Why this notice?
This page describes the methods of management of the Websites of UniCredit S.p.A., with reference to the processing of the personal data of users who consult it. This is a disclosure made also under the terms of Art. 13 and 14 of Regulation EU 2016/679 to those who interact with the web services of UniCredit S.p.A., accessible by electronic means via the addresses:
corresponding to the homepages of the UniCredit S.p.A. websites. The disclosure is made only for the UniCredit S.p.A. websites and not also for any other websites consulted by the user through links.
The disclosure is based also on Recommendation No 2/2001 which the European Personal Data Protection Authority, meeting as the Working Party established by Art. 29 of Directive 95/46/EC, adopted on 17 May 2001 to identify certain minimum requirements for the on-line gathering of personal data and, in particular, the methods, times and nature of the information that Data Controllers must provide to users when they visit web pages, irrespective of the purposes of the visit.
The "Data Controller"
Following consultation of this website, data on identified or identifiable persons may be processed. The "data controller" is UniCredit S.p.A., whose Registered Office is in Piazza Gae Aulenti, 3, Tower A - 20154 Milan.
In case of data processing running, within the various sections of the website will be pointed out the relevant Data Processors.
Place of data processing
The processing of data connected with the web services of this site takes place at the above Headquarters and also at the office in Via Livio Cambi, 1, in Milan and is performed only by the personnel of UniCredit S.p.A., in charge of the processing, or by employees of UniCredit Services S.C.p.A., the "Data Processor" designated by the controller UniCredit S.p.A.
No personal data deriving from the web service is disseminated.
The personal data provided by users are used for the sole purpose of performing the service or task requested and are communicated to third parties only when necessary for this purpose.
Types of data processed
During their normal operation, the information systems and software procedures used for the functions of this websites acquire certain personal data the transmission of which is implicit in the use of the Internet, which is based on the TCP/IP protocol.
This is information which is not gathered to be associated with identified data subjects, but which by its very nature could, through processing and association with data held by others, enable the users to be identified.
This category of data includes the "IP addresses" or domain names of the computers used by users who visit the website, the addresses in URI (Uniform Resource Identifier) format of the resources requested, the time of the request, the method used in submitting, the request to the web server, the dimensions of the file obtained in response, the numerical code indicating the state of the response given by the web server (success, error, etc...) and other parameters relating to the user's operating system and IT environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the websites and to check the correct operation of the UniCredit S.p.A. websites.
It should be noted that the above data could be used to ascertain responsibility in the case of computer crime which harms the UniCredit S.p.A. website or the structures of the data processor UniCredit Services S.C.p.A., or other websites connected or linked to it: except in this case, the navigation data are deleted immediately after the related statistical processing and in any case, they are kept for 24 months from the time of collection.
Data provided voluntarily by the user
Requests to send e-mail to the addresses indicated in the relevant section of the UniCredit S.p.A. website entail the subsequent acquisition of certain personal data of the applicant, including the applicant's e-mail address, necessary to respond to the requests.
Specific summary disclosures will be progressively contained or displayed on the pages of the website prepared for these particular services on request
Call CenterThe systems and procedures arranged for operation of the Bank's Call Center acquire certain data in relation to customers' calls. This category includes the caller's remote number (if not hidden), the navigation data in the IVR call flow (that is the actions/key pad inputs that the customer performs to gain access to the various services), duration of the call, and, only in the cases expressly envisaged and after notifying the caller, audio recording of the call.
The above data are processed in order to obtain anonymous statistical information on the use of the Call Center, to check that it is operating correctly and to ensure its security, as well as for the aware of responsibility in the event of any crimes that damage the Bank or its customers.
Optionality of conferment of personal dataApart from the details provided for navigation data, users are free to provide their personal data included in the specific electronic request forms, in the sections of the website prepared for the particular services on request.
It should be noted, however, that failure to provide such information may make it impossible to fulfil the request.
Processing method and security measuresThe personal data are processed with automated and non-automated instruments, only for the time strictly necessary to achieve the purposes for which they have been gathered. Specific security measures are observed to prevent loss of data, illegal or incorrect uses and unauthorized access.
In particular, in the sections of the website prepared for particular services, where personal data are requested from users navigating the site, the channel through which the data transit is encrypted by means of a security technology entitled Secure Sockets Layer & Transport Layer Security, abbreviated as SSL/TLS. The SSL/TLS technology makes available an encrypted channel in which information transits before it is exchanged via the Internet between the user's computer and the UniCredit S.p.A. central systems, making it incomprehensible to unauthorized persons and thus guaranteeing the confidentiality of the information transmitted.
The use of SSL/TLS requires however a compatible browser capable of "swapping" a security key with a minimum length of 128 bits, necessary to establish the said secure connection with the UniCredit S.p.A. central systems.
Rights of data subjectsThe data subjects to whom the personal data - which may be collected in the aforementioned specific sections - refer, have the right, pursuant to art. 15 and following of the above mentioned Regulation, to know at any time what personal data are held by UniCredit S.p.A. and how these data are used (Right of access), to obtain updating, correction or, if there is interest, integration, as well as cancellation, anonymization or limitation and may at any time revoke, where issued, consent to the processing of data: for purposes of sending commercial and advertising material, for direct sales or market research (i.e. direct marketing) and for profiling and marketing enrichment purposes.
Any such requests must be sent to:
Via Del Lavoro, 42
Tel.: +39 051.6407285
Fax: +39 051.6407229
MinorsUniCredit S.p.A. does not knowingly use its website to request data from persons of less than 18 years of age.
Data processors appointed by UniCredit
Lists are available at the following link (Destinatari o categorie di destinatari dei dati personali section):
SOCIAL MEDIA MONITORING ACTIVITY MADE BY UNICREDIT S.P.A.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
1 Data Controller and Data Protection Officer
The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan (UniCredit).
You can contact the Data Protection Officer at:
Data Protection Office
Piazza Gae Aulenti n. 3
Tower A, 20154 Milan (MI)
2 Purpose and legal basis of processing
UniCredit aims to understand public sentiment towards its brand and monitor the perception of its products, services or campaigns, through researches carried out on information in the public domain. In pursuit of this interest, UniCredit has no intention of processing personal data referring to users of Social Media (hereinafter the "Data Subjects"), but in monitoring Social Media, UniCredit may still process personal data referring to Data Subjects.
The legal basis of the processing is the legitimate interest of UniCredit S.p.A. as a subject interested in understanding public sentiment towards its brand and monitoring the perception of its products, services or campaigns, through research carried out on information in the public domain.
Processing is carried out using manual, IT and electronic tools with logic strictly related to the aforementioned purposes and, in any case, in order to guarantee the security and confidentiality of the data.
3 The categories of personal data concerned
UniCredit collects and analyzes data contained in social media and in various online sources, including forums, blogs and online news sites (hereinafter "Social Media"), intentionally made publicly available by the Data Subjects, among which there may however be personal data referring to same Data Subjects. Therefore, only publicly available information will be processed, which could also include individual citations or personal data such as, for example, name, surname, address, etc. or image data (e.g. photo of the Data Subject) or other personal data.
The above list of personal data are mainly processed in aggregated form and for the pursue of the above purpose. Personal data of individual Data Subjects are not intentionally processed. However, it is possible that individual citations will be resumed and used to describe a general attitude towards UniCredit in Social Media.
4 Recipients or recipients' categories of personal data
To perform the above mentioned processing of personal data, necessary to carry out research on the public sentiment regarding Unicredit S.p.A., Unicredit uses an external supplier Talkwalker S.à r.l., which is based in 12-16, avenue Monterey, 2163 Luxembourg (the "External Supplier") which acts as Data Processor pursuant to Art. 28 Regulation (EU) 2016/679.
Such data are further processed on behalf of Unicredit S.p.A. by the TF Group S.r.l. - based in Via Vitruvio 1, 20124, Milan (MI), Italy - also duly appointed as data processor pursuant to Art. 28 Regulation (EU) 2016/679 in order to produce quality reports.
The areas subject to monitoring have been strictly circumscribed and it is ensured that the personnel processing such data, duly appointed as "authorized person for processing", to access and use the External Supplier's platform, will respect precise instructions and obligations of confidentiality and security.
Furthermore, only a limited number of persons authorized to process UniCredit S.p.A. can access the personal data of the Data Subjects.
5 Data Subjects' rights
The General Data Protection Regulation ("EU Regulation 679/2016") assign to the Natural Persons, Individual Companies and Freelancers (the "Data Subjects") specific rights, among which the one to know what personal data are held by UniCredit and how they are used (Right of access), to obtain the update, the correction or, if interested, the integration, as well as the cancellation, transformation into anonymous form or limitation. Since UniCredit does not interact directly with the Social Media Data Subjects and since, in principle, UniCredit does not have access to the data of the Data Subjects, it would be impossible to UniCredit, or would involve a disproportionate burden, to reach such Data Subjects individually. This privacy notice is therefore the way by which UniCredit brings users of social media to the attention of the facts.
5.1 Data retention period and right to erasure (i.e. right to be forgotten)
The External Supplier will delete the results of UniCredit's queries that may contain personal data of Data Subjects, after a maximum period of six months.
Even the automatic backups of the aforementioned research will be deleted from the electronic systems used by the External Supplier, after a maximum period of six months.
The statistical reports produced by the External Supplier procedure, which contain aggregated data, are archived for a maximum period of six months, after which they will also be destroyed or canceled by the persons authorized to process of UniCredit S.p.A.
6 Procedures to exercise the rights
Each interested Data Subject has the right to access his personal data that may be contained in the research carried out by UniCredit SpA and to correct them, to limit their processing and, under certain conditions, to request their cancellation.
Each Data Subjects can exercise these rights by contacting:
Group Brand Management & Stakeholder Insight
Piazza Gae Aulenti n. 3
Tower A - 20154 Milano (MI)
Tel. +39 02 88623569
E-mail address: email@example.com
The deadline for the reply is one (1) month, that may be extended by two (2) further months in cases of particular complexity; in these cases, the Bank provides at least one interim communication within one (1) month.
The rights' excercise is, in principle, free of charge; UniCredit reserves the right to request a fee in the event of manifestly unfounded or excessive requests (even repetitive).
UniCredit has the right to request information necessary for identification purposes of the applicant.
7 COMPLAINT OR REPORTING TO THE SUPERVISORY AUTHORITY FOR THE PROTECTION OF PERSONAL DATA
UniCredit informs Data Subjects that they have the right to lodge a complaint with or make a report to the Italian Data Protection Authority, or else to appeal to the Judicial Authority. The contacts of the Italian Data Protection Authority can be consulted on the website http://www.garanteprivacy.it.