Why this notice?
DATA CONTROLLER AND DATA PROTECTION OFFICER
Your data will be processed by UniCredit S.p.A., with registered office at Piazza Gae Aulenti n. 3, Tower A, 20154 Milan, as data controller (hereinafter, also the "Controller").
The Data Protection Officer appointed by UniCredit S.p.A. may be contacted at UniCredit S.p.A., Data Protection Office, Piazza Gae Aulenti n. 1, Tower B, 20154 Milan, email: Group.DPO@unicredit.eu, PEC: Group.DPO@pec.unicredit.eu.
CATEGORIES OF DATA PROCESSED
During their normal operation, the information systems and software procedures used for the functions of this websites collect certain personal data, the transmission of which is implicit in the use of Internet, based on the TCP/IP protocol.
This is information which is not gathered to be associated with identified data subjects, but which by its very nature could, through processing and association with data held by others, enable the users to be identified.
This category of data includes the "IP addresses" or domain names of the computers used by users who visit the Site, the addresses in URI (Uniform Resource Identifier) format of the resources requested, the time of the request, the method used in submitting the request to the web server, the dimensions of the file obtained in response, the numerical code indicating the state of the response given by the web server and other parameters relating to the user's operating system and IT environment.
Such data are used for the sole purpose of handling user requests pursuant to art. 6, let. b) of the GDPR and to check its correct functioning, pursuant to art. 6, let. f) of the GDPR.
it should be noted that the aforementioned data could be used to ascertain responsibility in case of computer crimes against the Site or other websites connected or linked to it.
Data provided by the user
The personal data provided by the user by filling in the forms on the Site will be processed by the Controller for the sole purpose of managing the user's requests, as well as for the purpose of fulfilling the legal obligations to which the Data Controller is subject.
The legal basis applicable to the processing is that of art. 6, lett. b) and c) of the GDPR.
Further information about the cookies installed through the Site are available at the link: Cookies Policy - UniCredit (unicreditgroup.eu)
OPTIONALITY OF CONFERMENT OF PERSONAL DATA
Apart from the navigation data, users are free to provide their personal data included in the specific electronic request forms, in the sections of the website prepared for the particular services on request.
It should be noted, however, that failure to provide such information may make it impossible to fulfil the request.
PROCESSING METHOD AND SECURITY MEASURES
The personal data are processed with automated and non-automated instruments, only for the time strictly necessary to achieve the purposes for which they have been collected.
Specific security measures are implemented to prevent loss of data, illegal or incorrect uses and unauthorized access.
In particular, in the sections of the Site where personal data are requested from users navigating the Site, the channel through which the data transit is encrypted by means of the security technology Secure Sockets Layer & Transport Layer Security, abbreviated as SSL/TLS. The SSL/TLS technology makes available an encrypted channel in which information transits before it is exchanged via internet between the user's computer and the Controller central systems, making it incomprehensible to unauthorized persons and thus guaranteeing the confidentiality of the information transmitted.
The use of SSL/TLS requires however a compatible browser capable of "swapping" a security key with a minimum length of 128 bits, necessary to establish the said secure connection with the Controller central systems.
RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA
The data may be communicated:
i) to those subjects (e.g. administrative, judicial, supervisory and control authorities) to whom such communication must be made in compliance with an obligation provided for by law, by a regulation or by the EU regulations;
ii) financial intermediaries belonging to the UniCredit Group, on the basis of the provisions of the anti-money laundering legislation (see art. 39, paragraph 3 of Legislative Decree no. 231/2007), which provides for the possibility of communicating personal data relating to reports considered suspicious between financial intermediaries belonging to the same group;
iii) third parties, suppliers of products and/or services, whether or not part of the UniCredit Group.
These recipients, depending on the cases, process personal data as Autonomous Data Controller or Data Processor.
Your data may also be disclosed to persons authorized to process personal data, in relation to the data necessary to perform the tasks assigned to them, natural persons belonging to the following categories: workers employed by the Controller or seconded to it, temporary workers, interns, consultants and employees of external companies appointed as data processors.
TRANSFER OF DATA TO THIRD COUNTRIES
The Controller informs that personal data may be transferred also to countries not belonging to the European Union or to the European Economic Area (so-called Third Countries) recognized by the European Commission as having an adequate level of protection of personal data or, otherwise, only if an adequate level of protection of personal data compared to that of the European Union is contractually guaranteed by all Controller suppliers located in the Third Country (e.g. through the signing of Standard Contractual Clauses provided by the European Commission) and that the exercise of the rights of the data subject is always ensured.
Further information can be requested by writing to: Group.DPO@unicredit.eu
RIGHTS OF THE DATA SUBJECTS
The GDPR grants individuals, sole proprietorships and/or freelancers specific rights the rights referred to in art. From 15 to 22 of GDPR, including the right to know what personal data is held by the Controller and how it is used (Right of Access), to obtain the updating, rectification or, if interested, integration of such data, as well as their erasure, transformation into anonymous form or limitation.
PERIOD OF DATA STORAGE AND RIGHT TO ERASURE (i.e. RIGHT TO BE FORGOTTEN)
The Controller processes your personal data for the time strictly necessary to achieve the purposes described above.
At the end of the applicable retention period, personal data relating to the user will be deleted or stored in a form that does not permit the identification of the user (e.g., irreversible anonymization), unless their further processing is necessary for one or more of the following purposes: i) resolution of pre-litigation and/or litigation initiated before the expiry of the retention period; ii) to follow up investigations/inspections by internal control functions and/or external authorities started before the expiry of the retention period; iii) to follow up requests from Italian and/or foreign public authorities received/notified to the Controller before the expiry of the retention period.
HOW EXERCISE THE DATA SUBJECTS' RIGHTS
In order to exercise the rights described in the previous paragraphs, the user may apply to: UniCredit S.p.A., Claims, Via Del Lavoro n. 42, 40127 Bologna, tel. +39 051.6407285, fax +39 051.6407229, indirizzo e-mail: firstname.lastname@example.org.
The deadline for the reply is one (1) month, which may be extended by two (2) months in particularly complex cases; in these cases, the Controller will provide at least one interim communication within one (1) month.
The exercise of the rights is, in principle, free of charge; the Controller reserves the right to charge a fee in the event of manifestly unfounded or excessive requests (including repetitive ones).
COMPLAINT OR REPORT TO THE PERSONAL DATA PROTECTION AUTHORITY
The Controller informs you that you have the right to file a complaint or a report to the Italian Data Protection Authority or alternatively to appeal to the judicial authority.
UniCredit S.p.A. does not consciously use the Site to obtain data from minors under the age of 18.
SOCIAL MEDIA MONITORING ACTIVITY MADE BY UNICREDIT S.P.A.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
1 Data Controller and Data Protection Officer
The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan (UniCredit).
You can contact the Data Protection Officer at:
Data Protection Office
Piazza Gae Aulenti n. 3
Tower A, 20154 Milan (MI)
2.PURPOSES AND LEGAL BASIS OF THE PROCESSING
UniCredit wishes to understand the public sentiment towards its brand and to monitor the perception of its products, services or campaigns, through research carried out on information in the public domain. UniCredit, in the pursuit of this interest, may process some personal data referring to online users and users of Social Media, Forums, Blogs, other digital sites or digital media (the "Data Subjects").
The legal basis of the processing is the legitimate interest of UniCredit to understand the public sentiment about its brand and to monitor the perception of its products, services or campaigns, through research carried out on information in the public domain.
The processing is carried out according to logic strictly related to the purposes described above and, in any case, in such a way as to guarantee the security and confidentiality of the data concerned.
3.CATEGORIES OF DATA PROCESSED
UniCredit collects and analyses data present in social media and in various online sources, including forums, blogs and online news sites, intentionally made public by the Data Subjects, among which there could be personal data referring to the Data Subjects themselves. Therefore, only information in the public domain will be processed. Such information may also include individual quotes or personal data such as personal details (e.g. name, surname, address, etc.). Such personal data are processed mainly in an aggregate manner for the purposes described above. No personal data referring to a specific Data Subjects are intentionally processed, nor is any monitoring of a specific Data Subjects carried out. However, it is possible that individual quotations are taken and used to understand a general attitude towards UniCredit.
4.RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA
For the purposes of the processing activities described above and necessary to analyze the public sentiment towards UniCredit, UniCredit may make use of platforms and analysis activities of external suppliers, who will act as autonomous data controllers or as data processors appointed by UniCredit.
The topics to be monitored have been strictly circumscribed and it is also ensured that the persons acting under the authority of UniCredit and having access to the personal data of the Data Subjects follow precise instructions and obligations of confidentiality.
Further to that, only a limited number of persons authorised by UniCredit may access to the personal data referring to the Data Subjects.
5.DATA SUBJETCS' RIGHTS
The GDPR grants individuals, sole proprietorships and/or freelancers the rights referring to in articles from 15 to 22 of GDPR, including the right to know what personal data is held by UniCredit and how it is used (Right of Access), to obtain the updating, rectification or, if interested, integration of such data, as well as their erasure, transformation into anonymous form or limitation.
5.1. PERIOD OF DATA STORAGE AND RIGHT TO ERASURE (i.e. RIGHT TO BE FORGOTTEN)
UniCredit will keep the personal data referring to the Data Subject per the period strictly necessary to achieve the purposes specified above and, in any case, for a maximum period of six months.
6.HOW EXERCISE YOUR RIGHTS
In order to exercise the rights, set forth in the previous paragraph, each Data Subject may apply to:
Group Marketing & Communication
Piazza Gae Aulenti n. 3
Tower A - 20154 Milano (MI)
Tel. +39 02 88623569
The deadline for the reply is one (1) month, which may be extended by two (2) months in particularly complex cases; in these cases, UniCredit will provide at least one interim communication within one (1) month.
The exercise of the rights is, in principle, free of charge; UniCredit reserves the right to charge a fee in the event of manifestly unfounded or excessive requests (including repetitive ones).
UniCredit has the right to request information necessary for the identification of the applicant
7.COMPLAINT OR REPORT TO THE PERSONAL DATA PROTECTION AUTHORITY
UniCredit informs the Data Subjects about the right to file a complaint or a report to the Italian Data Protection Authority or alternatively to appeal to the Judicial Authority. The contacts of the Italian Data Protection Authority are available on the websit: http://www.garanteprivacy.it.