Pursuant to EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation),

Gardant S.p.A., with registered office in Via Curtatone 3, 00185 Roma RM (hereinafter referred to as the “Company”) — PEC (certified e-mail) — both in its own right and as agent of the securitisation vehicles (hereinafter referred to as the “Holders”) represented by it as special servicer, is required to provide some information regarding the use of personal data.

The personal data held by the Company and the other Data Controllers are collected directly from the data subject or from third parties, in which case the information referred to herein shall be provided to the data subject upon registration of the data, or if their communication is envisaged, no later than the first communication.

This information may not include elements already known to the person providing the data and is not required in cases provided for by law.

As a rule, the Company and the other Data Controllers do not require the indication of data that Article 9, paragraph 1 of the General Data Protection Regulation identifies as belonging to the category of special data (e.g., data revealing racial or ethnic origin, religious beliefs, political opinions, state of health and sex life). Should the Company and the other Data Controllers occasionally and unintentionally come into possession of “sensitive” data, the law requires a specific declaration of consent for their processing, which you will find in the attached form.

The data collected by the Company and the other Data Controllers will be processed lawfully and fairly, in compliance with the aforementioned law and confidentiality obligations, and will be used solely and exclusively for the purposes described below:

  • Purposes strictly connected and instrumental to the management of the relationship with the interested party (by way of example, acquisition of information prior to the conclusion of financing and/or restructuring contracts, execution of operations based on the obligations arising from the contract itself, etc.)
  • Purposes related to obligations arising from laws, regulations and EU legislation, as well as provisions issued by authorities empowered to do so by law and by supervisory and control bodies;
  • Institutional purposes such as purposes connected with and instrumental to tax accounting management, supervisory reporting and other fulfilments connected with credit management;
  • Purposes connected with credit recovery management;
  • Purposes connected with the management of executive and insolvency procedures, as well as attempts to settle such procedures out of court and, in any case, the performance of other activities related to credit recovery.
  • Purposes functional to the Controller’sactivity, for which the interested party has the right to express or deny consent, such as the promotion and sale of products and services of the Controller and of third parties carried out by letter, telephone or remote communication systems.


Please note that the data will be kept for the period of time strictly necessary with the utmost confidentiality and in compliance with appropriate security measures. The processing is carried out with reference only to the categories of data, data subjects and recipients of the communication that are strictly related to this fulfilment, and the data will be kept for no longer than is necessary for this fulfilment.

In relation to the aforementioned purposes, the processing of personal data is carried out by means of manual processing, computer and telematic tools and, in any case, such as to guarantee the security and confidentiality of the same, also in the case of the use of remote communication techniques.

The data you provide may be communicated for the purposes described above to the following:

  • Companies belonging to the Holders’ corporate groups;
  • Companies that provide banking, insurance and financial services;
  • Companies that manage payment services, credit cards, etc.; and
  • Companies that carry out technical-legal-administrative-accounting investigations of files and/or administrative-accounting management of relationships;
  • Companies that carry out activities of transmission, enveloping, transport and sorting of the communications concerned to the data subject;
  • Companies that perform services of archiving the documentation relating to the relationships with the interested party;
  • Companies that provide services relating to credit recovery and services related and instrumental to the management of the relationship with the person concerned (by way of example: acquisition of preliminary and/or subsequent information to the conclusion of financing and/or restructuring contracts);
  • Companies managing national and international systems for the control of risks and fraud against financial intermediaries, banks and interested parties and for credit recovery, including CRIF S.p.A. with registered office in Via M. Fantin, 1 – 3 — 40131 Bologna (BO), which will retain them as autonomous owner in both paper and automated form.


Such data will also be communicated for the same purposes to the entities adhering to the credit protection bureau of CRIF S.p.A., to the companies of the CRIF group and to other companies, including foreign ones, operating in the sector of granting loans, including payment extensions. Such processing will be carried out for the time necessary to pursue such purpose, i.e., it will be stored according to the data retention periods in use in the private risk centres sector. CRIF S.p.A. has appointed as data processor the company IBM Italia with registered office in Circonvallazione Idroscalo — 20090 Segrate (MI). The updated list of data processors may be obtained from the registered office of CRIF S.p.A. or sent by the latter at the express request of the data subject. The provision of data is necessary in order to allow the Institute to adequately assess the credit risk;

  • Persons, companies, associations or professional firms providing services or activities of assistance and advice to the Data Controllers, with particular but not exclusive reference to accounting, administrative, legal, tax and financial matters;
  • Auditing and certification companies;
  • Companies managing payment services;
  • Subjects whose right to access the Data is recognised by provisions of law and secondary regulations or by provisions issued by authorities empowered to do so by law;
  • Persons, companies, associations, including professional ones, that carry out activities of promotion and sale of products distributed by the Data Controllers;
  • Companies for checking the level of customer satisfaction;
  • Companies in charge of organising securitisation operations pursuant to Law no. 130/99, in all its aspects and operational phases.


The subjects belonging to the categories to which the data may be communicated will use such data as Data Controllers pursuant to the law, in full autonomy, being extraneous to the original processing. A detailed and updated list of names of these subjects is available at the offices of the Company and of the other Data Controllers.

Personal data collected under this contract will be retained for ten (10) years after the conclusion of the transaction without prejudice to any further retention requirements under other applicable legislation.

In full compliance with the provisions of Article 15 of EU Regulation 2016/679, the Company and the other Data Controllers inform you that you have the right, inter alia, to obtain:

  • Confirmation as to whether or not personal data relating to you exist, regardless of their being already recorded;
  • Communication in an intelligible form of the same data and of their origin, as well as of the logic of the methods and purposes on which the processing is based;
  • The identity of the data controller, of the data protection officers of each individual data controller, if designated, and of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing;
  • The cancellation, transformation into anonymous form or blocking of data processed in breach of the law, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed, the updating, rectification or, where interested therein, integration of the data; certification that such operations have been notified, also as regards their contents, to those to whom the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate to the protected right.


The data subject shall also have the right to object, in whole or in part, on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection, and to object, in whole or in part, to the processing of personal data concerning him/her, provided for the purposes of commercial information or sending advertising or direct sales material or for carrying out market research or interactive commercial communication and to be informed by the data controller, not later than when the data are communicated or disseminated, of the possibility of exercising this right free of charge or the right to lodge a complaint with a supervisory authority.

In order to exercise the rights referred to in Article 15 of EU Regulation 2016/679 summarised above, the data subject should contact the Data Controllers by registered letter with return receipt and by email at the addresses indicated above or the Data Protection Officer at the following e-mail address:


We would like to inform you that the Managers of the Italian Credit Information Systems (SIC), including CRIF, to which Gardant S.p.A. adheres, have adapted their operations to the “Code of Conduct for information systems managed by private entities on the subject of consumer credit, reliability and punctuality of payments” (hereinafter referred to as the “Code”), approved by the Authority for the protection of personal data with provision no. 163 of 12/09/2019.

The Code replaces the previous “Code of ethics and good conduct” and largely re-proposes its structure, general principles and contents, aligning its provisions with the European Privacy Regulation (GDPR).

With the approval of the Code, the Authority has therefore formally recognised its full compliance with the principles and rules of the GDPR.

Gardant S.p.A., as a participant in the SIC, partially modifies/supplements the information provided at the time; the main changes introduced follow:

  • It is no longer necessary to obtain the consent of the data subject in order to provide positive credit information to the SIC and consequently it is no longer possible, from now on, to revoke any consent that you may have given in the past. Indeed, the processing of personal data by the operator and the participants in the SIC, in accordance with the terms and conditions set out in the Code, is lawful within the meaning of Article 6, paragraph 1, letter f), of the GDPR as it is necessary for the pursuit of the legitimate interests of the participants in the use of the SIC. If you did not give your consent to the processing of positive data at the time of applying for the loan or if you revoked it subsequently, as a result of the above, the refusal will no longer be valid and the Company will also provide SIC with your positive data;
  • The timeframes for the retention of credit information by the SICs have been modified and in particular:
    • Positive information relating to a terminated relationship may be retained by the SIC for up to 60 months from the date of termination of the relationship or expiry of the relevant contract. Positive information may be further retained in the system if there is negative credit information in relation to other credit relationships with the same individual;
    • Unsuccessful or waived requests may be retained in the credit information system no longer than 90 days after their update;
  • The possibility of recording the personal data of the supplier of leased goods has been introduced in order to prevent fraud for these types of financing.

Full information on the purposes, methods and times of data retention is available on the websites of the companies owning the Credit Information Systems (SIC): — CRIF,

The updated information of our Company is attached to this communication as well as available in the “Privacy” section of the Gardant S.p.A. website.

Information on the Code of Conduct for the Processing of Personal Data for Commercial Information Purposes

(This notice pursuant to Articles 13 and 14 of EU Regulation 679/2016 (GDPR) is also provided on behalf of credit information systems)

Dear Customer,

Gardant S.p.A., as the data controller, informs you that in order to fulfil your request, we will use some data concerning you. This is information that you provide us with or that we obtain by consulting certain databases.

These databases (Credit Information System or SIC) containing information about the persons concerned are consulted for the purpose of assessing, assuming or managing a credit risk, evaluating the reliability and punctuality of the payments of the person concerned and are managed by private individuals belonging to the categories that you will find in the information provided by the SIC managers.

This information will be stored with us; some of the information that you provide to us, together with information arising from your payment behaviour in relation to the relationship that is to be established, may be communicated to the SICs from time to time.

This means that the persons belonging to the above categories to whom you request the establishment of a relationship will be able to know whether you have submitted a request to us and whether you pay regularly.

The processing and communication of your data is a prerequisite for the conclusion of the contract. Without this data we may not be able to process your request.

The storage of this information by the databases is done on the basis of the legitimate interest of the data controller to consult the SIC.

Your data will not be transferred by us to a third country outside the EU or to an international organisation.

According to the terms, methods and within the limits of applicability established by current legislation, you have the right to know your data and to exercise the various rights provided for in Articles 15 to 22 of the GDPR relating to their use (rectification, updating, cancellation, restriction of processing, opposition, etc.).

You may file a complaint with the Data Protection Authority (, as well as resort to the other means of protection provided for by the applicable legislation.

We keep your data at our company for the time necessary to manage your contractual relationship and to comply with legal obligations (e.g., the provisions of Article 2220 of the Civil Code regarding the storage of accounting records).

For any request concerning your data, please use the facsimile on in your own interest and forward it to our company: Gardant S.p.A. – Ufficio Amministrazione – Via Curtatone 3, 00185 Roma 00187 ROMETelephone +39 06 5796743 – Fax +39 06 5796254 –  – e-mail

And/or the companies listed below, to whom we will disclose your data:

  • CRIF S.p.A.

Your data is not used in the automated decision-making process of a credit application.

We would also like to inform you that you can contact our Data Protection Officer at the following address if you have any queries: e-mail

In order to better assess the credit risk, as well as the reliability and punctuality of payments, we disclose certain data (personal data, also of the person possibly co-obligated, type of contract, amount of credit, repayment method) to the SIC systems, which are regulated by the relevant Code of Conduct for the processing of personal data carried out for commercial information purposes (“Code of Conduct”), approved by the Authority for the protection of personal data, with Resolution of 12/06/2019, no. 127 (website; and who hold the status of autonomous data controller. The data are also made accessible to the various private entities belonging to the categories that you will find in the information provided by the SCI managers, available through the channels listed below.

The data relating to you are periodically updated with information acquired during the course of the relationship (payment history, residual debt, status of the relationship).

Within the framework of the SIC, your data will be processed in accordance with the methods of organisation, comparison and processing that are strictly necessary to pursue the purposes described above and in particular to extract from the credit information system the information ascribed to you.

Your data are not subject to any particular statistical processing for the purpose of attributing to you a synthetic judgement or a score on your degree of reliability and solvency (so-called credit scoring). Some additional information may be sent to you if your request is not accepted.

The credit information systems to which we subscribe are managed by:


CRIF S.p.a. — registered office in Bologna Via M. Fantin, n. 1-3, Ufficio relazioni con il Pubblico: Via Zanardi, n. 41 – 40131 Bologna – Tel. +39 051 6458900, website / CONTACT DETAILS: for any further information concerning the processing of personal data handled by Crif Spa, interested parties may contact the data protection officer appointed by Crif Spa at the following addresses: e-mail or PEC (certified e-mail): / TYPE OF SYSTEM: positive and negative / DATA STORAGE TIMES: these times are indicated in the table below / USE OF AUTOMATED CREDIT SCORING SYSTEMS: yes / EXISTENCE OF AN AUTOMATED DECISION-MAKING PROCESS: no / OTHER: CRIF Spa is a member of an international circuit of credit information systems operating in various European and non-European countries and, therefore, the processed data may be communicated (if all the legal requirements are met) to other companies, including foreign companies, which operate — in compliance with the legislation of their country — as independent managers of the aforementioned credit information systems and therefore pursue the same processing purposes as the system managed by CRIF Spa (list of foreign systems available on the website

You have the right to access your personal data at any time. Please contact our company: Gardant Spa Ufficio AmministrazioneVia Curtatone 3, 00185 Roma    00187 ROME – Telephone +39 06 694771 – Fax +39 06 69477901 – – e-mail, or to the operators of credit information systems, at the addresses indicated above.

Similarly, you may request the correction, updating or integration of inaccurate or incomplete data, or the deletion or blocking of data processed in breach of the law, or oppose their use for legitimate reasons to be stated in the request (Articles 15 to 22 of the EU Regulation excluding Article 20).

Data retention times in credit information systems: