Categories of subjects that personal data may be communicated to or who can gain knowledge of them
To pursue the purposes described or when it is indispensable or required by law or by authorities with the power to impose it, the Controller reserves the right to communicate data to recipients belonging to the following categories:
- Subjects providing banking, financial and insurance services;
- Supervision and control Authorities and Bodies and, in general, public or private subjects with important public enforcement functions (e.g.: FIU, Bank of Italy, Revenue Office, Central Interbank Alarm Register, Central Risk Register of the Bank of Italy, Judicial Authorities, in any case solely within limits set forth in the assumptions established by laws applicable);
- Other companies of the Group the Controller belongs to, or in any case parent companies, subsidiaries or associated companies pursuant to art. 2359 Italian civil code (also located abroad);
- Subjects performing data acquisition and processing services;
- Subjects providing services to manage the IT system of the Controller and the telecommunications networks (including mailing services);
- Subjects providing document filing and data-entry activities;
- Subjects providing assistance services to the data subject;
- Professional firms or companies as part of assistance and advisory relations;
- Subjects performing market surveys to measure the customer satisfaction level on the quality of services and activities provided by the Controller;
- Subjects performing controls, audits and certification of activities implemented by the Controller.
Subjects belonging to the categories indicated above operate autonomously as separate process controllers, or as processors appointed specifically for the service; the list, updated continuously, is published on the website www.bancaifis.it.
The personal data may be known, related to tasks performed, by Controller employees, including internees, temporary workers, consultants, the employees of external companies, all specifically authorised, instructed and appointed as processors.
Lastly, no data coming from the web services are circulated.
List of Subjects to whom the data may be communicated
Transfer of data to Non-EU Countries/organisations
When needed to perform the purposes mentioned, the data of the data subject could be transferred abroad, to non-EU Countries/organisations that guarantee a personal data protection level deemed suitable by the European Commission with a decision; or, in any case, based on other suitable guarantees, for example the Standard Contractual Clauses adopted by the European Commission. A copy of any data transferred abroad and the list of the non-EU Countries/organisations to which the data has been transferred can be obtained from the Controller by submitting a specific request by ordinary mail sent to the registered office of the Controller or by e-mail sent to firstname.lastname@example.org.
Rights of the data subject
Pursuant to articles from 15 to 22, the Regulation attributes specific rights to the data subject. More specifically, the data subject can obtain: a) confirmation of whether its personal data is being processed or not and, in that case, access to that data; b) rectification of incorrect personal data and integration of any incomplete data; c) erasure of its personal data in cases where it is permitted by the Regulation; d) restriction to processing, for hypotheses set forth in the Regulation; e) communication, to recipients that the personal data were transmitted to, of the requests to rectify/erase the personal data and restrict processing received from the data subject, except when that should prove impossible or imply a disproportionate effort; f) reception, in a structured, commonly-used format readable by an automatic device, of the personal data provided to the Controller and their transmission to another controller, at any time, even if relations possibly held with the Controller should cease. The data subject also has the right to object at any time to its personal data being processed. In those cases, the Controller is obliged to abstain from any further processing, with no prejudice to reasons permitted by the Regulation. The data subject also has the right not to be subjected to a decision based solely on automated processing, including profiling, that causes legal effects concerning him/her and significantly affecting his/her person; unless that decision: a) is needed to finalise or execute a contract between the data subject and the Controller; b) is authorised by Union law or that of the member State the Processor is subject to; c) is based on the specific data subject consent. For the aforementioned letters a) and c), the data subject has the right to obtain human intervention from the Controller, to express its opinion and dispute the decision. Requests may be submitted by ordinary mail sent to the registered office of the Processor or by email sent to email@example.com. The data subject also has the right to submit a complaint to the data protection Authority pursuant to art. 77 of Regulation (EU) 2016/679, and to take legal action pursuant to arts. 78 and 79 of the Regulation itself.