ATHEXGROUP PRODUCTS AND SERVICES PRIVACY STATEMENT
The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, ATHEXGROUP has established a comprehensive GDPR implementation program across its services, products and businesses, to ensure that the appropriate policies, procedures and controls are in place to facilitate compliance by the GDPR effective date.
ATHEXGROUP has arranged for a GDPR Privacy Statement to be read by each impacted client in order to provide information to meet our GDPR related transparency obligations. The Privacy Statement provides important information to individuals regarding how and why we process their personal data, with whom we share their personal data, certain rights that they may have, and how they can contact our Data Protection Officer.
The GDPR sets a new standard for the protection of personal data and seeks to strengthen the data protection rights of individuals in the EU, while also harmonizing data protection laws across the EU.
One of the key principles under the GDPR is that of transparency. This requires organizations such as ATHEXGROUP to provide people with whom we come into contact in the course of our business dealings, with information about how we use or otherwise process their personal data. This would include the client's officers, directors, employees and other personnel with whom we may interact in connection with our relationship with our clients.
This statement applies to ATHEXGROUP's offered services and products through its subsidiary entities, as follow:
- ATHEX is the holding company of ATHEXGROUP. ATHEX is the operator of the cash and derivatives exchange market (Common Trading Platform), providing listing, trading and relevant services, while it does not hold Financial Assets for the account of others on such platform.
In more detail, ATHEX offers services to its members, such services being related with its operation as the Greek stock and derivatives exchange. Furthermore, ATHEX offers to its members some optional products related to their operations, like front and back office systems, systems collocation and proximity services, as well as the technical infrastructure for order routing to international markets. ATHEX also operates a Common Trading Platform with the participation of the Cyprus Stock Exchange (CSE), hosting at the ATHEX's central trading system (OASIS), hence ATHEX indeed offers operation services to that entity.
- ATHEXClear is one out of the two wholly owned subsidiaries of ATHEX and the EMIR authorized Clearing House ? CCP (Central Counterparty) of the ATHEXGROUP, providing risk management and clearing services on transactions of financial instruments ("securities"). In the course of its operations, ATHEXClear holds securities in the name of the Clearing Member (as collateral provider) on behalf of the Clearing Member clients but in favor of ATHEXClear. Furthermore, ATHEXClear manages the so called Default Fund (Risk-Sharing fund), which has no separate legal personality and consists of the contributions made by the Clearing members.
- ATHEXCSD is the other wholly owned subsidiary of ATHEX and is the Central Securities Depository (CSD) for the Greek Capital Market.
In more detail, ATHEXCSD provides CSD services (issuance/depository, settlement and safekeeping) to its members/direct clients ("CSD Participants") both in relation to Greek and foreign securities. Such CSD Participants are banks and brokerage companies who, in turn, provide similar services to their clients. ATHEXCSD holds securities through custodians, in segregated accounts per investor in Dematerialized Securities System (DSS). The safekeeping of securities is executed within securities accounts held directly in the DSS ("Investor accounts" or "DSS accounts"), in the name of the end-client/investor ("DSS account holder").
DSS accounts are maintained and administered by the ATHEXCSD Participants (Custodians, ATHEX Members, CSDs) also known as DSS Operators, on behalf of their clients, at an end-investor level (DSS account holder).
ATHEXCSD, apart from its role as "Issuer CSD", is also acting as "Investor CSD", enabling its Participants (DSS Operators) to provide settlement and custody services to their clients both in relation to Greek and foreign securities and sets up both direct and indirect links with CSDs in order to facilitate cross border transactions.
ATHEXCSD also performs the role of Central Registrar for securities registered in DSS accounts.
In order to meet our GDPR-related transparency obligations, we have prepared a Product and Services Privacy Statement which provides important information to individuals regarding how and why we process their personal data, with whom we share their personal data, certain rights that they may have, and how they can contact our Data Protection Officer.
It is important that our clients or other individuals with whom we may come into contact with through the provision of services are aware of this Products and Services Privacy Statement. For any questions, clients should contact ATHEXGROUP.
1. Who is responsible for your personal data and how can you contact them?
ATHEXGROUP entities (referred to as "we" and "ATHEXGROUP" in this document) are the controllers of your personal data. For more details you can contact our Data Protection Officer at firstname.lastname@example.org or 110 Athinon Avenue, 104 42 Athens, Greece.
2. Why do we process your personal data?
We process your personal data, as necessary to pursue our legitimate business and other interests, for the following reasons:
- to provide products and services to our clients and to communicate with you and/or our clients about them;
- to manage, administer and improve our business and client and service provider engagements and relationships and for corporate marketing and business development purposes. In this context, we organize events where attendees may be photographed or videotaped. For these events and for other actions (e.g. educational programs) we inform you regularly;
- to monitor and analyze the use of our products and services for system administration, operation, testing and support purposes;
- to manage our information technology and to ensure physical security of our facilities and security of our systems. For security reasons, we identify visitors by collecting necessary personal information (ID, name, car registration number, etc.) which we keep for a limited time;
- to establish, exercise and/or defend legal claims or rights and to protect, exercise and enforce our rights, property or safety, or to assist our clients or others to do this;
- to investigate and respond to complaints or incidents relating to us or our business, to maintain service quality and to train staff to deal with complaints and disputes; and
- for any other purpose that we specifically tell you about when we obtain data about you (or our client tells you about on our behalf).
We also process your personal data to comply with laws and regulations and as well as to pursue our legitimate interests in cooperating with our regulators and other authorities, complying with laws, preventing or detecting financial and other crimes and regulatory breaches, and protecting our businesses and the integrity of the capital markets. This involves processing your personal data for the following reasons:
- to cooperate with, respond to requests from, and to report transactions and/or other activity to, government, tax or regulatory bodies, courts or other third parties;
- to monitor and analyze the use of our products and services for risk assessment and control purposes;
- to conduct compliance activities such as audit and reporting, assessing and managing risk, maintenance of accounting and tax records, and compliance to other laws and regulations; and
- to record and/or monitor telephone conversations so as to maintain service quality and security, for staff training and to deal with complaints and disputes. To the extent permitted by law, these recordings are our sole property.
In most cases, we do not rely on consent since personal data processing a) is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, b) is necessary for compliance with a legal obligation to which we are subject; c) is necessary in order to protect the vital interests of the data subject or of another natural person, d) is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, and e) processing is necessary for the purposes of the legitimate interests pursued by us or by a third party.
If you do not provide information that we request, we may not be able to provide (or continue providing) relevant products or services to, or otherwise do business with you or your organization.
3. To whom do we disclose your personal data?
We disclose your personal data, for the reasons set out in Section 2, as follows:
- to your organization in connection with the products and services that we provide to it if your organization is our client, or otherwise in connection with our dealings with your organization;
- to ATHEXGROUP's entities for the purpose of managing ATHEXGROUP's client, service provider and other business counterparty relationships;
- to counterparty banks, central banks, payment infrastructure providers and other persons from whom we receive, or to whom we make, payments on our clients' behalf;
- to brokers, custodians, sub-custodians, fund administrators, fund houses, depositaries, trustees, financial market infrastructure service providers (including settlement service providers, central securities depositories, exchanges, central clearing counterparties and other similar entities) and other persons from whom we receive, or to whom we make, payments on our clients' behalf, in each case to service your or your organization's account and investment;
- to service providers that provide application processing, fraud monitoring, call center and/or other customer services, hosting services and other technology and business process outsourcing services;
- to our professional service providers (e.g., legal advisors, accountants, auditors, insurers and tax advisors);
- to legal advisors, government and law enforcement authorities and other persons involved in, or contemplating, legal proceedings;
- to competent regulatory, prosecuting, tax or governmental authorities, courts or other tribunals in any jurisdiction or market, domestic or foreign;
- to other persons where disclosure is required by law or to enable products and services to be provided to you or our clients; and
- to prospective buyers as part of a sale, merger or other disposal of any of our business or assets.
4. Where do we transfer your personal data?
We may transfer your personal data to ATHEXGROUP entities, regulatory, prosecuting, tax and governmental authorities, courts and other tribunals, service providers and other business counterparties located in countries outside the European Economic Area (EEA), including countries which have different data protection standards to those which apply in the EEA.
5. How long do we keep your personal data?
We keep your personal data for as long as is necessary for the purposes of our relationship with you or your organization or in connection with performing an agreement with a client or your organization or complying with a legal or regulatory obligation.
6. What are your rights in relation to personal data?
You can ask us to: (i) obtain confirmation as to whether or not your personal data are being processed, and access to the personal data and relevant information, (ii) provide you with a copy of your personal data; (iii) correct your personal data; (iv) erase your personal data, (v) restrict our processing of your personal data, (vi) object at any time to processing of personal data (including profiling), (vii) not to be subject to a decision based solely on automated processing (including profiling).
You can also opt out of the processing of your personal data for direct marketing purposes or object to our other processing of your personal data. These rights will be limited in some situations; for example, where we are required to process your personal data by EU or EU member state law.
To exercise these rights or if you have questions about how we process your personal data, please contact us using the contact details in Section 1. We can in particular, provide copies of the data transfer safeguards referred to in Section 3. You can also complain to the relevant data protection authorities in the EEA member state where you live or work or where the alleged infringement of data protection law occurred.
7. Changes to this Privacy Statement
This Privacy Statement takes effect on 25 May 2018. If we change it, to keep you fully aware of our processing of your personal data and related matters, we will post the new version to our website.