Personal Data Processing Notice of doValue Greece

The controller of your personal data is doValue Greece, a special purpose Société Anonyme for the servicing of receivables deriving from loans and credits pursuant to the provisions of Greek law 5072/2023, duly authorised and supervised by the Bank of Greece in accordance with article 1 of Greek law 4354/2015 as applicable and in force in conjunction with article 40 of Greek law 5072/2023 (Decision no. 220/2017 of the Credit and Insurance Committee of the Bank of Greece, published in the Government Gazette’s Issue Β’ 880/16.3.2017).

This Notice refers to natural persons (debtors, co-debtors, co-obligors, guarantors etc.), whose debts are included in the receivables portfolios under the servicing of doValue Greece pursuant to the provisions of Greek law 5072/2023, following the assignment thereof by the aforesaid entities, as well as to any natural person (third parties who have provided guarantee or other collateral  in favor of the above persons, family members, legitimate representatives, attorneys at law, process agents (in Greek: antikliti), other authorised persons, employees, associates, legal representatives, shareholders and  actual beneficiaries of debtors who are legal persons or entities etc.) affiliated with the above and/or relating to the debts thereof.

It is noted that if the debtor (or co-debtor, co-obligor, guarantor, etc.) is a legal person or entity, this Notice is addressed to its administrators, representatives, partners and members of management whose personal data are processed by doValue Greece for the purposes of servicing said legal person’s debt by doValue Greece.

A. Categories of personal data processed by doValue Greece.

With the exception of data under points (i) and (ii) below which are absolutely necessary in any relationship with doValue Greece, the categories and number of other collected and processed personal data depends in any case on the data subject’s capacity, as per Section 2 above, as well as on other factors, such as the type of relationship, partnership or transaction with doValue Greece.

In view of the above, the personal data that doValue Greece collects and processes may indicatively be the following and not all of them necessarily concern you:

1. Identification data: name and surname, father’s name, mother’s name, identity card and identity card number or passport and passport number, tax identification number (T.I.N.), competent tax authority, social security number (in Greek A.M.K.A.), date and place of birth, sex, citizenship, signature data etc.
2. Contact data: postal and e-mail address, fixed and mobile telephone number, etc.
3. Data concerning your economic, financial and family status: profession and duration of occupation, remuneration, dependent family members, marital status or non/ partnership contract/widowhood, tax declarations (forms E1 and E9 etc.), salary statements, tax clearance certificates and/or insurance clearance certificates, mobile, real estate and other assets, etc.
4. Data concerning the failure to perform your financial obligations: such as, termination of loan and credit agreements, payment orders, seizures and relevant payment rulings, applications for and decisions on consolidation or bankruptcy or debt settlement in general (indicatively applications under Greek law 3869/2010, Greek law 4469/2017, Greek law 4605/2019 etc.).
5. Data concerning your creditworthiness: such as debts towards credit and/or financial institutions deriving from loans and credits etc.
6. Credit profiling/ credit scoring data from databases on economic behavior such as the company TIRESIAS S.A.
7. vii) Data concerning the performance, servicing and management of your loan or credit from which your debt derives, including the relevant contractual documents, the payment history relating to your debt, as well as letters or extrajudicial notices exchanged with regard to your debt.
8. Payment data (including, but not limited to, in the case of standing orders to debit deposit accounts and/or credit or debit card payments) and data relating to the operation, servicing and administration of the loan or credit from which your debt arises, including the relevant contractual documents, the payment history of your debt, as well as letters or extrajudicial letters exchanged in relation to your debt.
9. Data related to recorded communications (such as phone calls, face to face communications, electronic communications) in accordance with the legal requirements (including, indicatively, any complaints and requests submitted by the debtors, as well as any telephone communications made by doValue Greece for the purpose of informing the debtors for overdue debts in accordance with the provisions of Greek law 3758/2009, as applicable and in force).
10. Special categories of personal data, such as health data concerning you and/or dependent members of your family, which are collected directly from you by virtue and for the purposes of implementing the procedures of the Bank of Greece Code of Conduct (Credit and Insurance Committee Decision with no. 195/1/29.7.2016, as in force), as well as for the purposes of processing and assessing any debt-settlement requests and complaints and/or where you have provided your explicit consent and/or when the processing is necessary for the establishment, exercise or support of legal claims of doValue Greece or the respective receivables entities.
11. For further information regarding the processing of special categories of personal data by doValue Greece, please follow the link: Processing of Personal Data of Special Categories doValue Greece
12. Data related to the use of electronic and/or digital services and communications of doValue Greece (such as cookie identifiers, IP addresses, location data or other online identification data), pursuant to the specific terms governing such services.
13. Image data collected from the video surveillance systems at the premises of doValue Greece, where relevant notification signs have been placed pursuant to the law (analytical information for the processing of the personal data through the video surveillance system at your entrance in the premises of doValue Greece please follow the link:  Privacy Notice for CCTV Monitoring and Visitors’ Personal Data Entering the Premises of doValue Greece | doValue Greece).
14.  
15. Data deriving from supplementary and supporting documentation you send to or submit to doValue Greece during your contractual relationship with doValue Greece or at a pre-contractual stage.
16. Data for the assessment of the risk of money laundering and/or terrorism financing.
17. Minors’ data, only when the legal preconditions have met.

B. Sources from which doValue Greece collects your personal data.

doValue Greece collects your aforesaid personal data from the following sources:

1. The credit or financial institution which granted the loan or credit from which your debt derives
2. The entity which assigned to doValue Greece the servicing of your debt.
3. Other servicers under the provisions of Greek law 5072/2023, as applicable and in force.
4. Directly from you.
5. Credit or financial institutions with which you maintain a customer relationship for the purpose of applying due diligence measures pursuant to the applicable legal and regulatory framework on the prevention, detection and mitigation of money laundering and terrorist financing.
6. Publicly accessible sources (indicatively telephone directories, courts, land registers, cadastral offices, registers, web, open social media profiles, mass media etc.).
7. From the platform of eGov-KYC after your authorization.
8. From the databases on economic behavior held by the company TIRESIAS S.A. (registered office’s address: 2 Alamanas Str., 151 25 Maroussi, tel. number: +30 210 3676700, website: www.teiresias.gr).
   It is noted that the controller of the aforesaid economic behavior data is the company under the trade name “INFORMATION BANKING SYSTEMS SA” and distinctive title “TIRESIAS S.A.” to which you may address any request regarding the exercise of your relevant rights as well as the provision of information in accordance with the law. Such information on the processing of personal data by TIRESIAS S.A. is available at the company’s website at:  www.teiresias.gr.
9. Lawyers, law firms, court bailiffs, notaries.
10. Third (natural or legal) parties, acting on your behalf or related to you.
11. Electronic devices or applications you use or service providers doValue Greece collaborates with. 
12. Public authorities, services and bodies (including the Central Portal of the Public Administration and the tax authorities) in accordance with the legal provisions.

It is noted, that in case you provide doValue Greece with third parties’ personal data, including those of process agents and/or administrators, representatives, partners and management bodies, you must have ensured that you have duly informed such third parties with regard to the transfer of their personal data and the processing thereof by doValue Greece, prior to such transfer (indicatively via reference to this Notice of doValue Greece), and that you have obtained their necessary consent, if required.

doValue Greece processes your personal data for credit servicing purposes in accordance with Greek law 5072/2023, as applicable and in force. In particular, doValue Greece processes your personal data for the purposes mentioned below:

For the execution of a contract and in order to take pre-contractual measures at your request.

Said processing of your personal data serves, in particular, purposes such as:

1. Your identification, verification of your data and the communication with you during the management of your debt under the original loan or credit agreement or under the relevant debt-settlement agreement and during both the pre-contractual and contractual stage.
2. The management of your loan or credit agreement, from which your debt under the servicing of doValue Greece derives, and the conclusion, execution, management and, in general, smooth servicing of the agreement concluded for the settlement of your debt and for the fulfillment of the respective obligations arising therefrom.
3. The monitoring of your debt evolution, the assessment of your application and your requests.
4. The prevention or mitigation of your potential failure to fulfill your obligations arising from the loan or credit, from which your debt under the servicing of doValue Greece, derives.
5. The pursuit of the collection of any amounts you owe in relation to the loan or credit, under the servicing of doValue Greece.
6. The communication with you, and the provision of the relevant information to you in view of finding the best solution for your debt.

B. For doValue Greece’s compliance with its legal obligations

doValue Greece will process your personal data to the extent required to comply with the below legal and regulatory obligations to which it is subject and which derive from the provisions of Greek law 5072/2023 and the relevant Acts of the Bank of Greece Executive Committee, as applicable and in force:

1. the legal and regulatory framework on money laundering and terrorist financing, as in force from time to time (and in particular, Greek law 4557/2018, decision no. 281/5/17.3.2009 of the Bank of Greece Banking and Credit Committee, Directive 2005/60/ΕC, Directive 2015/849/ΕU, the Financial Action Task Force Guidelines, and all other relevant acts, decisions and implementing circulars of any competent authority),
2. the Bank of Greece Code of Conduct (decision no. 392/1/31.5.2021of the Bank of Greece Credit and Insurance Committee, as applicable from time to time, Greek law 4224/2013 and in particular articles 1 and 4 thereof, as applicable from time to time, and any other regulatory and implementing act or decision issued in relation to the above),
3. act no. 157/02.04.2019 the Bank of Greece Executive Committee, as applicable from time to time, which imposes, inter alia, obligations for the provision of information and, in general, requirements on transactions’ transparency, including, in particular, the management of debtors’ requests and complaints,
4. the submission of regulatory reports to the Bank of Greece and the conduct of audits by the Bank of Greece,
5. article 8 para. 2 of Greek law 3758/2009, as applicable and in force, which imposes the obligation to record the content of the telephone calls conducted by doValue Greece for the purposes of informing the debtors for overdue debts, and
6. the overall compliance of doValue Greece with the obligations imposed by the applicable legal, regulatory and supervisory framework including the operation of My e-servicing Portal, as well as with the decisions of any competent authorities (public, supervisory, independent, prosecution etc.) or courts (including arbitrary).

C. For the purpose of the legitimate interests pursued by doValue Greece or by a third party

The processing of your personal data serves purposes relating to:

• the defense of doValue Greece’s or the respective receivables entities’  legal rights and interests, as such entities are specified above,
• the collection and judicial pursuit of claims under the servicing of doValue Greece,
• the prevention and deterrence of criminal acts or frauds against doValue Greece,
• the security and safety of information systems, facilities and assets of doValue Greece as well as the protection of persons who do business with doValue Greece, of the personnel and visitors of doValue Greece’s premises,
• the handling of your complaints,
• the evaluation and optimization of operations, processes, security procedures and information systems,
• upgrading the services provided,
• the management of operational and financial risks of doValue Greece,
• the compliance of doValue Greece with obligations arising from contracts concluded with the receivables entities, procedures for securitization or sale of receivables from loans and credits within the applicable legal and regulatory framework and the assessment of the level of your satisfaction from the services provided by doValue Greece for the purpose of the improvement thereof and from the transactional relationship between you and doValue Greece, in general.

Prior to such processing doValue Greece ensures that your interests or fundamental rights and freedoms requiring the protection of your data are not overridden by doValue Greece’s interests or the interests of the respective receivables entities.

D. With your consent

Where doValue Greece has requested and received your consent, the processing of your personal data is based on such consent. 

In these cases, you have the right to withdraw your consent at any time. 

The withdrawal of your consent shall not affect the lawfulness of processing based on your consent provided before its withdrawal.

For more information you may access the Consent Statement for the processing of your personal data of special categories.

Ε. Profiling or automated decision-making

doValue Greece does not make decisions based solely on automated processing of personal data.

However, doValue Greece may make decision on the basis of non-solely automated decision-making by applying partially automated methods and procedures including:

1. credit profiling based on your financial data, as well as your creditworthiness and credit rating, when this is necessary for the conclusion or execution of a contract between you and doValue Greece as controller and/or where this is permitted by the European or national legal framework to which doValue Greece is subject, 
2. profiling for the risk assessment of money laundering and terrorist financing with the use of international acknowledged modes for the combined evaluation of data to ensure doValue Greece’s compliance with its legal obligations. 

The result of the above processing activities includes the approval or rejection of your debt settlement application.

As regards, the abovementioned processing activities, doValue Greece, undertakes to ensure that the relevant decision is subject to suitable safeguards for the protection of your rights, freedoms and legitimate interests as data subject, at least the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision in accordance with the relevant provisions of the GDPR.

Within the context of the processing of your personal data, doValue Greece may transfer such data to the following recipients:

i) To the respective receivables entities, as such entities are specified above (in the preamble of this Notice), i.e.:

1. The credit or financial institutions.
2. Credit Purchasers pursuant to the provisions of Greek law 5072/2023, as in force, and special purpose entities engaged in securitization transactions in accordance with the provisions of articles 10 and 14 of Greek law 3156/2003 (SPVs).

Please note that, in particular as regards your identification and communication data (details of your identity card, telephone number, address, etc.) which are collected directly from you or from publicly available sources by doValue Greece (either by doValue Greece itself or through third parties acting on its behalf as processors) for the purposes of management of your debt, the recipients of such data may be all the entities of receivables under the management of doValue Greece.

ii) To the (natural or legal) persons to which doValue Greece delegates the performance of specific tasks on its behalf (processors). In this context, your personal data may be transferred, indicatively, to:

1. Debt notification companies under the provisions of Greek law 3758/2009, as applicable and in force, as well as law firms and lawyers in case your debt has become overdue.
2. Service providers (affiliated companies and third parties), which perform data processing operations, such as the provision of data storage, filing, management and destruction of files and data services, call centers, or other natural or legal persons that process personal data for the purposes of checking and updating thereof, IT products and/or services providers and/or technical support providers of all kinds of information and electronic systems and networks, including online systems and platforms, providers of printing and sending of the periodic statements and written communications, for the purpose of recording the payments of your debt, as well as providers of other supporting services with respect to  doValue Greece's activities in the managing of your debt (collaborating service networks, receiving and processing requests, provision of back-office services, etc.).
3. Providers of consulting services with respect to the receivables portfolios under servicing and other professional consultants.
4. Providers of accounting/tax services.
5. Security companies.
6. Post services providers.

iii) Real estate management or investment companies as well as brokers.

iv) Credit Purchasers of Greek law 5072/2023 and special purpose entities engaged in securitization transactions of Law 3156/2003, in the framework of assignment of receivables under the management of doValue Greece (including the evaluation process).

v) Law firms, lawyers, court bailiffs, notaries and competent courts, experts.

vi) Certified Auditors.

vii) Other credit servicing companies under the provisions of Greek law 5072/2023, as applicable and in force.

viii) Substitutes of doValue Greece as servicer of securitized receivables within the meaning of article 10 para. 14 of Greek law 3156/2003.

ix) Security trustees in case of servicing of securitized receivables as per articles 10 and 14 of Greek law 3156/2003 as well as noteholders and/or representatives thereof pursuant to the provisions of article 10 para. 22 of Greek law 3156/2003 and the originator.

x) Supervisory authorities [including the Bank of Greece, the European Central Bank (ECB) and the Single Supervisory Mechanism (SSM)], governmental, administrative, independent, judicial, prosecution, police, tax,  public, European and/or other authorities or entities or parties entrusted with the monitoring or supervision of the activities of doValue Greece and within the competence thereof and authorised mediators and meditation centers, arbitration tribunals and alternative dispute resolution entities.

xi) Insurance companies and intermediaries in the framework of providing insurance products (indicatively for the insurance of a secured property, in case you are not fulfilling your relevant insurance obligations, for the loan insurance and its repayment in case of death, etc.).

xii) TIRESIAS S.A. as regards the data relating to the records kept by it (termination of loan and credit agreements, loan and credit agreements and the evolution thereof, contracts for the provision of guarantee etc.), for the abovementioned purposes for data processing by TIRESIAS S.A. and for the purposes of the database "Tiresias System of Risk Control" , as described in detail on the website of the aforesaid company (www.tiresias.gr), where the information of the processing of personal data by TIRESIAS S.A. as controller, is available.

xiii) To credit institutions where the deposit account is kept to service your debt as well as to card acquiring service providers.

xiv) The employees of doValue Greece, who are responsible for the processing of your personal data as well as members of doValue Greece’s administration and within the course of their duties.

xvi) Any third parties that submit a request for information to doValue Greece, when the legal conditions have been met.

doValue Greece will not transfer your personal data directly to third countries or international organisations, unless such transfer is required by the applicable regulatory or legal framework.

If applicable, doValue Greece may transfer your personal data to third countries under the following circumstances:

i) Where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country or international organisation ensure an adequate level of protection, or
ii) If appropriate safeguards have been provided from the recipient, in accordance with the national and European legislation.

In the absence of the abovementioned circumstances a transfer may take place if:

1. You have provided your express consent to doValue Greece; or
2. the transfer is necessary for the performance of a contract between you and doValue Greece, such as for the execution of your orders, or
3. the transfer is necessary for the establishment or exercise or defense of legal claims and rights of doValue Greece, or
4. there is a relevant obligation arising from a legal provision or an international convention to which doValue Greece is subject. In order to fulfill such obligation, doValue Greece may transfer your personal data to competent national authorities so that such data are delivered through them to the respective authorities of third countries.

Your personal data shall be retained for the entire time period during which your debt remains under the servicing of doValue Greece, in accordance with the relevant assignment contract with the respective receivables entity, and for as long as it is permitted by the applicable legal and regulatory framework. In any case your personal data may be stored until the completion of the general limitation period for the exercise of legal actions, pursuant to the applicable legal provisions, namely twenty (20) years from the – under any condition –  termination of your relationship.

In the event of a legal dispute with doValue Greece and/or the respective receivables entity, or relevant administrative dispute, said storage period will be extended until the issuance of an irrevocable court decision.

doValue Greece shall keep a record of all complaints received, including documents relating to each case, for a minimum period of five (5) years in accordance provisions set forth in Act no. 157 / 02.04.2019 of the Bank of Greece Executive Committee.

Finally, doValue Greece shall retain any recorded telephone communication for the purposes of informing the debtors for overdue debts (article 8 para. 2 Greek law 3758/2009, as in force), for one (1) year.

Documents that have your signature and c0ntain your personal data may be stored electronically/digitally after a period of five (5) years.

In accordance with the provisions of GDPR, you have the following rights:

i) Right of access to your personal data that are retained and processed by doValue Greece, as well as to information concerning the processing thereof (origin of the data, purposes of processing, categories of recipients, storage period).

ii) Right to rectification of your personal data, in the event of inaccurate data or for the purposes of completing incomplete personal data by providing any necessary document justifying the need for rectification.

iii) Right to object on grounds relating to your particular situation unless the processing is necessary for the purposes of the legitimate grounds of doValue Greece or a third party.

iv) Right to restriction of processing of your personal data where the accuracy of the personal data is contested by you or the processing is unlawful or doValue Greece no longer needs your personal data for the purposes of processing, or you have objected to the processing and the verification whether the legitimate grounds of doValue Greece override yours, is pending.

v) Right to erasure of your personal data from doValue Greece’s records.

vi) Right to data portability of your personal data and transfer thereof to another controller, provided that the processing is based on your consent or on a contract and is carried out by automated means.

Please note the following with regard to your abovementioned rights:

i) The right of access may not be fully or partially satisfied if the disclosure of the data would jeopardize national defense, national security and public safety as well as if the data cannot be deleted due to legal or regulatory provisions that require their retention or the retention serves exclusively data protection or control purposes, the provision of information would require disproportionate effort and the necessary technical and organizational measures make it impossible to process for other purposes.

ii) Your rights to object, restriction of processing and erasure (points iii, iv and v, above) may not be satisfied, partially or fully, if they are necessary for the performance of your contract and regardless the source thereof.

iii) doValue Greece has in any case the right to reject your request for restriction of processing or erasure of your personal data (points iv and v, above), if the processing or storage thereof is necessary for the establishment, exercise or defense of the rights of doValue Greece or the respective receivables entities or for the fulfillment of the obligations of doValue Greece. In particular, the right to delete your data may not be satisfied if your data is processed without automated means, provided that due to the special nature of the storage it is not possible to delete it or it is possible only with disproportionately large effort, given that your interest in deletion is not considered important or if the deletion is in conflict with the retention periods provided for in the law or terms of contract.

iv) The right to data portability (point vi above) does not include the erasure of the personal data from the records of doValue Greece. The erasure is subject to the conditions of point (iii) above.

v) The exercise of the rights above is valid for the future and does not affect the processing already performed on your personal data.

vi) In cases where doValue Greece manages receivables under assignment by credit or financial institutions, doValue Greece is responsible to respond, as controller, solely to queries relating to: 

1. recording of telephone communications made by doValue Greece for the purposes of informing debtors with respect to overdue debts, pursuant to the provisions of Greek law 3758/2009, as in force, and
2. the record of complaints and requests you address to doValue Greece. 

For any other issue, you should contact the relevant credit or financial institution, which is the controller of your personal data.

For the exercise of your rights, you may address your relevant requests in writing, to the Customer Service and Complaints Management Unit of doValue Greece, 27 Kyprou & Archimidous Streets, 18346 Moschato, Greece or via email at [email protected].

doValue Greece shall use its best endeavors to address your request within thirty (30) days from its submission. The abovementioned period may be extended by two (2) further months, if deemed necessary at reasonable discretion of doValue Greece, taking into account the complexity and number of requests. doValue Greece shall inform you in case of such extension within one month from the receipt of the request.

The abovementioned service is provided by doValue Greece free of charge. However, where requests are manifestly unfounded, excessive or repetitive, doValue Greece may, after informing the person who has submitted the request, either charge a reasonable fee or refuse to act on the request/requests.

You may contact the Data Protection Officer of doValue Greece for any matter regarding the processing of your personal data, in writing at 27 Kyprou & Archimidous Streets, 18346 Moschato, Greece or via email at [email protected].

You have the right to lodge a complaint before the Hellenic Data Protection Authority for any matter regarding the processing of your personal data. For the respective competence of the Authority and the procedure to be followed for filing a complaint, you may visit the Hellenic Data Protection Authority website (Citizen Rights > Complaint to the Hellenic DPA), where detailed information is available.

doValue Greece implements appropriate technical and organisational measures to ensure the lawful protection and processing, as well as the effective protection of your personal data from unauthorised access to, disclosure of, processing, loss, alteration, accidental or unlawful destruction or corruption, prohibited transmission by third parties as well as any other form of unlawful processing.

doValue Greece may in accordance with its applicable policy on the protection of personal data and pursuant to the applicable legal and regulatory framework, modify or amend this Notice, the updated version of which will always be posted on the doValue Greece website at www.dovaluegreece.gr.

Last update: 29.03.2024