The Cyprus Development Bank Public Company Limited (referred to as ‘we’, ‘us’, ‘our’, ‘cdbbank’ or the ‘Bank’) is committed to protecting your privacy and handling your personal data in an open and transparent manner. The personal data that we collect and process will vary depending on the product or service we provide to you.
This privacy statement:
- provides an overview of how cdbbank collects and processes your personal data and tells you about your rights under the EU General Data Protection Regulation (‘GDPR’) and any law supplementing or implementing the GDPR;
- is directed to natural persons who are: (a) current or potential customers of the Bank, and/or (b) authorised representatives/agents, officers, signatories or beneficial owners of legal entities or of natural persons which/who are current or potential customers of the Bank;
- is directed to natural persons who had such a business relationship with the Bank in the past;
- is directed to natural persons who are guarantors or have provided any type of security to the Bank in relation to the obligation of a customer of the Bank, and
- is directed to visitors of our website, namely cdb.com.cy (the “Website”) .
For the purposes of this privacy statement:
- when we refer to “personal data” or “personal information” we mean data which identifies or may identify you and which may include, for example, your name, address, identification number, telephone number, date of birth, occupation and family status;
- when we refer to “processing” we mean the handling of your personal information by us, including collecting, protecting and storing your personal data;
- when we refer to “sensitive personal data” we mean personal data which may reveal information about your racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, genetic or biometric data.
1. Who we are
cdbbank is a licensed credit institution registered in Cyprus under registration number HE1148 as a public limited liability company having its registered office and head offices at 50, Arch. Makarios III Avenue, P.O. Box 21415, CY-1508, Nicosia.
If you have any questions, comments and/or requests regarding this privacy statement or wish to obtain more details in relation to the personal information we process about you, please contact our Data Protection Officer at 50, Arch. Makarios III Avenue, CY-1508, Nicosia, Cyprus, P.O. Box 21415, or send us an email at email@example.com.
2. How we collect your personal data
- We obtain your personal data mainly through any information you provide directly to us in person or via your representatives/agents or through our website, either in the context of our business relationship or when you wish to contact us to raise a question. We may also collect your data through information provided by third parties or other entities within the Cyprus Development Bank Group (the “Group”). Below is a list of ways in which we collect your data. Personal data collected directly from you, including:
- when you apply for our products or services;
- when you contact us for an enquiry, complaint or for any other reason;
- when you use our branches, telephone services, websites or mobile applications; and
- when you use and manage your accounts.
- Personal data collected from other sources, including:
- your authorised representative;
- other organisations or people with which you may have a relationship such as joint account holders or your employer;
- other entities within the Group;
- third parties who provide services to you or us, credit reference agencies, fraud prevention or government agencies, and other banks;
- publicly available sources, such as the Department of Registrar of Companies and Official Receiver, the press and media and online search engines.
3. If you fail to provide personal data
Where we need to collect personal data in order to provide you with the services you have asked us for or to process your instructions or to comply with our legal obligations and you fail to provide that data when requested, we may not be able to provide you with the services you have asked us for or carry out your instructions. In this case, we may have to cancel the engagement we have with you, but we will notify you if this is the case at the time.
4. What personal data we collect and process
We collect and process various categories of personal data at the start of, and for the duration of, your relationship with us. We will limit the collection and processing of information to information necessary to achieve one or more of our legitimate purposes as identified in this privacy statement. Personal data may include the following:
Types of Personal Data
Examples of Personal Data
Identity and Contact Details
Your name, where you live, how to contact you and how to verify your identity. For example telephone number, home address, work address, email address, date of birth, fax number, passport number and identity card number.
Details about your work, job title and function, nationality, education, marital status, social security number and tax status.
Your personal wealth, proof of income, assets and liabilities, financial position and credit and borrowing history.
Details about payments to and from your accounts with the Bank, expenditure and tax information and direct debit data.
Details about the products or services we provide you with.
Details about how you use our products and services, including your online activity behavior, based on your interaction with us and our websites and applications including any searches, site visits and spending patterns.
Details on the devices and technology you use including your Internet Protocol (IP) address, smart device information, location coordinates, online and mobile banking security authentication, mobile phone network information.
How and what methods we use in order to communicate with you through formal and verbal correspondence.
Open Data and Public Records
Details about you that are in public records and information about you that is openly available on the internet.
Physical Access Data
Visual images and personal appearance, including CCTV images.
Other data about how you use our products and services.
Any permissions, consents or preferences that you give to the Bank. This includes things like how you want the Bank to contact you, whether you get paper statements.
We may also process certain sensitive personal data for specific and limited purposes. Such data may include information about racial and/or ethnic origin.
5. Children’s data
We understand the importance of protecting children's privacy. We may collect personal data in relation to children only provided that we have first obtained their parents’ or legal guardian’s consent or unless otherwise permitted under applicable law. We do not provide any online services to children but we may allow children, with their parents’ or legal guardian’s consent, to become subscribers of cdbbank’s e-Banking (the Bank’s online banking system) in order to view their account balances. For the purposes of this privacy statement, “children” are individuals who are under the age of eighteen (18).
6. Why we need your personal data
We will only use and share your information where it is necessary for us to carry out our lawful business activities. Most commonly, we will use your personal data for one or more of the following reasons:
a. For the performance of a contract
We may process your personal data where it is necessary in order to enter into a contract with you for the provision of our products or services or to perform our obligations under that contract. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you. This may include processing to:
- perform engagement acceptance procedures for products or services;
- provide and administer those products and services throughout your relationship with the Bank, including opening, setting up or closing your accounts or products, collecting and issuing all necessary documentation, executing your instructions, processing transactions, including transferring money between accounts, making payments to third parties, resolving any queries or discrepancies and administering any changes;
- manage and maintain our relationships with you and for ongoing customer service;
- administer any credit facilities or debts, including agreeing repayment options;
- communicate with you about your account(s) or the products and services you receive from us.
The purpose of processing personal data depends on the requirements for each product or service and the contract terms and conditions provide more details of the relevant purposes.
b. For compliance with a legal obligation
There is a number of legal obligations emanating from the relevant laws to which we are subject as well as statutory requirements including among others the Cyprus Banking law, the Prevention and Suppression of Money Laundering and Terrorist Financing Law, the Cyprus Investment Services Law, Tax laws, the Law on Deposit Guarantee and Resolution of Credit and Other Institutions Scheme and the Payment Services and Access to Payment System Law. There are also various supervisory authorities whose legislative instruments are binding on us including the European Central Bank, the European Banking Authority, the Central Bank of Cyprus and the Cyprus and Securities Exchange Commission. Such legal obligations require us to carry out certain data processing activities for credit checks, identity verification, compliance with court orders, tax law or other reporting obligations and anti-money laundering controls.
c. For the purposes of safeguarding legitimate interests
In some cases, we may process personal data so as to safeguard and pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights are not overridden by our interests. For example, we may process your personal data in order to:
- protect our legal rights and interests (initiating legal claims and preparing our defence in litigation procedures);
- monitor, maintain and improve internal business processes, information and data, technology and communications solutions and services;
- ensure network and information security, including monitoring authorised users’ access to our information technology for the purpose of preventing cyber-attacks, unauthorised use of our telecommunications systems and websites, prevention or detection of crime, asset security, admittance controls, anti-trespassing measures and protection of your personal data;
- ensure business continuity and disaster recovery and responding to information technology and business incidents and emergencies;
- manage and monitor our properties, offices and branches by setting up CCTV systems, for the purpose of crime or fraud prevention and prosecution of offenders, for identifying accidents and incidents and emergency situations and for internal training;
- provide assurance on Bank’s material risks and reporting to internal management and supervisory authorities in whether the Bank is managing them effectively;
- perform general, financial and regulatory accounting and reporting;
- share your personal data within the Group for the purpose of updating / verifying your personal data in accordance with the relevant anti-money laundering compliance framework;
- conduct cdbbank Group risk management;
- transfer, assign (whether outright or as security for obligations) and / or sell to one or more persons (including the Central Bank of Cyprus) of and / or charge and / or encumbrance over, any or all of the Bank’s benefits, rights, title or interest under any agreement between the customer and the Bank;
- identify new business opportunities and develop enquiries and leads into applications or proposals for new business and to develop our relationship with you;
- understand our customers’ actions, behavior, preferences, expectations, feedback and financial history in order to improve our products and services, develop new products and services, and to improve the relevance of offers of products and services by the Group;
- monitor the performance and effectiveness of products and services;
- assess the quality of our customer services and provide staff training;
- perform analysis of the customers’ complaints for the purposes of preventing errors and process failures and rectifying negative impacts on customers;
- compensate customers for loss, inconvenience or distress as a result of services, process or regulatory failures;
- trace debtors and recover outstanding debt;
- to check the Website and our other technology services are being used appropriately and to optimise their functionality;
- carry out financial, credit and insurance risk assessments; and
- manage and take decisions about your accounts.
d. You have provided your consent
We will only ask for your consent when we wish to provide marketing information to you in relation to our products or services which we believe may be of interest and of benefit to you.
You have the right to revoke consent at any time. However, any processing of personal data prior to the receipt of your revocation will not be affected.
7. Sensitive personal data
We will only process your sensitive personal data for specific and limited purposes, such as detecting and preventing financial crime or to make our services accessible to customers. We will only process sensitive personal data when we have obtained your explicit consent or are otherwise lawfully permitted to do so.
8. Who we share your personal data with
In the course of the performance of our contractual and statutory obligations, your personal data may be provided to various departments within the Bank but also to other companies of the Group. Various service providers and suppliers may also receive your personal data in order to assist us in carrying out our business obligations and meeting our business needs. Such service providers and suppliers enter into contractual agreements with the Bank by which they observe the confidentiality and data protection of the information we provide to them according to applicable data protection laws including the GDPR.
It must be noted that we may disclose data about you for any of the reasons set out hereinabove, or if we are legally required to do so, or if we are authorised under our contractual and statutory obligations. All data processors appointed by us to process personal data on our behalf are bound by contract to comply with the GDPR provisions which are relevant to them. Under the circumstances referred to above, recipients of personal data may be, for example:
- Supervisory and other regulatory and public authorities around the world, in as much as a statutory obligation exists. Some examples are the Central Bank of Cyprus, the European Central Bank, the income tax authorities and law enforcement authorities;
- Other credit and financial institutions such as correspondent banks and the European Investment Fund;
- Share and stock investment and management companies;
- Valuators and surveyors;
- Non-performing loan management companies;
- Debt collection agencies;
- Credit reference agencies, such as Artemis Bank Information Systems Limited;
- External legal consultants;
- Financial and business advisors;
- Auditors and accountants;
- Marketing companies and market research companies;
- Companies which assist us to provide you with debit cards;
- Card Associations;
- Card payment processing companies;
- Fraud prevention agencies;
- File storage companies, archiving and/or records management companies and cloud storage companies;
- Companies who assist us with the effective provision of our services to you by offering technological expertise, solutions and support and facilitating payments;
- Purchasing and procurement and website and advertising agencies;
- Rating agencies;
- Potential or actual purchasers and/or transferees and/or assignees and/or charges (including the Central Bank of Cyprus) of any of the Bank’s benefits, rights, title or interest under any agreement between the customer and the Bank, and their professional advisors, service providers, suppliers and financiers; and/or
- Other agents working on our behalf from time to time.
If you ask us to, we will share information with any third party that provides you with account information or payment services. If you ask a third-party provider to provide you with account information or payment services, you are allowing that third party to access information relating to your account. We are not responsible for any such third party’s use of your account information, which will be governed by their agreement with you and any privacy statement they provide to you.
In the event that any additional authorised users are added to your account, we may share information about the use of the account by any authorised user with all other authorised users.
The Bank will not share your information with third parties for their own marketing purposes without your consent.
9. Transferring your personal data to a third country or to an international organisation
The Bank will only send your personal data to a country outside the EEA (a “third country”):
- If this is required for the execution of your orders (for example, when payments are made to a person in a third country, or for payment orders through a correspondent bank in a third country, such as dollar payments);
- if this is prescribed by law ;
- if you have given the Bank your consent; or
- in the context of data processing undertaken by third parties on behalf of the Bank and according to the Bank’s instructions.
If the Bank does send your personal data to a third country, the Bank will make sure that your personal data is protected in the same way as if it was being used in the EEA. The Bank will use one of these safeguards:
- Send it to a third country with privacy laws that give the same protection as the EEA, as certified by an adequacy decision of the European Commission. Learn more about this on the European Commission website.
- Put in place a contract with the recipient that they must protect it to the same standards as applicable in the EEA. If we issue a debit card to you, we may send limited personal data to Lebanon, strictly for the purposes of the issuance of the debit card. We will ensure that the transfer of your data is secure and that appropriate safeguards are in place through contractual clauses with the recipient of the data.
- Transfer it to organisations in the USA that are part of the Privacy Shield. This is a framework that sets privacy standards for data sent between the USA and EEA countries. It makes sure the standards are similar to what is used within the EEA. Learn more about this on the European Commission website.
- Transfer it to organisations that comply with binding corporate rules, or an approved code of conduct or certification mechanism that requires its protection to the same standards as applicable in the EEA.
10. Automated decision-making and Profiling
In establishing and carrying out a business relationship, we generally do not use any automated decision-making. However, we may process some of your data automatically, with the goal of assessing certain personal aspects (profiling), in order to enter into or perform a contract with you or where we are required by law to do so, in the following cases:
- data assessments (including on payment transactions) are carried out in the context of combating money laundering and fraud. An account may be detected as being used in a way that is unusual for you or your business. These measures may also serve to protect you.
- credit scoring is used as part of the assessment of your creditworthiness. This calculates whether you or your business will meet your payment obligations pursuant to a contract. This helps us make responsible lending decisions that are fair and informed.
11. Marketing information
We may process your personal data so as to inform you about products, services and offers that may be of interest to you or your business.
The personal data that we process for this purpose consists of information you provide to us and data we collect and/or infer when you use our services, such as information on your transactions. We study all such information to form a view on what we think you may need or what may interest you. In some cases, profiling is used, i.e. we process your data with the aim of evaluating certain personal aspects in order to provide you with targeted marketing information on products and/or services.
We can only use your personal data to promote our products and/or services to you if we have your explicit consent to do so or, in certain cases, if we consider that it is in our legitimate interest to do so.
You have the right to object at any time to the processing of your personal data for marketing purposes, by contacting your personal banker at any time or any branch of the Bank either in person or in writing or by clicking on the option to opt out of receiving marketing information in any future marketing communication.
Even if you inform us that you no longer wish to receive marketing material, you will still receive other important information from us from time to time, such as changes to your existing products or services.
We may ask you to confirm or update your choices, if you purchase any new products or services from us in the future. If you change your mind you can update your choices at any time by contacting your personal banker or any branch of the Bank either in person or in writing.
12. How long we keep your personal information for
By providing you with products and/or services, we create records that contain your information, such as customer account records, activity records, tax records and lending and credit account records. Records can be held on a variety of media (physical or electronic) and formats.
We will keep your personal data for as long as we have a business relationship with you (as an individual or in respect of our dealings with a legal entity you are authorised to represent or are beneficial owner, signatory or officer). Once our business relationship with you has ended, we may keep your personal data for up to ten (10) years in accordance with guidance 1/2017 and 2/2017 of the Data Protection Commissioner (http://www.dataprotection.gov.cy). After the expiration of the ten (10) year retention period, the Bank will erase and/or destroy your personal data via secured procedures. Following the completion of the aforementioned secured procedures, the recovery of your personal data with technical and/or other means will not be possible. We may keep your data for longer than ten (10) years if we cannot delete it for legal, regulatory or technical reasons. For example, the Bank may keep your data for such longer periods as is necessary to preserve evidence for legal or other proceedings which have not yet come to a conclusion. If we do so, we will make sure that your privacy is protected and that your data are only used for those purposes.
For prospective customer personal data (or authorised representatives/agents or beneficial owners of a legal entity that is a prospective customer) we shall keep your personal data for six (6) months from the date of notification of the rejection of your application for banking services and/or facilities or from the date of withdrawal of such application, as per guidance 1/2017 and 2/2017 of the Data Protection Commissioner (http://www.dataprotection.gov.cy).
13. Your data protection rights
We want to make sure you are aware of your rights in relation to the personal data we process about you. We have described those rights and the circumstances in which they apply further below.
You have the following rights in terms of your personal data we hold about you:
- Receive access to your personal data. This enables you to receive access or receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data we hold about you. If you believe that any of the information that we hold about you is inaccurate or incomplete, you have a right to request that we correct the inaccurate personal information.
- Request erasure of your personal information. You may request that we delete your personal information if you believe that:
- we no longer need to process your information for the purposes for which it was provided;
- we have requested your permission to process your personal information and you wish to withdraw your consent; or
- we are not using your information in a lawful manner.
Please note that if you request us to delete your information, we may have to suspend the operation of your account and/or the products and services we provide to you.
- Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you exercise your right to object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
You also have the right to object where we are processing your personal data, for direct marketing purposes. This also includes profiling in as much as it is related to direct marketing.
If you object to processing for direct marketing purposes, then we shall stop the processing of your personal data for such purposes.
Depending on the circumstances, we may need to restrict or cease processing your personal data altogether or, where requested, delete your personal information. Please note that if you object to us processing your personal data, we may have to suspend the operation of your account and/or products and services we provide to you.
- Request the restriction of processing of your personal data. This enables you to ask us to restrict the processing of your personal data, i.e. use it only for certain things, if:
- it is not accurate; or
- it has been used unlawfully but you do not wish for us to delete it; or
- it is not relevant any more, but you want us to keep it for use in possible legal claims; or
- you have already asked us to stop using your personal data but you are waiting for us to confirm if we have legitimate grounds to use your data.
Please note that if you request us to restrict processing your personal data, we may have to suspend the operation of your account and/or the products and services we provide to you.
- Request the transfer of your personal data. Where we have requested your permission to process your personal information or you have provided us with information for the purposes of entering into a contract with us, you have the right to receive the personal information you provided to us in a portable format. You may also request us to provide it directly to a third party, if technically feasible. We are not responsible for any such third party’s use of your account information, which will be governed by their agreement with you and any privacy statement they provide to you.
- Withdraw the consent that you gave us at any time with regard to the processing of your personal data for certain purposes, such as to promote our products and/or services to you and/or to process your sensitive data. We will always make it clear where we need your consent to undertake specific processing activities. Please note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn or revoked by you.
To exercise any of your rights, or if you have any other questions about our use of your personal data, please visit any branch of the Bank, or send a message through the Bank’s e-Banking service if you are a subscriber of e-Banking.
You can also contact our Data Protection Officer at firstname.lastname@example.org
We will endeavour to address all of your requests promptly.
14. Right to lodge a complaint
If you have exercised any or all of your data protection rights or otherwise feel that your concerns about how we use your personal data have not been adequately addressed by us, you have the right to complain by submitting a request to the email email@example.com.
You also have the right to complain to the Office of the Commissioner for Personal Data Protection. Find out on their website how to submit a complaint (http://www.dataprotection.gov.cy).
15. Changes to this privacy statement
This privacy statement sets out the information that the Bank must provide to you for the purposes of the GDPR which is applicable as of 25 of May 2018. Any information in relation to the processing of personal data that is included in any of the Bank’s existing circulars, manuals and associated forms on matters which are covered by this privacy statement are deemed to be superseded by the information in this notice.
We may modify or amend this privacy statement from time to time.
We will notify you appropriately when we make changes to this privacy statement and we will amend the revision date at the top of this page. We do however encourage you to review this statement periodically so as to be always informed about how we are processing and protecting your personal information.
Our website uses small files known as cookies to make it work better in order to improve your experience.