2. Background and Purpose
2.3 Pursuant to a servicing agreement dated 13 July 2020, the Company has appointed DOVALUE GREECE LOANS AND CREDITS CLAIM MANAGEMENT SOCIÉTÉ ANONYME, a Greek law 4354/2015 Servicer incorporated and registered under the laws of the Hellenic Republic, registered with the Greek General Commercial Registry (GEMI) under no. 121602601000 (hereinafter referred to as the “Servicer”) to service a portfolio of Greek loans owned by the Company.
3. The Company as a Data Controller
3.1 The Company will act as a Data Controller in respect of Personal Data provided to us by:
(i) Various individuals in connection with the management, operation and administration of the Company; and
(ii) The Servicer in respect of underlying borrowers and related persons under the Greek loans owned by the Company.
Such individuals will generally be limited to the following:
(a) Directors, assigned employees and officers of the Company;
(b) Employees of service providers who provide services to the Company; and
(c) Borrowers who have entered into lending arrangements with Eurobank SA (or a related entity).
(each, a “Data Subject”)
3.2 Personal Data is processed by the Company for the following purposes:
|Purpose of Processing||Lawful Basis under GDPR|
|To comply with legal and regulatory obligations applicable to the Company from time to time, including, without limitation, applicable tax, anti-money laundering and other counter terrorist financing legislation. In particular, in order to comply with the Common Reporting Standard (as implemented in Ireland by Section 891E, Section 891F and Section 891G of the Taxes Consolidation Act 1997 (as amended) and regulations made pursuant to those sections), Shareholders’ personal data (including financial information) may be shared with the Irish tax authorities and the Revenue Commissioners. They in turn may exchange information (including personal data and financial information) with foreign tax authorities (including foreign tax authorities located outside the European Economic Area). Please consult the AEOI (Automatic Exchange of Information) webpage on www.revenue.ie for further information in this regard.||To comply with legal obligations to which the Company is subject (per Art. 6(1)(b) GDPR).|
|To administer and manage the portfolio of credit agreements originated by Eurobank SA and sold to the Company and exercise its rights under the transaction documents pursuant to which the Company purchased the mortgages and appointed the Servicer to service the mortgage loans.||For the purposes of performing a contract.|
4. The Company and Data Processors
4.1 The Company will engage certain service providers to perform certain services on its behalf which may involve the Processing of Personal Data. To the extent that such Processing is undertaken based on the instructions of the Company and gives rise to a Data Controller and Data Processor relationship, the Company will ensure that such relationship is governed by a contract which includes the data protection provisions prescribed by Data Protection Law.
4.2 The Servicer acts as a separate and distinct controller in relation to the borrowers’ data and only supplies anonymised data to the Company, unless otherwise specifically instructed. The Servicer’s Privacy Statement should also be consulted for information on the processing of the personal data of the borrowers.
5. Record Keeping
5.1 As part of our record keeping obligations under Art. 30 of the GDPR, the Company retains a record of the Processing activities under its responsibility. This comprises the following:
|Art. 30 GDPR Requirement||The Company’s Record|
|Name and contact details of the Controller||ERB Recovery Designated Activity Company|
|The categories of recipients to whom the Personal Data have been or will be disclosed.||
|Where applicable, transfers of personal data to a third country outside of the EEA.||See Sections 9 and 11 of this Privacy Policy|
|Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).||See Section 8|
6. Special Categories of Data
6.1 The Company will not ordinarily obtain or Process Special Categories of Data (“SCD”); however, in the very limited circumstances where it does so (for example, in relation to any data relating to the health of a director of the Company), it shall Process such Personal Data in accordance with Data Protection Law.
7. Individual Data Subject Rights
7.1 Data Protection Law provides certain rights in favour of data subjects. The rights in question are as follows (the “Data Subject Rights”):
(a) the right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller);
(b) the right of access to Personal Data;
(c) the right to amend and rectify any inaccuracies in Personal Data;
(d) the right to erase Personal Data (right to be forgotten);
(e) the right of data portability;
(f) the right to restrict Processing;
(g) the right to object to Processing based on legitimate interests; and
(h) the right to object to automated decision making, including profiling.
7.2 These Data Subject Rights will be exercisable by data subjects subject to limitations as provided for in the Data Protection Law. In certain circumstances it may not be feasible for the Company to discharge these rights, for example because of the structure of the Company or the manner in which the Shareholder / noteholder holds Shares / notes in a Company. Data subjects may make a request relating to the servicing of their loans to the Company by addressing their request in writing to the Servicer’s Customer Service and Complaints Management Unit at 27 Kyprou and Archimidous Streets, 18346, Moschato, Greece or via email at [email protected]. Requests shall be dealt with in accordance with the Data Protection Law.
8. Data Security and Data Breach
8.1 The Company undertakes to hold any Personal Data provided by Shareholders / noteholders / borrowers / the Servicer in confidence and in accordance with the Data Protection Law. Accordingly, we and our service providers have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.
8.2 The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of personal data security breaches. Any Data Breaches identified in respect of Personal Data controlled by the Company will be dealt with in accordance with the Data Protection Law and the Company’s Data Breach Procedure.
9. Disclosing Personal Data
9.1 From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example, where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data) and for the purposes of fraud prevention or investigation. In relation to Shareholders / noteholders / borrowers, the Company may be required to disclose Personal Data relating to U.S. Reportable Persons to the U.S. Internal Revenue Service for purposes of FATCA compliance.
9.2 We may also disclose Personal Data to delegates, professional advisors, service providers (e.g., investment managers, distributors, administrators and depositaries), regulatory bodies, auditors, technology providers and any of the respective related, associated or affiliated companies of the foregoing for the same or related purpose(s).
10. Data Retention
10.1 We will keep Personal Data for:
(a) the duration of the Data Subject’s relationship with the Company and afterwards in accordance with the Company’s legal and regulatory obligations and any applicable record retention policy of the Company;
(b) such period as may be deemed by us to be necessary in light of applicable statutory limitation periods; and
11. Data Transfers outside the EEA
11.1 From time to time, the Company may transfer Personal Data to countries outside the EEA which may not have the same or equivalent Data Protection Law as Ireland. If such transfer occurs, the Company will ensure that such processing of Personal Data is in compliance with Data Protection Law and, in particular, that appropriate measures are in place such as entering into Standard Contractual Clauses (as published by the European Commission).
12. Further Information / Complaints Procedure
Last update: 10/07/2021
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller.
“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Act 2018 and any other laws which apply to the Company in relation to the Processing of Personal Data.
“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.
“Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include:
- a name, an identification number;
- details about an individual’s location; or
- any other information that is specific to that individual.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.
“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.
Types of Personal Data
|Categories of Data Subject||Type of Personal Data|
|1. Shareholders / Noteholders / Borrowers and related persons||Name, mailing and residential addresses, email address, telephone number, beneficiary name, nationality, date of birth, account number, bank account details, tax identification number, etc.|
|2. Directors, designated persons and other individuals performing “controlled functions” within the Company under the Central Bank of Ireland’s Fitness & Probity regime.||Name, mailing and residential addresses, email address, telephone number, date of birth, nationality, etc.|
|3. Employees of Company service providers.||Name, mailing address, email address and telephone number, etc.|