General Privacy Policy

Latest update: December 24th, 2019

You may download the file in PDF format here.

Thank you for using our products and services (hereinafter referred to as the “Services”). The Services are provided by the company under the corporate name “Societe Anonyme for the Management & Operation of Networks for Electronic Transactions Cardlink” and with the distinctive title “CARDLINK S.A.”, having its registered seat at Irakleio of Attica, 41-45 Marinou Antipa Str., with Tax Registration Number 999265069, Tax Offices FAE of Athens (hereinafter “Cardlink”).

The present Privacy Policy aims to inform you about the data “Cardlink” collects through its Services and websites, how it uses such data, as well as to inform you about your respective rights (hereinafter the “Privacy Policy”).

  1. Data Contoller – Data Protection Officer (DPO)

 Cardlink, having its registered seat at Irakleio of Attica, 41-45 Marinou Antipa Str., with Tax Registration Number 999265069, Tax Offices FAE of Athens, tel.: +30 210 630 3000, e-mail: info@cardlink.gr, website: https://cardlink.gr/, would like to inform you that, for the purposes of its business activities, it processes personal data of its customers, according to the applicable national legislation and the General Regulation no. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter GDPR), as it applies.

For any issue regarding the processing of personal data, you can contact Mrs. Eleni Aggloupa directly, by calling: +30 211 106 9711, or by sending an e-mail to the address: dpo@cardlink.gr, with subject line “Attention: DPO”.

  1. Information we collect

The personal data that Cardlink collects and processes are limited to the absolutely necessary and appropriate for the fulfillment of our purposes and can be summarized as follows. The personal data collected can be divided into two categories:

A. Personal data that you provide to Cardlink:

While providing its Services, Cardlink may collect data, such as name and/or corporate name, address, telephone number, tax registration number, e-mail address, comments and observations, data related to the means of payment (i.e. credit card numbers etc.), transactional details and/or other information, under the condition that such data were requested and voluntarily submitted by you per Service.

B. Personal data collected by other sources:

Cardlink may collect the aforementioned data from third-party contractors or from the cooperating banks, provided that they were lawfully collected pursuant to an agreement or an existing relationship between you and such third party and that you were duly informed that data that concern you may or will be transferred and/or notified to third parties, such as our company.

In cases where Cardlink collects data from other sources and has not received it from you as a data subject, for the purpose of fulfilling its legitimate interests in protecting the credibility of transactions, and the implementation of appropriate pre-contractual measures with prospective clients, it is possible  to request relevant data from sources such as Banks, as well as from other public sources such as the Business Registry, FEK, TEIRESIAS and – where appropriate – the Internet.

The personal data processed by Cardlink are stored in hardcopies or/and electronic form.

Please note that with respect to the personal data collected directly from you as customers, you must notify Cardlink of any change to your data without delay, as well as respond to potential requests for updates, otherwise Cardlink is entitled to seek such data in any lawful means.

  1. Purposes of processing

Cardlink processes and uses the personal data it collects and/or are provided by you, for the following legitimate purposes:

– In order to provide the Services which you assign and anticipate to receive from Cardlink, to duly perform our agreements with third parties, such as the banks for any products, services or transactions you request and consequently in order to comply with our contractual obligations, to prove and manage your orders, for after-sale support, in order to be able to communicate with you regarding any orders placed and in general where such processing is reasonably necessary, or required for the compliance with the legal or regulatory provisions, the resolution of disputes, the prevention of fraud and abuse and/or the imposition of terms and conditions. Cardlink may also use your personal data for your registration to its website and the provision of services associated with such website (i.e. for the processing of queries regarding Cardlink’s products and/or services), for the assessment and analysis of the market, customers, products and  services provided by Cardlink (i.e. for submitting questions in order to be provided with your personal opinion with respect to our products and services, conducting customer surveys), for tracking, reviewing and improving our products and services, for the creation and development of a centralized system of reporting and for the statistical analysis of your transactions and the development and retention of internal records.

– For the preservation and protection of the legal interests, both of your and Cardlink’s. In this context, we also use closed circuit television system (CCTV) and security cameras in order to be able to protect the safety of all natural persons, materials, equipment, as well as of our facilities. We also use special security software aiming at tracking and preventing malicious actions. For more information on processing of personal data and the use of surveillance systems visit our Special Privacy Notice on CCTV systems. In particular, while you are visiting our electronic websites, we use information, i.e. IP address, location data, genre of users’ devices, in order to track and/or to prevent frauds and/or abuses of our website.

Additionally, where necessary, Cardlink uses every lawful means to substantiate our legal claims and claim our claims. We are conducting research on the quality of our services in order to continually improve them and fully meet your needs.

–  For purposes of carrying out the obligations and exercising specific rights imposed under the provisions of the tax or payment systems related legislation

– For the purposes of communicating with you and presenting our products and services. Provided that you have given your consent and always in compliance with our legal obligations, Cardlink may send you and advertising message and ask you, should you wish to do so, to fill in a form declaring your interest, in order to contact you.

Under no circumstances does Cardlink collect or process a greater number of information or data than it is required to fulfill the processing purposes or personal data which are not relevant to processing purposes.

  1. Legal bases for the processing of your personal data

Cardlink processes your personal data, only when there is a legal basis for the processing:

  1. a) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;b) Processing is necessary for the purposes of Cardlink’s legitimate interests, which could include the safety of the persons and of the premises by using CCTV, the safety of information and network, IT support and the conduct of research for the improvement of the quality of our services, the establishment, exercise and support of legal claims, the development of our business activities in general, the credibility and safety of transactions, as well as the marketing practices towards you.
  2. c) Processing is necessary for Cardlink’s compliance with legal obligations which may include, in particular, Labor and Tax law, Law 2190/1920 as amended by Law 4548/2018, the provisions of the Code of Civil Procedure, as well as the law on the prevention and suppression of money laundering and terrorist financing as further specified in the framework of Law 4557/2018.
  3. d) The data subject has given consent to the processing of his or her personal data for the purposes of receiving notifications for products, services, offers sometimes personalized based on your preferences, either by Cardlink or by third co-operating companies which process your personal data.
  4. Retention period for personal data

Cardlink shall retain personal data collected for the above purposes for the period necessary for each particular processing. Τhe period for which the personal data shall be stored is determined based on the particular criteria set below on a case-by-case basis:

– When processing is performed on the basis of execution of a contract, personal data shall be stored for as long as it is necessary for the performance of the contract and the establishment, exercise and/or support of legal claims possibly arising from such contract.

– We will retain the data of your Cardlink account for so long as you are using such account and you do not require its deletion.

– Any data provided by you to Cardlink for the provision of its Services shall be retained for so long as it is necessary for the provision of its Services.

-Should it be reasonably necessary for compliance with the legal or regulatory provisions, the resolution of disputes, the prevention of fraud and abuse and/or the imposition of terms and conditions, Cardlink may retain your data, as required, even after the expiry of your account or even if it is not required for the provision of its Services.

– When processing is imposed as an obligation by provisions of the applicable legal framework, personal data shall be stored for as long as it is required by the relevant provisions.

  • For the purposes of promoting products and services (marketingactivities), your personal information shall be stored until your consent is withdrawn. You are free to withdraw your consent any time. Withdrawal of consent does not affect the legitimacy of the processing that was based on consent, during the period prior to its withdrawal.
  1. Transfer of personal data to third parties

Cardlink allows access to your personal data to members of its personnel (to the extent that this is necessary for the performance of their duties) and to companies providing systems and operations which are essential to Cardlink in order to provide its Services to you and to other customers, such as the cooperating banks. Such companies provide Cardlink with systems for the processing of transactions, call centers for customer service, software development services relating to its Services, services for the installation and management of POS terminals, marketing services as well as other ancillary services that may include customer-supplier management systems, courier and cloud services. We would also like to inform you that our employees, who process your personal data, treat it with the strictest confidentiality, possess an adequate and significant level of knowledge on data protection and are bound by confidentiality clauses or are under a regulatory obligation for confidentiality. If you are a holder of a Cardlink electronic account, we may provide access to your personal data, only for the purposes expressly notified to you on a Service-specific basis and described in the present Privacy Policy and to the extent that such provision of access is necessary, to companies which provide us with online services and applications which are interconnected with our Services and are exclusively used for providing you with better customer services, for responding to your queries and for improving your overall experience when using your Cardlink electronic account. In such cases, Cardlink has ensured that the processors, performing the processing on its behalf, provide sufficient reassurance that the appropriate technical and organizational measures shall be implemented, so that the data processing is in accordance with the protection of your rights. Cardlink may also disclose your personal information to external partners, lawyers, law firms, consulting companies, debtors’ information companies, in order for them to handle and resolve any critical case. In addition, Cardlink may share your information with relevant services, law enforcement agencies and other third parties, within the frame of their jurisdiction and where permitted by law.

  1. Transfer of personal data to third countries

Please also note that Cardlink might be required to transfer data that concern you within and outside the EU in order to provide its Services in the most efficient way and only for purposes notified on a Service-specific basis and described in the present Privacy Policy, i.e. in cases where third parties that provide Cardlink with systems and operation services maintain an establishment in or provide their services to Cardlink from third countries. Under any circumstances, we shall comply with our legal personal data protection obligations; we shall assess the level of personal data protection compliance of our sub-contractors pursuant to the requirements of the applicable legislation on the protection of personal data; and we shall conclude special written agreements in order to ensure that processing is carried out in accordance with the applicable legal framework and that the level of protection is the same or higher than the level accorded by the EU data protection legislation.

Reasons for transferring your personal data may be that there are appropriate safeguards applicable to each case of recipient, such as European Commission’s adequacy decisions or standard contractual clauses as approved by the European Commission and applicable at each time. In the absence of the above, the data transfer shall be based on specific situations, in accordance with the provisions of the General Regulation. Additionally, in some cases, the transfer may be based on the foundation, exercise or support of legal claims, or where the transfer is required by a court decision, administrative authority or international agreement or the legitimate interests of Cardlink. In any case, Cardlink ensures that there is an appropriate level of protection and that the data transfer is legal.

  1. Information security

Cardlink has adopted and currently applies all appropriate technical and organizations measures in order to safeguard the security of the Services provided, as well as the confidentiality of the information stored in its Services.

Accessing Cardlink Services depends on your own initiative, not on the initiative of Cardlink. As such, you are responsible for acquiring and maintaining the necessary equipment (i.e., personal computer), software, telecommunication equipment and other services potentially required for gaining access to Cardlink Services, websites and platforms.

You undertake to safeguard and to protect your computer and systems from viruses and other malicious software.

To the extent possible, Cardlink has adopted all appropriate security measures in order to protect its websites from viruses and other malicious software. Cardlink controls access to its website through the use of security systems that aim to prevent attacks and other unauthorized actions taken against its websites. Under any circumstances, Cardlink cannot guarantee that the content of the website through which it provides its Services is free from viruses, errors and other damaging data and/or information and as such, Cardlink is not responsible for any damage caused to users, their software, documents or files, or for any damage in general that users might suffer due to the above. In any case, the function of the Internet and the fact that it is accessible by anyone, does not permit to guarantee that unauthorized third parties will never be able to violate the technical and organizational measures applied, by gaining access and possibly using personal information for unauthorized and / or unlawful purposes.

  1. Use of Cookies

Our website uses cookies in order to enable your access to our Services. One of the main purposes for the use of cookies is to save your preferences and other information to your personal computer in order to save time, since you will not need to re-submit the same or identical information each time you use our website, as well as in order to personalize your experience, to customize content and to provide advertisements that may be of interest to you when visiting our website.

You may accept or reject cookies; please note, however, that the rejection of cookies might affect the accessibility and use of Cardlink Services. Should you wish to disable cookies, you may do so by changing your web browser setting(s). Please note that disabling cookies may prevent you from logging-in, accessing or using certain interactive parts of the Services that require cookies.

We will ask you to provide us with your consent in order to use cookies, i.e. Google Analytics cookies. Further information on how Google processes your personal data through Google Analytics can be found in the web link below: https://policies.google.com/privacy/update#infocollect .

  1. Third Party websites

Our website may contain links to other websites operated by external third parties, while websites operated by external third parties may contain links to our website. Cardlink takes all necessary measures in order to ensure that its website is only linked to websites of external third parties which maintain and enforce the same standards and criteria on privacy and personal data protection. In any case, Cardlink bears no responsibility for the privacy and/or personal data protection practices adopted in third party websites insofar as you have left the present website. Cardlink suggests that you cautiously review any applicable terms and personal data protection policies of such websites.

  1. Transfer of personal data to debtor informing companies

In case you have entered into an agreement with Cardlink relating to any of its Services for the provision of which you have undertaken the obligation to pay a respective fee and your corresponding debt to Cardlink becomes overdue and fails to be settled, we do hereby inform you that your contact details and other information on your debt will be notified and transferred to a debtor informing company for non-performing obligations so that such company proceeds to informing you respectively on the status of your debt pursuant to the provisions of L. 3758/2009, as amended and in force. In case your personal data are inaccurate, you should immediately inform Cardlink to the contact details referred to in paragraph 10 of the present Policy.

  1. Voice recordings

We would like to inform you that in order to efficiently manage your requests for the performance of our contractual relationship, any phone conversations between you and authorized representatives of Cardlink shall be recorded. Such recordings are retained for an appropriate period of time, as such period is determined according to applicable legislation and relevant decisions of the Greek Data Protection Authority. It should be specified, however, that not all phone calls with third party enterprises are recorded, i.e. phone calls initiated from our offices are not recorded. More specifically, the recording of telephone conversations takes place in the context of the development of a particular relationship, in order to provide evidence of professional contact. In this case, we will inform you in advance that our call will be recorded, as well as on the purpose of this recording.

  1. Profiling – Automated individual decision- making

Cardlink does not make decisions based solely on automated processing of personal data and does not conduct profiling. Your rights in relation to your personal data

Right to information and access: You have the right to be informed and to have access to your personal data and to receive additional information concerning their processing. You may exercise the right to be informed, as well as the right to access your personal data here.

Right to rectification: You have the right to obtain the correction, amendment, completion and update of your personal data. Moreover, you have the right to be informed on the recipients of your data. You may exercise the right to rectification here.

Right to erasure (right to be forgotten): You have the right to obtain from Cardlink the erasure of your personal data, in cases when such data are processed on the basis of your consent or in order to safeguard the legitimate interests pursued by Cardlink. In all other cases (i.e., when there is a contract in force, when personal data are processed for compliance with a legal obligation or for reasons of public interest), the above right of erasure is subject to specific limitations or is not applicable depending on the particular case in question. Moreover, you have the right to be informed on the recipients of your data. You may exercise your right of erasure here.

Please specify in your request the actions to which you wish us to proceed and the purpose thereof, since in case, for example, you wish to stop being contacted for advertising and promotional purposes, the appropriate action would possibly be the restriction of the processing of your personal data rather than their erasure.

Right to restriction of processing: You have the right to obtain restriction of processing of your personal data when: (a) the accuracy of the personal data is contested, for a period enabling the verification of the accuracy of the personal data; (b) the processing is unlawful and you oppose the erasure of your personal data and request the restriction of their use instead; (c) personal data are no longer needed for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims; and (d) you have objected to processing pending the verification whether the legitimate grounds of Cardlink override those of you as the data subject. Moreover, you have the right to be informed on the recipients of your data. You may exercise your right of restriction of processing here.

Right to object: You have the right to object any time to processing of your personal data, when processing is necessary for the purposes of the legitimate interests pursued by the controller or in case personal data are processed for direct marketing purposes and profiling. You may exercise your right of objection here.

Right to data portability: You have the right to receive without any cost accrued your personal data in a structured, commonly used and machine-readable format, as well as the right to obtain the transmission of those data to another controller, provided that it is technically feasible. This rights concerns the personal data that you have directly provided to Cardlink and the processing of which is carried out by automated means based on your consent or in performance of a relative contract. You may exercise your right to data portability here.

Right to withdraw your consent: You have the right to withdraw your consent to the extent it was given for the intended processing, at any time. You may exercise your right to withdraw your consent by sending an e-mail to the e-mail address dataprotection@cardlink.gr with subject line “Personal Data – Withdrawal of Consent”.

In case you wish to directly contact the Data Protection Officer (Cardlink DPO), you may address Mrs. Aggloupa Eleni by calling the telephone number: +30 211 1069711 or by sending an e-mail to dpo@cardlink.gr  with subject line “Attn: DPO”.

In the aforementioned cases, we shall make all possible efforts to respond to your request within thirty (30) days of its submission. This deadline may be extended for an additional sixty (60) days, if necessary, taking into account the complexity of the request and the number of requests, so Cardlink shall notify you within the said thirty (30) day deadline.

  1. Right to lodge a complaint before the Greek Data Protection Authority

The natural person the personal data of whom is processed by Cardlink has the right to lodge a complaint to the Greek Data Protection Authority (www.dpa.gr), Tel: +30 210 6475600, Fax: +30 210 6475628, E-mail address: complaints@dpa.gr.

  1. Changes to Privacy Policy

Information regarding Cardlink’s Privacy Policy reflects the current status of data processing on our website. In the event of changes to the data processing, such information about data protection shall be updated accordingly. Our website shall always have the most up-to-date version of this data protection information, so as to keep you informed about the scope of data processing on our website. We recommend that you always be aware of how we process and protect your personal information. All future changes to this Privacy Policy shall be made known in advance, before these changes are put into force.

You may download the file in PDF format here.