Statement on the processing of personal data

(In accordance with Article 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council)

PERSONAL DATA PRIVACY NOTICE

We hereby inform credit information subjects (hereinafter “data subjects”) that the Central Credit Register (hereinafter the “CCR”), operating under Law 4972/2022, keeps a record of credit information, identification information and general information extracted from the systems of the corresponding creditor or of the IAPR, the GE.M.I. and ERGANI, for reasons of cross-checking, and processes such data for the purposes stated below.

The terms used in this notice fall within the meaning of Article 113 of Law 4972/2022 and of Article 1 of Bank of Greece Governor’s Act No. 2697/11.12.2025.

Purpose of data processing and legal basis

The purpose of data processing is the proper and full operation of the Register and the provision of a credit report under Law 4972/2022. The processing of personal data is necessary for compliance with the legal obligation imposed on the Bank of Greece (the “Bank”) as data controller under Law 4972/2022 (Article 6 par. 1(c) of the GDPR).


The personal data that are collected and processed refer to credit information, identification information and general information, as specified in Article 113 of Law 4972/2022.

Recipients

The aforementioned data shall not be disclosed to any third parties, except for authorised staff of the Bank of Greece, persons providing services to the Bank for the operation of the Register, and persons and authorities under Law 4972/2022.

Personal data are processed only by authorised staff of the Bank of Greece and persons that provide services to the Bank under the terms mentioned above, who have been made duly aware of their legal obligations and the applicable rules of conduct and who take all the necessary technical and organisational measures for the protection of such data.

Data controller

“BANK OF GREECE”, whose registered office is in Athens (21 El. Venizelos Str., GR-102 50 ATHENS), tel.: +30 210 320 1111.

Representative of the data controller

For matters concerning personal data, the Bank of Greece is represented by the Bank’s data protection officer (email: dpo@bankofgreece.gr).

Data retention period

The Bank of Greece will keep the aforementioned personal data in its records for a period of 10 years from the time they were extracted from the systems of the corresponding creditor.

Rights of data subjects

In line with the applicable legislation, data subjects have the following rights with respect to their personal data: the right of access and to rectification; the right to restriction of processing; and the right to challenge or complete the data concerning them. In order to exercise these rights, data subjects may either use the CCR Portal, as detailed in the CCR’s Operation Manual, or submit a written request to the Bank of Greece and its aforementioned representative, clearly indicating their full contact details.

In particular, as mentioned in the relevant webpage (https://ccr.bankofgreece.gr/en/about-the-central-credit-register/), as a natural person – Debtor you may request the provision of a Type A Credit Report, which contains a set of identification and verification data regarding you as a Debtor, as well as data reflecting your credit status over the last twelve (12) months. According to Article 120(2) of Law 4972/2022, you have the right to contest, rectify and complete the data contained in the Credit Report by submitting a relevant online request.

The submission of the Contestation Request serves the purpose of:

  • Rectifying inaccurate data contained in the Credit Report.
  • Completing incomplete data in the Credit Report.

Each Request for rectification and/or completion of Credit Information is to be addressed to one Creditor only, whom the Debtor specifies and to whom the Request is automatically forwarded after its submission for checking and for possible rectifying actions.

Creditors that receive a Contestation Request are obliged to respond in writing to the Bank of Greece in order for the latter to reply to the Debtor who submitted the Request, no later than 30 days from its submission. If the Creditor does not intend to comply, they must provide justification for this decision in their reply.

Exclusive responsibility for the validity, completeness and accuracy of the Credit Information reported in the CCR, which is then displayed in the Credit Reports, rests with Creditors.

Data Subject Rights

The data subject rights provided for in the General Data Protection Regulation (GDPR) are exercised, with regard to the Central Credit Register, as follows:

1. Right of information and transparency (GDPR Articles 12-14): It is exercised via the information contained in the relevant webpage (https://ccr.bankofgreece.gr/en/about-the-central-credit-register/) and via the provision of a Type A Credit Report.

2. Right of access by the data subject (GDPR Article 15): It is exercised via the right to be provided with a Type A Credit Report.

3. Right to rectification (GDPR Article 16): It is exercised via the right of contestation of the Credit Report’s content (see above). 

4. Right to restriction of processing (GDPR Article 18): It is exercised via the right to contest and rectify the Credit Report’s content.

5. Right to erasure (“right to be forgotten”) (GDPR Article 17): This does not apply in the case of the Central Credit Register. According to Article 17(3)(b) of the GDPR, this right shall not apply to the extent that processing is necessary “...for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. 

6. Right to data portability (GDPR Article 20): This does not apply in the case of the Central Credit Register. According to Article 20(3) of the GDPR, “The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

7. Right to object (GDPR Article 21): This right does not apply because the processing is necessary for the performance of a task carried out in the public interest.

8. Right to non-automated individual decision-making (GDPR Article 22): There is no automated individual decision-making.

Data subjects have the right to lodge a complaint with the Hellenic Data Protection Authority.

For any further questions about the processing of your personal data, or if you wish to exercise the above legal rights, under the provisions of the law, you may contact the Bank of Greece and the CCR Portal.