Pursuant to EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free circulation of such data (G.D.P.R or General Data Protection Regulation),
Gardant S.p.A., headquartered at Via Curtatone 3, 00185 Rome (the “Company”) – PEC email@example.com- both in its own right and as an agent of the securitization vehicles (the “Data Controllers”) represented by it as servicer, is required to provide certain information regarding the use of personal data.
SOURCE OF PERSONAL DATA
The personal data held by the Company and other Data Controllers are collected directly from the data subject or from third parties, in which case the information referred to herein is provided to the data subject at the time of registration of the data, or if it is to be communicated, no later than the first communication.
This information may not include the elements already known to the person providing the data and is not due in cases provided for by law.
As a rule, the Company and the other Data Controllers do not require the indication of data that Article 9 paragraph 1 of the General Regulations On Data Protection identifies as belonging to the category of special data (e.g., data capable of revealing racial and ethnic origin, religious beliefs, political opinions, state of health and sexual life). In the event that occasionally and unintentionally the Company and other Data Controllers come into possession of “sensitive” data, for their processing the law requires a specific manifestation of consent, which you will find in the attached form.
PURPOSES OF PROCESSING
The data collected by the Company and other Data Controllers will be processed lawfully and fairly, in compliance with the aforementioned law and confidentiality obligations, and will be used solely and exclusively for the purposes described below:
– purposes strictly related and instrumental to the management of the relationship with the interested party (by way of example, acquisition of information preliminary to the conclusion of financing and/or restructuring contracts, execution of operations on the basis of obligations arising from the contract itself, etc.);
– purposes related to obligations arising from laws, regulations and EU legislation, as well as provisions issued by authorities empowered to do so by law and by supervisory and control bodies;
– institutional purposes such as purposes connected with and instrumental to tax accounting management, supervisory reporting as well as other obligations related to credit management;
– purposes related to credit recovery management;
– purposes related to the management of executive and insolvency procedures as well as related to the implementation of attempts to settle them out of court and, in any case, to the performance of other activities functional to credit recovery;
It should be noted that the data subject’s data will be kept for the period of time strictly necessary with the utmost confidentiality and in compliance with appropriate security measures. The processing is carried out with reference only to the categories of data, data subjects and recipients of communication strictly related to this fulfillment, storing, moreover, the data no longer than the period necessary for this fulfillment.
DATA PROCESSING METHODS
In relation to the stated purposes, the processing of personal data is carried out through manual processing, computer and telematic tools and, in any case, such as to ensure the security and confidentiality of the same, even in the case of the use of remote communication techniques.
CATEGORIES OF SUBJECTS TO WHOM THE DATA MAY BE COMMUNICATED
The data you provide may be communicated by virtue of the purposes described above to:
– companies belonging to the Data Controllers corporate groups;
– companies that perform banking, insurance and financial services;
– companies that carry out technical-legal-administrative-accounting investigations of files and/or administrative-accounting management of reports;
– companies that carry out transmission, enveloping, transport and sorting activities of the communications concerned to the data subject;
– companies that carry out archiving services of the documentation related to the relationships with the interested party;
– companies that provide services inherent to debt collection and services related and instrumental to the management of the relationship with the interested party (by way of example: acquisition of preliminary and/or subsequent information to the conclusion of financing and/or restructuring contracts);
– management companies of national and international systems for the control of risks and frauds to the detriment of financial intermediaries, banks and interested parties and credit recovery, including CRIF S.p.A. with registered office in Via M. Fantin, 1 – 3 – 40131 Bologna (BO), which will retain them as autonomous owner in both paper and automated mode.
Such data will, in addition, be communicated for the same purposes to the entities adhering to the Credit Protection Bureau of CRIF S.p.A., to the companies of the CRIF group to other companies, including foreign ones, that operate in the sector of granting loans including payment extensions. Such processing will take place for the time necessary for the pursuit of said purpose, i.e., it will be retained according to the data retention times in use in the private risk center sector. CRIF S.p.A. has appointed as data processor the company IBM Italia with registered office in Circonvallazione Idroscalo – 20090 Segrate (MI). The updated list of data processors may be collected from the offices of CRIF S.p.A. or sent by the latter at the express request of the data subject. The provision of data is necessary in order to enable the Institute to adequately assess credit risk;
– persons, companies, associations or professional firms that provide services or activities of assistance and advice to the Data Controllers, with particular but not exclusive reference to issues in accounting, administrative, legal, tax and financial matters
– auditing and financial statement certification companies;
– subjects whose right to access the Data is recognized by provisions of the law and secondary regulations or by provisions issued by authorities empowered to do so by law;
– companies in charge of the organization of securitization operations pursuant to Law No. 130/99, in all its aspects and operational phases.
Subjects belonging to the categories to which the data may be communicated will use such data as Data Controllers under the law, in full autonomy, being unrelated to the original processing. A detailed and updated list of names of these subjects is available at the offices of the Company and other Controllers.
Personal data collected in the performance of this contract will be retained for ten (10) years from the conclusion of the transaction subject to any additional retention requirements under other applicable regulations.
RIGHTS UNDER ARTICLES 15-22 OF THE GENERAL DATA PROTECTION REGULATION
In relation to the processing operations described in this notice and in accordance with Articles 15-22 of the EU Regulation, the data subject is informed that he/she has the right:
- to request from the Data Controller access to the personal data concerning him/her and information about the processing carried out on them;
- to the rectification of data or the deletion of data in the hypotheses referred to in Article 17 of the Regulation and consistent with other retention obligations on the part of the data controller;
- to revoke the consent given previously;
- to the limitation of processing in the hypotheses referred to in Art.18 of the Regulation;
- to data portability, i.e., the right to receive in a structured, commonly used and machine-readable format the personal data concerning him or her, and the right to transmit such data to another data controller without hindrance from the controller to whom he or she has provided them, where the processing is based on consent, on a contract, or is carried out by automated means;
- not to be subjected to a decision based solely on automated processing that produces legal effects concerning him or her or affects him or her in a similarly significant way.
Any rectification or erasure or restriction of processing carried out at the request of the data subject – unless this proves impossible or involves a disproportionate effort – will be communicated by the Data Controller to each of the recipients to whom the personal data have been transmitted. The Data Controller may notify the data subject of these recipients if the data subject so requests.
In addition to the rights described above and in accordance with the same methods of exercise, the data subject has the right to object, at any time, to the processing of personal data concerning him or her if the processing is carried out in pursuit of the legitimate interest of the Data Controller. The Data Controller will refrain from further processing of personal data unless it demonstrates the existence of compelling legitimate grounds for processing that override the rights of the data subject, or for the establishment, exercise or defense of a legal claim.
To exercise these rights, the data subject may contact the Data Protection Officer (DPO) free of charge, unless unfounded or excessive requests are made, by contacting him or her at the contact details above. The Company will provide feedback to your requests, if in line with applicable regulations, in the timeframe mentioned above. In order to ensure the protection of your data, it may be necessary to verify your identity before your requests are acted upon.
You also have the right to file a complaint with the Garante per la protezione dei dati personali if you believe that your rights have not been respected, following the procedures and directions published on the Authority’s official website at www.garanteprivacy.it.
In order to exercise the rights under Article 15 of the EU Regulation 2016/679 summarized above, the data subject should contact the Data Controllers by registered letter with return receipt and e-mail at the above addresses or the Data Protection Officer at the following address: firstname.lastname@example.org