The personal data collected by the Bank fall primarily within the following categories; some of the categories may not concern you:
a) Identification data: name and surname, father’s name, mother’s name, Identity Card number/Passport number, Tax Identification Number, Social Security Number, citizenship, profession, etc.
b) Contact information: postal and/or e-mail address, fixed and/or mobile telephone number, etc.
c) Number and type of shares.
d) For the shareholders that are also users of the “e-General Meeting” application the following personal data are also collected: connection data, the Share Code in the Dematerialized Securities System (DSS), date of birth, whether you are a Greek resident or not, data deriving from the use of the application (such as indicatively instructions to vote) etc.
e) As regards the persons with voting rights and the representatives, data regarding your capacity in which you are entitled to vote and relevant supporting documentation are also collected.
f) Correspondence and communication data as well as data deriving from documents you may provide the Bank with.
The aforementioned data are collected either directly from you, from third persons authorized by you, or from the company “Greek Central Securities Depository S.A.”. Moreover, in case you provide the Bank with personal data of third parties you must have properly informed them in advance (indicatively, by referring them to this Data Protection Information) and have ensured their consent, where necessary.
The aforementioned (under Section 1) personal data are processed in order for the Bank to comply with its obligations, as imposed by the legal, regulatory and supervisory framework, as in force from time to time, as well as by the decisions of any public authority or court (see especially purposes under e, a, c, d, and g below), to protect its or third parties’ legal rights and interests (see especially purposes under b, g and h below) and in order to serve your relationship as shareholder or user of the “e-General Meeting” application (see especially the purposes under a, b, c, d, f and g below) for the below mentioned purposes (it is explicitly stated that the processing for the purposes mentioned below may be based on more than one legal basis):
a) To identify you.
b) To communicate with you.
c) To check the correctness and legality of exercising your rights in your capacity as shareholders and/or persons with voting right according to the legislation and regulatory framework on limited liability companies and/or companies with shares or securities admitted to trading on a regulated or organized market (participation in General Meetings, exercise of the voting right in these Meetings, drawing up a shareholders’ list, keeping records of meetings and decisions of the General Meetings etc.).
d) To fulfil its obligations towards you as shareholder or as person with voting right (i.e. dividend distribution).
e) To comply with its legal obligations.
f) For the users of the “e-General Meeting” application: In order to register you, provide you with the application services as well as for the proper function and support of the application.
g) To keep an archive of the Bank’s shareholders.
h) To defend the Bank’s legal rights and interests.
In cases where we have requested and received your consent, the processing of your personal data (as listed in Section 1) is based on your consent. Reliance on consent will be considered only in case the processing of your data cannot be attributed to any of the aforementioned legal bases. In such cases you have the right to withdraw your consent at any time. However, the processing based on your consent prior to your withdrawal remains unaffected.
Recipients of your personal data may be the following persons:
a) The Bank’s administration and/or the Bank’s employees who are responsible for your identification and for monitoring the lawful exercise of your rights.
b) Lawyers, law firms, notaries, bailiffs, experts in any case of judicial acts (including preliminary investigation proceedings, interrogations or prosecution).
c) Natural persons and companies who process data for supervision and updating purposes (including updating your contact details in case of an unnotified amendment) as well as information services and support providers, subject in any case to confidentiality.
d) The company “Greek Central Securities Depository SA”.
e) Supervisory, independent, judicial, prosecution, public and/or any other authorities/entities within their competence (i.e. Hellenic Capital Market Commission).
f) Other shareholders or persons who have voting power and persons responsible for the Bank’s General Meetings.
The Bank may transfer your personal data to third countries, outside the E.E.A., under the following circumstances:
a) if the European Commission decides by an implementing act that the third country, a territory or one or more specified sectors within that third country ensure an adequate level of protection; or
b) if appropriate safeguards have been provided by the recipient, according to the Greek and European Union legislation.
In the absence of the abovementioned circumstances a transfer may take place in case a derogation for a specific situation is provided for by EU and/or national legislation. Some of these derogations may indicatively be the following:
a) you have explicitly consented to the transfer; or
b) the Bank is obliged by law or an international convention to provide the data; or
c) the Bank is obliged to comply with regulations regarding the automatic exchange of data within the tax sector, as derived from the international obligations of Greece (i.e. FATCA); or
d) the transfer is necessary for the establishment, exercise or defense of legal interests.
Please note that in order to fulfil the obligations particularly listed in points c or d above, the Bank may transfer your data to the competent national authorities so that the data are delivered to the respective authorities of third countries.
Your personal data will be stored for the period of time necessary for the fulfillment of their processing purpose, otherwise for the necessary period of time required by the legal and/or regulatory framework in force or for the time required for the Bank to exercise its claims and defend its rights and legal interests.
As regards especially the personal data collected through the “e-General Meeting” application, these will be stored only for the time necessary for the fulfillment of the purpose of their collection. If you choose to delete your registration in the application, your personal data collected through the application will be deleted with the exception of the data whose storage is imposed by the legal and regulatory framework in force or is necessary for the exercise and defense of the Bank’s rights and legal interests.
You have the following rights:
a) To know the categories of personal data that the Bank stores and processes, their sources, the purpose of their processing, the categories of their recipients, the retention period as well as your rights (right of access).
b) To demand the rectification and/or to have your incomplete data completed so that they are accurate (right to rectification) by providing supplementary statements that justify the need for rectification.
c) To ask for a restriction of the processing of your personal data (right to restriction of processing).
d) To object to any further processing of your stored personal data (right to object).
e) To obtain the erasure of your personal data from the Bank’s records (right to erasure).
Please note the following as regards your rights:
- The Bank has in any case the right to deny your request for restriction of processing or erasure of your data, if their processing or storage is necessary in order for you to be a shareholder and/or have the right to vote as well as in case they are necessary for the establishment, exercise or defense of the Bank’s rights or the fulfilment of its obligations towards you as shareholder and/or person having the right to vote.
- The Bank reserves in any case the right to deny the deletion of your personal data because some of them cannot be deleted and are maintained for archiving purposes according to the above-mentioned 2g provision or in any case their processing is necessary for the establishment, exercise of legal rights or fulfillment of the Bank’s legal obligations.
- The exercise of said rights has future effect and does not affect the processing up to that point.
f) To lodge a complaint with the Data Protection Authority (www.dpa.gr) in case you consider that your rights are in any way violated.
For the exercise of your aforementioned rights you may contact in writing the Investor Information Services Division, 8 Iolkou Str. & Filikis Etaireias Str., Nea Ionia, 14234, Athens or send an email to firstname.lastname@example.org.
The Bank shall use its best endeavours to address your request within thirty (30) days of its receipt. The abovementioned period may be prolonged for sixty (60) more days, if deemed necessary, taking into account the complexity of the issue and the number of the requests. You shall be informed within thirty (30) days after receipt of your request in any case of prolongation of the abovementioned period.
The abovementioned service is provided free of charge. However, in case the requests manifestly lack foundation and/or are repeated and/or excessive, a reasonable fee may be imposed after you have been informed or you may not receive an answer to your requests.