Dear user,
We inform you that your personal data will be processed in accordance with current privacy laws and will be based on the principles of propriety, lawfulness, transparency and data protection. To this end, in compliance with the provisions of Article 13 of European Regulation 2016/679 (GDPR), we hereby provide you with general information regarding the processing of personal data on this website. Other specific information will be presented where necessary, directly on the web pages where the data is collected, in order to provide you with any type of service.
This policy refers exclusively to the data of those who interact with the services accessible from the website www.gruppobcciccrea.it (the website), without extending to other sites that the user may reach via links on the website.
Contact details of the Data Controller and DPO
The data controller is Iccrea Banca SpA with registered office at Via Lucrezia Romana 41/47 - 00178 Rome.
In compliance with the GDPR, the data controller has appointed a Data Protection Officer (DPO), whom you may contact to request explanations regarding this Policy or to exercise your rights under the data protection legislation described in the following text. You may use one of the following means to contact the DPO:
Via email: dpo@iccrea.bcc.it
Via post: Via Lucrezia Romana 41/47 - 00178 Rome, addressed to: Data Protection Officer (DPO)
For any communication from you to the DPO, your request must include your contact details, which are indispensable for us to be able to identify and contact you.
Type of data processed
Browsing data
In the course of their normal operation, the computer systems and software procedures used to operate this website acquire certain data whose transmission is implicit in the use of internet communication protocols.
This category of data includes the IP addresses or domain names of the computers used by users connecting to the website, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment.
This information is not collected in order to be associated with identified data subjects, as the data is only used to obtain anonymous statistical information on the use of the site and to check its correct operation, but by its very nature could allow users to be identified through processing and association with data held by third parties.
Note that the data could be used by the competent authorities to ascertain liability in the event of any computer crimes.
Cookies
The website makes use of cookies to improve the user's browsing experience. More information on the types of cookies used, their purposes and how to disable them can be found in the cookie policy.
Data provided voluntarily by the user
The provision of certain identifying data is necessary to authenticate and verify the authorisation of individuals accessing the various levels of restricted areas. The optional, explicit and voluntary sending of electronic mail to the addresses indicated on this website results in the acquisition of the sender's address, which is necessary to reply to requests, as well as any other personal data included in the message. Where necessary, specific summary notices will be progressively provided or displayed on the pages of the website used for particular services on request.
Purposes
The data you provide may be processed to:
1) Perform operations that are strictly necessary in order to provide the services and/or information that you may have requested (browsing the pages of the website, registering in the personal areas, requesting support and to be contacted, requesting appointments, requesting information by email, etc.).
2) Provide technological services (mailing lists, newsletters, remote or local support and maintenance, etc.), also by specifically authorised third parties.
3) Carry out activities imposed by laws, regulations or measures in force from time to time and applicable to the services and products offered through the website.
4) Calculate statistics based on aggregate data with respect to the website’s performance.
5) Assess users’ use of the website.
6) Optimise the commercial offer, including by means of focused and selected analyses.
7) Send advertising and/or commercial proposals based on the profiling of your data, implemented in order to be able to identify information and commercial proposals tuned to the interests you have expressed by browsing the pages and using the services available on this website.
On the pages of the website where your personal data is explicitly collected you will find further specific privacy notices where necessary, as well as the methods for obtaining your consent in cases where the data controller uses this legal basis for processing.
Legal basis
Your personal data will be processed based on one or more of the following conditions. Specifically, with regard to the processing carried out for the purposes described above:
- Points 1 and 2 have as their legal basis the need to respond to your request for information or to execute your request to receive a service directly available through the website. It is therefore a matter of voluntarily providing data that is strictly necessary and connected to a pre-contractual and/or contractual phase or functional to respond to your specific request. As such the data collected from time to time is mandatory, and if you do not intend to provide it, it will not be possible to provide the service or respond to your request.
- Point 3 has as a legal basis the need to comply with a legal obligation such as for example the obligation to implement security measures envisaged by specific laws in the banking/financial/insurance sector that are applicable to certain services provided through the website, and as such this data and the related processing are mandatory.
- Since the data processed for Point 4 is anonymised, i.e. data from which it is not possible to directly or indirectly re-identify a natural person, such data is no longer personal data and therefore the processing thereof is exempt from the application of privacy laws, and no special legal basis is required.
- Points 5, 6 and 7 will have as their legal basis your informed, free consent, which will be requested on specific pages of the website and preceded by a specific notice from us or cookie policy. In this case the provision of data is absolutely free, and in the absence of your consent the data will in no way be collected and used for these purposes.
Where the data controller can rely on another legal basis (legitimate interest, public interest, etc.) you will be provided with a specific Notice.
Processing methods, security measures and retention times
All data will be processed primarily in electronic format. Personal data as well as any other information that can be associated directly or indirectly with a specific user are collected and processed by applying technical and organisational security measures such as to ensure a level of security appropriate to the risk, taking into account the state of the art and the costs of implementation, or, where applicable, security measures prescribed by specific regulations including but not limited to measures envisaged by applicable provisions issued by the Italian Data Protection Authority or by specific banking/financial/insurance rules and regulations, and will be accessible only to specifically authorised personnel.
Precisely with regard to data protection aspects, pursuant to Article 33 of the GDPR you are invited to inform the data controller of any circumstances or events from which a potential “personal data breach” may arise in order to allow for an immediate assessment and the adoption of possible actions to counter such event, sending a communication to databreach@iccrea.bcc.it. Note that a personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
The measures adopted by the data controller do not exempt the user/customer from paying the necessary attention to the use of passwords/PINs of appropriate complexity where required, which they shall update periodically as well as carefully guard and make inaccessible to others in order to avoid their improper and unauthorised use.
The personal data processed will be stored in a form that allows the identification of the data subjects for a period of time not exceeding the achievement of the purposes for which they are processed (by way of example, the data relating to requests for assistance are kept for a period of time limited to the resolution of the problem reported), without prejudice to the need to store them for a longer period following requests by the competent authorities for the prevention and prosecution of offences, or in any case to assert or defend a right in court.
Categories of Recipients of personal data
Depending on the operation or service, customer/user data may be disclosed by the data controller to specialised companies entrusted with tasks of a technical or organisational nature that will process the data as autonomous data controllers or designated data processors (e.g. website maintenance companies).
The data may also be disclosed to those parties to whom such disclosure must be made in fulfilment of an obligation laid down by law, regulation or EU legislation, as well as a consequence of an order by authorities.
Transfer of data outside the EU
The customer's/user's personal data may be transferred to third countries outside the European Union under one of the following conditions: it is either a third country deemed adequate pursuant to Article 45 of Regulation EU 2016/679 or a country for which the data controller provides adequate or appropriate data protection guarantees pursuant to Articles 46 and 47 of the aforementioned EU Regulation, and always provided that the data subjects have enforceable rights and effective remedies, or that one or more of the exceptions pursuant to Article 49 of the aforementioned EU Regulation, paragraph 1, letters a) - g), are applicable from time to time.
Rights of Data Subjects
With regard to the processing of your personal data through this website, where applicable you may exercise your rights as a data subject under the GDPR at any time. Specifically, you may:
- Access your personal data, obtaining evidence of the purposes pursued by the data controller, the categories of data involved, the recipients the data may be disclosed to, the applicable retention period, the existence of automated decision-making processes (including profiling), and, at least in such cases, meaningful information on the logic used, as well as the relevance and possible consequences for the data subject, where not already indicated in the text of this Policy.
- In the cases envisaged by law, obtain the erasure of your data.
- Obtain the restriction of the processing, or object to the processing when allowed under the provisions of the law applicable to the specific case.
- In the cases envisaged by law, request the portability of the data that you have provided to the data controller, i.e. receive them in a structured, commonly used and machine-readable format, and also request the transmission of such data to another data controller if technically feasible.
- If you consider it appropriate, lodge a complaint with the supervisory authority.
- For the processing of personal data for which the legal basis is consent, you may always withdraw such consent, and more specifically exercise your right to object to direct marketing.
To exercise your rights simply contact the DPO using the details provided at the beginning of this Policy.
For more information on your rights and on privacy regulations in general, please visit the website of the Italian Data Protection Authority at https://www.garanteprivacy.it
Policy published on: 25-06-2021