In accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (the “Regulation”), Banca Ifis S.p.A. (the “Company”), in its role as Data Controller, wishes to inform persons who have signed up for and are taking part in this event (the “Data Subjects”), that the personal data concerning them (the “Data”) will be processed lawfully, fairly and transparently, in accordance with the methods and for the purposes set out below.
- Sources of personal data
The Data to be processed are acquired directly by the Company or through third parties as a result of the Data Subject registering for the Company’s event or during the event itself.
- Purpose of and legal basis for processing
Personal data are processed as part of the Company’s normal activities, for the following purposes:
- A) To allow the Data Subject to take part in the event and to benefit from the connected services (e.g. registering for workshops, etc.) and allow the Company to organise the event.
- B) With prior specific consent:
b.1) To carry out marketing activities (sending newsletters and publicity material, carrying out market research and promotional activities, and offering its products and/or services) using automated means (e.g. e-mail, SMS, MMS, fax, phone calls);
b.2) To use photos and/or videos taken during the event and to publicise them on social networks, websites, and through any other means of communication used by the Company, with the full right to adapt and/or modify and edit them if it deems it necessary and/or appropriate, including in accordance with Articles 10 and 320, Italian Civil Code and Articles 96 and 97, Italian Law no. 633/1941 (Italian Copyright Law).
The provision of Data for the purposes referred to in point A) does not require consent from the Data Subject, since these Data are required to take part in the event and for the event to be managed correctly. If the Data Subject refuses to provide the information required, it will not be possible for the Company to register the Data Subject for the event or for the Data Subject to take part in the event.
However, with regard to the processing purposes referred to in point B), the Data Subject has the right not to give consent, and to object at any time to the Company processing the Data, since the legal basis on which processing is carried out is the consent given by the Data Subject. The only consequence of refusing to provide these Data will be that the Data Subject will not be able to make use of related services. This will not lead to any negative consequences. Consent may be revoked at any time without this having any negative effect on the lawfulness of processing carried out previously.
- Categories of personal data
The following categories of personal data may be processed for the purposes indicated in paragraph 3: identifying and contact data (e.g. name, surname, place and date of birth, e-mail address, tax reference number, profession or sector of activity); credentials used to access the reserved area set out for the event (e.g. user ID and password); photo and/or video images; any other data which may be provided by the Data Subject through registering for and taking part in the event, including any special categories of data (e.g. allergies or food intolerances) provided to the Company by the Data Subject.
- Methods used to process personal data
Data are processed using manual, computerised and telematic tools, with an approach that is strictly linked to the purposes set out above and, in any case, in accordance with the care, guarantees and measures required by the relevant legislation and regulatory provisions, aimed at ensuring the confidentiality, integrity and availability of Data, as well as avoiding physical, material or non-material damage (e.g. loss of control of personal data or limitation of rights, discrimination, identity theft or fraud, financial losses, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social damage).
- Transfer of data to Non-EU Countries/organisations
Where necessary to pursue the purposes mentioned, the Data Subject’s data could be transferred abroad, to non-EU Countries/organisations that guarantee a level of personal data protection deemed suitable by a decision of the European Commission or, in any case, on the basis of other suitable guarantees, for example the Standard Contractual Clauses adopted by the European Commission. A copy of any data transferred abroad and the list of the non-EU Countries/organisations to which the data have been transferred can be obtained from the Controller by submitting a specific request by ordinary mail sent to the registered office of the Controller or by e-mail sent to email@example.com.
- Categories of subjects that personal data may be communicated to or who can gain knowledge of them
To pursue the purposes described or when it is indispensable or required by law or by authorities with the power to impose it, the Controller reserves the right to communicate data to recipients belonging to the following categories:
- subjects providing banking, financial and insurance services;
- supervision and control Authorities and Bodies and, in general, public or private subjects with important public enforcement functions (e.g. FIU, Bank of Italy, Revenue Office, Central Interbank Alarm Register, Central Risk Register of the Bank of Italy, Judicial Authorities, in any case solely within the limits and in the cases established by applicable laws);
- other companies of the Group the Controller belongs to, or in any case parent companies, subsidiaries or associated companies pursuant to Article 2359 of the Italian Civil Code (also located abroad);
- subjects performing data acquisition and processing services;
- subjects providing services to manage the IT system of the Controller and the telecommunications networks (including mailing services);
- subjects providing document filing and data-entry activities;
- subjects providing assistance services to the data subject;
- professional firms or companies as part of assistance and advisory relations;
- subjects performing market surveys to measure the customer satisfaction level on the quality of services and activities provided by the Controller;
- subjects performing controls, audits and certification of activities implemented by the Controller.
Subjects belonging to the categories indicated above operate autonomously as separate data controllers, or as processors appointed specifically for the service; the list, updated continuously, is published on the website www.bancaifis.it.
In connection with the tasks they perform, the personal data may become known to the Controller’s employees, including interns, temporary workers, consultants and the employees of external companies, all specifically authorised, instructed and appointed as processors.
Lastly, no data coming from the web services are circulated.
- Storage and erasure of personal data
As set out by Article 5, paragraph 1, letter e) of the Regulation, Data will normally be stored in a form which allows the Data Subject to be identified for a period of time no greater than that which is necessary to achieve the purposes for which the Data were collected and processed, in accordance with the principle of proportionality and necessity established by legislation and regulatory provisions regarding personal data protection. In determining the storage period, the laws governing the activities and sectors in which the Company operates will also be taken into consideration (e.g. anti-money laundering legislation and legislation which governs keeping accounting records), and the general and special provisions established by Garante Privacy [Italian Data Protection Authority] (e.g. in relation to the storage timescales for marketing purposes). Once this period has elapsed, the Data will be erased or anonymised, except where Data are required to be stored for a greater length of time to fulfil legal obligations or to comply with orders from Public Authorities and/or Supervisory Bodies.
- Rights of the Data Subject
Articles 15 to 22 of the Regulation enable Data Subjects to exercise specific rights.
In particular, a Data Subject may obtain: a) confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data; b) the rectification of inaccurate personal data concerning him or her and the completion of incomplete personal data; c) the erasure of personal data concerning him or her, where permitted by the Regulation; d) the restriction of processing, in the cases provided for by the Regulation; e) the communication of any request for rectification/erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort; f) his or her personal data, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format, together with the right to transmit those data to another Data Controller, at any time, even on termination of any relationship established with the Data Controller.
The Data Subject also has the right to object, at any time, to the processing of personal data concerning him or her: in this case, the Data Controller is obliged to refrain from any further processing, save for the purposes allowed by the Regulation.
The Data Subject also has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except where this decision is: a) necessary to enter into or perform a contract between the Data Subject and the Data Controller; b) authorised by Union law or by the laws of the Member State to whose jurisdiction the Data Controller is subject; c) based on the Data Subject’s explicit consent. In the cases specified in points a) and c) above, the Data Subject has the right to obtain human intervention from the Data Controller, to express his or her opinion and to contest the decision.
These requests may be submitted to the organisational unit responsible for replying to the Data Subject, by letter, to be sent to the Data Controller’s headquarters, or by e-mail, to firstname.lastname@example.org.
The Data Subject also has the right to lodge a complaint with Garante Privacy [Italian Data Protection Authority], as set out by Article 77 of the Regulation, and to an effective judicial remedy in accordance with Articles 78 and 79 of the Regulation.
- Data Controller and Data Protection Officer
The Data Controller is Banca Ifis S.p.A., with registered office in Venice-Mestre, Via Terraglio no. 63. The Data Controller has appointed a Data Protection Officer, who can be contacted by email at: email@example.com.