Gordian Holdings Limited
Data Protection Notice - June 2023
This privacy statement explains how we, Gordian Holdings Limited, a limited liability company incorporated under the laws of the Republic of Cyprus with registration number HE378128 and authorized by the Central Bank of Cyprus as a credit acquiring company (“we”/”us”/”our”/”Gordian Holdings”), use any personal data we collect about you or that you provide to us, in your capacity as i) a user of the website operated by Gordian Holdings, and/or ii) real estate agent or tenderer and/or buyer of a property owned by us which is advertised on the website https://gogordian.com or otherwise promoted by Gordian Servicing Limited (“Gordian Servicing”/ the “Servicer”), acting for and on behalf of and/or in accordance with the our instructions, iii) a borrower or a security provider connected to the portfolio owned by Gordian Holdings.
Gordian Holdings appointed Gordian Servicing, a credit servicer authorised by the Central Bank of Cyprus, under the terms of a servicing agreement and/or a general power of attorney, and in line with best practices and in full adherence with applicable laws and regulations, to provide the following non-exhaustive list of services: loan administration, debt recovery, property repossession, property management and administration and the promotion and marketing of properties for sale.
For the purposes of this privacy statement, due to the need of Gordian Holdings to determine the means and purposes of the processing of personal data, and to process personal data in line with its own professional and/or regulatory and/or legal obligations, Gordian Holdings and the Servicer shall be considered separate controllers of your personal data. This means that Gordian Holdings shall carry out such processing in accordance with its own obligations and duties under the Cyprus Data Protection Law and the GDPR (as such terms are defined below).
“Personal data” means information which either by itself or when combined with other information that we hold or which is available to us, can be used to identify you.
We are committed to protecting your privacy and handling your data in an open and transparent manner and as such we process your personal data in accordance with the General Data Protection Regulation (“GDPR”) and the local data protection law, in particular, the Cyprus Data Protection Law 125(I)2018 as amended or replaced from time to time (“Cyprus Data Protection Law”).
If you have any questions about this privacy statement, or if you wish to exercise any rights mentioned in it, you can contact us at firstname.lastname@example.org.
2. What personal data we process and where we collect it from
We collect and process personal data which have been/are (i) provided to Gordian Servicing by you in its capacity as our servicer (and which personal data were obtained by you or from various sources), (ii) collected from/provided by you or your representative(s); (iii) lawfully collected from Credit Reference Agencies and/or Fraud Prevention Agencies; (iv) lawfully collected from other third parties, our external lawyers and/or servicers; (v) collected from publicly available sources (such as the Department of Registrar of Companies and Official Receiver, the Land Registry, the Bankruptcy Archive, commercial registers, the press and the Internet).
In relation to (i):
a. if you are a borrower or a security provider, the personal data which were obtained, may include:
- your title, name and address and address history (including evidence of name and address), contact details (such as telephone and mobile numbers and email address), date and place of birth, gender, nationality, photograph, authentication data (e.g. signature), occupational history, marital status, dependents, employment status, job title, your financial details such as salary or other income and expenses, assets, other financial information, bank details (including bank account statements), property ownership and personal debts, number of dependent children, personal investments and investment income, life insurances (life insurance companies, policy numbers, current surrender values), personal public service number, tax residency and tax ID, if you hold/held a prominent public function (for PEPs), personal data about you which is obtained from third parties (such as credit reference agencies like Artemis Credit Bureau and publicly available sources such as records of debt judgements and bankruptcy information), residence or work permit in case of non-EU nationals, own and/or third party security granted, employment position (e.g. whether you are a director/ secretary of a company), nature and term of the employment relationship, proof of tax return submissions, statements and transaction history, property documentation for house financing (e.g. property description, property valuation reports, construction and municipal permits, land registry reports, sale agreements).
- sensitive data such as health information including details of any illness, disease, condition or disability that might affect your ability to work or otherwise impact your financial circumstances.
b. If you are a corporate borrower in addition to the aforementioned data, the personal data which were obtained may also include business records, i.e. cash flows and balance sheets and business management information as well as tax declarations, proof of tax return submissions, purpose of financing, collateral information, property documentation (property description, Land Registry reports, property valuation reports).
c. If you are an authorised representative/ agent or beneficial owner of a legal entity , or an individual tenant of a property owned by us, the personal data which were obtained may also include: your name, address, contact details (telephone, email), EU basic payment account identification, birth date, place of birth (city and country), marital status, employed/self-employed, personal data disclosing your economic and financial background and credit reference agency data, if you hold/held a prominent public function (for PEPs), authentication data (e.g. signature), tax information (e.g. defense tax, tax residency, tax identification number).
In relation to ii), iv) and v) above, information that we collect, generate or observe might include information relating to: assets which are relevant to our services, our services generally, emails, call recordings and website usage data. More particularly, such information may include information set out in a) to c) above and:
d. If you are a tenderer/interested buyer for or successful buyer of a property owned by us , or an individual tenant of such a property, which property is promoted and managed (in each case) by us or Gordian Servicing for sale, or if you are our vendor or potential vendor, the relevant personal data which we may collect and process may include: your name, address, contact details (telephone, email), EU basic payment account identification, birth date, place of birth (city and country), marital status, employed/self-employed, personal data disclosing your economic and financial background and credit reference agency data, if you hold/held a prominent public function (for PEPs), authentication data (e.g. signature), tax information (e.g. defense tax, tax residency, tax identification number).
e. If you are an individual who has consented to receiving marketing material from Gordian Servicing, the relevant personal data collected and processed may include: your name and contact details (telephone, email).
In relation to iii) above, information that we obtain from third party sources might include information procured in accordance with our and/or the Servicer’s obligations under anti-money laundering laws and regulations, including any political affiliations you may have and records of any criminal background or financial sanctions against you, as well as any past or current adverse media in relation to you. Such third-party sources may include:
- Public websites
- Credit Reference Agencies.
- Third parties that provide information regarding criminal background, economic sanctions and/or political associations.
- Agencies that perform asset tracing or occupancy checks.
- Intermediaries acting for us.
3. Whether you have an obligation to provide us with your personal data
We may request additional personal data in relation to you, in order to perform and fully meet our contractual, legal and/or regulatory obligations. The personal information that we request may be required in order to meet the provisions of the money laundering and/ or counter-terrorism financing regulations.
4. Why we process your personal data and on what legal basis
As mentioned above, we are committed in protecting your privacy and handling your data in an open and transparent manner and as such we process your personal data in accordance with the GDPR and the Cyprus Data Protection law, for one or more of the following reasons:
i. For the performance of a contract
We process personal data in order to perform our contractual obligations . We also process personal data in order to perform transactions and services based on contracts with our customers or interested or successful buyers of properties owned by us, but also to be able to complete our acceptance procedures so as to enter into a contract with prospective customers. The purpose of processing data depends on the requirements of each service. The relevant contract terms and conditions provide details of the purpose of the data processing.
ii. For compliance with a legal obligation
There are a number of legal obligations emanating from laws and regulations to which we are subject to, e.g. the Sale of Credit Facilities and other Related Matters Law, the Arrears Management Directive, the Directive on Governance and Management Arrangements, the Anti-Money Laundering and Counter-Terrorist Financing Laws and regulations and Tax Laws. There are also various supervisory authorities to whose laws and regulations we are subject to e.g. the tax authorities, the Central Bank of Cyprus, the Unit for Combatting Money-Laundering (MOKAS). Such obligations and requirements impose on us necessary personal data processing activities for credit checks, identity verification, compliance with court orders, tax law or other reporting obligations and anti-money laundering controls. These activities may include:
• the credit and/or property servicing business, tax and regulatory obligations, including related reporting obligations the management of credit and mortgage loans, loan reporting obligations to the Central Bank of Cyprus and credit history reporting to Artemis and other related obligations.
• to assist auditors in their auditing of our business and/or, where required our business in accordance with legal obligations.
• to carry out certain checks, including checks related to political affiliations, financial sanctions, and previous criminal allegations or convictions. This may require us to process information about criminal convictions and offences.
• the investigation, detection and prevention of crimes relating to fraud, money laundering, market abuse and/or terrorist financing. The actions taken include the "know your customer" procedures and other necessary onboarding and ongoing customer checks for potentially reporting the relevant information to the money laundering and fraud prevention authorities as required.
iii. For the purposes of safeguarding legitimate interests
We process personal data to safeguard the legitimate interests pursued by us, or by a third party. A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. Examples of such processing activities include:
• initiating legal claims and preparing defense in litigation procedures
• means and processes we undertake to provide for the IT and system security, preventing potential crime, asset security, admittance controls and anti-trespassing measures
• measures to manage business,
• sharing your personal data within the our corporate group and/or shareholder,
• completing the sale of a property and/or asset owned by us,
• executing the transfer and/or assignment, and/or sale to one or more persons of loans or assets held by us and/or to charge and/or encumbrance over, any or all of our benefits, rights, title or interest under any agreement between us and our customer.
• the transfer and/or assignment to one or more persons of our rights and obligations under any servicing agreement.
iv. You have provided your consent
Provided that you have given to us or the Servicer, and, your explicit consent for processing (other than for reasons set out herein above) then the lawfulness of some of our processing is based on that consent. You have the right to revoke consent at any time. However, any processing of personal data prior to the receipt of your revocation will not be affected.
Examples of when we process personal data with your consent are:
• When you request us to share your data with someone else
• When you indicate you wish to receive direct marketing from us or the Servicer
• For special categories of personal data such as data regarding your health or if you have special circumstances which may require us to tailor how we communicate with you; in such circumstances we will explain to you when we ask for your consent what purpose and how we will use your data.
5. Who receives your personal data
In the course of the performance of our contractual and statutory obligations, your personal data may be provided to the Servicer or other entities within our corporate group. Various service providers may also receive your personal data so that we may perform our contractual, legal and/or regulatory obligations. Such service providers enter into contractual agreements with us, pursuant to which they are bound contractually to maintain the confidentiality and protection of your data in line with the Cyprus Data Protection Law and the GDPR.
We may disclose data about you for any of the reasons set out above, or if we are legally required to do so, or if we are authorised under our contractual, regulatory or statutory obligations or if you have given your consent. All data processors appointed by Gordian Holdings and/or the Servicer to process personal data are bound by contract to comply with the GDPR provisions. Under the circumstances referred to above, recipients of personal data may be, for example:
• Our servicers and financial and business advisors.
• Our shareholders and investors.
• Our supervisory and other regulatory and public authorities where a statutory obligation exists. Some examples are the Central Bank of Cyprus, tax authorities, criminal prosecution authorities, the Unit for Combatting Money-Laundering (MOKAS).
• Credit and financial institutions such as our and/or our correspondent banks.
• The bank(s) through which your payments to us are processed.
• Valuers and surveyors.
• External legal firms.
• Corporate administrators including our company secretary.
• Asset trace investigators.
• Real Estate agents.
• Potential or actual purchasers and/or transferees and/or assignees and/or chargees of our assets and/or loans; and/or benefits, rights, title or interest under any agreement with its customer(s), and their professional advisors, service providers, suppliers and financiers.
• Debt Collection Agencies.
• Credit reference agencies (e.g. ARTEMIS Credit Bureau Ltd).
• Auditors and accountants.
• Marketing companies (where you have provided consent) and market research companies.
• Fraud prevention agencies.
• File storage companies, archiving and/or records management companies, cloud storage companies.
• Purchasing and procurement and website agencies.
6. Transfer of your personal data to a third country or to an international organisation
The disclosure of your personal data to the third-party recipients set out above may involve the transfer of data to jurisdictions outside the European Economic Area ("EEA"), which are not the subject of an adequacy decision by the EU Commission. Such countries may not be subject to equivalent data protection laws as countries within the EEA. Any transfer of your personal data to jurisdictions outside the EEA may only occur in accordance with the requirements of the GDPR and the Cyprus Data Protection Law.
7. To what extent there is automated decision-making and whether profiling takes place
In establishing and carrying out a business relationship, we generally do not use any automated decision-making. We may process some of your data automatically, with the goal of assessing certain personal aspects (profiling), in order to enable you to enter into or perform a contract, where data assessments (including on payment transactions) are carried out in the context of combating money laundering and fraud.
8. How we treat your personal data for marketing activities and whether profiling is used for such activities
We may process your personal data to tell you about products, services and that may be of interest to you or your business. The personal data that we process for this purpose consists of information you provide to us and/or the Servicer and data we collect and/or infer when you use our services. We may study all such information to form a view on what we think you may need or what may interest you.
We can only use your personal data to promote our products and services to you if we have your explicit consent to do so.
You have the right to object at any time to the processing of your personal data for marketing purposes by contacting us at email@example.com.
9. How long we keep your personal information for
We will keep your personal data for as long as we (either directly or through the Servicer) have a business relationship with you and/or as required or permitted by law.
Once the aforesaid business relationship with you has ended, we may keep your data for up to ten (10) years. This period is based on a mixture of our legal and regulatory obligations and limitation periods. The reasons for keeping your data are:
• To respond to queries or complaints or regulatory requests; and
• To maintain records according to any rules that apply to us.
We may keep your data for longer than 10 years if we cannot delete it for legal, regulatory or technical reasons, for example if it is the subject of ongoing litigation or legal enquiry.
10. Your data protection rights
You have the following rights in terms of your personal data we hold about you. We will normally respond to your request within 30 calendar days from receipt of all required identification, unless your request requires us to carry out further investigation or is considered excessive, in which case, we will respond within 3 months from the date of receiving your request.
a. The right to receive access to your personal data. This enables you to e.g. receive a copy of the personal data we hold about you and to check that we are lawfully processing it. In order to raise a data subject request please contact us at firstname.lastname@example.org
b. The right to request correction (rectification) of the personal data we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
c. The right to request erasure of your personal data. This enables you to ask us to erase your personal data (known as the ‘right to be forgotten’) where there is no good reason for us continuing to process it. Please note however that, we may need to retain your data notwithstanding your request, in order to enable us to comply with regulatory obligations.
d. The right to object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.
e. The right to object where we are processing your personal data for direct marketing purposes. If you object to processing for direct marketing purposes, then we shall stop the processing of your personal data for such purposes.
f. The right to request the restriction of processing of your personal data. This enables you to ask us to restrict the processing of your personal data, i.e. use it only for certain things, if:
- it is not accurate;
- it has been used unlawfully but you do not wish for us to delete it;
- it is not relevant anymore, but you want us to keep it for use in possible legal claims;
- you have already asked us to stop using your personal data, but you are waiting us to confirm if we have legitimate grounds to use your data.
g. The right to request to receive a copy of the personal data you have provided to us concerning you in a format that is structured and commonly used and transmit such data to other organisations. You also have the right to have your personal data transmitted directly by us to other organisations you will name (known as the right to data portability).
h. The right to withdraw the consent that you gave to us (directly or via the Servicer), with regard to the processing of your personal data at any time. Note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn or revoked by you. It is noted that, withdrawal of consent may inhibit our ability to provide you with services in accordance with your wishes.
To exercise any of your rights, or if you have any other questions about our use of your personal data, please contact email@example.com. We endeavour to address all of your requests promptly.
Right to lodge a complaint
If you have exercised any or all of your data protection rights and still feel that your concerns about how we use your personal data have not been adequately addressed by us, you have the right to complain by writing to us as the address on our website www.gordianholdings.com or email us at firstname.lastname@example.org. You also have the right to complain to the Office of the Commissioner for Personal Data Protection. Find out on their website how to submit a complaint at http://www.dataprotection.gov.cy.
11. Other websites
Our website may contain links to other websites. This privacy statement only applies to this website. Other websites will have their own privacy policies. We do not control these third-party websites and are not responsible for their use of your personal data.
12. Changes to this privacy statement
We keep our privacy statement under regular review, and we may modify or amend it from time to time. We will place any updates on the relevant section on our website, so that a current and up to date statement will be available on our website. We encourage you to review this statement periodically to be always informed about how we are processing and protecting your personal information.