Themis Portfolio Management Limited using Altia as the registered trademark (hereinafter referred to as “The Company”, “we”) is a credit servicer company that operates in Cyprus, subject to the licence and supervision of the Central Bank of Cyprus.
The provision of these services largely depends on the processing of large amount of information, including personal data.
The Company respects the privacy of all physical persons whose personal data are processed by the Company. This Privacy Policy is therefore addressed to a) the Company’s website users, and b) the Company’s customers, namely security collateral providers, borrowers, their guarantors and their representatives, beneficial owners or other officers of borrower companies or other related individuals (“data subjects”, “you”) whose personal data may be processed as a result of the credit acquisition by The Company and as required in the course of providing its Asset Management Services. As part of our normal operations, we may process personal data of the directors and employees of our Service Providers and other trade vendors, recruitment candidates, members of our Board of Directors and other advisors and onsite visitors and guests.
We encourage you to read this Privacy Policy which sets out important details about how your personal data are processed by The Company in accordance with Data Protection Law, including but not limited to the EU General Data Protection Regulation 2016/679 (“GDPR”), the Cyprus Data Protection legislation 125(I)2018 and the Cyprus legislation governing the electronic communications and postal services 112(I)2004.
The Company is the data controller of your personal data, which means that we are responsible for determining the purpose and the means of processing of your personal data.
Our DPO can be reached at dpo@themispm.com
Tel: +357 22255333
In relation to your personal data, we will seek to ensure that the data are:
We process various categories of personal data including, but not limited to the following:
# | Business Relationship | Types of Personal Data we Process | Legal Bases |
Corporate Obligors (borrowers and / or guarantors and / or security providers) | We process the personal data listed below, in the context of the Loan agreement to which the Corporate Obligor is a party in whichever capacity (borrower, guarantor or security provider). Such personal data may relate to the Directors and Officers, employees and legal representatives of the legal person, as well as other physical persons responsible for the interaction with the Company’s personnel.
| Contract Consent (for special categories of personal data in accordance with Art.9 of the GDPR) | |
2 | Obligors (borrowers, security providers, guarantors) – physical persons | The following personal data are processed in the context of the Loan Agreement between the Obligor and the Company, especially in the context of identifying a mutually agreeable solution and loan restructurings:
| Contract Consent (for special categories of personal data in accordance with Art.9 of the GDPR) |
3 | Real Estate Bidders and Interested Buyers | The Company executes promotional and sales processes on behalf of real estate asset owners, and as a facilitator for direct property sales. In this context, the Company processes the following personal data:
| Contract Consent (for special categories of personal data in accordance with Art.9 of the GDPR) Legislation for those personal data which are stipulated by legal or regulatory obligations (e.g. AML Law) Consent for marketing communications relating to properties of interest |
4 | Employees | “Master Data” [full name, ID, Social Security number, address, marital status, children, age, gender, personal emails] “Recruitment Data” [academic records, experience, previous employers, references] Evaluation & Performance Information [salary, appraisals, promotions, disciplinary data, complaints and resulting investigations, appeals against HR decisions] Occupational data [languages, special skills, driver license] Operational data [sales, locations of travel, training records, leave of absence, timesheets / arrival and departure times, passports and IDs in support of business travel arrangements] Financial data [payroll, payroll-related, life insurance details, family status, bank account details] | Contract |
5 | Applicants | CV information, including:
Clean Police / Criminal Record | Contract Consent (for special categories of personal data in accordance with Art.9 of the GDPR) |
6 | Website Users and Visitors |
| Consent Legitimate Interest (for browsing the site) |
7 | Visitors |
| Legitimate Interest |
We collect personal data about you in a variety of ways. As mentioned above, most of your personal data were collected by The Company from your former creditor (i.e. your Bank or other Credit Institutions). We may also require the collection of additional data directly from you for the purpose of providing our Services.
Furthermore, we may collect data about you from third parties, such as the Artemis Data Registries, other credit reference agencies as well as public authorities such as the Land Registry, the Registrar of Companies, the Central Bank, or any third party with which you have entered into an agreement to represent you in any proceedings or other aspects which affect your relationship with The Company in any manner.
The Company may process your personal data as described below on the basis of at least one of the legal grounds under GDPR Article 6 (1) and the conditions provided under GDPR Articles 9(2) and 10.
The Company relies on the following legal bases when processing your personal data:
As described above, most of your personal data have been collected by The Company as a result of the portfolio transfer from your original creditor to The Company, either at the time of the transfer or subsequently, based on The Company’s own data collection and privacy management procedures.
However, we may require the collection of additional information from you when necessary to provide our services as described in this Privacy Policy. If you refuse to provide such necessary personal data or if you decide to withdraw your explicit consent for processing of special categories of data (see section 5 above), it is highly likely that we will not be able to provide our services to you.
Pursuant to our contractual, statutory and regulatory obligations we may share your personal data with various organisations/companies, such as debt collection agencies, credit reference agencies, fraud detection/prevention agencies, our legal advisors, credit reference or other agencies as required, in order to facilitate the restructuring or management of your loans by The Company. In addition, public authorities (e.g. the tax authorities) or other supervisory or regulatory authorities (e.g. The Unit for Combating Money Laundering (MOKAS) or the Central Bank of Cyprus) may become recipients of your personal data as required under applicable law.
There may be instances where we may need to allow access to or disclosure of your data to our service providers, such as our legal advisors, property valuers, IT consultants, etc..
At The Company we take all reasonable and necessary steps (either by a direct agreement in accordance with GDPR Art. 28 or by other legally binding arrangements) to ensure that our service providers (data processors) that process personal data on behalf of The Company comply with Data Protection Law and our instructions regarding the processing of your personal data.
GDPR imposes obligations to Data Controllers and Data Processors which in several cases are dependent upon consistent implementation of relevant measures and controls across their own operations as well as those of their Data Processors. Our policy is to process personal data with due regard to the security, privacy and protection of the data we receive, store and process.
This privacy policy explains the types of such technical and organizational measures that we employ so as to enhance the level of protection of personal data that we process. These measures the key ones of which are outlined below, are designed to maximise the control over privacy in accordance to GDPR and have the objective of providing a level of security that is appropriate to the related risks.
You have the following rights under GDPR with regards to the processing of your personal data:
You also have the following rights in certain circumstances:
Please note that some of the rights mentioned above are not absolute. They are subject to exceptions under GDPR and applicable depending on the legal basis we rely on in each case.
You may request to exercise your rights by sending an email to dpo@themispm.com.
We endeavour to respond to requests within 30 days, although we reserve the right to extend this period to two additional months when the requests require a disproportionate effort. Before assessing any request, The Company will request a valid ID from the data subject.
In cases where significant changes have been made regarding the processing of your personal data, we will inform you accordingly and update this Privacy Policy. This version of the Policy has been approved for issue on June 14th 2021.
# | Term | Definition |
|
Personal Data | Also referred to as “personally identifiable information (or “PII”), personal data is any information relating to an identified or identifiable living natural person (the “data subject”) |
|
Legal Basis of Processing |
The basis on which the processing of personal data may be based and may be one of the following:
|
|
Legitimate Interest | Our lawful interests in conducting and managing our business to enable us to give you the best services and / or products and secure and private by design experience. In choosing to perform personal data processing under the legal basis of legitimate interest, we seek to ensure that we consider and balance any potential impact on you (both positive and negative) and your rights before doing so. As a general principle, we do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). |
|
Data Controller | The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. |
|
Data Processor | A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller. |
|
Data Protection Officer | A Data Protection Officer (or “DPO”) is a security leadership role required by the GDPR. The DPO is responsible for (a) overseeing data protection strategy and implementation within an organization; (b) ensuring compliance with GDPR requirements; (c) the provision of advice to the Data Controller or the Data Processor and their staff in relation to personal data processing; and (d) to cooperate with Data Protection Authorities and supervisory bodies in all privacy and data protection matters. |
|
Cross-border Transfers | Transfers of personal data outside the European Economic Area in physical and / or electronic form |
Company
Information
© 2023 Altia. All rights reserved.
© 2023 Altia. All rights reserved.