This Policy takes into consideration all the pertinent rules on the matter, with particular reference to:
- Recommendation no. 2/2001 of the Article 29 Group, regarding the minimum requirements for the online gathering of data within the EU;
- Directive 2009/136/EC, amending Directive 2002/58/EC (the so-called e-Privacy Directive), regarding the processing of personal data and the protection of privacy in the electronic communications sector;
The Data Controller is Banca IFIS S.p.A., with registered office in Via Terraglio 63, 30174, Venice. The Data Controller has appointed a Data Protection Officer, who can be contacted by email at: firstname.lastname@example.org.
Type of data processed and purposes of processing
1) Data provided voluntarily by users
The voluntary sending of email to the email addresses indicated on the aforementioned websites / blogs leads to the subsequent acquisition of the sender’s email address, which is necessary for responding to requests, as well as any other personal data included in the message. This is also the case with the handling of complaints sent by users and the answering of the same. The data provided in this way are processed by the Data Controller for the time necessary for completion of the purposes for which they have been communicated and they will be cancelled as soon as these operations have been completed.
Moreover, the user is free to provide their own personal data via online and contact forms, to request the sending of newsletters, information and/or advertising material, as well as other periodical or occasional communications, and to create and manage an account: the use of these data for the purposes mentioned by the Data Controller can take place solely with the permission of the sender and until said permission is retracted by the user themselves. On the basis of said permission, the Data Controller may propose that users participate in surveys aimed at assessing the quality of the services offered. Any information provided by the users will be processed exclusively in relation to the survey itself and will be cancelled once this processing is complete.
Users who make use of forums or other methods for publishing personal content on the Data Controller’s websites / blogs must be aware of the fact that published information may be read, gathered or used by third parties who do not have any relationship with the Data Controller, also for the sending of unsolicited messages. The Data Controller will not be held responsible for the use that said third parties may make of the personal data that the users choose to publish with these means.
2) Navigation data
The computer systems used to operate the websites / blogs, during standard operation and for the sole duration of the connection, acquire various forms of personal data, the transmission of which is implicit in using internet communication protocols. This information is not gathered to be associated with identified Data Subjects, but, by its very nature, could allow the identification of the user through processing of, and association with, data held by third parties. This category of data includes: IP addresses or the names of computers used by the users who connect to the websites / blogs, addresses in URI (Uniform Resource Identifier) notation for the requested resources, the time of the requests, the method used to make the requests to the server, the size of the file received in response, the numerical code indicating the status of the response provided by the server (successful, error, etc.), the characteristics of the browser used for navigation, the size of the window in which the browser is running on the device in use, as well as other parameters relative to the operating system and the user’s computing environment. These data are used solely to gather anonymous statistical information regarding the use of the websites / blogs and to monitor their correct functioning and are cancelled immediately after being processed. The data may be used to ascertain responsibility in the case of a hypothetical information technology crime committed against the websites / blogs, but even in this case, the contact data are not held for more than seven days.
Cookies are small strings of text that the website sends and saves in the user’s device, to then be used by the same website when the user returns. During navigation, the user may also receive cookies on their device which have been sent by other websites or servers (belonging to so-called “third parties”) which may contain some elements (such as, for example, images, maps, sounds, specific links to pages in other domains) present on the website visited. Cookies are used for various purposes such as, for example, computer authentication, session monitoring, and the saving of information regarding specific configurations regarding the users accessing the server.
Cookies can be either technical or for profiling.
- Technical cookies: technical cookies can be subdivided into session cookies (which guarantee standard navigation and use of the website) and permanent cookies (cookie analytics, used to collect information in an aggregated form regarding the number of users and how they visit the website, and function cookies, which allow the user to navigate according to a series of selected criteria, such as, for example, language etc.). The installation of these categories of cookies does not require the prior consent of the users. Technical cookies are installed in the user’s device in order to identify the user when they log into the websites, to analyse navigation with a view to continuous optimisation, and to carry out analyses aimed at improving the aspect, the functionality and the level of security of the website. Furthermore, this website uses technical cookies which allow for personalised navigation, according to a series of criteria selected on the website by the user.
For information on how to modify the settings regarding cookies, please refer to the instructions below, according to the browser that is being used:
| Browser | Link to cookie management |
|---|---|
| Microsoft Internet Explorer | https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies |
Click here for the list of the cookies that we use on our websites / blogs.
Methods of processing of personal data and storage period
The personal data gathered by the Data Controller’s website are processed by automatic instruments for the time strictly necessary for the purposes for which they were collected. At the end of said period, the data will be cancelled or rendered anonymous, save for when further storage is necessary for legal reasons or to comply with orders from Public Authorities and/or Supervisory Bodies. Where necessary, processing carried out by the Bank with regards to personal data gathered from the Bank’s websites / blogs can be based on automated decision-making processes which produce legal implications, or which have a similar and significant effect on the data subject, such as, for example, processing carried out via the use of profiling cookies.
Appropriate measures of organisational and technical security are observed in order to prevent both material and non-material damage (e.g. the loss of control over personal data or limitation of rights, discrimination, identity theft or fraud, financial losses, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or social disadvantage).
No data deriving from web services will be subject to disclosure.
Categories of entities to which personal data may be disclosed or which may become aware of the data
For the pursuit of the purposes described, or in cases in which it is strictly necessary or required by law or by authorities empowered to impose said law, the Data Controller reserves the right to communicate the data to recipients in the following categories:
- subjects who carry out banking, financial and insurance services;
- Regulatory and Control Authorities and Bodies and, in general, public or private entities with prominent public functions (e.g. the Italian Financial Information Unit – UIF, the Bank of Italy, the Italian Tax Authority – Agenzia delle Entrate, the Interbank Register of Bad Cheques and Payment cards, the Bank of Italy’s Central Credit Register, the Judicial Authorities, in any case solely within the limits of the conditions established by the applicable legislation);
- other companies from the Group to which the Bank belongs, whether parent, subsidiary or associated, pursuant to Article 2359 of the Italian Civil Code (even where situated abroad);
- entities carrying out services for the gathering, processing and elaboration of data;
- entities providing IT and telecommunications network management services for the Bank (including mailing services);
- entities responsible for document storage and data-entry;
- entities responsible for customer services;
- professional firms or companies providing assistance and consultancy services;
- entities carrying out market research activities, aimed at identifying the level of satisfaction expressed by the customer on the quality of the services provided and activities carried out by the Bank;
- entities responsible for the control, auditing and certification of the Bank’s activities.
Data may also become known, in the exercising of assigned tasks, by the Bank’s personnel, including interns, temporary workers, consultants, employees of external companies, all specifically authorised to process personal data.
Data transfer to non-EU countries/organisations
Where it is necessary to achieve the purposes mentioned, a Data Subject’s Personal Data may be transferred abroad, to non-EU countries/organisations which guarantee a level of protection of personal data which is deemed appropriate under the decision of the European Commission, or in any case based on other appropriate safeguards, for example, the Standard Contractual Clauses adopted by the European Commission. A copy of any Data transferred abroad, as well as the list of non-EU countries/organisations to which Data have been transferred, may be requested from the Data Controller by presenting a request to the organisational unit charged with responding to Data Subjects, via standard mail sent to the headquarters of the Data Controller or via email to email@example.com.
Rights of the Data Subject
Pursuant to Articles 15 to 22, the Regulation enables Data Subjects to exercise specific rights. In particular, a Data Subject may obtain: a) confirmation of the existence of personal data processing which concerns them and, in this case, the access to said data; b) the correction of incorrect personal data and the integration of incomplete personal data; c) the cancellation of personal data which concerns them, when permitted by the Regulation; d) the limiting of processing, in the cases provided for by the Regulation; e) the communication to recipients of the personal data of requests made by the Data Subject for the correction/cancellation of personal data and the limiting of processing of the same, save for cases in which this is impossible or which would require an unreasonable level of effort; f) the reception, in a structured format which is of common use and legible by an automatic device, of the personal data provided to the Data Controller, as well as the transmission of the same to another data controller, at any time, even on termination of any relationship established with the Data Controller. The Data Subject also has the right to oppose, at any time, the processing of personal data which concern them: in this case, the Data Controller is obliged to refrain from any further processing, save for the purposes allowed by the Regulation. The Data Subject also has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or has a similar effect on their person, save for when said decision is: a) necessary for the conclusion or execution of a contract between the Data Subject and the Data Controller; b) authorised by Union law or by the laws of the Member state to whose jurisdiction the Data Controller is subject; c) based on the explicit consent of the Data Subject. 
In the cases specified in points a) and c) above, the Data Subject has the right to obtain human intervention from the Data Controller, to express their opinion and to appeal against the decision.
These requests may be submitted to the organisational unit responsible for responding to the Data Subject, by letter to the headquarters of the Data Controller, or by e-mail to firstname.lastname@example.org.
The Data Subject also has the right to file a complaint with the Italian Data Protection Authority (Garante Privacy).