Information pursuant to article 13 and 14 of the European Regulation on the Protection of Personal Data

Dear Customer,
pursuant to Article 13 and 14 of the European Regulation for the protection of personal data 2016/679 (“Regulation”), BANCA CF PLUS S.P.A. with registered office in Via Piemonte 38 – 00187, Rome (hereinafter the “Bank”), Fax 06.5740269- website: www.bancacfplus.it, email: info.contodeposito@bancacfplus.it, as “Data Controller”, is required to provide you with some information regarding the use of your personal data.

Credito Fondiario has appointed a Data Protection Officer (DPO) who can be reached at the following email address: dpo@bancacfplus.it.

 

    1. Source of personal data

The personal data held by the Bank are generally collected directly from the data subject. However, where this is required by law (e.g. anti-money laundering, anti-terrorism checks) or in the case of acquisition of information from credit and commercial information companies, the data may also be acquired from third parties. In the latter hypothesis, the information referred to herein is provided to the data subject at the time of registration of the data, or if their communication is envisaged, no later than the first communication.

This information may not include elements already known to the person providing the data and is not due in cases provided for by law.

 

  1. Personal data and special categories of personal data

For the purposes illustrated below, the Bank may acquire and process, in addition to identification and contact data, also data relating to your credit and financial position and exposure, account movement data, the existence of any criminal proceedings related to terrorism prevention activities, risk profile for regulatory purposes.

The Bank does not collect data classified as “special categories of personal data” by current legislation (including the Regulations) on the protection of personal data, (for example, data disclosing racial and ethnic origin, religious beliefs, political opinions, state of health and sex life).

 

  1. Purpose of processing, nature of conferment and legal bases of the processing

 

The data collected by the Bank will be processed lawfully and fairly, in compliance with the above-mentioned law and confidentiality obligations, and will be used solely and exclusively for the purposes described below:

  1. Purposes strictly connected and instrumental to the management of the relationship with the interested party (by way of example, acquisition of information prior to the conclusion of the deposit contract, preliminary investigation, evaluation of creditworthiness, management of contractual relationships, execution of transactions based on the obligations arising from the contract itself, statistical processing, etc.);
  2. Purposes connected with obligations deriving from laws, regulations and EU legislation, as well as provisions issued by authorities empowered to do so by law and by supervisory and control bodies;
  3. Institutional purposes, such as purposes connected with and instrumental to accounting and fiscal management, legal auditing of accounts, supervisory reporting, as well as other obligations related to the management of the relationship;
  4. Purposes connected with the management of executive and insolvency procedures as well as attempts at out-of-court settlement
  5. Purposes connected with the management of the relationship with the interested party, for the sharing of service information, by e-mail, telephone and/or text message (in particular, to inform him/her of the imminent expiry of the bond and of any specific and dedicated offers in the event of any renewal of said bond).

The provision of data for the purposes referred to in points 1-4 above is necessary and any refusal will make it impossible for the Bank to proceed with the opening of the account or to continue with the contractual relationship; consent is not required for the processing of such data as the processing is due to comply with legal and regulatory obligations, or contractual obligations or to protect the rights of the Bank.

The provision of data for the purpose of point 1 is necessary for the performance of the contract with the data subject. The legal basis for such processing is Art. 6 (1) lit. b of the Regulation.

The provision of data for the purpose of point 2 and point 3 is necessary for compliance with a legal obligation to which the Bank is subject. The legal basis for such processing is Art. 6 (1) lit. c of the Regulation.

The provision of data for the purpose of point 4 in case of executive and insolvency procedures is necessary for compliance with a legal obligation to which the Bank is subject. The legal basis for such processing is Art. 6 (1) lit. c of the Regulation.

The provision of data in case of out-of-court settlements set out in point 4 is based on the Bank’s legitimate interest in protecting its rights. The Bank’s interest is to settle disputes with clients and business partners out of court. The legal basis for such processing is Art. 6 (1) lit. f of the Regulation.

The provision of data for the purposes of point 5 is based on the Bank’s legitimate interest in maintaining a lasting relationship with the client. The legal basis for such processing is Art. 6 (1) lit. f of the Regulation.

 

  1. Modalities of data processing and storage

In relation to the aforementioned purposes, the processing of personal data is carried out by means of manual processing, automated computer and telematic tools and, in any case, such as to ensure the security and confidentiality of the same, even in the case of use of remote communication techniques. The data are processed according to the principles of fairness, correctness and transparency provided by the applicable legislation on the protection of personal data (including the Regulation) and protecting the privacy of the person concerned and his rights by adopting appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

All data will be kept for as long as necessary for the management of the contractual relationship and in accordance with the relevant applicable legislation. Below is an outline of the data retention period.

 

PURPOSE. RETENTION TIMES
Anti-terrorism and anti-money laundering 10 years
Management of civil accounting and contractual obligations 10 years
Obligations arising from tax and fiscal regulations 10 years
Fraud prevention 10 years
Fulfilment of legal obligations and management of any litigation 10 years subject to further preservation

 

  1. Categories of subjects to whom the data may be communicated

In the pursuit of the aforementioned pre-contractual purposes and the execution of the contract and therefore to accept the request for opening an account, the data may be communicated to specifically identified third parties, including as employees and other collaborators authorized to do so, for processing and/or services strictly functional to the same purposes (including continuous processing), such as

  1. Companies that provide professional and technical services for the performance of activities functional to the above-mentioned purposes (for example, suppliers of IT services and other computer services, such as CSE Consorzio Servizi Bancari Soc. Cons. a r.l.);
  2. Companies and suppliers of which the Bank avails itself for the acquisition, registration and processing of data deriving from documents or supports supplied or originated by the customers themselves (e.g. processing relating to payments, enveloping and transmission of communications to customers), for the performance of technical-legal-administrative-accounting preliminary investigations of the files and/or for activities of administrative-accounting management of the relationships (such as, for example, opening and closing of the account);
  3. Companies that carry out activities of transmission, transport and sorting of the communications concerned to the interested party;
  4. Companies that carry out archiving services of the documentation related to the relationships with the interested party;
  5. Persons, companies, associations or professional firms that provide services or activities of assistance and advice to the Bank, with particular, but not exclusive reference to accounting, administrative, legal, tax and financial matters;
  6. Companies carrying out banking activities for the performance of services functional and necessary for the above purposes.
  7. Auditing and certification companies of the financial statements;
  8. Subjects whose right to access the data is recognized by provisions of law and secondary regulations or by provisions issued by authorities empowered to do so by law.

The subjects belonging to the categories to which the data may be communicated will use such data as data processors (on behalf of the Bank and within the limits of the instructions given by it) or as independent data controllers, in accordance with the applicable legislation on the protection of personal data. A detailed and updated list of these persons is available at the Bank’s offices and at the email address dpo@bancacfplus.it.

Personal data may also be known and processed by the Bank’s employees and/or collaborators who act as appointees or data processors according to their respective duties in accordance with the instructions received by the Bank.

The data are not subject to dissemination. The data will not be transferred outside the EU.

 

  1. Rights of the interested party

At any time and free of charge, the interested party may exercise, in relation to the processing of data described herein, the rights provided for by the Regulation (art. 15-21) and the current legislation on the protection of personal data, including

– Receive confirmation of the existence of their personal data and access their content (right of access);

– Update, modify and/or correct personal data (right of rectification);

– To request the deletion (subject to any applicable exceptions) or limitation of the processing of data processed in violation of the law including data whose retention is not necessary in relation to the purposes for which the data were collected or otherwise processed (right to be forgotten and limitation);

– To revoke consent, where given, without prejudice to the lawfulness of the processing based on the consent given prior to revocation;

– To lodge a complaint with the Supervisory Authority for the protection of personal data in case of violation of the regulations on the protection of personal data;

– Receive your electronic personal data in a structured and commonly used machine-readable format and transmit it to another data controller (right to data portability), subject to any applicable exceptions.

 

Requests for data deletion are subject to applicable legal and record-keeping obligations imposed on the Bank.

At any time and free of charge, the data subject may further exercise, in relation to the processing of data described herein, the right to object to the processing (right of objection) where the data is processed for direct marketing purposes. To the extent the processing of data is based on legitimate interests (Art. 6 (1) lit. f of the Regulation) or on a task carried out in the public interest (Art. 6 (1) lit. e of the Regulation), the right to object can be based on grounds relating to the data subject’s particular situation.

To exercise these rights, the data subject may submit a request by sending an email to privacy@bancacfplus.it. When contacting the Bank, the data subject should be sure to include his or her name, email address, mailing address and/or telephone number(s) to ensure that the Bank can properly handle his or her request.

 

  1. Identity and Contact Details of the Data Controller and Data Protection Officer

The Data Controller is Banca CF Plus S.P.A., with registered office in Via Piemonte 38, 00187, Rome in the person of its pro-tempore Legal Representative.

The Data Protection Officer is domiciled at the Bank’s registered office and is available at dpo@bancacfplus.it

The Bank will process your personal data as described in the Information pursuant to Article 13 and 14 of the European Regulation on the protection of personal data attached to the General Terms and Conditions of Contract.