Banca Ifis Logo

Web Privacy Policy

Introduction

Pursuant to arts. 13 and 14 of Regulation (EU) 2016/679 (“the Regulation”), we would like to inform users about how and why the personal data of those interacting with our websites / mobile app are processed. This Web Privacy Policy is provided solely for www.bancaifis.it and its web subdomains and not for other websites possibly consulted by the user through links published on the above website. This Policy considers all sector regulations, with specific reference to:

  • Recommendation 2/2001 of the Art. 29 Group, related to the minimum requirements for the collection of online data in the EU;
  • Directive 2009/136/EC, amending Directive 2002/58/EC (so-called e-Privacy Directive), related to the processing of personal data and protection of private life in the electronic communications sector;
  • General Provision of the Authority for the protection of personal data “Identification of the simplified methods related to information and acquiring consent to use cookies” of 8 May 2014;
  • “Guidelines cookies and other tracking tools” of the Authority for the protection of personal data of 10 June 2021.

The Joint Controllers are:

  • Banca Ifis S.p.A., with registered office in Via Terraglio 63, 30174 Venezia.
  • Ifis Rental Services S.r.l., with registered office in Via Borghetto 5, 20122 Milano.
  • Cap.Ital.Fin. S.p.A., with registered office in Via Miguel Cervantes de Saavedra, 55, 80133, Napoli.

The Joint Controllers have appointed a Data Protection Officer, who can be contacted by email at: rpd@bancaifis.it.

1) Data provided voluntarily by users

The user may voluntarily provide the Joint Controllers with its personal data, with specific reference to personal information, e-mail address and other contact data, in the following circumstances:

  • sending communications by e-mail to the addresses provided in this website;
  • filling in online contact forms present on this website to request assistance;
  • subscribing to the periodical newsletter;
  • taking part in surveys to investigate the quality of services offered;
  • creating a personal account and using the services connected to the account.

The personal data provided are collected, processed and stored by the Joint Controllers for the following purposes:

  • to respond to communications received;
  • to respond to the requests for assistance (including reports on any disservice);
  • to send newsletters and other information and/or advertising material for products and services offered by the Joint Controllers;
  • to generate and manage user accounts;
  • to process data collected during surveys conducted to assess the level of satisfaction with services provided.

The personal data supplied are processed by the Joint Controllers solely for the time needed to achieve the purpose they were collected for. Once that purpose has been achieved, the personal data are deleted or made irreversibly anonymous.

Users using the forums, or other channels, to publish their contents, hence including their personal data, on this website, acknowledge that information made public can be read, collected and used by third parties who have no relationship with the Joint Controllers, also to send unwanted messages. The Joint Controllers declare that it is not responsible for any improper use that third parties could make of the personal data that users decided to publish through the channels mentioned.

2) Navigation data

During their normal operations and solely for the connection duration, the information systems operating this website acquire some personal data transmitted implicitly on using internet communication protocols. This information is not collected to be associated with identified data subjects but, for its very nature, could enable user identification through processing and association with data held by third parties. This data category includes: IP addresses or the names of computers used by users to connect to this website; URI (Uniform Resource Identifier) addresses of the resources requested, the time requests are made, the method used to submit requests to the server, the size of the file obtained in response, the numerical code indicating the status of the answer given by the server (successful, error, etc.), the characteristics of the browser used for navigation purposes, the size of the window in which the browser is performed in the device used, and other parameters related to the user’s operating system and computer environment. These data are only to collect anonymous statistics on how this website is used and to check it operates correctly, and are deleted straight after processing. The data could be used to ascertain responsibilities in any hypothetical computer crimes damaging the website. In that occurrence too, the contact data do not last longer than seven days.

Cookies are small strings of text that the website sends and memorises in the user’s device; to then be used by the website itself at the user’s next visit. During navigation, the user’s device may also receive cookies sent by different websites or web servers (belonging to so-called “third parties”), on which there could be elements (for example, images, maps, sounds, specific links to the pages of other domains) present on the website visited. Cookies are used for different purposes such as performing IT authentication, monitoring sessions, memorising information on specific configurations concerning users accessing the server.

Personal data collected by the website are processed automatically for the time strictly needed to achieve collection purposes. Where needed, processing performed by the Joint Controllers on data collected from the website could be based on automated decision-making processes that produce legal effects or have a similar significant effect on the data subject such as, for example, processing performed using profiling cookies. Suitable technical and organisational security measures are complied with to prevent damage, whether material or immaterial (e.g. loss of control of the personal data or limiting rights, discrimination, theft or usurping identity, financial losses, unauthorised decryption of pseudonymisation, prejudice to reputation, loss of the confidentiality of personal data protected by professional secret or any other significant economic or social damage).

In order to pursue the stated purposes, or when indispensable or required by the law or by authorities with the necessary power, the Joint Controllers reserve the right to communicate the data to both natural and legal persons who operate as separate autonomous data controllers or as data processors appointed for this purpose. In particular, for the provision of web services provided through cookies, users’ personal data may be communicated to third parties specifically indicated in the website’s cookie banner.

The personal data may be known, related to tasks performed, by Controller employees, including internees, temporary workers, consultants, all specifically authorised, instructed and appointed as processors.

Lastly, no data coming from the web services are circulated.

When needed to perform the purposes mentioned, the data of the data subject could be transferred abroad, to non-EU Countries/organisations that guarantee a personal data protection level deemed suitable by the European Commission with a decision; or, in any case, based on other suitable guarantees, for example the Standard Contractual Clauses adopted by the European Commission. A copy of any data transferred abroad and the list of the non-EU Countries/organisations to which the data has been transferred can be obtained from the Joint Controllers by submitting a specific request by ordinary mail sent to the registered office of the Joint Controllers or by e-mail sent to privacy@bancaifis.it.

Pursuant to articles from 15 to 22, the Regulation attributes specific rights to the data subject. More specifically, the data subject can obtain: a) confirmation of whether its personal data is being processed or not and, in that case, access to that data; b) rectification of incorrect personal data and integration of any incomplete data; c) erasure of its personal data in cases where it is permitted by the Regulation; d) restriction to processing, for hypotheses set forth in the Regulation; e) communication, to recipients that the personal data were transmitted to, of the requests to rectify/erase the personal data and restrict processing received from the data subject, except when that should prove impossible or imply a disproportionate effort; f) reception, in a structured, commonly-used format readable by an automatic device, of the personal data provided to the Joint Controllers and their transmission to another controller, at any time, even if relations possibly held with the Joint Controllers should cease. The data subject also has the right to object at any time to its personal data being processed. In those cases, the Joint Controllers are obliged to abstain from any further processing, with no prejudice to reasons permitted by the Regulation. The data subject also has the right not to be subjected to a decision based solely on automated processing, including profiling, that causes legal effects concerning him/her and significantly affecting his/her person; unless that decision: a) is needed to finalise or execute a contract between the data subject and the Joint Controllers; b) is authorised by Union law or that of the member State the Joint Controller is subject to; c) is based on the specific data subject consent. For the aforementioned letters a) and c), the data subject has the right to obtain human intervention from the Joint Controllers, to express its opinion and dispute the decision. Requests may be submitted by ordinary mail sent to the registered office of the Joint Controllers or by email sent to privacy@bancaifis.it. The data subject also has the right to submit a complaint to the data protection Authority pursuant to art. 77 of Regulation (EU) 2016/679, and to take legal action pursuant to arts. 78 and 79 of the Regulation itself.

Some services (e.g. internet banking) are also provided through mobile applications, available for download on the Google (Play Store) and Apple (App Store) marketplaces. In particular, the “Rendimax” application is developed, updated and maintained by third parties (e.g. Cedacri S.p.A.), designated as data processors.

The processing of personal data is aimed at enabling users to make use of all the functionalities provided by the application and to ensure its proper functioning.

For the pursuit of the aforementioned purposes, the processing of the following categories of personal data is an integral part of the application installation process:

  • personal, identification and contact data, such as, for example, name, surname, e-mail address, telephone number;
  • mobile device data, such as, but not limited to, device model, IMEI Number, Phone Number, SIM ID, Device Name, IP, operating system version, screen resolution, type of network connection, Wi-Fi network name, language;
  • crash logs (and other diagnostic data): this information is indispensable in order to allow the application to be installed, to function properly, and to perform security and fraud prevention analyses.

The data subject may only object to the processing of the aforementioned information by uninstalling the application independently.

Once installed, depending on the service activated, the application may require access to certain functions of the device in order to use certain services offered by the application. The data subject may, at any time and independently, enable or disable these functions. Enabling these functions involves the processing of certain personal data, such as:

  • geolocation data: the application offers – and may offer – functions that require the activation of the location detection systems of the device in use (GPS, Wi-fi, GSM network); geolocation data are also used to assess the risk of the transactions carried out and to carry out the relevant security and fraud prevention analyses; geolocation services can be deactivated at any time by accessing the appropriate location permission section of the device operating system;
  • image-related data: the application accesses the device camera whenever the QR-Code capture and recognition service is activated; authorisation to use the camera is optional, but if it is not provided, it will not be possible to use the relevant QR-Code capture and recognition feature; authorisation to access the device camera does not entail automatic processing of the images stored in the device gallery;
  • contact data: the application may request authorisation to access the list of contacts made available as part of the provision of the service (e.g. telephone numbers for assistance); access to this data does not entail automatic processing of the data contained in the device address book; at any time, the user may change this choice by accessing the device settings, revoking the authorisation previously granted;
  • authentication data: depending on the device model, the application may request, in order to facilitate authentication, consent to use the biometric data provided by the fingerprint or facial image; the application does not save any biometric factor, but only verifies that the data belongs to the person authorised to use the device; the user assumes all responsibility in the event of enabling third parties to use the same device;
  • data on running applications: the information provided by the operating system on other applications running on the device makes it possible to identify any code potentially capable of intercepting and interfering with the operations performed;
  • storage data: this type of authorisation is required to guarantee the caching of certain technical information that is not linked to the user and is functional to enable the application to receive and store data within the memory of the device, such as, for example, accounts, statements and transparency documents.

 

The user may choose to activate so-called push notifications from the application on the device screen in order to (i) authenticate, (ii) authorise account provisions or (iii) receive service information such as the presence of an application update or the execution of a payment. The user can deactivate so-called push notifications directly from the device settings.

The application uses analytics or debugger tools that, by analysing the use of the application, allow to intercept and resolve any malfunctions and/or improve the experience. These tools do not process personal data, or process anonymous data, and are only used to enable certain features of the application to function properly and to prevent fraudulent activities by third parties.

Factoring – Loan Agreements

Privacy Banca Ifis