This Policy takes into consideration all the pertinent rules on the matter, with particular reference to:
- Article 29 of the Group’s Recommendation no. 2/2001, regarding the minimum requirements for the online gathering of data within the EU;
- Directive 2009/136/EC, amending Directive 2002/58/EC (known as the e-Privacy Directive), regarding the processing of personal data and the protection of privacy in the electronic communications sector;
The Data Controller is IFIS NPL S.p.A., with registered office in Via Terraglio 63, 30174, Venice (the “Data Controller” or the “Company”). The Data Controller has appointed a Data Protection Officer, who can be contacted by e-mail at: email@example.com.
Type of data processed and purposes of processing
1) Data provided voluntarily by users
The voluntary sending of e-mail to the addresses indicated on the aforementioned website, also via the use of online forms and contact forms provided for the user, results in the consequent acquisition of the sender’s e-mail address by the Data Controller, as well as any other personal data in the message or requested during the completion of the aforementioned online forms and contact forms. The provision of said data is necessary for the identification of the user, the handling of their request and the responding to the same. This is also the case with the handling of complaints sent by users and the answering of the same, as well as in relation to the creation and management of an account. The data provided in this way are processed by the Data Controller for the time necessary for completion of the purposes for which they have been communicated and they will be cancelled as soon as these time limits have expired.
Moreover, the user is free to provide their own personal data via online and contact forms, to request the sending of newsletters, information and/or advertising material, as well as for market research and activities regarding the promotion and offering of company products and/or services: the use of these data for the purposes mentioned by the Data Controller can take place solely with the permission of the user and until said permission is retracted by the user themselves.
2) Navigation data
The computer systems used for the operating of the website, during standard operation, and for the sole duration of the connection, acquire various forms of personal data, the transmission of which is implicit in using internet communication protocols. This information is not gathered in order to be associated with specific Data Subjects, but, by its very nature, could allow the identification of the user through processing of, and association with, data held by third parties. This category of data includes: IP addresses or the names of computers used by the users who connect to the website, addresses in URI (Uniform Resource Identifier) notation for the requested resources, the time of the requests, the method used to make the requests to the server, the size of the file received in response, the numerical code indicating the status of the response provided by the server (successful, error, etc.), the characteristics of the browser used for navigation, the size of the window in which the browser is running on the device in use, as well as other parameters relative to the operating system and the user’s computing environment. These data are used solely to gather anonymous statistical information regarding the use of the website and in order to monitor its correct functioning, and are cancelled immediately after being processed. Data could be used to ascertain responsibility in the event of hypothetical computer crimes committed against the website.
Cookies are small strings of text that the website sends and saves in the user’s device, to then be used by the same website when the user returns. During navigation, the user may also receive cookies on their device which have been sent by other websites or servers (belonging to so-called “third parties”) which may contain some elements (such as, for example, images, maps, sounds, specific links to pages in other domains) present on the website visited. Cookies are used for various purposes such as, for example, computer authentication, session monitoring, and the saving of information regarding specific configurations regarding the users accessing the server.
Cookies can be either technical or for profiling.
- Technical cookies: technical cookies can be subdivided into session cookies (which guarantee standard navigation and use of the website) and permanent cookies (analytics cookies, used to collect information in an aggregated form regarding the number of users and how they visit the website, and function cookies, which allow the user to navigate according to a series of selected criteria, such as, for example, language etc.). The installation of these categories of cookies does not require the prior consent of the users. Technical cookies are installed in the user’s device in order to identify the user when they log into the websites, to analyse navigation with a view to continuous optimisation, and to carry out analyses aimed at improving the aspect, the functionality and the level of security of the website. Furthermore, this website makes use of technical cookies that allow personalised navigation, according to a series of criteria entered on the website by the user.
- Microsoft Internet Explorer: https://support.microsoft.com/it-it/help/17442/windows-internet-explorer-delete-manage-cookies
Methods of processing of personal data and storage period
The personal data gathered by the Data Controller’s website are processed by automatic instruments for the time strictly necessary for the purposes for which they were collected. At the end of said period, the data will be cancelled or rendered anonymous, save for when further storage is necessary for legal reasons or to comply with orders from Public Authorities and/or Supervisory Bodies. Where necessary, processing carried out by the Data Controller with regards to personal data gathered from the Data Controller’s website can be based on automated decision-making processes which produce legal implications or which have a similar and significant effect on the Data Subject, such as, for example, processing carried out via the use of profiling cookies.
Appropriate measures of organisational and technical security are observed in order to prevent both material and non-material damage (e.g. the loss of control over personal data or limitation of rights, discrimination, identity theft or fraud, financial losses, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or social disadvantage).
No data deriving from web services will be subject to disclosure.
Categories of entities to which personal data may be disclosed or which may become aware of the data
For the pursuit of the purposes described, or in cases in which it is strictly necessary or required by law or by authorities empowered to impose said law, the Data Controller reserves the right to communicate the data to recipients in the following categories:
- Supervisory and monitoring authorities and bodies and, in general, public and private subjects performing a public role (e.g. the Financial Intelligence Unit, the Bank of Italy, the Italian Inland Revenue, the Interbank Register of Bad Cheques and Payment cards, the Bank of Italy’s Central Credit Register, the Judicial Authorities, in any case solely if the conditions established by the applicable regulation apply);
- Companies which compare the Data provided by the Data Subject with those available on public registers, lists, deeds or documents available to the general public, in order to verify if these data are correct, also in compliance with appropriate verification obligations imposed by the Anti-Money Laundering Decree, as well as in cases of protests and adverse entries;
- Entities responsible for the control, auditing and certification of the Company’s activities;
- Companies managing national and international systems combating fraud against banks and financial intermediaries;
- Other companies of the Group to which the Company belongs, whether parent, subsidiary or associated, pursuant to Article 2359 of the Italian Civil Code (also situated abroad);
- Entities which carry out banking, financial and insurance services;
- Financial agents, loan brokers and other intermediaries operating in the credit, financial or banking sector, including collection agencies, with the role of managing the Company’s products and/or services;
- Entities carrying out services for the gathering, processing and elaboration of data;
- Entities providing IT and telecommunications network management services for the Data Controller (including mailing services);
- Entities responsible for document storage and data-entry;
- Entities responsible for customer services;
- Professional firms or companies providing assistance and consultancy services (e.g. accountancy firms, legal firms, etc.);
- Entities carrying out activities of communication assistance and consultancy (e.g. market research activities aimed at identifying the level of satisfaction expressed by the Data Subjects on the quality of the services provided and activities carried out by the Company, telemarketing etc.);
- Entities which print, envelope, transmit, transport and sort correspondence;
- Entities who, in various roles, succeed to the Company in the ownership of legal relationships (e.g. assignees or potential assignees of assets, receivables and/or contracts).
The subjects belonging to the aforementioned categories operate independently as separate Data Controllers, or as Data Processors appointed for the purpose by the Company, whose list, constantly updated, is published on the website www.bancaifis.it.
Data may also become known, in the exercising of assigned tasks, by the Data Controller’s personnel, including interns, temporary workers, consultants, all specifically authorised to process personal data.
Data transfer to non-EU countries/organisations
Where it is necessary to achieve the purposes mentioned, a Data Subject’s Personal Data may be transferred abroad, to non-EU countries/organisations which guarantee a level of protection of personal data that is deemed appropriate under the decision of the European Commission, or in any case based on other appropriate safeguards, for example, the Standard Contractual Clauses adopted by the European Commission. A copy of any Data transferred abroad, as well as the list of non-EU countries/organisations to which Data have been transferred, may be requested from the Data Controller by presenting a request to the organisational unit charged with responding to Data Subjects, via standard mail sent to the headquarters of the Data Controller or via e-mail to firstname.lastname@example.org.
Rights of the Data Subject
Pursuant to Articles 15 to 22, the Regulation enables Data Subjects to exercise specific rights. In particular, a Data Subject may obtain: a) confirmation of the existence of personal data processing which concerns them and, in this case, the access to said data; b) the correction of incorrect personal data and the integration of incomplete personal data; c) the cancellation of personal data which concerns them, when permitted by the Regulation; d) the limiting of processing, in the cases provided for by the Regulation; e) the communication to recipients of the personal data of requests made by the Data Subject for the correction/cancellation of personal data and the limiting of processing of the same, save for cases in which this is impossible or which would require an unreasonable level of effort; f) the reception, in a structured format that is of common use and legible by an automatic device, of the personal data provided to the Data Controller, as well as the transmission of the same to another data controller, at any time, even on termination of any relationship established with the Data Controller. The Data Subject also has the right to oppose, at any time, the processing of personal data which concern them: in this case, the Data Controller is obliged to refrain from any further processing, save for the purposes allowed by the Regulation. The Data Subject also has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or has a similar effect on their person, save for when said decision is: a) necessary for the conclusion or execution of a contract between the Data Subject and the Data Controller; b) authorised by Union law or by the laws of the Member state to whose jurisdiction the Data Controller is subject; c) based on the explicit consent of the Data Subject. 
In the cases specified in points a) and c) above, the Data Subject has the right to obtain human intervention from the Data Controller, to express their opinion and to appeal against the decision.
These requests may be submitted to the organisational unit responsible for responding to the Data Subject, by letter to the headquarters of the Data Controller, or by e-mail to email@example.com.
The Data Subject also has the right to file a complaint with Garante Privacy [the Italian Data Protection Authority].