Data Protection Policy of ICAP S.A.

“ICAP S.A.”, Kallithea, Eleftheriou Venizelou Ave. number 2, 17676, with VAT number 996952940 (Gen. Com. Reg. No. 147989301000)

  1. Scope

    This privacy policy sets out the way ICAP S.A. (hereinafter referred to as “ICAP”) collects, uses, processes, stores, manages, and protects the commercial and financial information regarding entities and personal data (hereinafter referred to as “Information”), so as to meet the data protection standards of the company and comply with the applicable law.

    This privacy policy shall apply to all information to whom any third party may have access (hereinafter referred to as the “User or/and Client”) or which ICAP manages through its online platform ICAP B2B ( (“Website”)  or/and through the mobile application (Mobile app), “ICAP On the Go”, through which ICAP is bound to protect the privacy of visitors and Users/ Clients of the Website and the services of the application (Mobile app), “ICAP on the Go”.

    This policy shall not apply to information collected through any other website or for practices of companies that we do not control. Please note that the Website may contain links to other websites. For instance, if you click on an advertisement in the Website and you are connected to another website, then this personal data protection policy shall not apply to any information collected by that website. We are not responsible for any personal data protection practices of other websites and we recommend you read the personal data protection policy of each website you visit.


  2. Categories of Collected Data

    A. Financial Information of companies and sole proprietorships: annual financial statements, accounts statements, balance sheets, sales statistics.

    Β. Commercial and other Verification Information of companies and sole proprietorships: historical data, VAT number, registered seat, contact details (website, corporate e-mail and telephone), activity, clients, suppliers, agencies, imports, exports, terms of payment, personnel information, property, banks of cooperation etc. depending on the activity of the entity being evaluated.

    C. Shareholding/ Corporate structure and Management Information: shareholding/corporate structure, management, participations, associate enterprises.

    D. Companies’ Commercial Behaviour Information and natural persons (including also sole proprietorships): payment orders, auctions, seizures, files for bankruptcy, declared bankruptcy, requests for reorganization and other adverse information.

    Notification regarding Personal Data Processing by ICAP (as Controller and Processor - in accordance with the General Data Protection Regulation EU 679/2016)

    Why will you process my Personal Data (PD)?

    ICAP provides products and services containing commercial and financial information about entities (“Information”) on the basis of the intended purpose, as this is described in section 6 hereof. Their contents vary depending on the type and purpose of the service provided by ICAP. 

    Information automatically collected when visiting and interacting on the Website: We inform you that your personal data and information that are collected and processed when you manage your account in the Website or through the mobile and tablet application “ICAP On the Go”, are appropriate to the circumstances and they are required for the processing of your claims and the use of ICAP services.

    In particular, when visiting and interacting with the Website, certain information may be automatically collected, such as:

    • your computer’s Internet protocol address (ΙΡ),

    • the type of browser and the operating system,

    ICAP does not manage, collect or process geolocation data, which are collected and processed exclusively by the companies providing operating systems for each device you use (in case of use of iOS-Apple Inc or in case of android - Google Inc). ICAP does not have access to the positioning refresh rate of GPS.


  3. Data Collection Sources

    1)      General Commercial Registry (G.C.R) – Α, Β, C, D

    2)      Internet (corporate sites) – Α, Β

    3)      Athens Stock Exchange Website – Α, Β, C

    4)      Associated Lawyers Network (acting on our behalf) – D

    5)      Teiresias – D

    6)      Companies - Sole Proprietorships (existing clients) – Α Β, C

    7)      Chambers of Commerce and Registry– Β


  4. Transfer of Data to Third Parties

    ICAP reserves the right to disclose your personal data to any member of its group of companies (parent company and its subsidiaries) to the extent it is reasonably necessary for the purposes determined in this policy and in particular:

    1. Your data will be transmitted to ICAP’s business units that are competent for the smooth and trouble-free operation of the Website services and the application “ICAP on the Go”.
    2. Your data may be transmitted and become accessible by legal entities with which, we have entered from time to time into agreements for the purpose of fulfilling our company’s goal (provision of credit rating evaluation services) in a correct and within our contractual terms framework.
    3. Your data may be transmitted, become accessible and processed by subsidiaries of our group within the European union, which apply the appropriate technical, physical and administrative security measures for protecting data from loss, misuse, damage or amendment, unauthorised access and disclosure, as provided by article 32 of the GDPR 679/2016.
    4. During all transmissions, we always take all measures so as to ensure that the transmitted data are the minimum required and that the conditions for legitimate and lawful processing will always be met.

  5. Personal Data Retention Period

    The data retention period depends on the lawful basis of processing, as set out in detail below:

    1. In case the lawful basis for processing is the exercise of legitimate interest, the processing of personal data is carried out for as long as it is considered necessary, for the achievement of ICAP’s intended purpose and for the time still required until the limitation period of any related claims has expired.
    2. In case the personal data of the user/ client (Account Information) are provided on the basis of the user/client’s own consent within the framework of the user/client’s registration in the services of the Website or/and the application “ICAP On the Go”, we shall retain your data for as long as we maintain our contractual relationship with them both in hard copy and in electronic form or until the granted consent by the data subject is withdrawn. In case this is interrupted for any reason, we shall retain such data for as long as it is required until the limitation period of any related claims expires.
    3. In case the lawful basis for processing is the execution of the contract, we shall retain your data for as long as you have the contractual relationship with us both in hard copy and in electronic form or we shall retain them for as long as it is required until the limitation period of any related claims expires.

  6. Legitimate Interest - Intended Purpose -  Lawful Basis for Data Processing

    ΙCAP S.A. operates as Credit Rating Agency since the 7th of July 2011, in accordance with the approval it received from the Hellenic Capital Market Commission and the European Securities & Markets Authority (ESMA).

    ΙCAP within the framework of its general business activity according to the above and while pursuing of its statutory objectives, which include the collection, management, and provision of commercial and financial information (business information), which concern the credit risk evaluation of entities and the promotion of its business activity for the evaluation of credit risks and the resolution of transactions, has created and maintains a database, which is daily updated with financial and commercial information of entities. ICAP processes and stores the said data within the E.U.   

    Moreover, the Clients/ Users of the Website and the application “ICAP On the Go”, will be subject to certain personal data processing that may be required when registering on the Website or using the application “ICAP On the Go”, in case such processing is deemed necessary for the conclusion of a contract with ICAP, as well as for the use of the aforementioned Websites and applications.


  7. Rights of the Data Subjects

    You may exercise, as the case may be, the rights deriving from the applicable Greek Legislation and the General Data Protection Regulation (Regulation (EU) 2016/679) which are as follows: a. the right of information (article 13), b. the right of access (article 15), c. the right to rectification (article 16), d. the right to erasure “right to be forgotten” (article 17), e. the right to restriction of processing (article 18), f. the right to data portability (to receive your personal data in a structured and commonly used format - article 20 where applicable) and g. the right to object (article 21). 

    1. These rights shall be exercised free of charge for you by sending a relevant letter to the Data Protection Officer (DPO) of ICAP: Eleftheriou Venizelou Street, number 2, Kallithea, PC 17676, Athens, ICAP S.A., +302107200000 or via e-mail to  Alternatively, you may also visit our Subject Access Request page on our website [SAR Form online]. You can also submit your request in writing using the form in Appendix 1, sending the request to: 
      - Complaints / Customer Care Department of ICAP: Eleftheriou Venizelou Street, number 2, Kallithea, PC 17676, Athens
      - Data Protection Officer (DPO) of ICAP: Eleftheriou Venizelou Street, number 2, Kallithea, PC 17676, Athens.
      In case however the aforementioned rights are exercised excessively and without good cause thus causing us administrative burden, we may charge you with the cost related to the exercise of the respective right.
    2. In case you exercise any of your rights, we will take all measures available for the satisfaction of your request within thirty (30) days following the receipt of the relevant request. We may either inform you of the acceptance of your request or any objective grounds that hinder its satisfaction.
    3. Notwithstanding the above, you may at any time object to the processing of your Personal Data, by withdrawing your consent (article 7, par. 3 of the GDPR 679/2016).

  8. Data Processing by ICAP

    In some cases, our clients provide us with their business data, such as customer, supplier or third parties’ data - which may contain personal data (who may be individuals or companies) - within the framework of provision of our services. In such cases, ICAP shall operate as the “Processor” of the personal data, which are included in the said business data. Consequently, in such case different provisions of the GDPR 679/2016 shall apply, with which we comply.

    Additionally, ICAP applies throughout the data processing procedure, the appropriate technical, physical, and administrative security measures for protecting the data from loss, misuse, damage or modification, unauthorised access and disclosure, as it is provided under article 32 of the GDPR 679/2016 in order to ensure appropriate security level against risks, including, among others, as the case may be: a) encryption of personal data b) the ability to ensure confidentiality (article 90 GDPR 679/2016), the integrity, availability, and resilience of processing systems and services on an ongoing basis, c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Moreover, ICAP shall take measures so as to ensure that any physical person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller and limits access to your personal information to authorised employees. ICAP servers are hosted at IBM data centre (hosting provider) in Athens. 


  9. Profiling

    We use the information we obtain to produce scores and ratings such as scores for payment consistency, the level of maximum credit etc. We may also carry out customized profiles for our customers. We use highly developed scoring models and algorithms, which are based on previous similar circumstances, adverse events and economic forecasts to produce a score.

    We recommend to our customers how to interpret and use our scores. Our customers may choose to use our scores alone or combine the scores with other information available to them. Their decision making will be based around whether to insure or market to, extend credit, acquire, trade or partner with a business. Our scores predict whether a business is likely to continue trading, pay its bills on time, receive credit, whether they would be likely to purchase a product or service, where they benchmark within their industry or whether they are subject to any specific risks. We do not make any decisions about an organization – we do not hold blacklists and we do not encourage our customers whether to trade with an organization.


  10. Submission of Complaint - Appeal

    1. For any issue regarding your data processing, you may contact us via e-mail at
    2. Moreover, you are always entitled to contact the Hellenic Data Protection Authority, which may accept the submission of relevant complaints in writing at its offices at 1-3, Kifisias Street, Postal Code 115 23, Athens or via e-mail ( in accordance with the instructions indicated on its website.

  11. Amendments

    This policy may be renewed from time to time, due to amendments to the related legislation or change of ICAP’s corporate structure.
    Thereby, we encourage the Clients/ Users to periodically check this site so as to be informed regarding recent information on
    privacy practices
    In any case, the Clients/ Users will be informed via e-mail or a notice on our Website regarding any amendments to this policy.