Privacy

This privacy policy (the "Privacy Policy") describes the processing activities of the personal data referring to the users of the website that you are browsing (hereinafter, the "Site").
The Privacy Policy is provided pursuant to art. 13 and 14 of Regulation (EU) 2016/679 ("GDPR") by the Controller (as defined below).
Where not otherwise provided, the Privacy Policy is provided only for the Site, and not for other websites that may be consulted by the user through the Site.

 

DATA CONTROLLER AND DATA PROTECTION OFFICER

Your data will be processed by UniCredit S.p.A., with registered office at Piazza Gae Aulenti n. 3, Tower A, 20154 Milan, as data controller (hereinafter, also the "Controller").

 

UniCredit S.p.A.

Data Protection Office

Piazza Gae Aulenti n. 3, Tower A, 20154 Milano

E-mail: Group.DPO@unicredit.eu

PEC: Group.DPO@pec.unicredit.eu.

 

CATEGORIES OF DATA PROCESSED AND PURPOSES OF THE PROCESSING  

 

Navigation data

During their normal operation, the information systems and software procedures used for the functions of this websites collect certain personal data, the transmission of which is implicit in the use of Internet, based on the TCP/IP protocol.

This is information which is not gathered to be associated with identified data subjects, but which by its very nature could, through processing and association with data held by others, enable the users to be identified.

This category of data includes the "IP addresses" or domain names of the computers used by users who visit the Site, the addresses in URI (Uniform Resource Identifier) format of the resources requested, the time of the request, the method used in submitting the request to the web server, the dimensions of the file obtained in response, the numerical code indicating the state of the response given by the web server and other parameters relating to the user's operating system and IT environment.

Such data are used for the sole purpose of handling user requests pursuant to art. 6, let. b) of the GDPR (personal data processing strictly necessary for the performance of an agreement) and to check its correct functioning, pursuant to art. 6, let. f) of the GDPR (personal data processing strictly necessary to pursue a legitimate interest of the data controller).

It should be noted that the aforementioned data could be used to ascertain responsibility in case of computer crimes against the Site or other websites connected or linked to it.

 

Data provided by the user

The personal data provided by the user by filling in the forms on the Site will be processed by the Controller for the sole purpose of managing the user's requests, as well as for the purpose of fulfilling the legal obligations to which the Data Controller is subject.

Depending on the case, the legal basis applicable to the processing is that of art. 6, lett. b) or c) of the GDPR (respectively, personal data processing strictly necessary to comply with a legal obligation or for the performance of an agreement).

 

COOKIES

Further information about the cookies installed through the Site are available at the link: Cookies Policy - UniCredit (unicreditgroup.eu)

 

OPTIONALITY OF CONFERMENT OF PERSONAL DATA

Apart from the navigation data, users are free to provide their personal data included in the specific electronic request forms, in the sections of the website prepared for the particular services on request.

It should be noted, however, that failure to provide such information may make it impossible to fulfil the request.

 

PROCESSING METHOD AND SECURITY MEASURES

The personal data are processed with automated and non-automated instruments, only for the time strictly necessary to achieve the purposes for which they have been collected.

Specific security measures are implemented to prevent loss of data, illegal or incorrect uses and unauthorized access.

 

RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA

The data may be communicated:

i)  to those subjects (e.g. administrative, judicial, supervisory and control authorities) to whom such communication must be made in compliance with an obligation provided for by law, by a regulation or by the EU regulations;

ii) third parties, suppliers of products and/or services, whether or not part of the UniCredit Group.

These recipients, depending on the cases, process personal data as Autonomous Data Controller or Data Processor.

Your data may also be disclosed to persons authorized to process personal data, in relation to the data necessary to perform the tasks assigned to them, natural persons belonging to the following categories: workers employed by the Controller or seconded to it, temporary workers, interns, consultants and employees of external companies appointed as data processors.

 

TRANSFER OF DATA TO THIRD COUNTRIES

The Controller informs that personal data may be transferred also to countries not belonging to the European Union or to the European Economic Area (so-called Third Countries) recognized by the European Commission as having an adequate level of protection of personal data or, otherwise, only if an adequate level of protection of personal data compared to that of the European Union is contractually guaranteed by all Controller suppliers located in the Third Country (e.g. through the signing of Standard Contractual Clauses provided by the European Commission) and that the exercise of the rights of the data subject is always ensured.

Further information can be requested by writing to: Group.DPO@unicredit.eu

 

RIGHTS OF THE DATA SUBJECTS

The GDPR grants individuals, sole proprietorships and/or freelancers specific rights the rights referred to in art. From 15 to 22 of GDPR, including the right to know what personal data is held by the Controller and how it is used (Right of Access), to obtain the updating, rectification or, if interested, integration of such data, as well as their erasure, transformation into anonymous form or limitation.

Within the limits of the applicable law, each data subject may request to receive or request the transfer of personal data relating to him processed by the Data Controller for further use or to provide them to another Data Controller (Right to portability).

 

PERIOD OF DATA STORAGE AND RIGHT TO ERASURE (i.e. RIGHT TO BE FORGOTTEN)

The Controller processes your personal data for the time strictly necessary to achieve the purposes described above.

At the end of the applicable retention period, personal data relating to the user will be deleted or stored in a form that does not permit the identification of the user (e.g., irreversible anonymization), unless their further processing is necessary for one or more of the following purposes: i) resolution of pre-litigation and/or litigation initiated before the expiry of the retention period; ii) to follow up investigations/inspections by internal control functions and/or external authorities started before the expiry of the retention period; iii) to follow up requests from Italian and/or foreign public authorities received/notified to the Controller before the expiry of the retention period.

 

HOW EXERCISE THE DATA SUBJECTS' RIGHTS

In order to exercise the rights described in the previous paragraphs, the user may apply to:

UniCredit S.p.A., Claims, Via Del Lavoro n. 42, 40127 Bologna, fax +39 051.6407229, indirizzo e-mail: diritti.privacy@unicredit.eu.

The deadline for the reply is one (1) month, which may be extended by two (2) months in particularly complex cases; in these cases, the Controller will provide at least one interim communication within one (1) month.

The exercise of the rights is, in principle, free of charge; the Controller reserves the right to charge a fee in the event of manifestly unfounded or excessive requests (including repetitive ones).

 

COMPLAINT OR REPORT TO THE PERSONAL DATA PROTECTION AUTHORITY

The Controller informs you that you have the right to file a complaint or a report to the Italian Data Protection Authority or alternatively to appeal to the judicial authority.