Pursuant to EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation),
Gardant S.p.A., with registered office in Via Curtatone 3, 00185 Roma RM (hereinafter referred to as the “Company”) — PEC (certified e-mail) firstname.lastname@example.org — both in its own right and as agent of the securitisation vehicles (hereinafter referred to as the “Holders”) represented by it as special servicer, is required to provide some information regarding the use of personal data.
SOURCE OF PERSONAL DATA
The personal data held by the Company and the other Data Controllers are collected directly from the data subject or from third parties, in which case the information referred to herein shall be provided to the data subject upon registration of the data, or if their communication is envisaged, no later than the first communication.
This information may not include elements already known to the person providing the data and is not required in cases provided for by law.
As a rule, the Company and the other Data Controllers do not require the indication of data that Article 9, paragraph 1 of the General Data Protection Regulation identifies as belonging to the category of special data (e.g., data revealing racial or ethnic origin, religious beliefs, political opinions, state of health and sex life). Should the Company and the other Data Controllers occasionally and unintentionally come into possession of “sensitive” data, the law requires a specific declaration of consent for their processing, which you will find in the attached form.
PURPOSE OF PROCESSING
The data collected by the Company and the other Data Controllers will be processed lawfully and fairly, in compliance with the aforementioned law and confidentiality obligations, and will be used solely and exclusively for the purposes described below:
- Purposes strictly connected and instrumental to the management of the relationship with the interested party (by way of example, acquisition of information prior to the conclusion of financing and/or restructuring contracts, execution of operations based on the obligations arising from the contract itself, etc.)
- Purposes related to obligations arising from laws, regulations and EU legislation, as well as provisions issued by authorities empowered to do so by law and by supervisory and control bodies;
- Institutional purposes such as purposes connected with and instrumental to tax accounting management, supervisory reporting and other fulfilments connected with credit management;
- Purposes connected with credit recovery management;
- Purposes connected with the management of executive and insolvency procedures, as well as attempts to settle such procedures out of court and, in any case, the performance of other activities related to credit recovery.
- Purposes functional to the Controller’sactivity, for which the interested party has the right to express or deny consent, such as the promotion and sale of products and services of the Controller and of third parties carried out by letter, telephone or remote communication systems.
Please note that the data will be kept for the period of time strictly necessary with the utmost confidentiality and in compliance with appropriate security measures. The processing is carried out with reference only to the categories of data, data subjects and recipients of the communication that are strictly related to this fulfilment, and the data will be kept for no longer than is necessary for this fulfilment.
DATA PROCESSING METHODS
In relation to the aforementioned purposes, the processing of personal data is carried out by means of manual processing, computer and telematic tools and, in any case, such as to guarantee the security and confidentiality of the same, also in the case of the use of remote communication techniques.
CATEGORIES OF PERSONS TO WHOM THE DATA MAY BE COMMUNICATED
The data you provide may be communicated for the purposes described above to the following:
- Companies belonging to the Holders’ corporate groups;
- Companies that provide banking, insurance and financial services;
- Companies that manage payment services, credit cards, etc.; and
- Companies that carry out technical-legal-administrative-accounting investigations of files and/or administrative-accounting management of relationships;
- Companies that carry out activities of transmission, enveloping, transport and sorting of the communications concerned to the data subject;
- Companies that perform services of archiving the documentation relating to the relationships with the interested party;
- Companies that provide services relating to credit recovery and services related and instrumental to the management of the relationship with the person concerned (by way of example: acquisition of preliminary and/or subsequent information to the conclusion of financing and/or restructuring contracts);
- Companies managing national and international systems for the control of risks and fraud against financial intermediaries, banks and interested parties and for credit recovery, including CRIF S.p.A. with registered office in Via M. Fantin, 1 – 3 — 40131 Bologna (BO), which will retain them as autonomous owner in both paper and automated form.
Such data will also be communicated for the same purposes to the entities adhering to the credit protection bureau of CRIF S.p.A., to the companies of the CRIF group and to other companies, including foreign ones, operating in the sector of granting loans, including payment extensions. Such processing will be carried out for the time necessary to pursue such purpose, i.e., it will be stored according to the data retention periods in use in the private risk centres sector. CRIF S.p.A. has appointed as data processor the company IBM Italia with registered office in Circonvallazione Idroscalo — 20090 Segrate (MI). The updated list of data processors may be obtained from the registered office of CRIF S.p.A. or sent by the latter at the express request of the data subject. The provision of data is necessary in order to allow the Institute to adequately assess the credit risk;
- Persons, companies, associations or professional firms providing services or activities of assistance and advice to the Data Controllers, with particular but not exclusive reference to accounting, administrative, legal, tax and financial matters;
- Auditing and certification companies;
- Companies managing payment services;
- Subjects whose right to access the Data is recognised by provisions of law and secondary regulations or by provisions issued by authorities empowered to do so by law;
- Persons, companies, associations, including professional ones, that carry out activities of promotion and sale of products distributed by the Data Controllers;
- Companies for checking the level of customer satisfaction;
- Companies in charge of organising securitisation operations pursuant to Law no. 130/99, in all its aspects and operational phases.
The subjects belonging to the categories to which the data may be communicated will use such data as Data Controllers pursuant to the law, in full autonomy, being extraneous to the original processing. A detailed and updated list of names of these subjects is available at the offices of the Company and of the other Data Controllers.
Personal data collected under this contract will be retained for ten (10) years after the conclusion of the transaction without prejudice to any further retention requirements under other applicable legislation.
RIGHTS UNDER ARTICLE 15 OF THE GENERAL DATA PROTECTION REGULATION
In full compliance with the provisions of Article 15 of EU Regulation 2016/679, the Company and the other Data Controllers inform you that you have the right, inter alia, to obtain:
- Confirmation as to whether or not personal data relating to you exist, regardless of their being already recorded;
- Communication in an intelligible form of the same data and of their origin, as well as of the logic of the methods and purposes on which the processing is based;
- The identity of the data controller, of the data protection officers of each individual data controller, if designated, and of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing;
- The cancellation, transformation into anonymous form or blocking of data processed in breach of the law, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed, the updating, rectification or, where interested therein, integration of the data; certification that such operations have been notified, also as regards their contents, to those to whom the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate to the protected right.
The data subject shall also have the right to object, in whole or in part, on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection, and to object, in whole or in part, to the processing of personal data concerning him/her, provided for the purposes of commercial information or sending advertising or direct sales material or for carrying out market research or interactive commercial communication and to be informed by the data controller, not later than when the data are communicated or disseminated, of the possibility of exercising this right free of charge or the right to lodge a complaint with a supervisory authority.
In order to exercise the rights referred to in Article 15 of EU Regulation 2016/679 summarised above, the data subject should contact the Data Controllers by registered letter with return receipt and by email at the addresses indicated above or the Data Protection Officer at the following e-mail address: email@example.com