Policy on the processing of customers' personal data (“Policy”) pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”)
The Data Controller is Ersel Banca Privata S.p.A., with registered office in Piazza Solferino, 11 - 10121 Turin, in the person of its legal representative pro tempore (hereinafter “Ersel” or the “Data Controller”).
To exercise your rights, listed in paragraph 7 below, as well as for any other request relating to them and/or to this Policy, you may contact the Data Controller at the following addresses:
The Data Controller has appointed a Data Protection Officer (“DPO”) pursuant to Article 37 of the GDPR, whom you may contact to exercise your rights and receive any other information relating to your rights and/or this Policy, by writing to firstname.lastname@example.org.
For the purposes indicated in paragraph 3 below, the Data Controller shall process your personal data or the personal data of your family members, directly provided by you, by filling in the data collection form on Ersel's website or during the negotiation and conclusion of the contract relating to the services offered by the Data Controller, such as, but not limited to:
In some cases, the Data Controller may process personal data of a special nature within the meaning of Article 9(1) of the GDPR directly provided by you in order to perform certain operations.
Personal data will be processed by the Data Controller for the following purposes:
(a) the management and execution of activities of a contractual and/or pre-contractual nature, including the collection of preliminary information, the management of communications with the customer, the management of transaction orders, access to the reserved area dedicated to you within the Data Controller's website and further formalities related to the provision of the requested services; the legal basis for this purpose is the performance of a contract to which you are a party or for the execution of pre-contractual measures taken at your request, pursuant to Article 6(1)(b) of the GDPR;
(b) fulfilment of administrative-accounting requirements or obligations under laws and/or regulations, both national and EU (including anti-money laundering legislation) or provisions issued by supervisory authorities or bodies; the legal basis for this purpose is the fulfilment of a legal obligation to which the Data Controller is subject pursuant to Article 6(1)(c) of the GDPR;
(c) activities relating to fraud prevention and, in general, the monitoring of the services made available to you in the performance of the contract in place with the Data Controller; the legal basis for this purpose is the pursuit of a legitimate interest of the Data Controller, pursuant to Article 6(1)(f) of the GDPR;
(d) possible management of judicial and/or extrajudicial litigation; the legal basis for this purpose is the pursuit of a legitimate interest of the Data Controller, pursuant to Article 6(1)(f) of the GDPR;
(e) promotion and sales activities for the services and products of the Data Controller and/or of the companies in the Data Controller's Group, including by sending newsletters, invitations to events or market research by means of manual (e.g. telephone contact, paper mail, e-mail, etc.) or automated means of contact (e.g. automated e-mail campaigns, SMS, automated telephone contact, instant messaging, etc.); the legal basis for the processing of the data is the provision of your consent, pursuant to Article 6(1)(a) of the GDPR;
(f) “direct” marketing activities via e-mail, in relation to services or products of the Data Controller and/or of the companies in the Data Controller's Group, similar to those you have already purchased; the legal basis for the processing of the data is the pursuit of a legitimate interest of the Data Controller, pursuant to the combined provisions of Article 6(1)(f) of the GDPR and of Article 130(4) of Legislative Decree no. 196/2003 ( “Privacy Code”), to be identified with your presumed interest in such services or products. In any case, you may object to such processing at the time of data collection or when sending any subsequent communication, by clicking on the appropriate link present in all commercial communications or by the means identified in Article 7 below;
(g) promotion and sale of “dedicated” products and services of the Data Controller and/or of the companies of the Data Controller's Group, specifically identified through customer profiling techniques aimed at analysing and forecasting information relating to your preferences, habits, consumption choices, including through the use of automated techniques or systems, also implemented through the enrichment of data with information acquired from third parties (enrichment). The legal basis for this purpose is your consent pursuant to Article 6(1)(a) of the GDPR;
(h) with regard to any personal data of a special nature, these are processed by the Data Controller in connection with the above-mentioned purposes; the legal basis for the processing of such data is consent, pursuant to Article 9(2)(a) of the GDPR.
For the purpose referred to in paragraph 3, letters (a), (b), (c) and (d) above, the provision of your personal data is mandatory; your refusal to provide such data in the pre-contractual phase will make it impossible for the Data Controller to conclude the contract and/or provide you with the requested services.
With reference to the purposes referred to in paragraph 3 letters (e), (f) and (g) above, the provision of your personal data is optional and your refusal to provide them would not affect the conclusion or execution of the contract, but would only make it impossible for the Data Controller to update you on its products and/or initiatives or to develop promotional initiatives for you that are more in line with your profile.
With reference to the purposes set out in paragraph 3 letter (h) above, failure to provide your personal data of a special nature pursuant to Article 9(1) of the GDPR, or failure to grant your consent to its processing, will make it impossible for the Data Controller to conclude the contract and/or to provide you with the services requested and/or to carry out the other processing operations referred to in paragraph 3.
The retention period of your personal data:
Processing is carried out in compliance with the requirements of the GDPR, according to the principles of fairness, lawfulness and transparency and the protection of your rights as described therein. The personal data shall be processed through the use of electronic, telematic and paper media, subject to security measures suited to ensuring the privacy of the personal data and preventing undue access by unauthorised entities. Telephone calls whereby you submit orders and/or instructions will be recorded on a magnetic medium in accordance with European MiFID II Rules.
For the pursuit of the purposes described in Article 3 above, the personal data processed will be known to the employees, assimilated personnel and contractors of the Data Controller, who will act as authorised entities for the processing of personal data.
Furthermore, your personal data may be processed by third parties belonging, by way of example, to the following categories:
The entities belonging to the above-mentioned categories operate, in some cases, as data controllers specifically appointed by the Data Controller in compliance with Article 28 of the GDPR, and in other cases completely autonomously as separate data controllers, it being understood that, in the latter case, the communication of your personal data to such autonomous data controllers would take place solely to pursue the purposes set out in Article 3 above.
The complete and updated list of the entities to which your personal data may be disclosed can be requested by contacting the Data Controller at the address indicated in Article 1 of this Policy.
Your personal data will not be disseminated.
The Data Controller does not intend to transfer your personal data outside the European Union.
Should such a circumstance become necessary for technical and organisational reasons, such a transfer will in any case be preceded by prior verification of satisfaction of the conditions of legitimacy and of the appropriate guarantees prescribed by Articles 44 et seq. of the GDPR.
In such a circumstance, you may request information from the Data Controller about the transfer of your personal data outside the European Union and obtain a copy of the protection measures adopted by making a specific request to the Data Controller via the e-mail address email@example.com.
In relation to the processing described in this Policy, as data subject, you may, under the conditions set out in the GDPR, exercise the rights set out in Articles 15 - 21 of the GDPR, in particular:
The above-mentioned rights may be exercised vis-à-vis the Data Controller by contacting the points of contact indicated in Article 1 above. The Data Controller will take charge of your request and provide you with information on the action taken in respect of your request without undue delay and, in any event, no later than one month after receipt thereof.
The exercise of your rights as data subject is free of charge pursuant to Article 12 of the GDPR. However, in the case of requests that are manifestly unfounded or excessive, including by reason of their repetitiveness, the Data Controller may charge you a reasonable fee, in the light of the administrative costs incurred in handling your request, or refuse to grant your request.
Finally, please be advised that the Data Controller may request further information necessary to confirm the identity of the data subject.
Ersel Banca Privata S.p.A.
Questa schermata consente al tuo monitor di consumare meno energia quando il computer resta inattivo.
Clicca in qualsiasi parte dello schermo per riprendere la navigazione.