The WAIZ App is an application (hereinafter “the App” or “WAIZ”) offered by NATIONAL BANK OF GREECE S.A (hereinafter “NBG” “we”, “us”, “our”) that provides Account Information Services and Payment Initiation Services, as set out in Law 4537/2018 [which transposed Directive EU 2015/2366 (PSD II) into Greek legislation]. For more information regarding the function of the App please read our Terms and Conditions of Use for the App (which can be found here).

The purpose of this privacy statement is to provide information to you as a potential and/or existing user of the WAIZ App regarding the processing of your personal data by NBG as the data controller, pursuant to the provisions of the General Data Protection Regulation 2016/679 (GDPR), when using the WAIZ App or visiting our website.

WAIZ acknowledges and gives top priority to its requirement to comply with the applicable regulatory and legal framework on banking secrecy and on the protection of individuals with regard to the processing of their personal data.

1.Who we are

NATIONAL BANK OF GREECE S.A., a public limited banking company, registered in the General Commercial Registry (GEMI), with the GEMI Νο. 237901000, website https://www.nbg.gr, headquartered in 86, Eolou street, 102 32, Athens, has the full copyrights on the App. Moreover, National Bank of Greece is Controller of the personal data you enter when using the App, as per the following. Please note that for your personal data related to the bank accounts you add to the WAIZ App, each bank you are a client to acts also as an independent data controller of the said data and therefore for more information, please be informed of their respective Privacy Policies.

2.What personal can data be processed

Personal data is any data relating to a person who is identified or who can be identified (such as a name, an identification number, or an online identifier).

Personal data you provide.

You may give us your personal data by registering to WAIZ and using our Services, interacting with the App or our website, or by corresponding with us via email, phone or otherwise. Examples of personal data you may provide us with, include:

 

Note that you should inform WAIZ the soonest possible about any change in the aforesaid data.

Personal data from connected banks in the context of the Account Information Service.

If you connect one of your banks to our App, we will automatically collect some financial information from your connected banks, such as:

 

Personal data we collect from you.

When you use the App or our website we may collect information such as:

 

3.Purposes of processing your personal data

PURPOSE

LEGAL BASIS

We process your personal data insofar as is necessary for the provision of services and smooth functioning of the App. This allows you, inter alia, to securely connect to the App and enables you to have all your online bank accounts in one place, to start payments and to review specific details regarding your accounts and transactions, so you can manage your money more easily and efficiently.

 

The processing of your personal data is necessary to meet the obligations we undertake to you by accepting the terms and conditions of use of the App.

Provision of Account Information Services

The processing of your personal data is necessary to access and use information of the accounts you link to the App, as per your explicit consent provided to us in accordance with the Terms and Conditions of Use for the App.

Provision of the Payment Initiation Service

The processing of your personal data is necessary to initiate a payment, as per your explicit consent provided to us in accordance with the Terms and Conditions of Use for the App.

We process your personal data so as to organise, and to enable you to take part in, competitions, draws and other reward programmes related to the use of the App in order to enable us to check the validity of participating entries, to contact winners, and give out the prizes.

 

The processing of your personal data is necessary to meet the obligations we undertake to you by accepting the terms and conditions of participation in competitions, prize draws, and other reward programmes.

In addition, we process your personal data for the following purposes:

•   to improve the content and the services that you’re offered through the App,

•   to send you notifications about weekly or monthly reports, spending and balance alerts, challenges, new features of the App,

•   to give you relevant Smart Insights and suggest relevant Actions within the App,

 

•   to provide updates to make the most out of the App’s products and/or services (e.g. updates about new features or functionalities or ways to make better use of them, and your information about or participation in, reward programmes, prize draws, competitions, and so on),

•   to improve your experience and make the App services better for you,

•   to assess how you use the App and the website and analyse that data,

•   to set up a secure connection between your device and the App,

•   to take action, if we need to defend our legal rights under the App Terms and Conditions of Use if you breach any laws or regulations or our App Terms and Conditions of Use,

•   to resolve potential requests/complaints that you may make,

•   to perform research and trend analysis, depending on the way you use the App, so as to optimise your experience,

•   to better align WAIZ products and services with the way you use the application,

•   to resolve any technical issues at app and user level.

The processing of your personal data is necessary for the purposes of the legitimate interests of WAIZ.

 

Furthermore, we process your personal data as part of WAIZ’s compliance with the obligations established by the applicable legal and regulatory framework, such as Law 4557/2018 on the prevention and combating of money laundering and the financing of terrorism, as well as the prevention of the provision of financial services to individuals and legal entities, beneficial owners and/or countries or jurisdictions subject to international financial and trade sanctions, as well as Directive 2015/2366 on payment services (PSD2) transposed into Greek legislation by Law 4537/2018.

 

The processing of your personal data is necessary for WAIZ to comply with its legal obligations under the applicable legal and regulatory framework.

Finally, to the extent that a legal ground described above would not apply to processing of your personal information by us, we will seek your consent for such specific purpose in accordance with applicable law.

The processing of your personal data may be based on your explicit and up-to-date consent.

In such a case you have the right to withdraw your consent at any time. Revocation of your consent does not affect the legality of the processing based on your consent prior to its revocation.

 

4.Recipients with whom your data can be shared

Recipients of the data that we are obliged or entitled to disclose, by law or regulation or court order or in the context of lawful operation of the data subjects’ business and contractual relationship, may be third parties (natural or legal persons), public authorities, services or other bodies, such as:

A.Third parties, natural or legal persons, acting by order and on behalf of WAIZ where they help us to run our service or the technology systems that are needed to operate our App and services, including the following categories:

1.Contact center services and Customer relation management companies,

2.Analysis and market research and product promotion companies,

3.Advisory firms, including financial advisors and auditors of WAIZ,

4.Data storage providers, to safely and securely store your data,

5.Aggregation service providers, where necessary in order to retrieve Account Information for use in the App on your behalf,

6.Email services, e.g. to send you regular updates or communication,

7.Website and app analytics,

8.Software and application development providers, for the development and smooth operation of the application.

9.Cloud services providers, for hosting certain functions of the app and storing data.

 

B.Supervisory, judicial, independent and other authorities at national and European level to meet WAIZ’s obligation under law or regulation or court judgment.

 

In the event of data being transmitted to third parties within the scope of data processing activities, then such third parties are obliged to adhere to the applicable legal and regulatory framework including the General Data Protection Regulation (2016/679) and have been contractually obliged to comply with all legal and regulatory requirements.

5.Provisions in the event of any transmission of personal data to non-EEA ("third") countries (cross-border transmission)

In the context of WAIZ’s operations your personal data is not transferred outside of the European Economic Area (EEA). However, if necessary, the said transfer is effected in accordance with the provisions of European legislation on Companies registered in member states within the European Economic Area (EEA), or the local legal framework as regards Companies registered outside the European Economic Area (EEA). Personal data may only be disclosed to third countries outside the European Economic Area (EEA) if the foreign law provides for an adequate level of data protection. If the foreign law does not provide an adequate level of data protection, personal data may only be transferred to such country if either the data subject has explicitly consented to the transfer, or if data protection is provided for by an adequate data transfer agreement (i.e. if you, as the data subject, have explicitly given your consent for this transfer). We ensure, through appropriate procedures, that the required procedures are carried out by the local authorities, as well as that each third party involved ensures the safe processing of personal data transmitted.

6.Data retention period

Your personal data are held for the length of time necessary for the fulfilment of the purpose of processing as set out hereinabove. Otherwise, we may retain your personal data for the period required in order to:

In any event your personal data may be retained for up to 20 years after total deletion of your WAIZ account and the termination or expiration of the agreement with you in any way whatsoever. If upon the lapse of the twenty (20)-year period there are ongoing judicial proceedings with the Bank related to the provision of WAIZ services, directly or indirectly affecting you, the said data retention period shall be extended until the issue of a final judgement.

 

7.Action taken when the data retention period has expired

In the event that the data retention period has expired, we pay special attention to how this data is destroyed. To this end, once we have ascertained that it is not necessary to keep records for compliance with legal and regulatory requirements or for the protection of our interests, we have established and implement a respective procedure that is based on the guidelines of the Hellenic Data Protection Authority. We shall ensure that the said process for destroying records containing personal data also binds third parties/data processors who provide services to WAIZ.

8.Your rights on the protection of your personal data

Following verification of your identity, you, as a Data Subject, have the following rights:

Right to Information

WAIZ must provide you with any information in relation to the processing of your personal data, including what data WAIZ processes, for what purpose, and for how long WAIZ keeps them, in a concise, understandable and easily accessible form, using clear and simple wording.

Right of Access

You have the right to obtain from WAIZ confirmation as to whether or not personal data of yours are being processed, and, if so, you have the right to access said personal data.

Right to Rectification

You have the right to require of WAIZ rectification of any inaccurate or incomplete personal data of yours and the right to have incomplete personal data completed.

Right to Erasure

You have the right to request WAIZ to erase your personal data, which can be met if certain conditions are met.

Right to Restriction

You have the right to request WAIZ to restrict processing of your data under certain conditions.

Right to Object

You have the right to object, at any time, to the processing of personal data concerning you. WAIZ shall then no longer process your Personal Data unless it demonstrates compelling legitimate grounds for the processing, which override the interests, rights and freedoms of yours or for the establishment, exercise or defence of legal claims.

Right to Obtain Human Intervention

You have the right to ask from WAIZ not to be subject to a decision based solely on automated processing, including profiling, which generate legal effects concerning you or similarly affect you significantly.

Right to Portability

You have the right to ask WAIZ to give you the personal data that you have provided them, in a structured, commonly-used and machine-readable format or to ask WAIZ to transmit such data to another controller.

 

In order to further facilitate the exercise of your respective rights, we ensure the development of internal procedures so as to respond in a timely and effective manner to your relevant requests.

You can contact NBG’s Data Protection Officer about issues regarding the processing of your personal data at 93 Eolou St. Athens 10551, Greece or by sending an email to dpo@nbg.gr or by visiting any of the Bank’s branches.

If you believe that the protection of your data has been compromised in any way, you can also lodge a complaint with the Data Protection Authority using the following contact details:

Website: www.dpa.gr/
Address: 1-3 Kifissias Avenue, 115 23, Athens T: +30 210 6475600 F: +30 210 6475628 contact@dpa.gr

9.Cookies

We may collect identification data about visitors/users of the WAIZ website by using relevant technologies such as cookies and/or Internet Protocol (IP) address tracking. Cookies are small text files that are stored on the hard drive of each visitor/user and do not access any document or file from someone’s computer. They are used to facilitate visitor/user access to the use of specific services and/or site pages for statistical purposes and in order to determine the areas that are useful or popular, as well as to assess the effectiveness of the site and to improve the performance of the site. These data may also include the type of browser used by the visitor/user, the type of computer, its operating system, Internet service providers and other information of this kind. In addition, the site's information system automatically collects information about the sites the visitor/user visits and about the links to third-party websites he may choose through the use of WAIZ's website.

The visitor/user of the website can get detailed information about the categories of cookies used on WAIZ's website through the relevant explanatory screen. It should be noted that the cookies that are technically necessary in order to link to and navigate around the webpage or to be provided with a service cannot be deactivated. For the rest categories of cookies, which are optional, the visitor/user of the website should choose whether they wish to activate them and, if so, provide their consent

If the visitor/user of the website does not allow the use of optional cookies, then he may lose some additional information/functionality as mentioned in the cookie setup page.

By using the optional cookies, we can leverage the capabilities provided by Google Analytics, and in particular by Display Advertising, utilizing the remarketing features to promote its products and/or services online. In particular, third-party vendors, including Google, display advertising messages from WAIZ on various websites on the Internet. WAIZ and third-party vendors, including Google, use cookies (such as the Google Analytics cookie) or third-party cookies (such as DoubleClick cookie) jointly to update, optimize, and service promotional messages based on previous visits of someone on WAIZ’s website.

Our website visitors/users may declare that they do not wish to receive relevant messages and be excluded from future actions in Display Advertising and adjust Google Display Network ads using Ads Settings or activate, if they so wish, the Google Analytics opt-out browser add-on via the link https://tools.google.com/dlpage/gaoptout link (looking for further help at https://support.google.com/chrome/answer/187443? hl = en).

The visitor/user of the WAIZ website may delete the cookies and disable their use by selecting the browser he uses listed below and following the instructions:

 

If using another browser, the user/visitor to the WAIZ website should refer to the relevant information of its provider.

For more information and to customize your cookie preferences, please go to Cookie Settings on our webpage.

10.Update-amendments to the privacy statement

We may update, supplement and/or amend this Privacy Statement in accordance with the applicable regulatory and legislative framework. In such case, the updated Statement will be posted on the WAIZ website (https://www.nbg.gr) and will also be available in the App.