Personal Data

Privacy Notice on the processing of personal data in the context of your contractual relationship with the Company
The company under the name “PIRAEUS SECURITIES S.A.” (hereinafter referred to as “the Company”), with VAT/ Tax Registration Number: 094285013, General Commercial Registry No.: 1320701000, in its capacity as Data Controller, informs you in relation to the processing of your personal data, as well as your rights, as data subject, pursuant to the Regulation (EU) 2016/679 and the relevant Greek legislation in force regarding the protection of personal data.
The Company’s registered office is in Athens, Stadiou Str. 10, P.C. 105 64, telephone number: + 30 210 33 54 100, e-mail: info@piraeus-sec.gr.
The present notice is addressed to natural persons, who conduct any transaction with the Company, indicatively to customers, who have a permanent relationship with the Company, to legal representatives of such persons as well as to their legal successors or assignees, to the representatives of legal persons and to any natural person, who, in any capacity, has any transactional relations with the Company.

1. What personal data we process and from which source we collect them

In the context of your contractual relationship with the Company, the latter collects and processes in particular the following categories of personal data:
• Identification data (e.g. name, surname, father’s name, VAT/ Tax Identification Number, Identity Card/ Passport Number or any other document that may identify a person, specimen of natural / digital signature), 
• Contact information (e.g. fixed and mobile telephone number, permanent residence, home address, postal and e-mail address),
• Data concerning your professional status (data relating to your profession and work address). You may be asked to provide additional information (e.g. professional identity or student identity card) given that such information is a prerequisite for initiating or retaining a specific contractual relation.
• Data concerning orders (including audio data when orders are orally provided).
• Data concerning contractual behavior throughout the provision of investment services.
• Data concerning Customer’s knowledge and experience in the investment sector, their financial status, their tolerance level towards risk and investment objectives. 
• Data concerning economic and financial status (e.g. tax declarations, tax residence, tax clearance statements, Uniform Real Estate Property Tax (“ENFIA”), financial data of personal company, data relating to portfolio) or other sources of income, gauging of property resources, info relating to Investor and Securities Account Number on Dematerialized Securities System of the ATHEXCSD, as well as any additional info that is required in the context of the legal provisions in force relating to the markets in financial instruments.
• Data related to the use of the digital assistant ‘AI Assistant’ in the Online trading and Piraeus brainy application (e.g. user questions, IP address, logs).

It is noteworthy that, except for the identification data and contact information that are absolutely necessary for the contractual relationship between the Customer and the Company, the quality and quantity of the remaining data that are processed depend on a case-by-case form of relationship and the provided product or service. Personal data provided by you to the Company shall be complete, accurate and be immediately updated in due course by you in any case of change or wherever required by the Company for maintaining your contractual relationship with the Company or fulfilling Company’s legal obligation stipulated by law and the relevant regulations in force.
The above-mentioned personal data that are processed by the Company:
a) are collected from you and third parties, which are authorized to act on your behalf, or
b) are communicated by a third party natural or legal person or public body and are necessary either for the purposes of the legitimate interests pursued by the Company or by a third party, or for the performance of a task carried out in the public interest, or
c) are collected from publicly accessible sources (e.g. Land and Mortgage Registries / National Cadastre, commercial registry numbers, the internet) given that such data are necessary for the purposes for which they are processed.
Furthermore, in the context of the operation of the Company's online portal, in order to confirm your data in the context of the Anti-Money Laundering – AML legislation, you are offered with the alternative of providing and/or updating:
a) Identity details
b) Contact details
c) Income details
d) Details of professional activity
through the "Know Your Customer" (KYC) service of the Ministry of Digital Governance (MDG), where, upon your consent to the MDG, the latter extracts, from the primary information systems of the Government, and transmits the above-mentioned data to the Company.
 

2. Processing of special categories of personal data

As part of the process of remote electronic identification of natural persons when entering into a business relationship, the Company processes your personal data of special categories, and specifically biometric data resulting from taking a dynamic selfie/video in order to complete your remote electronic identification. The video taken shows your face in motion and you are also asked to provide an audio message (which will result from repeating a number).
The above-mentioned procedure follows the provisions of Decision No. 4/894/23.10.2020 of the Board of Directors of the Hellenic Capital Market Commission on the subject of the remote electronic identification of natural persons by the obligated persons supervised by HCMC when entering into business relationships or conducting occasional transactions and specifically according to the permitted by the HCMC remote/online electronic identification by an automated process without the presence of an employee, by taking a dynamic-selfie/video in real time with the use of a specialized software application, which is based on the dynamic and not static taking of photos of the natural person, in order to ensure that he/she participates live in the process (liveness). Detailed information on the processing of this personal data for the purpose of remotely identifying you in the context of opening a new investment account can be found in the informational text you receive during the process of opening an investment account through our online customer portal.
In addition to the abovementioned, processing of special categories of personal data shall apply only in the occasion that such processing a) is necessary for the establishment, exercise or defence of legal claims or b) relates to personal data which are manifestly made public by you. The Company has taken in any case the necessary technical and organizational measures to ensure the secure storage and processing of your data in relation to the above-mentioned special categories of data.

3. Data concerning minors

The processing of minors’ personal data is conducted according to the terms of the present notice and only in the cases that the minor takes part in joint brokerage account. For the purpose of this notice, minors are considered the natural persons that have not reached the age of 18.

4. Data Processing Purposes

Personal data processed by the Company, as above mentioned, either during the commencement of the transactional relation, or at a later stage, are subject to processing for the following purposes:
i. The proper execution of the contracts between us and the effective provision of the chosen investment services, including the quality of service, support and monitoring your transactional relations with the Company.
ii. The assessment of your investment profile (risk assessment profile).
iii. The collection, structuring, recording and storage of your orders of any kind addressed to the Company, that are provided in written, or via electronic means or by telephone for the purposes of concluding a transaction and in view of the security of transactions.
iv. Keeping you informed of corporate bond issues, public offerings or equity capital increases and any similar matters of interest.
v. The handling of complaints relating to Company’s investment services and products.
vi. The Company’s compliance with its legal obligations in accordance with the existing legal and regulatory framework, such as the legislation on the prevention and suppression of money laundering, terrorist financing and the prevention of fraud against the Company and its customers, the handling of Company’s operational and credit risks and tax legislation, as well as Company’s compliance with public authorities’ or/and courts’ decisions and orders.
vii. The establishment, exercise, or defense of legal claims of the Company before the competent judicial authorities or any other extra-judicial/ alternative dispute resolution body.
viii. The physical security of the Company’s premises and the protection of persons and goods through a video surveillance and access control system. You can find a detailed notice of the said processing at the Reception of the Company and its website.
ix. The function and training of the digital assistant ‘AI Assistant’, to support you during the use of the Online trading and Piraeus brainy application.

5. Legal Basis of Data Processing

 The legal basis for the processing that is carried out for the purpose (i) above is the fact that the data processing is necessary for the performance of the contract you have already concluded with the Company or in order to take steps at your request prior to entering into a contract (ar. 6, para. 1.b GDPR).
 The legal basis for the processing that is carried out for the purposes (ii) and (iii) above is the fact that the processing is necessary for the Company’s compliance with its legal obligations pursuant to Law 4514/2018, as amended and in force, which has transposed into the national law Directive 2014/65/EU on markets in financial instruments (ar. 6, para.1.c GDPR).
 The legal basis for the processing that is carried out for the purpose (iv) above is the fact that the processing is serving the Company’s legitimate interests, specifically the provision of information, which is of interest to the Company's clients in the context of the investment services they receive (ar. 6 para. 1.f GDPR).
 The legal basis for the processing that is carried out for the purpose (v) above is the fact that the processing is necessary for the Company’s compliance with its legal obligations pursuant to Law 4514/2018, Directive 2014/65/EU (MIFID II), Regulation (EU) 2017/565, and the Guidelines for complaints-handling for the securities (ESMA) and banking (EBA) sectors (JC 2014 43) as in force and have been incorporated in the supervisory duties of the Hellenic Capital Market Commission (henceforth referred to as: “HCMC”).
 The legal basis for the processing that is carried out for the purpose (vi) above is the fact that the processing of your data is necessary for the Company’s compliance with the remaining legal obligations, including but not limited to Law 4557/2018, as in force, on the prevention-suppression of the use of the financial system for the purposes of money laundering or terrorist financing (Transposition of Directive 2015/849/EU) and the current regulatory framework of the HCMC or pursuant to Law 4493/2017, as in force, on the enhancement of the international tax compliance and implementation of the Foreign Account Tax Compliance Act (FATCA) and Law 4428/2016 (CRS), as in force, on ratification of the multilateral competent authority agreement on automatic exchange of financial account information.
 The legal basis for the processing that is carried out for the purpose (vii) above is the fact that the processing is necessary in order to protect the legitimate interest pursued by the Company, and more specifically in order to safeguard its legal claims and rights as well as its property.
 The legal basis for the processing that is carried out for the purpose (viii) above is the fact that the processing is necessary in order to protect the legitimate interest pursued by the Company, and more specifically in order to protect natural persons and goods that can be lawfully found in its premises.
 The legal basis for the processing that is carried out for the purpose (ix) above is the fact that the processing is necessary in order to protect the legitimate interest pursued by the Company, and more specifically in order to optimize the quality of the services provided to you and increase the level of your satisfaction.

6. Data Retention period

Your personal data are stored only for as long as it is required according to the quality of the processing and only in order to achieve the purpose of the processing. Specifically, your data are stored, generally, for five (5) years after the termination of the business relationship.
Where your request for collaboration with the Company is not accepted and the conclusion of a contract is not completed, your data will be stored for a period of six (6) months. In addition, your data will be stored for a period of two (2) months in case the procedure regarding a request of yours to activate an investment account at UBS Switzerland AG is not completed.
Different data retention periods are applicable when the processing is carried out for the purpose of the Company’s compliance with its legal obligations. In such cases your data are stored for the periods that are defined by the existing legal and regulatory framework. Indicatively, it is stated that for the Company's compliance with its obligations under Law 4557/2018, as applicable, for the prevention and suppression of money laundering and terrorist financing, the Company, inter alia, stores, for five (5) years after the end of the business relationship with the customer:
a) the documents and information required to comply with the due diligence requirements set out in article 13 of the abovementioned law, including information obtained by means of electronic identification, relevant trust services, as defined in Regulation (EU) 910/2014, or with any other secure, remote or electronic identification process regulated, recognized, approved or accepted by EETT. This data, according to art. 4 of Decision No. 4/894/23.10.2020 of the Board of Directors of the HCMC includes any photo or video taken during a remote electronic identification process.
b) the originals or copies of the documents necessary to determine the transactions,
d) the details of business, commercial and professional correspondence with customers, as may be determined by the supervisory authorities.
Furthermore, in the event of a legal dispute, your personal data will be kept in any case until the issuance of a final and unappealable court decision.

7. Who are the recipients of your personal data

The Company’s employees, within their spheres of competence, who have received the necessary information for the secure processing of your personal data have access to your data.
In addition to this, recipients of your data are natural and legal persons, to which the Company has delegated the performance of specific tasks on its behalf, which may indicatively be companies responsible for the management (retention, destruction) of files and data, electronic systems, network support and software providers and companies responsible for the issuance and transmission of statements.
The Company has legitimately guaranteed that the data processors that process your data on its behalf have fulfilled the legal provisions and have offered sufficient assurance for the implementation of organizational and technical measures to ensure the security of your personal data and data subject rights.
Furthermore, recipients of your data in the context of a contractual relationship, execution of a contract or fulfillment of your contractual relationships related to the provision of investment services are:
- Credit institutions, payment institutions, financial organisations or bodies (e.g. Central Securities Depository, Stock / Exchange Markets),
- Cooperating companies, indicatively referred: Investment Services Companies (‘AEPEY’) and Mutual Funds by Management Companies (‘AEDAK’),
- Cooperating lawyers, law firms, bailiffs, notaries,
- Couriers and shipping companies.
Additionally, recipients of your necessary personal data may be on case-by-case basis supervisory, independent, judicial, prosecution, public or/and any other authorities and entities such as HCMC, the Ministry of Finance, the Independent Authority for Public Revenue (‘AADE’), judicial authorities, supervisory bodies, and mediation entities, in the context of their capacities, duties and powers, when the transmission is defined by law or court order.
Moreover, in the context of the proper execution and fulfillment of the contractual, legal, and regulatory obligations of the Company and the Piraeus Group, recipients of necessary data are entities of the Group, as well as the Company’s or/and Group’s auditors.
The Company carries out data transfers to third countries or international organizations only in specific and exceptional cases and in particular:
a) in the event that you submit a request to activate an investment account with UBS Switzerland AG, your data is transmitted to Switzerland. For this transfer there is an adequacy decision of the European Commission in accordance with article 45 of the GDPR, ensuring the adequate level of protection of your personal data in the specific country,
b) when submitting an account opening request through the Web Portal, as part of your remote electronic identification, data is temporarily transmitted to our platform provider (Onfido), which is based in the United Kingdom. This transfer is carried out on the basis of the relevant adequacy decision issued by the European Commission for the United Kingdom,
c) in the context of portfolio and shares of mutual funds of foreign stock exchanges transfer orders management, your data is transferred to the stock exchanges of third countries. The transfers in question are carried out on the basis of an adequacy decision that exists for that third country and in the absence of such a decision the transfer is carried out as it is necessary for the performance of the contract between the data subject and the controller, or the implementation of pre-contractual measures taken at your request (art. 49.1.c GDPR).
d) if required by the nature of processing, the data may be transferred to the USA, due to the use of a software and cloud computing provider established in that third country. In these cases, the transfer takes place under the legal basis of the standard contractual clauses issued by the Commission in June 2021 (article 46.2c of the GDPR).

8. Security of personal data

We are fully committed that we have taken the appropriate organizational and technical measures to secure and protect your data from any form of accidental or unlawful processing. Please note that our authorized personnel, who process your personal data, have received appropriate training, guidance, and information. We have been taking measures that are reviewed and amended on a regular basis or when deemed necessary based on new needs and technological developments.

9. Data subject's rights 

You as the data subject have the following rights:
I. Right to access your personal data
You have the right to obtain from the Company, who acts as controller, confirmation as to whether or not your personal data are being processed and to access the information relating to the processing of your personal data (e.g. purposes of processing, categories of data concerned, recipients, data retention period etc.) as well as to receive a copy of your personal data (ar. 15 GDPR).
II. Right to rectify inaccurate personal data and supplement your data (ar. 16 GDPR)
III. Right to erasure of your personal data when specific obligations and legal rights of the Company are met, based on the applicable legal and regulatory provisions (ar. 17 GDPR).
IV. Right to restrict the processing of your personal data, where the accuracy of your personal data is contested, or the processing is unlawful or the purpose of processing has ceased and only if there is not any applicable legitimate reason for their retention (ar. 18 GDPR).
V. Right to data portability and transfer your data to another controller provided that the processing is based on consent or on a contract and is carried out by automated means (ar. 20 GDPR).
VI. Right to object to the processing of your data on grounds relating to your particular situation when this processing is carried out for the purposes of the legitimate interests pursued by the Company (ar. 21 GDPR).
VII. Right to withdraw your consent, where the processing of personal data is based on your prior consent for the said processing.

Please note that the above-mentioned data subject rights may not be satisfied by the Company if legal conditions are not met or in case any exceptions provided for by the GDPR apply.

10. Exercising your rights and lodging a complaint

For every request relating to the processing of your personal data and exercise of your rights, you may contact in writing for the attention of: “PIRAEUS SECURITIES S.A., Data Protection Officer (DPO)” and this shall be communicated to the Company via registered letter or via the email address: dpo@piraeus-sec.gr.  
Our response to your request will take place within one (1) month of its receipt and does not incur any cost for you. The above time period may be prolonged for a period of two (2) additional months, due to the complexity or the number of the requests. In such case, you will be informed about the time extension and the reasons for it, as soon as possible and in any case within one (1) month since receiving your request. In case you consider that: a) your request has not been sufficiently and lawfully satisfied or b) your right to the protection of your personal data has been violated by our processing, you have the right to lodge a complaint with the Hellenic Data Protection Authority (address: Kifissias 1-3, Postal Code: 115 23, Athens, https://www.dpa.gr/, telephone number: 210 6475600, email address: contact@dpa.gr).
PIRAEUS SECURITIES S.A. based on its current data protection policy and in the context of the relevant legal and regulatory framework, as in force, may update and amend the present notice, an updated form of which will be at any time available on the Company’s website (www.piraeus-sec.gr).