This Personal Data Protection Policy (hereinafter the 'Policy') is made pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter the 'General Data Protection Regulation' or 'GDPR') and Greek Law 4624/2019 on the Protection of Individuals Regarding Processing of Personal Data
2. DATA CONTROLLERThe data controller is Up Hellas, a Greek company, whose registered office is located at Dragatsaniou street, 6, 10559, Athens (Greece), hereinafter “Up Hellas”. It is noted for completeness of information purposes that Up Hellas is acting as an Independent Data Controller, along with Up Aganea, the latter being an Electronic Money Institution registered in in the Mercantile Registry of Madrid, in volume 33.127, folio 31, section 8, page M-596190 (henceforth referred to as “Up Aganea”), who is acting as an Independent Data Controller, having its own Privacy Policy.
3. DATA PROTECTION OFFICER / CONTACTUp Hellas has appointed a Data Protection Officer (hereinafter the 'DPO'). For any information concerning the processing of personal data by Up Hellas, please contact our DPO:
The Policy governs the processing of personal data by Up Hellas in connection with the provision of Up EXPENSE cards and associated services (hereinafter the 'Products' and/or 'Services')
5. PERSONS CONCERNEDThe persons concerned by the processing carried out by Up Hellas under the conditions defined below are:
Processing for the purpose of providing the Products and Services by Up Hellas.
Purposes of the processing | Type of necessary data Processed | Legal basis of the processing | Data retention periods |
---|---|---|---|
1. Acting as Distributor in the provision of issuance payment services | First name, last name, Date of birth, Identification number (Passport number or ID number or TAX number) of individuals (legal representative and ultimate beneficiary owner). | Performance of the contract | 6 years from the end of the contractual relationship |
6 years from the end of the contractual relationship | Last name, first name, professional e-mail address. | Performance and application of services of the contract | The personal data contained in the online ordering platform is kept for as long as the platform account is active, plus 13 months after the online platform account is deactivated. |
3.a Authenticate and allow Users/Cardholders to access the Services provided (application and its functionalities) to create a profile in the mobile app allowing the User/Cardholder to access all the functionalities of the application.3.b. Communicate to the User/Cardholder the status of his/her account and information related to his/her card | Last Name, first name, e-mail address, telephone number of the Users/Cardholders Order tracking and history | Performance and access to the services of the contract, Terms & Conditions of use of mobile app | The personal data contained in the personal profile made available to Users/Cardholders are kept for as long as the profile is active, plus 13 months from the deactivation of the mobile app account |
4. Ensuring the validity of transactions related to the use of the card | Payment card data, purchase history and transaction details, account balance. | Performance and access to the services of the contract, Terms & Conditions of use of card and Terms & Conditions of mobile app. | 6 years from the receipt/collection of the data. |
5. Assist and manage user requests through mobile app | Last Name, first name, e-mail address, telephone number and information about the Users/Cardholders' requests | Performance and access to the services of the contract, Terms & Conditions of use of card and Terms & Conditions of the app. | 6 years from the creation of the personal account in the mobile app. |
6. Assist and manage user requests | Last Name, first name, e-mail address, telephone number, oral and written dialogues of the Users/Cardholders | Consent of the data subject(forrecording the communication) | 1 year from the relevant communication |
7. Data analysis, audit, control and fraud prevention | Last name, first name, e- mail address, beneficiary ID/User/Cardholder | Up Hellas' legitimate interest in carrying out audits and internal controls and fraud prevention controls | 6 years from the receipt/collection of the data |
8. Identifying usage patterns | Data stripped of any information that directly or indirectly identifies a person | Up Hellas’ legitimate interest in the efficient management and development of its business | 6 years from the receipt/collection of the data |
9.Transmit data relating to purchase histories and transaction details to the Customer. | Transaction data | Performance and access to the services of the contract, Terms & Conditions of use of card and Terms & Conditions of the app. | 6 years from the receipt/collection of the data. |
The data will not be used for automated decision making or profiling.
8. DATA RECIPIENTSPersonal data is processed by Up Hellas's internal departments, by persons authorized to have access to it. The processing conditions are regulated, and each employee is made aware of the handling of personal data. The data may be transmitted to other companies of the Up Group involved in the provision of the Products or Services(based on the legitimate interest in ensuring efficient management of the group). Up Hellas uses external service providers to provide the Products and Services offered to its Clients, Users/Cardholders and Partners, in particular card manufacturing and delivery, transaction authorization, data hosting, security and call centers, the online shop. These companies may be subcontractors of Up Hellas within the meaning of the GDPR or may be data controllers within the meaning of the GDPR. Personal data may be transferred to these service providersfor the sole purpose of providing a service to Up Hellas. Up Hellas ensures that its subcontractors have put in place technical and organizational measures to ensure the protection of the data processed. In addition, in accordance with the regulations in force, personal data may also be transmitted to the competent authorities on request, and in particular to public bodies, judicial officers, legal representatives, and bodies responsible for collecting debts, exclusively to meet legal obligations, as well as in the case of the search for the perpetrators of offences (on the legal basis of the fulfilment of legal obligations or on the basis of Up Hellas's overriding interest in the defense of its legitimate rights)
9. DATA TRANSFERS OUTSIDE THE EUROPEAN UNIONThe personal data processed by the Data Controller is processed exclusively within the European Union or the European Economic Area.
10. RETENTION PERIODSThe data are kept forthe periods mentioned in Article 6, depending on the processing carried out. Some data may be retained for an additional period of time necessary to meet Up Hellas's legal or regulatory obligations or for the purpose of exercising Up Hellas's legal rights. Beyond these periods,some anonymized data may be kept for archiving orstatistical purposes
11. RIGHTS OF THE PERSONS CONCERNEDEach data subject hasthe right to access, rectify, delete, limit, oppose, port his or her data, or withdraw his or her consent under the conditions and within the limits provided for by the General Data Protection Regulation. The person concerned may also define the directives relating to the fate of his or her data after his or her death in accordance with Article 85 of the Data Protection Act. Furthermore, the data subject may exercise his/her rights at any time by contacting the DPO of Up Hellas at the contact details given in Article 3. In the interest of confidentiality and protection of personal data, Up Hellas may ask the person concerned to enclose a copy of an official identity document, such as a valid identity card or passport, in support of his/her request. All requests will be processed assoon as possible and in accordance with applicable law. In some cases, personal data may only be deleted after a certain period of time imposed by applicable regulations and statutes of limitations. In such cases, Up Hellas will retain the data until the permitted deletion date. The data subject isinformed that in the event ofrefusal to provide personal data or exercise of the right to erasure, restriction or objection, in cases where the personal data are necessary for the purposes described in Article 6 of this Policy (except as expressed in relation to Articles 6.2 and 12), Up Hellas may have to suspend or discontinue in whole or in part the provision of the Products and Services to the data subject or to the person on whose behalf the data subject acts. In the event of a dispute regarding the use of his or her data, the data subject has the right to lodge a complaint through a special web portal to the Hellenic Data Protection Authority (Athens, 1-3 Kifissias Avenue, PC 115 23 | tel: +30 210 6475600). Detailed instructions for filing a complaint are provided on the website of the Hellenic Authority. For any information concerning the processing of personal data by Up Hellas, please contact our DPO:
Any recipient of commercial communications from Up Hellas may choose to unsubscribe at any time, even if he or she has previously expressed a different choice, either by clicking on the unsubscribe link in such communications or by setting up his or her choices differently in his or her personal online space.
13. COOKIESA cookie is a computer file that does not directly identify the person concerned but stores on their computer and/or equipment information relating to the pages consulted, the date and time of the consultation, the information entered and retained to avoid subsequent entry. Cookies are used by Up Hellas in the manner set out in its Cookie Policy, which is available on the various sites concerned and at the following link: https://www.uphellas.gr/en/document-center
14. UPDATEUp Hellas updated on 04.03.2024. The data subject will be informed of the change by any means, such as e-mail or notification on the Up Hellas website.