GDPR – General Data Protection Regulation

With the exception of data under points (a) and (b) below which are absolutely necessary in any relationship with the Eurobank Holdings, the type and number of other collected and processed personal data depends in any case on the data subject’s capacity as well as on other factors, such as the type of transaction/contract/ partnership/relationship, the product or service that has been, is or will be provided and their provision is necessary for the commencement and the continuation of the transaction/contract/ partnership/relationship with you and the provision of a product or service. In view of the above, the personal data that Eurobank Holdings collects and processes may indicatively be the following and not all of them necessarily concern you:

a) Identification data: name and surname, father’s name, mother’s name, identity card or passport, Tax Identification Number, Tax Office etc.. The aforementioned data are provided directly by you and are updated with your assistance.

b) Contact data: postal and e-mail address, fixed and mobile telephone number etc.. The data are received directly by you and are verified/updated with your assistance and/or are collected/verified/updated from natural or legal persons in general that undertake on behalf of Eurobank Holdings the update of your contact data in case you have omitted to notify Eurobank Holdings of any such amendment.

c) Data for payments/transactions: indicatively bank account and card numbers etc..

d) Professional and business activity data.

e) Data deriving from supplementary and supporting documentation you provide Eurobank Holdings with, questionnaires that you fill during your contractual or relationship or transaction or partnership or at a pre-contractual stage.

f) Data deriving from the performance of your contract(s) with Eurobank Holdings, where you participate as counter party or under any other capacity, the performance of transactions (including the nature/type of transaction etc.) and the establishment of partnerships as well as the use of services that have been or are provided.

g) Recorded communication data provided you have been previously informed pursuant to the legal provisions and your communication data with Eurobank Holdings.

h) Electronic identification data and data on connection with electronic and/or digital services and applications, data related to the provision or use of Eurobank Holdings’ electronic/and or digital products and services (i.e. cookies, IP addresses or other online identification data).These data are collected either directly from you, from portable devices or applications you are using or from services providers Eurobank Holdings collaborates with.

i) Image data collected from the video recording systems of Eurobank Holdings’ premises, where signs have been placed pursuant to the law.

j) Data deriving from securities (including insurances) in the name and to the benefit of Eurobank Holdings.

The abovementioned data may be collected/verified/updated by the Eurobank Holdings, where this is allowed and appropriate, and via publicly available sources such as indicatively registers, internet etc.. The data collection directly from you includes the data collection by a third party, natural or legal, that acts on your behalf or is related to you, as well as the data collection by Eurobank Holdings’ partners that act on its mandate and behalf (such as intermediaries etc.) to which you have provided your personal data with in order for them to transfer these data to Eurobank Holdings. In case you provide Eurobank Holdings with personal data of third persons you must have in advance properly informed them (indicatively by referring them to this Information) and ensured their consent, where required.

Eurobank Holdings collects and processes your personal data that are each time necessary:

A. For the execution of a contract and in order to carry out pre-contractual measures at your request

The processing of your data as described in Section 1 above serves purposes such as:

a) Your identification, verification of your data and the communication with you during the pre-contractual and contractual stage, as well as during any other transaction/partnership between you and Eurobank Holdings.

b) The evaluation of your applications and requests in general, the assessment of the transactional risk that Eurobank Holdings has undertaken  or will undertake, the formation of a contact with you, its execution and smooth function, the debt evolution arising from the contract, the fulfillment of each counterparty’s obligations and the defense of interests and exercise of Eurobank Holdings’ rights.

c) The service, support, execution and monitoring of your transactions including the electronic ones.

d) The communication with you, your information on the best use of Eurobank Holdings’ products and/or services (i.e. new features or functionalities of these products or new opportunities to use products/services to your benefit, your information about or participation in bonus and loyalty rewards programs, lots, contests etc.).

Said processing (under Section A) serves also Eurobank Holdings’ compliance with its legal obligations (see below Section B) as well as Eurobank Holdings’ or a third party’s legitimate interests (see below Section C).

B. For Eurobank Holdings’ compliance with its legal obligations

The processing of your data as described in Section 1 above also serves purposes such as:

a) Eurobank Holdings’ compliance with obligations imposed by the relevant legal, regulatory and supervisory framework in force, or international agreements as well as with authorities’ decisions (public, supervisory, independent, prosecution etc.) or courts (regular or arbitrary).

b) The protection of the Eurobank Holdings’ clients, personnel and visitors and their property as well as Eurobank Holdings’ premises and property in general.
Said processing (under B) serves also Eurobank Holdings’s or a third party’s legitimate interests (see below under C).

C. For Eurobank Holdings’ or third parties’ legitimate interests

The processing of data under Section 1 serves, additionally, purposes such as indicatively the security and safety of Eurobank Holdings’ information systems, facilities and assets, the prevention and deterrence of criminal acts or frauds, the defense of Eurobank Holdings’ or third parties’ legal rights and interests (third parties being indicatively Eurobank Holdings Group companies, cooperating with Eurobank Holdings companies, corporate social security etc.), the retention of historical record, the transfer of claims to third parties pursuant to the legislation (indicatively Law 3156/2003, etc.) (it is hereby clarified that in the framework of this Information any reference to a certain legislative instrument is understood as said instrument is in force or has been replaced), to establish the satisfaction level from Eurobank Holdings’ provided products and services as well as the update/enhancement of its products and services and the transactional relation of Eurobank Holdings with you in general.

D. Upon your consent

In cases where we have asked and received your consent, especially when the processing cannot be based on any of the abovementioned (2.A. – 2.C.) legal bases the processing of your data under Section 1 is based on this consent (see in particular below the case of data transfer outside the EEA under 4.c.i., as well as in cases where you fill out printed or electronic application forms to receive information on Eurobank Holdings’ or other cooperating companies’ services and actions). In such cases, you have the right to withdraw your consent at any time. Please see below under Section 7 how you can withdraw your consent; where relevant, we will also inform you on specific ways to withdraw your consent depending on the way you provided us with it. However, the processing based on your consent prior to its withdrawal remains unaffected.

E. Profiling - Automated decision-making

Eurobank Holdings does not carry out solely automated individual decision-making. In case Eurobank Holdings decides in the future to carry out automated individual decision-making, including profiling, that produces legal effects or significantly affects you in a similar way, you will be provided with a specific information and, where required, will be asked for your consent.

In implemented its contractual, legal and regulatory obligations, servicing its or third parties’ legitimate interests (such as Eurobank Holdings Group companies, companies cooperating with Eurobank Holdings, corporate social responsibility etc.) as well as in cases where Eurobank Holdings is authorized or has received your consent, recipients of your personal data may for example be the following:

a) Eurobank Holdings’ competent employees and members of the administration within the framework of their duties.

b) Eurobank Holdings Group companies (explicitly included herein companies of the Group of its subsidiary company’s Eurobank S.A.) for the total risk assessment, their compliance with their supervisory obligations and the consolidated and centralized respond towards Eurobank Holdings Group’s clients.

c) Call centers.

d) Companies conducting customer satisfaction surveys or market surveys in general.

e) Companies for the promotion of products and/or services - advertising companies.

f) Companies responsible for storage, filing, management and destruction of files, records and data.

g) Natural or legal persons processing data in order to update them pursuant to the law (including the update of your contact data in case you have omitted to notify Eurobank Holdings of said amendment).

h) Lawyers, law firms, notaries, bailiffs, experts, engineers, valuers, chartered accountants and auditors, consulting providers (such as financial consultants etc.) within the framework of their duties.

i) Information products and/or services providers (including cloud services providers) and/or information and electronic systems and network support providers of any kind, including online systems and platforms. Electronic communication and information society services providers (indicatively telecommunication providers, e-mail, web hosting, viber).

j) Security companies.

k) Insurance companies and intermediaries in the framework of providing insurance services for the insurance of Eurobank Holdings.

l) Post services providers.

m) Intermediaries acting on your or our behalf, your trustees/administrators, your legal consultants or representatives.

n) Credit and/or financial institutions that have been authorized and legally operating, as well as special purpose companies and administrators pursuant to Law 3156/2003 on securitization.

o) Supervisory, independent, judicial, prosecution, police, tax, public or/and any other authorities, entities or parties that are responsible for the supervision/monitoring of Eurobank Holdings’ activities within their competence, authorized mediators and mediation centers, arbitration tribunals and alternative dispute resolution entities.

p) Companies responsible for the issuance of digital certificates and digital signatures.

q) Potential or current buyers of part or the whole of Eurobank Holdings’ activities and assets (including its rights) and/or parties that are entitled to an encumbrance on Eurobank Holdings’ assets (including its rights).

r) Eurobank Holdings’ clients, where required in the framework of services provision to them.

s) Any third parties that submit a request for information to the Eurobank Holdings, provided the legal conditions have been met.

For the personal data processing of the abovementioned recipients that act as controllers we advise you to consult their personal data notices.

Eurobank Holdings can transfer your personal data to third countries or international organizations outside the European Economic Area (EEA) under the following circumstances:

a) if the Commission decides that the third country, territory or one or more specified sectors within that third country or an international organization ensures an adequate level of protection; or

b) if appropriate safeguards for data processing have been provided, according to EU and national legislation.

c) In the absence of the abovementioned circumstances a transfer may take place if a derogation as provided for in by the relevant EU (article 49 of the Regulation) and national legislation is met, including indicatively the following:

i. You have explicitly consented to the transfer;

ii. The transfer is necessary for the execution of a contract between you and Eurobank Holdings, or for the implementation of pre-contractual measures on your request or for the signing or execution of a contract that drawn up for your benefit;

iii. The transfer is necessary for the establishment, exercise or defense of legal claims; or

iv. Within the framework of Eurobank Holdings’ compliance with obligations imposed by the legislation or international agreements and to the extent that the transfer is necessary for important reasons of public interest.

Personal data will be kept for the time necessary for the fulfillment of their processing purpose, otherwise for the time required by relevant the legal and/or regulatory framework or the time necessary for the exercise of claims or defense of rights and legitimate interests.

More precisely and indicatively:

- In case you enter into a contract with Eurobank Holdings, the relevant personal data will be stored for as long as the contract stands. In case of contract expiry or termination Eurobank Holdings may retain your data until the expiration of the limitation period for legal actions, as defined by law, and more precisely for up to twenty (20) years after the termination or expiry of the contract. If during said period legal actions have been initiated with Eurobank Holdings or any other affiliated company and you are directly or indirectly involved, the abovementioned storage period will be prolonged until an irreversible judicial decision has been issued. In case you do not sign a contract with Eurobank Holdings your data will be stored for up to five (5) years from your application rejection. In case legal actions are pending by the end of that period with Eurobank Holdings or any other affiliated company is and you are directly or indirectly involved, the data will be preserved until the issuance of an irreversible judicial decision.

- In case data processing is imposed by law personal data will be stored for the period provided by the relevant legal or regulatory provisions and in any case for the time necessary for the exercise of claims or defense of rights and legitimate interests.

Documents that have your signature and contain your personal data may be stored electronically/digitally after a period of five (5) years.

You have the following rights:

a) Ta demand to know the categories of your personal data that we store and process, where they come from, the purposes of their processing, the categories of their recipients, the period of storage as well as your relevant rights (right of access).

b) To demand the rectification or/and amendment to your data completed so that they are complete and accurate (right to rectification) by providing any necessary document justifying the need for rectification.

c) To ask for a restriction of the processing of your personal data (right to restriction of processing).

d) To object to any further processing of your stored personal data (right to object).

e) To obtain the erasure of your personal data from the records we keep (right to erasure), under certain circumstances such as in cases when the data are no longer necessary, you have withdrawn your consent or your data have been unlawfully processed etc..

f) To ask for the transfer of your data kept by the Eurobank Holdings to any other controller (right to data portability).

g) To withdraw your consent at any time. The legality of the processing based on your consent before its withdrawal remains unaffected and you can consent again to the processing.

h) Right to complain to the Data Protection Authority: You have the right to lodge a complaint with the Hellenic Data Protection authority in case you consider that your rights are in any way violated. For the Authority’s competence as well as the way to lodge a complaint you can find detailed information on its website (www.dpa.gr – Citizen rights – Complaint to the Hellenic DPA).

Please note the following as regards your abovementioned rights:

i. Your rights as explained under points c, d and e above may be not satisfied partly or fully if these data are deemed necessary for the contract formation and continuation, regardless of their source.

ii. Eurobank Holdings reserves in any case the right to deny your request for restriction of data processing or data erasure if their processing or storage is necessary for the establishment, exercise or defense of Eurobank Holdings’ legitimate rights or the fulfilment of its obligations.

iii. The right to data portability (point f) does not entail the erasure of your data. The erasure is regulated under point ii above.

iv. The exercise of these rights is valid for the future and does not affect any previous data processing.

For the exercise of your rights you may contact in writing the Personal Data Requests, Eurobank Holdings, 8 Othonos Str., 10557 Athens or send an email to gdpr-requests@eurobankholdings.gr. Eurobank Holdings will use its best endeavors to address your request within thirty (30) days of its receipt. The abovementioned period may be prolonged for sixty (60) more days, if deemed necessary, at the Eurobank Holdings absolute discretion taking into consideration the complexity of the issue and the number of the requests. Eurobank Holdings shall inform you within thirty (30) days of the request’s receipt in any case of prolongation of the abovementioned period. The abovementioned service is provided by Eurobank Holdings free of charge. However, in case the requests manifestly lack of foundation and/or are excessive and repeated, Eurobank Holdings may, after informing the client, impose a reasonable fee or refuse to address your request(s).

You may contact the Data Protection Officer for any matter regarding the processing of your personal data at the address Eurobank Holdings, 8 Othonos Str., 10557 Athens or by sending an email to dpo@eurobankholdings.gr.

Eurobank Holdings implements appropriate organizational and technical measures to ensure the security and confidentiality of your personal data and their protection from accidental or unlawful destruction, loss, alteration, prohibited transmission, dissemination or access and any other form of unlawful processing.

Eurobank Holdings may amend the present Information. In such case the date of the update will be mentioned at the end of the Information and you will be notified accordingly via a posting on Eurobank Holdings’ website.