The Data Controller is FinecoBank S.p.A. - holding Company of the FinecoBank Banking Group with registered office at Piazza Durante no. 11, 20131 Milan (the "Bank" or "Fineco").
Fineco processes personal data of natural or legal persons and individual companies and / or self-employed professionals ("data subjects") for the following purposes:
Fineco processes personal data collected directly from the data subject or from third parties, which includes, by way of example, identification data (for example, surname, forename, address, date and place of birth), data relating to image (for example, identity card photo) and voice recording (i.e. Registration of telephone orders, registration of telephone conversations with the data subject, also to safeguard the rights in the event of litigations or for quality control purposes) and other data attributable to the above-mentioned categories.
The Bank does not request and does not process on its own initiative any special categories of data of Data Subjects (for example, data which reveals the racial or ethnic origin, political opinions, and religious or philosophical convictions, trade union membership, genetic data, biometric data aimed at identifying in an unequivocal way a physical person, data relating to health or to sexual activity or sexual orientation of the person). However, it is possible that, in order to execute specific requests for services and operations inherent in the relationship with the client (for example payment of dues to parties or unions, subscriptions to associations, etc.) it has to process this data. Because the Bank cannot intercept or refuse these requests, the contract proposal can only be accepted if the Data Subject has given their written consent to the above-mentioned processing. The data in question will be exclusively processed to execute the request from the client.
The data subject's personal data may become available to natural or legal persons with the title of controllers and to natural persons that process data to carry out the tasks assigned to them , including: Fineco employees, secondees, temporary workers, interns, consultants and contractors.
The Bank - without the consent from the data subject being necessary - may communicate the personal data in its possession:
The detailed list of the entities to whom the data may be communicated can be consulted at the "Privacy" section of the website finecobank.com.
The current regulations on data protection give specific rights to the data subject who, to exercisethose rights, may address themselves directly and at any time to the Data Controller.
The rights that may be exercised by the data subject are described below:
The data subject may at any time amend their optional consent preferences.
The right to access sets out the possibility for the Data Subject to know what personal data concerning him or her are being processed by the Bank and to receive a copy of it (in the case of further copies being requested a contribution based on the costs incurred may be debited). The information provided include: the purposes of the processing, the categories of personal data concerned, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period, as well as the guarantees applied in the case of transfer of data to a third country and the rights that may be exercised by the Data Subject will be detailed.
The right to correction allows the data subject to update or correct inaccurate or incomplete data held by the Bank relating to them.
The right to be forgotten, allows the data subject to require the erasure of personal data concerning him or her in the following special cases:
This right may be exercised even after withdrawal of consent.
A data subject may request the Bank to limit the way their data is processed under certain circumstances. The right of restriction of processing may be exercised by the data subject in the case of:
With the exception of storage, where processing has been restricted any processing of the personal data is prohibited.
The right to portability allows the data subject to receive the personal data concerning him or her, which he or she has provided to the Bank, for other purposes. Each data subject may ask to receive the personal data relating to them or to request its transfer to another data controller, in a structured format, in common use and legible.
Note, data portability only relates to personal data (for example, surname, forename, address, date and place of birth, residence), as well as a set of data generated by the transaction activity that the Bank has defined for each macro-category of product / service (for example, current or extinguished relationships, current account transactions). This right does not apply to non-automated processing (for example, paper files or records).
The right to object allows the data subject to object to the processing of their personal data in certain circumstances.
5.1 Exceptions to the exercise of the rights
The regulations on data protection recognise specific exceptions in relation to the exercise of the Data Subject’s rights.
The Bank may continue to process personal data despite a data subject's exercise of their rights if one or more of the following applicable conditions applies:
- execution of a legal obligation applicable to the Bank;
- resolution of litigation and / or disputes (own or of third parties);
- internal and / or external investigations / inspections;
- requests from Italian and / or foreign public authorities;
- reasons of relevant public interest;
- execution of a contract in force between the bank and a third party; and/or
- any further blocking conditions / status of a technical nature identified by the Bank.
5.2. Procedure for exercising rights
In order to exercise his/her rights, a data subject may contact the Bank at the email address email@example.com or make the request in writing to FinecoBank, Via Rivoluzione d’Ottobre 16, 42123 Reggio Emilia.
The period for the response is one (1) month, extended to two (2) months in cases of particular complexity; in these cases, the Bank shall provide at least one interim communication within one (1) month. In principle, the exercise of the rights is free; having assessed the complexity of dealing with the request and, in the case of clearly unfounded or excessive requests (including repeated requests) the Bank reserves the right to ask for a contribution.
The Bank has the right to ask for further information necessary for the purposes of identifying the requesting party.
Fineco processes and keeps the personal data of the Data Subject throughout the period of the contractual relationship and for period after the contract is at an end, for the execution of the obligations inherent and consequent upon it, to respect the applicable legal and regulatory obligations, as well as for its own or third-party defence purposes, up to expiry of the period for storage of data. In particular, the period of storage of personal data of the Data Subject runs:
Fineco has the obligation to communicate the request for erasure to other data controllers who process personal data for which the Data Subject has requested erasure.
At the end of the storage period, the personal data referring to the Data Subject will be erased or kept in a form that does not allow the identification of the Data Subject, unless its further processing is necessary for one or more of the following purposes:
Personal data may also be transferred to countries not belonging to the European Union or to the European Economic Area (so-called “Third-Party Countries") recognised by the European Commission as having an adequate level protection of personal data. Fineco shall only transfer data to other Third-Party Countries if such countries have an adequate level of protection of personal data compared to that of the European Union (for example, through the signing of the standard contractual clauses set out by the European commission) and the Fineco suppliers located in the third-party country have agreed to appropriate measures so that the exercise of the rights of the Data Subject is protected.
To support international financial transactions (for example bank transfers abroad) and any specific operations in the national area (for example transfers in foreign currency and / or with a non-resident counterparty), requested by the Data Subject, it is necessary to use international messaging service handled by S.W.I.F.T. (Society for Worldwide Interbank Financial Telecommunication), with registered office in Belgium (www.swift.com).
The Bank informs S.W.I.F.T. (Controller of the S.W.I.F.T. Net Fin system) of the data necessary for execution of the transactions (for example, the names of the payee, the beneficiary and the respective banks, the bank details, the amount and, if stated, the reason for the payment).
The normal functioning of the service includes a continuous and massive transborder data flow, due to the location of the SWIFT operating centres. The store-and-forward capability of the two SWIFT operating centres in Europe and in the US operates as follows: the messages are decrypted automatically in the operating centres to store and forward the information in a few milliseconds. This “store-and-forward” process is intended to validate (control the correctness or the presence of letters/numbers in the mandatory message fields) the information (for instance make sure that the correct currency code of the transfer is filled in, e.g. “EUR”) on the basis of contents that is standardized. During this process, the information is also stored for 124 days in both operating centres for security (back-up) reasons which then act as perfect “mirrors”. This ensures that the data storage is parallel and the data are identical.
As a consequence of the TFTP ("Terrorist Finance Tracking Program"), SWIFT is subject to legally binding requests to provide the U.S. Treasury Department (UST) with data located in its US operating centre, which is necessary for the purpose of the prevention, investigation, detection or prosecution of terrorism or terrorist financing.
The Bank recalls that the Data Subject retains the rights indicated in paragraph “Rights of the data subjects” of this privacy notice.
This section describes the FinecoBank S.p.A. website function, with reference to the processing of personal data of users who consult it. The information is provided only for the websites of FinecoBank S.p.A. and not for other websites that may be consulted by the user through links.
The information also considers Recommendation no. 2/2001 that the European Authority for the protection of personal data, gathered in the Group established by art. 29 of directive no. 95/46 / CE, adopted on May 17, 2001 to identify minimum requirements for collection of personal data online and, in particular, the methods, times and nature of the information provided to users when they link to web pages.
Place of data processing
The processing of data connected to the web services takes place at the aforementioned Registered Office and is handled only by FinecoBank S.p.A. personnel, persons authorized to process personal data or by authorized persons of FinecoBank S.p.A. No personal data deriving from the web service is disclosed. The personal data provided by users are used for the sole purpose of performing the service requested and are communicated to third parties only if this is necessary for this purpose.
The IT systems and software procedures used to operate this website acquire some personal data whose transmission is implicit in the use of the Internet, which is based on the TCP / IP protocol. This information that is not collected to be associated with identified interested parties, but which by its very nature could, through processing and association with data held by third parties, allow users to be identified as navigators. This category of data includes the "IP addresses" or domain names of the computers used by users who connect to the site, the addresses in URI (Uniform Resource Identifier) of the requested resources, the time of the request, the method used submitting the request to the web server, the size of the file obtained in response, the numeric code indicating the status of the response given by the web server (successful, error, etc .) and other parameters relating to the operating system and the IT environment user. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning on the FinecoBank S.p.A. website. It should be noted that the aforementioned data could be used to ascertain responsibility in the event of computer crimes against the FinecoBank S.p.A. website or to other sites connected to it. In other case, the navigation data are deleted immediately after the relative statistical processing and in any case are kept for 24 months from the time of collection.
Data provided by the user on voluntarily basis
Some particular services requested by the interested party (e.g. chat, contact forms, etc.) involve the subsequent acquisition of some personal data of the applicant, including the e-mail address, necessary to respond to requests.
Specific summary information will be progressively reported or displayed on the pages of the site prepared for these particular services on request.
The systems and procedures of Bank's Call Center acquire some data referring to customer calls. This category includes the remote number of the caller (where not hidden), the navigation data in the IVR mast (i.e. the actions / keystrokes that the customer performs to access the various services), the duration of the call, as well as only in cases expressly provided and with prior notice to the interested party, audio recording of the call.
The aforementioned data are processed in order to obtain statistical information on the use of the Call Center, to check its correct functioning and ensure its safety, as well as to ascertain responsibility in the event of any offenses, to the detriment of the Bank or of the customers of the same.
Optional personal data
The user is free to provide personal data contained in the specific electronic request forms, in the sections of the website set up for particular services on request, excluding for those regarding navigation data. It should be noted that the refuse to provide such data make impossible to obtain what is requested.
Processing methods and security measures
Personal data are processed with automated and non-automated tools, for the time strictly necessary to achieve the purposes for which they were collected. Specific security measures are observed to prevent the loss of data, illicit or incorrect use and unauthorized access.
To find out more, you can consult the section of the web site dedicated to safety
FinecoBank S.p.A. does not use its website to request data from persons under the age of 18.
Where the Data Subject believes he/she has suffered a breach of their rights they may make a claim or a report to the Italian data protection authority or contact the relevant legal authorities in his/her own jurisdiction. Contact details of the Information Commissioners Office can be found at www.garanteprivacy.it.
Fineco reserves the right to make changes to this policy from to time to time. Please check back on the website to be aware of any updates.