of Article 22 GDPR.
Data Security
The Company implements appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data, and to protect them against unauthorized access, loss, alteration, or unlawful processing.
Such measures include, indicatively:
- access controls
- encryption
- information security procedures
- incident management policies
The Company ensures that its partners and service providers apply equivalent security measures and comply with applicable standards and regulatory requirements (such as PCI DSS).
Data Transfers Outside the EEA
As a rule, personal data are not transferred outside the European Economic Area (EEA).
Where such transfers are necessary, the Company ensures compliance with applicable legal requirements and the implementation of appropriate safeguards, such as:
- adequacy decisions of the European Commission
- Standard Contractual Clauses (SCCs)
- or other lawful transfer mechanisms
Data Subject Rights
In accordance with the GDPR, you have the rights provided under applicable law, including:
- right of access
- right to rectification
- right to erasure
- right to restriction of processing
- right to object
- right to data portability (where applicable)
Specifically, within the context of telephone services, you have the right to access recorded conversations and request a copy thereof, subject to applicable legal conditions.
To exercise your rights, you may contact the Company’s DPO at: dpo@attica-group.com
You also have the right to lodge a complaint with the Hellenic Data Protection Authority via its online portal or website.
Amendments to this Policy
We reserve the right to amend or update this Policy where necessary due to changes in processing activities, applicable legislation, or business operations.
Last updated: April 2026