Personal Data Protection Policy

According to the Regulation (ΕΕ) 2016/679 (GDPR)

«UCI GREECE CREDIT AND LOAN RECEIVABLES SERVICING COMPANY SINGLE MEMBER SOCIETE ANONYME» with GEMI number 140459601000 and distinctive title “UCI Greece Loan Management Services” was established in Athens in 2017 according to law 4354/2015, as applicable, with the main purpose of managing receivables arising from mortgage and consumer loans and credits to physical entities granted from financial institutions. 

UCI GREECE CREDIT AND LOAN RECEIVABLES SERVICING COMPANY SINGLE MEMBER SOCIETE ANONYME (hereinafter “UCI Hellas”), as controller or processor (as defined in the GDPR), commits to protect personal data and apply the GDPR as well as national legislation to protect personal data. This policy concerns physical entities, whose debts are included in the claims portfolios currently managed by UCI Hellas, physical entities who are in any way associated with these debts, e.g. guarantors, third party collateral providers, members of their family or their delegates, legal representatives in case the debtor is a legal entity, as well as physical entities whose data refer to loan files managed by UCI Hellas, e.g. lawyers, bailiffs, notaries, etc. It also concerns physical entities who visit for any reason the facilities of UCI Hellas (hereinafter “Data Subjects”).


UCI Hellas collects and processes different types of personal data, only to the extent necessary depending on the purpose of the processing and the time required in each case, which it receives from the Data Subjects themselves and through third parties who allow access to personal data based on the consent of the Data Subjects or other legal basis.

More specifically, UCI Hellas collects and processes the following categories of personal data: 

  1. Identification data: name, patronymic, police or other identity card or passport, TIN and competent Tax Office, AMKA, date of birth, gender, etc.
  2. Contact details: home address, phone numbers, email address, etc.
  3. Economic, financial, property and family situation data: occupation, salary, marital status, E1 and E9 forms, settlement notes, creditworthiness data, eg debts to banks, payment orders, seizures, etc.
  4. Data on the loans and credits managed by contracts, due amount, installments, payments, collateral, correspondence between the lender and the debtor or between UCI Hellas with the above, out-of-court settlements, complaints, seizures, contracts, etc.
  5. Data recording of conversations and communications always in accordance with the legal requirements, including communications for information on overdue receivables in accordance with L.3758 / 2009, as applicable.
  6. Special categories of data, such as health data and data of minors only to the extent that they constitute the content of claims of files e.g. applications of Law 3869/2010.
  7. Image data recorded by the video surveillance system installed on its premises.
  8. Data of visitors who come to its facilities for any reason.

UCI Hellas collects the above data from:

  1. the credit or financial institution that has assigned to UCI Hellas the management of the claim or other credit or financial institutions with which it cooperates for purposes of exercising due diligence, in accordance with the current regulatory framework on the prevention and suppression of legal income directly from the Data Subjects,
  2. publicly accessible sources such as telephone directories, courts, mortgage offices, cadastral offices, etc., media, internet, commercial records, provided that this data is necessary for the purposes of the processing,
  3. lawyers, law firms, bailiffs, notaries,
  4. the company “Banking Information Systems SA” (Tiresias) and more specifically from the Obligation Assignment System (S.A.Y.) and the Grant Collection System (S.S.X.),
  5. third parties (natural or legal), acting on behalf of or related to data subjects.

UCI Hellas collects and processes personal data:

  1. for the execution and smooth operation of the contract from which the claims it manages and in general the management of the debt are derived.
  2. to fulfill the obligations of the company to the debtor or the principal of the claim.
  3. for the compliance of the company with its legal obligations such as a) the prevention and suppression of money laundering and terrorist financing, as well as the prevention, detection and suppression of fraud against the company or other customers, b) the company’s compliance with the obligations imposed by the applicable legal, regulatory and supervisory framework, as well as the decisions of any authorities (public, supervisory, etc.) or courts.
  4. for the purposes of the legitimate interests of UCI Hellas, including:
    1. the management of claims and the preparation of legal actions for their collection;
    2. the business development of the company; including the investigation of the degree of customer satisfaction with the services provided, with a view to improving them and in general with the general business relationship with them.
    3. the judicial defense of its interests;
    4. compliance with the company’s internal policies and procedures;
    5. the protection of persons, assets and premises of the company.


UCI Hellas does not make decisions solely on the basis of automated processing, including the profiling. If such processing which produces legal effects that affect you or significantly affect you in a similar manner becomes necessary, the company will provide you with more specific information and, where required, request your consent.


For the proper execution and fulfillment of the contractual, legal and regulatory obligations of UCI Hellas, the employees of the company’s business and operating units have access to your personal data, within the framework of their responsibilities, who are bound by a confidentiality obligation to respect protection of data in accordance with national data protection legislation and the GDPR.

In addition, your personal data may be transmitted to service providers (processors) who have been appointed by us to process personal data and are bound by a contract to maintain confidentiality and data protection in accordance with national data protection legislation and the GDPR, as well as tax and supervisory authorities or where designated by legal or regulatory provisions. 

For the purposes of your debt management, the following may be indicative of the following data:

  1. UCI Hellas employees who are responsible for the evaluation of your requests, the management and operation of the contract / regulation and the fulfillment of the obligations arising therefrom, as well as the relevant obligations imposed by law;
  2. the main requirements of the company;
  3. other non-performing loan management companies;
  4. debtor information companies of Law 3758/2009;
  5. law firms and / or legal advisers;
  6. bailiffs;
  7. notaries;
  8. the company Tiresias SA for registration, in particular in the “Obligation Assignment System” (SAY) and / or the “Grant Collection System” (S.S.X.)1
  9. financial and business advisors;
  10. certified Accountants and Auditing companies;
  11. real estate appraisers;
  12. archiving, storage and file management companies;
  13. systems for support, processing and storage in the computing cloud “cloud”;
  14. insurance companies;
  15. web design and support companies;
  16. other recipients to whom the transmission or notification is required by the applicable regulatory, legislative and generally regulatory framework or court decision (eg supervisory or judicial authorities, tax authorities, supervisory bodies, intermediaries) It is noted that the UCI Hellas will also provide more specific information to the data subjects regarding any transfer of your data to the above recipients, provided that it is provided by the current legislation.  

 Recipients of the image data recorded by the video surveillance system of the company are, in principle, the authorized employees of UCI Hellas, in the context of performing their duties. They may also be police and judicial authorities, in the event of an incident that falls within their remit, as well as a third party with a relevant legal interest (e.g. victim of an illegal act).


The personal data processed by UCI Hellas must be retained throughout the duration of the purpose for which they are processed and / or the current legal and regulatory framework and in any case for a period of twenty (20) years from last calendar day of the year ending the respective transaction relationship with UCI Hellas or the principal of the receivables. In case of a legal dispute, the data are kept for a longer period of time, until the irrevocable completion of the judicial process. UCI Hellas may retain personal data for less than the abovementioned period provided that this is provided for in the management contract of a particular portfolio(s). 

Telephone calls in particular are kept for a shorter period, as the law stipulates (today: one year).

Also, the image data from the security cameras are kept for fifteen (15) days, after which they are safely deleted. In the event that an incident is detected during this period, the specific data are isolated and kept for up to one (1) month, in order to investigate the incident and the possible initiation of legal proceedings to defend the legal interests of the company. In case the incident concerns a third party, these data are kept for up to three (3) more months.

 It is noted that UCI Hellas may retain the data even after the expiration of the processing purpose, if it is not allowed to delete them for legal or regulatory reasons.


Personal data is not initially transmitted to third countries (i.e. to countries outside the European Economic Area). In case this becomes necessary, UCI Hellas will forward the personal data in compliance with the relevant provisions of the regulatory framework.


UCI Hellas implements appropriate organizational and technical measures (such as anonymization, pseudonymization, data encryption, firewalls, privacy by design and by default, strict procedures and policies, continuous training of staff, etc.) for the security of your data, ensuring its confidentiality, processing and protection against accidental or unlawful destruction, accidental loss, alteration, prohibited dissemination or access and any other form of unlawful processing in order to ensure the application of the law.


After verifying your identity, as Data Subjects you have the following rights:

  1. Right to information: UCI Hellas must inform you of the processing to which it submits your data, including but not limited to what data it processes, for what purpose, for what period of time it will retain it, in a transparent, comprehensible and easily accessible form, using clear and simple wording.
  2. Right of access: You have the right to receive a confirmation from UCI Hellas as to whether or not your personal data is processed and, if so, you have the right to access that data.
  3. Right to correction: You have the right to require from UCI Hellas the correction of any inaccurate personal data and the completion of any incomplete data.
  4. Right of deletion: You have the right to request from UCI Hellas the deletion of personal data, subject to the obligations and legal rights of UCI Hellas for their retention based on the applicable legal and regulatory provisions.
  5. Right to restrict processing: You have the right to be provided by UCI Hellas with the restriction of processing, provided that certain conditions are met.
  6. Right of objection: You have the right to object, at any time, to the processing of personal data concerning you. UCI Hellas in this case should stop processing, unless it demonstrates compelling and legitimate reasons that prevail over your interests, rights and freedoms as a data subject or for the establishment, exercise or support of legal claims.
  7. Portability: You have the right to request from UCI Hellas to obtain your personal data, which you have provided in a structured, commonly used and machine-readable format, or to forward it to another controller by UCI Hellas.
  8. Right to withdraw consent: You have the right to withdraw your consent at any time for the processing of your personal data, provided that such processing is based on your consent.

Regarding the above rights, UCI Hellas ensures the development of internal procedures in order to respond in a timely and efficient manner to your relevant requests.

To exercise any of your rights or if you have any other questions regarding the use of our personal data by us, you may contact UCI Hellas, or fill out the form on the UCI Hellas website. You can also contact the Data Protection Officer of UCI Hellas at:

Postal address


Data Protection Officer,

Angelou Pirri 5, 11527, Athens,

or in person at the company’s headquarters at the address above. 

Finally, if you consider that your personal data protection is affected in any way or if you have exercised any or all of your rights to protect your data and still feel that your concerns about how we use your personal data has not been satisfactorily addressed by us, you can, if you wish, also appeal to the Personal Data Protection Authority, with the following contact details:


Postal Address: 1-3 Kifissias Avenue, PC 115 23, Athens

Call Center: +30 210 6475600

Fax: +30 210 6475628



UCI Hellas will update this policy whenever necessary. If there are significant changes to the policy or the way it uses your personal data, it will post a notice in a prominent place on its website before the changes take effect. In any case, the Data Subjects are encouraged to read this Policy periodically to know how their personal data is protected.

Last update: November 2020

1In particular, it is noted that:

– At S.A.Y. data on the credit behavior of individuals and companies (eg uncovered checks, complaints of loan and credit agreements, payment orders, auction programs, bankruptcies, etc.) are recorded and the period of retention of relevant data is from 2 to 10 years (depending on of the data category).

– In the S.S.X. including data on the status of grants to businesses and private-consumers (current debts, arrears, etc.) and the retention period of the relevant data is 5 years. Responsible for the processing of SAY and S.S.X. is “TIRESIAS SA” (Municipality of Maroussi, Alamanas 1, PC 151 25).