Search

We handle your data with care

Thank you for visiting our website. We take the protection of your privacy very seriously and want you to feel protected during your visit.

Information for the Processing of Personal Data

The Data Controller of your data is the company "EOS MATRIX GREECE SINGLE-MEMBER LOAN AND CREDIT CLAIMS MANAGEMENT SOCIÉTÉ ANONYME”, with the distinctive title "EOS MATRIX RECEIVABLES MANAGEMENT GREECE S.A.", Vouliagmenis Avenue No. 423B, Ilioupoli, Attica, P.C. 16346 No. GEMI 143618701000, tel: 2109792990  e-mail: [email protected]

The Data Protection Officer for the company can be contacted at the above address (please include the line “ATTENTION: Data Protection Officer”) or by email at: [email protected]

Thank you for visiting our website. We take the protection of your personal data very seriously and want you to feel safe when visiting us.

 

1. Name and contact details of Data Controller and Data Protection Officer

The Data Controller of your data is the company "EOS MATRIX RECEIVABLES MANAGEMENT FROM LOANS AND CREDITS GREECE SOCIETE ANONYME", 423Β Vouliagmenis Avenue. P.C. 163 46, Illioupoli, Attica, Greece, No. GEMI 143618701000, legally licensed and supervised by the Bank of Greece (Decision No 505/26/28.06.2024 decision of the Credit and Insurance Committee of the Bank of Greece (Government Gazette Β’ 3745/01.07.2024) Tel: +30 210 9792-900, e-mail: [email protected] (“EOS Matrix Greece”).

You may contact the Data Protection Officer of EOS Matrix Greece at the above address (please include the line “ATTENTION: Data Protection Officer”) or by email at: [email protected]

 

2. Scope

This privacy notification concerns the processing of personal data of natural persons who visit/use this website (the “Website”). If your visit to the Website or your request submitted via the Website concerns other EOS Group companies (“EOS Group”), we may need to pass on your data to the other companies in the EOS Group (see below under 7).

 

3. Privacy policies of the other companies of EOS Group

You can view the Privacy Policies of other EOS Group companies in the “Personal Data” section of the Website.

 

4. Basic Principles of data processing

We process your data in a legal and transparent way, in accordance with the European (General Data Protection Regulation 679/2016 EU) and national legislation (Law 4624/2019 etc). We collect and process your data only for explicit, legitimate and defined purposes and only the data necessary for the purposes we process it.

We retain the data for as long as necessary, in accordance with the applicable legislation, the processing purposes and the relevant EOS Matrix Greece/ EOS Group policies and procedures, and we make sure that your personal data is as accurate, secure and updated as possible.

 

5. Sources of personal data

We collect your personal data:

  • Directly from you; and
  • From third parties that provide personal data that relate to you. If you transmit personal data about third parties (e.g., your spouse, relatives etc.), you are responsible for complying with the applicable data protection provisions. This may require obtaining the consent of these third parties prior to the transmission of their data to us.

Moreover, we collect your personal data automatically through relevant systems which are used in connection with your website consultation (e.g., cookies, log data). For instance, we may collect your personal data from the device through which you access the Website. Finally, we use tracking technology to collect data about you. You can find more information on how we use cookies and other similar tracking technologies in paragraph 8 of this notification.

 

6. Collection of personal data, purpose and legal basis for their processing

When you retrieve the Website, the browser used on your device automatically sends information to our website’s server. This information is temporarily saved in a log file. The following information is collected without your intervention and saved until it is automatically deleted after three (3) days:

  • IP address of retrieving computer,
  • date and time of access,
  • name and URL of retrieved file,
  • website from which access occurred (referrer URL),
  • website retrieved from the Website,
  • your computer’s browser and possibly operating system as well as name of your access provider.

The aforementioned data are processed by us for the following purposes:

  • to ensure trouble-free connection establishment to the Website,
  • to ensure comfortable use of the Website,
  • to analyse the system security and stability,
  • to protect the Website against malicious acts that jeopardise the availability, authenticity, integrity and confidentiality of stored or transmitted data (e.g. control of 'denial of service' attacks), and
  • for other organizational purposes.

 

The legal basis for the processing of your data is our legitimate interest in ensuring the security of our networks, information and services from accidental events or illegal actions, as well as our legal obligation to provide as secure an environment as possible for the processing of your personal data (Article 6 par. 1 (f) and (c) of the GDPR). The Data will not be transferred or used in any other way. However, we reserve the right to check server log files if specific indications of illegal use are found.

 

When you contact us via email or contact form

In the context of communication between us through the contact form or e-mail, we collect your name and e-mail as well as any other information you may provide to us during our communication. This data is stored and used solely to respond to your request. The legal basis for the processing of this personal data is your consent and our legitimate interest in responding to your request, which are applicable to Article 6 par. 1 (a) and (f) of the GDPR. Your data will be deleted after the final processing of our communication. This will be the case if it can be inferred from the circumstances that the communication has been completed, provided there are no legitimate reasons for storing such data.

If you contact us for the purpose of concluding a contract, the additional legal basis for the processing of your data is Article 6 par. 1 (b) of the GDPR.

 

7. Transmission of data

We may disclose personal data in the situations described below:

  • to other EOS Group companies;
  • to third parties who provide services to us (e.g., IT companies, telecommunication providers);
  • to third parties insofar as it is necessary in order to process your request, if you contact us using the contact form of this Website;
  • to any court of any relevant jurisdiction or any relevant authority;
  • to public authorities, regulators or governmental bodies or other third parties, when required by the applicable legislation/ regulation; or
  • Otherwise, if you consent to such disclosure.

With the exception of the above, the Data will not be shared with third parties, natural or legal persons, and will not be disseminated.

 

8. Cookies

Like most websites, we use cookies and similar technologies when you access and browse the Website, in order to make your visit comfortable and efficient as possible. These are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, or similar) when you visit the Website. Cookies do not harm your device and do not contain any viruses, Trojan horses, or other malicious software. Information yielded in connection with the specific device used is stored in the cookie. However, this does not mean that we directly receive knowledge of your identity through this.

Use of cookies serves, for one thing, to make use of our offering more pleasant for you. For example, we use so-called Session cookies to recognize that you have already visited specific pages on the Website. These are automatically deleted after you leave the Website. Likewise, to optimize the user-friendliness, we also use temporary cookies, which are saved on your device for a specific defined period of time. If you visit the Website again to use our services, it will automatically be recognized that you already visited us and the entries and settings you made will automatically be recognized so that you do not have to enter them again.

Cookies are divided up into the four categories of “Necessary,” “Statistics,” “Comfort,” and “Marketing.”

 

The necessary cookies are required for the operation and the basic functions of the Website. In particular, they enable the security-relevant functioning of the Website.

 

The statistical cookies are used for improving our services, for ensuring a needs-based design and the continuous optimization of the Website. For this, we collect anonymized data for statistics and analytics, for example, to determine site traffic, page view statistics, and user behavior and to adapt and improve our content and the website experience.

 

The preference cookies are used for facilitating the use of our website. If you visit the Website again to use our service, it will automatically be recognized that you were on the Website and the entries and settings you made will automatically be recognized so that you do not have to enter them again. For example, through this, you will not have to reenter your user data every time, but rather you can access the data already entered when you visit the Website again.

 

We use marketing cookies so that we can provide you with relevant and interest-based content when you visit the Website.

 

The data processed through necessary cookies are necessary for the stated purposes for safeguarding our legitimate interests as well as those of third parties pursuant to Article 6 para. 1 lit. f of the GDPR, mainly for the safe use of the Website.

 

The data process through statistic, preference and marketing cookies is relying on your consent, pursuant to Article 6t para.1 lit. a of the GDPR, for the purposes of offering optimum user experience, statistical purposes as well as marketing purposes. You may change your settings/withdraw your consent at any time by clicking on “Cookies Settings” at the bottom of the Website.

 

Managing Cookies

Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or a notification message always appears before a new cookie is placed. Each browser differs depending on how it manages cookie settings. This is described in the Help menu of each browser, which explains how to change your cookie settings. Follow the links below depending on the browser you are using:

 

Complete deactivation of cookies, however, may lead to you not being able to use all the features of the Website.

 

9. Social media and YouTube

We use Shariff buttons from social networks Facebook, Twitter, Google+, LinkedIn, Xing, on the Website. The buttons are simple HTML links. The procedure we use is within the framework of the Shariff solution. With the Shariff solution a script retrieves the number of times, e.g., the share button on a page has been clicked on: for this the script contacts the social network via the programming interfaces and retrieves the numbers. None of your personal data are transmitted in the process. Rather than your IP address, only our server address is transmitted to Facebook, Google and Twitter. You only become directly connected to Facebook, Google or Twitter if you perform an action. Before that the social networks cannot collect any data about you. As long as you do not click on a link to share content, you remain invisible to the networks. If you click on a link, the obligation to provide information about data collection and processing no longer rests with us, but rather with the operator of the social network.

 

YouTube Videos

The Website contains links to videos from YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. If you visit a website on the Website that contains such a video, a direct connection is established between your browser and the YouTube server after you have activated the video. YouTube receives the information that you have visited the Website with your IP address. If you click on the link to the video, your IP address will be forwarded to YouTube. We would like to point out that, as the provider of the Website, we have no knowledge of the content of the transmitted data or of its use by YouTube. For more information, please see YouTube's privacy policy (https://www.youtube.com/)

 

10. Data security

We make every effort to ensure that your data is secure and protected from illegal processing, accidental or fraudulent loss and destruction, and unauthorized access. We have implemented a detailed information security program and implement security policies and controls taking into account the best practices of modern technology and the cost of their implementation, as well as we have trained our executives and staff to adhere to data confidentiality and confidentiality rules. Our staff and third-party partners are committed in writing to respecting the confidentiality of the data to which they have access.

The Website uses the Secure Sockets Layer (SSL) protocol, which applies methods of encrypting data exchanged between two devices by establishing a secure connection between them over the internet, which results in the protection of your personal data and other sensitive data. You can recognize that you are on a protected connection by seeing the characters https:// the lock symbol that appears in your browser's address bar. Generally, this encryption is at 256-bit. If your browser doesn't support 256-bit encryption, we choose to reduce it to 128-bit v3 technology.

 

11. Transfers to Third Countries or Organisations

We have taken care that, in most cases, your data is processed within the European Union (or the European Economic Area). In the case of data processing in a third country outside the European Economic Area this will only be done if this third country has an adequacy decision by the European Commission or if other appropriate data protection guarantees are available (in particular standard EU contractual clauses or binding internal company data protection rules).

 

12. Minor’s data

The Website is not directed to minors (under 18 years of age), nor does EOS Matrix Greece, in principle, process their data. If we need to process minor’s data (under 18 years of age), the processing will only be done with the written and expressed consent of the persons who have parental responsibility for the minor.

 

13. Will your personal data be used for automated decision-making?

As a rule, we do not use fully automated decision-making (i.e., a purely automated process that would produce legal effects concerning you or significantly affecting you) during your access to the Website or when you make use of a contact form so as to reach out to us. If such a decision-making process is used in isolated cases, you will be separately informed, to the extent your notification is required by law.

 

14. Do you have an obligation to provide personal data?

For the purpose of using the Website, you will need to provide us with personal data that is required for its use and in particular for technical or IT security reasons. If you do not provide this data, you will not be able to use the Website.

For the purpose of reaching out to us through the relevant form, you are only required to provide us the personal data without which your inquiry cannot be processed by us.

 

15. Data subject rights

You may contact the Data Protection Officer of EOS Matrix Greece at the postal and e-mail address referred to in paragraph 1 hereof at any time, in order to exercise your rights in accordance with Articles 15-22 of the GDPR i.e. the rights of access, correction, deletion (where permitted), restriction of processing or even opposition to processing, You have in particular the right to:

  • pursuant to Art. 15 of the GDPR to request information about your personal data processed by us, in particular about the purposes for processing, the personal data category, the categories of the recipients to whom your data have been or will be disclosed, the planned retention duration, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if they were not collected by us and the existence of automated decision-making including profiling and if applicable meaningful information about their details; 
  • pursuant to Art. 16 of the GDPR to demand the immediate rectification of incorrect or completion of the personal data saved by us about you;
  • pursuant to Art. 17 of the GDPR to demand the erasure of the personal data saved by us about you as long as processing is not necessary for exercising of the right to freedom of expression and information, for fulfilment of a legal obligation, for reasons of public interest or for assertion, exercising or defence of legal claims;
  • pursuant to Art. 18 of the GDPR to demand the restriction of processing of your personal data as long as the accuracy of the data is questioned by you and processing is unlawful, but you reject their erasure and we no longer need the data, but you require them for assertion, exercising or defence of legal claims or you have filed an objection to the processing in accordance with Art. 21 of the GDPR;
  • pursuant to Art. 20 of the GDPR to demand receipt in a structured, standard and machine-readable format of your personal data which you provided to us or transmission to another responsible party;
  • pursuant to Art. 21 of the GDPR, to oppose the processing of your personal data when it is done on the basis of the legitimate interests of our own or third parties (Article 6(1) of the GDPR) if there are specific reasons for doing so or related to marketing.
  • pursuant to Art. 7(3) of the GDPR you may withdraw the consent you have given us at any time, but the withdrawal does not affect the legality of the processing that took place up to the time of withdrawal.

 

Finally, in accordance with Article 77 of the GDPR, you have the right to lodge a complaint to the competent Hellenic Data Protection Authority, Kifisias 1-3, P.C. 115 23, Athens, Call Centre: +30-210 6475600, website: http://www.dpa.gr/, or to the supervisory authority of your usual place of residence.

 

16. Update and amendment of this notification

This notification is currently valid and was last updated in September 2025 and may be amended at any time by EOS Matrix Greece. Significant changes will be posted on the Website before they take effect. You may print this notification or request a copy by post or phone.

What data do we collect? 

EOS MATRIX GREECE Claims Management S.A. collects and processes data of natural persons (debtors, guarantors, related persons such as family members, legal representatives, representatives, beneficial owners, etc.) whose debts are included in the portfolios of claims managed in accordance with  L. 5072/2023, upon their award by the entity/company acquiring claims or special purposes such as EOS Finance Gmbh and EOS Securisation Gmbh. Both EOS MATRIX GREECE Claims Management S.A. and the entities that assigned the management of the Receivables have the status of Data Controller.

Categories and sources of personal data:

Personal data of debtors, guarantors, representatives and beneficial owners, including identification and communication data of such persons, details of debts and contracts from which these debts arise as well as telephone records, were transmitted to the Manager "EOS MATRIX RECEIVABLES MANAGEMENT FROM LOANS AND CREDITS GREECE SOCIETE ANONYME" by:  (i) the entity that entrusted EOS MATRIX GREECE S.A. with the management of your debt, such as EOS Finance Gmbh and EOS Securisation Gmbh; (ii) directly from you; (iii) publicly accessible sources (indicatively, telephone directories, courts, mortgages, land offices, etc.); (iv) from the financial conduct data records kept by TEIRESIAS S.A. (headquarter address: 2 Alamanas Street, 151 25 Maroussi, tel: 210 3676700, information on the processing of personal data by TEIRESIAS S.A. is posted on its website: www.tiresias.gr) and (v) lawyers, law firms, bailiffs, notaries.

Purpose and legal basis of processing:

Your personal data is processed: (a) for the purpose of managing and collecting your debts and supporting the legal interests of EOS MATRIX and third parties, in accordance with Article 6 par. 1 f of the GDPR, including the control and selection of appropriate recovery measures in accordance with the relevant data; (b) for the purpose of refinancing your loan and drawing up with you, the performance and operation of a contract for the general settlement of your debt and other obligations, in accordance with Article 6 PAR. 1 b of the GDPR (c) to comply with legal and supervisory obligations arising from Law 5072/2023 and Act No. 225/30.01.2024 of the Executive Board of the Bank of Greece, as applicable, in accordance with Article 6,par. 1 c of the GDPR.

Recipients of your data:

Recipients of your personal data may be: Judicial and competent Public Authorities (such as Mortgages, Debtor Information Register, Personal Data Protection Authority, etc.), Lawyers, Judicial Curators, Debtor Information Companies and TEIRESIAS S.A.

Retention Period:

Your personal data is retained for as long as necessary for the purpose for which it was transmitted to or collected by our company. After the collection of the debt, they will be kept for a further five years in the archives of our company, unless it is required to keep them for a longer period at the request or decision of the competent authorities, or because there is a case of further retention, in accordance with the applicable legal periods of data retention, in accordance with paragraph 3 of Article 34 of Law 4624/2019.

Rights of subjects, in accordance with the GDPR:

Data subjects, provided the legal requirements are met, may exercise their rights in accordance with Articles 15 to 22 of the GDPR and the relevant provisions of Law 4624/2019, such as the right to information, access, correction, deletion, restriction of processing, data portability and objection to processing, addressed to the Data Protection Officer of the Data Controller EOS MATRIX RECEIVABLES MANAGEMENT FROM LOANS AND CREDITS GREECE SOCIETE ANONYME to the above postal address (Attention of the Data Protection Officer) or to the e-mail address : [email protected]. Please note that you have the right, in accordance with Article 77 of the GDPR, to address your concerns to the competent Data Protection Authority, by submitting any request or complaint concerning the processing of your personal data. The Greek Data Protection Authority is located in Athens, on Kifisias Avenue No.1-3. You can also visit the website of the Independent Privacy Authority (www.dpa.gr), where you will find detailed information. 

Notice on the Processing of personal data by EOS Matrix Greece pursuant to Regulation (EU) 2016/679 and the relevant Greek and European legislation

 

The company under the name “EOS MATRIX GREECE SINGLE-MEMBER LOAN AND CREDIT CLAIMS MANAGEMENT SOCIÉTÉ ANONYME”, with registered offices in the Municipality of Ilioupoli, Attica (423B Vouliagmenis Avenue, PC 16346, GEMI No. 143618701000) (hereinafter “EOS Matrix Greece”), informs you pursuant to the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the "GDPR"), Greek law 4624/2019 for the implementation thereof and the relevant Greek and European legislation on the protection of personal data, under its capacity as controller with regard to the collection and further processing of your personal data and your rights as data subject.

 

This Notice provides information regarding any processing of personal data carried out by EOS Matrix Greece in its capacity as controller.

Where EOS Matrix Greece acts as a processor, the relevant controller’s privacy notices shall apply. However, even in such cases, EOS Matrix Greece acts as a controller solely with respect to the following:

  1. the recorded voice communications record as regards the communications conducted by EOS Matrix Greece for the purpose of providing information to debtors for overdue debts;
  2. the record relating to debtors’ complaints and requests addressed to EOS Matrix Greece, in accordance with the applicable regulatory framework;
  3. the data required for the compliance of EOS Matrix Greece with the applicable legal and regulatory framework on money laundering and terrorism financing; and
  4. the data required for the overall compliance of EOS Matrix Greece with the obligations imposed by the applicable legal, regulatory and supervisory framework, as well as with the decisions of any competent authorities (governmental, administrative, supervisory etc.) and/or court.

The processing activities carried out by EOS Matrix Greece as controller, pursuant to the abovementioned (1-4), are governed by the terms of the present Notice. This Notice may be supplemented by specific notices where applicable (e.g., in cases of processing special categories of data, cookies, data collected via the website, CCTV systems, visitor logs, etc.).

 

1. Details of the Data Controller

The controller of your personal data is “EOS MATRIX GREECE SINGLE-MEMBER LOAN AND CREDIT CLAIMS MANAGEMENT SOCIÉTÉ ANONYME”, with registered offices in the Municipality of Ilioupoli, Attica (423B Vouliagmenis Avenue, PC 16346, GEMI No. 143618701000), a special purpose Société Anonyme licensed and supervised by the Bank of Greece for the management of loan and credit claims pursuant to Law 5072/2023, in conjunction with Article 1 of Law 4354/2015, as in force (Decision No. 505/26/28.06.2024 of the Credit and Insurance Committee of the Bank of Greece, published in Government Gazette B’ 3745/28.06.2024).

2. Scope of this Notice

This Notice applies to natural persons (debtors, co-debtors, guarantors, etc.) whose debts are included in receivables portfolios managed by EOS Matrix Greece, following their assignment by the relevant entities, as well as to any natural persons connected to such individuals and/or their debts (e.g., guarantors, family members, heirs, legal representatives, attorneys, proxies, other authorized persons, employees, associates, legal representatives, shareholders and beneficial owners of debtors that are legal entities, etc.).

It is noted that if the debtor (or co-debtor, joint borrower, guarantor, etc.) is a legal entity, this Notice applies to its directors, representatives, partners, beneficial owners, and officers, whose personal data EOS Matrix Greece processes in connection with the debt of that legal entity.

 

3. What Personal Data EOS Matrix Greece processes and which sources it collects data from

A. Categories of personal data processed by EOS Matrix Greece

With the exception of data under points (i) and (ii) below which are absolutely necessary in any relationship with EOS Matrix Greece, the categories and number of other collected and processed personal data depends in any case on the data subject’s capacity, as per Section 2 above, as well as on other factors, such as the type of relationship, partnership or transaction with EOS Matrix Greece.

In view of the above, the personal data that EOS Matrix Greece collects and processes may indicatively be the following and not all of them necessarily concern you:

  1. Identification data: full name, father’s name, mother’s name, identity card and identity card number or passport and passport number, tax identification number, Social Security Number (AMKA), date and place of birth, nationality, signature data, etc.
  2. Contact details: postal and email address, landline and mobile telephone numbers, etc.
  3. Data concerning your economic, financial and family status: profession and duration of occupation, remuneration, dependent family members, marital status or non/ partnership contract/widowhood, tax declarations (forms E1 and E9 etc.), salary statements, tax clearance certificates and/or insurance clearance certificates, mobile, real estate and other assets, etc.
  4. Data concerning the failure to fulfil your financial obligations: such as termination of loan and credit agreements, payment orders, seizures and relevant payment rulings, applications for and decisions on consolidation or bankruptcy or debt settlement in general.
  5. Data concerning your creditworthiness: such as debts towards credit and/or financial institutions deriving from loans and credits etc.
  6. Credit profiling/ credit scoring data from databases on economic behavior such as the company TIRESIAS S.A.
  7. Payment data and data relating to the operation, servicing and administration of the loan or credit from which your debt arises, including the relevant contractual documents, the payment history of your debt, as well as letters or extrajudicial letters exchanged in relation to your debt.
  8. Data related to recorded communications (such as phone calls, face to face communications, electronic communications) in accordance with the legal requirements (including, indicatively, any complaints and requests submitted by the debtors, as well as any telephone communications made by EOS Matrix Greece for the purpose of informing the debtors for overdue debts).
  9. Special categories of personal data, such as health data concerning you and/or dependent members of your family, which are collected directly from you by virtue and for the purposes of implementing the procedures of the Bank of Greece Code of Conduct, as well as for the purposes of processing and assessing any debt-settlement requests and complaints and/or where you have provided your explicit consent and/or when the processing is necessary for the establishment, exercise or support of legal claims of EOS Matrix Greece or the respective receivables entity. For further information regarding the processing of special categories of personal data by EOS Matrix Greece, please refer to the Information and Consent Notice for the Processing of Special Categories Personal Data which is available at the EOS Matrix Greece’s website.
  10. Data related to the use of electronic and/or digital services and communications of EOS Matrix Greece (such as cookie identifiers, IP addresses, location data or other online identification data), pursuant to the specific terms governing such services.
  11. Image data collected from the video surveillance systems at the premises of EOS Matrix Greece, where relevant notification signs have been placed pursuant to the law (analytical information for the processing of the personal data through the video surveillance system at your entrance in the premises of EOS Matrix Greece are available to the EOS Matrix Greece’s website).
  12. Data deriving from supplementary and supporting documentation you send to or submit to EOS Matrix Greece during your contractual relationship with EOS Matrix Greece or at a pre-contractual stage.
  13. Data for the assessment of the risk of money laundering and/or terrorism financing.
  14. Minors’ data, only when the legal preconditions have met.

B. Sources from which EOS Matric Greece collects your personal data

EOS Matrix Greece collects data from the following sources:

  1. The credit or financial institution which granted the loan or credit from which your debt derives
  2. The entity which assigned to EOS Matrix Greece the servicing of your debt.
  3. Other servicers under the provisions of Greek law 5072/2023, as applicable and in force.
  4. Directly from you.
  5. Credit or financial institutions with which you maintain a customer relationship for the purpose of applying due diligence measures pursuant to the applicable legal and regulatory framework on the prevention, detection and mitigation of money laundering and terrorist financing.
  6. Publicly accessible sources (indicatively telephone directories, land registers, cadastral offices, registers, web, etc.).
  7. From the databases on economic behavior held by the company TIRESIAS S.A. (registered office’s address: 2 Alamanas Str., 151 25 Maroussi, tel. number: +30 210 3676700, website: www.teiresias.gr).It is noted that the controller of the aforesaid economic behavior data is the company under the trade name “INFORMATION BANKING SYSTEMS SA” and distinctive title “TIRESIAS S.A.” to which you may address any request regarding the exercise of your relevant rights as well as the provision of information in accordance with the law. Such information on the processing of personal data by TIRESIAS S.A. is available at the company’s website at: www.teiresias.gr.
  8. Lawyers, law firms, court bailiffs, notaries.
  9. Third (natural or legal) parties, acting on your behalf or related to you.
  10. Electronic devices or applications you use, or service providers EOS Matrix Greece collaborates with.
  11. Public authorities, services and bodies (including the Central Portal of the Public Administration and the tax authorities) in accordance with the legal provisions.

It is noted, that in case you provide EOS Matrix Greece with third parties’ personal data, including those of process agents and/or administrators, representatives, partners and management bodies, you must have ensured that you have duly informed such third parties with regard to the transfer of their personal data and the processing thereof by EOS Matrix Greece, prior to such transfer (indicatively via reference to this Notice of EOS Matrix Greece), and that you have obtained their necessary consent, if required.

4. Why EOS Matrix Greece collects and processes your personal data and for which processing purposes

EOS Matrix Greece processes your personal data for credit servicing purposes in accordance with Greek law 5072/2023, as applicable and in force. In particular, EOS Matrix Greece processes your personal data for the purposes mentioned below:

A. For the execution of a contract and in order to take pre-contractual measures at your request.

Said processing of your personal data serves, in particular, purposes such as:

  1. Your identification, verification of your data and communication with you during the management of your debt under the original loan or credit agreement or under the relevant debt-settlement agreement and during both the pre-contractual and contractual stage.
  2. The management of your loan or credit agreement, from which your debt under the servicing of EOS Matrix Greece derives, and the conclusion, execution, management and, in general, smooth servicing of the agreement concluded for the settlement of your debt and for the fulfillment of the respective obligations arising therefrom.
  3. The monitoring of your debt evolution, the assessment of your application and your request and the monitoring of the payments you make.
  4. The prevention or mitigation of your potential failure to fulfill your obligations arising from the loan or credit, from which your debt under the servicing of EOS Matrix Greece, derives.
  5. The pursuit of the collection of any amounts you owe in relation to the loan or credit, under the servicing of EOS Matrix Greece.
  6. The communication with you, the provision of information to you in view of finding the best solution for your debt.

B. For EOS Matrix Greece’s compliance with its legal obligations

EOS Matrix Greece will process your personal data to the extent required to comply with the below legal and regulatory obligations to which it is subject and which derive from the provisions of Greek law 5072/2023 and the relevant Acts of the Bank of Greece Executive Committee, as applicable and in force:

  1. the legal and regulatory framework on money laundering and terrorist financing, as in force from time to time;
  2. the Bank of Greece Code of Conduct;
  3. act no. 157/02.04.2019 the Bank of Greece Executive Committee, as applicable from time to time, which imposes, inter alia, obligations for the provision of information and, in general, requirements on transactions’ transparency, including, in particular, the management of debtors’ requests and complaints;
  4. the submission of regulatory reports to the Bank of Greece and the conduct of audits by the Bank of Greece;
  5. article 8 para. 2 of Greek law 3758/2009, as applicable and in force, which imposes the obligation to record the content of the telephone calls conducted by EOS Matrix Greece for the purposes of informing the debtors for overdue debts; and
  6. the overall compliance of EOS Matrix Greece with the obligations imposed by the applicable legal, regulatory and supervisory framework, including the operation of the electronic personalised information system: myeos.eos-greece.com, as well as with the decisions of any competent authorities (public, supervisory, independent, prosecution etc.) or courts (including arbitrary).

C. For the purpose of the legitimate interests pursued by EOS Matrix Greece or by a third party

The processing of your personal data serves purposes relating to:

  • the defense of EOS Matrix Greece’s or the respective receivables entities’ legal rights and interests, as such entities are specified above,
  • the collection and judicial pursuit of claims under the servicing of EOS Matrix Greece,
  • the prevention and deterrence of criminal acts or frauds against EOS Matrix Greece,
  • the security and safety of information systems, facilities and assets of EOS Matrix Greece as well as the protection of persons who do business with EOS Matrix Greece, of the personnel and visitors of EOS Matrix Greece’s premises,
  • the handling of your complaints,
  • the evaluation and optimization of operations, processes, security procedures and information systems,
  • upgrading the services provided,
  • the management of operational and financial risks of EOS Matrix Greece,
  • the compliance of EOS Matrix Greece with obligations arising from contracts concluded with the receivables entities, procedures for securitization or sale of receivables from loans and credits within the applicable legal and regulatory framework and the assessment of the level of your satisfaction from the services provided by EOS Matrix Greece for the purpose of the improvement thereof and from the transactional relationship between you and EOS Matrix Greece, in general. Prior to such processing EOS Matrix Greece ensures that your interests or fundamental rights and freedoms requiring the protection of your data are not overridden by EOS Matrix Greece’s interests or the interests of the respective receivables entities.

D. With your consent

Where EOS Matrix Greece has requested and received your consent, the processing of your personal data is based on such consent.

In these cases, you have the right to withdraw your consent at any time. The withdrawal of your consent shall not affect the lawfulness of processing based on your consent provided before its withdrawal.

For more information you may access the Consent Statement for the processing of your personal data of special categories which is available to the EOS Matrix Greece’s website.

Ε. Profiling or automated decision-making

EOS Matrix Greece does not make decisions based solely on automated processing of personal data.

However, EOS Matrix Greece may make decision on the basis of non-solely automated decision-making by applying partially automated methods and procedures including:

  1. credit profiling based on your financial data, as well as your creditworthiness and credit rating, when this is necessary for the conclusion or execution of a contract between you and EOS Matrix Greece as controller and/or where this is permitted by the European or national legal framework to which EOS Matrix Greece is subject,
  2. profiling for the risk assessment of money laundering and terrorist financing with the use of international acknowledged modes for the combined evaluation of data to ensure EOS Matrix Greece’s compliance with its legal obligations.

The result of the above processing activities includes the approval or rejection of your debt settlement application.

5. Who are the recipients of your personal data

Within the context of the processing of your personal data, EOS Matrix Greece may transfer such data to the following recipients:

  • To the respective receivables entities.
    Please note that, in particular as regards your identification and contact data (identity card data, telephone number, address etc.) that EOS Matrix Greece (either itself or through third parties acting on its behalf as processors) collects from you and/or from publicly available sources in the context of managing your debt, recipients may be all the entities of receivables under the management of EOS Matrix Greece.
  • To the (natural or legal) persons to which EOS Matrix Greece delegates the performance of specific tasks on its behalf (processors). In this context, your personal data may be transferred, indicatively, to:
  • Debt notification companies in case your debt has become overdue.
  • Service providers (affiliated companies and third parties), which perform data processing operations, such as the provision of data storage, including filing, management and destruction of files and data services, call centers, or other natural or legal persons that process personal data for the purposes of checking and updating thereof, IT products and/or services providers and/or technical support providers of all kinds of information and electronic systems and networks, including online systems and platforms, providers of printing and sending of the periodic statements and written communications, for the purpose of recording the payments of your debt, as well as providers of other supporting services with respect to  EOS Matrix Greece's activities in the managing of your debt (collaborating service networks, receiving and processing requests, provision of back-office services, etc.).
  • Providers of consulting services with respect to the receivables portfolios under servicing and other professional consultants.
  • Providers of accounting/tax services.
  • Security companies.
  • Post services providers.
  • Real estate management or investment companies as well as brokers.
  • Credit Purchasers of Greek law 5072/2023 and special purpose entities engaged in securitization transactions of Law 3156/2003, in the framework of assignment of receivables under the management of EOS Matrix Greece (including the evaluation process).
  • Lawyers, law firms, court bailiffs, notaries and competent courts, experts.
  • Certified Auditors.
  • Other credit servicing companies under the provisions of Greek law 5072/2023, as applicable and in force.
  • Substitutes of EOS Matrix Greece as servicer of securitized receivables within the meaning of article 10 para. 14 of Greek law 3156/2003.
  • Security trustees in case of servicing of securitized receivables as per articles 10 and 14 of Greek law 3156/2003 as well as noteholders and/or representatives thereof pursuant to the provisions of article 10 para. 22 of Greek law 3156/2003 and the originator.
  • Supervisory authorities (including the Bank of Greece), governmental, administrative, independent, judicial, prosecution, police, tax, public, European and/or other authorities or entities or parties entrusted with the monitoring or supervision of the activities of EOS Matrix Greece and within the competence thereof and authorised mediators and meditation centers, arbitration tribunals and alternative dispute resolution entities.
  • Insurance companies and intermediaries in the framework of providing insurance products (indicatively for the insurance of a secured property, in case you are not fulfilling your relevant insurance obligations, for the loan insurance and its repayment in case of death, etc.).
  • TIRESIAS S.A. as regards the data relating to the records kept by it (termination of loan and credit agreements, loan and credit agreements and the evolution thereof, contracts for the provision of guarantee etc.), for the abovementioned purposes for data processing by TIRESIAS S.A. and for the purposes of the database "Tiresias System of Risk Control", as described in detail on the website of the aforesaid company (www.tiresias.gr), where the information of the processing of personal data by TIRESIAS S.A. as controller, is available.
  • To credit institutions where the deposit account is kept to service your debt.
  • The employees of EOS Matrix Greece, who are responsible for the processing of your personal data as well as members of EOS Matrix Greece’s administration and within the course of their duties.
  • To public institutions.
  •  Any third parties that submit a request for information to EOS Matrix Greece, when the legal conditions have been met.

6. Transfer of your personal data outside the European Economic Area

EOS Matrix Greece will not transfer your personal data directly to third countries or international organisations, unless such transfer is required by the applicable regulatory or legal framework.

If applicable, EOS Matrix Greece may transfer your personal data to third countries under the following circumstances:

  1. Where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country or international organisation ensure an adequate level of protection, or
  2. If appropriate safeguards have been provided from the recipient, in accordance with the national and European legislation.

In the absence of the above-mentioned circumstances a transfer may take place if:

  1. you have provided your express consent to EOS Matrix Greece; or
  2. the transfer is necessary for the performance of a contract between you and EOS Matrix Greece, such as for the execution of your orders, or
  3. the transfer is necessary for the establishment or exercise or defense of legal claims and rights of EOS Matrix Greece, or
  4. there is a relevant obligation arising from a legal provision or an international convention to which EOS Matrix Greece is subject. In order to fulfill such obligation, EOS Matrix Greece may transfer your personal data to competent national authorities so that such data are delivered through them to the respective authorities of third countries.

7. How long your personal data is stored

Your personal data shall be retained for the entire time period during which your debt remains under the servicing of EOS Matrix Greece, in accordance with the relevant assignment contract with the respective receivables entity, and for as long as it is permitted by the applicable legal and regulatory framework. In any case your personal data may be stored until the completion of the general limitation period for the exercise of legal actions, pursuant to the applicable legal provisions, namely twenty (20) years from the – under any condition – termination of your relationship.

In the event of a legal dispute with EOS Matrix Greece and/or the respective receivables entity, or relevant administrative dispute, said storage period will be extended until the issuance of an irrevocable court decision.

EOS Matrix Greece shall keep a record of all complaints received, including documents relating to each case, for a minimum period of five (5) years in accordance provisions set forth in Act no. 157 / 02.04.2019 of the Bank of Greece Executive Committee.

Finally, EOS Matrix Greece shall retain any recorded telephone communication for the purposes of informing the debtors for overdue debts (article 8 para. 2 Greek law 3758/2009, as in force), for one (1) year.

 

8. Your rights towards EOS Matrix Greece regarding the protection of your personal data

In accordance with the provisions of GDPR, you have the following rights:

  1. Right of access to your personal data that are retained and processed by EOS Matrix Greece, as well as to information concerning the processing thereof (origin of the data, purposes of processing, categories of recipients, storage period etc.).
  2. Right to rectification of your personal data, in the event of inaccurate data or for the purposes of completing incomplete personal data by providing any necessary document justifying the need for rectification.
  3. Right to object on grounds relating to your particular situation unless the processing is necessary for the purposes of the legitimate grounds of EOS Matrix Greece or a third party.
  4. Right to restriction of processing of your personal data where the accuracy of the personal data is contested by you or the processing is unlawful or EOS Matrix Greece no longer needs your personal data for the purposes of processing, or you have objected to the processing and the verification whether the legitimate grounds of EOS Matrix Greece override yours.
  5. Right to erasure of your personal data from EOS Matrix Greece’s records.
  6. Right to data portability of your personal data and transfer thereof to another controller, provided that the processing is based on your consent or on a contract and is carried out by automated means.

Please note the following with regard to your abovementioned rights:

  1. The right of access may not be fully or partially satisfied if the disclosure of the data would jeopardize national defense, national security and public safety as well as if the data cannot be deleted due to legal or regulatory provisions that require their retention or the retention serves exclusively data protection or control purposes, the provision of information would require disproportionate effort and the necessary technical and organizational measures make it impossible to process for other purposes.
  2. Your rights to object, restriction of processing and erasure (points iii, iv and v, above) may not be satisfied, partially or fully, if they are necessary for the performance of your contract and regardless of the source thereof.
  3. EOS Matrix Greece has in any case the right to reject your request for restriction of processing or erasure of your personal data (points iv and v, above), if the processing or storage thereof is necessary for the establishment, exercise or defense of the rights of EOS Matrix Greece or the respective receivables entities or for the fulfillment of the obligations of EOS Matrix Greece. In particular, the right to delete your data may not be satisfied if your data is processed without automated means, provided that due to the special nature of the storage it is not possible to delete it or it is possible only with disproportionately large effort, given that your interest in deletion is not considered important or if the deletion is in conflict with the retention periods provided for in the law or terms of contract.
  4. The right to data portability (point vi above) does not include the erasure of the personal data from the records of EOS Matrix Greece, which erasure is subject to the conditions of the above point

9. How you may exercise your rights towards EOS Matrix Greece

For the exercise of your rights, you may address your relevant requests in writing, to the Customer Service and Complaints Management Unit of EOS Matrix Greece (423B Vouliagmenis Avenue, PC 16346) or via email at [email protected]. EOS Matrix Greece shall use its best endeavors to address your request within thirty (30) days from its submission. The abovementioned period may be extended by two (2) further months, if deemed necessary at reasonable discretion of EOS Matrix Greece, taking into account the complexity and number of requests. EOS Matrix Greece shall inform you in case of such extension within one month from the receipt of the request. The abovementioned service is provided by EOS Matrix Greece free of charge. However, where requests are manifestly unfounded, excessive or repetitive, EOS Matrix Greece may, after informing the person who has submitted the request, either charge a reasonable fee or refuse to act on the request/requests.

10. Data Protection Officer of EOS Matrix Greece

You may contact the Data Protection Officer of EOS Matrix Greece for any matter regarding the processing of your personal data, in writing at 423B Vouliagmenis Avenue, PC 16346, or via email at [email protected].

11. Rights to lodge a complaint at the Hellenic Data Protection Authority

You have the right to lodge a complaint before the Hellenic Data Protection Authority for any matter regarding the processing of your personal data (www.dpa.gr).

What data do we collect? 

EOS MATRIX GREECE Claims Management S.A. collects and processes data of natural persons (debtors, guarantors, related persons such as family members, legal representatives, representatives, beneficial owners, etc.) whose debts are included in the portfolios of claims managed in accordance with  L. 5072/2023, upon their award by the entity/company acquiring claims or special purposes such as EOS Finance Gmbh and EOS Securisation Gmbh. Both EOS MATRIX GREECE Claims Management S.A. and the entities that assigned the management of the Receivables have the status of Data Controller.

Categories and sources of personal data:

Personal data of debtors, guarantors, representatives and beneficial owners, including identification and communication data of such persons, details of debts and contracts from which these debts arise as well as telephone records, were transmitted to the Manager "EOS MATRIX RECEIVABLES MANAGEMENT FROM LOANS AND CREDITS GREECE SOCIETE ANONYME" by:  (i) the entity that entrusted EOS MATRIX GREECE S.A. with the management of your debt, such as EOS Finance Gmbh and EOS Securisation Gmbh; (ii) directly from you; (iii) publicly accessible sources (indicatively, telephone directories, courts, mortgages, land offices, etc.); (iv) from the financial conduct data records kept by TEIRESIAS S.A. (headquarter address: 2 Alamanas Street, 151 25 Maroussi, tel: 210 3676700, information on the processing of personal data by TEIRESIAS S.A. is posted on its website: www.tiresias.gr) and (v) lawyers, law firms, bailiffs, notaries.

Purpose and legal basis of processing:

Your personal data is processed: (a) for the purpose of managing and collecting your debts and supporting the legal interests of EOS MATRIX and third parties, in accordance with Article 6 par. 1 f of the GDPR, including the control and selection of appropriate recovery measures in accordance with the relevant data; (b) for the purpose of refinancing your loan and drawing up with you, the performance and operation of a contract for the general settlement of your debt and other obligations, in accordance with Article 6 PAR. 1 b of the GDPR (c) to comply with legal and supervisory obligations arising from Law 5072/2023 and Act No. 225/30.01.2024 of the Executive Board of the Bank of Greece, as applicable, in accordance with Article 6,par. 1 c of the GDPR.

Recipients of your data:

Recipients of your personal data may be: Judicial and competent Public Authorities (such as Mortgages, Debtor Information Register, Personal Data Protection Authority, etc.), Lawyers, Judicial Curators, Debtor Information Companies and TEIRESIAS S.A.

Retention Period:

Your personal data is retained for as long as necessary for the purpose for which it was transmitted to or collected by our company. After the collection of the debt, they will be kept for a further five years in the archives of our company, unless it is required to keep them for a longer period at the request or decision of the competent authorities, or because there is a case of further retention, in accordance with the applicable legal periods of data retention, in accordance with paragraph 3 of Article 34 of Law 4624/2019.

Rights of subjects, in accordance with the GDPR:

Data subjects, provided the legal requirements are met, may exercise their rights in accordance with Articles 15 to 22 of the GDPR and the relevant provisions of Law 4624/2019, such as the right to information, access, correction, deletion, restriction of processing, data portability and objection to processing, addressed to the Data Protection Officer of the Data Controller EOS MATRIX RECEIVABLES MANAGEMENT FROM LOANS AND CREDITS GREECE SOCIETE ANONYME to the above postal address (Attention of the Data Protection Officer) or to the e-mail address : [email protected]. Please note that you have the right, in accordance with Article 77 of the GDPR, to address your concerns to the competent Data Protection Authority, by submitting any request or complaint concerning the processing of your personal data. The Greek Data Protection Authority is located in Athens, on Kifisias Avenue No.1-3. You can also visit the website of the Independent Privacy Authority (www.dpa.gr), where you will find detailed information. 

1. Introduction & General Terms

“EOS MATRIX RECEIVABLES MANAGEMENT FROM LOANS AND CREDIT GREECE S.A.” (423Β Vouliagmenis Avenue. P.C. 163 46, Illioupoli, Attica) ("EOS") collects, stores and processes Personal Data (as defined below) in accordance with the General Data Protection Regulation (ΕΕ) 2016/679 (the “GDPR”) and local data protection legislation (jointly “Data Protection Legislation”). This Notification of EOS to its counterparties according to Articles 13 and 14 of the GDPR (the “Notification”) describes the way in which EOS collects, uses and processes Personal Data relating to its counterparties (if they are natural persons) or their legal representatives, the directors, the beneficial owners and/or the contact persons of their counterparties if the counterparties are legal entities (“You”). EOS is the controller of your Personal Data.

 

2. Types of Personal Data collected - Sources

For the purposes of this Notification, Personal Data means any information which relates to an identified or an identifiable person, or which may be used to identify a person (“Personal Data”). The types of Personal Data that EOS may process include, as the case may be:

  • First name, last name, father’s name, mother’s name, email address, signature, products, or services provided;
  • When the counterparty is a natural person: VAT number and Tax Authority, number of ID document, date of issue and issuing authority;
  • When the counterparty is a legal entity: working position within the counterparty/ capacity.

Your Personal Data are in principle collected from you or from EOS’s counterparty which transferred to EOS your data in the context of their agreement or for the purpose of concluding an agreement. Moreover, we may obtain your Personal Data from other sources such as publicly available sources, creditworthiness assessment companies, etc.

 

3. Personal Data of Third Parties

If you provide EOS with Personal Data of third parties (e.g. legal representatives, employees), you must notify these persons that EOS will process their Personal Data and inform them of their respective rights (for example by disclosing this Notification).

Moreover, if required by law, you must obtain the consent of these persons to transfer their data to EOS and allow EOS to process their data. If you provide Personal Data of third parties, EOS assumes that you have notified them accordingly and obtained their consent.

 

4. Why does EOS collect, use, disclose and store Personal Data?

EOS collects, uses, discloses and stores Personal Data for the following purposes: (1) to selecta counterparty, (2) to conclude an agreement with the counterparty (3) to implement the agreement with the counterparty, including managing the relevant payment fees under this agreement, (4) to assess the cooperation with the counterparty, (5) to safeguard its rights under the applicable law, (6) to fulfil its obligations required by law, (7) internal control (e.g. productivity, maintaining financial integrity), (8) to ensure compliance with EOS’s internal policies and procedures (9) to conduct research (market research, satisfaction survey, etc.) and (10) to pursue direct marketing.

 

5. Legal Basis of the processing of your Personal Data

The legal basis for the collection, use, and processing of your Personal Data is defined in Article 6, para. 1 b), c) and f) of the GDPR. This means that EOS is processing your data: (i) to execute the agreement you have entered into with EOS or to take action to reach this agreement, (ii) to comply with its legal obligations, (iii) for the legitimate interests of EOS or any third party, unless your rights and freedoms prevail over these interests (e.g. to safeguard EOS’s legitimate interests, prevention of fraud, internal investigation). If the legal basis for processing your personal data is your consent, EOS will obtain this separately.

 

6. Recipients of your Personal Data

EOS may from time to time disclose your Personal Data to third parties for any of the aforementioned purposes. Examples of third parties to whom EOS may transfer your Personal Data include:

  • Third parties which provide us with services (e.g. IT companies)
  • Entities which are within the same group of companies with EOS.
  • Consultants or auditors.
  • Any court or judicial authority, mediator, arbitrator, taxation authority or regulatory or public authority.
  • Public or national authorities were required by law.
  • Otherwise, if you have given your consent for that disclosure.

 

7. Overseas transfers of Personal Data

Due to the nature of our work, we may disclose your Personal Data to third parties established outside the European Economic Area (EEA). In these cases, except where the relevant country has been determined by the European Commission to provide an adequate level of protection (currently Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand and Uruguay, Japan, Republic of Korea, United Kingdom and the United States under the EU-US Data Privacy Framework), we require such recipients to comply with appropriate measures designed to protect the Personal Data.

 

8. Retention period of your Personal Data

We will retain your Personal Data for as long as we consider it to be necessary in order to fulfil the purpose for which they were collected or to comply with legal, regulatory, accounting, auditory requirements or requirements provided in our internal policies/ proceedings. In order to define the adequate retention period of your Personal Data we take into consideration the applicable legislation, as well as the quantity, the nature and the sensitivity of the Personal Data, the prospective risk of damage caused due to an unauthorized use or disclosure of your Personal Data, the purposes for which we collected your Personal Data and whether we can fulfil the purposes through other means.

 

9. Your rights and obligations

(a) Your obligation to notify us of any change

It is important your Personal Data that we store are up-to-date and accurate. Please notify us if there is a change in the Personal Data that you have provided us with.

(b) Your rights in relation to your Personal Data

In certain circumstances, you have the right by law to:

  • Request access to your Personal Data.
  • Request the correction of your Personal Data that we store about you.
  • Request that your Personal Data be deleted.
  • Object to the processing of your Personal Data (e.g. you have the right to object in writing if we process your Personal Data for direct marketing purposes by contacting us at the email address mentioned below).
  • Request the restriction of the processing of your Personal Data.
  • Receive your Personal Data in a structured format or request the transfer of your Personal Data to a third party (“data portability”).
  • Withdraw, in cases where we process your Personal Data based on your consent, your consent at any time. Note that withdrawing your consent will not affect the legality of the processing which was based on your consent prior to its withdrawal.
  • Request, where applicable, not to be subject to decisions based on automated decision making, including profiling.

If you want to exercise your rights in accordance with the above, or you have any question relating to this Notification, please contact us at [email protected]. Finally, you have the right to lodge a complaint with the competent Data Protection Authority (for Greece: www.dpa.gr).

 

10. Changes to this Notification

We reserve the right to update this Notification at any time, and we will notify you by updating this Notification on our website at: https://gr.eos-solutions.com. Any changes to this Notification are applicable by the time of its update on our website, unless otherwise provided.

 

Purposes and Legal Basis of Processing: 

Your data shall be processed for the purpose of debt management in accordance with Article 6 par. 1 (f) of the GDPR. Our legitimate interest is to purchase receivables, manage them and entrust the collection of such receivables to receivables management companies. Personal data shall also be processed for the purpose of complying with applicable legal and regulatory obligations, e.g. applicable tax legislation, in accordance with Article 6 par. 1 (c) of the GDPR.

Categories of Data and Data Sources:

We process the following categories of data: Identification data, contact data, Contract and financial claims data, payments data, as appropriate. This data was transmitted to us by the original creditor, lawyers and debt management companies, as well as publicly accessible sources (Mortgages, public registers).

Recipients:

As part of the debt recovery process, we have forwarded and/or will transmit your data, if necessary, to the following categories of recipients: credit providers, service providers, third-party debtors, courts, bailiffs, lawyers, receivables management companies and debtors’ information companies.

Retention Period:

After three years of full repayment of the outstanding claim or termination of the recovery process, we will check whether there is a legal obligation to further retain your data, or part of it, otherwise we will delete it.

Rights of data subjects:

If the legal requirements are met, you have the following rights under Articles 15 to 22 of the GDPR: the right to information, access, correction, deletion, restriction of processing and right to data portability. In addition, in accordance with Article 21 of the GDPR, you have the right to object to the processing, provided that it is based on the legitimate interest of our own or third parties, Article 6 par. 1 (f) of the GDPR.  Finally, in accordance with Article 77 of the GDPR, you also have the right to lodge a complaint with a competent Data Protection Supervisory Authority, even with the Authority located in your place of residence. The Supervisory Authority responsible for our company is: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Kurt-Schumacher-Allee 4, 20097 Hamburg, Germany.

Pursuant to the application of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), “EOS MATRIX RECEIVABLES MANAGEMENT FROM LOANS AND CREDIT GREECE S.A.” (423Β Vouliagmenis Avenue. P.C. 163 46, Illioupoli, Attica) ("EOS") would like to inform you of the following:

  1. EOS, in its capacity as data controller, processes personal data of natural persons who have any transactional or other contractual relationship with EOS (such as, indicatively, clients, suppliers, etc.) or whose data EOS processes in the context of providing loan and credit claims management services (e.g., debtors, guarantors, etc.), and in this context submit a complaint to EOS (“data subjects” and/or “complainants”). This Notice supplements any other information provided to data subjects regarding the processing of their personal data, which remain in force and are available on EOS’s website (https://gr.eos-solutions.com).

In addition to the personal data processed by EOS in the context of its contractual relationship with the complainant, EOS may also process, inter alia: (a) identification details of the complainant (e.g., surname, first name, father’s name, mother’s name, contact telephone (landline/mobile), email address) and (b) personal data that may be contained in the complaint form/letter submitted by the complainant and which will be subject to evaluation by EOS. The disclosure of data specified in subparagraph (a) above is a requirement for the evaluation/investigation of the submitted complaint by EOS. Information on how to submit complaints to EOS can be found at: https://gr.eos-solutions.com.

  1. The source of the data is the data subject himself/ herself disclosing his/ her data.
  2. EOS processes data subjects’ personal data, as the case may be, for the following purposes: (a) To record, handle, and evaluate/ investigate the submitted complaint. For such data processing, the legal basis shall be either the performance of the relevant contract concluded with EOS (or the taking of such measures) (e.g., in the case of EOS’s clients or suppliers) and/or the compliance with a legal obligation of EOS (e.g., in the case of debtors, etc.). (b) To safeguard the interests of EOS. For such data processing, the legal basis is that processing is necessary for the purposes of the overriding legitimate interests pursued by EOS (i.e., the legitimate interests related to improving its services and procedures). For the above purposes, EOS does not proceed with automated decision-making, including profiling of data subjects.
  3. As the case may be and depending on the case and the purpose of processing, personal data may be transmitted to authorized EOS employees by department/service, as well as to companies associated with EOS with which EOS has concluded a contract and which process data on its behalf (e.g., IT companies, IT service providers, etc.), within their competencies and subject to the obligation of confidentiality, secrecy, compliance with the data protection legislation. In addition, EOS may transmit personal data to third parties when so required by law or for the purposes of or in connection with legal proceedings in which it participates, or for the purposes of, or in connection with legal proceedings in which it participates, or otherwise for the purpose of supporting, exercising, or defending its rights, or to third parties that are law enforcement authorities and have submitted a lawful transmission request, or where it considers that transmission is necessary in connection with an investigation into the suspicion or existence of an illegal activity. Personal data shall not be transferred outside the European Economic Area.
  4. The above data will be retained for a period time as required or allowed by the legislation/ regulatory framework in force each time, taking into account the applicable prescription period, which may extend to up to 20 years.
  5. The data subject shall have the following rights under the GDPR: (a) to receive a copy of the personal data held by EOS, together with other information on how data is processed; (b) to request that personal data concerning him or her be rectified and, under conditions, to request the deletion or restriction of processing, or to object to the processing of personal data; (c) to receive a copy or to request the transmission of a copy of his or her personal data to a third party in a structured, commonly used and machine-readable format (right to data portability). Where the processing of data is based on his or her consent, the data subject shall have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. If the data subject wishes to receive further information about the processing of his or her personal data or to exercise any of his or her above rights, he or she must email EOS’s Data Protection Officer exclusively at: [email protected], or send a letter to the mailing address mentioned above. Finally, the data subject has the right to file a complaint with the competent supervisory authority about how EOS handles his or her data (www.dpa.gr).

 

Purposes and Legal Basis of Processing:

Your data shall be processed for the purpose of debt management in accordance with Article 6 par. 1 (f) of the GDPR. Our legitimate interest is to purchase receivables, manage them and entrust the collection of such receivables to receivables management companies. Personal data shall also be processed for the purpose of complying with applicable legal and regulatory obligations, e.g. applicable tax legislation, in accordance with Article 6 par. 1 (c) of the GDPR.

Categories of Data and Data Sources:

We process the following categories of data: Identification data, contact data, Contract and financial claims data, payments data, as appropriate. This data was transmitted to us by the original creditor, lawyers and debt management companies, as well as publicly accessible sources (Mortgages, public registers).

Recipients:

As part of the debt recovery process, we have forwarded and/or will transmit your data, if necessary, to the following categories of recipients: credit providers, service providers, third-party debtors, courts, bailiffs, lawyers, receivables management companies and debtors’ information companies.

Retention Period:

After three years of full repayment of the outstanding claim or termination of the recovery process, we will check whether there is a legal obligation to further retain your data, or part of it, otherwise we will delete it.

Rights of data subjects:

If the legal requirements are met, you have the following rights under Articles 15 to 22 of the GDPR: the right to information, access, correction, deletion, restriction of processing and right to data portability. In addition, in accordance with Article 21 of the GDPR, you have the right to object to the processing, provided that it is based on the legitimate interest of our own or third parties, Article 6 par. 1 (f) of the GDPR.  Finally, in accordance with Article 77 of the GDPR, you also have the right to lodge a complaint with a competent Data Protection Supervisory Authority, even with the Authority located in your place of residence. The Supervisory Authority responsible for our company is: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Kurt-Schumacher-Allee 4, 20097 Hamburg, Germany.

1. Introduction & General Terms

The company under the name “EOS Matrix Receivables Management from Loans and Credit Greece S.A.”, with registered offices in the Municipality of Ilioupoli, Attica (423B Vouliagmenis Avenue, PC 16346, GEMI No. 143618701000) (hereinafter “EOS”), collects, stores and processes Personal Data (as defined below) in accordance with the General Data Protection Regulation (ΕΕ) 2016/679 (the “GDPR”) and local data protection legislation (jointly “Data Protection Legislation”).

This Notification describes how EOS collects, uses and processes your Personal Data. This Notification covers Personal Data that is held electronically and also applies to paper-based filing systems. EOS is the data controller of your Personal Data.

2. What is Personal Data?

Personal Data means any information which relates to an identified or identifiable individual, or which could be used to identify an individual (“Personal Data”). The types of Personal Data that EOS may collect from or about you include, on a case-by-case basis:

(a) Personal and family information: first name, surname, father’s name, mother’s name, spouse’s full name (if applicable), residence details (address and telephone number), date and place of birth, gender, residence and work permits, nationality, fulfillment of military obligations (excluding reasons for discharge due to incapacity or deferment of service), Social Security Number (AMKA), identity card number, date of issue and issuing authority, passport number and date of issue/expiry, mobile phone number, email address, tax identification number and tax office, bank account details and other financial information, details of business activities outside EOS and participation in Boards of Directors (where such information is relevant to employment), marital status and details of dependents.

 

(b) Information relating to your education and work experience: details of previous employers and references, other information related to your previous employment, i.e. job title and/or position and description of responsibilities/duties, type of employment (fixed-term/indefinite), working hours and shifts, location, length of service, contact details of previous employment (telephone, address, fax, and email address), start and end date (as applicable) of employment, name and contact details of supervisor, manager, or team leader, information on benefits and related details, salary information, information regarding participation in training programs and related recommendations, academic background and education, professional training, licenses and certifications, foreign languages, activities and research, information relating to complaints and grievances, and the reason for any dismissal.

(c) Any other information included in your CV or otherwise provided to us, even if not requested.

3. Why does EOS process your Personal Data?

EOS processes your Personal Data for the following purposes: (1) evaluating your application to determine if you should be hired; (2) safeguarding EOS’s interests; and (3) complying with the provisions of applicable legislation.

4. Legal basis for processing Personal Data

The legal basis for the collection, processing and use of your Personal Data is established in article 6 para 1 letters a), b), c) and f) of GDPR. This means that we processes your data: (i) on the basis of your consent, which is expressed by the clear affirmative action of sending your CV to us; (ii) in order to make steps at your request, prior to entering into a contract with you; (iii) in order to be able to comply with our legal obligations as your employer; and (iv) for the prevailing legitimate interests pursued by EOS or by a third party, except where such interests are overridden by the interests or the fundamental rights and freedoms of the Applicant.

5. Does EOS share or transfer your Personal Data?

EOS may from time to time disclose your Personal Data to third parties for any of the purposes listed above. Examples of relevant third parties to whom EOS may disclose Personal Data include governmental agencies, courts, as well as third parties who provide services in connection with (among other things) the evaluation of Applicants.

When we disclose your Personal Data to third parties who provide services on our behalf (e.g. IT companies), we ensure that such service providers agree to use Personal Data only in accordance with our instructions and in accordance with the terms laid down in the relevant agreement which has been concluded between them and EOS.

EOS may also disclose Personal Data to third parties:

  • where such disclosure is required by law or for the purposes of, or in connection with, any legal proceedings to which it is a party, or otherwise for the purpose of establishing, exercising or defending its legal rights; or
  • who are law enforcement authorities or other government agencies and who have made a lawful request for such disclosure; or
  • where EOS believes that its disclosure is necessary in connection with an investigation of suspected or actual criminal activity or in case EOS sells or transfers its activity or its assets (partially or in full) (including merger, restructuring, spin-off, termination or liquidation)

6. International Transfers of Personal Data

Personal data shall not be transmitted outside the European Economic Area.

7. Third-party Personal Data

Where you provide third-party Personal Data to EOS (i.e.. data from a spouse and/ or family members or third-party personal data for the purpose of obtaining recommendations), you are required to inform these persons about their rights in connection with the processing of their Personal Data (for example, by presenting the present Notification to them). Moreover, it is your responsibility to obtain the consent of these persons. At the time you provide the third-party Personal Data, EOS considers that the third-party consent as granted, to the extent required by law.

8. Data retention

EOS retains your Personal Data for the time period permitted or required by the applicable data protection/ regulation, which, in case that you are not being employed by us, may not exceed the period of 6 months, unless you have given your consent for its retention.

9. Consequences in case of failure to provide Personal Data 

If an Applicant does not wish to disclose the requested minimum necessary Personal Data for the evaluation of his application, then EOS will review whether, in view of the circumstances, such evaluation can be made.

10. Applicant’s Rights

You have the following rights under the data protection legislation:

  • to request access to your Personal Data or to request that your Personal Data is rectified or deleted, or that its processing is restricted;
  • object to the processing of your Personal Data; or
  • receive your Personal Data in a portable format or to request the transmission of your Personal Data to a third party in a structured format; or
  • withdraw your consent, at any time without affecting the lawfulness of processing based on consent before its withdrawal.

If you would like to discuss or exercise any of these rights, please use the contact details in section 13 below.

Finally, you have the right to lodge a complaint to the Hellenic Data Protection Authority (www.dpa.gr).

11. Origin of Personal Data

In principle any data relating to you is collected from you personally. EOS may also obtain your Personal Data from sources such as the following:

  • An employment or recruitment agency;
  • Previous employers;
  • Public registers that contain your Personal Data;
  • In the context of pre-employment screening, EOS may make use of public sources such as search engines and public sections of social media accounts to the extent that they are relevant to the job position of the Applicant;
  • Third parties (e.g. individuals that make a recommendation for you).

12. Updates

EOS may update this Notification from time to time due to changes in laws and regulations or its internal procedures and systems and will notify the Applicants accordingly (e.g. via its website). All changes are effective from the date of publication, unless provided otherwise.

13. Contact Us

If you have any questions or concerns about this Notification, or would like to exercise any of your rights, please contact our Data Protection Officer at [email protected].

The company under the name “EOS MATRIX RECEIVABLES MANAGEMENT FROM LOANS AND CREDIT GREECE S.A.” (423B Vouliagmenis Avenue, PC 16346, Ilioupoli, Attica) ("EOS") notifies you of the following regarding the closed-circuit television (CCTV) systems that operate at its premises:

  1. Monitoring and processing your personal data (your image) are necessary for the purpose of preventing and deterring illegal actions.
  2. The legal basis for processing the aforementioned data is that processing is necessary for the purposes of the prevailing legitimate interest pursued by EOS, as described above (article 6, para. 1, section. (f) of the Regulation (EU) 2016/679 (General Data Protection Regulation).
  3. Apart from third parties acting on behalf of EOS (e.g., IT companies), recipients of your personal data are judicial, prosecuting and police authorities and/or the person who is depicted as the victim and/or the perpetrator of the above illegal actions.
  4. Your personal data are not transmitted outside the European Union.
  5. The data are destroyed within a period of 15 days, unless their retention is permitted or required under law or regulations.
  6. If you wish to exercise your right of access to, rectification, deletion, restriction or objection to the processing of your personal data as well as your right to data portability, contact EOS’s Data Protection Officer at [email protected], or send a letter to the address mentioned above.
  7. You have the right to lodge a complaint with the competent Data Protection Authority (for Greece: www.dpa.gr).

INFORMATION NOTE TO THE DATA SUBJECTS

The company under the name “EOS Matrix Receivables Management from Loans and Credit Greece S.A.”, with registered offices in the Municipality of Ilioupoli, Attica (423B Vouliagmenis Avenue, PC 16346, GEMI No. 143618701000) (hereinafter “EOS Matrix Greece”), informs you pursuant to the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the “GDPR”), Greek law 4624/2019 for the implementation thereof and the relevant Greek and European legislation on the protection of personal data, under its capacity as controller with regard to the collection and further processing of your personal data belonging on special categories as data subject:

1. What personal data of special categories EOS Matrix Greece processes and from which sources it collects them from

EOS Matrix Greece collects directly from you or through your legal representatives or your authorized persons, personal data of special categories related to your health (such as physical and mental condition, disabilities, medical history, other health data) and/or your dependent family members.

2. For which purposes and on what legal basis EOS Matrix Greece processes the above personal data of special categories

EOS Matrix Greece collects and processes the above personal data of special categories within the framework and for the purposes of application of the procedures of the Bank of Greece Code of Ethics (Decision no. 392/1/31.5.2021 of the Bank of Greece Credit and Insurance Committee, as applicable and in force), processing and evaluation of requests submitted by you for settlement of debts and addressing complaints, as well as in the context of examination and regulation of the frequency of your telephone calls to inform you about your debt.

EOS Matrix Greece processes this personal data of yours after you have previously given your explicit consent to the intended processing, by signing the Consent Statement that follows the present Notice.

We note that, in any case, you have the right to withdraw your consent at any time, without, however, affecting the lawfulness of processing based on your consent provided before its withdrawal.

3. Who are the recipients of your data

Recipients of all or part of the above personal data of special categories may be in addition to you and/or your legal representatives and the persons authorized by you, as the case may be, the following:

  1. The respective receivables entities whose claims are serviced from time to time by EOS Matrix Greece (other controllers),
  2. The (natural or legal) persons to whom EOS Matrix Greece entrusts the execution of specific works on its behalf and who act as processors of the personal data. In this context, your personal data may be transferred, indicatively and not restrictively:
  1. To service providers (affiliated companies and third parties) who carry out personal data processing operations, such as data storage providers, archiving, file management and destruction service providers, providers of IT products and/or services and/or all kinds of IT, electronic systems and networks support, including online systems and platforms, as well as providers of other supporting functions for the activities of EOS Matrix Greece (cooperating service networks, receiving and processing requests, providing internal support services, etc.).
  2. To security companies.
  1. Lawyers, law firms, bailiffs.
  2. The Bank of Greece and other supervisory, governmental, administrative, independent, judicial, prosecutorial, public and/or other authorities or bodies or parties, which have been entrusted with the control or supervision of the activities of EOS Matrix Greece within the scope of their responsibilities as well as third parties, if the transmission or notification is required by law or a court decision.
  3. The specially authorized employees of EOS Matrix Greece, who are responsible for the processing of your personal data within the exercise of their duties as well as the members of the administration of EOS Matrix Greece in the context of their duties.
  4. Other servicing companies of article 1 par. 1 (a) of L.4354/2015, as applicable and in force, in conjunction with L. 5072/2023, either at the suggestion of the respective receivables entities or in the context of managing a settlement request.

4. How long does EOS Matrix Greece store your above personal data

EOS Matrix Greece keeps the above personal data, including the present Information and Consent Notice for the Processing of Personal Data of Special Categories, for five (5) years after the end of your relationship with EOS Matrix Greece, unless otherwise provided by the applicable legal and regulatory framework for the observance of the legal obligations or for the establishment, exercise or support of legal claims of EOS Matrix Greece and/or the receivables entity.

Especially in case of legal dispute with EOS Matrix Greece and/or the respective receivables entity or administrative dispute, the aforesaid retention period will be extended until the issuance of an irrevocable court decision.

5. Which are your rights and how you can exercise them

According to the provisions of GPDR, you have the following rights:

  1. Right of access of your personal data kept and processed by EOS Matrix Greece, as well as to information related to their processing (origin of data, purposes of their processing, categories of their recipients, the time of their storage).
  2. Right of rectification of your personal data, in case of any inaccurate data or in case of need to complete incomplete data, submitting any necessary document from which the need for correction or completion arises.
  3. Right of objection for reasons related to your particular situation, in case the processing is necessary for the purposes of the legal interests pursued by EOS Matrix Greece or a third party.
  4. Right to restrict the processing of your personal data, if you dispute their accuracy or the processing is illegal or EOS Matrix Greece does not need your personal data for processing purposes or you have exercised a right of objection and the verification of the legal reasons of EOS Matrix Greece is pending prevail over your reasons.
  5. Right to erasure of your personal data from the files we keep.
  6. Right to the portability of your personal data to any other controller, provided that the processing is based on your consent or contract and is carried out by automated means.

Please note the following in relation to your above rights:

  1. The right of access may not be satisfied in whole or in part, as the disclosure of the data would jeopardize national defense, national security and public safety, they may not be deleted due to legal or regulatory provisions, they serve only purposes data protection, the provision of information would require a disproportionate effort and the necessary technical and organizational measures would make it impossible to process for other purposes.
  2. Your rights of objection, restriction of processing and erasure (above iii, iv and v, respectively) may not be satisfied in whole or in part, as they relate to data necessary for the continuation of the contract regardless of the source of collection.
  3. EOS Matrix Greece has in any case the right to refuse your request for restriction of processing or deletion of your personal data (above under iv and v, respectively), if the processing or storage of data is necessary for the establishment, exercise or support rights of EOS Matrix Greece or the respective bodies of claims or for the fulfillment of obligations of EOS Matrix Greece. In particular, your right to erasure your data may not be satisfied if your data is processed without automated means, since due to the special nature of storage it is not possible to delete or it is only possible with a disproportionately large effort, taking into account that your interest in erasure is not considered significant or if the erasure is in conflict with compliance periods set by law or contract.
  4. The exercise of the right to portability (above under vi) does not imply the erasure of the data from the files of EOS Matrix Greece, which (erasure) is under the terms of the immediately preceding paragraph.
  5. The exercise of the above rights acts for the future and does not affect the processing of data that has already been performed.

To exercise your rights, you can contact the Customer Service and Complaints Management Unit of EOS Matrix Greece, 423B Vouliagmenis Avenue, PC 163462, Municipality of Ilioupoli, Attica or by e-mail at [email protected].

7. Right to lodge a complaint with the Hellenic Data Protection Authority

You have the right to lodge a complaint before the Hellenic Data Protection Authority for any matter regarding the processing of your personal data. For the respective competence of the Authority and the procedure to be followed for filing a complaint, you may visit the Hellenic Data Protection Authority (www.dpa.gr> My Rights > Lodge a complaint), where detailed information is available.

In any case, you may refer to the Information Notice of EOS Matrix Greece, which is posted on its website at: https://gr.eos-solutions.com, where you will find all information regarding the full range of processing activities carried out by EOS Matrix Greece.

1. Introduction

This Privacy Notice applies to all natural persons who submit, either with their name or anonymously, a report within the whistleblowing system on violations of Union law that has been implemented (the “Report”), regarding violations that have been committed or are very likely to be committed.

THIS NOTICE SUPPLEMENTS ANY OTHER INFORMATION WE HAVE ALREADY PROVIDED TO YOU AND FORMS AN INTEGRAL PART OF THE WHISTLEBLOWING POLICY ON VIOLATIONS OF UNION LAW.

In this Notice, the terms “we” and/or “Company” refer to “EOS MATRIX GREECE SINGLE-MEMBER LOAN AND CREDIT CLAIMS MANAGEMENT SOCIÉTÉ ANONYME”, with registered offices in the Municipality of Ilioupoli, Attica (423B Vouliagmenis Avenue, PC 16346), GEMI No. 143618701000, which is the data controller.

The Company does not provide a relevant data protection notice to the Reported Person or to Witnesses, as defined in Section 2 below, for as long as required and whenever deemed necessary for the purpose of preventing and addressing attempts to obstruct, hinder, frustrate or delay follow-up measures, especially investigations, or attempts to identify the Whistleblower, as defined in Section 2 below, as well as for protecting them against retaliation.

 

2. Types of personal data and categories of natural persons

During the reporting process, the Company, as controller, may collect personal data of the following persons (collectively the “data subjects” and/or “you”):

  • Natural persons submitting a Report, providing information on violations within scope (“Reporting Person” and/ or “Whistleblower”),
  • Natural or legal persons named in the Report as those allegedly responsible for the violation (“Reported Person”),
  • Third parties not named as Reported Persons but referred to in the Report and/or providing additional information or evidence (“Witnesses”).

The types of personal data that the Company may collect during this process include: (a) your personal information (such as that collected through the system for the purpose of submitting the Report, e.g. full name, date of birth, telephone number (landline/mobile), and email address), (b) work-related data (such as job title, business unit, duties, annual evaluations), and (c) any information included in the Report concerning the reported violation, such as the location and time of the incident, additional information or available evidence, the way you are connected to the incident and the person against whom it is submitted, any other persons you suspect may be involved in the incident, which may relate either to the Whistleblower or to any other natural person mentioned above, as well as the content of the Report itself (e.g. information relating to accounting matters, internal audits or audit procedures, crimes in the banking or financial sector, and bribery cases connected with the reported incidents). The disclosure of the data mentioned under points (a) to (c) above constitutes a prerequisite for initiating an investigation after submission of the Report, in order to establish whether the alleged act or incident is substantiated.

When using the system, you are strongly advised that any personal data included in the Report concerning yourself or other persons be strictly limited to what is necessary for the purpose of the Report, and strictly and objectively required in order for us to verify the reported acts.

 

3. Source of personal data

The Company collects personal data directly from the above-mentioned data subjects.

 

4. Legal basis for processing personal data

The legal basis for the collection, processing, and use of personal data in the context of the whistleblowing procedure is determined by Article 6(1)(c) and (f) of the GDPR. This means that we process your data either to comply with a legal obligation to which we are subject, or for purposes of legitimate interests pursued by the Company, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subjects.

 

5. Purposes of processing personal data

During the process through the reporting system, the Company collects, uses, and generally processes the personal data of data subjects, as applicable, for the following purposes: (1) To manage the internal whistleblowing system and ensure the security of the processing operations carried out through the system, (2) To ensure compliance with internal policies and reduce instances of misconduct, (3) To safeguard the application of appropriate corporate governance principles in daily operations, (4) To comply with any applicable laws and regulations on whistleblowing (e.g. requirements for prior disclosure or notification, where applicable, to national authorities), (5) To conduct investigative procedures regarding the relevance of the reported facts, (6) To use in the context of any legal or regulatory proceedings (including future proceedings) and for obtaining legal advice or for the establishment, exercise, or defense of legal claims, and (7) To impose sanctions in cases of abuse of the reporting system by the perpetrator.

 

6. Recipients of personal data

Personal data is processed solely by authorized employees and bodies of the Company responsible for handling reports and contractually bound by confidentiality obligations, including the Officer for the Receipt and Monitoring of Reports. Data may also be transferred to cooperating companies contracted by the Company to process data on its behalf (e.g. providers of whistleblowing system management services or investigative services), within the scope of their responsibilities and under obligations of confidentiality, secrecy, and compliance with data protection legislation.

Furthermore, data may be shared with affiliated companies within the EOS Group to the extent such disclosure is considered necessary, provided that the same safeguards are met with respect to report management. Data may also be transferred or processed by selected third-party specialists, such as external lawyers or consultants.

Finally, the Company may disclose personal data to third parties when required by law (e.g. mandatory notifications to competent authorities), in the context of or in connection with legal proceedings in which it is involved, to support, exercise, or defend its rights, to law enforcement authorities submitting a valid disclosure request, or when it considers disclosure necessary in the course of any investigation relating to suspected or actual unlawful activity. Since data included in Reports may be used as evidence in administrative, civil, and criminal investigations and proceedings, such data will also be provided to the competent supervisory and investigative authorities.

The Company guarantees the confidentiality of any Report and the information contained therein, as well as the anonymity of the Reporting Person, even if the Report turns is later found to be false or unfounded. In particular:

  • Personal data and any information that directly or indirectly identifies the Reporting Person will not be disclosed to anyone other than the authorized members of staff responsible for receiving or monitoring Reports, unless the Reporting Person gives his/her explicit consent.
  • Other data transfers occur only if the Whistleblower gives explicit consent or if disclosure is required by applicable Union or national law under the relevant conditions.
  • By exception, the Whistleblower’s identity and any other information may be disclosed only when required by Union or national law, in the context of administrative, civil, or criminal investigations by competent public authorities or in judicial proceedings, and only if such disclosure is necessary to serve the purposes of Union or national law or to safeguard the defense rights of the Reported Person

The above protections for Whistleblowers’ identity also apply to the identity of Reported Persons.

Reports are stored confidentially and retrieved when required by Union or national law, and in any case until completion of each investigation or legal proceeding initiated as a result of the Report.

 

7.  Overseas transfers

Personal data in Reports will not be transferred to countries outside the European Economic Area.

 

8.  Your rights in connection with personal data

Under certain circumstances and subject to applicable law, you have the right to:

  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data that we hold about you.
  • Request correction of the personal data that we hold about you. This enables you to correct incomplete or inaccurate data that we hold about you.
  • Request erasure of your personal data. This enables you to ask for the deletion or removal of personal data where there are no grounds for us to continue data processing. You also have the right to ask for the deletion or removal of your personal data when you have exercised your right to object to the processing (see below).
  • Object to the processing of your personal data when we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to such processing on that ground.
  • Request the restriction of the processing of your personal data. This enables you to ask for the suspension of the processing of your personal data, for example if you want us to establish its accuracy or the legal grounds for its processing.
  • Where personal data is processed by automated means:
    • in case we process your personal data on the basis of your consent; or
    • in case that such processing is necessary for entering into or performing our obligations under a contract with you,

request the transfer of your personal data to you or to another party (also known as “data portability”).

  • Where we process your personal data on the basis of your consent, you may withdraw that consent at any time. If you do not give your consent or withdraw your consent this may affect our ability to provide you with our services. Please note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  • In certain circumstances, request not to be subject to automated decision-making, including profiling.

Certain rights are not absolute under the applicable legislation (as sometimes there may be overriding interests that require the processing to continue, for example)

In addition, the Company may choose not to satisfy the above rights when exercised by Reported Persons or Witnesses, or when they arise from monitoring measures of the Report.

If you wish to obtain further information or be informed about the processing of your personal data, or to exercise any of your above rights, you must send an email to the Company’s Data Protection Officer exclusively at the following email address: [email protected], or send a letter to the address mentioned above.

Finally, you have the right to lodge a complaint with the supervisory authority in the jurisdiction where you live or work, or in the place where you think an issue in relation to your personal data has arisen (for Greece: www.dpa.gr).

 

9. Retention of personal data

The retention period of the above data is the time required or permitted by the applicable legislation/ regulatory framework, also taking into account the applicable prescription period, which may extend up to 20 years. Specifically: (a) when the Report is deemed unfounded, data will be retained for two (2) months from its rejection, (b) when legal or disciplinary proceedings are initiated against the Reported Person or the Whistleblower, data will be retained until completion of such proceedings and expiry of the deadline for lodging appeals, in accordance with applicable law, (c) when the Report reveals substantiated findings against a Company executive, data will be retained for as long as their employment/ relationship with the Company lasts and will be deleted twenty (20) years after the termination of the relationship by any means, and (d) when the Report reveals substantiated findings against an external partner or supplier of the Company, data will be retained for the entire duration of the cooperation and will be deleted five (5) years after termination of the cooperation by any means.

 

10. How to contact us

If you wish to exercise any of your rights in connection with your personal data or to receive further information on the retention periods of your personal data, please contact the Company at [email protected].

 

11. Updates

The Company may update this Notice periodically due to changes in legislation, regulations, or internal processes and systems, and will inform you of any significant changes through the appropriate communication channels. All changes take effect from the date of publication, unless otherwise specified.