1. Purpose and Basic Principles
The legality, objectivity and transparency of processing.
Limitations on the purpose of processing.
Minimising the data to be processed.
Accuracy and updating of the data being processed.
Data integrity and confidentiality during processing.
Restrictions on the retention / storage time.
Compliance with the legislative and regulatory framework in force from time to time.
The Company is responsible and is in a position at any given time to prove its ongoing compliance with the above principles which are elaborated on in this Policy.
The Company checks, rechecks and updates this Policy at regular intervals and in all events whenever considered necessary, taking into account the legislative and regulatory framework in force from time to time.
2. Legislative and regulatory framework
The Company has adopted and implemented this Policy in its capacity as a controller of personal data in the context of its compliance with the provisions of the General Data Protection Regulation (Regulation (EU) No 2016/679, hereinafter the GDPR) and Directive (EU) 2016/680, as transposed into the Greek legal order, and the applicable regulatory framework from time to time, including the decisions, circulars, opinions and acts in general issued by the Hellenic Data Protection Authority.
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.
“Processor” means a natural or legal person which processes personal data on behalf of the controller.
“Processing” means any collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, restriction, erasure or destruction of personal data which may have come to the Company’s knowledge both in the context of its contractual relations with clients and in the context of information the Company receives from third parties (whether natural or legal persons) or public sector bodies when they or the Company are exercising their lawful rights.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Company client” means any natural person who has acquired units / shares in UCITS or CIUs which the Company manages and/or represents, and any natural person to whom the Company provides investment services. In the case of clients who are legal persons, clients for the purpose of this Policy means the natural persons who lawfully represent clients who are legal persons.
“Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future.
“Client consent” means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“Third party” means a natural or legal person, public authority, agency or body other than the client, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
“Controller” means the legal person which alone determines the purposes and means of the processing of personal data. For the purposes of this Policy, the Company is the Controller.
“Data subject” means any identified or identifiable natural person to whom the personal data being processed relates. For the purposes of this Policy, Company clients are considered to be data subjects.
4. Processing of client personal data by the Company
4.1. Legality of processing
The Company processes the personal data of its clients in the following cases, in accordance with the specific provisions of the applicable legislation and the terms and conditions laid down therein:
Where the processing is necessary to serve, support and monitor its contractual relations with clients, and to ensure proper and lawful implementation of the contracts between them. This case also includes processing which is considered necessary to take the measures needed after a client request made prior to signing of the contract (pre-contractual stage).
Where the processing is necessary for compliance with a legal obligation to which the Company is subject or for the purposes of the legitimate interests deriving from contractual relations with customers or from other rights deriving from the applicable legislation.
Where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
Where the client has given express, specific written consent to the personal data relating to him or her being processed for one or more specific purposes, provided that processing is not based on one of the legal bases in points (1– 3) above. In that case the client is entitled to withdraw consent at any time, and the withdrawal shall not affect the legality of processing which was based on consent prior to withdrawal. Consent can be withdrawn by a letter sent in writing or electronically to the Company addressed to the Data Protection Officer and is valid from the date of submission onwards.
4.2. Prior notification
Where processing of data by the Company is based on client consent, the Company shall ensure that before it obtains the necessary specific, express written consent beforehand in accordance with the above, it informs the client of the following points as a minimum:
Its role as a data controller.
The Data Protection Officer's contact details.
The type of personal data it processes.
The purpose or purposes of processing.
The legal basis for processing.
The categories of potential data recipients.
The data retention period.
The client's rights in relation to his/her data being processed.
4.3. Data being processed
4.3.1. The Company processes its clients’ personal data which:
has been submitted or will be submitted by the clients themselves or by their legal representatives which is necessary to commence, maintain and implement contractual relations with the Company, whether current or future.
it obtains or comes to its knowledge via third parties, whether natural or legal persons, or public bodies, where it is necessary to achieve the Company’s own legitimate interests or those of a third party, or to perform duties which are carried out in the public interest.
comes from publicly accessible sources and/or files to the extent and degree that they are necessary for the purposes of processing.
Personal data provided by clients must be complete and accurate and must be updated by clients themselves, promptly in each case where the data changes or whenever else considered necessary or useful by the Company to maintain business relations or to enable the Company to comply with obligations deriving from the legislative and regulatory framework applicable from time to time.
To commence and maintain a contractual relationship with its clients, the Company acting in compliance with the applicable legislative and regulatory framework governing mutual fund management companies and alternative investment undertaking management companies, which also provide investment services (MFMC - Expanded scope A.E.D.O.E.E.) collects, holds and processes the following personal data of its clients, which are necessary in line with the applicable legislation, reduced to the minimum data needed for the purposes for which the data is processed:
ID Card / Passport or other official form of identification.
Date of birth.
Permanent place of residence, home address and address for correspondence.
Occupation and work address.
Tax residence, Tax Reg. No., and local tax office.
Phone number (land line and mobile).
Utility bill (electricity, phone or water).
Economic/investor profile, knowledge and experience of investments and
Sample of signature (in hard copy or electronic format).
4.3.2. Children’s data
The processing of personal data relating to minors is done under the strict condition that consent is first obtained from the parents or persons with parental care in accordance with the specific provisions of the legislation in force from time to time.
4.3.3 Special categories of data
The Company does NOT process personal data of its clients revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of identifying a client or data concerning health or data concerning a client’s sex life or sexual orientation.
4.4. Purposes of processing
The purposes for which the personal data of the Company’s clients are processed are:
a) to facilitate, support and monitor the participation of unitholders in collective investment undertakings (UCITS and CIUs) which the Company manages and/or represents, based on application forms submitted by clients to join and redeem units or redeem units - reinvest in CIUs managed / represented by the Company.
b) to facilitate, support and monitor contractual relations with Company clients who receive portfolio management services, investment advice services, the receipt and forwarding of orders in financial instruments as a service, and to ensure proper and lawful implementation of contracts between those parties.
c) to record, register and file all manner of instructions, application forms and requests from clients to the Company provided in writing, electronically or by phone in the context of their holding in the CIUs which the Company manages and/or represents or in the context of investment services provided to them by the Company.
d) to fulfil the Company’s obligations deriving from the legislative and regulatory framework applicable from time to time in the context of managing and representing the CIUs and providing investment services, and to comply with decisions of the competent supervisory, administrative, public and judicial/prosecution authorities and services.
e) to satisfy all manner of client requests addressed to the Company and to examine client complaints and
f) to enable clients to receive printed and electronic messages for advertising - marketing purposes from the Company.
4.5. Storage and retention period
The personal data of Company clients is subject to processing, and is held and stored by the Company in a secure environment solely and exclusively for the purposes intended and only for such time as is needed to achieve those purposes, subject to more specific provisions of the applicable legislation. In all events, the personal data of clients is held for 20 years from termination of the contractual relationship between the Company and the client in any manner or from total redemption by the client of all units in the CIUs managed and/or represented by the Company, appropriate. Those time limits do not apply in the case of litigation, in which case the data retention periods extends until an irrevocable court judgment is handed down.
The recipients of the personal data of the Company’s clients may include:
i) any credit institution which performs the duties of custodian / sub-custodian of the CIUs managed / represented by the Company, the brokers / sub-brokers appointed in each case to distribute units in the CIUs managed / represented by the MFMC and third parties - providers to whom the Company has outsourced under contract its functions in the context of the CIUs it manages / represents and the provision of investment services.
ii) third parties to whom the Company has assigned in whole or in part the performance of personal data processing functions on its behalf, to better facilitate the management and representation of CIUs and the provision of investment services to clients, and compliance with the legislative and regulatory framework applicable from time to time.
iii) third parties with whom the Company collaborates in carrying on its activities to perform its obligations in the context of managing and representing the CIUs and providing investment services to clients.
iv) CIU management companies which the Company represents, their custodians, and any person to whom the management companies and the custodians of the CIUs the Company represents have outsourced, under the relevant contact, the performance of their functions in the context of managing / acting as custodian for the said CIUs, including performing client personal data processing functions on their behalf.
v) any person to whom transmission of data is required under the applicable legislative and regulatory framework or on the basis of an administrative decision and
vi) the supervisory authorities competent for inspection and operation of both the CIUs which the Company manages and/or represents and for the Company itself, and in general any public, administrative, supervisory, judicial, prosecution or other authority and/or service when performing its lawful duties.
The Company has lawfully ensured that the persons processing the personal data of clients on its behalf comply with the requirements deriving from the applicable legislation and provide adequate assurances about the application of suitable technical and organisational measures so that when the personal data of clients is being processed by them, their rights are protected
The Company has already put in place technical and organisational measures to safeguard confidentiality and to lawfully hold, process, protect ad safely store the personal data of its clients from all illegal or unlawful processing, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access in accordance with the provisions of the applicable legislation. Those measures are re-examined and updated whenever that is considered necessary.
4.8. Data protection impact assessment
Where, taking into account the nature, scope, context and purposes of processing, the Company considers that processing could entail high risk for the rights and freedoms of its clients, before processing takes place, it will -with the assistance of the Data Protection Officer- assess the impact of the planned processing activities on the protection of personal data, which includes all the aspects referred to in Article 35 of the GDPR. That impact assessment is required in the case of a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
In light of the above, the impact assessment is carried out in the case of use of new technologies or the adoption/use of data processing operations which could entail high risk for the rights and freedoms of clients as data subjects.
Where necessary, and in particular when the risk of processing operations changes, the Company shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment.
4.9. Transmission of personal data to third countries / international organisations
Personal data can only be transmitted to third countries or international organisations where an adequate level of protection is ensured by the third country or international organisation. If that is no so, the Company may transfer personal data to a third country or international organisation only under the strict conditions set out in the GDPR.
5. Client rights as data subjects
As data subjects, the Company’s clients have the following rights:
a) the right to information and to access the personal data relating to them and to obtain information about such, and the origin, purposes of processing, recipients or categories of recipients, and retention period.
b) the right to submit a request for rectification.
c) the right to erasure of data, subject to the Company’s obligations and lawful rights to retain data for a minimum specific period pursuant to the legislative and regulatory framework applicable from time to time.
d) the right to restrict processing of data where the accuracy of the data is contested or processing is unlawful, or there is no longer any purpose for processing it, provided that there are no lawful grounds for retaining the data.
e) the right to data portability to another controller, provided that processing is based on client consent and is done using automated means. Whether this right can be satisfied depends on the Company’s lawful rights and obligations to retain data and the performance of its duties in the public interest.
f) the right to object to the processing of data relating to them on grounds relating to their particular situation in cases where data is processed to perform a duty carried out in the public interest or for the purpose of the legitimate interests pursued by the Company or a third party.
Requests from Company clients about their personal data and requests to exercise their rights must be submitted to the Company’s Data Protection Officer at the email address firstname.lastname@example.org or in writing to the Company’s offices at 25-29 Karneadou St., Athens GR-10675, marked for the attention of the Data Protection Officer. To that end the special company form entitled APPLICATION FOR DATA SUBJECTS TO EXERCISE THEIR RIGHTS IN THE CONTEXT OF IMPLEMENTING THE GENERAL DATA PROTECTION REGULATION (GDPR) must be filled out.
6. Security of personal data
6.1. Security of processing
The Company implements suitable technical and organisational measures to ensure on a continuous basis the level of security needed in relation to the risks associated with the personal data of clients and the processing thereof. In that context the Company:
has adopted and continuously implements a Policy and procedures to ensure confidentiality and the integrity, availability and reliability of the data processing systems and services.
has adopted a Business Continuity Plan to ensure that in the case of a physical or technical incident it is able to restore availability and access to personal data immediately without delay.
regularly carries out tests, assessments and evaluations of the effectiveness of its technical and organisational measures to ensure the security of processing, taking into account the main risks which arise from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
ensures that each natural person who acts under its supervision and has access to personal data, processes it only within the limits of the instructions given to him/her by the Company and under the terms and conditions laid down by the Company.
has adopted personal data encryption procedures wherever that is considered necessary.
6.2. Personal data breaches
Any breach of this Policy and the legislative and regulatory framework applicable from time to time relating to personal data and the protection thereof, and in general any security breach which leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, is a personal data breach.
To address possible cases of data breaches the Company has adopted and implemented a personal data breach management and response policy.
In cases of personal data breaches, the Company promptly notifies (doing so if feasible within 72 hours of the moment it becomes aware of the fact) the personal data breach to the Hellenic Data Protection Authority unless the breach is not capable of putting client rights and freedoms at risk.
Moreover, in the case of data breaches, the Company promptly informs the Data Protection Officer who in arrangement with the Company takes all measures necessary and takes all steps required to limit the breach, ensure it does not spread and rectify it. The Data Protection Officer records the data breaches which occur, evaluates the causes and documents all breaches, and reports the facts associated with them, their consequences and the rectification measures taken.
When the personal data breach could put the rights and freedoms of clients at high risk, the Company promptly notifies the personal data breach to them in accordance with the specific provisions of the GDPR.
7. Company Obligations
7.1. Privacy by design
Both when specifying the means for data processing and when processing data, the Company implements suitable technical and organisational measures designed to apply data protection principles that ensure that the requirements of the GDPR are met on a continuous basis and to protect clients’ rights as data subjects. In that context, when collecting, holding and processing data it applies the following principles:
Data minimisation - The Company only collects and processes the personal data absolutely necessary for the purposes of processing.
Legality, objectivity and transparency.
Accuracy and updating of the data being processed.
Access to data restricted only to the persons needed for proper and lawful performance of the duties/tasks assigned to them, and only to the extent and degree that access is necessary.
Continuous testing and checking of the adequacy of personal data processing procedures and the organisational and technical measures implemented.
The adoption of simple, easy and effective procedures for clients to exercise the rights associated the data held.
Pseudonymisation - where not required to meet the purposes of processing, personal data is held in such a manner that the personal data can no longer be attributed to a specific client without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
7.2. Privacy by default
The Company implements appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to all personal data collected, the extent of their processing, the storage and retention period and data accessibility. An extension to processing is only possible after prior special, express and written consent from the client in accordance with paragraph 4.2 above.
7.3. Record of processing activities
As Controller, the Company keeps a record of processing activities for which it is responsible, which includes the following information:
a) the name and contact details of the Company, its representatives and Data Protection Officer.
b) the purpose of processing.
c) a description of the categories of data subjects and of the categories of personal data.
d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations.
e) where appropriate, transmission of personal data to a third country / international organisation, including identification of the third country / international organisation.
f) where possible, the deadlines specified for erasure of various categories of data, g) where possible, a general description of technical and organisational security measures which the Company has adopted and implements.
7.4. Staff Training
The Company ensures that all its staff (employees and executives) are fully briefed and trained about all issues relating to the protection of client personal data and staff compliance with the obligations deriving from the GDPR, the legislative and regulatory framework applicable from the time to time, and the policies and procedures the Company has adopted. Induction training is provided when an employee is recruited or upon commencement of an employment relationship/collaboration between him/her and the Company in any way, while during the course of the employment relationship/collaboration the Company ensures that all staff received regular briefings / undergo re-training.
8. Outsourcing of processing to processors
In cases where the Company wishes to outsource the processing of personal data of clients to third parties on its behalf, it only uses processors who provide adequate assurances about implementation of suitable technical and organisational measures, in a way that processing meets the requirements in the GDPR and the legislative and regulatory framework applicable from time to time, and to safeguard the protection of client rights.
Outsourcing in accordance with the above shall be done under a written contract signed by the Company and the processor, which binds the latter in relation to the Company, and as a minimum sets out, inter alia, the scope and duration of the processing, the nature and purpose of processing, the type of personal data and categories of data subjects, and the Company’s obligations and rights as controller.
9. Data Protection Officer
The Company has appointed a Data Protection Officer who participates appropriately and in time in all issues related to the processing of personal data. More specifically, the Data Protection Officer assumes the following duties:
a) he/she informs and advises the Company and employees/executives who process data in any way, about their obligations deriving from the GDPR, the legislative and regulatory framework applicable from time to time, and the policies/procedures which the Company has adopted relating to the protection of personal data.
b) he/she monitors compliance by the Company and its employees/executives who process data in any way, with their obligations deriving from the GDPR, the legislative and regulatory framework applicable from time to time, and the policies/procedures which the Company has adopted relating to the protection of personal data, including the assignment of duties, awareness raising and training of employees involved in processing operations and the relevant checks.
c) he/she provides advice when requested in relation to the data protection impact assessment and monitors its implementation.
d) he/she collaborates with the Hellenic Protection Authority.
e) he/she acts as a liaison with clients on all issues relating to the processing of their personal data and exercise of their rights and
f) he/she acts as a liaison with the Hellenic Data Protection Authority on issues relating to the processing of personal data by the Company.
When performing his/her duties, the Data Protection Officer takes due account of the risk associated with processing operations, considering the nature, scope, context and purposes of processing.
The contact details of the Data Protection Officer appointed by the Company are: Eleni Chilari, 25-29 Karneadou St., Athens GR-10675, tel. 210 7419828 email: email@example.com.