Our new Privacy Notice

As a result of the completion of the sale of HSBC Continental Europe’s branch operations in Greece (HSBC Greece) to Pancreta Bank SA (Pancreta) (the Transfer) personal data which relate to you and your banking relationship and products with HSBC Greece (including personal data of special categories, to the extent such personal data has been shared with HSBC Greece) have been transferred to Pancreta. Kindly note that following the Transfer HSBC Greece will cease completely its banking activities.

More specifically, personal data of individuals linked to the deposit and investment accounts and related services, as well as all lending and credit products of HSBC Greece, under any capacity [for example (a) as regards retail customers: depositors (including payers and payees with respect to payment transactions), investors, borrowers, co-borrowers, guarantors and persons that have provided security for any lending product, card holders, contracting parties in general, partners/members/shareholders and beneficial owners of legal entities, third persons related with the above, such as proxies, representatives, their employees, attorneys, professional advisors or other agents, clients’ counterparties/contracting parties, in each case where required for the provision of services (such as payers or beneficiaries in payment transactions), family members, etc. and (b) as regards wholesale customers: administrators, representatives, partners/members/shareholders and members of management, beneficial owners, third persons related with the wholesale customers, such as proxies, representatives, their employees, attorneys, professional advisors or other agents, guarantors, company’s counterparties/contracting parties, in each case where required for the provision of services such as payers or beneficiaries in payment transactions, etc.] (the Data Subjects) were transferred upon completion of the Transfer from HSBC Greece to Pancreta, so that the latter may process those for the purpose of managing your banking relationship and products.

As from completion of the Transfer, Pancreta processes the personal data of the Data Subjects, acting as a data controller, specifying the purposes for and means of personal data processing, in accordance with the applicable data protection legislation, especially the General Data Protection Regulation (EU) 2016/679 and Greek Law 4624/2019, as in force. All relevant information on the processing of personal data by Pancreta (data controller details, personal data categories, sources, purpose and legal basis for processing, rights for the protection of personal data, recipients, retention period, etc.) is described in Pancreta’s Privacy Policy, which is available on the Pancreta’s website at www.pancretabank.gr.

Kindly note as from completion of the Transfer, HSBC Greece continues to process the personal data of the Data Subjects, as data controller (independently from Pancreta), in order to comply with its legal and regulatory obligations to which it is subject under applicable laws (such as the legal and regulatory framework on money laundering and terrorist financing) as well as for purposes related to any pending litigation. Such processing of personal data shall be carried out pursuant to the provisions of this Privacy Notice.

Wherever we’ve said ‘you’ or ‘your’, this means you, any authorised person on your account and other related people (including authorised signatories, proxies, partners, members and trustees).

When we say ‘we’, we mean HSBC Greece and HSBC Continental Europe France as stated in Appendix 1 which act as a data controller in respect of your personal data.

• Identification Information, e.g.:
• personal details, e.g. name, previous names, gender, date and place of birth;
• contact details, e.g. address, email address, landline and mobile numbers;
• information concerning your identity e.g. photo ID, ID or passport information, National Insurance number, National ID card and nationality;
• other information about you that you give us by communicating with us.
• Financial Information and information concerning your former relationship with HSBC Greece, e.g.: your financial information and information about your relationship with us, including the products and services you held with HSBC Greece, the channels you used and your ways of interacted with us, your payment history, transactions records, market trades, payments into your account including salary details and information concerning complaints and disputes;
• information we use to identify and authenticate you, e.g. your signature and your biometric information, such as your voice for voice ID, additional information that we receive from external sources that we need for compliance purposes;
• investigations data, e.g. due diligence checks, sanctions and anti-money laundering checks, external intelligence reports, content and metadata related to relevant exchanges of information between and among individuals, organisations, including emails, voicemail, live chat;
• records of correspondence and other communications between us, including email, live chat, instant messages and social media communications;
• information that we need to support our regulatory obligations, e.g. information about transaction details, detection of any suspicious and unusual activity and information about parties connected to you or these activities.

Following the Transfer, we’ll only use your information to comply with our legal and regulatory obligations to which we are subject under applicable laws (such as the legal and regulatory framework on money laundering and terrorist financing) as well as for purposes related to any pending litigation.

We may share your information with others where lawful to do so including where we or they:

• have a public or legal duty to do so, e.g. to assist with detecting and preventing fraud, tax evasion and financial crime;
• need to in connection with regulatory reporting, litigation or asserting or defending legal rights and interests;
• perform data processing operations on our behalf under their capacity as processors, such as the provision of data storage, filing, management and destruction of files and data services.

We may share your information for these purposes with others  including:

• Pancreta
• other HSBC group companies and any sub-contractors, agents or service providers who work for us or provide services to us (including Pancreta) or other HSBC Group companies (including their employees, sub-contractors, service providers, directors and officers);
• law enforcement, government, courts, dispute resolution bodies, our regulators, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities;
• other parties involved in any disputes, including disputed transactions;
• fraud prevention agencies who’ll also use it to detect and prevent fraud and other financial crime and to verify your identity.

We keep your information in line with our data retention policy. For example we will retain your core banking data for a minimum period of five years from the end of our relationship with you. This enables us to comply with legal and regulatory requirements or use it where we need to for our legitimate purposes such as managing your account and dealing with any disputes or concerns that may arise.

We may need to retain your information for a longer period where we need the information to comply with regulatory or legal requirements or where we may need it for our legitimate purposes, e.g. to help us respond to queries or complaints, fighting fraud and financial crime, responding to requests from regulators, etc.

If we don’t need to retain information for this period of time, we may destroy, delete or anonymise it more promptly.

For more information please consult Appendix 2 of this Privacy Notice.

Your information may be transferred to and stored in locations outside the European Union (EU) or European Economic Area (EEA) including countries or regions that may not have the same level of protection for personal information. When we do this, we’ll ensure it has an appropriate level of protection and that the transfer is lawful. We may need to transfer your information in this way to carry out our contract with you, to fulfil a legal obligation, to protect the public interest and / or for our legitimate interests. In some countries or regions the law might compel us to share certain information, e.g. with tax authorities. Even in these cases, we’ll only share your information with people who have the right to see it.

You can obtain more details of the protection given to your information when it’s transferred outside the EU or EEA by contacting us using the details in the ‘More details about your information’ section below.

You have a number of rights in relation to the information that we hold about you. These rights include:

• the right to access information we hold about you and to obtain information about how we process it;
• in some circumstances, the right to withdraw your consent to our processing of your information, which you can do at any time. We may continue to process your information if we have another legitimate reason for doing so;
• in some circumstances, the right to receive certain information you have provided to us in an electronic format and / or request that we transmit it to a third party;
• the right to request that we rectify your information if it’s inaccurate or incomplete;
• in some circumstances, the right to request that we erase your information. We may continue to retain your information if we’re entitled or required to retain it;
• the right to object to, and to request that we restrict, our processing of your information in some circumstances. Again, there may be situations where you object to, or ask us to restrict, our processing of your information but we’re entitled to continue processing your information and / or to refuse that request.

You can exercise your rights by contacting us using the details set out in the ‘More details about your information’ section below. You also have a right to complain to the Hellenic Data Protection Authority by visiting www.dpa.gr or to the data protection regulator in the location where you live or work.

We use a range of measures to keep your information safe and secure which may include encryption and other forms of security. We also ensure that appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information are applied.

If you’d like further information on anything we’ve said in this Privacy Notice, or to contact our Data Protection Officer (DPO), contact us at: Dataprotection@hsbc.fr or by writing at the following address :

Data Protection Officer

HSBC Continental Europe

38, avenue Kléber , 75116 Paris

France    HSBC Continental Europe, (France)

Greece    HBCE Continental Europe (Greece)