Privacy Statement
STATEMENT REGARDING THE PROTECTION OF PERSONAL DATA
The purpose of this statement is to provide information to you as potential and/or existing customer and, in general, person carrying out business with NBG Pay Societe Anonyme (hereinafter “NBG Pay”), as Controller in whatever capacity, regarding the processing of your personal data, in the context of NBG Pay’s operations and your overall relationship with NBG Pay, pursuant to the provisions of the General Data Protection Regulation 2016/679 (GDPR) and the regulatory framework governing its implementation.
This document will provide you with information about the following:
• Who we are – NBG Pay’s details
• What are the general principles that NBG Pay applies when processing your
personal data?
• What personal data can be processed?
• What are the purposes of such data processing?
• To which recipients can your data be communicated?
• What provisions apply in the case of transmission of your personal data to
third countries (cross-border transmission)?
• For what length of time are your data held?
• What happens when the required period for holding your data has elapsed?
• What are your rights regarding your personal data?
• What obligations must NBG Pay observe when processing your personal data?
• Recording of telephone conversations
• Online Services – Websites
• Update – amendments to this Statement regarding the Protection of Personal
Data
I. WHO WE ARE – NBG Pay’s DETAILS
NBG Pay is registered with the General Commercial Registry (G.Ε.ΜΗ.) under G.E.MH. Nr. 164307201000, Tax Registration Nr. 801839155, Tax Authority: FAE Athens, with registered seat at 74 Piraeus Street, 18346 Moschato, Attica.
As part of its business activity, NBG Pay offers merchant acquiring and payment processing services.
II. WHAT ARE THE GENERAL PRINCIPLES THAT NBG PAY APPLIES WHEN PROCESSING YOUR PERSONAL DATA?
In the context of conducting its business activities, NBG Pay ensures that the processing of your personal data is effected in compliance with the following general principles:
• Your data have been collected in an ethical and lawful manner, with your consent where appropriate, for a specific, explicit and legitimate purpose, and are fairly and lawfully processed in line with the said purpose,
• The collected data are relevant to the purpose of the processing, and are sufficient for, and not in excess of, what is required in the context of the purpose of said processing,
• The data are reviewed for accuracy and are regularly updated in line with legally established procedures,
• The data are kept in a form that enables us to determine your identity for the length of time required in respect of the purposes of said processing,
• Adequate security measures are in place to protect your data against risks such as loss, unauthorized access, destruction, unlawful use or disclosure,
• Before the processing of your personal data, you are duly informed and you provide your consent, where required, actively and on a voluntary basis. Your consent can be withdrawn at any time, without of course affecting the lawfulness of processing based on consent before its withdrawal.
We process personal data under the following legal bases:
a) your consent;
b) for the performance of a contract you have entered into with NBG Pay;
c) in order to take steps regarding a request you submitted prior to the conclusion of the
contract;
d) for compliance with a legal obligation to which NBG Pay as Controller is subject;
e) for the protection of your vital interests;
f) for the performance of a task carried out in the public interest or in the exercise of official authority;
g) when the processing is necessary for the purposes of the legitimate interests pursued by NBG Pay, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
III. WHAT PERSONAL DATA CAN BE PROCESSED?
NBG Pay collects, maintains and processes the personal data you disclose or have already disclosed to NBG Pay as potential and/or existing customers and, in general, as persons carrying out businesses with NBG Pay in whatever capacity at all stages of your business relationship in the context of the products /services provided by NBG Pay or through it. It is noted that NBG Pay processes only the personal data that are necessary for the purpose, at any given time, of such processing. In particular, NBG Pay may process the following personal data:
Personal data that you provide to us, such as:
• Identification and legalization data (full name, date and place of birth, ID or passport details,
• Demographic data (gender, nationality, family status), contact details (postal address, landline or mobile phone number, email address),
• Financial data (information concerning your business revenue, tax residence),
• Access data for e-applications and electronic identification data (e.g. e-signature),
• Geographical location data, if disclosed through you device (smartphone or tablet),
Note that you are obliged to promptly inform NBG Pay of any change in the above data.
Personal data collected by NBG Pay, such as:
• In the context of due diligence, sanctions monitoring and anti-money laundering,
• In the context of monitoring and evaluating risk management of NBG Pay and, in general, serving and supporting your contractual or business relationship with NBG Pay,
• Moreover in the case you are about to or have already entered into a contract with NBG Pay, NBG Pay will access and process your data through TSEK Service provided by TEIRESIAS S.A.,
• In compliance with the applicable legislative and regulatory framework for the submission of data to the supervisory authorities,
• In the context of your correspondence and general communication with NBG Pay,
• Economic data that provide an estimate of your Transactional and Financial status and behavior,
• Information supplied by supervisory, judicial and other public and independent authorities, related to criminal convictions, offences, enforcement of measures to protect the public interest, seizures, confiscations, commitments,
• If there are overdue amounts, data of NBG Pay’s recorded phone communications in order to provide its debtors with information in accordance with the provisions of Law 3758/2009, as amended.
• Data that concern you and which are publicly accessible online or otherwise. The personal data processed by NBG Pay are held in physical and/or electronic form.
With regard to the protection of minors:
Note that under no circumstances does NBG Pay deal directly with minors, nor are the products and services it provides intended for direct use by minors.
IV. WHAT ARE THE PURPOSES OF SUCH DATA PROCESSING?
NBG Pay may process your said personal data, which are collected either upon commencing the business relationship or at a subsequent time, for the following purposes:
A) In the context of the performance of a contract or before its signing, in particular:
i. To confirm the identity of, and verify, your data,
ii. To communicate with you, either in the pre-contractual stage, or about issues related
to your business relationship with NBG Pay,
iii. To draw up, conclude and, in general, manage the contract and the fulfilment of the NBG Pay’s obligations towards you, and to service, manage, monitor and process your transactions and, in general, provide effectively the requested product/ service,
iv. To evaluate the potential for offering a product or service.
B) As part of NBG Pay’s compliance with the obligations established by the applicable
legislative and regulatory framework, in particular:
i. To prevent and suppress money laundering and terrorism financing, and avert fraud against NBG Pay and/or its customers, and any other illegal action,
ii. To evaluate your creditworthiness, where required for the ongoing conduct of our business relationship,
iii. To assess compatibility and any other appraisal or categorization of the customer, as appropriate, when setting up or offering services,
iv. To enable NBG Pay to comply in general with its obligations arising from the legislative and regulatory framework each time applicable (including implementation of current legislation on State aid and tax legislation, as well as the provisions on the automatic exchange of information for tax purposes), and with the decisions of supervisory or judicial authorities,
v. To disclose and transmit information to the competent supervisory, independent, police, judicial and public authorities, in general, as well as duly authorized third-party legal persons, whenever required in accordance with the applicable legislation.
C) In the context of NBG Pay’s lawful and normal operations and the safeguarding of
its rights and legal interests, in particular:
i. To develop and/or improve NBG Pay’s products and services in respect of your preferences and general transaction activity,
ii. To resolve any requests/complaints you may file,
iii.To assess, manage and prevent risks in the context of NBG Pay’s operations, including geographical location measures, to prevent and combat money laundering and terrorism financing, in the context of the procedure for remote account opening,
iv.To prevent crimes and identify and collect data on unlawful activities, for the physical security of individuals and property (including the video surveillance system),
v. To pursue its legal claims before judicial authorities or other bodies of out-of[1]court/alternative dispute resolution, and assess and optimize security procedures and IT systems etc.
D) Having obtained your consent as regards the processing of your personal data for one or more purposes, such as:
Subject to your consent if required by applicable law, we may use your personal data to provide you with direct marketing information about our products and services offered by NBG Pay and as well as those offered by NBG Pay’s affiliated companies, and/or other third parties. Our direct marketing may be by email, telephone, post or SMS or such other method(s) as may become relevant.
We will take steps to ensure that any direct marketing from us will provide a simple means for you to stop further communication, in accordance with applicable law. For example, in email, we may provide you with an email address to which you can send an opt-out request. In addition, if we need your consent for direct marketing communications under applicable law, and if you provide your consent, you will be able to revoke your consent at any time, without of course this affecting the legality of any processing that may have taken place on the basis of the consent prior to its being revoked.
Note regarding automated decision making, including profile creation:
For the aforesaid purposes, processing of your personal data may also be carried out through automated procedures resulting in decisions based on statistical analyses of those parameters that are deemed necessary for each purpose.
There are cases where automated processing becomes necessary for the purpose of signing or performing the contract, such as for example, setting up a profile so as to be able to monitor and prevent fraud and tax evasion, and regarding which the criteria taken into consideration shall be the data subject’s income, profession or compliance with his contractual obligations
V. TO WHICH RECIPIENTS CAN YOUR DATA BE COMMUNICATED
Recipients of the data that NBG Pay is obliged or entitled to disclose, by law or regulation or
court order or in the context of lawful operation of your contractual relationship with it, may be third parties, whether individuals or legal entities, public authorities, services or other bodies, including:
(a) NBG Pay affiliated companies, including companies belonging to Global Payments Group of companies (being Global Payments Inc, and its direct and indirect subsidiaries) and the National Bank of Greece.
(b) third parties, individuals or legal entities, acting by order and for the account of NBG Pay, including the following:
i. Companies notifying debtors and/or guarantors of their overdue debts prior to or after termination and/or the preparatory actions required for out-of-court and judicial pursuit of collection by NBG Pay of their overdue debts in accordance with the provisions of Law 3758/2009, as in force,
ii. Record keeping and destruction companies,
iii. Contact center services companies,
(c) National or European institutions in the context of acting alongside NBG Pay for the purpose of provision of credit to those carrying out transactions with NBG Pay.
(d) “Interbanking Systems S.A.” (“DIAS SA”) for the servicing of interbank transactions, “TIRESIAS SA” for the protection of credit and financial transactions, the Hellenic Deposit and Investment Guarantee Fund, the Hellenic Bank Association, Hellenic Exchanges S.A., and banks and financial institutions in Greece and abroad,
(e) Credit institutions, payment institutions, electronic money institutions, investment services providers, mutual fund management companies, execution and trading venues, clearing and settlement companies and systems, trade repositories,
(f) Supervisory, judicial, independent and other authorities at national and European level to meet NBG Pay’s obligations under law or regulatory requirement or court judgment, such as: Bank of Greece, the European Central Bank, the European Commission for Competition, the Hellenic Capital Market Commission, the Hellenic Competition Commission, the US Securities & Exchange Commission (SEC), the Financial and Economic Crime Unit (SDOE), the Financial Police, public authorities in Greece and abroad, courts, public prosecutors, investigators, notaries-public, court bailiffs, mortgage registries, Greek and foreign attorneys-at-law,
(g) Lawyers, Certified Accountants and Auditing Firms,
(h) Event Management and Marketing Companies
(i) Cloud Service Providers,
(j) Data storage providers
It should be noted that NBG Pay will inform you of any forwarding of your data to the aforesaid recipients, provided that this is required under applicable legislation.
NBG Pay may disclose your personal data to competent supervisory authorities, independent, law enforcement, judicial and other public authorities, where required by the applicable legislative and regulatory framework, on a regular or exceptional basis, upon request or if it is required to report the said data without such prior notification.
It should be noted that when NBG Pay entrusts the processing of personal data to third parties acting in the name and on behalf of NBG Pay, they are under obligation to fully comply with NBG Pay’s instructions, while said compliance is ensured by specific provisions in the relevant contractual texts for outsourcing, and in the observance of other relevant procedures.
VI. WHAT PROVISIONS APPLY IN THE CASE OF TRANSMISSION OF YOUR PERSONAL DATA TO THIRD COUNTRIES (CROSS-BORDER TRANSMISSION)?
In the context of its operations and in compliance with the provisions of the applicable regulatory framework, NBG Pay may send/receive personal data to and/or from its affiliated companies, and link up certain files if necessary.
The sending or link up of data, as above, is effected in accordance with the provisions of European legislation on companies registered in member states within the European Economic Area (EEA) or in line with the local legal framework as regards companies registered outside the EEA.
Personal data may only be sent to non-EEA countries only if the law of the said countries provides an effective level of data protection. If the non-EEA country does not provide an effective level of data protection, personal data may only be transferred to such country if data protection is provided for by a data transfer agreement which ensures an adequate protection level or the European or national legislation provides for the application of the relevant conditions (e.g. if you, as the data subject, have explicitly given your consent for this transfer).
NBG Pay ensures, through appropriate procedures that each affiliated company involved ensures the safe processing of personal data transmitted or interconnected.
VII. FOR WHAT LENGTH OF TIME ARE YOUR DATA HELD?
NBG Pay processes your personal data throughout the duration of each contractual agreement with NBG Pay and after its termination or expiration in any way whatsoever, for as long as required by the applicable legal and regulatory framework.
In particular, your data processed by NBG Pay must be held throughout the period required for the purposes of processing in accordance with the purpose of their processing and/or the applicable legal and regulatory framework.
After the end of this period, the data are held in accordance with the applicable institutional framework for the length of time stipulated, as from the termination of a business relationship or for as long as is required to protect NBG Pay’s rights before a judicial or other competent authority.
VIII. WHAT HAPPENS WHEN THE REQUIRED PERIOD FOR HOLDING YOUR DATA HAS ELAPSED?
If the required period for holding your data has elapsed, NBG Pay pays special attention to how such data will be destroyed. For this purpose, it has established and implements a relevant procedure, which is applied after having ascertained that it is not necessary to keep such records in compliance with legal and regulatory requirements or for the protection of NBG Pay’s interests, and is based on the instructions of the Hellenic Data Protection Authority. NBG Pay ensures that the aforesaid process for destroying files containing personal data is also binding on third parties providing services in the name and on behalf of NBG Pay and any other persons with whom it cooperates in the context of outsourcing or other kind of agreements.
ΙΧ. WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?
Following the verification of your identity, you, as a Data Subject, have the following rights:
Right to information
NBG Pay must notify you of the processing to which your personal data are subjected, including what data NBG Payprocesses, for what purpose, for how long NBG Pay keeps them, in a concise, intelligible and easily accessible form using clear and simple wording.
Right of Access
You have the right to require NBG Pay to confirm whether or not personal data of yours are being processed, and, if so, you have the right to access such personal data.
Right to rectification
You have the right to require NBG Pay to rectify inaccurate or incomplete personal data of yours, and the right to have incomplete personal data completed.
Right to Erasure
You have the right to require NBG Pay to erase personal data, which is possible if certain conditions are met.
Right to restriction of processing
You have the right to require NBG Pay to restrict processing under certain conditions.
Right to Object
You have the right to object, at any time, to processing of personal data concerning you. In this case, NBG Pay must stop processing your personal data unless it can provide compelling and legitimate grounds for such processing, which override your interests, rights and freedoms as a Data Subject, including its own right to establish, prosecute and defend its own legal claims.
Right to obtain humanintervention in the context of a decision made by an automated process
You have the right to ask NBG Pay not to allow you to be subject, where applicable, to a decision based solely on automated processing, including profiling, which produces legal consequences concerning you or affects you significantly in a similar way.
Right to portability
You have the right to ask NBG Pay to send you the personal data that you have provided in a structured, commonly-used and machine-readable format, or to ask NBG Pay to transmit these data to another provider.
To further facilitate the exercise of your relevant rights, NBG Pay ensures the development of internal procedures that enable it to respond in a timely and effective way to your relevant requests.
To exercise your rights as above, please submit your request by sending an email to NBG Pay at the email address privacy@nbgpay.com, or by mail at the address: NBG Pay Single Member S.A., 74 Piraeus Street, Moschato, 18346 Athens.
You can contact NBG Pay’s Data Protection Officer about issues regarding the processing of your personal data at dpo@globalpay.com.
If you believe that the protection of your personal data has been compromised in any way, you have the right, if you wish, to refer the matter to the Hellenic Data Protection Authority, using the following contact information:
Website: www.dpa.gr
Postal address: Leoforos Kifisias 1-3, 115 23, Athens
Contact Centre: +30 210 6475600
Fax: +30 210 6475628 E-mail:
X. WHAT OBLIGATIONS MUST NBG Pay OBSERVE WHEN PROCESSING YOUR PERSONAL DATA?
A. Ensure confidentiality and safety of processing
The processing of personal data shall be confidential and carried out exclusively by persons acting under the authority of NBG Pay. Such persons shall be chosen on the basis of strict criteria established by NBG Pay, which shall provide effective guarantees in respect of knowledge and personal integrity so as to safeguard such confidentiality.
Moreover, to protect personal data, appropriate procedures based on high-level security standards have been incorporated in the network, and controls are carried out on a regular basis to ensure strict implementation of the criteria established by NBG Pay for this purpose.
NBG Pay implements appropriate organizational and technical measures for data security and protection against any data breach, such as accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access as well as any other form of unlawful processing. Such measures must aim at ensuring a level of security appropriate to the risks presented by processing and the nature of the data subject to processing.
B. IT Systems Security
To ensure confidentiality of all data held in its IT systems, NBG Pay has established Policies and IT Security Manuals, to ensure:
• protection of the data handled by the data and voice networks used by NBG Pay,
• effective control of users’ access to NBG Pay’s IT systems and protection of the data handled by these systems,
• identification and prevention, to the highest possible level, of any cases of breach of the security of NBG Pay’s IT systems.
XI. RECORDING OF TELEPHONE CONVERSATIONS
NBG Pay uses technical means for recording telephone conversations with clients in the context of providing technical and customer support as well as managing complaints. In such cases, specific relevant notification is provided to the clients and to business partners before any recording any telephone call.
XII. ONLINE SERVICES – WEBSITES
If you make use of NBG Pay’s website, you should be aware that NBG Pay collects personal data of visitors/users of its website only when they voluntarily supply such data, for the purpose of providing online services request by visitor/user for information about NBG Pay’s products and/or services, feedback/comments by visitors/users).
The personal data collected on the website are relevant to the service each time requested by the visitor/user and may include full name, father’s name, ID number, age, gender, occupation, Tax Identification Number, address, telephone number, email address. Where appropriate and depending on the service requested, certain data need only be supplied optionally. NBG Pay may process part or all of the data provided by the visitors/users for the purpose of providing services that are available online as well as for statistical purposes and for improving the information and services provided.
The website may include links to other websites which are under the responsibility of third parties (natural or legal persons). Under no circumstances is NBG Pay responsible for the terms of protection and management of the personal data that these websites follow.
Cookies
NBG Pay may collect data identification about visitors/users of its website by using relevant technologies such as cookies and/or Internet Protocol (IP) address tracking. Cookies are small text files that are stored on the hard drive of each visitor/user and do not take knowledge of any document or file on someone’s computer. They are used to facilitate the visitor’s/user’s access regarding the use of specific services and/or webpages for statistical purposes and for identifying useful or popular areas, and to assess the effectiveness of the webpage and improve the performance of the site. These data may also include the type of browser used by the visitor/user, the type of computer, its operating system, Internet service providers and other such information. In addition, our website’s information system automatically collects information about the websites the visitor/user visits and about the links to third-party websites he may choose through pages of NBG Pay’s website.
The visitor/user of the website can find out details about the categories of cookies used by NBG Pay’s website through the relevant help screen. It should be noted that the cookies that are technically necessary in order to link to and navigate around the webpage or to be provided with a service cannot be deactivated. For the remaining categories of cookies which are optional visitors/users of the website must choose whether they wish to activate them and, if so, to provide relevant consent.
If the visitor/user of the website does not enable the use of optional cookies, then, as the case may be, he may miss out on some additional information/functionality as such are stated on the settings page for the cookies.
By using the optional cookies, NBG Pay can leverage the capabilities provided by Google Analytics, and in particular by Display Advertising, utilizing the remarketing features to promote its products and/or services online. In particular, third-party vendors, including Google, display advertising messages by NBG Pay on various websites on the Internet. NBG Pay and third-party suppliers, including Google, use cookies (such as the Google Analytics cookie) or third-party cookies (such as DoubleClick cookie) jointly to update, optimize and serve advertising messages based on someone’s previous visits to NBG Pay’s website. Our site visitors/users may declare that they do not wish to be recipients of relevant messages and are excluded from future actions in Display Advertising and can adjust Google Display Network ads using the Ads Settings or enable the Google Analytics opt-out browser add-on, if they so wish, via the following link https://tools.google.com/dlpage/gaoptout (seeking further help at https://support.google.com/chrome/answer/187443?hl=en).
The type of information NBG Pay collects will depend on which Cookies the User choose to allow, but may include the following:
• IP address (masked);
• Date and time of the request (visit to the Website);
• Title of the page being viewed (Page Title);
• URL of the page being viewed (Page URL);
• URL of the page that was viewed prior to the current page (Referrer URL);
• Time in local visitor’s time-zone;
• Files that were clicked and downloaded (Download);
• Links to an outside domain that were clicked (Outlink);
• Location: country, region, city, approximate latitude and longitude (Geolocation);
• Browser version, browser plugins (PDF, Flash, Java,) operating system version, device identifier (User-Agent header); etc.
Visitors/users of NBG Pay’s website can delete the cookies and deactivate their use by following the instructions in their preferred browser, as below:
• Safari
• Firefox
• Internet Explorer
For other kinds of browser, users/visitors of NBG Pay’s website should refer to the respective information provided by the provider.
XIII. UPDATE – AMENDMENTS ΤΟ THIS STATEMENT REGARDING THE PROTECTION OF PERSONAL DATA
NBG Pay may update, supplement and/or amend this Statement regarding the protection of personal data in accordance with the applicable regulatory and legislative framework. In this case, the updated Statement will be posted on NBG Pay’s website.