Table of contents
- Introduction
- What information we collect
- How we’ll use your information
- Who we might share your information with
- How long we’ll keep your information
- Transferring your personal data overseas
- Your rights
- How we keep your personal data secure
- More details about your personal data
- Appendix 1: Entities covered by this notice
- Appendix 2: Retention period
Introduction
As a result of the completion of the sale of HSBC Continental Europe’s branch operations in Greece (HSBC Greece) to Pancreta Bank SA (Pancreta) (the Transfer) personal data which relate to you and your banking relationship and products with HSBC Greece (including personal data of special categories, to the extent such personal data has been shared with HSBC Greece) have been transferred to Pancreta. Kindly note that following the Transfer HSBC Greece will cease completely its banking activities.
More specifically, personal data of individuals linked to the deposit and investment accounts and related services, as well as all lending and credit products of HSBC Greece, under any capacity [for example (a) as regards retail customers: depositors (including payers and payees with respect to payment transactions), investors, borrowers, co-borrowers, guarantors and persons that have provided security for any lending product, card holders, contracting parties in general, partners/members/shareholders and beneficial owners of legal entities, third persons related with the above, such as proxies, representatives, their employees, attorneys, professional advisors or other agents, clients’ counterparties/contracting parties, in each case where required for the provision of services (such as payers or beneficiaries in payment transactions), family members, etc. and (b) as regards wholesale customers: administrators, representatives, partners/members/shareholders and members of management, beneficial owners, third persons related with the wholesale customers, such as proxies, representatives, their employees, attorneys, professional advisors or other agents, guarantors, company’s counterparties/contracting parties, in each case where required for the provision of services such as payers or beneficiaries in payment transactions, etc.] (the Data Subjects) were transferred upon completion of the Transfer from HSBC Greece to Pancreta, so that the latter may process those for the purpose of managing your banking relationship and products.
As from completion of the Transfer, Pancreta processes the personal data of the Data Subjects, acting as a data controller, specifying the purposes for and means of personal data processing, in accordance with the applicable data protection legislation, especially the General Data Protection Regulation (EU) 2016/679 and Greek Law 4624/2019, as in force. All relevant information on the processing of personal data by Pancreta (data controller details, personal data categories, sources, purpose and legal basis for processing, rights for the protection of personal data, recipients, retention period, etc.) is described in Pancreta’s Privacy Policy, which is available on the Pancreta’s website at www.pancretabank.gr.
Kindly note as from completion of the Transfer, HSBC Greece continues to process the personal data of the Data Subjects, as data controller (independently from Pancreta), in order to comply with its legal and regulatory obligations to which it is subject under applicable laws (such as the legal and regulatory framework on money laundering and terrorist financing) as well as for purposes related to any pending litigation. Such processing of personal data shall be carried out pursuant to the provisions of this Privacy Notice.
Wherever we’ve said ‘you’ or ‘your’, this means you, any authorised person on your account and other related people (including authorised signatories, proxies, partners, members and trustees).
When we say ‘we’, we mean HSBC Greece and HSBC Continental Europe France as stated in Appendix 1 which act as a data controller in respect of your personal data.
What information we collect
We’ll only collect your information in line with relevant regulations and law. We may collect it from a range of sources and it may relate to any of our products or services you have held in the past with HSBC Greece.
Some of it will come directly from you. We might also get some of it from publicly available sources.
The type of information that we retain will differ depending on the type of products held with HSBC Greece.
The information we collect may include:
- Identification Information, e.g.:
- personal details, e.g. name, previous names, gender, date and place of birth;
- contact details, e.g. address, email address, landline and mobile numbers;
- information concerning your identity e.g. photo ID, ID or passport information, National Insurance number, National ID card and nationality;
- other information about you that you give us by communicating with us.
- Financial Information and information concerning your former relationship with HSBC Greece, e.g.: your financial information and information about your relationship with us, including the products and services you held with HSBC Greece, the channels you used and your ways of interacted with us, your payment history, transactions records, market trades, payments into your account including salary details and information concerning complaints and disputes;
- information we use to identify and authenticate you, e.g. your signature and your biometric information, such as your voice for voice ID, additional information that we receive from external sources that we need for compliance purposes;
- investigations data, e.g. due diligence checks, sanctions and anti-money laundering checks, external intelligence reports, content and metadata related to relevant exchanges of information between and among individuals, organisations, including emails, voicemail, live chat;
- records of correspondence and other communications between us, including email, live chat, instant messages and social media communications;
- information that we need to support our regulatory obligations, e.g. information about transaction details, detection of any suspicious and unusual activity and information about parties connected to you or these activities.
How we'll use your information
Following the Transfer, we’ll only use your information to comply with our legal and regulatory obligations to which we are subject under applicable laws (such as the legal and regulatory framework on money laundering and terrorist financing) as well as for purposes related to any pending litigation.
Who we might share your information with
We may share your information with others where lawful to do so including where we or they:
- have a public or legal duty to do so, e.g. to assist with detecting and preventing fraud, tax evasion and financial crime;
- need to in connection with regulatory reporting, litigation or asserting or defending legal rights and interests;
- perform data processing operations on our behalf under their capacity as processors, such as the provision of data storage, filing, management and destruction of files and data services.
We may share your information for these purposes with others including:
- Pancreta
- other HSBC group companies and any sub-contractors, agents or service providers who work for us or provide services to us (including Pancreta) or other HSBC Group companies (including their employees, sub-contractors, service providers, directors and officers);
- law enforcement, government, courts, dispute resolution bodies, our regulators, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities;
- other parties involved in any disputes, including disputed transactions;
- fraud prevention agencies who’ll also use it to detect and prevent fraud and other financial crime and to verify your identity.
How long we’ll keep your information
We keep your information in line with our data retention policy. For example we will retain your core banking data for a minimum period of five years from the end of our relationship with you. This enables us to comply with legal and regulatory requirements or use it where we need to for our legitimate purposes such as managing your account and dealing with any disputes or concerns that may arise.
We may need to retain your information for a longer period where we need the information to comply with regulatory or legal requirements or where we may need it for our legitimate purposes, e.g. to help us respond to queries or complaints, fighting fraud and financial crime, responding to requests from regulators, etc.
If we don’t need to retain information for this period of time, we may destroy, delete or anonymise it more promptly.
For more information please consult Appendix 2 of this Privacy Notice.
Transferring your personal data overseas
Your information may be transferred to and stored in locations outside the European Union (EU) or European Economic Area (EEA) including countries or regions that may not have the same level of protection for personal information. When we do this, we’ll ensure it has an appropriate level of protection and that the transfer is lawful. We may need to transfer your information in this way to carry out our contract with you, to fulfil a legal obligation, to protect the public interest and / or for our legitimate interests. In some countries or regions the law might compel us to share certain information, e.g. with tax authorities. Even in these cases, we’ll only share your information with people who have the right to see it.
You can obtain more details of the protection given to your information when it’s transferred outside the EU or EEA by contacting us using the details in the ‘More details about your information’ section below.
Your rights
You have a number of rights in relation to the information that we hold about you. These rights include:
- the right to access information we hold about you and to obtain information about how we process it;
- in some circumstances, the right to withdraw your consent to our processing of your information, which you can do at any time. We may continue to process your information if we have another legitimate reason for doing so;
- in some circumstances, the right to receive certain information you have provided to us in an electronic format and / or request that we transmit it to a third party;
- the right to request that we rectify your information if it’s inaccurate or incomplete;
- in some circumstances, the right to request that we erase your information. We may continue to retain your information if we’re entitled or required to retain it;
- the right to object to, and to request that we restrict, our processing of your information in some circumstances. Again, there may be situations where you object to, or ask us to restrict, our processing of your information but we’re entitled to continue processing your information and / or to refuse that request.
You can exercise your rights by contacting us using the details set out in the ‘More details about your information’ section below. You also have a right to complain to the Hellenic Data Protection Authority by visiting www.dpa.gr or to the data protection regulator in the location where you live or work.
How we keep your personal data secure
We use a range of measures to keep your information safe and secure which may include encryption and other forms of security. We also ensure that appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information are applied.
More details about your personal data
If you’d like further information on anything we’ve said in this Privacy Notice, or to contact our Data Protection Officer (DPO), contact us at: Dataprotection@hsbc.fr or by writing at the following address :
Data Protection Officer
HSBC Continental Europe
38, avenue Kléber , 75116 Paris
Appendix 1: Entities covered by this notice
France HSBC Continental Europe, (France)
Greece HBCE Continental Europe (Greece)
Appendix 2: Retention period
Purposes for which personal data is used (see section II) | Legal basis for implementation | Maximum retention period (unless stated otherwise) |
---|---|---|
Entering into a business relationship and management of business relationship, i.e. providing products and services, processing transactions and executing your instructions | Legitimate interest Legal obligation Contract execution |
Maximum of 20 years from the end of any contractual relationship
This retention period may be extended if required by an authority or to defend a right or interest |
Assistance within the framework of bank transactions | Legitimate interest Legal obligation Contract execution |
Maximum of 20 years or processing of an instruction/transaction
This retention period may be extended if required by an authority or to defend a right or interest |
Compliance with legislation and regulations | Legitimate interest Legal obligation Public interest |
Maximum of 6 months for certain telephone calls 20 years from the end of any contractual relationship This retention period may be extended if required by an authority or to defend a right or interest 30 years for data relating to searches for deceased persons or insurance products |
Crime prevention and detection | Legitimate interest Legal obligation Public interest |
20 years from the date the offence is observed (prevention of money laundering, fraud, court or administrative requests) |
Security and continuation of our activities | Legitimate interest Legal obligation |
45 days for video surveillance images 20 years for inappropriate behaviour from the end of any contractual relationship This retention period may be extended if required by an authority or to defend a right or interest |
Risk management and compliance | Legitimate interest Legal obligation |
20 years from the end of any contractual relationship, legal dispute or the end of a legal or regulatory requirement |
Improving our products and services | Legitimate interest | 7 years from when the data is collected |
Prospecting and business development and/or protecting and promoting the HSBC brand | Legitimate interest Consent |
Duration related to consent given by the person concerned 2 years for natural persons who are not customers Cookies for 2 years from when the data is collected |
Analysing the results of our marketing activities | Legitimate interest | For the entire duration of the contractual relationship |
Managing our internal operating requirements with regard to credit and risk management, Protecting our rights | Legitimate interest | Duration related to any disputes or administrative or court proceedings |
Allowing for a transfer, merger or spinoff | Legitimate interest | Duration relating to the proposed contraction |
Purposes for which personal data is used (see section II) | Entering into a business relationship and management of business relationship, i.e. providing products and services, processing transactions and executing your instructions |
---|---|
Legal basis for implementation |
Legitimate interest Legal obligation Contract execution |
Maximum retention period (unless stated otherwise) |
Maximum of 20 years from the end of any contractual relationship
This retention period may be extended if required by an authority or to defend a right or interest |
Purposes for which personal data is used (see section II) | Assistance within the framework of bank transactions |
Legal basis for implementation |
Legitimate interest Legal obligation Contract execution |
Maximum retention period (unless stated otherwise) |
Maximum of 20 years or processing of an instruction/transaction
This retention period may be extended if required by an authority or to defend a right or interest |
Purposes for which personal data is used (see section II) | Compliance with legislation and regulations |
Legal basis for implementation |
Legitimate interest Legal obligation Public interest |
Maximum retention period (unless stated otherwise) |
Maximum of 6 months for certain telephone calls 20 years from the end of any contractual relationship This retention period may be extended if required by an authority or to defend a right or interest 30 years for data relating to searches for deceased persons or insurance products |
Purposes for which personal data is used (see section II) | Crime prevention and detection |
Legal basis for implementation |
Legitimate interest Legal obligation Public interest |
Maximum retention period (unless stated otherwise) | 20 years from the date the offence is observed (prevention of money laundering, fraud, court or administrative requests) |
Purposes for which personal data is used (see section II) | Security and continuation of our activities |
Legal basis for implementation |
Legitimate interest Legal obligation |
Maximum retention period (unless stated otherwise) |
45 days for video surveillance images 20 years for inappropriate behaviour from the end of any contractual relationship This retention period may be extended if required by an authority or to defend a right or interest |
Purposes for which personal data is used (see section II) | Risk management and compliance |
Legal basis for implementation |
Legitimate interest Legal obligation |
Maximum retention period (unless stated otherwise) | 20 years from the end of any contractual relationship, legal dispute or the end of a legal or regulatory requirement |
Purposes for which personal data is used (see section II) | Improving our products and services |
Legal basis for implementation | Legitimate interest |
Maximum retention period (unless stated otherwise) | 7 years from when the data is collected |
Purposes for which personal data is used (see section II) | Prospecting and business development and/or protecting and promoting the HSBC brand |
Legal basis for implementation |
Legitimate interest Consent |
Maximum retention period (unless stated otherwise) |
Duration related to consent given by the person concerned 2 years for natural persons who are not customers Cookies for 2 years from when the data is collected |
Purposes for which personal data is used (see section II) | Analysing the results of our marketing activities |
Legal basis for implementation | Legitimate interest |
Maximum retention period (unless stated otherwise) | For the entire duration of the contractual relationship |
Purposes for which personal data is used (see section II) | Managing our internal operating requirements with regard to credit and risk management, Protecting our rights |
Legal basis for implementation | Legitimate interest |
Maximum retention period (unless stated otherwise) | Duration related to any disputes or administrative or court proceedings |
Purposes for which personal data is used (see section II) | Allowing for a transfer, merger or spinoff |
Legal basis for implementation | Legitimate interest |
Maximum retention period (unless stated otherwise) | Duration relating to the proposed contraction |