In accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (the “Regulation”), IFIS NPL S.p.A. (the “Company”), in its role as Data Controller, wishes to inform persons who have signed up for and are taking part in this event (the “Data Subjects”), that the personal data concerning them (the “Data”) will be processed lawfully, fairly and transparently, in accordance with the methods and for the purposes set out below.
2. Sources of personal data
The Data to be processed are acquired directly by the Company or through third parties as a result of the Data Subject registering for the Company’s event or during the event itself.
3. Purpose of and legal basis for processing
Personal data are processed as part of the Company’s normal activities, for the following purposes:
- A) To allow the Data Subject to take part in the event and to benefit from the connected services (e.g. registering for workshops, etc.) and allow the Company to organise the event.
- B) With prior specific consent:
b.1) To carry out marketing activities (sending newsletters and publicity material, and to carry out market research, promotional activities and offer its products and/or services) using automated means (e.g. e-mail, SMS, MMS, fax, phone calls);
b.2) To use photos and/or videos taken during the event and to publicise them on social networks, websites, and through any other means of communication used by the Company, with the full right to adapt and/or modify and edit them if it deems it necessary and/or appropriate, including in accordance with Articles 10 and 320, Italian Civil Code and Articles 96 and 97, Italian Law no. 633/1941 (Italian Copyright Law).
The provision of Data for the purposes referred to in point A) does not require consent from the Data Subject, since these Data are required to take part in the event and for the event to be managed correctly. If the Data Subject refuses to provide the information required, it will not be possible for the Company to register the Data Subject for the event or for the Data Subject to take part in the event.
However, with regard to the processing purposes referred to in point B), the Data Subject has the right not to give consent, and to object at any time to the Company processing the Data, since the legal basis on which processing is carried out is the consent given by the Data Subject. The only consequence of refusing to provide this Data will be that the Data Subject will not be able to make use of related services. This will not lead to any negative consequences. Consent may be revoked at any time without this having any negative effect on the lawfulness of processing carried out previously.
4. Categories of personal data
The following categories of personal data may be processed for the purposes indicated in paragraph 3: identifying and contact data (e.g. name, surname, place and date of birth, e-mail address, tax reference number, profession or sector of activity); credentials used to access the reserved area set out for the event (e.g. user ID and password); photo and/or video images; any other data which may be provided by the Data Subject through registering for and taking part in the event, including any special categories of data (e.g. allergies or food intolerances) provided to the Company by the Data Subject.
5. Methods used to process personal data
Data are processed using manual, computerised and telematic tools, with an approach that is strictly linked to the purposes set out above and, in any case, in accordance with the care, guarantees and measures required by the relevant legislation and regulatory provisions, aimed at ensuring the confidentiality, integrity and availability of Data, as well as avoiding physical, material or non-material damage (e.g. loss of control of personal data or limitation of rights, discrimination, identity theft or fraud, financial losses, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social damage).
6. Transfer of data to countries/organisations outside the EU
Where it is necessary to achieve the purposes referred to in paragraph 3, the Personal Data concerning a Data Subject may be transferred abroad, to countries/organisations outside the EU which guarantee a level of personal data protection that is deemed adequate by the decision of the European Commission, or in any case based on other appropriate safeguards, for example, the Standard Contractual Clauses adopted by the European Commission.
A copy of any Data transferred abroad, as well as the list of countries/organisations outside the EU to which Data have been transferred, may be requested from the Data Controller using the contact details indicated in paragraphs 9 and 10 below.
7. Categories of entity to which personal data may be disclosed or which may become aware of the data
To achieve the purposes described in paragraph 3, the Company reserves the right to disclose the Data to the following categories of recipient:
- Supervisory and Control Authorities and Bodies and, in general, public or private entities with prominent public functions (e.g. the Italian Financial Intelligence Unit – UIF, the Bank of Italy, the Italian Tax Authority – Agenzia delle Entrate, the Interbank Register of Bad Cheques and Payment cards, the Bank of Italy’s Central Credit Register, the Judicial Authorities, in any case solely within the limits of the conditions established by the applicable legislation);
- other companies of the Group to which the Company belongs, or in any case parent, subsidiary or associated companies, pursuant to Article 2359, Italian Civil Code (even where located abroad);
- entities carrying out services to collect, process and study data;
- entities providing IT and telecommunications network management services for the Company (including mailing services);
- entities which print, envelope, transmit, transport and sort correspondence;
- entities responsible for document storage and data-entry;
- entities responsible for customer services;
- professional firms or companies providing assistance and consultancy services (e.g. accounting firms, law firms, etc.);
- financial agents, credit brokers and other intermediaries operating in the credit, financial or banking sector having the task of promoting and placing the Company’s products and/or services;
- entities carrying out communication assistance and consultancy services (e.g. market research activities, aimed at identifying the level of satisfaction expressed by the customer on the quality of the services and activities carried out by the Company, telemarketing, etc.);
- entities responsible for controlling, auditing and certifying the Company’s activities;
- entities taking part in events and/or initiatives organised by the Company which the Data Subject also participates in (e.g. as partner).
The entities listed above work independently as separate Data Controllers, or as Data Processors authorised by the Company, and a list of these entities, which is constantly updated, is available at www.bancaifis.it.
Data may also become known, in the exercising of assigned tasks, by the Company’s personnel, including interns, temporary workers, consultants, all of whom are specifically authorised by the Company to process Data.
Personal data, within the limits and for the purposes indicated above at paragraph 3, point b.2) and after receiving consent from the Data Subject, will be disclosed and, therefore, unknown entities, of whatever type, will become aware of these Data, including through the Data being made available or being consulted.
8. Storage and erasure of personal data
As set out by Article 5, paragraph 1, letter e) of the Regulation, Data will normally be stored in a form which allows the Data Subject to be identified for a period of time no greater than that which is necessary to achieve the purposes for which the Data were collected and processed, in accordance with the principle of proportionality and necessity established by legislation and regulatory provision regarding personal data protection. In determining the storage period, the laws governing the activities and sectors in which the Company operates will also be taken into consideration (e.g. anti-money laundering legislation and legislation which governs keeping accounting records), and the general and special provisions established by Garante Privacy [Italian Data Protection Authority] (e.g. in relation to the storage timescales for marketing purposes). Once this period has elapsed, the Data will be erased or anonymised, except where Data are required to be stored for a greater length of time to fulfil legal obligations or to comply with orders from Public Authorities and/or Supervisory Bodies.
9. Rights of the Data Subject
In accordance with Articles 15 to 22, the Regulation enables Data Subjects to exercise specific rights.
In particular, a Data Subject may obtain: a) confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data; b) the rectification of inaccurate personal data concerning him or her and to have incomplete personal data completed; c) the erasure of personal data concerning him or her, where permitted by the Regulation; d) the restriction of processing, in the cases provided for by the Regulation; e) the communication of any request for rectification/erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort; f) his or her personal data, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and to have the right to transmit those data to another Data Controller, at any time, even on termination of any relationship established with the Data Controller.
The Data Subject also has the right to object, at any time, to the processing of personal data concerning him or her: in this case, the Data Controller is obliged to refrain from any further processing, save for the purposes allowed by the Regulation.
The Data Subject also has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except where this decision is: a) necessary to enter into or perform a contract between the Data Subject and the Data Controller; b) authorised by Union law or by the laws of the Member State under whose jurisdiction the Data Controller falls; c) based on the Data Subject’s explicit consent. In the cases specified in points a) and c) above, the Data Subject has the right to obtain human intervention from the Data Controller, to express his or her opinion and to contest the decision.
These requests may be submitted to the organisational unit responsible for replying to the Data Subject, by letter, to be sent to the Data Controller’s headquarters, or by e-mail, to firstname.lastname@example.org.
The Data Subject also has the right to lodge a complaint with Garante Privacy [Italian Data Protection Authority], as set out by Article 77 of the Regulation, and to an effective judicial remedy in accordance with Articles 78 and 79 of the Regulation.
10. Data Controller and Data Protection Officer
The Data Controller is IFIS NPL S.p.A., with registered office in Venice-Mestre, Via Terraglio no. 63. The Data Controller has appointed a Data Protection Officer, who can be contacted by email at: email@example.com.