Privacy Notice – GDPR

1. Data Controller - Contact Details

Epirus Bank is the data controller. You can contact us at the following contact details:
Registered Office Address: 6, Patriarchou Ioakeim St. & Karapanou St., Ioannina
Telephone: +302651 0 59000
E – mail : info@epirusbank.gr

2. Which of my personal data are collected and in what manner?

The personal data collected and processed by Epirus Bank are only those which, in each case, are necessary for a certain and clearly specified purpose and a specific legal basis.

The purpose is to provide you with better services, to notify you of new products and services that meet your needs, to provide you with personalized services and to serve your banking transactions with Epirus Bank, which you, our customers, have selected for your transactions.

In this context, the personal data processed are those that you provide to Epirus Bank, when visiting any of our branches or on real, interactive time, when you are using our official websites, our products or services or interact with us, for example, when you register for a new e-banking account or when you contact us or when you submit an application for a bank product (e.g. loan), which you have selected.

The personal data you provide us include information depending on the manner of interaction with Epirus Bank, for example, a visit to one of our branches or one of our websites, or the e-banking services you use, which are strictly necessary for each transactional or contractual relationship with our bank, such as:

• Identification and demographic details, such as full name, father’s name, gender, date and place of birth, identity card number, passport number, nationality, TIN, SSN, family status.
• Contact details (postal address, landline and mobile phone numbers, e-mail address).

In addition, the following data are collected; the type and volume of which depends on the type of relationship, as the case may be, and the product or service offered or provided:

• Data pertaining to the financial, property and family status, such as E1 and E9 forms, tax assessment certificates, profession, remuneration, financial status, dependents.
• Data arising out of the operation of one or more contracts between customers and the bank and the use of the products which customers have selected and obtained.
• Data from the performance of payments and the provision of payment services.
• Data pertaining to users’ identifiers and transactional behavior, which are provided by devices or applications used, such as IP addresses or other data provided through the devices used by customers such as location identifiers, as well as online browsing behavior (cookies), which, alone or in combination with unique identifiers, may be used in order to identity customers and create profiles.
• Data pertaining to customers’ knowledge and experience in the investment or insurance sector, their financial status, risk tolerance level and investment goals.
• Transactional behavior data (marketing analysis).
• Data pertaining to telephone calls with customers, recorded in accordance with the provisions of the legislative framework.
• Financial obligations default data, such as dishonored checks, terminations of loan and credit agreements, orders for payment, seizures and enforcement orders for payment, applications and decisions for reorganization or bankruptcy.
• Creditworthiness data, such as debts to credit and/or financial institutions from loans and/or credits.
• Credit scores (credit profiling – credit scoring).

Epirus Bank, in addition to direct data collection from you, collects data from the following entities, in the context of protecting its legitimate interests:

Α. from TIRESIAS SA, pertaining to

• financial obligations behavior pertaining to you (dishonored checks, seizures and enforcement orders for payment, terminations of loan agreements, applications for bankruptcy or reorganization, etc.)
• your credit score
• details concerning Mortgages - Prenotations of Mortgages

Β. during use of your e-banking account. These data pertain to:

• cookies that facilitate access and use of specific services and/or pages of our website.

C. Data pertaining to your financial, property and family status from publicly accessible sources, such as Land Registers/Cadastre Offices or data transmitted by various supervisory, judicial and public bodies, and imposition of measures for ensuring the interests of the Government (such as attachments and seizures of accounts).

D. Data pertaining to payment activities from you or from payment services providers at your order.

Ε. Recorded data from the surveilance data system for the protection of people and goods that are at all times in the bank.

Where in the foregoing cases the processing is based on the grant of your consent, Epirus Bank follows the procedures provided for by the law in order to obtain such consent.

3. Which are the purposes of processing and which are the legal bases thereof?

Personal data are collected in accordance with the GDPR and the applicable legislation, either at the beginning of the transactional relationship and/or subsequently, and are processed for the following purposes:

• Personal data processing with your consent
• Personal data processing for performing the contract, when we respond to a services provision request.
• Personal data processing for complying with our legal obligations.
• Personal data processing for our legitimate interests.

Epirus Bank may process your personal data for the following purposes, per legal basis:

1. With your consent

• Identification and contact with you in any transaction with Epirus Bank at any pre-contractual or contractual stage.

2. For the performance of our contractual obligations, where a contract has been concluded with the Bank or during a pre-contractual procedure.

• Contact during a pre-contractual procedure in the context of an application for a product or service.
• Assessment of the credit risk the Bank would have to undertake or has already undertaken, in case of a loan or credit.
• Management, monitoring, handling and servicing transactions arising out of the proper performance of a contract and fulfillment of our obligations owed to you.
• Transaction services through electronic services (ATM, e-banking).

3. For the fulfillment of our legal obligations.

• Fulfillment of our obligations imposed by applicable tax and insurance legislation for our customers and personnel.
• Fulfillment of our obligations in accordance with applicable legislation concerning disclosure to Public Authorities (Supervisory, Independent, Police, Judicial).
• Prevention and combat of money laundering and terrorism financing and the prevention of fraud against Epirus Bank and its customers.
• Assessment of your creditworthiness in order to assess your requests (e.g. settlements, debt arrangements).
• Recording and archiving all transaction orders given by customers.

4. For our legitimate interests.

• Promotion of new products and services to you, as well as to new customers, provided that appropriate consent has been granted.
• Development and improvement of the services provided and/or our products through your transactional activities and interests.
• Handling of customer complaints.
• Management or risks from default on obligations arising out of loan agreements.
• Prevention of unlawful activities.
• Protection and security of IT systems.
• Entrance in a video surveillance system area.

4. Who are the recipients of my personal data?

Bank employees who are responsible for the management and operation of each contract or transactional relationship between customers and Epirus Bank, for the purposes of the performance of the obligations arising thereunder, as well as of the respective obligations imposed by the legislation, who must comply with the legislative framework, including bank secrecy.

In this context, Epirus Bank employees will have access to your personal data in the context of the performance of the tasks assigned to them by the Bank in its capacity as the data controller.

Epirus Bank is obliged or entitled to disclose your personal data to various third party recipients, such as:

• Insurance Organizations, Public Organizations, Chambers and Public Corporations.
• Supervisory, Independent, Police, Judicial and, in general, Public authorities, in the context of their powers (such as the Bank of Greece, the Hellenic Competition Commission, the Financial Police, Land Registries, Courts, Prosecution Authorities, etc.).
• Credit institutions, companies and/or organizations providing payment and payment processing services that have been licensed and operate lawfully (e.g., DIAS, VISA, MasterCard, Attica Bank), in the context of performance of contracts or transactions.
• TIRESIAS SA, in respect of the files kept by it for the protection of credit and financial transactions, in accordance with applicable provisions.
• Natural persons or legal entities that act as data processors at the orders of the Epirus Bank, who comply with its instructions, the GDPR and the applicable legislation, as ensured through relevant contracts.
  • IT systems provision and support companies
  • Loan management company
  • Consultancy services companies
  • Guarding and security companies
  • Lawyers
  • Court Bailiffs
  • Engineers

subject to compliance, in any event, with professional secrecy and confidentiality obligations.

5. How long will my data be kept?

Epirus Bank retains your personal data for a period determined by the applicable legal and regulatory framework.

• In case of conclusion of a contract, personal data are retained for twenty (20) years after the expiry of the contract. In case of pending judicial proceedings in respect of such contract, the retention period will be extended beyond twenty years, until the issue of an irreversible judgment.
• Where a transactional relationship is not concluded, the personal data will be retained for five (5) years from the relevant application, in the context of which such personal data were collected.
• The video surveillance data are kept for a period of up to forty five (45) days, except for the data of specific places that are kept for a period of ninety (90) days, unless recorded cases of organized fraud or transaction dispute, in which case the relevant data are kept separately for, as long as, time is required to investigate and prosecute responsible.

6. What are cookies and why are they collected by Epirus Bank?

In order to ensure that our website functions correctly, we may sometimes set small pieces of data, known as cookies, in your computer or mobile device. Cookies are small text files stored by a webserver on a computer or mobile device. The content of the cookie may be retrieved or read only by the server setting the cookie. The text in a cookie usually consists of identifiers, location names and some numbers and characters. Cookies are unique to the browsers or mobile applications you use and allow websites to store data, such as your preferences.

Epirus Bank only uses session cookies, which are deleted after each visit.

7. How are my data protected?

Epirus Bank works daily in order to ensure that the personal data we obtain:

• Are processed lawfully, fairly and in a transparent manner in relation to the data subject;
• Are collected exclusively for specified and legitimate purposes;
• Are adequate, relevant to the purpose for which they are collected and limited to what is necessary;.
• Are accurate and up to date;
• Are kept exclusively for a determined period and not for longer periods.
• They are processed in a manner that ensures the necessary personal data security.

8. What are my rights?

Customers have the following rights:

• Right of access

You can receive information at any time concerning the personal data we retain, and access them.

• Right to data rectification

You have the right to contact us in order to rectify inaccurate or incomplete data.

• “Right to be forgotten”

Unless any law obliges us to retain the data pertaining to you, you can ask us to delete them.

• Right to data portability

You can ask us to transfer your data to another entity.

• The right to object and to restriction of processing

If you disagree with the manner we process your personal data, you can request the suspension or the restriction of the processing.

• The right to withdraw consent

You have the right to withdraw your consent to the processing of your data at any time.

Epirus Bank will make every effort to respond to your request without delay and, in any event, within one month from the receipt of the request. Said deadline period may be extended by two further months, if necessary, taking into account the complexity of the request and the number of requests. The bank will notify you of such extension within one month from the receipt of the request, as well as for the reasons of the delay. If you have submitted your request electronically, the notification will be provided, if possible, electronically, unless you, the data subject, have requested otherwise.

Where the Bank satisfies your request: a) for restriction of data processing, or b) for objection to the processing of your personal data, or c) for the erasure of your data from the Bank records, if such data are required for the conclusion or continuation and performance of the contract, then such satisfaction shall automatically entail the termination, on your part, of the respective contract or the inability to process your relevant request.

Epirus Bank, in any event, is entitled to refuse to satisfy your request for the restriction of processing or erasure of your personal data, if such processing is necessary for the establishment, exercise or defense of lawful rights or the performance of its obligations.

The above services are provided free of charge. However, if your requests are manifestly unfounded, excessive or repetitive, the bank is entitled to either impose a reasonable fee or refuse to act on such requests.

Request for the exercise of data subjects’ rights

9. Consent withdrawal

You also have the right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on such consent prior to the withdrawal.

10. Data Protection Officer

If you have any questions concerning the processing of your personal data or your rights or even if you think that your personal data are infringed, please contact our Data Protection Officer at dpo@epirusbank.gr or in writing, at the postal address: Data Protection Officer, 6, Patriarchou Ioakeim St. & Karapanou St., PC 45221, Ioannina, and we will respond as soon as possible, the latest within one month.

11. Hellenic Data Protection Authority

If we do not resolve the matter of personal data infringement, you may file a complaint with the Hellenic Data Protection Authority (www.dpa.gr), which is the competent supervisory authority for the protection of the fundamental rights and freedoms of natural persons against the processing of personal data.