PANCRETA BANK S.A. (hereinafter “the Bank”), as data controller reassures you that the protection of your personal data is of paramount importance and informs you pursuant to the General Data Protection Regulation (EU) 2016/679 and the respective provisions of the applicable Greek legislation on the protection of personal data, that it or third parties, at its request or on its behalf, shall process your personal data, either in view of the establishment of your contractual relationship with the Bank or as part of your existing contractual relationship therewith, for a banking product or a banking service, as per the below:

1.  Your identification data: such as surname, name, father’s name, mother’s name, sex, ID number, passport details, tax registration number, social security number (AMKA), date and place of birth and nationality
2. Your contact data: such as postal and e-mail address, landline and mobile phone number.
3. Your financial and property status, indicatively profession, earnings, other tax and income details (indicatively Ε1 and Ε9 forms, tax return form)
4.  Your family status data and the data of your dependent members.
5. Data on your financial obligations and any breach thereof, indicatively bad cheques, loan and credit agreement terminations, payment orders, seizures and payable cheques, restructuring and bankruptcy filings and judgements.
6. Data regarding your creditworthiness, such as debts, to credit and/or financial institutions from loans and/or credits.
7. Your credit scoring data (credit profiling – credit scoring).
8. Data regarding your transactional behavior.
9. Data on the operation of the application/contract or your applications/contracts, with the Bank and the use of the products or services that you have been granted by the Bank.
10. Data on your knowledge and experience in the investment sector or in the sector of insurance, your financial status, your risk tolerance level and your investment goals and needs.
11. Data from transaction payments and from the provision of payment services.
12. Recognition data of your electronic identity, such as your IP Address and data from the use of electronic or/and digital products and services of the Bank, (e.g. cookies – see cookies policy here).
13. Data on your health and the health of your dependent member’s and/or your family members– in specific cases, (e.g. debt restructuring), if you invoke them.
14. Data on your telephone communications with the Bank, recorded after you have been informed of the recording and pursuant to the provisions of the legal framework.
15. Image data from the video recording systems at the Bank’s premises and the ATMs which it has installed, and which bear the special signs as provided for by law.

In addition, we inform you that in case you provide us with personal data of third parties, you shall ensure that you have obtained their respective consent and referred them to the Bank’s present notice.

^(*) Except for the data mentioned under .1 and .2 which are required for any transactional and contractual relationship with the Bank, the type and amount of the other data collected depends on the type of your relationship with the Bank in each case and the banking product or banking service offered or provided.

The aforementioned personal data is collected from the following sources, as the case may be:

1.The identification and contact data (Α.1, Α.2) is collected directly from you, from persons authorized by you and/or publicly accessible sources, including social media networks or websites.

2.The data regarding your financial, property and family status, as well as the data concerning your financial abilities (Α.3 and Α.4) is collected directly from you, from persons authorized by you, from publicly accessible sources, such as Land Registries, Cadastral Offices and from the Prenotation-Mortgage System of “TIRESIAS S.A.” (for relevant information about the company, see below) and from social media networks.

3.Data on the breach of financial obligations (Breach of Obligations System), on creditworthiness (System for the Collection of Loans) and on credit scoring (Credit Scoring System) (Α.5 to Α.7), is collected from the aforementioned records (systems) of “TIRESIAS S.A.” (relevant information about the company, see below) as well as from Debtor Information Companies of L. 3758/2009 and L. 4038/2012, affiliated with the Bank, law firms and lawyers, court bailiffs, and loan service provider companies of L. 4354/2015, for relevant cases assigned to them by the Bank.

4. Data on the transactional behavior with the country’s financial system (Α.6-Α.8) is collected from the System for the Collection of Loans of “TIRESIAS S.A.” (for relevant information about the company, see below).

5. Data regarding the operation of your agreement(s) with the Bank is collected by the Bank itself (A.9).

6. Data regarding your investment profile  is collected directly from you.

7. Data regarding transactional payments  is collected either directly from you or from the payment service providers, at your request.

8. Recognition data of your electronic identity, such as your IP Address, and data from the use of electronic or/and digital products and services of the Bank is collected by cookies (see cookies policy here) or/and publicly accessible sources, including social media networks and network service providers (indicatively Google, YouTube)

9. Health data  is submitted on your own initiative either directly by you or by a person authorized by you.

10. Data on your telephone communications with the Bank and image data  is collected from the recording systems of the Bank.

The company under the tradename ‘’BANK INFORMATION SYSTEMS SA’’ and the distinctive title ‘’TIRESIAS SA’’ is a data controller of the financial behavior data on behalf of the country’s banking system. The company’s registered seat is at 2 Alamanas Street, 151 25 Maroussi. You can obtain information on the processing which it carries out as well as on the exercise of your rights on its website (www.teiresias.gr) or on the phone number 210 3676700.

The aforementioned personal data is collected either at the beginning or during your contractual relationship with the Bank and is processed for the following purposes:

1. The identification and communication with you both at the pre-contractual and contractual stage with you, as well as for any other transactional relationship with the Bank.

2. The drafting of a contract, its execution and in general its smooth operation for the fulfillment of the Bank’s obligations towards you and the supervisory authorities.

3. In the case of granting of any loan or credit of any type and in the context of the Bank's compliance with its legal obligations and / or the protection of its legitimate interest:

(a) to assess the credit risk that the Bank is called upon to undertake or has already undertaken

(b) to monitor the development of the relevant contract and the debt

(c) to avert or limit the likelihood of defaulting on your contractual obligations

(d) to pursue the collection of any amounts owed to the Bank in case you have defaulted on your contractual obligations

(e) for the management of any claim arising from loan agreements, which you are a party to.

4. The support of any request that you have submitted (such as the request for the restructuring of your debts due to inability to pay due to health factors) and its assessment by the Bank.

5. The prevention and suppression of money laundering and terrorist financing.

6. The Bank’s compliance with its obligations, imposed by the applicable legal, regulatory and supervisory framework, as well as the decisions of any public authorities or courts.

7. The protection of the rights and legal interests of the Bank as well as the protection of the physical integrity and/or the property of its customers and the transactional public, such as ensuring the Bank’s security procedures, preventing crimes, identifying and collecting evidence of criminal behavior (cases of fraud, theft, etc.)

8. To contact you in order to inform you about the utilization of the banking products or banking services provided by the Bank, their capabilities, characteristics and developments, as well as to investigate the extent to which you are satisfied with the Bank’s customer service and the banking services provided by the Bank, and/or your additional claims and requirements.

9. The creation of a transactional profile (marketing profiling), the promotion of new products/services of the Bank and/or co-operating third companies, provided you have given your explicit consent thereto.

10. To provide you with investment or related products or services depending on your needs, goals and investment experience.

11. The execution of payment transactions activated by you or at your request.

The Bank may apply partially automated processing methods in order to pursue its purposes (2, 3, 5, 8 and 9 as mentioned above) and create a profile.

1.Bank employees who are responsible for handling any requests you have submitted to the Bank, as well as for the management and operation of your contract(s) with the Bank in order to fulfill the obligations arising therefrom and the relevant obligations imposed by law.

2. Natural and legal persons to which the Bank assigns the execution of specific tasks on its behalf, such as, amongst others, appraisers or real estate appraisal companies, debt information companies (L. 3758/2009 and L. 4038/2012), loan service provider companies (L. 4354/2015), telephone support – information companies (call centers), lawyers, law firms, notaries and court bailiffs, accredited mediators and centers for the provision of mediation services, experts, specialists, database management companies, risk management service companies, skip tracing and asset tracing companies, file storage and management companies, market research, advertising and product promotion companies on behalf of the Bank, providers of postal services, IT service providers, e-mail providers, web hosting service providers, including cloud services, specialized payment service providers, under the condition that they fulfill their confidentiality obligations.

3. Credit and/or financial institutions with registered seat in Greece or the European Union, which have acquired the required license of operation and operate legally, as well as companies or special purpose vehicles under the meaning of Law 3156/2003 on the securitization of claims.

4. Claim acquisition companies under L. 4354/2015, as well as entities of the wider financial sector, including domestic or EU investment companies, in the event of the assignment of claims arising from loan agreements.

5. Credit institutions and payment service providers or entities that necessarily intervene (such as SWIFT, SEPA, VISA, MASTERCARD etc.) with registered seat in Greece or the European Union, which have acquired the required license of operation and operate legally, to execute a contract or transactions, or third countries under the conditions of section E below.

6. Supervisory, auditing, judicial, public and/or other authorities and entities within the framework (as provided by law) of their competencies, duties and authorities.

7. “TIRESIAS SA” for data concerning the records maintained by it, such as bad cheques, unpaid bills of exchange (at their maturity date), terminations of loan or credit agreements, loan and credit agreements and their development, as well as guarantee agreements.

8. Co-financing or guarantee institutions, as applicable, such as the Hellenic Fund for Entrepreneurship and Development, the European Investment Bank, the Greek State, the European Investment Fund and the Export Credit Insurance Organization. Recipients of the data sent to the Hellenic Fund for Entrepreneurship and Development may be any public Greek or EU authority, which is involved in the activities and management of the Entrepreneurship Fund and in accordance with the provisions in force at the time, such as the Greek State, the European Commission (including the European Anti-Fraud Office (OLAF)), the Court of Audit of the European Community, the Special Unit for the Management of the Competitive Business Program -Entrepreneurship and Innovation and any other authorized Entity or Organization under the framework of the Fund and Action.

The Bank may transfer your personal data to third countries outside the EU provided that:

1. The European Commission has decided that the third country where the personal data will be transmitted, ensures an adequate level of protection for the personal data.

2. The recipient of the data has provided appropriate safeguards for the protection of personal data that is being transferred.

3. You have been specifically informed and have granted your explicit consent to the Bank for the transfer of your data.

4. The transfer is required for the performance of a contract or the execution of your orders, e.g. transfer orders for remittance to a bank account of a financial institution in a third country, or in the event of transmission for the execution of an order for the execution of transactions with financial instruments.

5. The transfer is necessary for the establishment, exercise or defense of legal claims of the Bank.

6. The Bank has a relevant obligation arising from a legal provision, an intergovernmental or international agreement.

As well as:

7. In line with the Bank’s compliance obligations with the rules on the exchange of information in the field of taxation which arise from legal provisions.

For the fulfillment of the obligations under (Ε.5) or (Ε.6) above, the Bank may transfer your personal data to competent national authorities for them to forward the data to the respective authorities of third countries.

In the event that you enter into a contract with the Bank, your personal data will be kept for the entire duration thereof. In the event that the contract is terminated, the Bank may retain your personal data until the statutory time limit for the general waiver of claims, i.e. for a time period of up to twenty (20) years from its termination in any way. If there are any ongoing legal proceedings with the Bank or any affiliated company thereof by the end of the twenty (20) years, which concern you, either directly or indirectly, the said retention period of your personal data shall be extended until the issuance of an irrevocable court judgement.

If you do not enter into a contract with the Bank, your personal data will be kept for five (5) years from the rejection of your respective application. In case the law or regulatory acts provide for a smaller or greater retention period, the aforementioned retention period will be decreased or increased accordingly.

Documents that bear your signature and your personal data, may be kept in electronic/digital form after the lapse of five (5) years.

You have the following rights:

1.To know which personal data that concerns you is being processed and retained by the Bank, as well as its source (right of access).

2. To request the rectification and/or supplementation of your personal data, so that it is complete and accurate by presenting any necessary documents which prove the need for such rectification or supplementation (right to rectification).

3.To request the restriction of the processing of your personal data (right to restriction).

4. To refuse and/or object to any additional processing of your personal data kept by the Bank (right to object).

5. To request the erasure of your personal data, from the Bank’s records (right to erasure).

6. To request from the Bank to transmit the data you have submitted thereto to any other data controller (right to data portability).

It is noted that the fulfillment of your requests under 3, 4 and 5 in so far as they are necessary for the execution or the continuation of the operation of the contract, regardless of whether they were provided by you or collected from any public source, entails the termination, at the Bank's discretion, of the respective contract/contracts, pursuant to the terms thereof and your request will not be reviewed.

In addition, the Bank has the right in any case to refuse to fulfill your right to restriction of processing or erasure of your personal data if the processing or retention of your personal data is necessary for the establishment or exercise or support of its legitimate interests, lawful rights or its compliance with legal obligations, as referenced in the 3rd chapter .

The exercise of your right to data portability does not entail the erasure of your personal data from the Bank’s records, which is subject to the preceding paragraph.

The exercise or the above-mentioned rights acts for the future and does not concern the processing of personal data which has already been carried out.

7. You have the right to file a complaint with the Hellenic Data Protection Authority (HDPA www.dpa.gr), which is the competent supervisory authority for the protection of the fundamental rights and freedoms of natural persons, for processing which concerns you, if you believe that your rights are being infringed in any way.

For the exercise of your rights you may contact all Branches of the Bank and fill in the Data Subject Rights Form.

The Bank shall make its best efforts to respond to your request within thirty (30) days from its submission. This deadline may be extended by sixty (60) further days, provided that it is necessary at the Bank’s sole discretion, taking into account the complexity of the request and the number of requests. The Bank shall inform you in any case of the extension of the deadline within thirty (30) days.

The above service is provided by the Bank free of charge. However, if your requests are manifestly unfounded, excessive or repetitive, the Bank may either charge a reasonable fee, informing you thereof or refuse to respond to your request/s.

The Bank implements all appropriate technical and organizational measures for the safeguarding of your privacy, the security of the processing of your personal data and its protection from accidental or illegitimate destruction, leak, alteration, prohibited dissemination or unauthorized access, as well as any other illegitimate form of processing.

The present notice is made for the implementation of the provisions of Greek law and Regulation (EU) 2016/679. It replaces any previous notice on the processing of your personal data pursuant to L. 2472/1997 which may be referenced in any contractual or other documents of the Bank. The Bank may update, supplement and/or amend the present notice, pursuant to the existing regulatory and legal framework. In this case, the updated version will be posted on the Bank’s website (www.pancretabank.gr) and shall be available at its Branches.