Information on the processing of personal data of shareholders of Eurobank Ergasias Services and Holdings S.A. pursuant to Regulation (EU) 2016/679 and the relevant Greek and European Union legislation

“Eurobank Ergasias Services and Holdings S.A.” (hereinafter referred to as “Eurobank Holdings”), having its registered offices in Athens, 8 Othonos Str., 105 57, registered at the General Commercial Registry with GCR No 000223001000, informs you, under its capacity as data controller, pursuant to Regulation (EU) 2016/679 (hereinafter referred to as “the Regulation”), Law 4624/2019 and further provisions of the relevant Greek and EU legislation on personal data protection,  on the processing of your personal data. The term “you” for the purposes of this notice refers indicatively to Eurobank Holdings’ shareholders, ex-shareholders, persons with voting power or/and persons exercising rights deriving from Eurobank Holdings’ shares, proxies, representatives of the above and/or third persons in general who are related to the abovementioned. Notices that are more specific may supplement this Information.

The necessary personal data collected by Eurobank Holdings may indicatively be the following and not all of them necessarily concern you. It is hereby explicitly clarified, that the number and categories of personal data that Eurobank Holdings collects depends on the capacity of the data subject; their provision is a required precondition for servicing the shareholder relationship.

a. Identification data: name and surname, father’s name, mother’s name, Identity Card number/Passport number, Tax Identification Number, Social Security Number, citizenship, profession, etc..

b. Contact information: postal and/or e-mail address, fixed and/or mobile telephone number, etc..

c. Number and type of shares/ voting rights/ rights deriving from the shares, DDS number, Securities Account number and operator.

d. For the shareholders that use the “e-General Meeting” application the following additional personal data are collected: identification data and access/login data as well as data deriving from the use of the application etc..

e. As regards those with voting rights, representatives of legal entities, shareholders’ representatives (including representatives of those deriving rights from the shares), Eurobank Holdings collects data regarding the capacity under which you have or exercise a voting right and relevant supporting documentation. Such data may indicate conflict of interest among the representatives.

f. Communication data as well as data deriving from your queries, requests and supporting documentation you may submit to Eurobank Holdings.

g. Data deriving throughout the shareholder relationship, such as the percentage and type of participation, your transactional activity with regard to the shares.

h. Data in the framework of your participation in the general meeting through teleconference, such as the participation password etc..

Eurobank Holdings collects the aforementioned data either directly from you (including the cases you use the “e-General Meeting” application) or from third persons acting on your behalf, persons related to you, from the company under the name “Greek Central Securities Depository S.A.” or from companies providing teleconference services.

In case you provide Eurobank Holdings with personal data of third persons you must have in advance properly informed them (indicatively, by referring them to the preset document) and have ensured their consent, where necessary. It is recalled that you are obliged to timely update your abovementioned personal data.

Eurobank Holdings processes your personal data required each time:

Α. To service your relationship as shareholder or user of the application “e-General Meeting” (article 6 para 1b of the Regulation)

Said processing of the data described under section 1 above serves purposes such as:

a) Your identification.

b) The communication with you.

c) Verifying the eligibility and legality of exercising your rights as Eurobank Holdings’ shareholders and/or persons with voting rights, pursuant to the relevant legislation and regulatory framework on limited liability companies and/or companies with shares or securities that are admitted to trading on a regulated or organized market as well as pursuant to the statute (indicatively: participation in general meetings, exercise of the voting right during these meetings, drawing up a shareholders’ list, keeping minutes of the meetings and records of the general meetings’ decisions etc.).

d) The fulfilment of Eurobank Holdings’ obligations towards you as shareholders or as persons with voting right (i.e. dividend distribution).

e) For those who choose to register with the “e-General Meeting” application: your registration, the provision of the application services as well as the proper function and support of the application.

f) The response to your requests or queries.

Said processing (point A. above) serves also the compliance of Eurobank Holdings with its legal obligations (point B. below) as well as its or a third party’s legal interests (point C. below).

Β.To comply with its legal obligations (article 6 para 1c of the Regulation) 

The processing of the data described under Section 1 above serves purposes such as:

a) Eurobank Holdings’ compliance with obligations imposed by the relevant legal, regulatory, and supervisory framework, international agreements as well as with authorities’ decisions (public, supervisory, independent, prosecution etc.) or courts (regular or arbitrary).

b) Keeping and maintaining records setting out Eurobank Holdings’ shareholders.

c) Protecting persons and property.

Said processing (point B. above) serves also Eurobank Holdings’ or a third party’s legal interests (point C. below).

C. To protect Eurobank Holdings’ or a third party’s (such as indicatively companies of Eurobank Holdings Group, cooperating companies etc.) legal interests (article 6 para 1f of the Regulation) 

Additionally, the processing of the personal data described under section 1 above serves purposes, such as indicatively the establishment, exercise and defense of legal claims, the security and safety of Eurobank Holdings information systems, facilities and assets in general, the carrying out of analyses and statistics, its reputation, the deterrence of criminal acts or frauds  against Eurobank Holdings or a third party,  the promotion of its activity and corporate profile etc.

D.  Upon your consent (article 6 para 1a of the Regulation)

In case we have asked and received your consent, especially when the processing cannot be established on any of the abovementioned (2.A. – 2.C.) legal bases, the processing of your data under Section 1 is based on your consent (see in particular the below mentioned case regarding the data transfer outside the EEA under 4.c.i.). In such cases, you have the right to withdraw your consent at any time. Please see below under section 7 how you can withdraw your consent; where relevant, we will also inform you on specific ways to withdraw your consent depending on the way you consented. The processing based on your consent prior to its withdrawal remains unaffected.

E. Automated decision-making including profiling

Eurobank Holdings does not carry out solely automated individual decision-making. In case Eurobank Holdings decides in the future to carry out automated individual decision-making, including profiling, that produces legal effects or significantly affects you in a similar way, you will be provided with a specific notice and, where required, you will be asked for your consent.

Recipients of your data may indicatively be the following:

a. Eurobank Holdings’ competent employees and members of the administration within the framework of their duties as well as competent employees of its subsidiary company “Eurobank S.A.” within the framework of providing supplementary services to Eurobank Holdings.

b. Lawyers, law firms, bailiffs, notaries, experts, chartered accountants/auditors, and consulting services providers (such as financial consultants etc.).

c. Companies responsible for storage, filing, management and destruction of files, records and data, information application and services providers, teleconference services providers, telecommunication services providers, cloud services providers, information society services providers and mail services providers.

d. The company “Greek Central Securities Depository SA”.

e. Supervisory, independent, judicial, prosecution, police, tax, public or/and any other authorities (such as the Hellenic Capital Market Commission, the Bank of Greece, the Ministry of Development and Investments etc.), authorized mediators and mediation centers, arbitration tribunals and alternative dispute resolution entities.

f. Other shareholders, persons with voting rights, representatives of legal entities, shareholders’ representatives (including representatives of those deriving rights from the shares) as well as those playing a key role and being in charge of carrying out Eurobank Holdings’ general meetings.

g. Any third persons that submit a request to Eurobank Holdings in order to receive information, pursuant to the law.

For the personal data processing of the abovementioned recipients that act as controllers, we advise you to consult their personal data notices.

Eurobank Holdings may transfer your personal data to third countries or international organizations outside the European Economic Area (EEA) under the following circumstances:

a) if the Commission decides that the third country, territory or one or more specified sectors within that third country or an international organization ensures an adequate level of protection; or

b) if appropriate safeguards for data processing have been provided, according to EU and/or national legislation.

c) In the absence of the abovementioned circumstances, a transfer may take place if a derogation as provided for in by the relevant EU and/or national legislation is met, including indicatively the following:

i. You have explicitly provided your consent to Eurobank Holdings;

ii. Within the framework of Eurobank Holdings’ compliance with obligations imposed by the legislation or international agreements and to the extent that the transfer is necessary for important reasons of public interest, or

iii. The transfer is necessary for the establishment, exercise or defense of legal claims.

Personal data will be kept for the time necessary for the fulfillment of their processing purpose, otherwise for the time required by relevant the legal and/or regulatory framework or the time necessary for the exercise of claims or defense of rights and legitimate interests.

More precisely:

Data collected through the application “e-General Meeting” shall be kept only for the time required for the fulfillment of the purpose they were collected and processed. In case you choose to cancel your registration with the application, the data collected through it for the purposes of its function will be deleted except for the data required by the relevant legal and/or regulatory framework or are necessary for the defense of legal rights and interests of Eurobank Holdings or a third party.

Moreover, few data may be part of Eurobank Holdings records and will be kept during the entire period said record exists.

You have the following rights to the extent they can be implemented:

a. Ta demand to know the categories of your personal data that we store and process, where they come from, the purposes of their processing, the categories of their recipients, their storage period as well as your relevant rights (right of access).

b. To demand the rectification or/and amendment to your data so that they are complete and accurate (right to rectification) by providing any necessary document justifying the need for rectification.

c. To ask for a restriction of the processing of your personal data (right to restriction of processing).

d. To object to any further processing of your stored personal data (right to object).

e. To obtain the erasure of your personal data from the records we keep (right to erasure), under certain circumstances such as in cases when the data are no longer necessary, you have withdrawn your consent or your data have been unlawfully processed etc..

f. To ask for the transfer of your data kept by Eurobank Holdings to any other controller (right to data portability).

g. To withdraw your consent at any time. The legality of the processing based on your consent before its withdrawal remains unaffected and you can consent again to the processing.

h. Right to complain to the Data Protection Authority: You have the right to lodge a complaint with the Hellenic Data Protection authority in case you consider that your rights are in any way violated. For the Authority’s competence as well as the way to lodge a complaint you can find detailed information on its website (www.dpa.gr – Citizen Rights – Complaint to the Hellenic DPA).

Please note the following as regards your abovementioned rights:

i. Eurobank Holdings preserves in any case the right to deny your request for restriction of the processing your data or their deletion, in case their processing or storage is necessary for the exercise of your rights as shareholders and/or persons with voting power, the representation of legal entities, the representation of shareholders’ (including the representation of those deriving rights from the shares) or the fulfillment of Eurobank Holdings’ obligation towards you as shareholders and/or persons with voting power, as well as for the establishment, exercise or defense of Eurobank Holdings legitimate rights or its compliance with its legal obligations.

ii. Eurobank Holdings has also the right to deny your request for data erasure to the extent that some of these data are not erased but kept for its records as described under point 2.B.b above.

iii. The exercise of these rights is valid for the future and does not affect any previous data processing.

For the exercise of your rights described in the previous section explicitly including you right to withdraw your consent you may contact in writing the Investor Information Services  Division, 8 Iolkou & Filikis Etiarias Str., 14234 Nea ionia , Athens or by sending an email to investorsinfo@eurobankholdings.gr.

Eurobank Holdings will use its best endeavors to address your request within thirty (30) days of its receipt. The abovementioned period may be prolonged for sixty (60) more days, if deemed necessary, at Eurobank Holdings absolute discretion, taking into consideration the complexity of the issue and the number of requests. Eurobank Holdings shall inform you within thirty (30) days of the request’s receipt in any case of prolongation of the abovementioned period. The abovementioned service is provided by Eurobank Holdings free of charge. However, in case the requests manifestly lack of foundation and/or are excessive and repeated, Eurobank Holdings may, after informing you, impose a reasonable fee or refuse to address your request(s).

You may contact the Data Protection Officer for any matter regarding the processing of your personal data at the address Eurobank Holdings, 8 Othonos Str., 10557 Athens or by sending an email to dpo@eurobankholdings.gr.

Eurobank Holdings implements appropriate organizational and technical measures to ensure the security and confidentiality of your personal data and their protection from accidental or unlawful destruction, loss, alteration, prohibited transmission, dissemination or access and any other form of unlawful processing.

Eurobank Holdings may amend the present Information. In such case, the date of the update will be mentioned at the end of the Information and you will be notified accordingly via a posting on Eurobank Holdings’ website. (www.eurobankholdings.gr).