Merchant Data Processing Notice

Updated: April 2025

This Merchant Data Processing notice applies if you are entering into an agreement with the entity mentioned below, part of Global Payments Group (“GP”), for the provision of payment services.

When we refer to “you” or “Merchant” in this notice, we refer to the individuals who provide us with personal data in order to procure these services. In the case of sole traders, partnerships and other private companies, this will be the individuals who own the business, and for non-private companies, this will mean any directors, officers, shareholders or other parties responsible for the operation of the business whose data we collect. In all cases, this will include any joint applicants or guarantors whose personal data we process.


1. Who we are and how to contact us?

NBG Pay S.A., registered with the General Commercial Registry (GEMI) under Nr. 164307201000, Tax Identification Nr. 801839155, KEFODE Attikis, with registered seat at 3 Anthousas Avenue, 15351, Pallini, Attica is the data controller of your personal data, which means information that is about you or from which we can identify you. This notice describes how we deal with your personal data.

We are the data controller of this personal data under relevant data protection laws because in the context of our business relationship with you, we decide how and why it is processed in the ways explained in this notice. When we use terms such as “we”, “us” and “our” in this notice, we mean NBG Pay.

Our Data Protection Officer can be contacted at any time, including if you have queries about this notice or wish to exercise any of the rights mentioned in it, by emailing [email protected] or by mail to 3 Anthousas Avenue, 15351, Pallini, Attica.


2. Where do we get your personal data?

We will generally collect your personal data from the following sources:

  • from you directly and indirectly.
  • from our Partners with whom you may have a contractual relationship.
  • from sources such as Credit Reference Agencies.
  • from other members of our GP Group of companies if you already have a product with them.
  • from Card Schemes or from business information solutions.

Some of the personal data may also have originated from publicly accessible sources.


3. What kinds of personal data about you do we process?

We process the personal data that you provide to us during the Merchant application and onboarding process as well as during your ongoing relationship with us.

The personal data includes:

  • Your title, full name, your contact details (business / home address, email address, telephone numbers), citizenship or nationality;
  • Data you provide to us to verify your identity, such as copies of passports, driving licences or utility bills;
  • Data arising from your use of our services (for example, data on the volume of transactions, and transaction execution data);
  • Information regarding our interactions with you, including, but not limited to, customer service requests, online and telephone communications;
  • Device Information and other unique identifiers, including device / browser identifiers, internet protocol (IP) address, cookies, beacons, pixel tags, or similar unique identifiers;
  • Personal data that we obtain in the context of sanctions monitoring;
  • Personal data about your credit history that we obtain from Credit Reference Agencies; and
  • Where relevant, personal data about any guarantor that you provide in any application.
  • Financial data (information concerning your business revenue, tax certificates) and other economic data that provide an estimate of your Transactional and Financial status and behaviour.
  • Access data for e-applications and electronic identification data (e.g. e-signature).
  • Information supplied by supervisory, judicial and other public and independent authorities, related to criminal convictions, offences, enforcement of measures to protect the public interest, seizures, confiscations, commitments,
  • Where required in accordance with applicable law, special category data in cases of disclosed merchant vulnerabilities (such as physical disability, hearing / visual impairment, mental health, critical illness etc).

If you make a joint application or provide a guarantor, we will also collect the personal data mentioned above about that person. If you are a corporate entity, we will collect the personal data mentioned above about the directors, shareholders and other managers whose names are provided to us by you. You must show this notice to the other applicant and ensure they confirm that they know you will share it with us for the purposes described in it.


4. What are the legal grounds for our processing of your personal data?

NBG Pay may process your said personal data, which are collected either upon commencing the business relationship or at a subsequent time, for the following purposes:

1) Processing necessary to perform our contract with you or for taking steps prior to entering into it, in accordance with Art. 6 (1)(b) GDPR, such as:

  1. Verifying your identity.
  2. Administering, managing your services and updating your records.
  3. Providing you with the requested services or products (which may include sharing your data with 3rd Parties).
  4. Providing you with customer service via telephone, customer chat, via social media platforms or other online channels of communication; and
  5. Sharing your information with the following entities to facilitate the provision of our services to you:
    • the Card Schemes such as Mastercard, Visa, or any applicable card association or organisation including, without limitation any parent, affiliate, subsidiary, or successor, of any of them.
    • Qualified Security Assessors, or other providers, to verify your Payment Card Industry Data Security Standard (PCI DSS) compliance and compliance with your security obligations under our agreement with you.

2) Where we consider that it is appropriate for us to do so for processing that is necessary for our legitimate interests or, in some cases, that of a 3rd party, in accordance with Art. 6 (1)(f) GDPR, including:

  • To administer and manage our relationship and our services and to keep appropriate records;
  • To improve our products and services, by reviewing which products you choose, the frequency and type of use, and to test their performance;
  • To adhere to guidance and best practice under the regimes of governmental and regulatory bodies;
  • To administer good governance for us and other members of GP, and for audit of our business operations including accounting and other compliance obligations;
  • To carry out searches at Credit Reference Agencies;
  • For fraud prevention and debt recovery;
  • To carry out monitoring (including of telephone calls, and where consent is not required by applicable law) as necessary for security, regulatory and quality control purposes;
  • For market research, product surveys, analytics and statistics development;
  • To determine your eligibility for additional products or services that we believe may be of interest to you (which may include sharing your data with 3rd Parties);
  • For direct marketing of our products and partnership offers, (where consent is not required by applicable law), to inform customers about updates to our existing products, the launch of new products as well as products which are offered together with or by our partners; and
  • To maintain the safety and security of our systems, employees and premises.

3) Processing necessary to comply with our legal obligations, in accordance with Art. 6 (1)(c) GDPR:

  • For compliance with laws that apply to us;
  • For establishment, defence and enforcement of our legal rights or those of any other member of GP;
  • For activities related to the prevention, detection and investigation of crime;
  • To carry out identity (know your customer), anti-money laundering checks, and other relevant checks pre-application, at the application stage, and periodically after that;
  • To respond to requests from you to exercise your rights under data protection laws;
  • When we share your personal data with these other people or organisations:
    • Your guarantor (if you have one);
    • Law enforcement agencies and governmental and regulatory bodies; or
    • Courts and other organisations where that is necessary for the administration of justice, to protect vital interests and to protect the security or integrity of our business operations.

4) Processing with your consent where required by applicable law, in accordance with Art. 6 (1) (a) GDPR:

  • To send you direct marketing communications;
  • To share your information with a 3rd party;
  • To collect information via cookies or similar technologies; and
  • For identity verification purposes: In order to provide you with certain services, we are legally obliged to verify your identity. This verification may be through documentary, photographic and/or biometric means and is based on the technology of comparing facial biometric features and a photo from an identity document. Biometric data is considered to be a “special category of data” when used for verification purposes and therefore, the legal basis for processing is your consent. Once you have completed the identification process, your personal data will be retained only for as long as required to fulfil our legal obligations.
  • To process special categories of data for Consumer Duty purposes where applicable.

5. Personal data of Minors

We process minors’ personal data exclusively in cases where the minor is the beneficial owner of a business (i.e. taxi owner) and a court order has been issued that allows the minor’s legal guardians to enter into an agreement with us for the provision of payment services to the business.

Under no circumstances do we or GP deal directly with minors, nor are the products and services we provide intended for direct use by minors.

Minors’ data as well as their legal guardians’ data are collected and may be shared and used in all the ways described in this notice.

6. Personal data processing as part of providing the GP products and services

When you choose to use GP products or services, unless otherwise stated, our legal basis for processing is performance of the contract between you and GP in accordance with Art. 6 (1)(b) GDPR.

GP may provide additional products and/or services not listed in this notice. The services and/or products you have chosen will be listed in our agreement with you. Additional information regarding individual products and/or services will be provided as part of your contract, where required. Note that some of the services and/or products listed below may not be currently available in Greece.

In general, we process your personal data (which may include a transfer to a 3rd party) as described below:

| Product / Service | Personal data processed |
| --- | --- |
| GP Terminal on Mobile (TOM) | Merchant information including merchant / company name, address, identification information, Merchant ID number, and User ID (where relevant). |
| GP Point of Sale (POS) | Merchant information including merchant / company name, address, identification information, Merchant ID number, and User ID (where relevant). |
| GP Webpay | Merchant information including Merchant ID number, identification information, onboarding information. |
| GP eCom Platform | Merchant information including business name, address, merchant ID number, Customer ID number, IP address. |

GP Partner Products:

When you use the following products that are provided to you via 3rd Parties or in collaboration with GP Partners, GP is an intermediary in these relationships and the data processing may also be subject to the terms, conditions, and privacy practices of those 3rd Parties.

GP may share your data with these 3rd Parties in order to facilitate the provision of the services which you have requested. For information on how these 3rd Parties process your personal data, please visit their websites as applicable.

The specific personal data processed may vary depending on which service / products you choose. Where required, supplementary privacy information will be provided as part of your contract documentation.

| GP Partner Products | Product description | Personal Data Processed |
| --- | --- | --- |
| Analytics Products | Products to support you in collecting and better understanding your (current and future) business metrics, sales / transaction results and user demographics, either independently or in relation to your competitors / other businesses in your region. | Merchant information, including merchant / company name, merchant ID, business address and email address. |
| Customer Engagement Products (Advertising / Customer Relationship Optimization Products) | Products to improve sales (online / in-store), boost your business presence and support the integration of seamless customer relationship enhancement tools. | Merchant information, including merchant / company name, merchant ID, business address and email address. |
| Alternative Payment Methods | Products which allow you to offer non-card payment options including bank transfers, digital wallets, mobile wallets, cryptocurrency, electronic cash, deferred payments, instrumental payments and more to your customers. | Merchant information, including merchant / company name, bank account information, merchant ID, business address and email address, merchant category codes. |
| Loyalty Products | Loyalty products drive retention and facilitate the provision of offers, rewards, discounts, or other incentives. | Merchant information, including merchant / company name, merchant ID, device ID. |
| Flexible Financing | Products that help you get financial resources that adjust to your specific business needs whenever you need them. | Merchant information, including merchant / company name, address, merchant ID, business ID number, account information (length of relationship, merchant category codes). |
| Customer surveys / satisfaction products | Products to support the collection, measurement and analysis of customer service related information in easily accessible and manageable tools. | Merchant information, including merchant / company name, address, device ID, cookie information. |
| Others | Other products offered by GP, including products that allow you to support local or national charities; provide foreign exchange services and more. | Merchant information, including merchant / company name, address, merchant ID, business ID number, merchant category codes. |

7. How and when can you withdraw your consent?

Where processing of your personal data is based on your consent, you have the right to withdraw that consent for future processing at any time. You can do this by contacting us by email via [email protected] or by visiting the merchant marketplace or portal (where applicable) or, for direct marketing communications, from the unsubscribe link in any marketing communication.

The consequence might be that we cannot send you some marketing communications, or that we cannot consider special categories of personal data or provide you with certain services. Please note that if you opt out of receiving marketing-related communications from us, we may still send you administrative, transactional, or account information messages, from which you cannot opt out.

8. Is your personal data transferred outside the European Union?

As our affiliate companies are located around the globe, your personal information may be transferred to and stored in another country outside of the country in which you reside, including in the United States, which may be subject to different standards of data protection than your country of residence.

Subject to your consent if required by applicable law, we may appoint an affiliate or other 3rd party company to process personal data in a service provider role. We will remain responsible for that company’s processing of your personal data pursuant to applicable data privacy laws.

We take appropriate steps to ensure that transfers of personal data are in accordance with applicable law, are carefully managed to protect your privacy rights and interests and limited to countries which are recognized as providing an adequate level of legal protection or where alternative adequate arrangements are in place to protect your privacy rights.

For more information about suitable safeguards and (where relevant) how to obtain a copy of them or to find out where they have been made available, you can contact our Data Protection Officer using the email details above.

9. With whom do we share your personal data?

  • With Members of GP to facilitate entering into a contractual relationship with you and the provision of our products and services to you. A list of the members of our Group is available on our website at: globalpayments.com/en-gb/gdpr
  • The National Bank of Greece, for purposes related, indicatively, to our compliance with legal obligations to which we are subject (including to carry out identity/know your customer and anti-money laundering checks) or for purposes related to the pursuit of our legal interests.
  • With our partners and 3rd parties, including those businesses who provide services directly to Merchants to facilitate requested products and/or services or to facilitate registration with relevant regulatory authorities, as needed.
  • The sales company or organisation who referred or introduced you to us
  • Your guarantor (if you have one)
  • The Card Schemes
  • Debt recovery agencies and other third parties, individuals or legal entities, that undertake, acting on our behalf, either to notify you and/or your guarantors of your overdue debts arising out of or in connection with your agreement with us, or perform other debt collection related services in accordance with the provisions of Law 3758/2009, as in force.
  • Credit reference and fraud prevention agencies (to the extent applicable).
  • Our legal and other professional advisers, auditors and actuaries.
  • Financial institutions and trade associations.
  • Governmental and regulatory bodies.
  • Qualified security assessors, or other providers, to verify your PCI DSS compliance and compliance with your security obligations under our agreement with you.
  • Market research organisations, event & social media management and marketing companies who help us to develop, promote and improve our products and services.
  • Other organisations and businesses who provide services such as back up and server hosting providers (including cloud service providers), IT software and maintenance providers, document storage & destruction providers and suppliers of other back-office functions.
  • Buyers and their professional representatives as part of any restructuring or sale of our business or assets.
  • Supervisory, judicial, independent and other authorities at national and European level to meet our obligations under law or regulatory requirement or court judgment, such as: Bank of Greece, the European Central Bank, the European Commission for Competition, the Hellenic Capital Market Commission, the Hellenic Competition Commission, the US Securities & Exchange Commission (SEC), the Financial and Economic Crime Unit (SDOE), the Financial Police, public authorities in Greece and abroad, courts, public prosecutors, investigators, notaries-public, court bailiffs, mortgage registries.
  • Credit institutions, payment institutions, electronic money institutions, investment services providers, mutual fund management companies, execution and trading venues, clearing and settlement companies and systems, trade repositories.
  • “Interbanking Systems S.A.” (“DIAS SA”) for the servicing of interbank transactions, “TIRESIAS SA” for the protection of credit and financial transactions, the Hellenic Deposit and Investment Guarantee Fund, the Hellenic Bank Association, Hellenic Exchanges S.A., banks and financial institutions.
  • Third parties providing customer support services/call center services on our behalf.

10. How we share your personal data with Credit Reference Agencies

In order to process your application, we will perform credit and identity checks on you with one or more Credit Reference Agencies (“CRAs”). To do this, we will supply your personal data to CRAs and they will give us information about you. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information. Detailed information about this processing is provided as part of the application.

We will use this information to:

  • Assess your creditworthiness and whether you are eligible for the product;
  • Verify the accuracy of the data you have provided to us;
  • Prevent criminal activity, fraud and money laundering;
  • Trace and recover debts.

We will continue to exchange personal data about you with CRAs while you have a relationship with us.

When CRAs receive a search from us, they will place a search footprint on your credit file that can be seen by other people who carry out searches.

This information about CRAs is condensed. GP will identify the CRA used in relation to your personal data on request, by emailing our Data Protection Officer as detailed above.

Please note that the processing of your personal data within these agencies is governed by the policies adopted by the relevant agencies. You can contact the CRAs directly by visiting their websites to obtain a copy of your information from them.

11. How long do we retain your personal data?

We retain the personal data we collect for different periods of time depending on what it is and how we use it. In some contexts, we will provide additional information about retention as you use the services. When we collect personal data, we will retain it only for as long as is necessary to complete the legitimate business or legal purposes for which we collected it. In any case your personal data may be stored until the completion of the general limitation period for the exercise of legal actions, pursuant to the applicable legal provisions, namely twenty (20) years from the termination of the relationship. The criteria used to determine our retention periods include:

  • The length of time we have an ongoing relationship with you and provide services to you, for example, for as long as you continue to use our services, and the length of time thereafter during which we may have a legitimate need to reference personal data to address issues that may arise.
  • Whether there is a contractual obligation to which we are subject, for example, our contracts with you may specify a certain period of time during which we are required to maintain the data.
  • Whether there is a legal obligation to which we are subject, for example, certain laws require us to keep records of transactions for a certain period of time before we can delete them; and
  • Whether retention is advisable to preserve our legal position, such as in regard to applicable statutes of limitations, litigation or regulatory investigations.

12. What are your rights under data protection laws?

You have certain rights in relation to the processing of your personal data, some of which may not apply in all circumstances. To learn more or to exercise your rights, you can submit a request by completing this form. You may also contact our Data Protection Officer via [email protected].

  • The right to be informed about our processing of your personal data;
  • The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed;
  • The right to object to processing of your personal data, where we are relying upon legitimate interest to process data;
  • The right to restrict processing of your personal data;
  • The right to have your personal data erased (the ‘right to be forgotten’);
  • The right to request access to your personal data and to obtain information about how we process it;
  • The right to move, copy or transfer your personal data (‘data portability’); and
  • Rights in relation to automated decision making that has a legal effect or otherwise significantly affects you.

You have the right to complain to the Hellenic Data Protection Authority, using the following contact information, if you believe that our processing does not comply with applicable data protection laws:

Website: www.dpa.gr

Postal address: Leoforos Kifisias 1-3, 115 23, Athens

Contact Centre: +30 210 6475600

Fax: +30 210 6475628

Email: [email protected]

If you wish to exercise any of these rights against any entity that is a data controller in its own right, you should contact them separately. 

13. Data Anonymisation and Use of Aggregated Information

Your personal data may be converted into statistical or aggregated data, which cannot be used to re-identify you. It may then be used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described in this notice.

14. General

This document was last issued in April 2025 and may be amended from time to time. Updated versions will be posted on our website.