PRIVACY NOTICE REGARDING THE WEBSITE
pursuant to Article 13 of EU Regulation 2016/679
Dear user, the Data Controller welcomes you to the website www.gruppocassacentrale.it (the “Site”) and invites you to read the following notice (the “Notice”), issued pursuant to Article13 of EU Regulation 2016/679 about the protection of natural persons with regard to the processing of their personal data and the free circulation of the same (“GDPR”).
This document describes all the types of processing performed by the Data Controller via the Site, as defined below. The purpose of the type of processing performed from time to time will depend on the service you have requested.
The Data Controller is CASSA CENTRALE BANCA – CREDITO COOPERATIVO ITALIANO S.P.A., Italian Tax Code 00232480228, VAT no. 02529020220, with legal office in Via Segantini, 5 - 38122 TRENTO, in the person of its pro tempore legal representative (the “Data Controller”). To exercise your rights, listed under point 5 of this notice, and for any other requests regarding matters of privacy, you can contact the Data Controller by writing to firstname.lastname@example.org
The Data Controller has also appointed a data protection officer (“DPO”), whom you can contact directly in order to exercise your rights, and to receive any information you may need regarding the processing of your personal data and/or this Notice, by writing to:
2.1 Browsing data
The IT systems and software procedures which ensure that this website works properly can, during their routine use, acquire certain personal data implicitly sent when a user uses the Internet communication protocols.
This information is not collected for the purpose of associating it with identified data subjects. However, by its very nature, it could enable the users to be identified, when it is processed and associated with data held by third parties.
Usually this category of data includes the IP addresses or domain names of the computers used by the users who connect to the website, the URI addresses (Uniform Resource Identifiers) of the requested resources, the time of the request, the method used to make the request to the server, the size of the file received response, the numerical code indicating the status of the response provided by the server (successful, error, etc.) and other parameters related to the user’s operating system and IT environment.
The browsing data are retained for 7 days from the time of collection and are processed to ensure the legitimate interest of the Data Controller - Article 6, paragraph 1, letter f) of the GDPR, for the following purposes:
- evolution and technological maintenance of the site;
- investigation of potential cybercrimes;
- statistical analyses on the use of the site to check that it works correctly and supervise the security aspects;
- monitoring and assessment regarding the use of the site by the users.
2.2 Data provided voluntarily by the user
The optional, explicit and voluntary sending of messages to the contact addresses indicated on this website and the completion of the “forms” lead to the acquisition of the sender’s contact details, and all the personal data contained in the communications required to manage, fulfil or meet specific requests forwarded to the Bank.
Failure to confer the requested data will make it impossible for the Data Controller to fulfil your request.
The legal basis for the processing is the need to fulfil your request, in compliance with Article 6, paragraph 1, letter b) of the GDPR. Accordingly, there is no need to acquire your consent prior to the processing.
The data collected for the above-mentioned purposes will be processed for the time strictly required in order to fulfil your request.
Specific information will be published on the pages of the website dedicated to the provision of specific services.
2.3 Data provided for commercial communications
If you want to be kept informed about the latest new products and services offered by the Data Controller, you can sign up to our marketing initiatives which entail the sending of newsletters and additional sales-related communications.
The legal basis for the sending of commercial communications and the newsletter is your explicit consent, which the Data Controller requests you provide in all the pages of the website on which you can sign up to those services, in compliance with Article 6, paragraph 1, letter a) of the GDPR.
Your personal data will be processed until you decide to revoke your consent or object to the processing.
The Data Controller can also process your personal data using cookies.
2.5 COOKIES FOR REMARKETING
This Website uses Google AdWords to market the products and services offered by the Data Controller on third-party Websites.
Remarketing may consist in conducting advertising campaigns on Google's search results page, on a website of the Google Display Network (Google AdSense), or inside the Facebook social network, targeting the visitors of the website that will have given consent for these purposes.
The remarketing cookies used by this website will be used for 90 days for Google AdWords.
You may object to remarketing campaigns using the following links:
2.6 TRANSFERRING YOUR PERSONAL DATA TO THIRD PARTIES TO FULFIL REQUESTS FOR INFORMATION
Following your request for specific marketing initiatives, collected through forms found on the website, the Data Controller may transfer your personal data, with your prior consent, to the Bank of the Group you intend to request information from; the Bank shall process your personal data as an independent controller (“Third-Party Recipient”).
The legal basis for transferring your personal data to the Bank of the Group specified by you, in order to fulfil your request for information, is the explicit consent that the Controller requests of you on all the pages of the website where it is possible to sign up for this service, in accordance with Article 6(1)(a) of the GDPR.
Any failure to provide personal data, or to give consent, will prevent the Controller from fulfilling your request.
The Controller and the Bank of the Group that is the Third-Party Recipient shall process the data collected for the above purposes for the time strictly required to fulfil your request.
The Bank of the Group, i.e. the Third-Party Recipient, shall fulfil your request as per paragraph 2.2 (Data voluntarily provided by the user) of this policy.
You will be able to exercise your rights vis-à-vis the Data Controller and the Bank of the Group (Third-Party Recipient) as per paragraph 5 of this policy.
For additional information, see the policy published on the website of the Group's Bank to which you have submitted your request for information.
Your personal data will be processed in compliance with the provisions set forth by the legislation in force regarding personal data protection, using paper, computerised and digital means, based on logics strictly connected to the indicated purposes and, in any case, using methods suitable for guaranteeing the security and confidentiality of the same in conformity with the provisions envisaged by Article 32 of the GDPR.
3.1 Processing methods and children under the age of 14 years old
The Data Controller does not consciously use its website to request data from children under 14 years of age.
If you are aged between 14 and 18 years old, your data will only be processed for the purposes of providing the services of the information company (web services).
For the pursuance of the purposes described above, your personal data can come to the knowledge of the employees, other persons treated as such, collaborators and agents of the Bank who will operate as parties authorised to perform the processing and/or Data Supervisors.
Additionally, the Data Controller may need to communicate your personal data to third parties belonging, for example, to the following categories:
- companies belonging to the Cassa Centrale Banca Cooperative Banking group or subsidiaries or associates of the parent company pursuant to Article 2359 of the Italian Civil Code;
- parties that provide services for managing the Bank’s IT system;
- companies that offer services designed to detect the quality of the services, market research, commercial information and the promotion of products and/or services.
The full, updated list of the parties to whom your personal data can be communicated can be requested from the Data Controller’s registered office.
Your personal data will not be transferred to third parties outside the European Union and will not be disseminated.
In relation to the data processing described in this Notice, as Data Subject, under the conditions set forth by the GDPR, you can exercise the rights ratified by Articles 15 to 22 of the GDPR and, in particular:
- right of access – Article 20 of the GDPR: the right to obtain from the Data Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access the personal data;
- right to rectification – Article 16 of the GDPR: the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning you and to have incomplete personal data completed;
- right to erasure (‘right to be forgotten’) – Article 17 of the GDPR: the right to obtain from the Data Controller the erasure of personal data concerning you without undue delay. The right to erasure shall not apply to the extent that processing is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims;
- right to restriction of processing – Article 18 of the GDPR: the right to obtain from the Data Controller restriction of the processing when: a) the accuracy of the personal data is contested by the Data Subject; b) the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the data are required by the Data Subject for the establishment, exercise or defence of legal claims; d) the Data Subject has objected to the processing pending verification of whether the legitimate grounds of the Data Controller override those of the Data Subject;
- data portability right - Article 20 of the GDPR: the right to receive, in a structured format of common use that can be read by an automatic device, the personal data that concern you provided to the Data Controller, and the right to freely send these to another data controller, should the processing be based on your consent and be performed using automated means. Additionally, the right to have your personal data transmitted directly from the Bank to another Data Controller, where technically feasible;
- right to object - Article 21 of the GDPR: the right to object at any time to processing of personal data concerning you, based on the legitimacy of legitimate interest, including profiling, unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims;
- right not to be subject to a decision based solely on automated processing – Article 22 of the GDPR: the Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or that similarly significantly affects him or her, unless this is necessary for entering into, or performance of, a contract or unless it is based on your explicit consent. In any case, a decision based on automated processing may not concern your personal data and you can, at any time, obtain human intervention on the part of the Data Controller, express your point of view and contest the decision;
- right to lodge a complaint with the Italian Data Protection Authority: https://www.garanteprivacy.it/web/guest/home_en;
- withdraw the consent you have previously granted at any time, with the same level of ease required to grant the same, without this affecting the lawfulness of any processing based on consent before its withdrawal.
The above-mentioned rights can be exercised to the Data Controller using the contacts indicated above in point 1.
Exercising your rights as Data Subject is free of charge, pursuant to Article 12 of the GDPR. However, where requests from a Data Subject prove to be manifestly unfounded or excessive, in particular due to their repetitive character, the Data Controller may charge a reasonable fee, taking into account the administrative costs of managing your request or refuse to act on the request.
Finally, please note that the Data Controller can request any further information that may be required to confirm the identity of the Data Subject.