a) Identification data: name, father’s name, Identity Card Number, Tax Identification Number, Social Security Number, date of birth, sex etc. The aforementioned data are collected directly from you and/or from publicly accessible sources.
b) Contact information: postal and e-mail address, fixed and mobile telephone number etc. The data are collected directly from you and/or from publicly accessible sources, as well as from debtor notification companies (Law 3758/2009), lawyers, bailiff s etc.
c) Data concerning your economic and financial situation, your profession, remuneration, dependent family members, income tax declarations (E1) and asset declarations (E9), salary statements etc. The said data are collected either directly from you/at your request, or from publicly accessible sources, such as land registries etc.
d) Data concerning the failure to perform your financial obligations (such as bounced cheques, termination of loan and credit agreements, payment orders, seizures and other relevant orders, applications for and decisions on consolidation or bankruptcy etc.) collected from the Bank within the framework of your transactions, from databases on economic behavior, such as the company TIRESIAS S.A. (see below) or from publicly accessible sources, such as Courts etc.
e) Data concerning your creditworthiness: debts towards credit and/or financial institutions arising from loans and/or credits, collected from the Bank within the framework of your transactions and/or from other credit and/or financial institutions, in cases where this is allowed and/or from databases on economic behavior such as the company TIRESIAS S.A. (see below).
f) Credit profi ling/credit scoring data, which are produced from the relevant systems of the Bank, and/or other credit and/or financial institutions, in cases where this is allowed and/or from databases on economic behavior, such as the company TIRESIAS S.A. (see below).
g) Data related to acquiring contracts which have been terminated by the credit institutions or the companies issuing and managing cards due to breaches of particular terms of the abovementioned contracts (i.e. acquiring of cards reported lost, fictitious transactions, self-fi nancing etc.), collected by the Bank and/or the company TIRESIAS S.A. (see below).
For issues regarding the aforementioned data under points d-g which are collected from the databases of the company TIRESIAS S.A. (registered office’s address: 2 Alamanas Str., 151 25 Marousi, tel. number: +30 210 3676700, website: www.teiresias.gr), which is a controller of economic behavior data, as well as for the exercise of your relevant rights, you may be informed by contacting the abovementioned number or by visiting the abovementioned website.
h) Data concerning your transaction behavior, collected from the use of products and services of the Bank, such as credit or debit cards, as well as from publicly accessible sources, including social media, internet sources etc.
i) Data related to the performance of your contract(s) with the Bank and the use of the products or services provided to you.
j) Data related to recorded communications (phone calls, face to face communication, electronic communication) provided you have been previously informed, in compliance with the law.
k) Data related to the use of electronic and/or virtual products and services of the Bank (such as cookie identifiers, IP addresses, location data or other online identifi cation data), pursuant to the specific terms governing these products and services.
l) Image data collected from the video recording systems of the premises of the Bank, within which signs have been placed pursuant to the law.
m) Data related to payments and the provision of payment services, which are collected either from you or from the provider of payment services that you have chosen. In the abovementioned cases, the transfer of your data to the Bank is deemed to be made at your request to the transferring provider, which is responsible for the integrity and accuracy of them.
n) Data concerning your knowledge and experience in the investment sector with regard to a specific type of product or service, your financial situation, including your ability to bear losses, your tolerance level towards risk and your investment objectives and needs. The abovementioned data are collected directly from you, depending on the investment service or the relevant investment product.
o) Special categories of data collected in compliance with the law directly from you, such as health data concerning you and/or dependent members of your family as well as biometric data collected from your electronic signature.
The data collection from you encompasses the data collection from a third party acting on your behalf as well as the data collection from a Bank’s client or potential client associated with you (natural or legal person).
In case you provide us with personal data of third parties you must have ensured their consent and have referred them to this Data Protection Information.
The Bank collects and processes your personal data:
A. For the execution of a contract and in order to carry our pre-contractual measures upon your request
The processing of your data as described in Section 1 serves indicatively the following purposes:
a) Your identification and the communication with you during your pre-contractual and contractual relation with the Bank, as well as during any other transaction between you and the Bank.
b) The signing of a contract (deposit, loan, investment etc.) with you, the execution and smooth functioning of said contract and the fulfilment of the Bank’s obligations towards you.
c) The provision of investment or other ancillary services for the assessment of the suitability and compatibility of said investment, your information, the governance of investment products and your admission, where possible, to the identifi ed target-market of these products.
d) In case of granting any loan or credit your data will be processed for:
i. the assessment of the credit risk to which the Bank will be or has already been exposed;
ii. the monitoring of the evolution of the debt;
iii. the prevention or mitigation of the possibility of a failure by your part to fulfill your obligations arising from your contract/contracts with the Bank;
iv. the pursuing of the collection of any possible sums owed to the Bank due to the performance of your contract/contracts.
e) The communication with you, your information on the best use of the Bank’s products and/or services (i.e. opportunities to use products/services, bonus programmes, lottery products), their amelioration as well as for sending you questionnaires regarding your satisfaction with the Bank’s products and services as well as the customer service provided by the Bank.
Said processing (under Section A) serves also the Bank’s compliance with its legal obligations (see below Section B) as well as the Bank’s or a third party’s legal interests.
B. For the Bank’s compliance with its legal obligations
The processing of your data as described in Section 1 serves indicatively the following purposes:
a) The prevention and repression of money laundering and terrorist financing, as well as the prevention, detection and repression of frauds against the Bank or its clients, as well as of any other illegal act (mainly concerning loan, deposit or investment products).
b) The compliance of the Bank with the obligations imposed by the relevant legal, regulatory and supervisory framework in force, as well as with the decisions of any authority (public, supervisory etc.) or Courts.
c) The protection of the Bank’s clients, its personnel and their property as well as the Bank’s facilities and property.
Said processing (under Section B) serves also the Bank’s or a third party’s legal interests (see below Section C).
C. For serving the Bank’s or third parties’ legal interests
The processing of data under Section 1 serves purposes such as the security of the Bank’s information systems facilities and assets, the prevention and deterrence of criminal acts or frauds, the credit risk assessment taken by the Bank, the protection of the Bank’s legal rights and interests, your information and/or participation in promotion schemes for new products and/or services, provided that your consent was not chosen as a legal basis for these actions. Prior to this processing the Bank ensures that your interests or fundamental rights imposing the protection of your data do not override the Bank’s interests.
D. Upon your consent
Where the Bank has requested and received your consent the processing of your data under Section 1 is based on this consent. In such cases you have the right to withdraw your consent at any time. However, the processing based on your consent prior to your withdrawal remains unaffected.
E. Profi ling or automated decision-making
For the fulfilment of the abovementioned purposes especially under points 2.A.c, 2.A.d, 2.B.a as well as for promotion purposes the Bank may create your profi le by using your data under Section 1.
In case the Bank makes a decision solely based on automated processing, including profiling, which produces legal effects concerning you or affecting you in a similar way, it will provide you with specific information and, if necessary, will ask for your consent.
For the purposes of fulfilling its contractual and legal/regulatory obligations, of serving its legal interests as well as in cases where the Bank is authorized or has received your consent, recipients of your personal data may indicatively be the following:
a) The Bank’s employees who are responsible for the evaluation of your requests, the management and the performance of the contract(s) with the Bank, the fulfi llment of the obligations arising from it/them, as well as of the relevant obligations imposed by the Law.
b) Entities to which the Bank delegates the performance of specific tasks on its behalf (Processors), which may indicatively be debtor notifi cation companies (Law 3758/2009), debt management companies (Law 4354/2015), lawyers, law firms, notaries, bailiffs, experts, information products and/or services providers, electronic systems and network support providers, including but not limited to online systems and platforms, companies responsible for the storage, retention, filing, management and destruction of files and data, call centers, or other natural or legal persons that process data for the purposes of controlling and updating them (including updating your communication data in case of an unnotifi ed amendment), reassessment of the credit risk, categorization of the contracts and debts arising from them, processing of debt arrangements, customers or market satisfaction surveys, promotion of products and/or services etc., provided that security conditions and confi dentiality have been met.
c) Credit and/or financial institutions, established in Greece or abroad, which have been legally licensed and are legally operating, as well as the special purpose companies or entities within the meaning of Law 3156/2003 on assets securitization, as in force.
d) Claims acquiring companies within the meaning of Law 4354/2015, as in force, as well as entities belonging to the wider financial sector, including investment companies, Greek or foreign, in the cases of concession of the claims arising from grants.
e) Entities of the Eurobank Group of the fi nancial sector for the purposes of total risk assessment, compliance with supervisory obligations and unified treatment of the Group’s clients.
f) Credit Institutions, payment services providers or entities that are necessarily involved in the execution of contracts with you or the execution of requested or activated transactions, such as SWIFT, SEPA, VISA, MASTERCARD etc.
g) Supervisory, independent, judicial, prosecution, public or/and any other authorities, entities or parties that are responsible for the supervision/monitoring of the Bank’s activities within their competence.
h) TIRESIAS S.A. for data concerning its records and specifically data regarding bounced cheques, unpaid bills of exchange and promissory notes, termination of loan, credit or approval of cards as means of payment contracts, loan or credit contracts as well as guarantee contracts etc. for the abovementioned purposes of data processing by TIRESIAS S.A. and for the purposes of the database "Tiresias System of Risk Control" as well as for data concerning the termination of a contract with acquiring companies as described in detail on the website of TIRESIAS S.A. (www.tiresias.gr).
i) Co-financing or guarantee fund bodies, if applicable, such as ETEAN, the Greek State etc.
j) Regarding data related to investment transactions and investment services recipients of your data may be wholly or partly, Eurobank Equities Investment Firm S.A., systematic internalisers, credit institutions and/or investment companies or third parties - market mediators, national or foreign Depositaries, managers of negotiation centers such as the Athens Stock Exchange or the Dematerialized Security System, operators of clearing and settlements systems of capital market instruments as well as other systems or mechanisms for the completion of such transactions, investor compensation schemes, data reporting services providers, consolidated tape providers or approved reporting mechanisms and in general any institution or body involved in providing information for the specific category of transactions and their completion.
The Bank can transfer your personal data to third countries (outside the EU zone) under the following circumstances:
a) if the Commission decides that the third country, a territory or one or more specified sectors within that third country ensure an adequate level of protection; or
b) if appropriate safeguards have been provided from the recipient, according to the law.
In the absence of the abovementioned circumstances a transfer may take place if:
a) you (the data subject) have explicitly consented to the transfer; or
b) the transfer is necessary for the execution of a contract between you and the Bank, such as for the execution of orders (i.e. execution of an order for transfer to a bank account of a third country) in which case the necessary data will be transferred to the necessarily involved operational bodies, (i.e. SWIFT,SEPA, correspondent banks etc.); or
c) the transfer is necessary for the establishment, exercise or defense of legal claims; or
d) the Bank is obliged by law or an international convention to provide the data; or
e) the Bank is obliged to comply with regulations regarding the automatic exchange of data within the tax sector, as derived from the international obligations of Greece.
In order to fulfil the objectives of points d or e the Bank may transfer your data to the competent national authorities so that the data are delivered to the respective authorities of third countries.
In case you sign a contract with the Bank, your personal data will be stored for as long as the contract stands.
In case of contract termination the Bank may store your data until the expiration of the limitation period for legal actions, as defined by law, and more precisely for up to twenty (20) years after the termination of the contract by any means.
If during said period legal actions have been taken and the Bank or any other Group entity is involved and you are directly or indirectly concerned, the abovementioned storage period will be prolonged until an irreversible judicial decision has been issued.
In case you do not sign a contract with the Bank your data will be stored for up to five (5) years of the rejection of your application.
In case a shorter or longer storage period is foreseen by the law or regulatory acts the storage period of your personal data will be amended accordingly.
Documents that have your signature and contain your personal data may be stored electronically/digitally after a period of five (5) years has passed.
You have the following rights:
a) To know the categories of your personal data that we store and process, where they come from, the purposes of their processing, the categories of their recipients, the period of storage as well as your relevant rights (right of access).
b) To demand the rectifi cation or/and to have your incomplete data completed so that they are accurate (right to rectifi cation) by providing supplementary statements that justify the need for rectification.
c) To ask for a restriction of the processing of your personal data (right to restriction of processing).
d) To object to any further processing of your stored personal data (right to object).
e) To obtain the erasure of your personal data from the Bank’s records (right to erasure).
f) To ask the transfer of your data stored by the Bank to another controller (right to data portability).
Please note the following as regards your rights:
i. Your rights as explained above (points c, d and e) may be partly or fully not satisfied if the data are deemed necessary data for the contract regardless of their source.
ii. The Bank has in any case the right to deny your request for restriction of processing or erasure of your data if their processing or storage is necessary for the establishment, exercise or defense of the Bank’s rights or the fulfilment of its obligations.
iii. The right to data portability (point f) does not include the erasure of your data. The erasure is regulated under point e.
iv. The exercise of these rights is valid for the future and does not affect previous data processing.
g) To lodge a complaint to the Data Protection Authority (www.dpa.gr) in case you consider that your rights are in any way violated.
For the exercise of your rights you may contact the Group’s Client Relations Office (7 Santaroza str.,10564, Athens) in writing or by sending an email to email@example.com.
The Bank shall use its best endeavors to address your request within thirty (30) days of its submission. The abovementioned period may be prolonged for sixty (60) more days, if deemed necessary, according to the Bank’s judgment taking into account the complexity of the issue and the number of the requests. The Bank shall inform you within thirty (30) days in any case of prolongation of the abovementioned period. The abovementioned service is provided by the Bank free of charge. However, in case the requests manifestly lack of foundation and/or are repeated and excessive, the Bank may, after informing the client, impose a reasonable fee or refuse to address his/her requests.
The Bank takes appropriate technical and organizational measures to ensure the security and confi dentiality of your personal data, their processing and protection from accidental or unlawful destruction, loss, alteration, prohibited transmission, dissemination or access and any other form of unlawful processing.