Credit Servicing Undertaking For
Glade S.A.R.L

Credit Servicing Undertaking for Glade S.A.R.L
Credit Servicing Undertaking for Glade S.A.R.L

Important information about this notice

This Privacy Notice is issued on behalf of Glade s.a.r.l (the "Company").

This Privacy Notice provides details of the way in which we process personal data in line with our obligations under Data Protection Law.

UK and European Union citizens’ personal data are protected under the General Data Protection Regulation (“GDPR”) and this notice is drafted to provide individuals with all privacy information required under that law.

Introduction

This Privacy Notice is addressed to any living person on whom the Company collects or obtains personal data in the course of undertaking its business and providing its services. The Company is the data controller of your personal data and will make decisions about the processing of your personal data in accordance with the terms of this notice.

Personal data is defined as information relating to a living individual, from which that individual can be identified either directly or indirectly. The Company takes its data protection and privacy obligations seriously and this notice explains how your personal data will be processed and protected, as well as informing you about certain legal rights you have.

The purpose of this notice is to explain what personal data we process, how and why we process it and to describe our duties and responsibilities regarding the protection of such personal data. Please note, the manner we process Personal Data may evolve from time to time.

What type of information we collect

The Company will act as a data controller in respect of personal data provided to us by (i) various individuals in connection with the management, operation and administration of the Company and (ii) doValue Greece S.p.A (the “Servicer”) in respect of underlying borrowers and related persons under the Greek loans owned by the Company, to the extent such Personal Data is provided.

We never collect personal data from, or about, children or any person under the age of 18.

Under the GDPR, the lawful bases we rely on for processing this information are one or more of the following:

(b) We have a contractual obligation.

(c) We have a legal obligation.

(f) We have a legitimate interest.

Special Categories of Personal Data

The Company will not ordinarily obtain or process special categories of personal data, however, if in the very limited circumstances where it does so (for example, a Company directors criminal records as part of the due diligence process) it shall process such personal data in accordance with GDPR.

Individual Data Subject Rights

GDPR provides specific rights in favour of data subjects (the individuals whose data is processed). The rights in question are the following:

(a) the right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the data controller);
(b) the right of access to personal data;
(c) the right to amend, rectify and complete any inaccuracies related to the personal data;
(d) the right to erase personal data (right to be forgotten);
(e) the right of data portability;
(f) the right to restrict processing personal data;
(g) the right to object to processing based on legitimate interests; and
(h) the right to object to automated decision making, including profiling.

These aforementioned rights may be exercised subject to limitations provided for in the GDPR.

Sharing or disclosing your personal data

We may need to share your personal data with various parties for specific business purposes or allow third parties access to personal data which we process (for example, where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data or any other authorised persons) and for the purposes of fraud prevention or investigation.

We require all third parties to protect your personal data and comply with the law. They are not allowed to use your data for their own purposes and may only process it according to our instructions and for specified reasons.

Data Retention

The Company will always seek to utilise secure data transfer mechanisms for any required transfer of personal data to an external party.

We keep the personal data we obtain about you for the duration of our business relationship with you and for as long as we reasonably require it up to a maximum of 7 years after our relationship has ended, as permitted by the GDPR. In no circumstances will we retain personal data for longer than is necessary for the purpose for which it was collected, unless required to meet any legal or regulatory obligations, for example investigations or official inquiries. We will then securely dispose your information either by permanent deletion or total, irreversible anonymisation.

Record Keeping

As part of our record keeping obligations under Art. 30 of the GDPR, the Company retains a record of the Processing activities under its responsibility.

Data Transfers outside the EEA

From time to time, the Company may transfer personal data to countries outside the EEA which may not have the same or equivalent data protection laws as Luxembourg (governed by the GDPR). If such transfer occurs, the Company will ensure that such processing of personal data is carried out in compliance with the provisions of the GDPR and the relevant standard contractual clauses in any legal agreements.

Data Security and Data Breach

The Company is committed to maintaining the confidentiality of all personal data received from shareholders, noteholders, borrowers, and the Servicer, ensuring compliance with GDPR. To safeguard this data, both the Company and its service providers implement a range of technical and organisational security measures, such as locked filing cabinets, encryption, and restricted access via approvals and passwords, to prevent unauthorized or unlawful destruction, loss, alteration, disclosure, acquisition, or access. In line with GDPR requirements, the Company will promptly notify the Commission Nationale pour la Protection des Données (CNPD) in Luxembourg and the affected individuals in the event of certain personal data breaches, handling any such incidents according to GDPR.

Further Information/Complaints Procedure

Any complaints or further information about this notice and/or the processing of personal data by or on behalf of the Company may be made available to data subjects being borrowers or related persons under the Greek loans provided by the Company if necessary by addressing their request in writing to the Servicer’s Customer Service and Complaints Management Unit of doValue Greece, 27 Kyprou and Archimidous Streets, 18346, Moschato, Greece or via email at dovaluegreece@dovaluegreece.gr.

Alternatively, complaints can be made to the Commission Nationale pour la Protection des Données (CNPD) in Luxembourg.