Cairo No.3 Finance Designated Activity Company

2.1    The purpose of this Privacy Policy is to explain what Personal Data we process and how and why we process it. In addition, this Privacy Policy outlines our duties and responsibilities regarding the protection of such Personal Data. The manner in which we Process Personal Data will evolve over time and we will update this Policy from time to time to reflect changing practices.

2.2    In addition, in order to meet our transparency obligations under the Data Protection Law, we will incorporate this Privacy Policy by reference into various points of data capture used by us e.g. subscription application forms etc.

2.3    Pursuant to the Amended and Restated Servicing Agreement dated 5 March 2020, the Company has appointed doValue Greece Loans and Credits Claim Management Société Anonyme, a Greek law 4354/2015 Servicer incorporated and registered under the laws of the Hellenic Republic, registered with the Greek General Commercial Registry (GEMI) under no. 121602601000 (hereinafter referred to as the “Servicer”) to service a portfolio of Greek loans owned by the Company. doValue Greece is the new brand name of Eurobank FPS Loans and Credits Claim Management Société Anonyme.

3.1    The Company will act as a Data Controller in respect of Personal Data provided to us by:

(i) Various individuals in connection with the management, operation and administration of the Company and 
(ii) The Servicer in respect of underlying borrowers and related persons under the Greek loans owned by the Company. 

Such individuals will generally be limited to the following:

(a) Directors, assigned employees and officers of the Company;
(b) Employees of service providers who provide services to the Company; and
(c) Borrowers who have entered into lending arrangements with Eurobank SA (or a related entity).
(each, a “Data Subject”)

3.2    Personal Data is processed by the Company for the following purposes:

4.1    The Company will engage certain service providers to perform certain services on its behalf which may involve the Processing of Personal Data. To the extent that such Processing is undertaken based on the instructions of the Company and gives rise to a Data Controller and Data Processor relationship, the Company will ensure that such relationship is governed by a contract which includes the data protection provisions prescribed by the Data Protection Law.

4.2    The Servicer acts as a separate and distinct controller in relation to the borrowers’ data and only supplies anonymised data to the Company, unless otherwise specifically instructed.  The Servicer’s Privacy Statement should also be consulted for information on the processing of the personal data of the borrowers.

5.1    As part of our record keeping obligations under Art. 30 of the GDPR, the Company retains a record of the Processing activities under its responsibility. This comprises the following:

6.1    The Company will not ordinarily obtain or Process Special Categories of Data (“SCD”), however, if in the very limited circumstances where it does so (for example, in relation to any data relating to the health of a director of the Company) it shall Process such Personal data in accordance with the Data Protection Law.

7.1    Data Protection Law provide certain rights in favour of data subjects. The rights in question are as follows (the “Data Subject Rights”):

(a) the right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller);

(b) the right of access to Personal Data;

(c) the right to amend and rectify any inaccuracies in Personal Data

(d) the right to erase Personal Data (right to be forgotten);

(e) the right of data portability;

(f) the right to restrict Processing;

(g) the right to object to Processing based on legitimate interests; and

(h) the right to object to automated decision making, including profiling;

7.2    These Data Subject Rights will be exercisable by data subjects subject to limitations as provided for the Data Protection Law. In certain circumstances it may not be feasible for the Company to discharge these rights, for example because of the structure of the Company or the manner in which the Shareholder / noteholder holds Shares / notes in a Company. Data subjects may make a request relating to the servicing of their loans to the Company by addressing their request in writing to the Servicer’s Customer Service and Complaints Management Unit at 27 Kyprou and Archimidous Streets, 18346, Moschato, Greece or via email at [email protected]. Requests shall be dealt with in accordance with the Data Protection Law.

8.1    The Company undertakes to hold any Personal Data provided by Shareholders / noteholders / borrowers / the Servicer in confidence and in accordance with the Data Protection Law. Accordingly, we and our service providers have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access.  Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.

8.2    The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of personal data security breaches. Any Data Breaches identified in respect of Personal Data controlled by the Company will be dealt with in accordance with the Data Protection Law and the Company’s Data Breach Procedure.

9.1    From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example, where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data) and for the purposes of fraud prevention or investigation. In relation to Shareholders / noteholders / borrowers, the Company may be required to disclose Personal Data relating to U.S. Reportable Persons to the U.S. Internal Revenue Service for purposes of FATCA compliance.

9.2    We may also disclose Personal Data to delegates, professional advisors, service providers (e.g., investment managers, distributors, administrators and depositaries) regulatory bodies, auditors, technology providers and any of the respective related, associated or affiliated companies of the foregoing for the same or related purpose(s).

10.1    We will keep Personal Data for:

(a) the duration of the Data Subjects’ relationship with the Company and afterwards in accordance with the Company’s legal and regulatory obligations and any applicable record retention policy of the Company;

(b) such period as may be deemed by us to be necessary in light of applicable statutory limitation periods;  and

(c) otherwise only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data is Processed (as described in this Privacy Policy).

11.1    From time to time, the Company may transfer Personal Data to countries outside the EEA which may not have the same or equivalent Data Protection Law as Ireland. If such transfer occurs, the Company will ensure that such processing of Personal Data is in compliance with Data Protection Law and, in particular, that appropriate measures are in place such as entering into Standard Contractual Clauses (as published by the European Commission).

12.1    Further information about this Privacy Policy and / or the Processing of Personal Data by or on behalf of the Company may be made available to Data Subjects being borrowers or related persons under the Greek loans owned by the Company if necessary by addressing their request in writing to the Servicer’s Customer Service and Complaints Management Unit at 27 Kyprou and Archimidous Streets, 18346, Moschato, Greece or via email at [email protected]. While Data Subjects may make a complaint in respect of compliance with Data Protection Law directly to the Irish Data Protection Commission, Data Subjects being borrowers or related persons under the Greek loans owned by the Company will be requested to contact the Servicer’s Customer Service and Complaints Management Unit at 27 Kyprou and Archimidous Streets, 18346, Moschato, Greece or via email at [email protected] in the first instance to give us the opportunity to address any concerns that they may have.

Last update: 10/07/2021

Glossary

In this Privacy Policy, the terms below have the following meaning:

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller. 

“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Act 2018 and any other laws which apply to the Company in relation to the Processing of Personal Data.

“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.

“Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include:

• a name, an identification number;
• details about an individual’s location; or 
• any other information that is specific to that individual. 

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.

“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.

Types of Personal Data