PERSONAL DATA PROTECTION DECLARATION OF MARFIN INVESTMENT GROUP
Update on Personal Data Processing
“MARFIN INVESTMENT GROUP HOLDINGS S.A.” (henceforth, «Company») states that for the purpose of exercise of its entrepreneurial activities, proceeds to the processing of personal data of natural persons (such as business partners, suppliers, its shareholders, its personnel as well as potential employees, indicatively speaking), according to effective national legislation and European Regulation 2016/679 for the protection of natural persons against processing of personal data and for the free movement of such data (General Data Protection Regulation, henceforth «Regulation») as is currently effective).
The Company is committed to the respect and effective protection of your personal data. It is for this reason that we undertake the appropriate measures to protect the personal data we process and to secure that their processing, both by the Company itself and by third parties who process personal data, is always done according to the commitments posed by the legal framework. In this frame, we seriously take under consideration that you are efficiently updated on your personal data.
This Declaration of Personal Data Protection describes the personal data that the Company collects for you, how we use and protect your personal data and the choice you have in relation to the way we use such data.
What is the Regulation
The Regulation is the new regulatory framework of European Union (ΕU) in the area of personal data protection. The scope of the Regulation is the establishment of the conditions for the processing of personal data, for the purpose of protecting the rights and liberties of natural persons and in particular the right of personal data protection.
Personal Data: any information referring to an identified or identifiable natural person.
Special Categories of Personal Data («Sensitive Personal Data»): data of personal character revealing race or national origin, political beliefs, religious or philosophical beliefs or participation in a union, as well as genetic data, biometric data, data relating to health or sexual life or sexual orientation of the natural person.
Data Subject: the identified or identifiable natural person to whom Personal Data or/and Sensitive Personal Data refer.
Processing: any act or set of operations carried out with or without the use of automated means in personal data or in sets of personal data such as the collection, registration, organization, structuring, storage, adaptation or alteration, retrieve, search, use, disclosure by transmission, dissemination or any other form of disposition, association or combination, restriction, erasure or destruction.
Controller: For the purposes of this policy, Controllers are the Companies of the Group that separately or jointly define the aims and the processing manner of Personal Data.
Processor: the natural or legal person, public authority, agency or other private body that processes Personal Data for the Controller.
Consent: any indication of the free, specific, explicit and in full knowledge will of the Data subject, by which the Data Subject expresses that it agrees, by way of a declaration or a clear positive action, that the Personal Data relating to it are processed.
Personal Data Violation: a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored or otherwise processed.
1. Which categories of Personal Data the Company processes for you
Communication Data The Company collects communication data (email, phone number). These data are collected in a variety of ways: they are posted on the Company's contact format http://www.marfininvestmentgroup.com/gr/default.aspx., i.e. at the initiative of those who ask for information about share transfers and generally investment information on the initiative of those submitting CV or natural persons who send their personal data for having provided a service to the Company. For the sake of security of the Company's physical persons, materials and other facilities, we record the name of the visitors who enter the Company's premises to perform projects and so on.
Your Curriculum Vitae Education, employment history and any information you choose to submit through the CV submission process. Data from executive search consultancy companies, as well as from publicly available sources, such as information posted on publicly accessible websites, social media profiles, and public search engine information, where this information is relevant and convenient to your assessment for the placement you are applying for.
Particulars of the personnel of the Company The details required by law and the labor agreement that has been drafted according to the law, signed between the employee and the Company, i.e. name and surname, names and surnames of parents, home address, personal mobile number, VAT number and Tax agency, or ID or passport registration number, issuing authority and date of issuance, date of birth, social security registration number, electronic national social security body, bank account number, family status, military status (for male), confirmed work experience if any, education degrees and on certain occasions details pertaining to the capacity of the employee, i.e. Lawyers’ Bar Association number for legal staff, number of the professional identity card of the economic chamber for economists.
Billing information, from suppliers that are natural persons, i.e. home/ headquarters address, VAT number / Tax agency.
Bank Account Number of suppliers for payment of their fees.
Video Recording from our CCTV and security cameras to prevent malicious actions
Registration of Shareholder The Company is listed at the Athens Stock Exchange (ATHEXGROUP). The shareholders, according to the law and the Regulation of the System of the Intangible Assets (SIA), proceed to register their details to the records of the SIA, thus creating an Investors Entry, which includes the name and surname and father’s name and surname of the shareholder, the details of his identification certificate, i.e. the date of birth, nationality, tax information (article 4 of the SIA Regulation), the number and type of shares that holds, as well as any modification of said details. The said details are processed on behalf of the Company by a company that provides Shareholder Services, with whom the Company collaborates.
Remote participation in the General Meetings of the Company In order for the shareholders to exercise the right of remote participation in the General Meetings of the Company, the Company may use a platform created by the Athens Exchange Group for the provision of General Meetings remote participation services in real time through tele-conference to listed companies in web-site https://axia.athegroup.gr and Cisco Webex tele-conference application used by the above Group. For the creation of an entry of the shareholder or his/her representative to the electronic platform, a valid email address and mobile telephone number of the shareholder or his/her representative is required. During his/her participation to the General Meeting, provided he/she activates the tele-conference application through the relevant link, his/her name and surname, vote if any during the voting process and audio-visual material is collected, provided he/she participates actively in the General Meeting. If he/she participates in the General Meeting through a representative, then are also collected the name and surname, the home address, the ID or passport number, the email address and mobile telephone number of the representative through the representative appointment form. Also, in the event of participation through a representative, any information provided, related to a potential conflict of interest is collected.
2. How we collect your personal data
- In the case where an employment contract is concluded between the Company and you in order that you are employed at the Company.
- When you contact us directly through our website, by phone (either by calling or by sms) or by e-mail.
- When the Company collects your personal data from your résumé you send either to firstname.lastname@example.org or in any other way.
- When the Company wishes to provide a service, it collects the suppliers' personal data through the service invoices they provide for the payment of their remuneration.
- When you visit our premises.
3. Why we process your personal data
The Company processes your personal data for one or more of the following purposes:
- Information about our activities on trading of stocks and investing information in general.
- For statistical or historical reasons.
- For the security of physical persons, materials and facilities of the Company through the recording by CCTV and security cameras of visits of third parties such as visitors, contractors during their visit to the Company's premises, the granting of access cards to the premises of the Company. By using special security systems (hardware, software) to detect and prevent malicious actions.
- For the recruitment process of qualified and suitable personnel for the purposes of our business activity.
- In order to comply with a statutory obligation such as the tax laws and the law on Sociétés Anonymes, to disclose transactions of liable persons in the Stock Exchange, to manage claims for compensation, to attend the management of court cases etc., to see the compliance with laws 2396/1996 and 3756/2009 regarding the Rules of the Operation of the Dematerialized Securities System (hereinafter referred to as the "DSS Regulation") and any other relevant legislation or regulation for reasons specified in those instruments.
4. Legal basis for processing of your personal data
The legal reasons for the processing of Personal Data by the Company are:
- The conclusion and execution of a written or otherwise negotiated contract.
- Compliance with national and/or European legislation.
- Preserving and protecting your legitimate interests as well as ours. Thus, we use closed CCTV systems and security cameras in order to protect the security of individuals, materials and other facilities of the Company, and for the same reason we record the details of visitors, contractors and any service providers that enter the premises of the Company, and give them access cards at the Company's premises.
- The consent that you provide under the specific conditions set out in the legal framework.
- The specific disclosure by the Data Subject.
5. Duration of preservation of your personal data
Your personal data will be retained for as long as is necessary to fulfill the purposes for which they were collected, including for the fulfillment of any legal or accounting requirements. In determining the appropriate period of personal data retention, we take into account the quantity, nature and degree of sensitivity of personal data, the potential risk of harm due to unauthorized use or disclosure of your personal data, the purposes for which we process your personal information data and whether we can fulfill these purposes by other means and by the applicable legal requirements. In some cases, your personal data may be anonymized so that they can no longer be associated with you, so we have the right to use this information without notice.
Our general policy is to maintain your personal data in order to pursue the above-mentioned processing purposes and to comply with applicable legal obligations. The data storage time is decided on the basis of the following specific criteria, as appropriate:
- When processing is imposed as a requirement under provisions of the applicable legal framework, your personal data will be stored for as long as it is required by the relevant provisions.
- The data entered by the interested investors in the communication form with the Company are stored for as long as it is required by the content and nature of the query.
- For update and information purposes, your personal data are retained until your consent is withdrawn. This can be done by you at any time. Recalling of consent does not affect the legality of consent-based processing in the period before its revocation.
- If you accept the offer for work in the Company, your Personal Data will be retained based on the Employee Data Processing Notice, which is communicated to all Employees.
- CVs, for which a record is kept for future use, are stored for a period of twenty-four (24) months.
- Provided you participate in the General Meeting, your personal data are included in the minutes of the General Meeting, as required by the law on S.A.s and for reasons of corporate transparency.
All recipients have access to only those of your Personal Data that are collected according to what was mentioned above in chapters 2, 3 and 4, and are strictly necessary for the fulfillment of the purposes and duties or services they have undertaken to the Company. The Company transfers personal data to third parties to whom it assigns the processing personal data for its behalf. Specifically, the Company has contracted technical information support for its suppliers, the staff and the update web-page for the share register to IT companies.
Your personal data may be accessed by third parties that provide the Company with services related to your recruitment and evaluation of your application, by companies hosting or supporting IT systems, recruitment applications support or HR systems, etc.
Recipients of Personal Data are, among others, an actuarial company for the purpose of preparing the annual actuarial studies, the Company for Jurors for regular accounting and tax audits, the insurance Intermediation Company and the Insurance Company for reasons of insurance coverage and compensation, EFKA, the Tax Office, the Labor Inspectorate and the Bank with which the Company cooperates for payroll issues.
Within the Company, your Personal Information will be disclosed to and may be accessed by only the relevant persons who need to be aware of it for management or for the decision to recruit, the human resources department, the system administrators, and other support groups (such as the IT and the Economic Department) and, of course, the heads of the relevant departments in the search for candidates for a job. In this context, the Company's Human Resources Department can assess your resume and your suitability for position filling.
In any case, access to unauthorized persons, including the Company's workforce, in your personal data is forbidden.
Where we provide your Personal Information to third parties, we do so given that these third parties agree to comply with the provisions of the Regulation. Any company in which the Company will disclose your personal data under a service agreement will process your Personal Data in its capacity as processors solely for the purpose and for the account of and on behalf of the Company.
If you participate in a general meeting of shareholders, then according to the effective legislation on Sociétés Anonymes and the laws of the capital market, third parties may see your Personal Data in the table of the shareholders. In addition, we transfer your Personal Data to recipients who have the right to process your data at their own risk. This includes public authorities, including the Securities and Exchange Commission, the General Commercial Registry (GEMI) and the Athens Stock Exchange in order to fulfill statutory obligations.
In any case, the Company does not sell or otherwise transfer for any reason, or disclose your Personal Data to anyone other than the above mentioned, except in the context of compliance with legal or tax obligations, in the execution of an order of the public authorities and in the context of exercise by our Company of its rights before the judicial authorities.
7. Transfer of Personal Data outside the European Union
The Personal Data collected by the Company from you are not transferred or processed outside the European Union.
8. Guarantees for the security of your Personal Data
The Company shall implement appropriate technical and organizational measures aimed at the safe processing of Personal Data and the prevention of accidental loss or destruction and unauthorized and / or illegal access to it, use, modification or disclosure thereof. In any case, the way in which the internet operates and the fact that it is free to anyone is a fact that cannot guarantee that unauthorized third parties will never be able to violate the applicable technical and organizational measures by gaining access and possibly using personal data for unauthorized and / or unfair purposes.
When you grant us your Personal Data, we take steps to ensure that they are kept secure. In order to protect your Personal Data, we take physical, technical and organizational protection measures. We update and control the security technology we use on a sustained basis. We restrict access to your Personal Data to those employees only who need to know this data in order to provide benefits or services to you. In addition, we educate employees about the importance of confidentiality and the maintenance of privacy and security of your Personal Data. Among other things, we have implemented the following technical and organizational measures and procedures to protect your Personal Data from any loss, alteration, illegal processing or change:
- detecting and managing security breaches ·
- use of servers located in rooms with limited access and subject to regular checks ·
- use of information systems and programs for computers that are installed in a way that minimizes the use of Personal Data and / or user authentication data·
- adoption of individual procedures for the preservation of Personal Data and their safe deletion / destruction·
- access to “need-to-know” systems and databases.
The management of databases and the processing of Personal Data will always be within the scope of the processing purposes set and in accordance with the applicable law on the protection of Personal Data.
9. Your rights
Any natural person the Personal Data of whom are processed by the Company may exercise the following rights in accordance with the terms and more specific provisions of the Regulation:
Right of Access You are entitled to know and verify the legitimacy of the processing. In connection with this right, you are entitled to receive from the Company information about your personal data that we process and information regarding its processing, such as its purposes, the recipients and the period of maintenance (Article 15 of the Regulation). Under this right, you are entitled to request the Company to provide you free of charge with a copy of your Personal Data that are processed. In the event that the claims are recurrent and manifestly unfounded, the Company reserves the right to set a reasonable fee in accordance with Article 12 § 5a of the Regulation.
Right of Rectification You are entitled to request the rectification of any inaccuracies or the completion of any incomplete information, which the Company will proceed immediately without undue delay (Article 16 of the Regulation). The Company is committed to inform immediately third parties - recipients to whom your Data have been made public (Article 19 of the Regulation).
Right of Erasure («right to be forgotten») You are entitled to request the erasure of your personal data as long as there is no legal obligation to comply with their preservation or you oppose their processing, having a legitimate interest in it (Article 17 of the Regulation). In some cases (such as, for example, where there is a contract, a statutory obligation to process personal data, public interest), this right is subject to specific restrictions or does not exist as the case may be. The Company will proceed with the erasing without undue delay upon your request under the conditions laid down in the applicable Greek and European legislation on the Protection of Personal Data. The Company is committed to inform immediately third parties - recipients to whom your Data have been made public (Article 19 of the Regulation).
Right of Objection You are entitled to oppose the processing of your Personal Data when there is a legitimate interest under the terms and provisions of Article 21 of the Regulation.
Right of Withdrawal of Consent In cases where we process your Personal Data based on your consent, you are at any time entitled to withdraw your consent or change the degree of consent you have granted without that affecting the legitimacy of the processing for the period prior to withdrawal of your consent.
Portability Right You are entitled to receive your Personal Data in a structured, commonly used and machine readable format, as well as you have the right to ask for such data to be forwarded to other controllers (Article 20 of the Regulation).
Right to Restriction You are entitled to request the suspension of the processing of Personal Data concerning you: (a) when you dispute the accuracy of your Personal Data and until it is verified, (b) when you object to the deletion of Personal Data and you are requesting the restriction of its use, instead of its deletion, c) when Personal Data are not needed for processing purposes, it is nevertheless necessary for the foundation, exercise, support of legal claims, and (d) when you object to the processing and until it is verified that there are legitimate reasons that concern us and supersede the reasons for which you oppose the processing (Article 18 of the Regulation)
Right to lodge a complaint You are entitled to contact the relevant Greek independent authority, the Personal Data Protection Authority, in the event of your data being processed unlawfully (http://www.dpa.gr/). Call Center: +30 210 6475600, Fax: +30 210 6475628, E-mail: email@example.com
If you exercise any of these rights, the Company will respond within one month, unless your request is highly complex or there are a number of similar requests. In any case, the Company is committed to inform you in detail of any breach incident if it is likely to put your rights and freedoms at a high risk, as well as the measures taken to address it.
10. Personal Data of Minors
The site http://www.marfininvestmentgroup.com/gr/default.aspx targets at adult audiences (such as investors and people looking for information about the Company). The Company does not knowingly process the Personal Data of minors under the age of 16. Once the Company is informed of the disclosure of online Personal Data of a person under the age of 16 without the consent of the parent or the person that exercises parental custody, the Company will take appropriate steps to delete such data from its databases and secure non-use of data.
In the event that minors under the age of 16 that are children of staff, their Personal Data are collected by the Company for tax reasons (income deduction) following consent by their parents in order that they are included in insurance schedules.
11. Links to other websites
Our website may contain links to websites managed by the Company or to third-party websites. We provide these links for your convenience, but we do not review, monitor or monitor the privacy practices of websites managed by third parties. In the event that you choose to connect to any third party's website through any links, hyperlinks, banners that may be contained on the Website, the Company and any other company member of the Group has no responsibility for the terms of management and protection of Personal Data of those third parties. In addition, this privacy statement applies only to the Company. We are not responsible for the performance of third-party websites or for the business transactions you make with them. Therefore, we suggest that whenever you follow a link from this website to someone else, even to a website managed by the Company, that you read carefully the Privacy Statements of those sites.
12. Contact details of Controller & Protection Responsible
The Controller is the anonymous Company under the name "MARFIN INVESTMENT GROUP HOLDINGS S.A.", with headquarters in the Municipality of Athens, 10 El. Venizelos (Panepistimiou) str., 10671, as legally represented. You may contact the Company for any questions or inquiries regarding your Personal Data and their processing, as well as to exercise any of your stated rights at: email: firstname.lastname@example.org, tel .: 210 3504000, website : www.marfininvestmentgroup.com. You can contact the DPO for any matter concerning the processing of your Personal Data by sending an email to email@example.com.
13. Publication Information - Changes and Updates
The Company reserves the right to modify and update this Statement at any time, for any reason, without notice to you, except posting the updated Statement on its website. Please check your website regularly to update your current Privacy Statement which is in effect, and specifically before providing any new personal information.
Any change to this Statement will be immediately posted here.