PRIVACY NOTICE REGARDING THE WEBSITE
pursuant to Article 13 of EU Regulation 2016/679
Dear user, the Data Controller welcomes you to the website www.gruppocassacentrale.it (the “Site”) and invites you to read the following notice (the “Notice”), issued pursuant to Article13 of EU Regulation 2016/679 about the protection of natural persons with regard to the processing of their personal data and the free circulation of the same (“GDPR”).
This document describes all the types of processing performed by the Data Controller via the Site, as defined below. The purpose of the type of processing performed from time to time will depend on the service you have requested.
The Data Controller is CASSA CENTRALE BANCA – CREDITO COOPERATIVO ITALIANO S.P.A., Italian Tax Code 00232480228, VAT no. 02529020220, with legal office in Via Segantini, 5 - 38122 TRENTO, in the person of its pro tempore legal representative (the “Data Controller”). To exercise your rights, listed under point 5 of this notice, and for any other requests regarding matters of privacy, you can contact the Data Controller by writing to dpo@cassacentrale.it
The Data Controller has also appointed a data protection officer (“DPO”), whom you can contact directly in order to exercise your rights, and to receive any information you may need regarding the processing of your personal data and/or this Notice, by writing to:
- Cassa Centrale Banca – Credito Cooperativo Italiano S.p.A., via Segantini 5, Trento (38122) – Attn. Data Protection Officer
- by sending an email to the address: dpo@cassacentrale.it
- by sending a certified public email to the address: dpo@pec.cassacentrale.it
2.1 Browsing data
The IT systems and software procedures which ensure that this website works properly can, during their routine use, acquire certain personal data implicitly sent when a user uses the Internet communication protocols.
This information is not collected for the purpose of associating it with identified data subjects. However, by its very nature, it could enable the users to be identified, when it is processed and associated with data held by third parties.
Usually this category of data includes the IP addresses or domain names of the computers used by the users who connect to the website, the URI addresses (Uniform Resource Identifiers) of the requested resources, the time of the request, the method used to make the request to the server, the size of the file received response, the numerical code indicating the status of the response provided by the server (successful, error, etc.) and other parameters related to the user’s operating system and IT environment.
The browsing data are retained for 7 days from the time of collection and are processed to ensure the legitimate interest of the Data Controller - Article 6, paragraph 1, letter f) of the GDPR, for the following purposes:
- evolution and technological maintenance of the site;
- investigation of potential cybercrimes;
- statistical analyses on the use of the site to check that it works correctly and supervise the security aspects;
- monitoring and assessment regarding the use of the site by the users.
2.2 Data provided voluntarily by the user
The optional, explicit and voluntary sending of messages to the contact addresses indicated on this website and the completion of the “forms” lead to the acquisition of the sender’s contact details, and all the personal data contained in the communications required to manage, fulfil or meet specific requests forwarded to the Bank.
Failure to confer the requested data will make it impossible for the Data Controller to fulfil your request.
The legal basis for the processing is the need to fulfil your request, in compliance with Article 6, paragraph 1, letter b) of the GDPR. Accordingly, there is no need to acquire your consent prior to the processing.
The data collected for the above-mentioned purposes will be processed for the time strictly required in order to fulfil your request.
Specific information will be published on the pages of the website dedicated to the provision of specific services.
2.3 Data provided for commercial communications
If you want to be kept informed about the latest new products and services offered by the Data Controller, you can sign up to our marketing initiatives which entail the sending of newsletters and additional sales-related communications.
The legal basis for the sending of commercial communications and the newsletter is your explicit consent, which the Data Controller requests you provide in all the pages of the website on which you can sign up to those services, in compliance with Article 6, paragraph 1, letter a) of the GDPR.
Your personal data will be processed until you decide to revoke your consent or object to the processing.
2.4 Data provided for surveys for statistical purposes
If you agree to provide some personal information for statistical purposes by filling in a specific survey, it will allow us to collect your opinion on the importance of sustainability issues (economic, social and environmental) that we will be taking into account in the development and implementation of our social responsibility activities, as well as in the drafting of the non-financial statement pursuant to Italian Legislative Decree 254/2016.
The legal basis for completing the survey is your express consent, which the Controller requests from you on the pages of the website where the data collection form is located, in compliance with Article 6, paragraph 1, letter a) of the GDPR.
The provision of data is optional; failure to provide the requested data will make it impossible for the Controller to process the data of the survey.
Your personal data will be processed for the time necessary to carry out the statistical survey; you may also decide to revoke your consent or object to the processing.
2.5 Data used for statistical processing ("Insights") of the Controller’s Facebook page
The Data Controller is the administrator of the Facebook Page: https://www.facebook.com/profile.php?id=61558687927128 and https://www.facebook.com/vincimagicmoments
When a user uses the Page administered by the Controller, Facebook.com (“Social Media”) collects information such as, for example, the types of content viewed or with which the user interacts, the actions carried out as well as the information on the devices used (IP addresses, operating system, browser type, language settings, data on cookies).
Page Insights are aggregate statistics created by particular events recorded by Facebook servers when users interact with the Pages and the contents present in them.
As set out in Facebook’s Privacy Policy, Social Media collects and uses information also in order to provide statistical data collection services defined as Page Insights to the administrators of the pages to enable them to understand the means with which people interact with the contents present in them.
Details on the means of processing undertaken by Facebook are available at the following link:
https://www.facebook.com/privacy/policy/
Details on the personal data processed for Insights are available at the following link:
https://www.facebook.com/legal/terms/information_about_page_insights_data
Details on the cookies used by Facebook are available at the following link:
https://www.facebook.com/policies/cookies/
The Data Controller, as administrator of the Page, and Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are joint data controllers in compliance with article 26 of the GDPR for the processing of such personal data recorded for events supplied through the Page’s Insights ("Insights Data").
The joint controllership agreement, between the Controller and Facebook, covers the creation of these events and their aggregation in Insights in the Page provided to each administrator.
The legal base for the processing is the Controller’s legitimate interest, art. 6, paragraph 1, letter f), GDPR. Therefore, it is not necessary to acquire your prior agreement to processing.
Failure to provide the data requested will make it impossible for the Controller to provide services through the Page published on Facebook.
The data collected will be processed for the time strictly necessary to achieve the aforementioned purposes as specified in the above Facebook policies.
2.6 Cookies
The Data Controller can also process your personal data using cookies.
For this type of processing, the Data Controller invites you to view the Cookie Policy
2.7 COOKIES FOR REMARKETING
This Website uses Google AdWords and Meta's remarketing service (Facebook and Instagram) to market the products and services offered by the Data Controller on third-party Websites.
Remarketing may consist in conducting advertising campaigns on Google's search results page, on a website of the Google Display Network (Google AdSense), or inside the Facebook social network, targeting the visitors of the website that will have given consent for these purposes.
Third-party providers, including Google and Facebook, use cookies to display ads based on the previous visits to our website. Of course, all data collected will be used in accordance with our privacy policy, as well as the privacy policies of Google and Facebook.
The legal basis for remarketing is your explicit consent, which the Controller requests of you in the short cookie policy, in accordance with Article 6(1)(a) of the GDPR.
The remarketing cookies used by this website will be used for 90 days for Google AdWords and Meta (Facebook and Instagram).
You may object to remarketing campaigns using the following links:
for Google:
https://support.google.com/ads/answer/2662922?hl=it
https://adssettings.google.com/authenticated?hl=it#display_optout
for Facebook:
https://www.facebook.com/ads/website_custom_audiences/
2.8 TRANSFERRING YOUR PERSONAL DATA TO THIRD PARTIES TO FULFIL REQUESTS FOR INFORMATION
Following your request for specific marketing initiatives, collected through forms found on the website, the Data Controller may transfer your personal data, with your prior consent, to the Bank of the Group you intend to request information from; the Bank shall process your personal data as an independent controller (“Third-Party Recipient”).
The legal basis for transferring your personal data to the Bank of the Group specified by you, in order to fulfil your request for information, is the explicit consent that the Controller requests of you on all the pages of the website where it is possible to sign up for this service, in accordance with Article 6(1)(a) of the GDPR.
Any failure to provide personal data, or to give consent, will prevent the Controller from fulfilling your request.
The Controller and the Bank of the Group that is the Third-Party Recipient shall process the data collected for the above purposes for the time strictly required to fulfil your request.
The Bank of the Group, i.e. the Third-Party Recipient, shall fulfil your request as per paragraph 2.2 (Data voluntarily provided by the user) of this policy.
You will be able to exercise your rights vis-à-vis the Data Controller and the Bank of the Group (Third-Party Recipient) as per paragraph 5 of this policy.
For additional information, see the policy published on the website of the Group's Bank to which you have submitted your request for information.
Your personal data will be processed in compliance with the provisions set forth by the legislation in force regarding personal data protection, using paper, computerised and digital means, based on logics strictly connected to the indicated purposes and, in any case, using methods suitable for guaranteeing the security and confidentiality of the same in conformity with the provisions envisaged by Article 32 of the GDPR.
3.1 Processing methods and children under the age of 14 years old
The Data Controller does not consciously use its website to request data from children under 14 years of age.
If you are aged between 14 and 18 years old, your data will only be processed for the purposes of providing the services of the information company (web services).
For the pursuance of the purposes described above, your personal data can come to the knowledge of the employees, other persons treated as such, collaborators and agents of the Bank who will operate as parties authorised to perform the processing and/or Data Supervisors.
Additionally, the Data Controller may need to communicate your personal data to third parties belonging, for example, to the following categories:
- companies belonging to the Cassa Centrale Banca Cooperative Banking group or subsidiaries or associates of the parent company pursuant to Article 2359 of the Italian Civil Code;
- parties that provide services for managing the Bank’s IT system;
- companies that offer services designed to detect the quality of the services, market research, commercial information and the promotion of products and/or services.
The full, updated list of the parties to whom your personal data can be communicated can be requested from the Data Controller’s registered office.
In order to perform operations or specific services requested, the Data Controller may transfer your personal data outside the European Economic Area ensuring an adequate degree of protection.
To obtain a copy of the warranty conditions and where they are available, you can send a request to the addresses of the Data Controller.
In relation to the data processing described in this Notice, as Data Subject, under the conditions set forth by the GDPR, you can exercise the rights ratified by Articles 15 to 22 of the GDPR and, in particular:
- right of access – Article 20 of the GDPR: the right to obtain from the Data Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access the personal data;
- right to rectification – Article 16 of the GDPR: the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning you and to have incomplete personal data completed;
- right to erasure (‘right to be forgotten’) – Article 17 of the GDPR: the right to obtain from the Data Controller the erasure of personal data concerning you without undue delay. The right to erasure shall not apply to the extent that processing is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims;
- right to restriction of processing – Article 18 of the GDPR: the right to obtain from the Data Controller restriction of the processing when: a) the accuracy of the personal data is contested by the Data Subject; b) the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the data are required by the Data Subject for the establishment, exercise or defence of legal claims; d) the Data Subject has objected to the processing pending verification of whether the legitimate grounds of the Data Controller override those of the Data Subject;
- data portability right - Article 20 of the GDPR: the right to receive, in a structured format of common use that can be read by an automatic device, the personal data that concern you provided to the Data Controller, and the right to freely send these to another data controller, should the processing be based on your consent and be performed using automated means. Additionally, the right to have your personal data transmitted directly from the Bank to another Data Controller, where technically feasible;
- right to object - Article 21 of the GDPR: the right to object at any time to processing of personal data concerning you, based on the legitimacy of legitimate interest, including profiling, unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims;
- right not to be subject to a decision based solely on automated processing – Article 22 of the GDPR: the Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or that similarly significantly affects him or her, unless this is necessary for entering into, or performance of, a contract or unless it is based on your explicit consent. In any case, a decision based on automated processing may not concern your personal data and you can, at any time, obtain human intervention on the part of the Data Controller, express your point of view and contest the decision;
- right to lodge a complaint with the Italian Data Protection Authority: https://www.garanteprivacy.it/web/guest/home_en;
- withdraw the consent you have previously granted at any time, with the same level of ease required to grant the same, without this affecting the lawfulness of any processing based on consent before its withdrawal.
The above-mentioned rights can be exercised to the Data Controller using the contacts indicated above in point 1.
Exercising your rights as Data Subject is free of charge, pursuant to Article 12 of the GDPR. However, where requests from a Data Subject prove to be manifestly unfounded or excessive, in particular due to their repetitive character, the Data Controller may charge a reasonable fee, taking into account the administrative costs of managing your request or refuse to act on the request.
Finally, please note that the Data Controller can request any further information that may be required to confirm the identity of the Data Subject.
02.02.2023