Privacy Policy

Themis Portfolio Management Limited (hereinafter referred to as “The Company”, “we”) is a Servicing Real Estate management and loan asset management company that operates in Cyprus , subject to the licence and supervision of the Central Bank of Cyprus. The provision of these services largely depends on the processing of large amount of information, including personal data.

The Company respects the privacy of all physical persons whose personal data are processed by the Company. This Privacy Policy has been prepared for and addressed to our customers, employees, vendors, partners and all other interested parties such as obligors (i.e. borrowers, security providers, guarantors and their respective representatives) that may be affected and whose personal data may be processed by The Company.

We encourage you to read this Privacy Policy which sets out important details about how your personal data are processed by The Company in accordance with Data Protection Law, including but not limited to the EU General Data Protection Regulation 2016/679 (“GDPR”), the Cyprus Data Protection legislation 125(I)2018 and the Cyprus legislation governing the electronic communications and postal services 112(I)2004.

1. The Company’s role and details

The Company is the data controller of personal data for certain categories of data subjects such as employees and external contractors and other collaborators of the Company, as well as for our real estate operations). In practice this means that we are responsible for determining the purpose and the means of processing of your personal data. Equally importantly, the Company is a Data Processor in relation to the access and processing of personal data of our customers’ obligors. In the latter case we rely on the Data Controllers (specifically the owners of the loan portfolios) to have identified a valid legal basis for the processing we conduct on their behalf and for informing us when changes to such legal bases become necessary or an enacted by them.

For any queries or concerns relating to privacy, or to exercise any of the rights listed in section 11 of this Policy, please contact our Data Protection Officer (“DPO”) dpo@themispm.com.

2. Data protection principles

In relation to your personal data, our privacy management framework is designed to ensure that such personal data are:

processed fairly, lawfully and in a transparent way (“lawfulness, fairness, transparency”).
processed only for specific and defined purposes that we consider necessary in the course of providing our services (“purpose limitation”).
relevant, adequate and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”).
accurate, and up to date (“data accuracy”).
kept for only as long as we need them for the purposes for which the data are processed (“storage limitation”), in line with our retention policies.
processed in a way that is designed to ensure they will not be lost, destroyed, used for purposes that you are not aware of, or otherwise processed in an unlawful or unauthorised manner (“integrity and confidentiality”).

3. Categories of personal data we process

We process various categories of personal data including, but not limited to the following:

#	Business Relationship	Types of Personal Data we Process	Legal Bases
1	Corporate Obligors	We process the personal data listed below, in the context of the Loan agreement to which the Corporate Obligor is a party in whichever capacity (borrower, guarantor or security provider). Such personal data may relate to the Ultimate Beneficial Owner(s), Directors and Officers, employees and legal representatives of the legal person, as well as other physical persons responsible for the interaction with the Company’s personnel. Identity and contact details, such as: full name, address, email address, phone number, date of birth, ID, nationality, gender, marital status, employment history, details about dependants; Financial/banking information, such as: income and expenses, property ownership, bank account details, debts, investments, house financing data, property evaluation data, securities, insurance data, Special categories of data, such as: health related data or other sensitive information included in supporting documents provided to your previous creditor or to Themis. Criminal conviction data, financial sanctions or other related information we collect directly from you or your former creditor. Position / Company Role information Authority to negotiate and bind the corporate obligor to legally enforceable decisions, respond to financial inquiries, execute financial transactions, etc. Due Diligence and Know Your Customer information, as dictated by law
2	Obligors (borrowers, security providers, guarantors) – Physical Persons	The following personal data are processed in the context of the Loan Agreement between the Obligor and the owners of the loan portfolios, especially in the context of identifying a mutually agreeable solution and loan restructurings: Identity and contact details, such as: full name, address, email address, phone number, date of birth, ID, nationality, gender, marital status, employment history, details about dependants; Financial/banking information, such as: income and expenses, property ownership, bank account details, debts, investments, house financing data, property evaluation data, securities, insurance data, Special categories of data, such as: health related data or other sensitive information included in supporting documents provided to your previous creditor or to Themis. Criminal conviction data, financial sanctions or other related information we collect directly from you or your former creditor.	Contract Consent (for special categories of personal data in accordance with Art.9 of the GDPR)
3	Real Estate Bidders and Interested Buyers	The Company executes promotional and sales processes on behalf of real estate asset owners, and as a facilitator for direct property sales. In this context, the Company acts as an independent Data Controller and in this capacity processes the following personal data: Full Name Gender Age and date of birth Employment information such as profession, occupation, qualifications, employer information, title, role and position, etc Contact details such as mobile, home and work phone numbers Location information (physical home and work address, etc) Electronic identifiers such as email addresses, IP addresses, usernames, etc Identification numbers such as National ID, Passports, Drivers License, authentication questions, in electronic or physical form Economic and financial data for example assets, salary and emoluments, periodic expenses and commitments, etc Health and medical data, relevant to the obligor’s ability to meet their obligations under the loan agreement Nationality information Physical and legal persons are hereby notified that the information they provide to the Company in the context of an expression of interest to acquire a property (or the conclusion of a contract to acquire such a property) shall be shared with the owners of the property being sold by the Company on behalf of the owner.	Contract Consent (for special categories of personal data in accordance with Art.9 of the GDPR) Legislation for those personal data which are stipulated by legal or regulatory obligations (e.g. AML Law) Consent for marketing communications relating to properties of interest
4	Property Tenants	Certain properties which are managed by the Company on behalf of the property’s owners, are leased or rented out to physical or legal persons. In those cases, the Company conducts processing in relation to the following personal data (in cases of legal persons, of the physical persons acting on their behalf): Full Name Gender Age and date of birth Employment information such as profession, occupation, qualifications, employer information, title, role and position, etc Contact details such as mobile, home and work phone numbers Location information (physical home and work address, etc) Electronic identifiers such as email addresses, IP addresses, usernames, etc Identification numbers such as National ID, Passports, Drivers License, authentication questions, in electronic or physical form Physical and legal persons are hereby notified that the information processed by the Company may be shared with external 3^rd parties who may be acting as independent Data Controllers (e.g. companies providing Facilities Management services for the building in which the property leased / rented out, belongs) or Data sub-processors to the Company, for example technicians offering maintenance services to the rented property. In the former case, the responsibility for adherence to applicable privacy legislation rests with the respective 3^rd party acting as a Data Controller, whereas in the latter, that responsibility remains with the Company.	Contract
5	Employees	“Master Data” [full name, ID, Social Security number, address, marital status, children, age, gender, personal emails] “Recruitment Data” [academic records, experience, previous employers, references] Evaluation & Performance Information [salary, appraisals, promotions, disciplinary data, complaints and resulting investigations, appeals against HR decisions] Occupational data [languages, special skills, driver license] Operational data [sales, locations of travel, training records, leave of absence, timesheets / arrival and departure times, passports and IDs in support of business travel arrangements] Financial data [payroll, payroll-related, life insurance details, family status, bank account details]	Contract
6	Applicants	CV information, including: Contact details Previous employment records References Work permit information Skills & Professional and Academic Achievements (e.g. languages, academic degrees Medical information (for specific vacancies / jobs only) Clean Police / Criminal Record Existence of non-performing Loan information	Contract Consent (for special categories of personal data in accordance with Art.9 of the GDPR)
7	Website Users and Visitors	Cookies (please check separate policy) Location information, including physical and IP addresses, etc Full name, email address, mobile phone number (if you choose to register to our Newsletter or similar services we offer)	Consent Legitimate Interest (for browsing the site)
8	Website Users and Visitors	Full name Day and time of entry and exit Company persons you are visiting Entry pass number we provide during your visit and logs of office locations visited Camera / CCTV recordings	Legitimate Interest

4. Sources

We collect personal data about you in a variety of ways. As mentioned above, most of your personal data we process were collected from your original creditor (i.e. your Bank or other Credit Institution). We may also require the collection of additional data directly from you for the purpose of providing our Services.

Furthermore, we may collect data about you from third parties, such as the Artemis Data Registries, other credit reference agencies as well as public authorities such as the Land Registry, the Registrar of Companies, the Central Bank, or any third party with which you have entered into an agreement to represent you in any proceedings or other aspects which affect your relationship with The Company in any manner.

5. Legal basis for processing your data

The Company may process your personal data as described below on the basis of at least one of the legal grounds under GDPR Article 6 (1) and the conditions provided under GDPR Articles 9(2) and 10.

The Company relies on the following legal bases when processing your personal data:

The processing may be subject to your specific, informed and unambiguous consent, for example when using analytical, performance or other non-essential cookies on our website, or when processing your personal data for direct marketing purposes (“Consent”, GDPR Art. 6 (1) (a)).
The processing is necessary in order to perform a contract we have with you or perform the agreement by virtue of which you as a debtor were originally granted the credit facilities. Alternatively, in order to take steps at your request prior to entering into a contract (“Contractual Obligation”, GDPR Art. 6 (1) (b)).
The processing is necessary as a result of applicable legislation and regulatory frameworks, including the laws that govern Credit Facilities and other legal and/or regulatory obligations to which The Company is subject to, such as reporting, compliance, verification and other required activities which involve the processing of personal data. These obligations also include strict and specific statutory requirements under Tax and Anti-money laundering law as well other directives issued from time to time by the Central Bank of Cyprus (“Legal Obligation”, GDPR Art. 6 (1) (c)).
The processing is necessary for the purpose of pursuing and safeguarding our legitimate interests, provided that those interests are not overridden by your rights and freedoms. These include occasions where it may be necessary to disclose your personal data to our subcontractors who are responsible for the security of our systems, assets and business operations, as well as to other third parties, such as credit reference agencies or any other relevant organisations, in order to facilitate the restructuring or management of your loans by The Company. In addition, we will rely on this legal basis if deemed necessary for the initiation of legal proceedings (“legitimate interest”, GDPR Article 6 (1) (f)).
The processing of special categories of data (see section 3) is necessary for the purposes of assessing your ability to meet your financial obligations. This processing activity is based on your explicit consent, whether you have provided such consent to your previous creditor (upon which the Company may rely on) or directly to The Company at the time of disclosing supporting documents with regard to your potential ability to meet your financial obligations. (“Explicit consent”, GDPR Art. 9 (2) (a)). We may also process special categories of data if deemed necessary for the establishment, exercise or defence of legal claims (GDPR Art. 9 (2) (f)).
The processing of previous convictions or other offences may be processed when necessary for the purpose of conducting necessary due diligence and in order to comply with The Company’s obligations under Anti-money laundering or other related legislation or regulation (GDPR Art. 10 (1)).

6. What happens if you do not provide your personal data to The Company

As described above, most of your personal data have been collected by The Company as a result of the portfolio transfer from your original creditor to The Company, either at the time of the transfer or subsequently, based on The Company’s own data collection and privacy management procedures.

However, we may require the collection of additional information from you when necessary to provide our services as described in this Privacy Policy. If you refuse to provide such necessary personal data or if you decide to withdraw your explicit consent for processing of special categories of data (see section 5 above), it is highly likely that we will not be able to provide our services to you. As per our policies, we shall seek to point this out in the respective privacy notices where relevant.

7. Sharing your personal data

Pursuant to our contractual, statutory and regulatory obligations we may share your personal data with various organisations/companies, such as debt collection agencies, credit reference agencies, fraud detection/prevention agencies, our legal advisors, credit reference or other agencies as required, in order to facilitate the restructuring or management of your loans by The Company. In addition, public authorities (e.g. the tax authorities) or other supervisory or regulatory and / or law enforcement authorities (e.g. The Unit for Combating Money Laundering (MOKAS), the Police, or the Central Bank of Cyprus) may become recipients of your personal data as required under applicable law.

There may be instances where we may need to allow access to or disclosure of your data to our service providers, such as our legal advisors, property valuers, bailiffs, licensed private investigators, IT consultants, etc..

At The Company we take all reasonable and necessary steps (either by a direct agreement in accordance with GDPR Art. 28 or by other legally binding arrangements) to ensure that our service providers (data processors) that process personal data on behalf of The Company comply with Data Protection Law and our instructions regarding the processing of your personal data.

8. Technical & Organisational Measures

GDPR imposes obligations to Data Controllers and Data Processors which in several cases are dependent upon consistent implementation of relevant measures and controls across their own operations as well as those of their Data Processors. Our policy is to process personal data with due regard to the security, privacy and protection of the data we receive, store and process.

This privacy policy explains the types of such technical and organizational measures that we employ so as to enhance the level of protection of personal data that we process. These measures the key ones of which are outlined below, are designed to maximise the control over privacy in accordance to GDPR and have the objective of providing a level of security that is appropriate to the related risks.

As part of our overall data protection framework, The Company has appointed a Data Protection Officer, in accordance with the requirements of GDPR. Our DPO can be contacted at dpo@themispm.com.
All our personnel, including service agents and / or relationships managers and handlers periodically observe GDPR-specific awareness sessions so as to maintain the currency of their understanding of GDPR and how it may impact our various operations that affect personal data we process.
We seek to ensure that 3rd parties who support The Company operations or systems or who are otherwise involved in our personal data processing operations, have and operate necessary technical and organizational measures for protecting the security and privacy of personal data.
Our Incident Response Management, and Breach Notification procedures are designed to include escalation of identified incidents to our Data Protection Officer, who is authorized and experienced to involve related executives when such incidents involve personal data of one or more of The Company affected entities and / or persons.
Our recruitment and ongoing personnel training and development, as well as the evaluation and disciplinary processes we operate, are designed to promote and maintain a high standard of professional ethics and competency at all levels of The Company, which is in line with industry standards and our professional and legal responsibilities.
In addition, The Company operates several complementary technical and organisational measures, designed to protect the privacy of personal information that we collect, store and process. Such measures include logical access controls and user rights management with the objective of minimising access to personal (and other Company) information and data, only to authorised Company We also utilise user access credentials management with enforced frequent changes, password complexity and maximum / minimum lengths, restrictions on reuse of same passwords, etc., complemented by a structured process for periodic review and confirmation of continued business need to such personal data.
Furthermore, The Company uses purpose-specific technologies and tools (such as firewalls, intrusion prevention, mail security gateways, sandboxing technologies, etc.), all designed to monitor and manage the security of its electronic perimeter. The Company also has in place an active and ongoing patch management program across security, server and endpoint devices for addressing newly released threats, and benefits from the use of endpoint malware protection at laptop, servers and desktop level. Finally, we also utilize technologies that deliver encryption for data in motion and at rest to protect against privacy risks in cases of hardware theft or loss.

9. Data transfers

Our Policy is not to transfer personal data to organisations located outside of the European Economic Area. In cases where a transfer to third countries which are not subject to an adequacy decision by the European Commission is necessary, such transfer will only be carried out in accordance with the required safeguards under Chapter V of the GDPR and the respective provisions of the Cyprus Data Protection Law, including but not limited to the EU approved standard contractual clauses or other safeguards under GDPR Article 49.

10. Retention of data

The Company shall only process your personal data for the period necessary to fulfil the purposes described in this Privacy Policy, in accordance with applicable law and the guidelines issued from time to time by the Data Protection Commissioner’s Office. We will securely delete or destroy your personal data within defined periods following the end of the business relationship you have with The Company or with a customer of The Company of which you act as a representative, officer, beneficial owner, guarantor or collateral provider. Please note that in the case of a pending judicial process and a legal, financial or technical issue in progress, the relevant personal data will be retained until the final judgment is given or a solution is reached. At that point, the retention periods of our policies shall come into effect.

11. Your data subject rights

You have the following rights under GDPR with regards to the processing of your personal data:

the right to be informed about how we process your data (“right to be informed”).
the right to access your personal data and request a copy of the data we hold and process about you (“right of access”).
the right to request us to update or correct any inaccurate or incomplete personal (“right to rectification”).
the right to withdraw your consent. The withdrawal shall not affect the lawfulness of processing based on consent before it was withdrawn by you.
the right to lodge a complaint with the supervisory authority (Office of the Commissioner for the Protection of Personal Data: http://www.dataprotection.gov.cy, commissioner@dataprotection.gov.cy).

You also have the following rights in certain circumstances:

the right to have your data deleted where there is no longer a lawful reason for us to continue processing them (“right to erasure”).
the right to restrict the processing of the data, if for example the data are not accurate. (“right to restriction”).
the right to receive your personal data in a structured, commonly used and machine-readable format, and have your personal data transferred to another data controller (“right to data portability”).
the right to object to the processing of your personal data, especially in situations where we rely on our legitimate interests (“right to object”).
the right not to be subject to automated decision-making and profiling of personal data which may significantly affect your rights.

Please note that some of the rights mentioned above are not absolute. They are subject to exceptions under GDPR and applicable depending on the legal basis we rely on in each case.

You may request to exercise your rights by sending an email to dpo@themispm.com.

We endeavour to respond to requests within 30 days, although we reserve the right to extend this period to two additional months when the requests require a disproportionate effort. Before assessing any request, The Company will request a valid ID from the data subject and the 30 day time limit shall commence upon confirmation of your identity.

12. Updates to this Privacy Policy

In cases where significant changes have been made regarding the processing of your personal data, we will inform you accordingly and update this Privacy Policy. This version of the Policy has been approved for issue on June 26^th 2023.

13. Other Important Information

This Privacy Policy does not alter in any way other than explicitly defined herein, the obligations and responsibilities of The Company or its customers, employees, vendors or partners, all of which are governed by the respective contracts (where applicable) and related arrangements between The Company and each of those customers, employees, vendors or partners.

14. Glossary & Useful Definitions

#	Term	Definition
	Personal Data	Also referred to as “personally identifiable information (or “PII”), personal data is any information relating to an identified or identifiable living natural person (the “data subject”)
	Legal Basis of Processing	The basis on which the processing of personal data may be based and may be one of the following: the consent of the data subject to the processing of his / her personal data processing is necessary in order to enter into a contract to which the data subject is a contractual party or to take action at the request of the data subject before or after a contract is entered into force processing is necessary to comply with a statutory obligation of the Data Controller or the Data Processor as the case may be processing is necessary for the purposes of the legitimate interests pursued by the Data Controller, unless such interest overrides the interest or fundamental rights and freedoms of the data subject who require the protection of personal data, in particular if the subject of the data is a child processing is necessary to safeguard the vital interest of the data subject or other natural person processing is necessary for the performance of an obligation performed in the public interest or in the exercise of public authority assigned to the Company.
	Legitimate Interest	Our lawful interests in conducting and managing our business to enable us to give you the best services and / or products and secure and private by design experience. In choosing to perform personal data processing under the legal basis of legitimate interest, we seek to ensure that we consider and balance any potential impact on you (both positive and negative) and your rights before doing so. As a general principle, we do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
	Data Controller	The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
	Data Processor	A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.
	Data Protection Officer	A Data Protection Officer (or “DPO”) is a security leadership role required by the GDPR. The DPO is responsible for (a) overseeing data protection strategy and implementation within an organization; (b) ensuring compliance with GDPR requirements; (c) the provision of advice to the Data Controller or the Data Processor and their staff in relation to personal data processing; and (d) to cooperate with Data Protection Authorities and supervisory bodies in all privacy and data protection matters.
	Cross-border Transfers	Transfers of personal data outside the European Economic Area in physical and / or electronic form