Statement on the processing of personal data
(In accordance with Article 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council)
PERSONAL DATA PRIVACY NOTICE
We hereby inform credit information subjects (hereinafter “data subjects”) that the Central Credit Register (hereinafter the “CCR”), operating under Law 4972/2022, keeps a record of credit information, identification information and general information extracted from the systems of the corresponding creditor or of the IAPR, the GE.M.I. and ERGANI, for reasons of cross-checking, and processes such data for the purposes stated below.
The terms used in this notice fall within the meaning of Article 113 of Law 4972/2022 and of Article 1 of Bank of Greece Governor’s Act No.2697/11.12.2025.
Purpose of data processing and legal basis
The purpose of data processing is the proper and full operation of the Register and the provision of a credit report under Law 4972/2022. The processing of personal data is necessary for compliance with the legal obligation imposed on the Bank of Greece (the “Bank”) as data controller under Law 4972/2022 (Article 6 par. 1(c) of the GDPR).
The personal data that are collected and processed refer to credit information, identification information and general information, as specified in Article 113 of Law 4972/2022.
Recipients
The aforementioned data shall not be disclosed to any third parties, except for authorised staff of the Bank of Greece, persons providing services to the Bank for the operation of the Register, and persons and authorities under Law 4972/2022.
Personal data are processed only by authorised staff of the Bank of Greece and persons that provide services to the Bank under the terms mentioned above, who have been made duly aware of their legal obligations and the applicable rules of conduct and who take all the necessary technical and organisational measures for the protection of such data.
Data controller
“BANK OF GREECE”, whose registered office is in Athens (21 El. Venizelos Str., GR-102 50 ATHENS), tel.: +30 210 320 1111).
Representative of the data controller
For matters concerning personal data, the Bank of Greece is represented by the Bank’s data protection officer (email: dpo@bankofgreece.gr).
Data retention period
The Bank of Greece will keep the aforementioned personal data in its records for a period of 10 years from the time they were extracted from the systems of the corresponding creditor.
Rights of data subjects
In line with the applicable legislation, data subjects have the following rights with respect to their personal data: the right of access and to rectification; the right to restriction of processing; and the right to challenge or complete the data concerning them. In order to exercise these rights, data subjects may either use the CCR Portal, as detailed in the CCR’s Operation Manual, or submit a written request to the Bank of Greece and its aforementioned representative, clearly indicating their full contact details.
Data subjects have the right to lodge a complaint with the Hellenic Data Protection Authority.
For any further questions about the processing of your personal data, or if you wish to exercise the above legal rights, under the provisions of the law, you may contact the Bank of Greece and the CCR Portal.