Information on the Processing of Personal Data regarding Service Users of the "Hellenic Stock Exchanges - Athens Stock Exchange" Group Companies

The present information concerns the processing of your personal data from the use of the products and services offered by the companies of the ATHEXGROUP Group, namely the parent company "HELLENIC EXCHANGES - ATHENS STOCK EXCHANGE S.A." (hereinafter referred to as "ATHEX") and its subsidiaries "HELLENIC CENTRAL SECURITIES DEPOSITORY S.A." (hereinafter referred to as "ATHEXCSD") and "ATHENS EXCHANGE CLEARING HOUSE S.A.". (hereinafter referred to as "ATHEXCLEAR") (all companies hereinafter referred to as "companies"). Please read this document in order to be informed in detail about the terms of the processing of your data:

Processing Operator

Depending on the products and services you receive, ATHEX, ATHEXCSD or ATHEXCLEAR are responsible for processing the personal data that are processed when you use the products and services they provide to you. The headquarters of the companies are located in Athens, 110 Athinon Street, 110, P.C. 104 42, contact telephone +30 210 33 66 800, e-mail: protocol@athexgroup.gr.

Collection of Personal Data

Companies collect and process personal data that is necessary and exclusively for the achievement of the intended purpose of processing. These data, depending on the service provided, relate to.  

a) Identification data, such as name, surname, patronymic, maiden name, gender, identity card number (ID card or passport number), VAT number, tax office, date and place of birth, nationality, profession and other demographic data.

b) Contact data, such as postal and e-mail address of residence and work, fixed and mobile telephone number, as registered by the participants in the system of securities (S.A.T.)

c) Occupational data such as job and position.

d) Data of a financial nature such as, but not limited to, investor share and securities account codes in the securities system (SSS), quantities and type of securities held in the SSS, investment orders and movements in the trading system and the SSS, as recorded by the members of the Athens Exchange and the participants.

e) Digital data such as usernames, logs of accesses and commands entered in applications/platforms, IP addresses.

Personal data are collected either directly from the subjects or arise during the performance of the designated functions of the companies or due to the contractual relationship of the subjects with the companies of the ATHEXGROUP Group.

Purpose and Legal Basis for Processing Personal Data

a) The company "HELLENIC EXCHANGES - ATHENS STOCK EXCHANGE S.A." provides, among others, the following services or performs the following actions for the purpose of the performance of which it processes personal data in the capacity of Data Controller:
 

• Access to the Athens Exchange Markets (obtaining, maintaining and generally managing Membership of the Athens Exchange, access of Members to the trading system and record keeping, record keeping of Members, communication with Members, charging of fees, recording and record keeping of meetings, monitoring of transactions of special traders, management and control of authorized users of the trading system, etc.)
• Trading on the markets of the Athens Exchange (management of orders to execute trades, provision of public registration service for H.B.I.P., implementation of market protection measures as provided for by the Athens Exchange Regulation and carrying out the required updates on its website and other bodies for the purpose of pre-trade and post-trade transparency, publication of data in the Daily Price Bulletin, etc.)
• Surveillance-monitoring of transactions to detect indications of abusive market abuse behavior.
• Provision of approved transaction reporting mechanism services (ARM service) for the transmission of transaction data from clients of the ARM service (mainly Investment Firms, Banks, etc. and related to their clients' transaction data) to regulators.
• Attracting companies for listing or financing and managing applications for the admission of securities to trading on the Athens Exchange for new listings and implementation of corporate transactions of listed companies (assessment of the suitability of the issuer and the securities, overall management of the listing process such as assessment of the listing application, approval of the listing, commencement of trading, etc.)
• Providing access to communication systems (e.g. HERMES).
• Communication between the Athens Exchange and issuers for the dissemination of information to the investing public.
• Monitoring compliance with the Athens Exchange Rules against Members, prospective Members, authorized users of the trading system, issuers who have listed securities or who have applied for the listing of their securities on the Athens Exchange and any other person bound by the Athens Exchange Rules, as well as the imposition of measures.
• Education, certification or training of executives on financial sector issues such as, but not limited to, securities and derivatives trading.
• Management of internal and external users in applications provided by ATHEX.
• Security of the company's information systems and infrastructure, including the management of user access to applications, logical accesses, security incidents and vulnerabilities, as well as logs, to the extent that the processing is strictly necessary and proportionate to the intended purpose.
   

The legal basis for the processing of personal data which is carried out in order to fulfil the above purposes a1 - a8, is determined by the fact that the processing is necessary a) for the compliance of the company with its legal obligations (Art.6 par. 1(c) of the GDPR), as they arise from the law. 4514/2018, as in force, as it transposed into Greek law Directive 2014/65/EU of the European Parliament and of the Council and b) for the performance of a task carried out in the public interest (Art. 1(e) of the GDPR) due to the institutional role of ATEX in the Greek capital market, operating within the framework set by the Athens Exchange Regulation, which has been established pursuant to Law no. 4514/2018.

Furthermore, the legal basis for the processing of data for purpose a3, is also the compliance of the Company with its legal obligations, as arising, in addition to Law 4514/2018, to inform the supervisory authority about significant violations of the rules of the Athens Exchange, such as circumstances of irregular trading or actions that may indicate prohibited conduct and Regulation (EU) 596/2014 on market abuse.

The legal basis for the processing carried out in pursuit of purpose a9 is the fact that the processing of the data is necessary for the performance of a contract between the natural person and ATHEX (Article 6(1)(b) of the GDPR) and in particular for the provision by ATHEX of the training and/or certification services for which the natural person has expressed interest by sending the relevant application form.

For processing a10, depending on the relationship that ATHEX has with the natural person, where the processing is carried out in the context of a cooperation service contract concluded by the natural person with ATHEX, the legal basis is the fact that the processing of the data is necessary for the performance of the cooperation contract between the natural person and ATHEX (Article 6(1)(b) of the GDPR).

Furthermore, with regard to the processing carried out in pursuit of purpose a11, the legal basis is the legitimate interest of ATHEX (Article 6(1)(f) of the GDPR), which consists in ensuring the security of its network, systems and information.

b) The company "HELLENIC CENTRAL SECURITIES DEPOSITORY S.A." has as its purpose the exercise of activities related to the provision of central securities depository services in accordance with the applicable EU and national legislation and in order to serve its purpose the company carries out activities related to the provision of the following basic services, namely:  

• Initial registration of securities in book-entry form.
• Centralized maintenance of securities accounts in book-entry form.
• Settlement through book-entry securities systems.
• A register of shareholders and/or an electronic register of shareholders, a register of unitholders of managers of traded funds or non-traded funds and other securities holders in book-entry form.
• Support and processing of corporate transactions, including tax transactions, general meetings or meetings of bondholders and other beneficiaries and related information services.
• Services of a bondholder representative.
• Providing issuer companies with access to the AXIALINE communication systems for downloading the share register.
• Tax collection and remittance services.
• Management of collateral and other encumbrances, such as management of liens or encumbrances and registration of foreclosures.
• Support for title funding. 
• Providing links to other central securities depositories and market infrastructures, such as market operators and exchanges.
• Inheritance services.
• Services to carry out transfers of securities at the request of the beneficiaries. 
• Regulatory reporting services, securities coding (ISIN), provision of information on securities in book-entry form.
• Participant access (obtaining, maintaining and managing participant status) to the Securities Note System (SSS), maintaining participant records, communicating with participants, charging fees, managing and controlling authorized users of participants in the SSS, etc.
• Education, certification or training of executives on financial sector issues such as, but not limited to, the use of trading systems, the organization of market infrastructures, products and services of infrastructures and systems and the operation of markets in general.
• Management of internal and external users in applications provided by ATHEXCSD. Security of the company's information systems and infrastructure, including the management of user access to applications, logical accesses, security incidents and vulnerabilities, as well as logs, to the extent that the processing is strictly necessary and proportionate to the intended purpose.

The legal basis for the processing of personal data which is carried out in order to fulfil the purposes b1 - b15, is the fact that the processing is necessary a) for the compliance of the company with its legal obligations as they arise from Law 4569/2018 and Regulation (EU) 909/2014 (article 6 par. 1(c) of the GDPR) and b) for the performance of a task carried out in the public interest (Article 6(1)(c) of the GDPR) and (b) for the performance of a task carried out in the public interest (Article 6(1)(c) of the GDPR). 1(e) of the GDPR) due to the institutional role of ATEXCSD in the Greek capital market, which acts as the administrator of the Greek Central Securities Depository System (CSD) in the context of the provision of depository services and as a central securities depository, under the provisions of the Hellenic Central Securities Depository Operating Regulation, which is issued in accordance with the provisions of Regulation (EU) 909/2014 and Articles 1 to 30 of Law No. 4569/2018.

The legal basis for the processing carried out in pursuit of purpose b16 is the fact that the processing of data is necessary for the performance of a contract between the natural person and ATHEXCSD (Article 6(1)(b) of the GDPR) and in particular for the provision by ATHEXCSD of training and/or certification services, for which the natural person has expressed interest by sending the relevant application form.

For processing b17, depending on the relationship that ATHEXCSD has with the natural person, where the processing is carried out in the context of a cooperation-service contract concluded by the natural person with ATHEXCSD, the legal basis is the fact that the processing of the data is necessary for the performance of the cooperation contract between the natural person and ATHEXCSD (Article 6(1) (b) of the GDPR). If the natural person is an executive of a person with whom ATHEXCSD has entered into a cooperation contract, under which the natural person has been granted the status of a user of ATHEXCSD's applications, ATHEXCSD processes the data in order to ensure the successful, timely and efficient performance of that contract and the legal basis for such data processing is the legitimate interest of ATHEXCSD, which consists in particular in the smooth performance of the contract it has with the natural person's employer (Article 6(1) (f) of the GDPR).

Furthermore, with regard to the processing carried out in pursuit of purpose b18, the legal basis is the legitimate interest of ATHEXCSD (Article 6(1)(f) of the GDPR), which consists in ensuring the security of its network, systems and information.

c) The "ATHENS EXCHANGE CLEARING HOUSE S.A." has as its purpose the management of clearing systems and/or central counterparty for the purpose of carrying out activities of finalization or settlement or settlement of finalization of transactions in financial instruments and the provision of all kinds of services related to the clearing and settlement and the operation of a central counterparty and in order to achieve its purpose the company carries out any relevant activity relating in particular to the following. It may, for the purpose of carrying out these activities, process personal data in the capacity of Data Controller:
 

• Settlement of transactions, on a multilateral or bilateral basis or as a central counterparty, carried out in Greece or abroad.
• Finalizing or arranging or settling the finalization of transactions in financial instruments carried out in Greece or abroad, and generally ensuring the smooth fulfilment of obligations and the exercise of rights arising from such transactions, including the provision of guarantees.
• Provision of settlement preparation services and services related to the risk management of transactions in financial instruments and, in general, the provision of services aimed at ensuring the fulfilment of all kinds of obligations and the exercise of rights of persons wishing to conclude transactions in financial instruments in Greece or abroad.
• Participation in systems and mechanisms of other administrators carrying out clearing or settlement, finalization or settlement activities or settlement of finalization of transactions in financial instruments, in connection with financial instrument markets, settlement systems, central securities depositories, securities registers or central banks, in Greece or abroad, in the context of its relevant activities.
• Access of clearing members (obtaining, maintaining and managing clearing membership) to the clearing system, keeping a record of clearing members, communication with clearing members, charging, managing and controlling authorized users of clearing members in the clearing system, etc.
• Carrying out educational, certification or training activities on capital market issues relating in particular to the operation of the clearing or settlement systems administered by ATHEXCLEAR and the services it provides, based on the general rules, regulations and technical procedures applicable and in force from time to time.
• Management of internal and external users in applications provided by ATHEXCLEAR.
• Security of the company's information systems and infrastructure, including the management of user access to applications, logical accesses, security incidents and vulnerabilities, as well as logs, to the extent that the processing is strictly necessary and proportionate to the intended purpose.

The legal basis for the processing of personal data carried out for the fulfilment of purposes c1 - c5, is the fact that the processing is necessary a) for the compliance of the company with its legal obligations, as derived from Regulation (EU) 648/2012 (Article 6(1)(c) of the GDPR) and b) for the performance of a task carried out in the public interest (Article 6(1)(c) of the GDPR). c) of the GDPR) and b) for the performance of a task carried out in the public interest (Article 6(6)(c) of the GDPR). 1(e) of the GDPR) due to the institutional role of ATHEXCLEAR in the Greek capital market, which operates as a central counterparty and clearing system operator, in accordance with the provisions of the Regulation on the Clearing of Transactions in Book-Entry Securities and the Clearing of Orders issued pursuant to Article 73 of Law No. 3606/2007, the decision of the Board of Directors of ATHEXCLEAR No. 103/28.7.2014 and the approval decision 1/704/22-01-2015 of the Securities and Exchange Commission.

The legal basis for the processing carried out in pursuit of purpose c6 is the fact that the processing of the data is necessary for the performance of a contract between the natural person and ATHEXCLEAR (Article 6(1)(b) of the GDPR) and in particular for the provision by ATHEXCLEAR of training and/or certification services, for which the natural person has expressed interest by sending the relevant application form.

For processing c7, depending on the relationship that ATHEXCLEAR has with the natural person, when the processing is carried out within the framework of a cooperation-service agreement that the natural person has concluded with ATHEXCLEAR, the legal basis is the fact that the data processing is necessary for the execution of the cooperation agreement between the natural person and ATHEXCLEAR (article 6 par.1(b) of the GDPR). If the natural person is an executive of a person with whom ATHEXCLEAR has entered into a cooperation agreement, on the basis of which the natural person has obtained the status of a user of ATHEXCLEAR's applications, ATHEXCLEAR processes the data in order to ensure the successful, timely and efficient execution of this of the contract and legal basis for said data processing is ATHEXCLEAR's legitimate interest, which consists in particular in the smooth execution of the contract it has with the natural person's employer (Article 6 par.1(f) of the GDPR).

Furthermore, regarding the processing carried out in pursuit of purpose c8, the legal basis is the legal interest of ATHEXCLEAR (Article 6 par.1(f) of the GDPR), which consists in ensuring the security of the network, systems and information her.

Recipients of Personal Data

The companies ensure that your personal data will be processed by the necessary, in any case, their personnel, who have received the necessary information on the safe processing of your personal data. In addition, recipients of your data are:

a) Natural and legal persons, to whom the companies entrust the execution of specific tasks on their behalf such as, among others, the other companies of the Group (ATHEX, ATHEXCSD or ATHEXCLEAR) in the cases in which they offer the companies services related to those described in present information on processing purposes, file storage and management companies, providers of auditing services, development services, maintenance, configuration of IT applications, providers of e-mail services, internet hosting services including cloud services, providers of electronic teleconferencing platforms. The cooperating persons, who act as processors of personal data, have been informed and committed in advance to respect the confidentiality of your data, are aware of and follow our instructions regarding the processing of personal data and take all appropriate measures to protection of them.

b) Supervisory, control or other authorities and bodies within the framework of their statutory powers, duties and powers (such as the Capital Market Commission and ESMA) when the transmission to them is required by law or provided for by it, companies licensed and authorized by the above authorities to act as intermediaries to achieve the transmission as well as statutory auditors or auditing companies.

Data transfers to countries outside the European Economic Area (EEA) or to an international organization

Your personal data is not transferred to third countries (outside the EEA).

Data retention period

Your personal data is kept only for the period required by law as well as for a reasonable period required by the nature of these processings and only for as long as necessary to achieve their purpose.

Rights of the subject of personal data

According to Regulation (EU) 679/2016 (GDPR), as a data subject, you have the following rights, which may be exercised on a case-by-case basis:

• Right of access to your personal data
• Right to correct and/or complete your data
• Right to erasure/right to be forgotten
• Right to restriction of processing
• Right to portability of your data
• Right to object to the processing of your data
• Exercise of rights
   

If you wish to receive further information regarding the processing of your personal data or to exercise any of your above rights, you can address the companies through physical mail, depending on the company you wish, to: Hellenic Stock Exchanges ? Athens Stock Exchange S.A., or Hellenic Securities Depository S.A., or Athens Stock Exchange Clearing Company S.A., Athens Avenue 110, 104 42 Athens, attention: Data Protection Officer (DPO), or by e-mail to Data Protection Officer (DPO) of the Company at: dataprotectionofficer@athexgroup.gr.

Our response to your request will take place within (1) one month of receiving it and will not incur any cost to you. The above deadline may be extended for a period of two (2) additional months, due to the complexity or number of requests, in which case you will be informed of the extension and the reasons thereof as soon as possible and at the latest within one month of receipt of the request

Security of personal data

Companies implement an information security management system and take appropriate organizational and technical measures to ensure confidentiality, secure data processing and protect it from accidental or unlawful destruction, loss, alteration, prohibited dissemination or access, as well as from any other form of unfair processing. It is noted that the authorized personnel of the companies have received the appropriate training and guidance.

Submit complaints

In the event that you consider that: a) one of your requests has not been satisfied sufficiently and legally or b) the right to the protection of your personal data is violated by any processing we carry out, you have the right to submit a complaint to the Personal Data Protection Authority (postal address: Kifissias 1-3, PO Box 115 23, Athens, https://www.dpa.gr/, tel. 210 6475600, e-mail: contact@dpa.gr).