Privacy

Customers

Pursuant to EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free circulation of such data (G.D.P.R or General Data Protection Regulation),

Gardant S.p.A., headquartered at Via Curtatone 3, 00185 Rome (the “Company”) – PEC gardantspa@legalmail.it- both in its own right and as an agent of the securitization vehicles (the “Data Controllers”) represented by it as servicer, is required to provide certain information regarding the use of personal data.

SOURCE OF PERSONAL DATA

The personal data held by the Company and other Data Controllers are collected directly from the data subject or from third parties, in which case the information referred to herein is provided to the data subject at the time of registration of the data, or if it is to be communicated, no later than the first communication.

This information may not include the elements already known to the person providing the data and is not due in cases provided for by law.

SENSITIVE DATA.

As a rule, the Company and the other Data Controllers do not require the indication of data that Article 9 paragraph 1 of the General Regulations On Data Protection identifies as belonging to the category of special data (e.g., data capable of revealing racial and ethnic origin, religious beliefs, political opinions, state of health and sexual life). In the event that occasionally and unintentionally the Company and other Data Controllers come into possession of “sensitive” data, for their processing the law requires a specific manifestation of consent, which you will find in the attached form.

PURPOSES OF PROCESSING

The data collected by the Company and other Data Controllers will be processed lawfully and fairly, in compliance with the aforementioned law and confidentiality obligations, and will be used solely and exclusively for the purposes described below:

– purposes strictly related and instrumental to the management of the relationship with the interested party (by way of example, acquisition of information preliminary to the conclusion of financing and/or restructuring contracts, execution of operations on the basis of obligations arising from the contract itself, etc.);

– purposes related to obligations arising from laws, regulations and EU legislation, as well as provisions issued by authorities empowered to do so by law and by supervisory and control bodies;

– institutional purposes such as purposes connected with and instrumental to tax accounting management, supervisory reporting as well as other obligations related to credit management;

– purposes related to credit recovery management;

– purposes related to the management of executive and insolvency procedures as well as related to the implementation of attempts to settle them out of court and, in any case, to the performance of other activities functional to credit recovery;

It should be noted that the data subject’s data will be kept for the period of time strictly necessary with the utmost confidentiality and in compliance with appropriate security measures. The processing is carried out with reference only to the categories of data, data subjects and recipients of communication strictly related to this fulfillment, storing, moreover, the data no longer than the period necessary for this fulfillment.

DATA PROCESSING METHODS

In relation to the stated purposes, the processing of personal data is carried out through manual processing, computer and telematic tools and, in any case, such as to ensure the security and confidentiality of the same, even in the case of the use of remote communication techniques.

CATEGORIES OF SUBJECTS TO WHOM THE DATA MAY BE COMMUNICATED

The data you provide may be communicated by virtue of the purposes described above to:

– companies belonging to the Data Controllers corporate groups;

– companies that perform banking, insurance and financial services;

– companies that carry out technical-legal-administrative-accounting investigations of files and/or administrative-accounting management of reports;

– companies that carry out transmission, enveloping, transport and sorting activities of the communications concerned to the data subject;

– companies that carry out archiving services of the documentation related to the relationships with the interested party;

– companies that provide services inherent to debt collection and services related and instrumental to the management of the relationship with the interested party (by way of example: acquisition of preliminary and/or subsequent information to the conclusion of financing and/or restructuring contracts);

– management companies of national and international systems for the control of risks and frauds to the detriment of financial intermediaries, banks and interested parties and credit recovery, including CRIF S.p.A. with registered office in Via M. Fantin, 1 – 3 – 40131 Bologna (BO), which will retain them as autonomous owner in both paper and automated mode.

Such data will, in addition, be communicated for the same purposes to the entities adhering to the Credit Protection Bureau of CRIF S.p.A., to the companies of the CRIF group to other companies, including foreign ones, that operate in the sector of granting loans including payment extensions. Such processing will take place for the time necessary for the pursuit of said purpose, i.e., it will be retained according to the data retention times in use in the private risk center sector. CRIF S.p.A. has appointed as data processor the company IBM Italia with registered office in Circonvallazione Idroscalo – 20090 Segrate (MI). The updated list of data processors may be collected from the offices of CRIF S.p.A. or sent by the latter at the express request of the data subject. The provision of data is necessary in order to enable the Institute to adequately assess credit risk;

– persons, companies, associations or professional firms that provide services or activities of assistance and advice to the Data Controllers, with particular but not exclusive reference to issues in accounting, administrative, legal, tax and financial matters

– auditing and financial statement certification companies;

– subjects whose right to access the Data is recognized by provisions of the law and secondary regulations or by provisions issued by authorities empowered to do so by law;

– companies in charge of the organization of securitization operations pursuant to Law No. 130/99, in all its aspects and operational phases.

Subjects belonging to the categories to which the data may be communicated will use such data as Data Controllers under the law, in full autonomy, being unrelated to the original processing. A detailed and updated list of names of these subjects is available at the offices of the Company and other Controllers.

DATA RETENTION

Personal data collected in the performance of this contract will be retained for ten (10) years from the conclusion of the transaction subject to any additional retention requirements under other applicable regulations.

RIGHTS UNDER ARTICLES 15-22 OF THE GENERAL DATA PROTECTION REGULATION

In relation to the processing operations described in this notice and in accordance with Articles 15-22 of the EU Regulation, the data subject is informed that he/she has the right:

1. to request from the Data Controller access to the personal data concerning him/her and information about the processing carried out on them;
2. to the rectification of data or the deletion of data in the hypotheses referred to in Article 17 of the Regulation and consistent with other retention obligations on the part of the data controller;
3. to revoke the consent given previously;
4. to the limitation of processing in the hypotheses referred to in Art.18 of the Regulation;
5. to data portability, i.e., the right to receive in a structured, commonly used and machine-readable format the personal data concerning him or her, and the right to transmit such data to another data controller without hindrance from the controller to whom he or she has provided them, where the processing is based on consent, on a contract, or is carried out by automated means;
6. not to be subjected to a decision based solely on automated processing that produces legal effects concerning him or her or affects him or her in a similarly significant way.

Any rectification or erasure or restriction of processing carried out at the request of the data subject – unless this proves impossible or involves a disproportionate effort – will be communicated by the Data Controller to each of the recipients to whom the personal data have been transmitted. The Data Controller may notify the data subject of these recipients if the data subject so requests.

In addition to the rights described above and in accordance with the same methods of exercise, the data subject has the right to object, at any time, to the processing of personal data concerning him or her if the processing is carried out in pursuit of the legitimate interest of the Data Controller. The Data Controller will refrain from further processing of personal data unless it demonstrates the existence of compelling legitimate grounds for processing that override the rights of the data subject, or for the establishment, exercise or defense of a legal claim.

To exercise these rights, the data subject may contact the Data Protection Officer (DPO) free of charge, unless unfounded or excessive requests are made, by contacting him or her at the contact details above. The Company will provide feedback to your requests, if in line with applicable regulations, in the timeframe mentioned above. In order to ensure the protection of your data, it may be necessary to verify your identity before your requests are acted upon.

You also have the right to file a complaint with the Garante per la protezione dei dati personali if you believe that your rights have not been respected, following the procedures and directions published on the Authority’s official website at www.garanteprivacy.it.

In order to exercise the rights under Article 15 of the EU Regulation 2016/679 summarized above, the data subject should contact the Data Controllers by registered letter with return receipt and e-mail at the above addresses or the Data Protection Officer at the following address: dpo@gardant.eu

SIC

We would like to inform you that the Managers of Italian Credit Information Systems (SIC), including CRIF, to which Gardant S.p.A. adheres, have adapted their operations to the “Code of Conduct for Information Systems Managed by Private Entities on Consumer Credit, Reliability and Punctuality of Payments” (henceforth the Code), approved by the Guarantor for the Protection of Personal Data with Order No. 163 of 12/09/2019.

The Code replaces the previous “Code of Ethics and Good Conduct” and largely re-proposes its structure, general principles and contents, aligning its provisions with the European Privacy Regulation (GDPR).

With the approval of the Code, the Authority has thus formally recognized its full compliance with the principles and rules of the GDPR.

Gardant S.p.A., as a participant in the SCI, partially amending/supplementing the information provided to it at the time, reports below the main changes introduced:

– it is no longer necessary to acquire the consent of the data subject in order to provide positive credit information to the SIC, and consequently it is no longer possible, from now on, to revoke any consent you may have given in the past. In fact, the processing of personal data by the operator and participants in the SCI, in accordance with the terms and conditions set forth in the Code, is lawful under Article 6(1)(f) of the GDPR as it is necessary for the pursuit of legitimate interests1 of the participants in the use of the SCI. If you had not given consent to the processing of positive data at the time of the application for the loan or had revoked it afterwards, as a result of the above, the denial will no longer be valid and the Company will also provide the SCI with your positive data;

– the time frame for retention of credit information by SCIs has been changed and in particular:

o those of positive type related to a terminated report may be retained by SICs up to sixty months from the date of termination of the report or expiration of the related contract. Positive type information may be retained further in the system if negative type credit information is found to be present in relation to other credit reports, referring to the same data subject;

o unsuccessful or waived applications may be retained in the credit information system no longer than ninety days from the date of their update;

– the possibility of recording the personal data of the supplier of leased goods was introduced for the purpose of fraud prevention for such types of financing.

Complete information on the purpose, method and time of data retention is available on the websites of the companies that own the Credit Information Systems (CIS): – CRIF www.crif.it,

Our Company’s updated disclosure is attached to this communication as well as available in the “Privacy” section of the Gardant S.p.A. website.

Disclosure Regarding the Code of Conduct for the Processing of Personal Data Performed for Commercial Information Purposes.

HOW WE USE YOUR DATA

(This disclosure under Articles 13 and 14 of the EU Regulation 679/2016 (GDPR) is also made on behalf of credit information systems)

Dear Client,

Gardant S.p.A., as the data controller, informs you that in order to follow up on your request, we will use some data concerning you. This is information that you yourself provide to us or that we obtain by consulting certain databases.

These databases (Credit Information System or SIC) containing information about the data subjects are consulted to assess, assume or manage a credit risk, to evaluate the reliability and punctuality of payments of the data subject and are managed by private individuals and participated by private entities belonging to the categories that you will find in the disclosures provided by the managers of the SICs.

This information will be stored with us; some of the information that you yourself provide to us, along with information originated by your payment behavior regarding the relationship to be established may be communicated periodically to the SCIs.

This means that parties in the above categories to whom you request the establishment of a relationship will be able to know whether you have submitted a request to us and whether you pay regularly.

The processing and communication of your data is a necessary requirement for the conclusion of the contract. Without this data we may not be able to follow up on your request.

Retention of this information by databases is done on the basis of the legitimate interest of the data controller in consulting SCI.

PROCESSING CARRIED OUT BY OUR COMPANY

Your data will not be transferred by us to a third country outside the EU or to an international organization.

According to the terms, modalities and within the limits of applicability established by the regulations in force, you have the right to know your data and to exercise the different rights provided for in articles 15 to 22 of the GDPR related to their use (rectification, updating, deletion, restriction of processing, opposition, etc.).

You may lodge a complaint with the Data Protection Authority (www.garanteprivacy.it), as well as have recourse to the other means of protection provided by the applicable legislation.

We keep your data at our company for as long as necessary to manage your contractual relationship and to fulfill legal obligations (e.g., for the provisions of Article 2220 of the Civil Code regarding the retention of accounting records.

For any request regarding your data, please use in your interest the fac-simile on the website www.garanteprivacy.it, forwarding it to our company: Gardant S.p.A. – Administration Office – Via Curtatone 3, 00185 Rome – Phone 06 5796743 – Fax 06 5796254 – www.gardant.eu – e-mail info@gardant.eu

and/or to the companies indicated below, to which we will communicate your data:

• CRIF S.p.A.

and/or to the companies indicated below, to which we will communicate your data: Your data are not used in the automated decision-making process of a credit request. We also inform you that for any occurrence our Data Protection Officer can be contacted at the following address: email dpo@gardant.eu.

TREATMENT CARRIED OUT BY THE SIC MANAGER

In order to better evaluate the credit risk, as well as the reliability and punctuality of payments, we communicate some data (personal data, including of the person possibly co-obligated, type of contract, amount of credit, reimbursement method) to the Information System systems Credit institutions, which are regulated by the relevant Code of Conduct for the processing of personal data carried out for the purposes of commercial information (‘Code of Conduct), approved by the Guarantor for the protection of personal data, with Resolution of 12/06/2019, n. . 127; website www.garanteprivacy.it) and who hold the status of independent data controller. The data is also made accessible to various private entities belonging to the categories that you will find in the information provided by the SIC managers, available through the channels listed below. The data concerning you are updated periodically with information acquired during the relationship (payment trend, residual debt exposure, status of the relationship). Within the SIC, your data will be processed according to methods of organisation, comparison and processing strictly indispensable to pursue the purposes described above and in particular to extract the information ascribed to you from the credit information system. Your data are not subject to particular statistical processing in order to give you a summary opinion or a score on your degree of reliability and solvency (so-called credit scoring). Some additional information may be provided to you if your request is not accepted.

The credit information systems we participate in are managed by:

IDENTIFICATION DETAILS:

CRIF S.p.a. – registered office in Bologna Via M. Fantin, n. 1-3, Public Relations Office: Via Zanardi, n. 41 – 40131 Bologna – Tel. 051 6458900, website www.consumatori.crif.com / CONTACT DETAILS: for any further information relating to the processing of personal data processed by Crif Spa, interested parties may contact the data protection officer appointed by Crif Spa at the following addresses: email dirprivacy@crif.com or pec: crif@pec.crif.com / TYPE OF SYSTEM: positive and negative / DATA STORAGE TIMES: these times are indicated in the table below / USE OF AUTOMATED SYSTEMS OF CREDIT SCORING: yes / EXISTENCE OF AN AUTOMATED DECISION-MAKING PROCESS: no / OTHER: CRIF Spa adheres to an international circuit of credit information systems operating in various European and non-European countries and, therefore, the data processed may be communicated (all existing the legal requirements) to other companies, including foreign ones, which operate – in compliance with the legislation of their country – as independent managers of the aforementioned credit information systems and therefore pursue the same processing purposes as the system managed by CRIF Spa (list of systems affiliated foreign countries available on the website www.crif.it)”” You have the right to access data concerning you at any time. Please contact our company Gardant Spa – Administration Office – Via Curtatone 3, 00185 Rome – Telephone 06 694771 – Fax 06 69477901 – www.gardant.eu – e-mail info@gardant.eu, or to the managers of the credit information systems, at the addresses indicated above. Likewise, you can request the correction, updating or integration of inaccurate or incomplete data, or the cancellation or blocking of those processed in violation of the law, or oppose their use for legitimate reasons to be highlighted in the request (articles from 15 to 22 of the EU Regulation excluding art. 20).

Service Providers

Pursuant to the EU Regulation 2016/679 (G.D.P.R.) on the protection of individuals with regard to the processing of personal data and on the free circulation of such data, Gardant S.p.A., with registered office in Via Curtatone 3, 00185 Rome (the “Company”) – PEC gardantspa@legalmail.it- both in its own right and as an agent of the securitization vehicles (the “Data Controllers”) represented by it as servicer, is required to provide certain information regarding the use of personal data.

SOURCE OF PERSONAL DATA

Please note that we will acquire or have already acquired directly from you your personal data subject to processing as described in this policy. In particular, we will acquire or have already acquired your common data.

SENSITIVE DATA

The Company in the performance of its activities and in the pursuit of the stated purposes, informs you that it will not process special categories of data, so-called “sensitive data,” such as personal data capable of revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership,” as well as “genetic data, biometric data intended to uniquely identify a natural person, data relating to a person’s health or sex life or sexual orientation” (Article 9 of the GDPR).

Should sensitive personal data be processed, which are not covered by legal provisions or EU regulations, your specific consent should be requested.

Furthermore, the Company will not process your judicial data (Art. 10 of the GDPR).

PURPOSES OF PROCESSING

Your personal data are processed by the Company for the following purposes:

1. a) fulfillment of obligations required by law, regulation or EU legislation and for civil, accounting and tax purposes;
2. b) entering into and executing contractual relationships or pre-contractual measures between you and the Controller, such as invoicing, correspondence and management of the supplier register;
3. c) protection of Gardant’s rights arising from the contract (e.g. breach of contract, warnings), within the legitimate interest of the Owner.

With regard to the purposes indicated above, we inform you that the processing of your personal data by the Company, including the communication of such data to the parties referred to in paragraph 5 below, does not require your consent as processing is necessary for the performance of legal obligations (letter a), for the performance of obligations arising from the contract itself (letter b) or for the pursuit of a legitimate interest of the Data Controller (letter c). Any refusal to provide the data, in whole or in part, may result in the impossibility for the Company to execute the contract or to properly perform all the obligations.

However, the collection of this data will be guided by the cardinal principles, enucleated in the GDPR.

CATEGORIES OF SUBJECTS TO WHOM THE DATA MAY BE COMMUNICATED

The Data Controller may communicate the data of data subjects to third parties as autonomous data controllers or data processors appointed by the Data Controller.

In particular, your data may be communicated to:

1. a) companies that manage software and/or hardware of the Data Controller or that manage computer archives on its behalf;
2. b) subjects to whom the communication of data is necessary or is otherwise functional for the management of the contractual relationship;
3. c) companies controlled by the Controller;
4. d) bodies of the public administration (agencies, ministries, social security and welfare institutions) in compliance with obligations required by law;
5. e) entities to which the right to access data is recognized by legal provisions or regulatory or EU regulations (e.g.: judicial authorities and police forces, sector supervisory authorities, auditing companies, rating companies, etc.).

Information pertaining to these entities, including the indication of the data controller and data processors, which is constantly updated and easily accessible, is available free of charge by contacting the DPO at the contact details above.

For the same purposes mentioned above, the data provided to the writer may be communicated to those authorized to process them (Subjects operating under the authority of the Data Controller and Subjects operating under the authority of the Data Processors appointed by the Data Controller).

DATA RETENTION

The Company will retain your personal data for the time necessary to achieve the purposes specified in this Notice, after which the data will be deleted in accordance with legal requirements.

In particular, in the case of termination of the relationship, personal data will be retained from the date of the event in order to fulfill the legal requirements for the retention of accounting records, as well as for any requests for further retention for judicial requirements and tax audits.

RIGHTS UNDER ARTICLES 15-22 OF THE GENERAL DATA PROTECTION REGULATION

In relation to the processing operations described in this information notice and pursuant to Articles 15-22 of the EU Regulation, the data subject is informed that he/she has the right:

1. a) to request from the Data Controller access to the personal data concerning him/her and information about the processing carried out on them;
2. b) to the rectification of the data or the deletion of the same in the cases referred to in Article 17 of the Regulation and consistent with other retention obligations on the part of the owner;
3. c) to revoke the consent given previously;
4. d) to the limitation of processing in the hypotheses referred to in Art.18 of the Regulation;
5. e) to data portability, i.e., the right to receive in a structured, commonly used and machine-readable format the personal data concerning him or her, and the right to transmit such data to another data controller without hindrance from the controller to whom he or she has provided them, when the processing is based on consent, on a contract, or is carried out by automated means
6. f) not to be subjected to a decision based solely on automated processing that produces legal effects concerning him or her or affects him or her in a similarly significant way.

Any corrections or erasure or restriction of processing carried out at the request of the data subject – unless this proves impossible or involves a disproportionate effort – will be communicated by the Data Controller to each of the recipients to whom the personal data have been transmitted. The Data Controller may notify the data subject of these recipients if the data subject so requests.

In addition to the rights described above and in accordance with the same methods of exercise, the data subject has the right to object, at any time, to the processing of personal data concerning him or her if the processing is carried out in pursuit of the legitimate interest of the Data Controller. The Data Controller will refrain from further processing of personal data unless it demonstrates the existence of compelling legitimate grounds for processing that override the rights of the data subject, or for the establishment, exercise or defense of a legal claim.

To exercise these rights, the data subject may contact the Data Protection Officer (DPO) free of charge, unless unfounded or excessive requests are made, by contacting him or her at the contact details above. The Company will provide feedback to your requests, if in line with applicable regulations, in the timeframe mentioned above. In order to ensure the protection of your data, it may be necessary to verify your identity before your requests are acted upon.

You also have the right to file a complaint with the Garante per la protezione dei dati personali if you believe that your rights have not been respected, following the procedures and directions published on the Authority’s official website at www.garanteprivacy.it.

In order to exercise the rights under Article 15 of the EU Regulation 2016/679 summarized above, the data subject should contact the Data Controllers by registered letter with return receipt and e-mail at the above addresses or the Data Protection Officer at the following address: dpo@gardant.eu

Model for the execution of the rights of the interested party

Modello per l’esecuzione dei diritti dell’interessato