For Hellenic Export Credit Company S.A. – Export Credit Greece (ECG), the protection of personal data and privacy, and the management, protection and security of your data, are an integral element of the relationship of trust that we want to develop with you.
With this policy we want to explain to you as simply and clearly as possible:
– What data about you we process
– For what purposes and under what legal basis we process them
– How long we keep them
– Who are the recipients of your data and
– What your rights are regarding your data and how you can exercise them.
You as users of our services and visitors to our website and our social networks are called “data subjects” while we are the “data controller” of your personal data.
Personal data includes any information that allows, either alone or in combination with others, the unique identification of a natural person.
“Processing of Personal Data” means any action or series of actions carried out with or without the use of automated means, on personal data or sets of personal data, such as the collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, research of information, use, communication by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion and destruction thereof.
- DATA CONTROLLER & DATA PROTECTION OFFICER
The Data Controller is the “Hellenic Export Credit Company S.A.” – Export Credit Greece (ECG), VAT number 090027229, 1st Revenue Office of Athens.
- By phone at: +30 2119966200
Via e-mail address: firstname.lastname@example.org
- By post to the addresses:
Head Office: 48 Michalakopoulou Street, 11528, Athens
Thessaloniki offices: Polytechneiou 51 & V. Hugo, 546 25, Thessaloniki
- COMPLIANCE WITH THE REGULATORY AND LEGAL FRAMEWORK
ECG complies with the General Data Protection Regulation (2016/679 EU GDPR) and any other European and national legislation concerning the protection of personal data and electronic communications (such as, indicatively, law 4624/2019) and undertakes to ensure the protection of your Data at all times:
- The data are collected for specific, clear and legitimate purposes and are not further processed in a manner incompatible with these purposes.
- We collect the necessary personal data for each processing purpose and process them in a lawful, fair and transparent manner, in relation to the data subjects.
- We ensure that they are, as far as possible, accurate and up-to-date and we only keep them for as long as it is necessary for the purposes for which they are processed.
- In any case, the criterion used to determine the period of storage is based on and takes due account of the need to comply with any relevant legal requirements and the data minimization principle.
- We process the Data electronically and manually and take all appropriate measures to protect personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures.
- CATEGORIES OF NATURAL PERSONS FROM WHICH WE COLLECT DATA
- Visitors to our website and our social networks
- Current, past and future employees
- Other interested parties
ΙΙ. COLLECTION, PURPOSE, LEGAL BASIS OF DATA PROCESSING AND PERIOD OF DATA RETENTION
- Data collected during the use of the website
- A. Website
ECG owns and manages the website www.ecg.gr.
When you visit our website, our server collects so-called server log files, and in particular:
– Date and time of entry to the website
– Amount of data sent in bytes.
– The browser and operating system you used to access the website.
– Internet protocol address (IP address), when you enter the website. The IP address is personal data along with the date and time of your visit, although we cannot identify you with this data alone.
The legal basis on which we collect your IP address and keep it in special files (log files) is our legitimate interest in processing this data in order to ensure the security of the network, information and services against accidental events or illegal or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data (e.g. control of DDoS “denial of service” attacks), as well as our legal obligation to provide a more secure environment for processing your personal data (GDPR article 6 paragraph 1 f and c). The data will not be transferred or used in any other way. However, we reserve the right to review server logs if specific indications of unauthorized use are detected.
This website uses the SSL protocol (Secure Sockets Layer), which encrypts the data exchanged between two devices (usually computers) and establishes a secure connection between them over the Internet, thereby protecting your personal data as well as other sensitive data (e.g. orders or inquiries of the data controller). You can recognize that you are on a secure connection by the characters https:// and by the padlock symbol that appears in the address bar of your browser.
- B. Links to Websites of Third Parties
The website of ECG may contain links that lead to other websites of third parties or independent entities, such as e.g. partner companies / organizations, which are operated exclusively by them as well as our company’s social media websites. Therefore, ECG bears no liability for the content, actions or policies of these websites. We urge you to carefully read the applicable data protection policies on the websites you visit.
- Sending informative mail/newsletter
We collect your e-mail address from you or from published directories (websites, etc.) in order to send you informative mail about the actions and development opportunities that ECG offers you. Then, with your consent, we can send you a newsletter with the news of our company. The legal basis for the processing is our legitimate interest as well as your presumed legitimate interest (Article 6 para. 1 f GDPR) as well as your consent (Article 6 para. 1 a GDPR), which you have the right to revoke at any time by pressing the unsubscribe option.
- Data we collect via email and contact form
In the context of communication between us (e.g. by mail, fax, e-mail, or contact form), the personal data you send us is collected, i.e. first and last names, e-mail, contact details, subject and anything else you want to share with us. These data are stored and used exclusively for responding to your request or for contact and technical management by us.
The legal basis for the processing of these personal data is your consent (Article 6 par. 1a GDPR) and, if they contain a proposal for a contract (such as an application to conclude an insurance contract), the taking of measures before the conclusion of a contract (Article 6 par. 1b GDPR). Your data will be deleted after the final processing of our communication. This will happen if it can be derived from the circumstances that the communication has been completed, provided that they do not contain proposals/requests for a contract, nor are there any legal claims to store such data.
- Data we collect for the conclusion of an insurance policy.
When you submit an insurance application to us, we collect all the data necessary to process the application, sign the insurance policy under the best possible terms for you, and then monitor and service your policy.
We collect these data either from our Exporters/Insurers or from third parties. We will collect from Exporters:
- Details for Exporters: First and last name, profession, address, contact details, VAT number, chamber of commerce, export data and others, financial data (invoices, past exports, overdue claims, loading dates, etc.). If the Exporter is a legal entity, we will collect the first and last names and contact details of its legal representatives and shareholders.
- Details for the Buyers/Recipients of the services: First and last name, occupation, address, country, contact details, VAT number, chamber or trade register, export data (past and under insurance), business financial data (invoices, exports, overdue claims, etc.). If the Buyer is a legal entity, we will collect the first and last names and contact details of its representatives.
In addition to the data that we collect from our Exporters, for the processing and proper assessment of the insurance request you submit to us, we will collect additional financial information – Commercial Information Sheets – for the Exporters and Buyers, from companies whose purpose is to collect and provide commercial information, such as the company ICAP S.A. and other similar partner companies abroad. From these companies we will collect commercial and financial data, mainly data relating to breaches of obligations, transactions, credit behavior, and even share structure in case of legal entities.
The purpose for which we collect the data is to process your request for insurance, the Risk Analysis for each Buyer and each Export, the correct assessment for the assumption of the insurance risk, the approval or rejection of the insurance and, in case of approval, the setting of the credit limit. The legal basis for the processing is the execution of a contract and the taking of measures prior to it (Article 6 par. 1b GDPR) but also ours, our Reinsurers’ as well as the Exporters’ legitimate interest for a correct assessment of the insured risk undertaken by ECG and our Reinsurers, for a correct and fair premium calculation for the Exporter.
Profiling: We use the information we collect to build customized profiles for the Exporter/Buyer in relation to the insured Export/Service Provision/Investment (Assessment Form). We use scoring models and algorithms based on previous similar cases and financial forecasts in order to make a decision on whether to insure, promote or extend an Export, what the insured credit limit will be and any potential extension thereof. Our results predict the likelihood of default and/or bankruptcy, whether a business is likely to receive credit, whether it could purchase a product or service, how it rates in relation to the industry in which it is active, or whether it is subject to specific risks depending on country and product. In any case, the proposed decision or the proposed credit limit is not binding on ECG: we can always intervene with cause, at the request of the Exporter or even on our own motion, and take a different final decision.
In the event that the insurance request is approved and we proceed to the signing of the insurance policy, these data, as well as those you subsequently provide to us, will be processed for the purpose of monitoring and servicing the insurance policy and for communication with the Buyer/Recipient of the services in case of default.
If you request us to finance your Export from a Banking Institution, we will at your request transmit to the Banking Institution data such as exporter’s and debtor’s first and last name, insurance policy, debtor’s country of origin, invoice data and other data such as loading dates, premium payment dates, maturity/payment dates etc.
The legal basis for the processing is the performance of the contract (Article 6 para. 1b GDPR).
If the insurance event occurs and we need to pay the insurance compensation, we will transmit the necessary data (Exporter, Buyer, insurance data, data relating to the Buyer’s debt and default) to a Collection Company located in the Buyer’s country or to the Buyer’s Bankruptcy Trustee, in order to recover the compensation paid. The legal basis for the processing is our legitimate interest in the exercise of our legal claims (Article 6 para. 1f GDPR).
We keep the Exporter’s file data for a period of twenty years from the last insurance request and then delete it.
We may transmit less or more data from the insurance files to our Broker and Reinsurers Group in compliance with a relevant contractual and legal obligation (Article 6 para. 1b and c GDPR).
Finally, for the purpose of the correct assessment of future insurance risks when investigating the possibility of insurance as well as the correct and fair calculation of the insurance premium, ECG keeps a record of Buyers in default, and the legal basis for the processing is ours and a third party’s/Exporter’s legitimate interest (article 6 para. 1f GDPR).
- Suppliers’ data.
For the supply of products and services, ECG complies with the Company’s Procurement Regulation as it applies each time. Depending on the budget amount of the expenditure, a corresponding awarding process is carried out through direct awarding, closed or open tendering. Depending on the type of invitation, in order for you to participate in the respective invitation or competition, we will collect the data required by the relevant legislation and the relevant invitation, such as first and last name, address, copy of criminal record, tax clearance, social security clearance (only in relation to the natural or legal person of the supplier), certificates proving non-bankruptcy, non-administration status, certificate issued by the General Commercial Registry or other chamber, minutes of the Board of Directors. When the scope of the contract requires special skills, we will also collect CVs of the project team. We keep these data for a minimum period of five years or as long as the relevant legislation requires and the legal basis for the processing is the preparation for the conclusion of a contract (Article 6 para. 1b GDPR).
If you are selected or awarded as a supplier, permanent or temporary contractor, we keep your data for a period of ten years from the time that our cooperation finally terminates, unless there are legal reasons for keeping them for a longer period.
The legal basis for the processing of your data is the preparation and execution of a contract (Article 6 para. 1b GDPR).
Finally, your first and last name, address, VAT number and some financial data of the contract that we will sign with you will be forwarded to the Ministry of Administrative Reform for publication in the Program “DIAVGEIA”. The purpose and legal basis for the processing is our compliance with a relevant legal obligation of ECG as Data Controller (Article 6 para. 1c GDPR).
- CV submission
When you submit to ECG – in the event of an invitation to be recruited through the Supreme Council for Civil Personnel Selection (ASEP) or also in other cases – a CV, you provide us with your personal information such as your first and last name, studies, experience, professional skills and preferences, as well as any other information you may wish to disclose to us, such as your photograph. We retain your personal data for a period of up to three years for the purpose of your participation in the competition or to consider the possibility of employing you and the legal basis for the processing of your personal data is your consent as well as the preparation of an employment contract with the ECG (GDPR article 6 par. 1a and 1b).
III. WHO HAS ACCESS TO YOUR DATA
Your data can be accessed by our employees as well as by any other person authorized to process your data in the course of their duties. We cooperate with third parties, natural or legal persons, professionals, independent consultants, etc. who provide us with commercial, professional or technical services (e.g. commercial information, website hosting, IT system support, accounting, consulting and travel services, transport, etc.) for the purposes stated above, and support ECG in whole or in part, in relation to its activities.
The said natural/legal persons act as Data Processors and process the personal data for the same purposes mentioned above, under the same security measures and in accordance with the applicable legal obligations.
Before the third party receives the personal Data, we must: (1) complete a privacy audit in order to assess the privacy practices and risks associated with those third parties, (2) obtain contractual warranties from those third parties that they will process Personal Data in accordance with our instructions and in accordance with this Policy and applicable law, that they will immediately notify ECG of any Privacy or Security incidents, failure to comply with the standards set out in this Policy and existing legislation, that they will cooperate in remedying any such incident, that they will help us meet the rights of individuals set out below and that they will allow the Data Controller to check the processing that they perform in relation to the compliance with these requirements.
IV. DATA TRANSMISSIONS
In addition to the transmissions expressly mentioned in the previous paragraphs (transmission to “DIAVGEIA”, to Banking Institutions financing the Exporter, to the group of Reinsurers, to collection companies and bankruptcy trustees, etc.) your data may be transmitted to our attorneys-at-law, for the purpose of defending our legal claims.
Apart from the above, personal data will not be disclosed to third parties, individuals or legal entities and will not be disseminated.
Where ECG needs to transfer Personal Data outside the European Economic Area-EEA (for example, in order to pursue the recovery of a claim in a Third Country or to use Cloud services) this will be done under the terms and conditions set out in Articles 44 seq. GDPR, but because the transmission is necessary for the establishment, exercise or support of legal claims, it takes place in a country that has been deemed safe by the European Commission, etc.
V. DATA OF MINORS
ECG does not process data of minors.
VI. COOKIES AND RELATED TECHNOLOGIES
Cookies are small text files that are stored on the device (e.g. computer, tablet, mobile phone) with which the user accesses the website. Cookies are unique to each web browser (e.g. Google Chrome, Mozilla Firefox, Internet Explorer, Opera, etc.) and contain anonymous information, which concerns the websites you visit and the devices you use.
Types of cookies we use:
- a) Functionality cookies (necessary)
These cookies are responsible for basic functions of our website and application. They are necessary to be able to browse our website and to access its various sections. The provision of the website’s basic online services is not possible without these cookies.
- b) Statistical analysis and performance cookies
These cookies collect information about how you use our website, such as the website from which your visit originated, the pages you visit most often, the browser you used, etc. We use them to analyze traffic and improve the performance of our website. They collect aggregated, anonymous statistical information, which cannot lead to the identification of the visitor.
Information about the Google Analytics service:
You have the option to completely block the collection of your data through Google Analytics by installing this add-on in your browser:
Other Third Parties Targeting Cookies
Management of cookies
During your visit to our website, we give you the option, by means of a special application, to choose in an easy and simple manner whether or not to install cookies (and related technologies), in total or by category, except for the absolutely necessary ones, i.e. those that are necessary for the website and session operation. You also have the option to change your related preferences at any time, even during the same session.
In addition, you can configure your browser in such a way that you are informed about the setting of cookies and decide to accept or block them. Each browser differs in how it manages cookie settings. This is described in each browser’s help menu, which explains how you can change your cookie settings. Follow the links below depending on the browser you are using:
Please note that you must adjust the settings separately for each browser and device you use.
Update on the cookies we use and changes to cookies
You can see the cookies we use in detail in the relevant “window” that appears on our website. It lists the classification of cookies by category, the name of each cookie, the provider and the duration of storage. We may update the cookie statement from time to time, including the date on which this statement was last modified. We advise you to regularly check the cookie statement so that you are informed of any changes.
VII. YOUR RIGHTS
You may contact us by mail or e-mail at Export Credit Greece (ECG), 48 Michalakopoulou Street, 11528, Athens – Attention of Data Protection Officer or at the e-mail email@example.com for exercising your rights in accordance with Articles 15 seq. GDPR, i.e. the rights of:
- Updating and Accessing your data
- Correcting and/or completing your data
- Deletion (if applicable)
- Restriction of processing
- Objecting or withdrawing consent to processing.
You can, for example, request an updated list of people who have access to your data, receive confirmation as to whether or not we are processing personal data relating to you, check its content, source, correctness and location, request a copy, request their correction and restrict their processing and even delete them, if applicable.
We respond to Requests without delay and in any event within one (1) month of receiving your request. However, if your Request is complex or there is a large number of requests from you, we will inform you within the month if we need to obtain an extension of two (2) additional months, within which we will respond to you.
There is no financial charge for exercising rights in relation to your personal data, unless, as provided by law, your request for access to information is unfounded or excessive, in which case ECG reserves the right to charge a reasonable fee under specific circumstances, of which you will be informed accordingly.
In the event that you consider that: a) one of your requests has not been satisfied in a sufficient and legal manner or b) the right to the protection of your personal data is violated by some processing carried out by us, you have the right to submit a complaint to the Data Protection Authority (postal address: 1-3 Kifisias Ave., PO Box 115 23, www.dpa.gr, tel. 210 6475600, e-mail: firstname.lastname@example.org).
VIII. CHANGES TO THIS POLICY
We encourage you to periodically read this Policy to know how your Data is protected.
Last modified: April 2023