Personal Data Protection Policy

In accordance with Regulation (EU) 2016/679 and Law 4624/2019

QQUANT MASTER SERVICER Servicing of Loans and Credits Single Member SA (hereinafter referred to as “Quant”) which operates in accordance with Law 4354/2015 and is supervised by the Bank of Greece as Controller or Processor, undertakes to protect the personal data and to implement the General Data Protection Regulation of the EU 2016/679 (hereinafter referred to as “GDPR”), Law 4624/2019 and other national and European legislation on the protection of personal data of natural persons.In the context of its activity, Quant manages portfolios of claims from loans and credits granted by credit and financial institutions, following their assignment by credit institutions as well as by Companies for the acquisition of claims of Article 1 par. 1b of Law 4354/2015 as in force.

1. Scope

This Policy defines the terms and conditions to which Quant adheres for the protection of natural persons whose personal data are processed for the execution of its work in accordance with the purpose of its licensing and operation.

Quant reserves the right to amend and adapt this Policy whenever it is deemed necessary, and the changes are made effective from the date of their posting on its website:

In the event that any of these terms is considered invalid, unlawful or unfair for any reason, the other terms will remain valid and effective as in force as far as they do  not contradict with this policy.

The Personal Data Protection Policy, the Cookies Policy and the Terms of Use of the  Webpage “qquant.grconstitute the overall agreement between Quant and the personal data subjects.

2. Definitions

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing of personal data” means any operation or set of operations which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Recipients of personal data” means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. 

“Website” means the Webpage “” hereinafter referred to as “Webpage”.

“Users” or “User” means the visitor of the Webpage as well as the user registered in the Platform.

3. Legal Bases for the Processing of Personal Data and Processing Purposes

Quant collects and processes personal data by virtue of the following legal bases and to achieve the following purposes:

3.1 Where processing is necessary for the performance of a contract of which the data subject is a contracting party or the processing of the data serves to fulfill the contractual obligations of Quant to third parties or to take measures at the request of the data subject before the conclusion of a contract, for the purposes of:

  • The debt management and in particular for the identification of the debtor and the other parties involved and the communication with the debtor, the preparation of an appropriate settlement with specific repayment terms in accordance with the relevant Greek legislation, the monitoring of the progress of the debt, the prevention or limitation of the probability of breaching his/hers obligations, the pursuit of the collection of any amounts due as well as communication with the debtor for the purpose of his/her briefing and support for the settlement of his/her debts.
  • Electronic, telephone and paper communication.
  • The investigation and handling of complaints submitted in relation to the services of Quant.

3.2 Where processing is necessary for the compliance with Quant’s legal obligation of as Controller or Processor, for the purposes of:

  • Prevention and suppression of money laundering and the financing of terrorism and the implementation of due diligence measures to debtors of portfolio claims.
  • Compliance with the obligations imposed by the applicable legal and regulatory framework (as described below) and the supervisory authorities, as well as with the decisions of Authorities or courts. 

3.3 Where processing is necessary to achieve the Quant’s legitimate interests of and provided that they do not go beyond the rights and freedoms of data subjects, for the purposes of:

  • The proper and more efficient operation and management of the Website.
  • The investigation and possible resolution of technical issues in the context of the provision of online services.
  • Protection of persons and assets of Quant through a closed video surveillance system (CCTV). 

3.4 Where processing is possible in case the data subject’s consent has been expressly provided in advance for the purposes of:

  • The examination of an application for employment at Quant.
  • Understanding how data subjects use and interact with the content of the Website through the use of cookies.
  • The collection and transmission of personal data and credit data to TIRESIAS SA and the receipt of the corresponding data by TIRESIAS SA. 
  • The processing of special categories of personal data in the context of the collection of supporting documents for debt settlement.

In such cases there is the right to withdraw the consent at any time, but without prejudice to the lawfulness of the processing based on consent prior to its withdrawal.

Legal and Regulatory Framework 

Quant processes the personal data of the subjects in compliance with the obligations arising from the following legal and supervisory provisions:

  • Articles 1-3 of Law 4354/2015 and the Act No 118/19.5.2017 of the Executive Committee of the Bank of Greece, as in each time in force.
  • The Code of Conduct of Law 4224/2013 – Decision of the Credit and Insurance Committee of the Bank of Greece no. 392/1/31.5.2021, and as each time in force, and any other regulatory and implementing act or decision, issued in connection with the above. 
  • Act no. 2501/2002 of the Governor of the Bank of Greece, as each time in force as well as the relevant Decisions of the Executive Committee of the Bank of Greece. This Act imposes obligations for information and generally conditions of transparency, as well as the handling of requests and complaints of debtors.
  • The legal and regulatory framework on the prevention and suppression of money laundering and terrorist financing, as each time in force (in particular, Law 4557/2018 which transposed Directive 2015/849/EU, Law 4734/2020 which transposed Directive 2018/843/EU and Law 4816/2021 which transposed Directive 2018/1673/EU and the no. 281/5/17.3.2009 Decision of the Banking and Credit Committee of the Bank of Greece, the Recommendations of the Financial Action Task Force, as well as all relevant Acts, Decisions and implementing circulars of any competent Authority, as each time in force ).
  • Act no. 172/1/29.05.2020  of the Executive Committee of the Bank of Greece which sets out the terms and conditions for the remote electronic identification of natural persons at the conclusion of a business relationship with credit institutions and supervised financial institutions, in the context of the implementation of due diligence measures provided for in the institutional framework for the prevention of money laundering and terrorist financing.
  • Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAs Regulation ), Presidential Decree 150/2001 on electronic signatures, which remains in force in so far as it is not inconsistent with the eIDAs Regulation, the regulatory framework of the “Hellenic Telecommunications and Post Commission” related to digital signatures, and the Digital Governance Code – Law 4727/2020. Furthermore, Presidential Decree 131/2003 on Electronic Commerce and the Information Society Services and Presidential Decree 25/2012 on the filing of electronic legal documents, the issuance of certificates by the Courts, and any relevant legal framework.
  • Law 3758/2009, as amended by Law 4038/2012 and as each time in force, which imposes, inter alia, the obligation to record the content of telephone communications carried out for the purpose of informing debtors of overdue claims. 
  • Law 3471/2006 on the confidentiality of communications and the protection of personal data and privacy in the field of electronic communications, which transposesDirective 2002/58/EC of the European Parliament and of the Council, and Law 3917/2011 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or public networks.
  • The obligations arising from the submission of supervisory reports to the Bank of Greece and the conduct of audits by the Bank of Greece.
  • The Decisions, Directives, Recommendations of the Personal Data Protection Authority.

4. Collection and Processing of Personal Data

Personal data are collected for the above specific, explicit and legitimate purposes. Any processing of personal data is be limited, strictly and only, to the data necessary for the purposes of such processing (“minimisation of data”) and is be carried out on the basis of the principles of lawfulness, objectivity and transparency. 

In particular, they are collected and processed:

4.1. The personal data of the debtors and other parties involved in claims managed by Quant are those that have been transferred by the Banks that granted the loan and / or the credit, as well as those collected from the following sources:

  • The beneficiaries to whom the claims from loans and credits from Financial Institutions were sold and transferred.
  • Companies for the servicing of loans and credits referred to in Article 1 par. 1a of Law 4354/2015 as in force.
  • Lawyers, law firms, court bailiffs and notaries.
  • Directly from the data subjects.

The personal data of the debtors and other parties involved, concern the following:

  • Certification and verification of identity (“Know your Client”, KYC), contact details (postal and e-mail address, landline, mobile, etc.).
  • The marital and financial status, including income, solvency, and any other data required for the personal status, as well as special categories of data collected in accordance with the legal requirements directly from the data subjects, such as health data and / or and of dependent family members or otherwise collected from publicly accessible sources for the purposes of the Code of Conduct of Law 4224/2013 of the Bank of Greece.
  • Data from the keeping and servicing of the contracts included in the portfolios under management.
    • Data of the recording of conversations and communications following prior notification and in accordance with the legal requirements, as well as the frequency of communications and meetings with Quant employees.
    • Payment history of debts and data of payment transactions and payment services.
    • Background of legal actions and litigation of claims.
    • Letters or extrajudicial letters exchanged in respect of debts.
    • Finally, information that is shared with other information that is retained, such as system information about the frequency of communications, dates, times and locations of meetings with Quant employees, and information that is publicly accessible on social networking platforms may be combined (Facebook, Twitter, LinkedIn, etc.). 

4.2. Information collected during the use of the Website:

Personal data are be collected only if disclosed. No registration is required for the use of the Webpage, except for the services of the Platform. Information may be disclosed if forms are completed that generally include information such as name, title, company / registered office, e-mail and telephone / fax numbers, and which are provided on information request screens. 

When navigating the Website, we automatically collect technical information such as:

  • The IP Address is a number that identifies the User’s computer or other similar device each time it is connected to the Internet, allowing computers and servers to identify and communicate with each other on the network. Quant may collect technical information, including the IP address used to connect the computer to the Website, login information, data such as type and version of browser, time zone settings, types and versions of plug-in browsers, operating system and platform, for the purpose of collecting non-personal data for analysis and trending.
  • The Uniform Resource Locator (URL) is the address of a specific website or file on the Internet. Quant may collect information about the User’s visit, such as recording the full clickstream on the Website’s pages when accessing, browsing and exiting it (including date and time data), data displayed or for search, page response time, load errors, specific page visit duration, page interaction information (such as scrolling data, “click” and page interaction when moving the mouse pointer over a specific point (mouseover) and methods to exit the pages. 
  • Cookies are small text files which are sent by the web server that “supports” the Website and stored in the browser of the electronic device of the User (computer, mobile phone, tablet or other electronic device) which is used during the visit to the Website. You can find out more from the Cookies Policy.

4.3. Especially for job applicants – prospective employees, the personal data processed by Quant are determined by the applicable legislation and generally include the name and contact details, data on previous employment, education, skills and any other data included in the curriculum vitae or cover letter to Quant. In case the candidate is invited for an interview, some additional personal data as well as special category of personal data may be collected, if this is absolutely necessary for the evaluation of the suitability for specific positions. Finally, the information received from the candidates interviewed may be retained. 

4.4. Use of Video Surveillance System – CCTV by Quant as a controller for the protection of persons and / or assets in order to protect the workplace, in accordance with the provisions of the legal and regulatory framework. 

Image data from the video recording system of the spaces of Quant where the relevant markings exist are kept for the minimum possible time provided for. 

5. Impact Assessment for the Protection of Personal Data

When a type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of processing, may cause a high risk to the rights and freedoms of natural persons, Quant as a controller shall carry out an assessment of the impact of the processing operations on the protection of personal data, in accordance with the provisions of the GDPR and the respective Decisions for the preparation of a list of the Personal Data Protection Authority with the types of processing operations subject to the requirement to carry out an impact assessment on data protection.

6. Recipients of Personal Data

6.1 For the purposes of debt management and the completion of applications on the Website, the following may be the recipients of the data:

  • Credit Institutions whose portfolios are managed by Quant.
  • Companies to which portfolios of claims deriving from loans and credits were transferred from Credit and Financial Institutions. These companies have become the beneficiaries of the claims managed by Quant. 
  • Debtor information companies of Law 3758/2009, as in force, in case the debt has become due.
  • Lawyers and law firms, court bailiffs, experts, notaries and courts.
  • Companies for the servicing of claims from loans and credits referred to in Law 4354/15, as amended and in force.
  • Supervisory, independent, judicial, prosecutorial, public and/or other authorities or agencies within the scope of their responsibilities.  Quant may disclose personal data to the Bank of Greece and other competent State Authorities or if otherwise required by law or by order of a competent court or Authority. The above processing will continue for as long as required by law.
  • Service providers (affiliated undertakings and third parties), appointed by Quant for specific services including data processing, such as service providers of storage, archiving, data and file management or IT service providers and/or service providers of support of all kinds of information systems and networks or consulting service providers relating to the portfolios currently under management (real estate appraisers, experts, engineers, real estate management consultants, etc.) or providers of audit and accounting/tax services (certified auditors, accountants, etc.) or providers of printing services and statements and written communications, including the cooperating Banks and their networks for the purpose of making payments against debts and the general service of debtors through their networks in Greece.
  • Employees of Quant who are responsible for the evaluation of requests, the management and operation of the contract / settlement and the fulfillment of the obligations arising from it and the relevant obligations imposed by law.

6.2 The Information System of TIRESIAS SA, which is the central database for the purpose of gathering and making financial information available to financial institutions and financial organisations  for the purpose of processing the minimisation of risks from the conclusion and management of credit contracts with insolvent clients and, in general, from the creation of bad debts. In particular, personal data are collected, transmitted and processed in the following databases, which are kept by TIRESIAS SA. I) in the Default Financial Obligations System (DFO) and / or II) in the Credit Consolidation System (CCS), taking into account the consent already given to the Bank or to Quant by the debtor and involved in a claim. 

In particular, it is noted that:

  • In the DFO, data on the credit behavior of individuals and companies (e.g. bounced checks, termination of loan and credit agreements, payment orders, liquidation auction programs, bankruptcies, etc.) are registered.
  • The CCS includes data on the status of loans to businesses and  individuals – consumers (current debts, debts in arrears, etc.). The controller of the DFO and CCS is “TIRESIAS SA” (Municipality of Maroussi, Alamanas 1, PC 151 25).

6.3 Especially for job applicants – prospective employees, their personal data is available only to the duly authorised employees of Quant, who are in charge of human resources management tasks. Personal data may be sent to cooperating companies as well as to Quant partners, who undertake work related to the operation of the contract between them, indicatively, payroll services companies, employment agencies cooperating with Quant, seminar and training companies, for participation in an evaluation process and for conducting cognitive tests and / or technical skills assessment tests through cooperating platforms and providing their data to them, tax and legal advisors, third parties carrying out audits at Quant under the regulatory obligations of Quant or obligations arising from the applicable legislation. Access to the data of job applicants – prospective employees is provided only after their consent and if they are aware of this Policy and have accepted it when submitting the CV. The cooperating companies as well as the authorised Quant external partners will act either as joint controllers of the processing, defining the means and purposes of the processing, or will act as processors on behalf of Quant, in both cases bound by the terms hereof on the processing of data, always on the basis of appropriate guarantees and in accordance with the applicable data protection legislation, in order to maintain the required level of data protection.

6.4 The information collected by our Website is used for the purposes stated at the time of collection. Quant may also disclose data to other members of the Group, namely its affiliates, its parent company and its subsidiaries, as well as to service providers to which it has contractually assigned the services on its behalf, including indicatively service providers  of customer relationship management (CRM) , data analytics and search engines, who help to optimize the Website. Quant may also cooperate with other companies to provide services jointly or to communicate information to a partner or its associates in the context of the implementation of promotional actions, in accordance with the legal and regulatory framework in force.

6.5 Quant, for personal data provided to third parties for their own use and for which it is  recipient, does not sell or transfer them for marketing purposes. Quant shall retain the right to use or disclose the information provided if required by law or if it is reasonably considered that such use or disclosure is required to protect the rights of Quant and / or to comply with a mandate of a competent authority or any other obligation to disclose or transmit personal data or to implement this Policy, in order to protect the rights, assets or security of Quant, its customers or third parties.  The above includes the exchange of information with other companies and organizations for the purposes of protection against fraud and credit risk mitigation.

7. Transfers of Personal Data to Third Countries or International Organizations

Quant may transfer personal data to third countries outside the EU. and the European Economic Area. In this case, the level of protection of the rights of the data subjects and the appropriate safeguards set by the GDPR will be ensured through the application of the standard contractual clauses as defined by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 “on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council” and its Annex, as well as by other relevant Implementing Decisions of the Regulation and any Annexes thereto.

Quant may also store Personal Data in countries or areas of jurisdiction outside the place of establishment of the data subjects. By disclosing personal data on its Website, the Users consent to the aforementioned cross-border transfer and storage of their data to third countries.  Quant undertakes to to take all reasonably necessary measures to ensure that the data is subject to secure processing and always in accordance with this Policy.

In any such case, Quant may transfer the personal data to third countries if: (a) an adequate level of protection is ensured in accordance with the European Commission from the third country, from territory or from one or more specific sectors in that third country; or (b) appropriate safeguards have been provided for processing by the recipient on the basis of the legal and regulatory framework on personal data protection. If none of the above conditions apply, the transfer may be made if one the following conditions is met: i) the transfer is necessary for the establishment or exercise of legal claims or the defense of the rights of Quant; or ii) there is a relevant obligation of Quant from a provision of law or transnational agreement; iii) the data subject has expressly consented to the proposed transfer, after having been informed of the possible risks; iv) the transfer is necessary for the performance of a contract between the data subject and Quant or for the implementation of pre-contractual measures taken at the data subject’s request; v) the transfer is necessary for the conclusion or performance of a contract which was concluded in the interest of the data subject between  Quant and another natural or legal person.

8. Security of Personal Data 

Quant has taken and is implementing the appropriate technical and organizational measures in order to ensure the implementation of the legislation and the appropriate level of security of personal data and has duly trained its staff and binds all its associates, who are acting on its behalf as Processors with contracts governed by the guarantees and safeguards of Regulation (EU) 2016/679. In particular, Quant’s Website Users should take into consideration that the Website may also contain links to other websites in respect of which Quant does not bear any responsibility for the practices and conditions of data protection or their content.

9. Rights of the Data Subject

Legislation on the protection of personal data provides the following rights, which are in principle exercised without financial burden, on the basis of the provisions of the legal framework provided that there are no restrictions on their exercise provided for by the legal framework:

Right of access, i.e. confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, information on which data has been collected and processed by Quant, their origin, the purposes and the legal basis for their processing, any recipients or categories of recipients of personal data, in particular in third countries and the period for which the personal data will be stored.

Right to rectification of any inaccurate personal data by submitting to Quant a statement of correction or completion of any  incomplete personal data in order to become complete and accurate.

Right to erasure of personal data in the following cases: 

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; 
  2. the consent on which the processing of personal data was based is withdrawn, without retroactive effect, and there is no other legal ground for the processing;
  3. the personal data have been processed without the existence of the necessary legal base; 
  4. where the law provides for the obligation to erase personal data; 
  5. where personal data of a child have been collected through the provision of information society services, with the consent of the child if he / she is over 16 years of age or, if the child is under 16 years of age, with the consent given or authorised by the holder of parental responsibility over of the child.

Right to restriction of processing of personal data in the following cases: 

  1. the accuracy of the personal data is contested and until Quant verifies the accuracy of the personal data; 
  2. where the conditions for erasure of the previous paragraph are met and instead of erasure, the restriction of processing of personal data shall be requested; 
  3. where personal data are no longer needed for processing purposes, but such personal data are required for the establishment, exercise or defense of legal claims;
  4. where there are objections to the processing and the right of objection may be exercised until Quant verifies whether the legitimate grounds for the processing override those of the data subject.

Right to object to the processing of personal data at any time and on grounds relating to the particular situation of the data subject, when the processing is necessary for the performance of a task carried out for reasons of public interest or the legitimate interests pursued by Quant or third party, unless there are compelling and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims of Quant.

Right to data portability, i.e. the right to receive in a structured, commonly used and machine-readable format and to transmit those data to another controller, which have been provided to Quant, if the processing of personal data has taken place following consent or was necessary for the performance of a contract.

Right to withdraw at any time the consent (without retroactive effect) provided to Quant, in case the processing of personal data is based on consent.

These rights may be restricted by an obligation of implementation of other laws, for example in the case of a request for restriction, erasure of data or even objection, where Quant is obliged to retain and process such data by law.

For the exercise of the above rights as well as to resolve any question regarding the applicable legislation on personal data, you can contact Quant as follows:
-Through the electronic contact form at: Contact – Quant ( 

-By letter to the Data Protection Officer: by post to the address Kifissias 66, 15125 Maroussi, Athens, Greece or via email

-At the above address and email you can attach:

  • the form of exercise of your above rights, originating from the GDPR (Template 1)                 
  • the request form for a record of recorded calls (Template 2)                 

Quant will respond without financial burden to the request, without delay and in any case within one month (30 days) from the receipt of the request, except for exceptional cases, in which case the above deadline may be extended by two more months, if necessary, taking into account the complexity of the request and / or the number of requests. Quant informs about any extension of the above deadline within one month from the receipt of the request, as well as the reasons of the delay.

In particular:

– If the submitted request is not satisfied according to the above, there is the possibility of submitting a complaint to the Hellenic Data Protection Authority [ Kifissias 1-3, PC 115 23, Athens, tel .: +30 2106475600,, e-mail:], as well as filing an appeal before the competent judicial authorities.

– If the request is deemed by Quant to be manifestly unfounded or excessive, the payment of a reasonable and proportionate fee may be imposed, taking into account the costs of satisfying the request or not being followed up by a reasoned decision of Quant.

10. Personal Data Retention Time

Quant retains the personal data of natural persons for as long as provided for in each case from the applicable legal and regulatory framework and in any case for a period of twenty (20) years from the last calendar day of the year of termination of the respective transactional relationship with the company or credit institution. In case any request for cooperation with Quant is not accepted, the data will be retained for a period of five (5) years. In case of litigation, personal data will be retained until the end of the pending litigation, even in case of exceeding the maximum period of twenty (20) years.

In the Default Financial Obligations System (DFO) of TIRESIAS SA, the retention period of the relevant data is from (two) 2 to (ten) 10 years (depending on the data category).

In the Credit Consolidation System (CCS) of TIRESIAS SA, the retention period of the relevant data is (five) 5 years. 

Any recorded telephone communication, as well as the record of the data of the relevant telephone communications for the purpose of informing debtors of overdue claims (Article 6 par. 7 of Law 3758/2009, as in force), shall be retained for one (1) year.

Especially for job applicants – prospective employees, personal data are retained for the period that is absolutely necessary to achieve the purpose of their collection but also in accordance with the relevant legislation. Where personal data are not necessary for the above purposes, they will be safely destroyed after two (2) years. If the prospective employee accepts a proposal for cooperation with Quant, the personal data collected prior to the recruitment will be part of his or her personal file and will be retained throughout his / her employment and for some additional years after the termination of the cooperation, in accordance with applicable law. Finally, for the fulfillment of the legal or contractual obligations of Quant or for the establishment, exercise or defense of any legal claims, personal data may be retained for a period exceeding two (2) years.

The video surveillance data will be retained for a period of seven (7) days.

In case of change of the retention periods of the personal data provided for by law or by regulatory acts, the above retention periods of personal data will be reduced or increased accordingly.

11. Collaboration with Controllers and Processors

In order to fulfill its purpose and its contractual obligations, QQUANT MASTER SERVICER Servicing of Loans and Credits Single Member SA cooperates with Controllers and Processors, as specifically mentioned in Chapter 6, paragraph 6.1. The list of Controllers and Processors is posted on the Website Data Protection Policy – Quant ( and is updated at regular intervals according to the respective changes.

I. Portfolios’ Beneficiaries

II. Credit Institutions

  • Pancreta Bank
  • Olympus Bank

ΙΙΙ.  Collaborating Law Firms and Offices

12. Contact details

Registered office: 66 Kifissias, 15125 Maroussi, Athens, Greece
GCR: 143190101000
Telephone: 210 444 1999

Data Protection Officer:
Address: 66 Kifissias, 15125 Maroussi, Athens, Greece
Telephone: 210 444 1999

Latest Update 24.10.2023