Personal Data Protection Policy

Contents

1. HFO Personal Data Protection Policy

This information is for all of you who, as natural persons, use the Ombudsman’s services to resolve disputes with banks, investment companies, or other financial service providers, or to answer questions, as well as questions or requests regarding the exercise of your rights under the General Data Protection Regulation (GDPR). It outlines the terms, your rights, and how to exercise them in relation to the processing of your personal data.

The company under the name “Hellenic Financial Ombudsman – Non-Profit Alternative Dispute Resolution Organisation (HFO-ADRO)”, formerly “H.O.B.I.S.”, based in Athens (1 Massalias Street, Postal Code 10680), with tax identification number 999119797, telephone number 210 3676700 and email info@hobis.gr, and in particular, its division Hellenic Financial Ombudsman (HFO) (hereinafter “Financial Ombudsman”), processes the personal data of natural persons as the Data Controller in order to examine, mediate, and ultimately facilitate the out-of-court settlement of their disputes with financial service providers. This is in accordance with the detailed provisions of the HFO’s Articles of Association and Rules of Procedure, as well as the legal framework governing its establishment and operation.

Consistent with its institutional role as an Alternative Dispute Resolution Entity, the Financial Ombudsman upholds the principle of respect for privacy, including the protection of personal data. In terms of its operations, it is generally committed to maintaining confidentiality and secrecy regarding information it receives, and specifically to complying with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and any other relevant legislation. To this end, it implements internal procedures, adopts policies and takes appropriate technical and organisational measures to ensure both the lawful and legitimate processing and the security of personal data disclosed to it in the course of its work.

1.1 What is personal data, and how is it processed?

Personal data refers to any information relating to you as an individual (“data subject”), such as your name, postal address, web address, mobile and landline telephone numbers, email address, ID number and tax identification number. This information can identify you either on its own or when combined with other data, hereinafter “Personal Data”.

‘Processing’ personal data means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, information searching, use, transfer, restriction, erasure or destruction.

1.2 What personal data do we collect and from which sources?

We collect and store in electronic and/or physical files the personal data that you provide verbally or declare in the ‘COMPLAINT FORM’ when submitting your request, such as recorded telephone conversation, your full name, father’s name, ID number, passport number, tax identification number, postal and email address, contact telephone numbers, as well as details of the authorised person. Other personal data, such as details of the transactions for which you are submitting the request, are provided either by you or by your counterparty provider on your behalf.

In addition, as soon as you visit our website using any browser or our other infrastructures and services, your electronic address (IP), which constitutes personal data, but we are not able to identify you on our own based only on this element, is recorded in log files, among other things.

1.3 Purpose of processing – legal basis

We primarily process the above data to deal with your complaint, aiming to mediate in resolving the dispute with your provider. We also process it for identification purposes during our necessary communications. Therefore, this processing is carried out to satisfy your legitimate interest that you individually pursue and after you have previously in practice agreed to by providing us with your data on your own initiative. You have the right to withdraw your consent at any time, without affecting the lawfulness of processing of data based on it. In this case, we will not be able to continue taking action to fulfil the purpose for which you provided us with your data.

We also process your data to fulfil the tasks we have undertaken within the framework of our statutory purpose and our Rules of Procedure as an Alternative Dispute Resolution entity (ADR), registered in the Register provided for in the Joint Ministerial Decision number 70330/2015 (Government Gazette 1421 B’), in accordance with Directive 2013/11/EU and Regulation (EU) No. 524/2013 of the European Parliament and of the Council. Our aim is to contribute to the smooth functioning of the internal market for financial services by achieving a high level of consumer protection.

We also process some of your data for statistical purposes. However, this data is pseudonymised, meaning it is not identifiable to you as an individual.

Your electronic address (IP) is recorded in order to ensure the security of our infrastructures, information and services from accidental events, illegal or malicious actions, which endanger the availability, integrity and confidentiality of stored and/or transmitted data, as well as for the detection and investigation of security incidents. The above processing is necessary for the purposes of the legitimate interests pursued by the controller (GDPR, article 6, par. 1(f)), in order to ensure the security of both our website and our other infrastructures, information and services. It is noted that, although our website uses the Google Analytics service to collect statistical data, we have activated the IP anonymization function (anonymizeIp), so that your address (IP) cannot be identified.

Finally, your data may be processed for the purpose of establishing, exercising, or defending legal claims or for reasons of public interest.

1.4 Who are the recipients of your data?

The human resources staff responsible for our services have access to your personal data within the scope of their responsibilities. Third-party technology service providers to our entity may also become aware of your data when providing support services, provided they comply with strict data processing and security standards. These individuals and providers are committed to maintaining the security of your data and complying with the legal framework for its processing and protection. They are also subject to checks to ensure they effectively comply with these commitments. We may also transfer your data to competent Judicial, Prosecutorial and other Public and/or Independent Authorities if dictated by our legal obligations or rights.

1.5 How long we keep your data

We will process your personal data for as long as is necessary for the purpose for which you provided it to us, as mentioned above in point 1.3.

In particular, your data contained in electronic and/or physical files of written requests is kept for a maximum period of five (5) years, and ten (10) years for GDPR requests, from the end of the year in which the examination of your request is completed. If we determine that we are not competent to examine your written request, the above period is limited to two (2) months from the last day of the month in which we provided you with the relevant information. Exceptionally, data required to prove this information is kept for a maximum period of five (5) years.

Data contained in electronic telephone request files is kept for three (3) months from the end of the month in which the relevant recording was made.

Additionally, telephone call records (call details and voice recordings) are kept for three (3) months from the end of the month in which the relevant recording was made.

The electronic addresses (IPs) are kept for a maximum period of one (1) year, from the end of the year in which you visited our website or any other of our systems/infrastructures.

These time limits are extended accordingly if the relevant data are requested by the data subject or by a public, independent or judicial authority in the context of an investigation into the relevant case, or for the exercise of legal rights by the data subject or HFO.

Furthermore, some of your data is retained for a longer period of time as it is processed for statistical purposes. However, this data is pseudonymised, meaning it is not identifiable to you as an individual.

1.6 Your rights

You can contact us at any time (see section 1.8) to exercise your legal rights.

In order to protect your rights, you must also provide us with identification details (e.g. a copy of your ID card or passport).

You have the following rights:

  • The right to be informed about, and to access, the personal data that we hold about you.
  • The right to correct any inaccurate data and to complete any incomplete data by providing relevant documents to prove the corrections.
  • The right to erase your data (‘right to be forgotten’), provided that there is no reasonable, legitimate reason or legal obligation for us to retain it.
  • The right to restrict the processing of your data in cases where its accuracy or the lawfulness of its processing is disputed, or where the data is no longer necessary for the purpose for which it was provided.
  • You have the right to data portability, i.e. the right to request that your data be transferred to another controller. This right applies when the processing is carried out by automated means (portability does not include data in printed form) and when exercising this right does not adversely affect the rights and freedoms of others.
  • The right to object to the processing of your personal data, provided there are no compelling and legitimate reasons that override your interests, rights and freedoms, such as the establishment, exercise or defence of legal claims or reasons related to the public interest.

1.7 Competent Authority

If you believe that your rights regarding the protection of your personal data have been violated in any way, you have the right to file a complaint with the Hellenic Data Protection Authority (Kifisias Avenue 1-3, 115 23 Athens; tel. +30 210 6475600; contact@dpa.gr).

1.8 Contact

To receive more information and clarification on the processing of your personal data, or to submit comments or complaints, please contact the Data Protection Officer at dpo@hobis.gr. To exercise any of the above rights, please complete the application form available here.

1.9 Amendments

This notice may be supplemented or amended in accordance with the applicable legal and regulatory framework, as well as following any updates to our internal data protection procedures and practices. The updated notice is posted on our website (www.hobis.gr) and is also available at our offices at 1 Massalias Street, Athens.

2. HFMC Personal Data Protection Policy

This information is for all of you who, as natural persons, wish to use HFMC’s support services to resolve your dispute through the mediation procedure under Law 4640/2019, or for submitting questions or requests regarding the exercise of your rights under the General Data Protection Regulation (GDPR). It includes the terms and conditions, your rights, and how to exercise them in relation to the processing of your personal data.

Τhe Company “Hellenic Financial Ombudsman – Non-Profit Alternative Dispute Resolution Organisation (HFO-ADRO)”, (formerly HOBIS), based in Athens (1 Massalias Street, Postal Code 10680), with tax identification number 999119797, telephone number 210 3676700 and email info@hobis.gr, and in particular its division HFMC, processes your personal data as a Data Controller in accordance with the detailed provisions of its Articles of Association and Rules of Procedure, as well as the legal framework governing its establishment and operation.

Consistent with its institutional role as an Alternative Dispute Resolution Entity, the HFO-ADRO upholds the principle of respect for privacy, including the protection of personal data. In terms of its operations, it is generally committed to maintaining confidentiality and secrecy regarding information it receives, and specifically to complying with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and any other relevant legislation. To this end, it implements internal procedures, adopts policies and takes appropriate technical and organisational measures to ensure both the lawful and legitimate processing and the security of personal data disclosed to it in the course of its work.

2.1 What is personal data, and how is it processed?

Personal data refers to any information relating to you as an individual (“data subject”), such as your name, postal address, web address, mobile and landline telephone numbers, email address, ID number and tax identification number. This information can identify you either on its own or when combined with other data, hereinafter “Personal Data”.

‘Processing’ personal data means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, information searching, use, transfer, restriction, erasure or destruction.

2.2. What personal data do we collect, and from which sources?

We collect and store the personal data you provide in your application (full name, father’s name, ID number, tax identification number, postal and email addresses and contact telephone numbers) in physical and/or electronic files when you submit it, as well as the corresponding details of the authorised person.

2.3 Purpose of processing – legal basis

We primarily process the above data to fulfil your request and subsequently to provide our support services. We also process it for identification purposes during our necessary communications.
Therefore, this processing is carried out to satisfy your legitimate interest that you individually pursue and after you have previously in practice agreed to by providing us with your data on your own initiative. You have the right to withdraw your consent at any time, without affecting the lawfulness of processing of data based on it. In this case, we will not be able to continue taking action to fulfil the purpose for which you provided us with your data.

We also process some of your data for statistical purposes. However, this data is pseudonymised, meaning it is not identifiable to you as an individual.

Finally, your data may be processed for the purpose of establishing, exercising, or defending legal claims or for reasons of public interest.

2.4 Who are the recipients of your data?

The human resources staff responsible for our services have access to your personal data within the scope of their responsibilities. Third-party technology service providers to our entity may also become aware of your data when providing support services, provided they comply with strict data processing and security standards. These individuals and providers are committed to maintaining the security of your data and complying with the legal framework for its processing and protection. They are also subject to checks to ensure they effectively comply with these commitments. We may also transfer your data to competent Judicial, Prosecutorial and other Public and/or Independent Authorities if dictated by our legal obligations or rights.

2.5 How long we keep your data

We will process your personal data for as long as is necessary for the purpose for which you provided it to us, as mentioned above in point 2.3. In any case, your data will be kept for a period of five (5) years from the end of the year in which the mediation process and provision of our support services are completed, and for ten (10) years from the end of the year in which the examination of your submitted GDRP request is completed. If HFMC does not provide you with mediation support services for any reason (for example, if your request is not accepted by Party B or if you withdraw before the mediation process begins), your data will be kept for one (1) month from the last day of the month in which you were provided with the relevant information.

These time periods may be extended if requested by any Judicial or other Public Authority, or if there are legitimate reasons for retaining the data, such as establishing, exercising or contest legal claims or reasons relating to the public interest. Furthermore, some of your data is retained for a longer period of time as it is processed for statistical purposes. However, this data is pseudonymised, meaning it is not identifiable to you as an individual.

2.6 Your rights

You can contact us at any time (see section 1.8) to exercise your legal rights.

In order to protect your rights, you must also provide us with identification details (e.g. a copy of your ID card or passport).

You have the following rights:

  • The right to be informed about, and to access, the personal data that we hold about you.
  • The right to correct any inaccurate data and to complete any incomplete data by providing relevant documents to prove the corrections.
  • The right to erase your data (‘right to be forgotten’), provided that there is no reasonable, legitimate reason or legal obligation for us to retain it.
  • The right to restrict the processing of your data in cases where its accuracy or the lawfulness of its processing is disputed, or where the data is no longer necessary for the purpose for which it was provided.
  • You have the right to data portability, i.e. the right to request that your data be transferred to another controller. This right applies when the processing is carried out by automated means (portability does not include data in printed form) and when exercising this right does not adversely affect the rights and freedoms of others.
  • The right to object to the processing of your personal data, provided there are no compelling and legitimate reasons that override your interests, rights and freedoms, such as the establishment, exercise or defence of legal claims or reasons related to the public interest.

2.7 Competent Authority

If you believe that your rights regarding the protection of your personal data have been violated in any way, you have the right to file a complaint with the Hellenic Data Protection Authority (Kifisias Avenue 1-3, 115 23 Athens; tel. +30 210 6475600; contact@dpa.gr).

2.8 Contact

To receive more information and clarification on the processing of your personal data, or to submit comments or complaints, please contact the Data Protection Officer at dpo@hobis.gr. To exercise any of the above rights, please complete the application form available here.

2.9 Amendments

This notice may be supplemented or amended in accordance with the applicable legal and regulatory framework, as well as following any updates to our internal data protection procedures and practices. The updated notice is posted on our website (www.hobis.gr) and is also available at our offices at 1 Massalias Street, Athens.

HFO Logo
Since 1999, we have been pioneers in the Extrajudicial Resolution of Financial Disputes.
We strengthen consumer and business protection in two ways:
1. Free Ombudsman Services
2. Support services for Mediation under Law 4640/2019
Navigation
Information
Contact Information
Mon - Fri | 08.15 - 14.45

(+30) 210 3376 700
Visits by appointment

info@hobis.gr

1 Massalias, 106 80 Athens, Greece

Copyright © 2025 Cosmote DigitalMarketing4U

Τίτλος Ανακοίνωσης

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Strictly Necessary Cookies

These cookies are technically necessary to enable you to connect to the website or to provide the internet service you have requested.

Name Type Purpose Duration Provider Recipient Default Status
wordpress_sec Necessary Provides security for user logins in WordPress, protecting session cookies from unauthorized access. session hobis.gr HFO Enabled
wp-wpml_current_language Necessary Stores the user’s selected browsing language. session hobis.gr HFO Enabled
moove_gdpr_popup Necessary Remembers cookie preferences to avoid repeated confirmation requests. 1 year hobis.gr HFO Enabled
Στατιστικά

These cookies collect information about how visitors use the website, for example how many users have visited it, which pages of the website they visit most often, etc. These cookies collect aggregated information that does not directly identify a visitor. They are used exclusively to improve the operation of a website. For this purpose, we use Google Analytics mechanisms.

Name Type Purpose Duration Provider Recipient Default Status
_ga Performance Used by Google Analytics for visitor analysis. 2 years Google Inc HFO Disabled
__ga_R1TBLT1MC4 Performance Supplementary Google Analytics cookie. 2 years Google Inc HFO Disabled
Powered by  GDPR Cookie Compliance