ATHEXCSD is the data controller for the processing of personal data carried out due to your status as a User of the ATHEXCSD Public Tender Service System, in the context of your working relationship with a Participant/Bank. The Company's headquarters are located in Athens, 110 Athinon St., P.O. 10442, contact phone: +30 210-3366800, email: protocol@athexgroup.gr.

The Company collects and processes the personal data that is absolutely necessary for the following purposes:

a. to access the Public Tender Service System of ATHEXCSD, as an authorized user of the Participant/Bank, following the relevant request/agreement of the Participant/Bank with which you maintain a working relationship.
b. for ATHEXCSD's response to the respective requests of the Participant/Bank as they are submitted by you, as his/her authorized persons, and for communication with you in the context of the needs of executing public tender servicing services.
c. for the security of ATHEXCSD's information systems and infrastructure, including the management of your access to applications, logical accesses, security incidents and vulnerabilities, as well as log files, to the extent that the processing is strictly necessary and proportionate to the intended purpose.

The personal data that ATHEXCSD processes is collected either directly from you or your employers, or from your use of ATHEXCSD applications and platforms. The personal data processed by ATHEXCSD, as the case may be, are:

• Basic details of a natural person (e.g. full name) 
• Contact information (email, phone number)
• Digital Data (e.g. username, logs of accesses and commands registered in applications/platforms, IP address)

It is noted that, due to the complex nature of the processing and the role of ATHEXCSD in the Greek capital market, more than one legal processing basis may be applied on a case-by-case basis for the above-mentioned processing purposes. Specifically:

The processing of your data in pursuit of the above purposes a and b is carried out to ensure the successful, timely and effective execution of the contract between ATHEXCSD and the Participant/Bank who is your employer. Therefore, the legal basis for this processing is the legal interest of ATHEXCSD, which consists in particular in the orderly execution of the contract that ATHEXCSD has with the Participant/Bank (Article 6 par. 1f of the GDPR).

At the same time, given that the above processing concerns the use of systems / applications / platforms (such as the Public Tender Service System), the provision and operation of which results from the institutional role of ATHEXCSD in the Greek capital market, a legal basis for the processing of the data to you is the fact that the processing is necessary for the fulfillment of a task performed in the public interest (article 6 par. 1e' of the GDPR), and in particular in the context of the institutional role of ATHEXCSD, based on Regulation (EU) 909/2014 and of Law 4569/2018 for the central securities depositories, and based on the Regulation of Operation of ATHEXCSD which has been drawn up pursuant to Law 4569/2018, and Decision 8 of the Board of Directors. of ATHEXCSD.

The legal basis for the processing carried out in pursuit of the above purpose c is the fact that the processing of your data is necessary for the purposes of the legal interests of ATHEXCSD (Article 6 par. 1f of the GDPR) and in particular for the security of the information system of ATHEXCSD against random events, illegal/malicious actions, which jeopardize the availability, authenticity, integrity and confidentiality of personal data processed by ATHEXCSD.

ATHEXCSD ensures that access to your personal data is only available to the necessary, in any case, company personnel, who have received the appropriate information on the safe processing of your personal data.

In addition, recipients of your data are natural and legal persons, to whom the Company assigns the execution of specific tasks on its behalf such as, among others, system maintenance and technical support providers, software service providers and information security service providers. In addition, the recipients of your data are the other companies of the ATHEX Group (ATHEX, ATHEXCLEAR) in the cases in which they offer ATHEXCSD services related to the processing purposes described in this update. The persons in question, acting as processors of personal data, have been informed and committed in advance to respect the confidentiality of your data, are aware of and follow the instructions of ATHEXCSD regarding the processing of personal data and take all appropriate measures to protection of them. It is also noted that the other companies of the Group may, on a case-by-case basis, receive your data within the framework of their own institutional competences, when this is required by the intended purpose of processing.

Furthermore, the recipients of your necessary personal data may be, on a case-by-case basis, the Capital Market Commission, as well as other supervisory, audit, independent, judicial, public and/or other authorities and bodies within the framework of their statutory powers, duties and powers when the transmission to them is required by law or provided for by it.

Your personal data is not transferred to third countries (outside the EEA).

Your personal data are kept only for the reasonable period of time required by the nature of their processing and only for as long as necessary to achieve its purpose, unless there is a contrary legal obligation to keep them.

If you wish to receive further information regarding the processing of your personal data or to exercise any of your above rights, you may contact the Company by physical mail to: Hellenic Central Depository of Securities S.A., 110 Athinon Avenue, 104 42 Athens , Attention: Data Protection Officer (DPO) or via email to the Data Protection Officer (DPO) of the Athens Stock Exchange Group at the email address dataprotectionofficer@athexgroup.gr.

Our response to your request will take place within (1) one month of receiving it and will not incur any cost to you. The above deadline can be extended for a period of two (2) additional months, due to the complexity or number of requests, in which case you will be informed of the extension and the reasons for it as soon as possible and at the latest within a month of receiving the request.

According to the GDPR, as a data subject, you have the following rights, which may be exercised on a case-by-case basis:

• Right of access to your personal data
• Right to correct and/or complete your data
• Right to erasure/right to be forgotten
• Right to restriction of processing
• Right to object to the processing of your data
• Right to portability of your data 

ATHEXCSD implements an information security management system to ensure privacy, secure data processing and protect it from accidental or unlawful destruction, loss, alteration, prohibited dissemination or access, as well as from any other form of unlawful processing.

The company has taken appropriate organizational and technical measures for the security and protection of your data from any form of accidental or unlawful processing. It is noted that the specially authorized staff, who process your personal data, have received the appropriate training, guidance and information.

The measures taken are reviewed and modified at regular intervals or when deemed necessary based on new needs and technological developments.

In the event that you consider that: a) one of your requests has not been satisfied sufficiently and legally or b) the right to the protection of your personal data is violated by some processing that we carry out, you have the right to submit a complaint to the Personal Data Protection Authority (postal address Kifisias 1-3, PO Box 115 23, Athens, https://www.dpa.gr/, tel. 210 6475600, e-mail: contact@dpa.gr).