BANK OF GREECE

EUROSYSTEM

HUMAN RESOURCES AND ORGANISATION DEPARTMENT

PERSONAL DATA PROTECTION POLICY

ATHENS, APRIL 2019


Table of contents

CHAPTER 1: INTRODUCTION, SCOPE AND KEY PRINCIPLES ............................. 2


ARTICLE 1 – INTRODUCTION..................................................................................... 2
ARTICLE 2 – PURPOSE................................................................................................ 2
ARTICLE 3 – SCOPE ..................................................................................................... 2
ARTICLE 4 – PERSONAL DATA.................................................................................. 3
ARTICLE 5 – KEY PRINCIPLES .................................................................................. 3
CHAPTER 2: LAWFULNESS OF PROCESSING, INFORMATION TO BE
PROVIDED TO, AND CONSENT OF, THE DATA SUBJECT ..................................... 4
ARTICLE 6 – PERSONAL DATA PROCESSING ...................................................... 4
ARTICLE 7 – INFORMATION OF THE DATA SUBJECT ........................................ 4
ARTICLE 8 – INFORMATION TO BE INCLUDED IN THE PRIVACY NOTICE .. 4
ARTICLE 9 – LEGAL BASIS FOR DATA PROCESSING ........................................ 5
ARTICLE 10 – CONSENT OF THE DATA SUBJECT............................................... 6
ARTICLE 11 – RIGHTS OF DATA SUBJECTS ......................................................... 6
ARTICLE 12 – SPECIAL CATEGORIES OF DATA .................................................. 7
CHAPTER 3: SECURITY MEASURES AND PERSONAL DATA BREACHES ........ 7
ARTICLE 13 – DATA PROTECTION BY DESIGN AND BY DEFAULT ................. 7
ARTICLE 14 – ORGANISATIONAL AND TECHNICAL MEASURES..................... 7
ARTICLE 15 – RECORDS OF PROCESSING ACTIVITIES.................................... 8
ARTICLE 16 – DATA PROTECTION IMPACT ASSESSMENT .............................. 8
ARTICLE 17 – PERSONAL DATA BREACH.............................................................. 9
ARTICLE 18 – LOG OF DATA BREACHES ............................................................... 9
ARTICLE 19 – NOTIFICATION OF PERSONAL DATA BREACHES .................... 9
CHAPTER 4: DATA PROCESSOR MANAGEMENT .................................................. 10
ARTICLE 20 – CONTRACTUAL CLAUSES ............................................................. 10
CHAPTER 5: TRANSFER OF DATA TO THIRD PARTIES OR INTERNATIONAL
ORGANISATIONS............................................................................................................. 10
ARTICLE 21 – TRANSFER OF DATA TO THIRD PARTIES................................ 10
ANNEX ................................................................................................................................ 11
GLOSSARY .................................................................................................................... 11

CHAPTER 1: INTRODUCTION, SCOPE AND KEY PRINCIPLES

ARTICLE 1 – INTRODUCTION

The Bank of Greece (hereinafter “the Bank”) collects and processes personal data in the
context of:

• its competences, including among other things:

- the supervision of credit and financial institutions, in accordance with Article 55A of its
Statute;
- the supervision of insurance and reinsurance undertakings and intermediaries; and
- the oversight of payment systems and instruments, with a view to ensuring their
stability, reliability and efficiency;
• the exercise of its functions, e.g. data of its employees, salaried consultants, persons
otherwise engaged by the Bank, and other persons who collaborate with the Bank on any
terms and conditions.
The processing of such data, which is necessary for the smooth execution of the Bank’s
operations and the support and monitoring of any type of relationships between the Bank and
the data subjects, shall take place in accordance with the provisions of the applicable
legislative and regulatory framework on personal data protection (General Data Protection
Regulation – GDPR – and the relevant Greek legislation).

ARTICLE 2 – PURPOSE

This Policy lays down key principles for the effective management and protection of personal
data at the Bank, as well as for the confidentiality of such data, and describes the Bank’s
orientations and goals regarding the relevant organisational and technical measures.

ARTICLE 3 – SCOPE

This Policy applies to the Bank, and may be extended to third parties, collaborators,
providers, etc. that receive, transmit, collect, access or otherwise process any personal data
on behalf of the Bank, whether as joint controllers or as data processors.

The Policy applies across all types of data, systems, processes and procedures relating to
the collection, storage, use or transmission of personal data handled by the Bank in the
context of its activities.

The only case in which the Policy is not applicable is where the Bank acts as data processor.

ARTICLE 4 – PERSONAL DATA

Personal data are defined as any information relating to an identified or identifiable natural
person (“data subject”); an identifiable natural person is one who can be identified directly or
indirectly, in particular by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural person.

ARTICLE 5 – KEY PRINCIPLES

Protection of personal data at the Bank shall be governed by the following key principles:

Lawfulness, fairness and transparency

Personal data shall be collected lawfully and legitimately, with due respect for the data
subject’s right to be informed. Personal data shall be processed for lawful and legitimate
purposes, in a transparent manner, provided that the lawfulness of the processing has been
ensured through the legal bases set out in the GDPR and in Article 9 hereof.

Purpose limitation

Personal data shall only be collected for specified, explicit and legitimate purposes, notified
to the data subject, and shall not be further processed in a manner that is incompatible with
those purposes.

Data minimisation

Only personal data which are relevant and limited to what is necessary in relation to the
purposes for which they are processed shall be collected.

Accuracy

The personal data collected must be accurate, and data subjects must be able to have them
updated if they so request.

Storage limitation

Personal data shall be kept in a form which permits identification of data subjects for no
longer than the period necessary in relation to the purposes for which the personal data are
processed, as such period is envisaged in the Bank’s institutional and operational framework.

Integrity and confidentiality
The Bank shall take appropriate technical or organisational measures to protect the integrity
and confidentiality of the personal data, whether digital or physical.

Accountability

The Bank must be able to demonstrate compliance with the requirements of the GDPR,
through the ongoing monitoring and improvement of its personal data protection framework.

CHAPTER 2: LAWFULNESS OF PROCESSING, INFORMATION TO BE PROVIDED TO, AND
CONSENT OF, THE DATA SUBJECT

ARTICLE 6 – PERSONAL DATA PROCESSING

Personal data processing includes collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction, erasure
or destruction.

ARTICLE 7 – INFORMATION OF THE DATA SUBJECT

The Bank shall ensure that the data subjects have adequate information on the processing
and use of their data by the Bank and give their consent where required.

Where the data are collected from the data subject, and not from third parties, the Bank shall,
at the time when personal data are obtained, provide the data subject with an adequate
privacy notice containing appropriate information on the processing of his/her data. Where
the data are obtained from third parties, the Bank shall provide such information at the latest
within one (1) month of the data collection or, if the data are to be used for communication
with the data subject, at the latest at the time of the first communication to that data subject,
or, if a disclosure to another recipient is envisaged, at the latest when the personal data are
first disclosed.

ARTICLE 8 – INFORMATION TO BE INCLUDED IN THE PRIVACY NOTICE

The following information shall be included in the privacy notice in order to ensure fair and
transparent processing:

- the identity and the contact details of the controller;
- the contact details of the Data Protection Officer;
- the purposes of the processing for which the personal data are intended;
- the categories of personal data concerned;
- the legal basis for the processing;
- where the processing is based on the data subject’s consent, the existence of the right to
withdraw consent;
- the recipients or categories of recipients of the personal data, if any;
- information on any transfer of personal data to a third country;
- the period for which the data will be processed, as well as the period for which the data
will be stored;
- the right to lodge a complaint with a supervisory authority, as well as adequate information
on the rights of data subjects and the means to exercise those rights in accordance with
the provisions of the GDPR;
- the existence or non-existence of automated decision-making;
- the existence of the right to request from the controller access to, and rectification or
erasure of, personal data or restriction of processing concerning the data subject, or to
object to processing, as well as the right to data portability; and
- where the data are not collected from the subject, the source from which the personal
data originate.

ARTICLE 9 – LEGAL BASIS FOR DATA PROCESSING

Any processing of personal data must rest on at least one of the following legal bases:

- Consent of data subject: the data subject has explicitly consented to processing for one or
more purposes;
- Contractual relationship: performance of a contract between the data subject and the
controller or implementation of pre-contractual measures taken at the data subject's
request;
- Legal obligation: compliance with a legal obligation to which the controller is subject;
- Protection of vital interests of the data subject or of other natural persons;
- Task in the public interest/exercise of official authority by the controller: performance of a
task carried out in the public interest or in the exercise of official authority vested in the
controller;
- Legitimate interest: legitimate interest pursued by the controller or by a third party, except
where such interest is overridden by interests or fundamental rights and freedoms of the
data subject which require protection of personal data, in particular where the data
subject is a child.

ARTICLE 10 – CONSENT OF THE DATA SUBJECT

Where the data subject’s consent is required, the Bank shall ensure that such consent is
obtained at the time of the collection of the data and before any processing. If a new purpose
for processing arises, the Bank shall obtain a new consent from the data subject.

The Bank shall ensure that:

- the request for consent is presented in an intelligible and easily accessible form, using
clear and plain language;
- the consent is given in a manner which is clearly distinguishable from any other matters
to which the data subject may consent;
- the consent is given freely and in an explicit and affirmative manner by the data subject;
- the consent is not obtained in the form of pre-ticked boxes;
- the consent is given for specific purposes of personal data collection and processing;
- where the consent is provided by the data subject via electronic or other automated
means, it is automatically stored in a secure environment;
- the statement or withdrawal of consent is stored along with the following information:
name of data subject, date and manner of statement/withdrawal of consent, and any
consent notice transmitted to the data subject;
- the data subjects are informed of their right to withdraw their consent at any time, without
however affecting the lawfulness of processing based on consent given before its
withdrawal;
- withdrawal of consent is in practice as easy as granting consent;
- appropriate organisational and technical measures are in place to enable termination of
processing if consent is withdrawn; and
- the documents proving statement/withdrawal of consent are easily accessible.

ARTICLE 11 – RIGHTS OF DATA SUBJECTS

The Bank shall maintain a procedure ensuring that requests by data subjects are handled
and addressed in accordance with the rules on transparent information, communication and
the monitoring of the exercise of data subject rights. All data subjects whose personal data
are maintained at the Bank shall have the following rights:

- the right to obtain information on and/or access to personal data concerning them;
- the right to request erasure of data;
- the right to request rectification;
- the right to restrict processing;
- the right to data portability, if they have provided the data to the Bank themselves; and
- the right to object to processing.

ARTICLE 12 – SPECIAL CATEGORIES OF DATA

The Bank shall collect, store, use, disclose or otherwise process the “special categories of
data” (sensitive data) only where one of the following applies:

- the data subject has given his/her explicit consent to the processing of the data;
- processing is necessary for the fulfilment of obligations under labour law;
- processing is necessary in order to protect the vital interests of the data subject or of
another natural person, where the data subject is physically or legally incapable of giving
consent;
- processing relates to data manifestly made public by the data subject;
- processing is necessary for the establishment, exercise or defence of legal claims; or
- processing is necessary for reasons of substantial public interest.
Other categories of data that are subject to specific rules (such as data relating to criminal
convictions and offences, requests by public authorities for the lifting of banking secrecy, or
criminal records required as part of recruitment processes) are governed by special legal
provisions.

CHAPTER 3: SECURITY MEASURES AND PERSONAL DATA BREACHES

ARTICLE 13 – DATA PROTECTION BY DESIGN AND BY DEFAULT

The Bank shall apply the principle of data protection by design, whereby data protection is an
integral part of any new project undertaken by the Bank and involving processing of
personal data. The Bank shall also apply, where necessary, the principle of data protection
by default, ensuring that only personal data which are necessary for each specific purpose of
the processing are processed, for the absolutely necessary period and, in all cases, are not
made accessible to an indefinite number of natural persons.

ARTICLE 14 – ORGANISATIONAL AND TECHNICAL MEASURES

The Bank shall extensively evaluate the existing security measures and specify minimum
organisational and technical measures in order to protect the confidentiality, integrity,
availability and lawful processing of personal data. In particular, the Bank has developed a
Framework of Principles and an Organisational Framework for its IT Security Policy, as well
as a set of individual policies and procedures for ensuring best practices in personal data
security.

Furthermore, the Bank has developed a training and awareness programme for its staff in
order to keep them informed on issues of data security and personal data protection in
general.

ARTICLE 15 – RECORDS OF PROCESSING ACTIVITIES

The Bank shall maintain a record of all processing activities for which it is responsible.
Where the Bank acts as data controller, that record shall, as a minimum, contain the
following information:

- the name and contact details of the controller and, where applicable, the joint controller,
the controller's representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed,
including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international
organisation, including the identification of that third country or international organisation
and the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
and
- where possible, a general description of the technical and organisational security
measures.

ARTICLE 16 – DATA PROTECTION IMPACT ASSESSMENT

Where a type of processing is likely to result in a high risk to the rights and freedoms of
natural persons, the Bank shall carry out an impact assessment on the basis of specific
criteria, unless otherwise specified. The following criteria shall be taken into account in order
to identify the processing operations which require an impact assessment due to their
inherent high risk:

- assessment or rating, including profiling and forecasting;
- automated decision-making, which produces legal effects concerning the data subject or
similarly significantly affects him or her, including exclusion or discrimination;
- systematic monitoring of the data subjects, including data collected through networks or
systematic monitoring of a publicly accessible area;
- sensitive data or data of a strictly personal character;
- data subject to processing on a large scale;
- matching or combination of sets of data;
- data concerning vulnerable data subjects, including children, vulnerable sections of the
population that merit special protection (mentally ill, asylum seekers, elderly, patients,
etc.);
- innovative use or application of new technological or organisational solutions; and
- where the processing itself prevents data subjects from exercising a right or using a
service or contract.

ARTICLE 17 – PERSONAL DATA BREACH

A personal data breach is an incident involving the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or
otherwise processed by the Bank.

The Bank shall have appropriate organisational and technical measures in place for the
timely recognition and effective management of such incidents. In evaluating personal data
breach risk, the following criteria shall be taken into account:

- the type of the breach;
- the nature, sensitivity and volume of the personal data affected;
- the identifiability of the data subject;
- the severity of the consequences for the data subject;
- the specific features of the data subject; and
- the number of data subjects concerned.

ARTICLE 18 – LOG OF DATA BREACHES

All personal data breaches shall be recorded in an appropriate data breach log, regardless
of whether they are notified. This log shall record all the details of the incident (date, action
taken, parties involved, action plan, etc.), as well as details of the incident assessment and
of any notification to the data subjects and/or the supervisory authority.

ARTICLE 19 – NOTIFICATION OF PERSONAL DATA BREACHES

If a personal data breach is likely to result in a risk to the rights and freedoms of data
subjects, the Bank shall, through its Data Protection Officer, notify the breach to the
supervisory authority without undue delay and, where feasible, not later than 72 hours after
having become aware of it, in accordance with the prescribed procedure. Where the
notification to the supervisory authority is not made within 72 hours, it shall be accompanied
by reasons for the delay.

Where the personal data breach is likely to result in a high risk to the rights and freedoms of
the subjects, the Bank shall also communicate the personal data breach to the data subject.

CHAPTER 4: DATA PROCESSOR MANAGEMENT

ARTICLE 20 – CONTRACTUAL CLAUSES

In all cases where the Bank acts as data controller and intends to contract a third party to act
as data processor, the Bank shall ensure that appropriate confidentiality and security
measures are applied in that processor’s environment. The Bank remains responsible for the
protection of these data.

Every outsourcing of data processing shall be governed by a written agreement containing
adequate clauses covering the processor’s obligations, such as security and confidentiality
obligations, data integrity requirements, and obligations relating to the use and disclosure of
data. The data processor shall be bound in writing to non-disclosure, either by signing a
separate non-disclosure agreement or through a relevant clause in its contract with the Bank,
so that the data processor and its staff are prevented from using or disclosing the
information provided by the Bank for any other purpose.

CHAPTER 5: TRANSFER OF DATA TO THIRD PARTIES OR INTERNATIONAL ORGANISATIONS

ARTICLE 21 – TRANSFER OF DATA TO THIRD PARTIES

The Bank shall ensure that personal data are not transferred to third countries that do not
provide an adequate level of personal data protection. If the Bank deems it necessary to
transfer data to such countries, it shall ensure that appropriate safeguards are in place, e.g.
in the form of binding corporate rules, standard data protection clauses or an approved code
of conduct.

Any transmission of data by the Bank to the European Central Bank and/or national central
banks of euro area Member States of the European Union (EU) as part of its competences
as a member of the Eurosystem shall be carried out in accordance with the provisions of the
GDPR.

ANNEX

GLOSSARY

GDPR

General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament
and of the Council).

Special categories of personal data (“sensitive data”)

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical
beliefs or trade-union membership; genetic data; biometric data processed for the purpose of
uniquely identifying a natural person; health-related data; and data concerning a person’s
sex life or sexual orientation.

Data processor

A natural or legal person, public authority, agency or other body which processes personal
data on behalf of the data controller.

Data protection impact assessment (DPIA)

A procedure for evaluating risks to the rights and freedoms of data subjects, determining the
appropriate measures for addressing such risks.

Processing

Any operation or set of operations which is performed on personal data or on sets of
personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction.

Supervisory authority

An independent public authority which is established by a Member State. For Greece, this
authority is the Hellenic Data Protection Authority (HDPA).

Disclosure

Notification, communication, announcement, publication or any other activity whereby the
data can become known to recipients.

Data Register

An electronic register of all the personal data processing activities of the Bank, broken down
by business unit.

Personal data breach

Any breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise
processed.

Consent of the data subject

Any freely given, specific, informed and unambiguous indication of the data subject's wishes
by which he or she, by a statement or by a clear affirmative action, signifies agreement to the
processing of personal data relating to him or her.

Third parties

Any natural or legal person, public authority, agency or other body other than the data
subject, the controller, the processor and the persons who, under the direct authority of the
controller or processor, are authorised to process personal data.

Data controller

The natural or legal person, public authority, agency or other body which, alone or jointly with
others, determines the purposes and means of the processing of personal data; where the
purposes and means of such processing are determined by Union or Member State law, the
data controller or the specific criteria for its nomination may be provided for by Union or
Member State law.

Data Protection Officer (DPO)

The person designated by the Bank to carry out the tasks of the data protection officer as
described in the GDPR.

Data subject

Any natural person whose personal data are maintained by the Bank in its capacity as data
controller.
