Personal Data Protection

Information for Individual Customers / Transacting Parties on the Processing of Personal Data

Pancreta Factors Single Member S.A. (hereinafter the "Company"), with the trade name Pancreta Factors S.A., headquartered at 3 Mitropoleos street in Athens, as the data controller, assures you that the protection of your personal data is of paramount importance. In accordance with Regulation 2016/679 of the EU, as amended (hereinafter the "Regulation") and other provisions of Greek and EU legislation on the protection of personal data, the Company or third parties, on its behalf, will process your personal data, either in the context of the execution of your existing contract with the Company as clients (Suppliers) or in view of the conclusion of a contract, as prospective clients (Suppliers), as well as in the context of any kind of transaction, collaboration, or relationship with it, in any capacity (e.g., as guarantors of clients-suppliers, debtors of clients-suppliers, legal representatives, shareholders, partners, beneficiaries of client's legal entities, external partners of the Company, etc.) as follows:

Which data does Pancreta Factors collect

1. Data for your identification, such as name, surname, father's name, mother's name, gender, ID details, passport details, VAT/TIN, date and place of birth and nationality.

2. Contact details, such as postal address, email address, landline and mobile phone numbers.

3. Data regarding your economic and financial status, such as profession, income, other tax and income-related details (e.g., E1 and E9 forms, tax clearance report, Single Property Tax Form (ENFIA), tax and social security status).

4. Data related to your financial obligations and any default, such as bounced checks, loan and credit contract terminations, payment orders, seizures, applications, and decisions for inclusion in pre-bankruptcy, restructuring, and bankruptcy processes.

5. Creditworthiness data, such as debts to credit and/or financial institutions from loans and/or credit lines, letters of guarantee, letters of credit, etc.

6. Credit rating data (credit profiling-credit scoring).

7. Transactional behavior data, such as:

7.1. Data from the operation of your application/contract or your applications/contracts with the Company and the use of the products or services provided to you.

7.2. Transaction data related to the assigned receivables in the context of the provided Factoring services.

8. Identification data of your electronic identity, such as the internet protocol (IP) address, and data from the use of electronic and/or digital products and services of the Company (e.g., cookies), such as location or browsing data on the internet.

9. Image data from the video surveillance systems of the Company's premises, with specific legal marking.


Additionally, we inform you that:

  • In case you provide us with personal data of third parties, you must have informed and ensured their relevant consent, where required, and have referred them to this Company's disclosure.
  • For any collection and processing of personal data of minors, which require special legal protection, the Company complies with all relevant legal requirements and terms set by the current institutional framework.
  • For any changes in the above data, you are obliged to inform Pancreta Factors in a timely manner.


* With the exception of the data mentioned in 1 and 2, which are absolutely necessary for any transactional or contractual relationship with the Company, the type and quantity of the other collected data depend on the type of relationship with the Company and the offered or provided product or service.

Where your data is collected from

The aforementioned personal data are collected from the following, as applicable, sources:

1. Identification and communication data from you, authorized persons, and/or publicly accessible sources, including freely accessible social networks or websites.

2. Economic, financial, and family status data, as well as information regarding your financial capabilities, from you, authorized persons, publicly accessible sources such as land registries, cadastres, and the Credit Bureau of "TEIRESIAS S.A." (relevant information about the Company can be found below), and freely accessible social media.

3. Data of non-payment of financial obligations (Credit Bureau) and credit scoring (Credit Scoring System) from the corresponding Company "TEIRESIAS S.A." files (relevant information about the Company can be found below), as well as from other Companies related to Law 3758/2009 and Law 4038/2012, law firms, lawyers, judicial trustees, and debt management companies for cases assigned to them by the Company.

4. Transactional data with the country's financial system from the Credit Bureau of "TEIRESIAS S.A." (relevant information about the Company can be found below).

5. Data related to the operation of your contract(s) with the Company.

6. Data related to transactions concerning assigned receivables, from you, the debtor of the assigned receivables, and/or correspondent factors located in another country, in the case of international factoring.

7. Data on payment transactions by you or payment service providers, upon your order.

8. Electronic identification data, such as Internet Protocol (IP) address, and data from the use of electronic and/or digital products and services of the Company collected from devices (e.g., mobile phones, tablets, etc.) connected to the Company's systems, through cookies and/or from publicly accessible sources, including social networks and internet service providers (such as Google, YouTube).


Additionally, we inform you about the following:

  • All the above data of the first chapter may also be collected by "PANCRETA BANK S.A." (hereinafter "PANCRETA BANK"), which maintains a parent-subsidiary relationship with "PANCRETA FACTORS S.A.," based in Heraklion Crete, 5 Ikarou Ave., 71306, and can be contacted at +30 2810338800. For the processing conducted by PANCRETA BANK and the exercise of your relevant rights, you can obtain information at the above phone number and on the website
  • The Company under the name "Bank Information Systems S.A." and the distinctive title "TEIRESIAS S.A." is responsible for processing data on financial behavior. The Company is headquartered at 2 Alamanas str., Maroussi, 151 25, Athens. For the processing of data it conducts, as well as for exercising your relevant rights, you can obtain information from its website or by contacting +30 2103676700.
  • If the processing of the above personal data is based on your consent, the Company follows the procedures provided by the applicable legal framework. In such cases, you have the right to withdraw your consent at any time without affecting the legality of the processing based on your consent before its withdrawal.
  • Personal data processed by the Company are kept in physical, digital, and/or electronic form.

Why Pancreta Factors collects your data and for what purposes they are processed

The personal data mentioned above are collected either at the beginning of your relationship with the Company or during its duration and are processed for the following purposes:

1. Identification and communication with you during pre-contractual or contractual relationships, as well as for any other transactional relationship with the Company to fulfill contractual or legal obligations.

2. Taking measures at your request before entering into the contract, the preparation and execution of the contract, and generally ensuring its smooth operation and fulfilling the Company's contractual or legal obligations towards you.

3. In the case of granting any credit (usually factoring facility) and providing factoring services, within the framework of the Company's compliance with legal obligations and/or the defense of its legitimate interests:

a. For assessing the credit risk that the Company is to undertake or has already undertaken,

b. For monitoring the development of the relevant facility and the outstanding balance,

c. For recording and archiving your orders within the framework of the provided factoring services,

d. For preventing or limiting the possibility of defaulting on your contractual obligations,

e. For the collection of any amounts due to the Company in case of default on your contractual obligations,

4. Documenting requests submitted by you (e.g., debt settlement requests) or complaints and the examination of them by the Company.

5. Preventing and suppressing money laundering and terrorist financing.

6. Ensuring the Company's compliance with obligations imposed by the current legislative, supervisory, and regulatory framework, as well as decisions of authorities or courts.

7. Defending the rights and legitimate interests of the Company and protecting the physical integrity and/or property of its clients and the general transactional parties. This includes ensuring security procedures within the Company, preventing crimes, and detecting the possibility of collecting information on deviant behavior (fraud incidents, thefts, etc.).

8. Communicating with you to inform you about the utilization of provided products or services, their features and their developments, new functionalities or opportunities, your participation in draws, contests, and reward programs and for gathering feedback on your satisfaction with the services provided by the Company or any additional requirements you may have.

Profiling – Automated Decision Making


The Company may create a profile through the combined processing of your personal data in the following main cases:

  • For credit risk mitigation, which the Company is to undertake or has already undertaken, and consequently for the limitation of vulnerabilities, it compiles the credit profile of its clients. This specific processing is absolutely necessary for the preparation of each contract and its operation.
  • To improve customer satisfaction and expand it whenever possible, the Company compiles your transactional profile through the combined processing of your data mentioned at the first chapter of this document. This is done to inform and promote new products and services or to expand the use of already granted ones. This processing is in the legitimate interest of the Company to expand its activities. However, since financial services may involve credit risks for you, the processing is carried out after your relevant notification and consent.
  • For the mandatory measures for the prevention and suppression of money laundering and terrorism financing, the Company compiles profiles using internationally recognized standards and models. This processing is done as part of fulfilling the relevant legal obligation.


Automated Decision-Making

After profiling, the Company may proceed with automated decision-making that concerns you and may have legal consequences for you (e.g., automated approval or rejection of financing).

In such cases, the Company informs you and provides you with the right to request a reconsideration of the decision with human intervention in writing.

Who are the recipients of your data

1. Employees of the Company who are, on a case-by-case basis, responsible for managing the requests you have submitted to the Company, as well as for the management and operation of the contract or contracts with the Company, to fulfill its obligations arising from them, as well as relevant obligations imposed by law. They are obligated to comply with the legislative framework for data protection and the duty of professional confidentiality.

2. Companies within Pancreta Bank Group, as well as Pancreta Factors itself, in the execution and fulfillment of their contractual, legal, and regulatory obligations, for the assessment of the overall assumed risk and unified customer approach within the Group. This includes the respective Auditors of the Company and/or the Group.

3. Individuals and legal entities to whom the Company may assign the execution of specific tasks on its behalf. This includes, among others, correspondent factors for international factoring, debtor information companies, debt management companies, call centers, lawyers, law firms, notaries, and judicial officers, accredited mediators, data research companies, digitization companies, data management and destruction of archives companies, market research, advertising, and product promotion companies on behalf of the Company, as well as postal service providers, IT application development/maintenance/customization service providers, email service providers, internet hosting service providers, including cloud services, specialized payment service providers, subject to compliance with professional confidentiality and confidentiality obligations in each case.

The Company ensures that those processing data on its behalf meet the prerequisites and provide sufficient guarantees for the implementation of appropriate technical and organizational measures to ensure the protection of your data during their processing.

4. Credit or Financial Institutions based in Greece or the European Union that are licensed and legally operating, as well as special purpose companies or entities based on Law 3156/2003 for securitization of receivables.

5. Debt Acquisition Companies under Law 4354/2015, as well as entities in the broader financial sector, including domestic or EU-based investment firms, in the case of transfer (assignment) of receivables arising from financing agreements.

6. Credit Institutions and Payment Service Providers or entities that are mandatorily involved (such as SWIFT, SEPA, VISA, MASTERCARD, interbank payment systems such as DIAS SA, etc.), based in Greece or the European Union, licensed and legally operating, for the execution of a contract or transactions or in third countries under the conditions specified below.

7. Supervisory, auditing, independent, judicial, public, or other authorities and bodies within the framework of their (statutory) powers, duties, and authorities.

8. "TEIRESIAS S.A." for data concerning the files/systems maintained by it, such as data related to bounced cheques, unpaid (at their expiration) bills of exchange, termination of loan or credit contracts, and their progress, as well as contracts providing guarantees.

9. Insurance Companies with which Pancreta Factors enters into credit insurance contracts.

10. Assignees of claims to whom the Company assigns the receivables against the Supplier deriving from the execution of the factoring contract.

Can Pancreta Factors transfer your data to countries outside the EU (third countries) or to an international organization?

The Company may transfer your personal data to countries outside the EU (third countries) provided that:

1. The European Commission has determined that an adequate level of protection for personal data is ensured by the third country to which the personal data will be transferred.

2. The data recipient has provided appropriate safeguards for the protection of the personal data being transferred.

3. You have been specifically informed and have given your explicit consent to the Company for the transfer of your data.

4. The transfer is necessary for the execution of a contract between the Company and you, or for taking measures at your request prior to entering into a contract.

5. The transfer is necessary for the conclusion or execution of a contract concluded by the Company for your benefit, according to a factoring agreement for receivables from debtors residing or established in third countries.

6. The transfer is necessary for the establishment, exercise, or defense of legal claims or in support of the Company's rights.

7. There is a relevant legal obligation by law or an intergovernmental or international agreement.

8. In the context of the Company's compliance with rules on the exchange of information in the tax field, as derived from legal provisions.


For the fulfillment of points 7 and 8, the Company may transfer your personal data to competent national authorities to be forwarded through them to corresponding authorities in third countries.

How long does the Company keep your data?

If you enter into an agreement with the Company, your personal data will be retained throughout its duration.

In the event of termination of the contract, the Company may retain your personal data until the completion of the statutory time limit for the general prescription of claims, i.e., up to twenty (20) years from the complete settlement of any obligation you have towards it, in any way. If, within the twenty (20) years, legal proceedings are pending with the Company or any entity connected to it, directly or indirectly concerning you, the retention period for your personal data will be extended until the issuance of an irrevocable court decision.

If you do not enter into an agreement with the Company, your personal data will be retained for up to five (5) years from the rejection of your relevant application. In cases where a shorter or longer retention period for your data is prescribed by law or regulatory acts, the above retention period for data will be reduced or increased accordingly.

Documents bearing your signature and in which your personal data have been recorded may be retained in electronic/digital form after a period of five (5) years has passed.

What rights do you have to protect your data?

You have the following rights:

1. To know which personal data concerning you the Company keeps and processes, as well as their origin (right of access).

2. To request the correction and/or completion of your personal data to be complete and accurate, providing any necessary document indicating the need for supplementation or correction, as required (right of correction).

3. To request the limitation of the processing of your data under the applicable terms and conditions (right of limitation).

4. To deny and/or object to any additional processing of your personal data maintained by the Company (right of objection).

5. To request the deletion of your data from the Company's records (right to be forgotten).

6. To request the Company to transfer the data you have provided to any other data controller under the respective terms and conditions (right to data portability).

7. To request, in the case of automated individual decision-making, as mentioned above, a reconsideration of your rejected request with human intervention.

It is noted that the satisfaction of requests under 4 and 5, whether they concern data necessary for the drafting or continuation and operation of the contract, regardless of whether granted by you or acquired from any public source, is subject to the aforementioned restrictions.

Additionally, the Company has the right to refuse the request for limitation of processing or deletion of your data in any case where processing or retention of data is necessary for the establishment, exercise, or support of its legitimate interests, legal rights, or compliance with its legal obligations, as stated in the above section.

Exercising the right to data portability (6) does not imply the deletion of data from the Company's records, which is subject to the terms of the immediately preceding paragraph.

The exercise of the aforementioned rights is effective for the future and does not concern data processing that has already taken place.

8. If the processing of your personal data is based on the consent you have given to the Company, you can revoke it at any time by addressing a relevant statement to the Company. The revocation of consent is only effective for the future and does not affect previous processing based on it.

9. You have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA), which is also the competent supervisory authority for the protection of the fundamental rights and freedoms of individuals regarding the processing concerning you, if you believe that your rights are violated in any way.

How you can exercise your rights

For the exercise of your rights, as stated in the above chapter, you can address the Company's headquarters at 3 Mitropoleos Street, 105 57 in Athens. For your convenience, the Company has prepared the relevant form for the exercise of Subject Rights (available in Greek).

The Company will make every effort to respond to your request within thirty (30) days of its submission. This deadline may be extended for an additional sixty (60) days if deemed necessary in the absolute discretion of the Company, taking into account the complexity of the request and the number of requests. The Company will inform you, in any case of an extension of the deadline, within thirty (30) days.

The above service is provided free of charge by the Company. However, if your requests are manifestly unfounded, excessive, or repetitive, the Company may either impose a reasonable fee on you, informing you accordingly, or refuse to respond to your request(s).

How your rights are protected

The Company applies the appropriate technical and organizational measures to ensure the confidentiality and security of the processing of your data, and protection against accidental or unlawful destruction, leakage, alteration, prohibited dissemination, or unauthorized access and any other form of unfair processing.

This information is provided in accordance with the provisions of Greek legislation and Regulation (EU) 2016/679 on the protection of personal data.

The Company may update, supplement, and/or modify this information in accordance with the current regulatory and legislative framework, as well as in the context of optimizing and upgrading its website services. Therefore, we recommend referring to the updated version of this information on the Company's website for your adequate information.