Capitalised terms used in this Policy shall have the meaning given to them in the Glossary attached as Annex A.
Purpose - Legal Framework
The purpose of this Policy is to explain what Personal Data we process, how and why we process it and to describe our duties and responsibilities regarding the protection of such Personal Data. The manner we process Personal Data may evolve from time to time. Therefore this Policy will need to be updated in order to reflect changing practices accordingly.
In order to meet our transparency obligations under the Data Protection Law, we will incorporate this Policy by reference to various points of collection of data used by us.
In accordance with the provisions of the Servicing Agreement dated 22.03.2022, the Company has appointed the company under the corporate name “doValue Greece Loans and Credits Claim Management Société Anonyme”, a Greek law 4354/2015 Servicer incorporated and registered under the laws of the Hellenic Republic, registered with the Greek General Commercial Registry (GEMI) under no. 121602601000 (hereinafter the “Servicer”) to service certain receivables owned by the Company.
The Company as a Data Controller
The Company will act as a Data Controller in respect of Personal Data provided to us by: (a) various individuals in connection with the management, operation and administration of the Company; and (b) the Servicer in respect of each borrower and its related persons within the context of debt management. Indicatively, such individuals are (a) members of the administration, employees and officers of the Company; (b) employees who provide services to the Company; and (c) each borrower that has entered into a lending arrangement as well as any third parties that have provided guarantees / securities for each relevant arrangement as well as individuals related to each borrower - legal entity (each a “Data Subject”).
Personal Data is processed by the Company for the following purposes:
(a) To comply with legal and regulatory obligations applicable to the Company from time to time, including, without limitation, applicable tax, anti-money laundering and countering the financing of terrorism legislation (lawful basis: to comply with legal obligations to which the Company is subject); and
(b) To administer and manage the receivables acquired by the Company and to exercise the relevant rights under which the Company acquired them and appointed the Servicer for their service. The operation of the employment or service provider agreements and in general the relationship between the Company and the employees, executives, officers, members of administration as well as service providers of the Company (lawful basis: for the purposes of complying with contractual obligations).
The Company and Data Processors
The Company will engage specific service providers to perform certain services on its behalf which may involve activities with processing of Personal Data. To the extent that such Processing is undertaken based on the instructions of the Company and gives rise to a Data Controller and Data Processor relationship, the Company will ensure that such relationship is governed by an agreement which includes the data protection provisions prescribed by the Data Protection Law.
As part of our record keeping obligations under Article 30 of the GDPR, the Company retains a record of the Processing activities under its responsibility in accordance with the provisions of the said Article.
Personal Data - Special Categories of Data
The Company will not ordinarily obtain or process Special Categories of Data. Nevertheless, in the very limited circumstances where it does so, it shall process such Personal Data in accordance with the provisions of the Data Protection Law.
Individual Data Subject Rights
The Data Protection Law provides specific rights in favour of data subjects. The rights in question are the following (hereinafter the “Data Subject Rights”):
(a) the right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller);
(b) the right of access to Personal Data;
(c) the right to amend, rectify and complete any inaccuracies related to the Personal Data;
(d) the right to erase Personal Data (right to be forgotten);
(e) the right of data portability;
(f) the right to restrict Processing;
(g) the right to object to Processing based on legitimate interests; and
(h) the right to object to automated decision making, including profiling.
These Data Subject Rights may be exercised subject to limitations provided for in the Data Protection Law. In certain circumstances it may not be feasible for the Company to fulfill relevant rights. Data Subjects may address a written request to the Company relating to the management of their personal data, by addressing their request in writing to the Servicer’s Customer Service and Complaints Management Unit at 27 Kyprou and Archimidous Streets, 18346, Moschato, Greece or via email at [email protected] Relevant requests shall be dealt with in accordance with the provisions of the Data Protection Law.
Personal Data - Data Security and Data Breach
The Company undertakes to hold confidential any Personal Data provided by the Servicer in accordance with the provisions of the Data Protection Law.
Respectively, we and our service providers use and apply technical and organizational measures in order to protect Personal Data from unlawful or unauthorized destruction, loss, change, disclosure, acquisition or access. Personal Data is held securely using a range of appropriate security measures.
Data Controllers must notify the Data Protection Authority and affected Data Subjects in case of certain types of personal data security breaches. Personal Data Breach means the breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or otherwise processed. A Data Breach incident that may occur regarding Personal Data under the control of the Company will be dealt with in accordance with the provisions of the Data Protection Law.
Disclosing Personal Data
We may disclose Personal Data (a) to third parties, or allow third parties to access Personal Data we process for the purposes of complying with applicable law; and (b) to authorized persons, consultants, service providers, bodies, statutory auditors, providers technology services, and to any affiliated companies or subsidiaries of the foregoing for the same or respective purposes.
We will keep Personal Data:
(a) throughout the duration of the Data Subjects’ relationship with the Company and after its expiry in accordance with the Company’s legal and regulatory obligations and any applicable record retention policy of the Company;
(b) for such period as may be deemed by us to be necessary in light of applicable statutory limitation periods; and
(c) in any other case, only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data is Processed.
Data Transfers outside the EEA
From time to time, the Company may transfer Personal Data to countries outside the EEA which may not have the same or equivalent Data Protection Law as Cyprus or an equivalent Data Protection Law. If such transfer occurs, the Company will ensure that such processing of Personal Data is carried out in compliance with the provisions of the Data Protection Law.
For further information about this Policy and / or the Processing of Personal Data by or on behalf of the Company, you may address your requests in writing to the Servicer’s Customer Service and Complaints Management Unit of doValue Greece at 27 Kyprou and Archimidous Streets, 18346, Moschato, Greece or via email at [email protected] and thereafter, if you wish, to the competent Authority.
Data Controller means the entity which, alone or jointly with others, determines the purposes and the means of the processing of Personal Data.
Data Protection Law means the General Data Protection Regulation 2016/679 (GDPR) and any other law on Data Protection as well as any other laws which may apply to the Company in relation to the Processing of Personal Data.
European Economic Area or EEA means Austria, Belgium, Bulgaria, Croatia, the Republic of Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein and Norway. Personal Data means any information relating to a living individual which allows the identification of that individual.
Personal Data can include: (a) the name and identification information; (b) details about an individual’s location; or (c) any other information that is specific to that individual.
Processing means each action or set of actions performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The terms Process and Processing are interpreted accordingly.
Special Categories of Personal Data are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data or data concerning sex life and any Personal Data relating to criminal convictions or offences.
Types of Personal Data means for each borrower and its related parties-individuals, the name, the postal and residential address, the e-mail address, the telephone number, the name of the beneficiary, the nationality, the date of birth, the account number, the bank account details, the debt details, the tax identification number, etc.