General information on the Processing of your Personal Data by COSMOTE Payments (Data Privacy Notice)
The protection of your personal data is a priority for us. We, at COSMOTE Payments, fully understand how important the protection of your personal data is.
This is why we take all the necessary measures for the security and proper management of your data.
1. What is personal data?
By the term personal data (hereinafter Data) we mean any information that concerns you and through which we can identify you. This identification can be carried out either through a specific piece of information or through a possible combination of information available to us.
2. Which of your Data do we process?
COSMOTE Payments, as a provider of electronic money and payment services, processes the Data you provide during your registration and identification in the context of providing our services, your transaction Data as well as data necessary to verify your identity in accordance with what is mentioned below.
- The Registration / Identification Data includes your name, ID or passport details and tax return details if submitted, VAT number, your address, your landline and mobile phone numbers, bank and debit account numbers/ your prepaid card numbers, your e-mail addresses, your calls to the customer service call center as well as the image of your face as it is captured in the video conference and the photos that depict your biometric facial features.
- Transaction data includes account details in a third bank, history of payments and payment methods, money transfers to another account, card details as well as all the data required to process transactions (that debit or credit bank accounts etc. ) or the charge for the transactions carried out.
- Verification - Identification data includes data necessary for your identity verification and strong authentication, such as password, biometric data, device data, etc.
3. For what purposes do we process your Data?
We process your Data to fulfill your contract.
In order to sign a contract for the provision of electronic money and payment services with COSMOTE Payments or to submit an application for the purpose of concluding one, it is necessary to provide us with at least the Data as described above (service registration / activation data). In addition, if you become our customer, it is necessary for us to process your Transaction Data, as described above (Transaction Data) in order to carry out transactions and provide our services based on the terms of use of our services, your billing according to the type of transaction, as well as the management of requests and your support.
This processing is therefore carried out for the purpose of executing the contract between us and providing you with electronic money and payment services such as paying bills, charging COSMOTE Payments E-WALLET, remote identification or identification with physical presence of the account holder, issuing and redeeming electronic money (Top-up and Redemption Transactions), issuing a COSMOTE Payments E-WALLET payment account and accepting payment cards online or even at your request before the conclusion of the contract, but also to be able to complete the contract conclusion process with prospective clients.
We also process your data for the purpose of verifying your identity in the cases required according to the terms of service of COSMOTE Payments.
We process Data based on your consent
A. to create your own profile
We may process your Data combined, in order to create your individual profile based on your personal preferences.
Profiling is a form of automated processing of your Data through which we may assess certain preferences of yours, such as recommending products that you may be interested in and sending you relevant updates/advertisements that match your interests.
B. For the commercial promotion of the OTE Group's products and services, and if you have given your consent, COSMOTE Payments may transmit a limited range of your Data to the other companies of the OTE Group and mainly the Data contained in your contract for the purpose of submitting proposals and offers regarding services and products of other OTE Group companies tailored to your needs.
C. To verify your identity.
In order to achieve the electronic remote identification of your data, COSMOTE Payments may process, if you consent, data concerning:
- the recording of your visual and audio communication with our representative in real time via video call.
- the biometric characteristics resulting from the recording of your dynamic self-portrait (dynamic-selfie), in order to carry out a check, in relation to the photo of the identification document, using special software without the presence of our representative. In the event that you do not consent to the use of biometric data, electronic remote identification is carried out via a video call with a representative.
Read the text with which the relevant consent is provided here.
We process your Data based on our legitimate interest.
We process your Data based on our legitimate interest, always taking into account your rights as a customer. The processing of your Data is limited to the strictly expected processing, which is compatible with our transactional relationship. These types of processing are as follows:
1. For the direct marketing of our products and services, COSMOTE Payments may process a limited range of your Data and in particular the Data contained in your contract, usage aggregates and/or requests you have submitted. This processing is limited and is intended solely for the purpose of submitting proposals and offers for similar products and/or our services. You have the right to object to communications for the commercial promotion of products & services, in the ways indicated.
2. In addition, processing of your Data may be carried out by COSMOTE Payments for the purpose of sending purchase surveys or evaluations of our specific products or services. These surveys are usually in the form of a questionnaire and may be sent to you by email, SMS or through an IVR system or phone calls. They may also be conducted through partner research firms. Although your participation in these surveys is particularly important to us as your responses help us improve our products and services, you nevertheless have the right to object being contacted for surveys in the ways listed.
3. We may also process Data for the purpose of:
- the assessment, management and prevention of risks in the context of the operation of COSMOTE Payments as well as for the prevention and suppression of money laundering from criminal activities and the financing of terrorism,
- the assertion of our legal claims before the judicial authorities or other out-of-court/alternative dispute resolution bodies,
- security and proof of transactions in the context of recording calls with our customer service call center.
We process your Data to comply with our legal obligations.
We process your Data in order to comply with the applicable legislation for:
i) prevention and suppression of money laundering and terrorist financing, as well as the prevention of fraud against COSMOTE Payments and/or our customers, as well as any other illegal act;
ii) compliance with its obligations deriving from the applicable legislative and regulatory framework (including the application of the applicable tax legislation as well as the provisions regarding the automatic exchange of information in the tax sector) and with the decisions of supervisory or judicial authorities,
iii) obligation to notify and transmit to the competent Supervisory, Police, Judicial and in general Public Authorities.
4. Who will process your Data?
Together with us, it is possible that our partners or third-party companies will process your Data that is strictly necessary for the provision of our services. Your Data may be disclosed to our commercial partners (e.g. COSMOTE & GERMANOS network stores) who mediate the conclusion of the contract between us, to telephone customer service and to information systems supply and support companies. In these cases, these third party companies are Processors on behalf of COSMOTE Payments. However, we, COSMOTE Payments, remain solely responsible for the security of your Data, taking all necessary measures.
Apart from the above partners or third-party companies, COSMOTE Payments does not disclose, process or publish your Data to third parties, with the exception of the cases in which the sharing / transmission is required by the applicable legal framework.
Also, recipients of your Data may be third parties in relation to COSMOTE Payments, natural or legal persons, public authorities, services or other entities, such as:
- "DIAS Interbanking Systems S.A." ("DIAS S.A.") for the servicing of interbank transactions and "TIRESIAS S.A." for the protection of credit and financial transactions.
- Supervisory, Judicial, Independent and other Authorities at national and European level for the fulfillment of an obligation of COSMOTE Payments based on law or regulatory provision or court decision (e.g. Bank of Greece).
5. How do we ensure that our Processors respect your Data?
Our Processors are contractually bound to:
- observe confidentiality, and bind their personnel with the corresponding obligations,
- not pass on Data to third parties without our written permission;
- take organizational and technical security measures to protect the Data,
- notify us of any incident involving the breach of your Data,
- delete and/or return your Data to us, upon termination of our contract,
- to comply with the legal framework for the protection of personal data and in particular the General Data Protection Regulation (GDPR) and Law 4624/2019.
6. Do we transfer your Data outside the EU?
We process your Data mainly within Greece and the European Union (EU). In the event that we transfer them to countries outside the EU, we make sure that the transfer is made in accordance with the provisions of Regulation 979/2016/EU.
7. How long will we keep your Data?
The Data relating to your identification, the originals or copies of the documents necessary to determine the transactions, and those resulting from the use of the services are kept (e.g. transactions) for a period of five (5) years after the end of the business relationship or the date of the casual transaction.
At the end of this period, the Data is deleted, unless required by another provision of law or regulatory decision to keep it for a longer period, which cannot exceed ten years (e.g. for tax purposes).
In the event that the process of your electronic remote identification has been completed, but you do not contract with COSMOTE Payments, your Data will not be retained.
However, in the event that COSMOTE Payments terminates the process of your remote electronic identification without completing it for the following reasons:
- visual confirmation of you or your official identification document or both is not possible or there is any discrepancy or uncertainty between them or
- there is any discrepancy of the details, information and Data submitted during the remote electronic identification process with an independent and reliable source or
- there is a risk of money laundering or terrorist financing,
your Data that we have received for your identification will be kept for at least five (5) years from the submission of the relevant application.
Recorded calls with the customer service call center are kept for one year.
8. What measures do we take to protect your Data?
At COSMOTE Payments we foresee in our corporate processes the appropriate technical and organizational measures and apply them to the IT systems and platforms used to collect, process or use the Data.
These are indicative:
- measures to prevent unauthorized persons from accessing the Data processing systems (access control).
- measures that ensure that Data processing systems cannot be used by unauthorized persons (access denial control).
- measures to ensure that persons authorized to use the Data processing systems have access only to the Data for which they are authorized, and that the Data cannot, during processing, or use, or after recording them, to be transmitted, copied, modified or deleted by unauthorized persons (data access control).
- measures that ensure that during electronic transmission, or during transfer, or recording, the Data cannot be transmitted, copied, changed or removed by unauthorized persons, and that it is possible to check and ascertain the processors to whom Data has been transmitted via data transmission equipment (control of Data transmission).
- measures that ensure that it is possible to retrospectively examine and ascertain whether and by whom Data was entered, modified or deleted in the Data processing systems (data input control).
- measures to ensure that Data processed by third parties/contractors is only processed in accordance with our instructions (contractor control).
- measures ensuring that Data collected for different purposes can be processed separately (separation rule).
9. What are your rights in relation to your Data?
The rights that a customer of ours can exercise include:
Access right: You have the right to receive information about your Data that we process (e.g. the purposes of the processing, the types of Data, the recipients to whom it is shared, the period for which it is kept) and to provide you with copies of it.
Right of rectification: You have the right to request the correction of your Data (eg correction of address, contact details, identity number).
Right to erasure: You have the right to request the deletion of your Data in the event that it is no longer necessary in relation to the purposes for which it was processed or in the event that you have withdrawn the consent based on which we collected and processed it.
Right to restrict processing: You have the right to request the restriction of processing for a specific purpose.
Right to Data Portability: You have the right to receive the Data you have provided to the company in a structured, commonly used and human-readable format.
Right to object to the processing of your Data in cases where you do not wish the processing of your Data.
We also inform you that COSMOTE Payments has appointed a Data Privacy Officer (DPO) based on the provisions of the current legislation. To contact the Data Protection Officer, you can send an e-mail to customerprivacy@cosmotepayments.gr.
10. How do you exercise your rights?
To exercise your rights, you can:
- send an e-mail to customerprivacy@cosmotepayments.gr or
- send a letter to the address COSMOTE Payments Single Member S.A., 99 Kifisias Street, 15124, Maroussi with the subject "Exercise of personal data rights"
Furthermore, you reserve the right to submit a written complaint to the competent supervisory authority, the Personal Data Protection Authority (1-3, Kifissias Ave., 115 23, Athens +30 210 6475600, contact email contact@dpa.gr).
11. How long does it take us to respond to your requests?
COSMOTE Payments will respond free of charge to your requests without delay at the latest within one month of receipt of the request. In exceptional cases, this deadline may be extended for two (2) months if this is required due to the complexity of your request. In any case, we will inform you of the aforementioned extension and the reason for the delay specifying the new response date.
If we consider that your request is manifestly unfounded or excessive we reserve the right to request the payment of a reasonable fee for its satisfaction taking into account the administrative costs for its execution or even to refuse to proceed with your request.
12. How are you notified of changes to this Policy?
This Policy is updated when necessary. If there are significant changes to our Policy or the way we use your Data, we will post an update to this Policy on our website before those changes take effect and we will notify you in any convenient way.
We encourage you to periodically read this Policy to be aware of how your Data is protected.
13. Trackers / Cookies
Cookies are small files that are stored on the users' computer or mobile device and which are placed by the websites they visit and/or the mobile applications they use, in order to recognize them. In addition to cookies, there are other trackers, such as pixels (e.g. Facebook Pixel), local storage, third-party SDKs included in mobile applications, etc. Trackers store information or gain access to information stored on the terminal user's equipment (computer, mobile phone, tablet, etc.).
You can be informed regarding the categories of cookies / trackers we use and manage your options here.