Statement Regarding the Protection of Personal Data

NATIONAL BANK OF GREECE S.A. (hereinafter “the Bank” or “NBG”), as Controller, recognizes and attaches particular importance to the obligation to comply with the applicable regulatory and legislative framework on banking secrecy and, in general, on the protection of individuals from processing of personal data.

The purpose of this statement is to provide information to you as potential and/or existing customers and, in general, persons carrying out business with NBG in whatever capacity, regarding the processing of your personal data, in the context of NBG’s operations and your overall transactional relationship with NBG, pursuant to the provisions of the General Data Protection Regulation 2016/679 (GDPR) and the regulatory framework governing its implementation.

This document will provide you with information about the following:

Who we are - NBG’s details
What are the general principles that the Bank applies when processing your personal data?
What personal data can be processed?
What are the purposes of such data processing?
To which recipients can your data be communicated?
What provisions apply in the case of transmission of your personal data to third countries (cross-border transmission)?
For what length of time are your data held?
What happens when the required period for holding your data has elapsed?

What are your rights regarding your personal data?
What obligations must NBG observe when processing your personal data?
Ensuring protection against phishing
Installation of CCTV for security reasons
Recording of telephone conversations
E-services: Internet Banking - Mobile Banking - Websites
Update - amendments to this Statement regarding the Protection of Personal Data

In detail

Who we are - NBG’s details

NATIONAL BANK OF GREECE S.A. is a banking corporation registered with the General Electronic Commercial Registry (G.E.MI.) No 237901000, website https://www.nbg.gr, headquartered in 86, Eolou Street, 10232 Athens, Greece. As part of its business activity, NBG offers a wide range of financial products and services that meet the ever evolving needs of private and business customers.

What are the general principles that the Bank applies when processing your personal data?

In the context of conducting its business activities, the Bank ensures that the processing of your personal data is effected in compliance with the following general principles:

Your data have been collected in an ethical and lawful manner, with your consent where appropriate, for a specific, explicit and legitimate purpose, and are fairly and lawfully processed in line with the said purpose,
The collected data are relevant to the purpose of the processing, and are sufficient for, and not in excess of, what is required in the context of the purpose of said processing,
The data are reviewed for accuracy and are regularly updated in line with legally established procedures,
The data are kept in a form that enables us to determine your identity for the length of time required in respect of the purposes of said processing,
Adequate security measures are in place to protect your data against risks such as loss, unauthorized access, destruction, unlawful use or disclosure,
Before the processing of your personal data, you are duly informed and you provide your consent, where required, actively and on a voluntary basis. Your consent can be withdrawn at any time, without of course affecting the lawfulness of processing based on consent before its withdrawal.

Your consent is not required in the following cases:

a) for the performance of a contract you have entered into with NBG;

b) in order to take steps regarding a request you submitted prior to the conclusion of the contract;

c) for compliance with a legal obligation to which NBG as Controller is subject;

d) for the protection of your vital interests;

e) for the performance of a task carried out in the public interest or in the exercise of official authority;

f) when the processing is necessary for the purposes of the legitimate interests pursued by NBG, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

What personal data can be processed?

NBG collects, maintains and processes the personal data you disclose or have already disclosed to the Bank as potential and/or existing customers and, in general, as persons carrying out businesses with NBG in whatever capacity at all stages of your business relationship in the context of the products /services provided by the Bank or through it, as well as data arising from your bank account statements and/or from previous loans from the banking system. It is noted that the Bank processes only the personal data that are necessary for the purpose, at any given time, of such processing. In particular, NBG may process the following personal data:

Personal data that you provide to us, such as:

Identification and legalization data (full name, date and place of birth, ID or passport details, national health insurance number (AMKA),
Demographic data (gender, nationality, family status), contact details (postal address, landline or mobile phone number, email address),
Financial data (information concerning your salary and property status, tax residence),
Access data for e-applications (e.g. i-bank login) and electronic identification data (e.g. e-signature),
Geographical location data, if disclosed through you device (smartphone or tablet), •
In exceptional cases, data related to your health and standard of living (e.g. in compliance with its obligations for responsible lending).

Note that you are obliged to promptly inform the Bank of any change in the above data.

Personal data collected by NBG, such as:

In the context of due diligence, sanctions monitoring and anti-money laundering,
In the context of monitoring and evaluating your creditworthiness, risk management of the Bank and, in general, serving and supporting your contractual or business relationship with NBG,
In compliance with the applicable legislative and regulatory framework for the submission of data to the supervisory authorities
In the context of your correspondence and general communication with the Bank,
Economic data that provide an estimate of your investment and financial status and behavior,
Cookies and associated technologies that enable access and use of specific pages and/or website pages for statistical reasons,
Information supplied by supervisory, judicial and other public and independent authorities, related to criminal convictions, offences, enforcement of measures to protect the public interest, seizures, confiscations, commitments,
If there are dues in arrears, data of the Bank’s recorded phone communications in order to provide its debtors with information in accordance with the provisions of Law 3758/2009, as amended; when communication of this kind occurs, other persons who are notdebtors may happen to answer the respective calls, but in such cases the Bank does not disclose to them any personal data regarding the debtors.
Data that concern you and which are publicly accessible online or otherwise.

The personal data processed by NBG are held in physical and/or electromagnetic form.

With regard to the protection of minors:

The Bank recognizes the need to protect the data of minors, as defined by the current legal framework. The data of minors are held by NBG only if they have been provided by those having custody of said minors and only for the purpose of meeting the needs of the respective banking relationship for the benefit of the minors. Note that under no circumstances does NBG deal directly with minors, nor are the products and services it provides intended for direct use by minors, and moreover NBG deals only with those exercising custody over such minors.

What are the purposes of such data processing?

NBG may process your said personal data, which are collected either upon commencing the business relationship or at a subsequent time, for the following purposes:

A) In the context of the performance of a contract or before its signing, in particular:

i. To confirm the identity of, and verify, your data,

ii. To communicate with you, either in the pre-contractual stage, or about issues related to your business relationship with NBG,

iii. To draw up, conclude and, in general, manage the contract and the fulfilment of the Bank’s obligations towards you, and to service, manage, monitor and process your transactions and, in general, provide effectively the requested product/ service,

iv. To service any kind of transaction via e-banking services (transactions effected through alternative networks),

v. To evaluate the potential for offering a product or service and in particular to assess suitability and compatibility when providing investment and ancillary services, and to provide you with relevant information, to oversee governance and monitoring of investment products, and include you, if possible, in the designated customer target market for such products,

vi. to inform you about any amounts due under Law 3758/2009, as amended.

B) As part of NBG’s compliance with the obligations established by the applicable legislative and regulatory framework, in particular:

i. To prevent and suppress money laundering and terrorism financing, and avert fraud against the Bank and/or its customers, and any other illegal action,

ii. To evaluate your creditworthiness, where required for the ongoing conduct of our business relationship,

iii. To assess compatibility and any other appraisal or categorization of the customer, as appropriate, when setting up or offering a financial instrument or service,

iv. To record and file all the customers’ orders for the performance of transactions on financial instruments, including the obligation to record orders given by phone,

v. To record and keep records of the Bank’s communications by phone carried out in the context of informing its debtors of their overdue debts, as per the provisions of Law 3758/2009, as amended, and in order to monitor the proper implementation of the said Law on behalf of the Bank.

vi. To document your request (such as, for example, a request for debt restructuring by reason of inability to repay the debt for health reasons) and its assessment by the Bank,

vii. To enable the Bank to comply in general with its obligations arising from the legislative and regulatory framework each time applicable (including implementation of current legislation on State aid and tax legislation, as well as the provisions on the automatic exchange of information for tax purposes), and with the decisions of supervisory or judicial authorities,

viii. To disclose and transmit information to the competent supervisory, independent, police, judicial and public authorities, in general, as well as duly authorized third-party legal persons, whenever required in accordance with the applicable legislation,

ix To identify you in the Bank’s capacity as a Registration Authority in order to submit an application to a Qualified Trust Service Provider for the issuance of a qualified certificate, according to Regulation (EU) 910/2014 (eIDAS).

C) In the context of NBG’s lawful and normal operations and the safeguarding of its rights and legal interests, in particular:

i. To develop and/or improve NBG’s products and services in respect of your preferences and general transaction activity,

ii. To resolve any requests/complaints you may file,

iii. To assess, manage and prevent risks in the context of NBG’s operations, including geographical location measures, to prevent and combat money laundering and terrorism financing, in the context of the procedure for remote account opening through the i-bank mobile banking app,

iv. To prevent crimes and identify and collect data on unlawful activities, for the physical security of individuals and property (including the video surveillance system),

v. To transfer, concede (either directly or as collateral) and/or securitize any or all liens, claims, guarantees, privileges, securities under any agreement of the client with NBG, towards any third party(ies),

vii. To pursue its legal claims before judicial authorities or other bodies of out-ofcourt/alternative dispute resolution, and assess and optimize security procedures and IT systems etc.

D) Having obtained your consent as regards the processing of your personal data for one or more purposes, such as:

i. To send you information about new products and/or services offered by NBG and its Group companies, as well as other companies, which are marketed by the Bank and match your interests and preferences. In this case, we inform you that you are entitled to revoke your consent at any time, without of course this affecting the legality of any processing that may have taken place on the basis of the consent prior to its being revoked.

ii. To better understand the way you use and interact with the content of our website, by using cookies.

iii. To improvethe services we provide via our website, so as to better meet your personal needs and choices.

iv. To improve and measure the effectiveness and impact of our advertising displayed on third-party websites.

Note regarding automated decision making, including profile creation:

For the aforesaid purposes, processing of your personal data may also be carried out through automated procedures resulting in decisions based on statistical analyses of those parameters that are deemed necessary for each purpose.

For example, the Bank processes information concerning the services you use and/or the banking transactions that you usually carry out (e.g. tax payment using a credit card) in order to present you with products, services or offers that meet your needs more effectively. In such a case, the Bank requests your explicit consent. In addition, there are cases where automated processing becomes necessary for the purpose of signing or performing the contract, such as for example, setting up a profile so as to be able to monitor and prevent fraud and tax evasion, or ascertaining credit scores based on personal data received directly from you or by means of research in the economic data base of TIRESIAS S.A. and regarding which the criteria taken into consideration shall be the data subject’s income, financial obligations, profession, compliance with his contractual obligations in the context of any previous credit facilities received by him from the Bank or another institution.

To which recipients can your data be communicated

Recipients of the data that NBG is obliged or entitled to disclose, by law or regulation or court order or in the context of lawful operation of your contractual relationship with it, may be third parties, whether individuals or legal entities, public authorities, services or other bodies, including:

(a) NBG Group companies, such as, for example: (i) NBG Securities, (ii) NBG Factors, (iii) Ethniki Hellenic General Insurance S.A., (iv) NBG Asset Management, (v) Ethniki Leasing S.A. (vi) PAEGAE, as well as any persons (individuals or legal entities) cooperating with NBG in any form, acting in the name and on behalf of NBG for the purpose of processing the contract (such as Advisors or Associates, subsidiaries or overseas NBG branches),

(b) third parties, individuals or legal entities, acting by order and for the account of the Bank, including the following:

i. Companies notifying debtors and/or guarantors of their debts prior to or after termination and/or the preparatory actions required for out-of-court and judicial pursuit of collection by NBG of their overdue debts in accordance with the provisions of Law 3758/2009, as in force,

ii. Credit servicing firms under Law 4354/2015, as in force

iii. Record keeping and destruction companies,

iv. Contact center services companies,

v. IT supplies and support companies,

vi. Market analysis and research and product marketing companies,

vii. Safekeeping and security companies,

viii. Custodianship Services Companies, ix. Advisory firms,

x. Data reporting providers, xi. Insurance companies and insurance intermediaries in the context of the provision of insurance products,

xii. Property valuers xiii. Data storage providers

(c) Companies to which NBG 's claims are transferred, such as Special Purpose Vehicles, in the context of securitization of receivables and Credit Acquisition Firms under Law 4354/2015, as in force.

(d) National or European institutions in the context of acting alongside NBG for the purpose of provision of credit to those carrying out transactions with NBG.

(e) "Interbanking Systems S.A." ("DIAS SA") for the servicing of interbank transactions, "TIRESIAS SA" for the protection of credit and financial transactions, the Hellenic Deposit and Investment Guarantee Fund, the Hellenic Bank Association, Hellenic Exchanges S.A., and banks and financial institutions in Greece and abroad,

(f) Social security bodies, public institutions, chambers of commerce and public companies,

(g) Credit institutions, payment institutions, electronic money institutions, investment services providers, mutual fund management companies, execution and trading venues, clearing and settlement companies and systems, trade repositories,

(h) Qualified Trust Service Providers in accordance with Regulation (EU) 910/2014 (eIDAS) and any subcontractors thereto (i.e. providers of information support systems and video-identification platforms), in the context of digital customer onboarding through the i-bank mobile banking app or when issuing a qualified certificate through the Bank as a Registration Authority,

(i) Supervisory, judicial, independent and other authorities at national and European level to meet NBG’s obligations under law or regulatory requirement or court judgment, such as: the Bank of Greece, the European Central Bank, the European Commission for Competition, the Hellenic Capital Market Commission, the Hellenic Competition Commission, the US Securities & Exchange Commission (SEC), the Financial and Economic Crime Unit (SDOE), the Financial Police, public authorities in Greece and abroad, courts, public prosecutors, investigators, notaries-public, court bailiffs, mortgage registries, Greek and foreign attorneys-at-law,

(j) Certified Accountants and Auditing Firms,

(k) Cloud Service Providers,

(l) Real estate management or real estate investment companies.

It should be noted that NBG will inform you of any forwarding of your data to the aforesaid recipients, provided that this is required under applicable legislation.

NBG may disclose your personal data to competent supervisory authorities, independent, law enforcement, judicial and other public authorities, where required by the applicable legislative and regulatory framework, on a regular or exceptional basis, upon request or if it is required to report the said data without such prior notification.

It should be noted that when NBG entrusts the processing of personal data to third parties acting in the name and on behalf of NBG, they are under obligation to fully comply with NBG's instructions, while said compliance is ensured by specific provisions in the relevant contractual texts for outsourcing, and in the observance of other relevant procedures.

What are your rights regarding your personal data?

Following the verification of your identity, you, as a Data Subject, have the following rights:

Right to information
NBG must notify you of the processing to which your personal data are subjected, including what data NBG processes, for what purpose, for how long NBG keeps them, in a concise, intelligible and easily accessible form using clear and simple wording.

Right of Access
You have the right to require NBG to confirm whether or not personal data of yours are being processed, and, if so, you have the right to access such personal data.

Right to rectification
You have the right to require NBG to rectify inaccurate or incomplete personal data of yours, and the right to have incomplete personal data completed.

Right to Erasure
You have the right to require NBG to erase personal data, which is possible if certain conditions are met.

Right to restriction of processing
You have the right to require NBG to restrict processing under certain conditions.

Right to Object
You have the right to object, at any time, to processing of personal data concerning you. In this case, NBG must stop processing your personal data unless it can provide compelling and legitimate grounds for such processing, which override your interests, rights and freedoms as a Data Subject, including its own right to establish, prosecute and defend its own legal claims.

Right to obtain human intervention in the context of a decision made by an automated process
You have the right to ask NBG not to allow you to be subject, where applicable, to a decision based solely on automated processing, including profiling, which produces legal consequences concerning you or affects you significantly in a similar way.

Right to portability
You have the right to ask NBG to send you the personal data that you have provided in a structured, commonly-used and machine-readable format, or to ask NBG to transmit these data to another provider.

To further facilitate the exercise of your relevant rights, NBG ensures the development of internal procedures that enable it to respond in a timely and effective way to your relevant requests.

To exercise your rights as above, please submit your request by filling out the special NBG forms available at any of our branches.

You can contact NBG’s Data Protection Officer about issues regarding the processing of your personal data at 93 Eolou St. Athens 10551, Greece or by sending an email to [email protected] or by visiting any of the Bank’s branches.

If you believe that the protection of your personal data has been compromised in any way, you have the right, if you wish, to refer the matter to the Hellenic Data Protection Authority, using the following contact information:

Website: www.dpa.gr

Postal address: Leoforos Kifisias 1-3, 115 23, Athens

Contact Centre: +30 210 6475600

Fax: +30 210 6475628

E-mail: [email protected]

Ιnformation regaring processing of personal data through video surveillance system and other security systems

Purpose and lawfulness of processing

The Bank uses a surveillance system for the purpose of protecting persons and goods.

The processing is necessary for compliance with a legal obligation of the Bank as the controller (article 6 par. 1. (c) of the GDPR), and in particular the Ministerial Decision No. 3015/30/6/23.03.2009 (Government Gazette B’ 536/23.03.2009) "Determination of security conditions for branches of credit institutions", as amended and in force.

At the same time, the processing is necessary for the purposes of the legitimate interests pursued by the Bank as the controller (article 6 par. 1. (f) of the GDPR).

In addition, if you are entering in a Branch of the Bank that has a relevant information sign regarding the photographing of those entering it, we inform you that the entry in this particular Branch is done through double entrance doors, where a security system is installed with a camera to simply take a picture of the upper torso of the body and the face of the entrants.

The security system does not identify or verify the identity of incoming customers, for example by recognizing an eye iris or fingerprints, but processes characteristics of the geometry of the face of the person entering in order to prohibit entry to those persons who have their characteristics covered (that is, persons who wear glasses, a hat, a mask, a helmet, a scarf, etc.).

This processing is necessary for the purposes of the legitimate interests pursued by the Bank as the controller (article 6 par. 1 (f) of the GDPR).

Analysis of the legitimate interests

The legitimate interest of the Bank consists in the need to protect the premises of the Bank's facilities and the goods found in them from illegal acts, such as thefts, criminal activities, etc. The same applies to the safety of life, physical integrity, health as well as the assets of the Bank's staff and third parties who are carrying out business with the Bank (ie persons with transactional relationship with the Bank) who are legally in the supervised area. The Bank collects only image data and has limited reception to places where it has been assessed that there is an increased likelihood of committing illegal acts (eg theft), such as in cash registers in its Branches, in Automatic Cash Registers (ATMs) and in the entrance of the Bank’s Branches and Buildings, without focusing on places where the privacy of the persons whose image is being taken may be excessively restricted, including their right to respect their personal data.

In addition, with regard to the entrance security system of the Bank's Branches where persons entering are being photographed, this photography is done on behalf of the Bank for the sole purpose of prevention and deterrence of criminal acts, protecting persons with transactional relationship with the Bank, staff and assets of the Bank.

Recipients

The material collected is accessible only by the competent / authorized personnel of the Bank who is in charge of the security of the premises. This material shall not be transmitted to third parties, except in the following cases: (a) to the competent judicial, prosecutorial and police authorities when it includes information necessary to investigate a criminal act involving persons or goods relating to the controller, (b) to the competent judicial, prosecutorial and police authorities when requesting data, legally, in the exercise of their duties, and (c) to the victim or the perpetrator of a criminal offense, in the case of data which may constitute evidence of the act.

Data retention period

The Bank maintains the video surveillance data for the period set for banks and financial institutions according to the currently applicable regulatory framework and in particular the relevant Instructions and Decisions of the Hellenic Data Protection Authority, after which they are automatically deleted. If during this period cases of organized financial fraud or questioning of a financial transaction arise, the relevant parts of the video surveillance system data may be kept in a separate file with appropriate security measures for as long as required for the investigation and disciplinary or judicial prosecution of these incidents.

In addition, with regard to the entrance security system of the Bank's Branches where those entering are photographed, it is noted that the photographic file is kept for twenty four (24) hours. After the expiration of the above-mentioned retention period, the said file is deleted, while it is not be transmitted to any recipient, except in the case of a criminal offense.

Rights of data subjects

For your information on your rights as data subjects as well as how to exercise these rights, you can refer to Unit IX above (ΙΧ. WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?)

To evaluate a request for providing a copy of your image, you need to determine when you were in the range of the cameras and give a copy of your image to make it easier to locate your data and hide the data of third parties involved. Alternatively, you are given the opportunity, after submitting your relevant request and locating the relevant data by the Bank, to come to the Bank's facilities in order to be shown the images in which you appear. It should also be noted that the exercise of the right to object or erasure does not imply the immediate erasure of data or the amendment of the processing. In any case, the Bank will respond to you in detail as soon as possible, within the periods set by the GDPR.

Online Services: Internet Banking - Mobile Banking - Websites

If you make use of NBG's website, you should be aware that NBG collects personal data of visitors/users of its website only when they voluntarily supply such data, for the purpose of providing online services (e.g. i-bank Internet Banking and Mobile Banking, request by visitor/user for information about NBG’s products and/or services, feedback/comments by visitors/users).

The personal data collected on the website are relevant to the service each time requested by the visitor/user and may include full name, father’s name, ID number, age, gender, occupation, Tax Identification Number, address, telephone number, e mail address. Where appropriate and depending on the service requested, certain data need only be supplied optionally. NBG may process part or all of the data provided by the visitors/users for the purpose of providing services that are available online as well as for statistical purposes and for improving the information and services provided.

The website may include links to other websites which are under the responsibility of third parties (natural or legal persons). Under no circumstances is NBG responsible for the terms of protection and management of the personal data that these websites follow.

Cookies

NBG may collect data identification about visitors/users of its website by using relevant technologies such as cookies and/or Internet Protocol (IP) address tracking. Cookies are small text files that are stored on the hard drive of each visitor/user and do not take knowledge of any document or file on someone’s computer. They are used to facilitate the visitor’s/user’s access regarding the use of specific services and/or webpages for statistical purposes and for identifying useful or popular areas, and to assess the effectiveness of the webpage and improve the performance of the site. These data may also include the type of browser used by the visitor/user, the type of computer, its operating system, Internet service providers and other such information. In addition, our website's information system automatically collects information about the websites the visitor/user visits and about the links to third-party websites he may choose through pages of NBG's website.

The visitor/user of the website can find out details about the categories of cookies used by the Bank’s website through the relevant help screen. It should be noted that the cookies that are technically necessary in order to link to and navigate around the webpage or to be provided with a service cannot be deactivated. For the remaining categories of cookies, which are optional, visitors/users of the website must choose whether they wish to activate them and, if so, to provide relevant consent.

If the visitor/user of the website does not enable the use of optional cookies, then, as the case may be, he may miss out on some additional information/functionality as such are stated on the settings page for the cookies.

By using the optional cookies, NBG can leverage the capabilities provided by Google Analytics, and in particular by Display Advertising, utilizing the remarketing features to promote its products and/or services online. In particular, third-party vendors, including Google, display advertising messages by NBG on various websites on the Internet. NBG and third-party suppliers, including Google, use cookies (such as the Google Analytics cookie) or third-party cookies (such as DoubleClick cookie) jointly to update, optimize and serve advertising messages based on someone’s previous visits to NBG’s website. Our site visitors/users may declare that they do not wish to be recipients of relevant messages and are excluded from future actions in Display Advertising and can adjust Google Display Network ads using the Ads Settings or enable the Google Analytics opt-out browser add-on, if they so wish, via the following link https://tools.google.com/dlpage/gaoptout (seeking further help at https://support.google.com/chrome/answer/187443?hl=en).

Visitors/users of NBG’s website can delete the cookies and deactivate their use by following the instructions in their preferred browser, as below:

Chrome
Safari
Firefox ▪
Internet Explorer

For other kinds of browser, users/visitors of NBG’s website should refer to the respective information provided by the provider.