Privacy Policy and Cookies

               

ASTROBANK’S PRIVACY NOTICE

 Last update:  July 2024

  1. OVERVIEW

ASTROBANK PUBLIC COMPANY LIMITED (“we,” “our,” “us” or “the Bank”) is committed to protecting and respecting your privacy and your rights, as regards the personal data collected and processed for the provision of our products and services.

We process your personal information in accordance with the applicable legal and regulatory framework, including the Law on the Protection of Natural Persons Against Personal Data Processing and the Free Movement of Such Data of 2018 (L. 125(I)/2018), as amended from time to time, and the General Data Protection Regulation 2016/679 (“GDPR”), which applies as of 25 May 2018.

This notice (referred to as the “Privacy Notice”) provides an overview of how and why the Bank processes personal data concerning natural persons, as well as of the rights of such persons, in the context of the offering and provision of banking and financial services and products. It is directed to natural persons who are current or prospective customers, or are authorised representatives/agents, security providers, related parties, or beneficial owners of legal entities or of natural persons which/who are current or prospective customers of the Bank, or to natural persons who now have or who had a business relationship with the Bank in the past, or to any other natural persons whose personal data has or may in the future be lawfully obtained by the Bank in the normal course of its business.

For the purposes of the present Privacy Notice, the terms “personal data”, “data” and “personal information” are used to refer to any information relating to you that identifies or may identify you, either directly or indirectly, such as your name, contact details, identification data (e.g. identity card/passport number) and authentication data (e.g. your signature). Moreover, the term “processing” is used herein to collectively refer to actions such as the collection, retention, use, disclosure, transfer, deletion or destruction of personal data.

Please read the following carefully in order to understand our policies and practices regarding your personal data and how we process them.

 

  2. WHO WE ARE AND OUR CONTACT DETAILS

ASTROBANK PUBLIC COMPANY LIMITED is a licensed credit institution incorporated and established in accordance with the laws and regulations of the Republic of Cyprus, with registration no. 189515, and with registered address and/or headquarters at 1 Spyrou Kyprianou Avenue, 1065 Nicosia, P.O. Box 25700, 1393 Nicosia, telephone number 22575500.

Responsibility for the processing of your personal data lies with the Bank, which acts as the data controller, i.e. as the entity that, alone or jointly with others, determines the purposes and means of the processing of personal data.

You may contact our Data Protection Officer (DPO) for any matters arising out of and/or in connection with this Privacy Notice, including for the purposes of exercising your rights, at:

ASTROBANK PUBLIC COMPANY LIMITED

Data Protection Officer

1, Spyrou Kyprianou Avenue, 1065, Nicosia

P.O. Box: 25700, 1393, Nicosia, Cyprus

Tel. Number: 22 366018

Email: dpo@astrobank.com

 

Additionally, you may exercise your rights via any Branch and/or Unit of the Bank, which will in turn liaise with the Data Protection Officer to respond to or fulfill your request, or you may fill in the Exercise of GDPR Rights Form, which is available on our website at www.astrobank.com, and submit it electronically to dpo@astrobank.com.

We will use reasonable endeavours, in line with the applicable legal framework, to meet, comply with and reply to your inquiries, requests and comments promptly and transparently.  

 

  3. WHAT KIND OF PERSONAL DATA WE PROCESS

The type of personal data we process, the particular processing activity we utilize, as well as the extent of such processing, depend on the services and products requested or agreed in each case.

 

We collect, use, consult or otherwise process personal data of:

  • prospective and current individual customers;
  • persons connected to prospective and current customers, as applicable and/or appropriate (“connected persons”):
      • Where such customers are individuals, connected persons may include introducers, authorised representatives/agents, attorneys/administrators/executors, family members or close associates of such customers that fall under the category of politically exposed persons (PEP), past and/or current employers.
      • Where such customers are legal entities, connected persons may be, inter alia, introducers/associates, authorised representatives/agents, officials, partners, shareholders, investors, administrators, trustees, authorised signatories, family members or close associates of such connected persons that fall under the category of politically exposed persons (PEP), ultimate beneficial owners (UBOs).
  • security providers for credit facilities (e.g. guarantors); and
  • non-customer counterparties, as required for the provision of our services (e.g. personal and payment information of payers or beneficiaries in payment transactions).

 

In more detail:

  1. Where you are a prospective customer (including an authorised representative/agent of an individual or legal entity that is a prospective customer or the ultimate beneficial owner of a legal entity that is a prospective customer); or a prospective security provider such as a guarantor of credit facilities, we collect and further process data that may include the following:
  • personal identification data (e.g. name, surname, passport/identity card number, social security number);
  • personal details (e.g. gender, marital status, number of dependents, date of birth, place of birth, country of birth, citizenship, education level and other information contained in CVs, where applicable);
  • authentication information (e.g. signature);
  • contact details (e.g. residence address, mailing address, phone numbers, e-mail address);
  • employment data/business activities information (e.g. profession, employer’s name, job title, employment address and contact data);
  • financial identification data (e.g. details of income and expenses, assets and liabilities (including debts and provision of securities), past and expected financial and economic activity);
  • tax information, including the US Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standard (CRS) details (e.g. country of tax residence, tax identification number);
  • politically exposed persons (PEP) information (where you or a family member or close associate holds/held a prominent public function);
  • purposes for and nature of the intended business relationship with us;
  • In particular, regarding the “sKash” Mobile Wallet Application, including the issuance of the “sKash” cards, during the registration and/or subscription process of natural persons we may collect inter alia, identity card numbers and copies thereof, and/or mobile phone numbers and/or email addresses and/or utility bills and/or other supporting documentation and/or all data as above.

 

Should we enter into a business/contractual relationship with you, we will retain and further process the aforementioned data, as explained in section 9 herein below.

 

  2. In the course of the provision of services and products to you or the legal entity you are connected with, additional personal data may be collected, used and stored, primarily the following:

 

Account and payment services (including Internet Banking and the “sKash” Mobile Wallet Application, the issuance of the “sKash” card; ad hoc or standing orders/direct debits; and credit/debit cards):

Payment transaction data as well as any other data associated with the transaction. Such data includes account numbers and/or IBAN numbers and/or other unique identifiers; account(s) balance; nature and type of a payment transaction (e.g. purchase of goods, purchase of services, money transfers); data transmitted with the payment order; data about when, where and with whom you transact, including data of third-party beneficiaries and any other processing that may arise out of our contractual obligations.

 

Savings and deposits:

Data regarding the particular accounts and transactions (e.g. account numbers and/or IBAN numbers and/or other unique identifiers, account(s) balance, data transmitted with each transfer/deposit of funds, cheques’ details), withholding tax data for special contribution for defence, financial and economic information (e.g. past and expected credit turnover, source of funds and assets, source of financial possession), and data of any third-party beneficiaries.

 

Banking facilities (e.g. loans and overdrafts):

Information and supporting documentation [that may contain personal data of the borrower(s), and other persons connected/related to the borrower(s)] regarding:

  • the purpose of the banking facility (e.g. for immovable property financing, we request a description of the particular property, property valuation reports, construction and municipal permits, sale agreements, title deeds etc.);
  • securities for the provision of banking facilities (e.g. where an insurance policy is assigned to us, data such as the particular insurance company, the policy number, current surrender values etc., or for mortgages on immovable properties, we request a description of the particular property, property valuation reports, title deeds, Land Registry reports etc.);
  • where the borrower is a consumer, employment status, such as employment history and nature/term of current position; and/or financial and economic status (e.g. details and supporting documentation of current income and expenses, assets and liabilities (including debts, securities and investments) and data we obtain from the Data Exchange Mechanism Artemis and public and/or regulatory and/or supervisory authorities (such as information we obtain from the relevant registries maintained by the Department of the Registrar of Companies and Official Receiver of the Republic of Cyprus; the Central Bank of Cyprus; and competent Land Registry Offices));
  • where the borrower is a self-employed person or legal entity, business profile and financial activity (e.g. cash flows and balance sheets, business management information; data regarding assets and liabilities; as well as data obtained from the Data Exchange Mechanism Artemis and public and/or regulatory and/or supervisory authorities (such as information obtained from the relevant registries maintained by the Department of the Registrar of Companies and Official Receiver of the Republic of Cyprus; the Central Bank of Cyprus; and competent Land Registry Offices)); business activity information, such as expected annual turnover;
  • tax status (e.g. tax identification number, tax residency status, tax declarations and proof of tax return submissions);
  • personal details (e.g. where the borrower is an individual, number of dependents);
  • information regarding authorized representatives/agents (e.g. identification data; authentication data; contact details); or, in the case of legal entities, identification and residency/contact information of individuals connected with the particular legal entity (directors, secretaries, shareholders, signatories and/or other authorized persons/agents, beneficial owners).

 

Where personal guarantees by third parties are offered and/or provided, we request to collect and further process personal data of such third parties regarding their financial and economic background and circumstances, as provided directly from them or from other sources [e.g. from the Data Exchange Mechanism Artemis and the relevant registries maintained by public and/or regulatory and/or supervisory authorities (such as the Department of the Registrar of Companies and Official Receiver of the Republic of Cyprus; the Central Bank of Cyprus; and the Land Registry)].

 

Investment and interest rate and currency products and services

We may collect and further process information regarding knowledge and experience with shares, funds, interest rate/currency products and financial investments (e.g. for MiFID services); investment behaviour/strategy (e.g. scope, frequency and risk policy); personal investment portfolio; income, assets and liabilities; foreseeable changes in financial circumstances.

 

Insurance

Where you participate in our bancassurance scheme and/or assign an insurance to us for the purposes of the provision of credit facilities, we also collect information regarding existing/previous policies (e.g. policy numbers, products, premiums, properties and claims), as well as information regarding other persons that are insured under the same insurance scheme you participate in and/or assign to us.

 

  3. Regardless of whether you are a prospective or current customer (including an authorised representative/agent of such an individual or legal entity or the ultimate beneficial owner of such a legal entity); or a prospective or current security provider such as a guarantor of credit facilities, we may process the following data:

                                                                                                         

Website and electronic/digital services

When you access and use our website and electronic/digital services (including the Internet Banking and the “sKash” Mobile Wallet Application), we collect data such as the internet protocol (IP) address used to connect your device to the internet, your login data, type of device you use, network/browser data, a unique device identifier (e.g. your mobile phone number and/or device ID), the times you access our website and/or electronic/digital services; and geolocation data.

 

Moreover, when you access and use our website or online services, we may place small data files on your device (“cookies”) in order to create a safer and more efficient online environment. You can view our cookies policy on our website at www.astrobank.com.

 

We collect automatic information, as above, in order to assess, customise and improve our services and products, aiming to deliver to you the highest experience and service standards.

 

Kindly note that, should users of our website choose to follow the special connections (links, hyperlinks, banners) to the websites of third parties, we are not responsible for the terms of personal data processing and protection followed by these parties.

 

Communications with us

When you communicate with us (e.g. face-to-face visits to our Branches/Units and offices, or by letters, emails, faxes, phone or video calls, etc.), more data are created (e.g. method of communication, date and time, content and outcome of our communication). We record and retain in our records information generated by such communications and our relevant responses to you, for the following reasons:

-    We record communications regarding customer service enquiries, requests and comments, to ensure that you receive optimum service levels;

-    We record communications regarding applications for and provision of banking and financial transactions, in order to comply with our statutory obligations under the anti-money laundering and anti-terrorism law and relevant regulatory obligations of the Central Bank of Cyprus.

 

  4. CHILDREN’S DATA

For the purposes of this Privacy Notice, “children” are defined as individuals under the age of eighteen (18).

We understand and respect the importance of protecting the privacy of children.  We may process the personal data of children only with the prior consent and/or authorization of their parents or legal guardians or as otherwise required or permitted by law.

 

  5. SOURCES OF PERSONAL DATA

We lawfully obtain data, as described above, to the extent and where necessary in order to provide our services and products, from:

 

  • Prospective and current customers, either directly from them or from their authorised representatives/agents or via other communication channels (e.g. our website, Internet Banking and the “sKash” Mobile Wallet Application or if you take part in competitions or promotions of the Bank);
  • Third parties, e.g. public and/or regulatory and/or supervisory authorities (such as Department of the Registrar of Companies and Official Receiver of the Republic of Cyprus; the Central Bank of Cyprus; Cyprus Clearing House, Central Information Registry and competent Land Registry Offices); credit reference bureaus such as the Data Exchange Mechanism Artemis; other non-affiliated entities with which we have a contractual relationship for the purposes of the provision of our services and products (e.g. JCC Payment Systems Ltd and the Lufthansa Group for credit and debit cards services; cards and ATM services providers; private investigators (in Cyprus and/or abroad), insurance companies for different kinds of insurance contracts e.g. life insurance, bancassurance, motor vehicle, fire or household insurances; other payment services institutions such as Banks and other third parties you transact with (e.g. merchants); natural or legal persons acting as introducers/associates; and entities providing services and products for Know-Your-Customer (KYC) and due diligence purposes);
  • Publicly available sources, e.g. registries maintained by public and/or regulatory and/or supervisory authorities (such as the Companies’ Registry, the Bankruptcies and Liquidations Registries and the Intellectual and Industrial Property Registries maintained by the Department of the Registrar of Companies and Official Receiver of the Republic of Cyprus; and competent Land Registry Offices); lists and databases maintained by other entities including international organisations [such as sanctions lists and politically exposed persons (PEPs) lists]; the media, the press and the internet.

 

  6. WHY WE PROCESS YOUR PERSONAL DATA AND ON WHAT LEGAL BASIS

We collect and further process your personal information in compliance with the applicable data protection legal framework, for the following reasons:

  • For the performance of contractual obligations

We collect and further process data which is necessary in order to perform our contractual obligations to you for the provision of our services and products, or to take steps, at your request, prior to entering into a contract with us. The purposes of the data processing are mainly dependent on the specific service and/or product, as described in the relevant contractual terms and conditions and can include needs assessments, advice, asset management and support, as well as executing transactions.

  • For compliance with our legal obligations

As a bank, we are subject to various legal obligations emanating from the relevant laws to which we are subject as well as statutory requirements [for example the Cyprus Banking Law, the Cyprus Investment Services Law, the applicable Payment Services Laws, the Money-Laundering and Terrorism Financing Laws, the Law on Deposit Guarantee and Resolution of Credit and Other Institutions Scheme, the EU Directive on markets in Financial Instruments (MiFID), the EU Directive on payment services in the internal market (PSD), and tax laws and/or regarding the fight against fraud in tax areas (e.g. VAT) such as the EU Directive on administrative cooperation in the field of taxation (DAC), the EU Directive as regards mandatory automatic exchange of information in the field of taxation to reportable cross-border arrangements (DAC6)]; as well as requirements of supervising and/or regulatory authorities [including of the European Banking Supervisory Authority; the Central Bank of Cyprus; the Cyprus Police, including the Unit for Combating Money Laundering (MOKAS), and the Cyprus Securities and Exchange Commission].

For these reasons, data collected, as described above, is used for anti-money laundering and anti-fraud measures; credit controls; tax law controls and reporting obligations; assessment and management of risks of the Bank; for compliance with Court judgments and/or orders; etc.

  • For safeguarding legitimate interests

Where necessary, we collect and manage data above and beyond the performance of our contractual and/or legal obligations, where it is necessary for safeguarding legitimate interests pursued by us or by other parties, in compliance with the applicable personal data legal framework. Data and/or information are processed under this ground for reasons pertaining to business and/or commercial interests, taking into consideration the necessity of such action and your interests, fundamental rights and freedoms, as well as your reasonable expectations. Examples of such processing include the following:

  • Consulting and exchanging data with credit reference agencies (e.g. the Data Exchange Mechanism Artemis) and other registries (e.g. the Companies’ Registry, the Bankruptcies and Liquidations Registries and the Intellectual and Industrial Property Registries maintained by the Department of the Registrar of Companies and Official Receiver of the Republic of Cyprus; competent Land Registry Offices) to determine credit or default risks;
  • Pursuit and/or defence of claims in judicial and/or regulatory procedures;
  • To collect and recover funds owed to the Bank;
  • Consulting and exchanging data with external legal consultants/advisors for preparation for legal claims or on ad hoc basis for particular cases;
  • Consulting or exchanging data with external accountants/auditors;
  • Transfer, assignment and/or sale of any or all of our rights, titles or interests under any agreement between you and us;
  • Reviewing and improving procedures for needs and demands assessments for the purpose of direct client discussions;
  • Advertising or market and opinion research, provided that you have not objected to having your data processed for such purposes;
  • Measures for further developing services and products and managing business;
  • Ensuring the smooth operation of our network and IT operations and security;
  • Measures and processes for IP rights protection and theft prevention;
  • Crimes and fraud prevention and investigation;
  • Measures and processes for security purposes and to prove availability [e.g. video surveillance (CCTVs) of our branches, offices and ATMs; admittance controls; and anti-trespassing measures];
  • Risk management and control;
  • Taking photos of immovable property by valuators in the context of generating property valuations;
  • Utilisation of external investigative agents and/or other agencies for conducting further investigation for customers posing increasing money laundering/terrorist financing risk and where enhanced due diligence measures are deemed necessary;
  • Utilisation of external expert consultants for conducting specialized investigations for internal audit purposes;
  • Processing of third parties’ personal data in the context of issuing letters of guarantee which relate to such third parties;
  • Measures to determine whether the Bank’s quality standards are met and to initiate actions for the improvement of service e.g. performing customer satisfaction surveys;
  • Outsourcing to third party service providers communication methods such as calls and/or posting to and email communications with customers on behalf of the Bank;
  • Examining customers’ participation eligibility in various draws conducted by the various departments of the Bank such as the cards department etc;
  • Sharing your personal data, where such sharing is necessary for one or more of the following purposes:

(i)   the assessment of the Bank or of any part of the Bank’s assets, with respect to a commercial transaction:

(A)    for the sale, by allotment or otherwise, by the Bank to a potential buyer, of issued share capital of the Bank equalling at least one twentieth (1/20) of the total issued share capital of the Bank (calculated immediately after the completion of the said sale),

(B)     for the sale (either by assignment or otherwise), by the Bank to a potential buyer, of any part of the Bank’s assets (including credit facilities provided by the Bank),

(C)     for the Bank’s entry into an agreement whereby a third person (which for the purposes of this bullet point will be referred to as the “Participant”) will undertake risk in credit facilities that have been provided by the Bank,

(D)    for the encumbering by the Bank of any part of its assets in favour of a third person (which for the purposes of this bullet point will be referred to as the “Counterparty”),

(ii)  the Bank’s awarding of works, services or activities to a collaborator of the Bank, or the Bank’s purchasing or acquisition of products/services from a collaborator of the Bank.

 

  • On the basis of your consent

Insofar as you have granted us explicit and specific consent to the processing of your personal data for specific purposes other than the ones described above, the lawfulness of such processing is based on your consent.

You have the right to revoke your consent at any time. Kindly be advised that any such revocation shall only have effect after it is submitted and filed by us, and that it will not affect the lawfulness of data processed prior to the revocation.

 

  7. WHO RECEIVES YOUR PERSONAL DATA

Within the Bank, your personal information is only processed by the Departments/Units and/or persons that are authorised to process it, given that it is necessary to do so for the fulfillment of our contractual and legal obligations, or where you have given us your consent to process it, or where we believe that it is necessary for our legitimate interests to do so, as explained in section 6 above. Kindly note that such persons are under banking secrecy and confidentiality obligations.

Your data may also be received by various service providers and suppliers with whom we have contractual agreements, pursuant to which they are bound by the confidentiality and data protection obligations according to the applicable data protection legal framework.

We may also disclose your personal information to other individuals and/or entities for any of the reasons described above, where and to the extent we are legally obligated or otherwise authorised to do so, or where you have given us your explicit consent.

We will not disclose and/or transfer your personal information to any third parties for their own direct marketing purposes, unless you have explicitly authorised us to do so.

Under the aforementioned conditions, recipients of your personal data may include:

  • Public and/or regulatory and/or supervisory authorities and other public institutions, to the extent that we are under a statutory or regulatory obligation to do so, such as the Central Bank of Cyprus [e.g. data that we disclose to the Central Information Registry (CIR) maintained by the Central Bank of Cyprus that includes information about dishonoured cheques], the European Central Bank, the Cyprus Securities and Exchange Commission, tax authorities, European databases, central information system for payments (CESOP), law enforcement authorities [e.g. police, including the Unit for Combating Money Laundering (MOKAS)]; courts and tribunals;
  • Other public authorities, where we are authorised by you to do so (e.g. the Ministry of Labour, Welfare and Social Insurance in respect of applications for benefits; the Ministry of Finance in respect of applications for exemptions);
  • Other relevant government authorities with respect to various government schemes such as the Estia scheme;
  • Other banking and financial institutions or similar institutions to which we transfer your data in order to perform our contractual obligations (e.g. corresponding banks; custodian banks; brokers; stock exchanges; share and stock investment and management companies; the European Investment Fund);
  • Entities we work with for the provision of credit/debit card services (e.g. VISA, MASTERCARD, and JCC Payment Systems Ltd) including the entities with which the Bank cooperates for the issuance of the “sKash” cards;
  • The Cyprus Clearing House, for the exchange and clearance of cheques;
  • Direct debit service providers;
  • Entities offering technological expertise, solutions and support, such as the Wallet service providers;
  • Credit reference agencies such as the Data Exchange Mechanism Artemis;
  • Valuators and surveyors;
  • Insurance companies;
  • External legal consultants, auditors and accountants; financial and business advisors;
  • Marketing, market research and advertising companies;
  • File storage, archiving, records management companies and cloud storage companies;
  • Prospective and actual purchasers, assignees, transferees and chargees of our rights, titles or interests under any agreement between you and us;
  • Servicing Companies and their sub-processors;
  • Your own legal representatives/agents;
  • Call centers and/or other services providers which may assist us with large scale and urgent campaigns and/or correspondence relating either to marketing or other obligations of the Bank;
  • External investigative agents and/or other agencies to which further investigation is entrusted to be conducted in respect to customers posing increased money laundering/terrorist financing risk and where enhanced due diligence measures are deemed necessary;
  • Various government platforms such as “Ariadni” or other companies for the purposes of performing “Know Your Client” (KYC) verification checks provided that your prior consent has been obtained;
  • Marketing companies and market research companies including companies which assist us in performing customer satisfaction surveys;
  • Insurance brokers for the purpose of negotiating and settling claims under an insurance program which the Bank maintains with relevant insurers and reinsurers.

 

  8. DATA TRANSFERS TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

Personal data will only be transferred to third countries, namely countries outside the European Economic Area, where:

  • it is necessary to do so in order to carry out your orders (e.g. payment or investment orders). In particular for international credit transfers and separately requested express credit transfers executed through SWIFT, personal data may be transferred to SWIFT’s operating centers in the US;
  • we are legally obliged to do so under any law and/or European and/or International Regulation (e.g. the Bank is obliged to disclose information to the Cyprus Ministry of Finance which may in turn disclose it to the US authorities pursuant to the legal framework implementing the US Foreign Account Tax Compliance Act (FATCA) and the OECD Common Reporting Standards (CRS Law));
  • data processing is undertaken by third parties on behalf of the Bank and according to the Bank's instructions;
  • it is necessary for the establishment, exercise or defence of legal claims;
  • it is necessary for the performance of a contract between you and the Bank;
  • it is necessary for the purposes of compelling legitimate interests pursued by the Bank which are not overridden by the interests or rights and freedoms of Bank’s customers; or
  • you have given us your consent to do so.

 

If the Bank does transfer your personal data to a third country, the Bank will make sure that your personal data is protected in the same way as if it were being used in the EEA.

Service providers and other entities that process your personal data on our behalf are under the obligation to comply with the same personal data protection standards and safeguards as we do, on the basis of either an adequacy decision issued by the European Commission pursuant to Article 45 of the GDPR (in particular, to Switzerland regarding services being rendered in respect of private banking customers) or contractual clauses between us and them or other appropriate safeguards pursuant to Article 46 of the GDPR.

As referred to under section 7, the Bank uses cloud technology to store your personal data. The cloud service providers used by the Bank, and their data centers, are located in the EEA and are thus bound by the GDPR requirements.

In the case where personal data may be transferred to or accessed from a third country for the purposes of the provision of the services outsourced, or if required by law, the Bank shall ensure contractually that the cloud service providers apply the GDPR principles and provisions. Your rights in relation to this processing activity may be exercised as disclosed in section 13. Retention of personal data in the cloud shall be in line with the general retention policy of the Bank as described in section 9.

  9. RETENTION PERIOD

As a general rule, we only retain your personal data for as long as it is strictly necessary for the purposes for which it was initially collected, in accordance with the applicable statutory and regulatory framework, including the relevant Directives issued by the Office of the Data Protection Commissioner of the Republic of Cyprus, which are available on the Commissioner’s website.

  1. Pursuant to the above Directives, we shall retain your personal data as follows:

  • Personal data of current customers; persons connected to current customers (as above); and current security providers (e.g. guarantors):

We shall retain personal data of such persons throughout our business/contractual relationship with you.

  • Personal data of former customers; persons connected to former customers (as above); and former security providers (e.g. guarantors):

We will delete and destroy or anonymize the personal data of such persons ten (10) years after the contractual relationship between such persons and us is terminated in its totality, and/or the accounts of such persons are closed and/or an individual transaction taking place outside the context of a business/contractual relationship is executed. The aforesaid will not apply and we will retain such data for longer where there are any pending legal proceedings and/or investigations by public authorities/bodies and/or other disputes/differences in relation to such data.

  • Personal data of prospective customers; persons connected to prospective customers (as above); and prospective security providers (e.g. guarantors):

We will delete and destroy or anonymize the personal data of such persons six months after the relevant notification for the rejection of applications or the withdrawal of interest by the prospective customer.

 

  1. Pursuant to the Prevention and Suppression of Money Laundering Activities Law of 2007, we will retain the following information and documentation for a period of five (5) years after the end of our business relationship with the customer or after the date of a single transaction:

(a) a copy of the documents and information required for compliance with customer due diligence requirements as defined in the aforementioned Law;

(b) the relevant evidence and records of transactions which are necessary for the identification of transactions;

(c) relevant correspondence documents with customers and other persons with whom a business relationship is maintained.

  • At the end of the five-year period referred to above, we shall delete the above specified personal data unless otherwise provided by other legislation.
  • It is provided that we retain the above information/documentation for five (5) additional years where the further retention of such information/documentation is reasonably justifiable for the purposes of preventing, identifying and investigating money laundering activities and the financing of terrorism, without prejudice to the provisions relating to criminal proceedings concerning evidence in connection with ongoing criminal investigations and proceedings.
  • Provided that, without prejudice to the provisions relating to criminal proceedings associated with money laundering activities and the financing of terrorism, which apply to evidence concerning criminal investigations and legal proceedings, we are obliged to retain the aforementioned information/documentation for a period up until 24 June 2025.
  • For Foreign Account Tax Compliance Act (FATCA) compliance purposes, six years.
  • For Common Reporting Standard (CRS) compliance purposes, for a period of not less than five years after the end of the period within which the Reporting FI must report the information required to be reported under the CRS.

  10. WHETHER WE CARRY OUT AUTOMATED DECISION MAKING (INCLUDING PROFILING)

We do not make decisions based solely on automated processing, including profiling.

However, we may process some of your data, including by automatic means, in order to evaluate certain of your personal aspects (profiling), in the following cases:

  • We carry out data evaluations (including on payment transactions) in the context of our anti-money laundering, anti-terrorism financing and anti-fraud measures. Such assessments may also serve to protect your interests (e.g. where we become aware of any unusual activity of your accounts);
  • We employ credit scoring to assess your creditworthiness, so that we can evaluate whether customers will meet their contractual payment obligations and to make fair and responsible decisions regarding the provision of our services and products, especially in the context of providing banking facilities, including loans and overdrafts.

 

  11. MARKETING

We will only use your personal information for direct marketing purposes if (a) you have given us your explicit consent to do so, in which case you may revoke such consent at any time; or (b) where we believe that such processing is necessary for pursuing our legitimate interests, in accordance with the applicable legal framework and having taken into account the considerations described in section 6 above, in which case you have the right to object to such processing, as described in section 13 below.

 

  12. WHETHER YOU HAVE AN OBLIGATION TO PROVIDE US WITH YOUR PERSONAL DATA

We will ask you to provide us with certain personal information, as described in section 3 above, when you (or the natural or legal person that you represent, or act as agent of, or the entity you are a beneficial owner of) apply to enter into a business relationship with us, as well as during the course of our business relationship (including when you apply for more services and products). The provision of such personal information is a requirement for accepting and carrying out or for continuing a business relationship with you, as it is necessary for the performance of our contractual obligations and for us to comply with our legal obligations, as described by section 6 herein. In particular, we are under legal obligations, in accordance with the applicable anti-money-laundering and anti-terrorism financing legal framework, to collect and use at least the following information and relevant documentation regarding yourself and any natural or legal person that you represent, or act as agent of, or the entity you are a beneficial owner of:

  • Identification data;
  • Citizenship, country and city of birth;
  • Residency information, including residential address.

 

Moreover, during the course of our business/contractual relationship, you must disclose any changes to the aforementioned data, without undue delay.

 

If you do not provide us with the necessary information and supporting documentation, we will not be able to enter into or continue a business/contractual relationship with you (or the natural or legal person that you represent, or act as agent of, or the entity you are a beneficial owner of).

 

  13. YOUR PERSONAL DATA RIGHTS

We respect the rights you have under the personal data legal framework, namely the following:

  • Right of access

You have the right to obtain from us confirmation as to whether or not data concerning you are being processed and, if that is the case, access to such data and further information in relation to them.

  • Right of rectification

You have the right to request and to obtain from us rectification of inaccurate personal information concerning you.

  • Right to erasure (“right to forget”)

You have the right to request us to erase your data, where one of the following applies:

  • Where such data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • Where we process such data on the basis of your consent and you refuse or withdraw such consent, provided that no other legal ground for processing applies;
  • Where we process your personal information in order to pursue our legitimate interests (e.g. for direct marketing purposes) and you object to such processing, provided that no overriding legitimate grounds for the processing apply;
  • Where such personal data have been unlawfully processed; and
  • Where such personal data have to be erased in compliance with a legal obligation of the Bank.

  • Right to restriction of processing

You have the right to obtain from us restriction of processing of data concerning you, where one of the following applies:

  • Where you contest the accuracy of such data, for a period that allows us to verify the accuracy of such data;
  • Where the processing is unlawful and you oppose the erasure of such data, requesting restriction of their use instead;
  • Where we no longer need to process such data, but you require their retention for the establishment, exercise or defense of legal claims; and
  • Where you have objected to us processing your personal information on the grounds of our legitimate interests (e.g. for direct marketing purposes), until we verify whether the grounds on which we process such data override your rights and freedoms.

  • Right to object to processing

You have the right to object, at any time, on grounds relating to your particular situation, to us processing your personal data on the basis of our legitimate interests (e.g. for profiling, including for direct marketing purposes). Should you exercise this right, we will no longer process such data unless we are able to demonstrate compelling legitimate grounds for the processing.

  • Right to withdraw consent

Where we request your consent for processing your information, you have the right to refuse to give such consent. Moreover, where you have already given us such consent, you can revoke it at any time. Any such revocation shall only have effect after it is submitted and filed by us, and will not affect the lawfulness of data processed prior to such revocation.

  • Right to portability

You have the right to receive a copy of the personal data that you have provided to us and to transmit those data to another organization and/or to request that we transmit such data directly to another organisation, provided that:

  • we process such personal information on the basis of (a) your consent, or (b) for the performance of our contractual obligations, or (c) at your request, for the purposes of you (or the natural or legal person that you represent, or act as agent of, or the entity you are a beneficial owner of) entering into a contractual relationship with us; and
  • the relevant processing activities are carried out by automated means.

  • Right to lodge a complaint

You can contact us for any personal data-related matters, as described by section 2 above.

 

If you are not satisfied or still concerned about any personal data-related matters, you are entitled to file a complaint with the Commissioner, as explained on the latter’s website.

  14. DATA SECURITY

We have put in place and implement security policies and procedures to safeguard and to provide reasonable protection of your personal data against loss, misuse, unauthorized access, disclosure and alteration. Such measures include firewalls, digital encryption, access restriction and authorization controls. While we are dedicated to protecting your personal information, security cannot be absolutely guaranteed against threats. In the event that we become aware of a data breach which may cause you a disadvantage, we will notify you accordingly, without undue delay.

Moreover, you are responsible for protecting and maintaining protection of any identification, authentication and other security measures regarding our services and products (e.g. PIN numbers, passwords, security devices and account numbers), as described in the relevant contracts and/or terms and conditions.

 

  15. CHANGES TO THIS PRIVACY NOTICE

We may modify this Privacy Notice from time to time in order to reflect our current practices and/or in accordance with any changes in the applicable legal framework. In such a case, we will update the revision date at the top of the page and notify you accordingly, e.g. by placing a notice to that effect on our website.

   

COOKIES POLICY

What are cookies?
A “cookie” is a small text file which is sent to and stored on your computer or any other device you may use to access the Internet, each time you visit a website, without gathering any information about the documents or files on your device.
On our website we use “cookies” for many different reasons, with the aim of creating a safer and more efficient environment for our visitors/users. We mainly use “cookies”, which are necessary for the provision of services offered through our website, as well as “cookies” used for statistical purposes and matters relating to the functionality of our website (e.g. number of visitors, how many return, frequency of visits, user preferences etc.).
Internet web browsers are usually set by default to accept “cookies”. Consequently, if you wish to modify how your browser operates, either to notify you about the use of “cookies” or to block “cookies”, you must change your browser’s settings.
These cookies are not used for any purpose other than those described below:

  • Statistical Cookies: These cookies tell us about how you use the site and they help us to make it better. For example, these cookies count the number of visitors to our website and see how visitors move around when they are using it. This helps us to improve the way our site works, for example, by ensuring that users find what they are looking for easily. Our website uses Google Analytics for statistics reporting.
  • Necessary Cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
  • Functional Cookies: These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
  • Marketing Cookies: These cookies are used to deliver advertised content which is relevant to you and they can be used to track the effectiveness of our ad campaigns on third party websites. These cookies are placed on our site by our third party service providers and they may remember your web browsing activity. Only anonymized information is captured and used and the purpose is to provide you with content which is relevant to you.

By selecting "Accept all", you agree to the storage of all cookies of the website on your device, which relate to navigation (necessary cookies) and performance analysis (statistics cookies). By selecting "Reject All", you agree to store only the necessary cookies. You can choose which categories to accept by clicking "Cookies Settings". For better operation of cookies, refresh the page in case of withdrawal of your consent.