The following information applies to all of you who, as natural persons, use the Ombudsman’s services to resolve your disputes with the Bank, the Investment Company or another financial services provider, or to answer your questions and includes the terms, rights, and how they are exercised, with regards to the processing of your personal information.
The entity under the name “Hellenic Financial Ombudsman – Non-Profit Alternative Dispute Resolution Organization (HFO-ADRO)” former HOBIS based in Athens (1, Massalias Street, 10680), Tax Code 999119797, Tel. 210-3676700 www.hobis.gr.
and in particular the sector of the Greek Financial Ombudsman (hereinafter referred to as the “Financial Ombudsman”), processes Personal Data of Individuals as a Controller to examine, mediate and ultimately facilitate the out-of-court settlement of disputes with financial service providers, in accordance with the detailed provisions of the Statute and its Rules of Procedure and the legal framework governing its establishment and operation.
The Financial Ombudsman, consistent with its institutional role as an Alternative Dispute Resolution entity, defends the principle of respect for privacy, including the protection of personal data. Regarding its operation, it is generally bound to observe confidentiality with regard to the information brought to its knowledge and in particular compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as applicable to any other more specific legislation. For that reason, it implements internal procedures, adopts policies and uses appropriate technical and organizational measures to ensure the lawful processing and security of the personal data granted to it in the course of its work.
- What is personal data and what is its processing?
The term personal data means any information relating to you as a natural person, the “data subject”, such as your full name, postal address, electronic address, mobile and telephone number, email, ID, tax code which identify alone or in combination your identity, hereinafter “Personal Data”.
Personal data processing is any operation or set of operations which is performed on personal data whether or not by automated means, such as collecting, registering, organizing, structuring, storing, altering, retrieving, searching for information, use, transmission, limitation, erasure or destruction.
- What personal data we collect and from which sources?
We collect and maintain in electronic and/or physical files, your personal data that you provide us orally or declare to us in the “COMPLAINT FORM” when submitting your request (recorded telephone conversation, name, surname, father’s name, ID number, Passport number, Tax Code, postal and e-mail addresses, telephone number), as well as the corresponding details of the authorized person. Other personal data, such as the transaction data for which you are submitting the request, will be forwarded to us either by you or by the financial service provider under your authorization.
- For what purpose do we process – legal base
The above data is processed for the examination of your complaint, in order to mediate the dispute with your provider and also to identify you in our necessary communications. Therefore, the above processing is done in assurance of the legitimate interest that you individually seek and after you have agreed in advance, granting us your own data on your own initiative. You have the right to revoke your above consent, without prejudice to the legitimacy of the processing of your data based on it. In this case, we will not be able to continue our actions to fulfill the purpose for which you have granted us.
The above processing is also carried out in order to fulfill the tasks that we have undertaken under our statutes and our Rules of Procedure, as an Alternative Dispute Resolution entity (ADR) registered under the number 70330/2015 of the Joint Ministerial Decision (Government Gazette 1421 B’), Directive 2013/11/EU and Regulation (EU) No 524/2013 of the European Parliament and of the Council in order to contribute to the proper functioning of the internal market for financial services through the achievement of a high level of consumer protection.
Some of your data are also processed for statistical purposes, without any correlation to you, as they are subject to pseudonymisation.
Your data may also be processed for the purpose of establishing, pursuing or supporting legal claims or for reasons of public interest.
- Who are the recipients of your data?
Your personal data is received and processed by our staff, within their sphere of competence. Your personal data may also be accessible by third parties, technology service providers, contracted by us in the framework of service provision that meets stringent data processing and data security standards. The above persons and providers are committed to maintaining the security of your data, complying with the legal framework for their processing and protection, and being subject to controls to effectively comply with the above commitments. Your data may also be forwarded to competent Judicial, Prosecutor and other Public and/or Independent Authorities, as long as we are dictated by our legal obligations or rights.
- Retention period of your data
We process your personal data for as long as it is required according to the purpose for which you provided it to us, as stated in point 3 above.
In particular, your data contained in the electronic and/or physical files of written requests will be retained for a maximum period of five (5) years from end of the year in which the processing of the request you submitted to us is completed. In case the examination of your written request is beyond our competence, the above period is limited to two (2) months from the last day of the month in which we have demonstrably provided you with the relevant information. Exceptionally, the data required to prove such information shall be kept for a maximum period of five (5) years.
Your data contained in the electronic file of telephone requests are kept for three (3) months from the end of the month in which the relevant registration was made.
Also, records of telephone calls (call data and voice recording) are kept for three (3) months from the end of the month in which the relevant recording was made.
The above-mentioned time periods shall be extended accordingly if the relevant data are requested by the person concerned or by a public, independent, or judicial authority in the context of an investigation into the case in question or the exercise of the legal rights of the person concerned or of the HFO.
Moreover, some of your data are kept for a longer period, as we process them for statistical purposes, but without any connection to your person, as they are subject to pseudonymization.
- Your rights
You can always contact us (see paragraph 8) to exercise your legal rights.
To protect your rights, you will also need to provide us with your identification (copy of your identity card or passport).
You have the following rights:
- The right to receive information and have access to your personal data held by us.
- The right to rectification of any inaccurate data and fill in incomplete information by submitting relevant documents proving this correction.
- The right to erasure (“the right to be forgotten”), provided that there is no reasonable, legitimate reason or obligation to maintain them.
- The right to restriction of processing of your data, in cases where their accuracy or lawfulness of processing is questioned, or the data are no longer necessary for the purpose for which they were granted.
- The right to data portability, i.e. transferring your data to another controller, provided that the processing is carried out by automated means (the portability does not include data in printed form) and the exercise of the above right does not adversely affect the rights and freedoms of others.
- The right to object to the processing of your personal data, provided that there are no compelling and legitimate reasons which override your interests, rights and freedoms, such as the foundation, exercise or support of legal claims or public interest grounds.
- Competent Authority
If you consider that your rights, regarding the protection of your personal data, have been violated in any way, you have the right to file a complaint with the Personal Data Protection Authority (1-3 Kifissias Avenue, 115 23, Athens, tel. 210 6475600, e-mail firstname.lastname@example.org).
If you wish to receive more information and clarifications regarding the processing of your personal data, to submit any comments or complaints or to exercise any of your rights, you can contact the data protection officer email@example.com.
This update may be supplemented or amended in accordance with the applicable legal and regulatory framework as well as after each update of our internal data protection procedures and practices. The updated version is always posted on our web site (www.hobis.gr) and is also available at our offices in 1, Massalias Street, Athens.