Privacy Policy

In this section, we outline the methods for managing the site, with reference to the processing of the personal data of users who consult it. This statement is also provided, pursuant to art. 13 and 14 of the Regulation (EU) 2016/679, to those who use the web services of the Intesa Sanpaolo Group's banks (hereinafter, “bank”), which can be accessed via the internet from the web address: www.imi.intesasanpaolo.com

This document also takes into account the Recommendation no. 2/2001, which the European authorities for personal data protection adopted to identify the minimum requirements for collecting personal data online.

The statement is only provided for the site www.imi.intesasanpaolo.com and not for other websites that the user may consult via links.

The Data controller is Intesa Sanpaolo S.p.A. with legal headquarters in Turin, Piazza San Carlo, 156 - 10121.

Intesa Sanpaolo has nominated the “Data Protection Officer (DPO)”, selecting it from within its organisation, as set forth in article 37 of the Regulation (EU) 2016/679.

The Data Protection Officer is a new figure whose role consists in monitoring the fulfilment of the Regulation itself and assessing risks for the interested parties (customers, potential customers, employees, and suppliers) for all personal data processing performed by Intesa Sanpaolo.

The DPO provides support to Intesa Sanpaolo in informing employees regarding their obligations deriving from the Regulation and other provisions regarding data protection, and, moreover, cooperates with the Italian Data Protection Authority and is the point of contact, for Intesa Sanpaolo, on every matter connected to personal data processing.
 

The processing connected to web services on this site is only performed by technical staff from the department responsible for the processing. No data deriving from the web service will be communicated or disseminated.

The personal data provided by users that send requests for informational material are used for the sole purpose of performing the service requested and are only communicated to third parties if it is necessary to achieve this end.

The personal data are processed using automated tools and for the time strictly necessary to achieve the purposes for which they have been collected. Specific safety measures are observed to prevent the loss of data, its illegal or incorrect use, and unauthorised access.

The IT systems and software processes behind the operation of this website acquire, during their normal operation and only for the length of the connection, certain personal data the transmission of which is implicit in the use of Internet communication protocols.

This includes information that is not collected to be associated with identified parties, but that due to their nature could, through processing and association with data held by third parties, make it possible to identify users.

This category of data includes: IP addresses or domain names of the computers that the users use and that are connected to the site, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the state of the response given by the server (success or error, etc.), and other parameters relating to the user’s operating system and IT environment.

These data may be used:

• to fulfil requirements set forth by national and EU regulations, as well as provisions issued by the Supervisory and Monitoring Authorities, including in relation to obligations to monitor operational and creditworthiness risks on a banking group level;
• to verify responsibility in case of hypothetical computer crimes to the detriment of the site and for verification in the event of any legal cases.

Except in these cases, at present the data collected (both via the website and via apps) remain on the servers for a period of 12 months.

The data are, in addition, used in order to obtain anonymous statistical information on the use of the site and to monitor the correct operation thereof.

The optional, explicit, and voluntary sending of emails to the addresses indicated on this site entail the successive acquisition of the sender’s address, which is necessary to respond to the requests, as well as any other personal data inserted in the correspondence.

The use of personal data for any sending of advertising material, commercial information, sale of products or services by the Bank, may only take place subject to the consent of the sender, indicated by ticking the appropriate box.

Specific summary statements will be progressively provided or displayed on the pages of the site dedicated to particular services on request.

Right of access
You may obtain confirmation from the Bank as to whether or not Personal Data concerning you are being processed and, in that case, obtain access to the Personal Data and to the information provided by Art. 15 of the Regulation, including, by way of example: the processing purposes, the categories of Personal Data processed, etc.

If the Personal Data are transferred to a third country or to an international organisation, you have the right to be informed of the existence of appropriate safeguards relating to the transfer.
If requested, the Bank may provide you with a copy of the Personal Data subject to processing. For any further copies the Bank may charge you a reasonable contribution to the costs, based on the administrative costs. If the request in question is submitted by electronic means and unless otherwise indicated, the Bank will provide the information to you in a commonly used electronic form.

Right to rectification
You may obtain the rectification of your inaccurate Personal Data from the Bank, as well as, taking the processing purposes into account, the completion of your incomplete Personal Data, by providing a supplementary statement.

Right to erasure
You may obtain the erasure of your Personal Data from the Controller, where one of the grounds indicated in Art. 17 of the Regulation subsists, including, by way of example, if the Personal Data is no longer necessary in relation to the purposes for which they were collected or otherwise processed or if the consent on which the processing of your Personal Data is based has been withdrawn by you and there is no other legal ground for the processing. Please note that the Bank shall not proceed with the erasure of your Personal Data: if its processing is necessary, for example, for compliance with a legal obligation, for reasons of public interest, for the establishment, exercise or defence of legal claims.

Right to restriction of processing
You may obtain restrictions on the processing of your Personal Data where one of the circumstances provided by Art. 18 of the Regulation applies, including, for example: in response to your contesting the accuracy of your Personal Data that is subject to processing or if your Personal Data are necessary for the establishment, exercise, or defence of a legal claim, despite the Bank no longer needing them for the processing purposes.

Right to data portability
If the processing of your Personal Data is based upon consent or is necessary to implement a contract or pre-contractual measures and the processing is carried out by automated means, you may:

• ask to be given the Personal Data you provided in a structured, commonly used and machine-readable format (for example: by a computer and/or tablet);
• transmit your Personal Data to another Data Controller, without hindrance from the Bank.

You may also ask for the Bank to transmit your Personal Data to another Data Controller indicated by you, where technically feasible for the Bank. In this case, it is your duty to provide us with all the correct details of the new Data Controller to which you intend to transfer your Personal Data and provide us with appropriate written authorisation.

Right to object
You may object at any time to the processing of your Personal Data where the processing is carried out to perform an activity in the public interest or to pursue a legitimate interest of the Controller (including profiling activity). Should you decide to exercise the right to object as described here, the Bank will refrain from further processing your personal data, unless there are legitimate grounds for the processing (which override the interests, rights and freedoms of the data subject), or if the processing is necessary for the establishment, exercise or defence of legal claims.

Automated individual decision-making, including profiling
If creditworthiness requirements subsist and for certain amount thresholds, the Bank performs automated decision-making processes for, among other activities, issuing credit cards, for applications for personal loans and consumer finance loans, and providing, in such cases, further details within a specific privacy policy and obtaining explicit consent for that purpose.

The Regulation provides that the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which results in legal consequences concerning him or her or similarly significantly affects him or her, unless the above-mentioned decision:

a) is necessary for concluding or executing a contract between you and the Bank;
b) is authorised by EU or Italian law;
c) is based on your explicit consent.

In the cases referred to in points a) and c), the Bank shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, and you shall have at least the right to obtain human intervention on the part of the Bank, to express your point of view, or to contest the decision.

Right to lodge a claim with the Italian Data Protection Authority
Without prejudice to your right to take action in any other administrative or jurisdictional venue, if you believe that the processing of your personal Data by the Controller is occurring in breach of the Regulation and/or the applicable legislation, you may lodge a complaint with the competent Data Protection Authority.