Gordian Holdings Limited
Data Protection Statement
This privacy statement explains how we use any personal data we collect about you or that you provide to us.
Gordian Holdings Limited (“we/us/our/Company’/ ‘Gordian”) is authorised by the Central Bank of Cyprus as a credit acquiring company with registration number ΗΕ 378128. Pursuant to the provisions of Article 18 of the Sale of Credit Facilities and other Related Matters Law of 2015 (Law 169 (I)/2015) as amended, and in accordance with the provisions of the Scheme of Arrangement between Gordian and Bank of Cyprus Public Company Limited (“BOC”) dated 21 May 2019 which became effective on 30 May 2019, the rights and obligations of BOC under a number of facilities, securities and judgements were legally transferred to Gordian (the “Transfer”).
For the purposes of this privacy statement, the controller of your personal data is Gordian. This means that we, either alone or jointly with others (for example our service providers) will determine who and how your personal data is processed.
“Personal data” means information which either by itself or when combined with other information that we hold or which is available to us, can be used to identify you. We are committed to protecting your privacy and handling your data in an open and transparent manner and as such we process your personal data in in accordance with the General Data Protection Regulation (“GDPR”) and the local data protection law, in particular, the Cyprus Data Protection Law 125(I)2018 as amended or replaced from time to time ( “Cyprus Data Protection Law”).
If you have any questions about this privacy statement, or if you wish to exercise any rights mentioned in it, you can contact us at firstname.lastname@example.org
2. What personal data we process and where we collect it from
We collect and process personal data which we or our agents (i) received from BoC within the context of the Transfer; (ii) collected from you or your representative(s); (iii) lawfully collected from Credit Reference Agencies and/or Fraud Prevention Agencies; (iv) lawfully collected from other third parties, our external lawyers and/or servicers; (v) collected from publicly available sources (such as the Department of Registrar of Companies and Official Receiver, the Land Registry, the Bankruptcy Archive, commercial registers, the press and the Internet).
a. If you are a borrower with us, we generally always collect and process: Information you or your agents and/or representatives provided to BOC, or its agents when you applied for a loan facility and/or granted a security in favour BOC, or which was collected by BOC at the time, where such facilities and/or securities were transferred to Gordian pursuant to the Transfer. Such information, may include: your title, name and address and address history (including evidence of name and address), contact details (such as telephone and mobile numbers and email address), date of birth, gender, nationality, photograph, signature, occupational history, marital status, dependents, job title, your financial details such as salary or other income and expenses, assets, other financial information, bank details (including bank account statements), property ownership and personal debts, number of dependent children, personal investments and investment income, life insurances (life insurance companies, policy numbers, current surrender values), personal public service number, tax residence and tax ID, personal data about you which is obtained from third parties (such as credit reference agencies like Artemis and publicly available sources such as records of debt judgements and bankruptcy information), residence or work permit in case of non-EU nationals, own and/or third party security granted, employment position (e.g. whether you are a director/ secretary of a company), nature and term of the employment relationship, proof of tax return submissions, statements and transaction history, property documentation for house financing (e.g. property description, property valuation reports, construction and municipal permits, land registry reports, sale agreements) and any other information you provided to BOC or its agents.
b. Special categories of data provided to us, BOC (in accordance with (a) above), or our agents; this might include health information including details of any illness, disease, condition or disability that might affect your ability to work or otherwise impact your financial circumstances.
c. Information that we collect, generate or observe; this might include information relating to assets, management services, emails, call recordings and website usage data.
d. Information that we obtain from third party sources; this might include information procured in accordance with our obligations under anti-money laundering laws and regulations including any political affiliations you may have and records, of any criminal background or financial sanctions against you, as well as any past or current adverse media in relation to you. This might also include information obtained from public websites, information received from intermediaries acting for us. Such third-party sources may include:
- Credit Reference Agencies.
- Third parties that provide information regarding criminal background, economic sanctions and/or political associations.
- Agencies that perform asset tracing or occupancy checks.
If you are a corporate borrower, in addition to the aforementioned data, we may collect and process your business records, i.e. cash flows and balance sheets and business management information as well as tax declarations, proof of tax return submissions, purpose of financing, collateral information, property documentation (property description, Land Registry reports, property valuation reports).
If you are an authorised representative/ agent or beneficial owner of a legal entity or of a natural person who is a borrower or our customer (including an actual or potential buyer of a property from us), or an individual tenant of a property owned by us, or a vendor who provide services to us, the relevant personal data which we may collect and process may include: Name, address, contact details (telephone, email), EU basic payment account identification, birth date, place of birth (city and country), marital status, employed/self-employed, personal data disclosing your economic and financial background and credit reference agency data, if you hold/held a prominent public function (for PEPs), , authentication data (e.g. signature), tax information (e.g. defence tax, tax residency, tax identification number).
If you are a security provider (e.g. guarantor for a credit facility), in addition to the aforementioned personal data, we may collect also: criminal background and/or financial sanctions data, personal data disclosing your economic and financial background (such as annual credit/ debit turnover, nature of transactions, source of income and source of assets), information on any third party beneficiaries.
If you are an individual who has consented to receiving marketing material from Gordian, the relevant personal data which we collect and process may include: your name and contact details (telephone, email).
3. Whether you have an obligation to provide us with your personal data
We may request additional personal data in relation to you, in order to comply with the terms of our agreements with you and fully meet our contractual and legal obligations. The personal information that we request may be required in order to meet the provisions of the money laundering and/ or counter- terrorist financing regulations.
4. Why we process your personal data and on what legal basis
As mentioned above, we are committed to protecting your privacy and handling your data in an open and transparent manner and as such we process your personal data in accordance with the GDPR and the Cyprus Data Protection law, for one or more of the following reasons:
i. For the performance of a contract
We process personal data in order to perform financial transactions and services based on contracts with our customers but also to be able to complete our acceptance procedures so as to enter into a contract with prospective customers. The purpose of processing data depends on the requirements of each service and the relevant contract terms and conditions provide more details of the relevant purposes.
ii. For compliance with a legal obligation
There are a number of legal obligations emanating from the relevant laws and regulations to which we are subject as well as statutory requirements, e.g. the Sale of Credit Facilities and other Related Matters Law, the Arrears Management Directive, the Directive on Governance and Management Arrangements, the Anti-Money Laundering and Counter-Terrorist Financing Laws and regulations, Tax Laws. There are also various supervisory authorities to whose laws and regulations we are subject to e.g. the tax authorities, the Central Bank of Cyprus, the Unit for Combatting Money-Laundering (MOKAS). Such obligations and requirements impose on us necessary personal data processing activities for credit checks, identity verification, compliance with court orders, tax law or other reporting obligations and anti-money laundering controls. These activities may include:
- The credit acquiring company business, tax and regulatory obligations, including its related reporting obligations, the management of its credit and mortgage loans, loan reporting obligations to the Central Bank of Cyprus and credit history reporting to Artemis and other related obligations imposed upon the Company.
- To assist the Company’s auditors in the auditing of Company in accordance with its legal obligations.
- We are required to carry out certain checks, including checks related to political affiliations, financial sanctions, and previous criminal allegations or convictions. This may require us to process information about criminal convictions and offences. This processing is necessary for us to manage the loan agreement with you in accordance with our legal obligations.
- To investigate, detect, prevent or prosecute crimes in relation to the prevention of fraud, money laundering, market abuse and/or terrorist financing, including "know your customer" and other necessary onboarding and ongoing customer checks as well as potentially reporting relevant information to the money laundering and fraud prevention authorities as required.
iii. For the purposes of safeguarding legitimate interests
We process personal data to safeguard the legitimate interests pursued by us or by a third party. A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. Examples of such processing activities include:
- Initiating legal claims and preparing our defence in litigation procedures
- Means and processes we undertake to provide for the Company’s IT and system security, preventing potential crime, asset security, admittance controls and anti-trespassing measures
- Measures to manage business
- Sharing your personal data within the Company’s group and/or shareholder
- Sharing information with potential and actual purchasers of properties,
- Our own and risk management
- The transfer, assignment and/or sale to one or more persons of loans or assets held by the Company and/or charge and/or encumbrance over, any or all of the Company’s benefits, rights, title or interest under any agreement between the customer and the Company.
iv. You have provided your consent
Provided that you have given to Gordian, and as regards the facilities and/or securities which were transferred to Gordian from BOC pursuant to the Transfer, to BOC, your explicit consent for processing (other than for reasons set out herein above) then the lawfulness of some of our processing is based on that consent,. You have the right to revoke consent at any time. However, any processing of personal data prior to the receipt of your revocation will not be affected.
Examples of when we process personal data with your consent are:
- When you request us to share your data with someone else
- When you indicate you wish to receive direct marketing from us
- For special categories of personal data such as data regarding your health or if you have special circumstances which may require us to tailor how we communicate with you; in such circumstances we will explain to you when we ask for your consent what purpose and how we will use your data.
5. Who receives your personal data
In the course of the performance of our contractual and statutory obligations, your personal data may be provided to other entities within our Group. Various service providers may also receive your personal data so that we may perform our obligations. Such service providers enter into contractual agreements with the Company by which they observe confidentiality and data protection according to the Cyprus Data Protection Law and GDPR.
We may disclose data about you for any of the reasons set out above, or if we are legally required to do so, or if we are authorised under our contractual, regulatory or statutory obligations or if you have given your consent. All data processors appointed by us to process personal data on our behalf are bound by contract to comply with the GDPR provisions. Under the circumstances referred to above, recipients of personal data may be, for example:
- Our servicers and financial and business advisors.
- Our shareholders and investors.
- Supervisory and other regulatory and public authorities where a statutory obligation exists. Some examples are the Central Bank of Cyprus, tax authorities, criminal prosecution authorities, the Unit for Combatting Money-Laundering (MOKAS).
- Credit and financial institutions such as correspondent banks.
- The bank(s) through which your payments are processed.
- Valuators and surveyors.
- External legal firms.
- Our corporate administrators including the company secretary.
- Asset trace investigators.
- Estate agents.
- Potential or actual purchasers and/or transferees and/or assignees and/or charges of the Company’s assets and/or loans and/or any of the Company’s benefits, rights, title or interest under any agreement between the customer and the Company, and their professional advisors, service providers, suppliers and financiers.
- Debt Collection Agencies.
- Credit reference agencies (e.g. ARTEMIS).
- Auditors and accountants.
- Marketing companies (where you have provided consent) and market research companies.
- Fraud prevention agencies.
- File storage companies, archiving and/or records management companies, cloud storage companies.
- Purchasing and procurement and website agencies.
6. Transfer of your personal data to a third country or to an international organisation
The disclosure of your personal data to the third-party recipients set out above may involve the transfer of data to jurisdictions outside the European Economic Area ("EEA"), which are not the subject of an adequacy decision by the EU Commission. Such countries may not be subject to equivalent data protection laws as countries within the EEA. Any transfer of your personal data to jurisdictions outside the EEA may only occur in accordance with the requirements of the GDPR and the Cyprus Data Protection Law.
7. To what extent there is automated decision-making and whether profiling takes place
In establishing and carrying out a business relationship, we generally do not use any automated decision-making. We may process some of your data automatically, with the goal of assessing certain personal aspects (profiling), in order to enter into or perform a contract with you, where data assessments (including on payment transactions) are carried out in the context of combating money laundering and fraud.
8. How we treat your personal data for marketing activities and whether profiling is used for such activities
We may process your personal data to tell you about products, services and offers that may be of interest to you or your business. The personal data that we process for this purpose consists of information you provide to us and data we collect and/or infer when you use our services. We may study all such information to form a view on what we think you may need or what may interest you.
We can only use your personal data to promote our products and services to you if we have your explicit consent to do so.
You have the right to object at any time to the processing of your personal data for marketing purposes by contacting us at email@example.com
9. How long we keep your personal information for
We will keep your personal data for as long as we have a business relationship with you as an individual or in respect of our dealings with a legal entity you are authorised to represent or are beneficial owner and thereafter as required or permitted by law.
Once our business relationship with you (or the legal or natural person which/who you are authorised to represent or are the beneficial owner of) has ended, we may keep your data for up to ten (10) years. This period is based on a mixture of our legal and regulatory obligations and limitation periods. The reasons for keeping your data are:
- To respond to queries or complaints or regulatory requests; and
- To maintain records according to any rules that apply to us.
We may keep your data for longer than 10 years if we cannot delete it for legal, regulatory or technical reasons, for example if it is the subject of ongoing litigation or legal enquiry.
For prospective customer personal data (such as where you give us data but don't subsequently proceed with the purchase of a property from us), or authorised representatives/agents or beneficial owners of a legal entity prospective customer, we shall keep your personal data for a limited period of time from the date of sharing such data with us.
10. Your data protection rights
You have the following rights in terms of your personal data we hold about you. We will normally respond to your request within 30 calendar days from receipt of all required identification, unless your request requires us to carry out further investigation or is considered excessive, in which case, we will respond within 3 months from the date of receiving your request.
- The right to receive access to your personal data. This enables you to e.g. receive a copy of the personal data we hold about you and to check that we are lawfully processing it. In order to raise a data subject request please contact us at firstname.lastname@example.org
- The right to request correction (rectification) of the personal data we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
- The right to request erasure of your personal data. This enables you to ask us to erase your personal data (known as the ‘right to be forgotten’) where there is no good reason for us continuing to process it. Please note however that this right does not take precedence over our obligations as a regulated business to retain your data in certain circumstances.
- The right to object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.
- The right to object where we are processing your personal data for direct marketing purposes. If you object to processing for direct marketing purposes, then we shall stop the processing of your personal data for such purposes.
- The right to request the restriction of processing of your personal data. This enables you to ask us to restrict the processing of your personal data, i.e. use it only for certain things, if:
• it is not accurate;
• it has been used unlawfully but you do not wish for us to delete it;
• it is not relevant anymore, but you want us to keep it for use in possible legal claims;
• you have already asked us to stop using your personal data, but you are waiting us to confirm if we have legitimate grounds to use your data.
- The right to request to receive a copy of the personal data you have provided to us concerning you in a format that is structured and commonly used and transmit such data to other organisations. You also have the right to have your personal data transmitted directly by ourselves to other organisations you will name (known as the right to data portability).
- The right to withdraw the consent that you gave us with regard to the processing of your personal data at any time. Note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn or revoked by you. It is noted that, withdrawal of consent may inhibit our ability to manage your loan in accordance with your wishes.
To exercise any of your rights, or if you have any other questions about our use of your personal data, please contact email@example.com. We endeavour to address all of your requests promptly.
Right to lodge a complaint
If you have exercised any or all of your data protection rights and still feel that your concerns about how we use your personal data have not been adequately addressed by us, you have the right to complain by writing to us as the address on our website www.gordianholdings.com or email us at firstname.lastname@example.org. You also have the right to complain to the Office of the Commissioner for Personal Data Protection. Find out on their website how to submit a complaint at http://www.dataprotection.gov.cy
11. Other websites
Our website may contain links to other websites. This privacy statement only applies to this website. Other websites will have their own privacy policies. We do not control these third-party websites and are not responsible for their use of your personal data.
12. Changes to this privacy statement
We keep our privacy statement under regular review, and we may modify or amend it from time to time. We will place any updates on the relevant section on our website, so that a current and up to date statement will be available on our website. We encourage you to review this statement periodically to be always informed about how we are processing and protecting your personal information.