Gordian Holdings Limited
Data Protection Notice - May 2019


This notice sets out details of how personal information relating to you, as a borrower, adviser, security provider, or guarantor or as an authorised representative/agent or beneficial owner of legal entities or of natural persons who are borrowers, advisers, security providers or guarantors ("Personal Data"), will be handled by Gordian Holdings (referred to as ‘we’, ‘us’, ’our’ or ‘the Company’) as controller of the Personal Data and / or on the Company’s behalf by its third party service providers in accordance with the General Data Protection Regulation (“GDPR”) and the Cyprus Data Protection Law 125(I)2018 as amended or replaced from time to time (hereinafter the “Cyprus Data Protection Law”). The Company is committed to protecting your privacy and handling your data in an open and transparent manner.


This privacy statement


- is directed to natural persons who are current customers of the Company, or are authorised representatives/agents or beneficial owners of legal entities or of natural persons which/who are current customers of the Company,

- provides an overview of how we collect and process your personal data and tells you about your rights under the local data protection law and the EU General Data Protection Regulation (‘GDPR’),

- contains information about when we share your personal data with third parties (for example, our service providers or suppliers).

In this privacy statement, your data is sometimes referred to as “personal data” or “personal information”. We may also sometimes collectively refer to handling, collecting, protecting and storing your personal data or any such action as “processing” such personal data.


For the purposes of this statement, personal data shall mean any information relating to you from which you may be identified, and which includes, for example, your name, address date of birth and identification number.



1. Who we are


On 30 May 2019 (from now on referred to as the “Transfer Date”) Bank of Cyprus Public Company Limited transferred your loan(s) and other obligations to Gordian Holdings Limited (from now on referred to as “Gordian”). Gordian Holdings is authorised by the Central Bank of Cyprus as a credit acquiring company with registration number in the Republic of Cyprus ΗΕ 378128.

If you have any questions, or want more details about how we use your personal information, you can contact us at dataprotection@gordianholdings.com.



2. What personal data we process and where we collect it from


We collect and process different types of personal data which we received from Bank of Cyprus (hereinafter the “BoC”) within the context of the purchase of your loan, we may also process personal data that we receive from you or through your representative(s).


We may collect and process personal data which we lawfully obtain from other parties for example credit reference agencies such as Artemis Bank Information Systems Limited, public authorities, trace agencies, adverse media and sanctions databases, lawyers and servicers.


We may also collect and process personal data from publicly available sources (e.g. the Department of Registrar of Companies and Official Receiver, the Land Registry, the Bankruptcy Archive, commercial registers, the press and the Internet).


If you are a borrower, the Company processes your Personal Data including information provided in the original application for your mortgage loan and information that was collected or created by the original lender and personal information that we collect, generate or observe while administering your mortgage loan. This information will include:



a. Information you provided to Bank of Cyprus; this may include your name and address (including evidence of name and address), contact details, date of birth, gender, nationality, photograph, signature, occupational history, marital status, dependents, job title, employment history, current income and expenses, assets, other financial information, bank details (including bank account statements), property ownership and personal debts, number of dependent children, personal investments and investment income, life insurances (life insurance companies, policy numbers, current surrender values, personal public service number, tax residence and tax ID, credit reference agency data [e.g. Artemis], residence or work permit in case of non-EU nationals, own and/or third party security [e.g. if an existing personal guarantor], employment position [e.g. as per corporate certificates of directors/shareholders]. Nature and term of the employment relationship, proof of tax return submissions, statements and transaction history, property documentation for house financing [e.g. property description, property valuation reports, construction and municipal permits, land registry reports, sale agreements].


b. Special Categories of Data provided to the Company; this might include health information processed in accordance with the regulations and guidance of the Central Bank of Cyprus, including details of any illness, disease, condition or disability that might affect your ability to work or otherwise impact your financial circumstances.


c. Information that the Company collects, generates or observes; this might include information relating to assets, management services, emails, call recordings and website usage data.


d. Information that the Company obtains from third party sources; this might include information procured in accordance with the Company’s obligations under anti-money laundering regulation including any political affiliations you may have and record of any criminal background or financial sanctions, as well as any past or current adverse media in relation to you. For further details on our processing of criminal convictions data please see section 6 |(b) below. This might also include information obtained from public websites, adverse media searches and information received from intermediaries.


Such third parties include:
- Credit reference agencies
- Third parties that provide information regarding criminal background, economic sanctions and political associations
- Agencies that perform asset traces or occupancy checks


For Commercial borrowers; in addition to the above, business records, i.e. cash flows and balance sheets and business management information as well as tax declarations, proof of tax return submissions, purpose of financing, collateral information, property documentation [property description, Land Registry report, property valuation reports].


For individuals who have provided personal guarantees; personal data arising from the performance of our contractual obligation, name, address, contact details (telephone, email), identification data, EU basic payment account identification, birth date, place of birth (city and country), marital status, employed/self-employed, personal data disclosing your economic and financial background and credit reference agency data [e.g. Artemis], if you hold/held a prominent public function (for PEPs), criminal background and/or financial sanctions, authentication data [e.g. signature], tax information (e.g. defence tax, tax residency, tax identification number), financial info (as expected annual credit/debit turnover, nature of transactions, source of income, source of assets,), information on any third-party beneficiaries.


For individuals who are authorised representatives/agents of borrowers or directors or beneficial owners of borrower companies; personal data, which we collect and process for you, may include your name, address, contact details (telephone, email), identification data, EU basic payment account identification, birth date, place of birth (city and country), if you hold/held a prominent public function (for PEPs), criminal background and/or financial sanctions, authentication data [e.g. signature].



3. Whether you have an obligation to provide us with your personal data

We may request additional personal data in relation to you, in order to comply with the terms of our agreements with you and fully meet our contractual and legal obligations. The personal information that we request may be required in order to meet the provisions of the money laundering and/ or counter- terrorist financing regulations.



4. Why we process your personal data and on what legal basis


As mentioned earlier we are committed to protecting your privacy and handling your data in an open and transparent manner and as such we process your personal data in accordance with the GDPR and the Cyprus Data Protection law, for one or more of the following reasons:


A. For the performance of a contract

We process personal data in order to perform our duties and meet our obligations to you pursuant to your mortgage loan agreement and to exercise our rights under our contracts with you..


B. For compliance with a legal obligation

There are a number of legal obligations emanating from the relevant laws to which we are subject as well as statutory requirements, e.g. the Arrears Directive, anti-money lander and counter-terrorist financing directives and laws and tax laws. There are also various supervisory authorities to whose laws and regulations we are subject e.g. the tax authorities, the Central Bank of Cyprus, the Unit for Combatting Money-Laundering (MOKAS). Such obligations and requirements impose on us necessary personal data processing activities for credit checks, identity verification, compliance with court orders, tax law or other reporting obligations and anti-money laundering controls. These activities may include;


- the credit acquiring company business, tax and regulatory obligations, including its related reporting obligations, the management of its credit and mortgage loans, loan reporting obligations to the Central Bank of Cyprus and credit history reporting to Artemis and other related obligations imposed upon the Company.


- To assist the Company’s auditors in the auditing of Company in accordance with its legal obligations.


- We are required to carry out certain checks, including checks related to political affiliations, financial sanctions, and previous criminal allegations or convictions. This may require us to process information about criminal convictions and offences. This processing is necessary in order for us to manage the loan agreement with you in accordance with our legal obligations.


- To investigate, detect, prevent or prosecute crimes in relation to the prevention of fraud, money laundering, market abuse and/or terrorist financing, including "know your customer" and other necessary onboarding and ongoing customer checks as well as potentially reporting relevant information to the money laundering and fraud prevention authorities as required.


C. For the purposes of safeguarding legitimate interests

We may process personal data so as to safeguard the legitimate interests pursued by us or by a third party. A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you.


Examples of such processing activities include:

• Initiating legal claims and preparing our defence in litigation procedures,
• Means and processes we undertake to provide for the Company’s IT and system security, preventing potential crime, asset security, admittance controls and anti-trespassing measures,
• Measures to manage business,
• Sharing your personal data within the Company’s group and shareholder,
• Sharing information with purchasers and potential purchasers,
• The transfer, assignment and/or sale of loans or assets held by the Company.


D. You have provided your consent

In order to manage and administer your (or the legal or natural persons for whom you are an authorised representative/agent or beneficial owner) loan or security or guarantee effectively we may need to meet specific requests or proposals in support of which you provide health related data in accordance with the Code of Conduct for Handling Borrowers in Financial Difficulties and any other relevant current or future regulations and guidance. Provided that you have given BoC your explicit consent for processing then the lawfulness of some of our processing may be based on that consent, which has passed to the Company as loan owner. You have the right to revoke consent at any time. However, any processing of personal data prior to the receipt of your revocation will not be affected.


Please note that you have a right to object to the processing of your Personal Data where that processing is carried out for our legitimate interests or to withdraw your consent, should we rely upon your consent for processing the special categories of data specified above.


If you do not provide, or if you withdraw your consent for processing special categories of Personal Data, as specified above, we may not be able to manage and administer your loan (or that of the legal or natural persons for whom you are an authorised representative/agent or beneficial owner), security or guarantee and provide you with the services you require, or meet your specific requests. This is particularly relevant in relation to requests for forbearance, for which additional Personal Data may be requested. In all instances in which we request your personal information, we will, where applicable, identify if there is a statutory reason for requesting such information and we will explain the consequences for you if you do not provide it.



5. Who receives your personal data


In the course of the performance of our contractual and statutory obligations your personal data may be provided to relevant service providers and/or other third parties including other companies that support our business. Various service providers and suppliers may also receive your personal data so that we may perform our obligations. Such service providers and suppliers enter into contractual agreements with the Company by which they observe confidentiality and data protection according to the Cyprus Data Protection Law and GDPR. Under the circumstances referred to above, recipients of personal data may include, for example:

- Our servicers and advisers
- Shareholders and investors
- Supervisory and other regulatory and public authorities, for example the Central Bank of Cyprus, tax authorities, criminal prosecution authorities, the Unit for Combatting Money-Laundering (MOKAS)
- Credit and financial institutions such as correspondent banks and the European Investment Fund
- The bank(s) through which your payments are processed
- Valuators and surveyors
- Our legal advisors 
- Our corporate administrators including the company secretary 
- Appointed receivers/managers
- Asset trace investigators
- Estate agents
- Potential purchasers and purchasers of assets or loans 
- Debt collection agencies
- Credit reference agencies (ARTEMIS)
- Auditors and accountants
- Marketing companies and market research companies
- Fraud prevention agencies
- File storage companies, archiving and/or records management companies, cloud storage companies
- Purchasing and procurement and website agencies.



6. Transfer of your personal data to a third country or to an international organisation


The disclosure of your Personal Data to the third-party recipients set out above may involve the transfer of data to the USA, and other jurisdictions outside the European Economic Area ("EEA"), which are not the subject of an adequacy decision by the EU Commission. Such countries may not be subject to equivalent data protection laws as countries within the EEA. Any transfer of your Personal Data to jurisdictions outside the EEA may only occur in accordance with the requirements of the GDPR and the Cyprus Data Protection Law.



7. To what extent there is automated decision-making and whether profiling takes place


In establishing and carrying out a business relationship, we generally do not use any automated decision-making. We may process some of your data automatically, with the goal of assessing certain personal aspects (profiling), in order to enter into or perform a contract with you, where data assessments (including on payment transactions) are carried out in the context of combating money laundering and fraud.



8. How long we keep your personal information for


We will keep your personal data for as long as we have a business relationship with you as an individual or in respect of our dealings with a legal entity you are authorized to represent or are beneficial owner and thereafter as required or permitted by law.


Once our business relationship with you (or the legal or natural person which/who you are authorized to represent or are the beneficial owner of) has ended, we may keep your data for up to ten (10) years in accordance with the directive of the Data Protection Commissioner (http://www.dataprotection.gov.cy).


We may keep your data for longer than 10 years if we cannot delete it for legal, regulatory or technical reasons, for example if it is the subject of ongoing litigation or legal enquiry.



9. Your data protection rights


You have the following rights in terms of your personal data we hold about you. We will normally respond to your request within one month, unless your request requires us to carry out further investigation or is considered excessive, in which case, we will respond within 3 months from the date of receiving your request. In accordance with your rights under the GDPR and Cyprus Data Protection Law, you may:


- Receive details with regard to the personal data that we hold on you and request access to your personal data. To raise a request please contact us at dataprotection@gordianholdings.com


- Request correction [rectification] of the personal data we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.


- Request erasure of your personal information. This enables you to ask us to erase your personal data [known as the ‘right to be forgotten’] where there is no good reason for us continuing to process it.


- Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.

- Request the restriction of processing of your personal data. This enables you to ask us to restrict the processing of your personal data, i.e. use it only for certain things, if;

• it is not accurate;
• it has been used unlawfully but you do not wish for us to delete it;
• it is not relevant any more, but you want us to keep it for use in possible legal claims;
• you have already asked us to stop using your personal data but you are waiting us to confirm if we have legitimate grounds to use your data.


- Request to receive a copy of the personal data concerning you in a format that is structured and commonly used and transmit such data to other organisations. You also have the right to have your personal data transmitted directly by ourselves to other organisations you will name [known as the right to data portability].


- Withdraw the consent that you gave us with regard to the processing of your personal data at any time. Note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn or revoked by you. As noted in Section 6 D. above, withdrawal of consent may inhibit our ability to manage your loan in accordance with your wishes. To exercise any of your rights, or if you have any other questions about our use of your personal data, please contact dataprotection@gordianholdings.com.


- Right to lodge a complaint
If you have exercised any or all of your data protection rights and still feel that your concerns about how we use your personal data have not been adequately addressed by us, you have the right to complain by writing to us as the address on our website www.gordianholdings.com or email us at dataprotection@gordianholdings.com. You also have the right to complain to the Office of the Commissioner for Personal Data Protection. Find out on their website how to submit a complaint (http://www.dataprotection.gov.cy).



10. Changes to this privacy statement

We may modify or amend this privacy statement from time to time.
A current and up to date statement will be available on our website. We encourage you to review this statement periodically so as to be always informed about how we are processing and protecting your personal information.