DATA CONTROLLER AND DATA PROTECTION OFFICER
The Data Controller is UniCredit Foundation with registered office at Prefettura di Milano on 21 maggio 2003, (the “Data Controller”).
The Data Protection Officer may be contacted at UniCredit S.p.A., Data Protection Office, Piazza Gae Aulenti n. 1, Tower B, 20154 Milan, e-mail: Group.DPO@unicredit.eu, certified e-mail: Group.DPO@pec.unicredit.eu.
TYPE OF DATA AND PURPOSES OF PROCESSING
The computer systems and software procedures used to manage the Site collect, during their normal activities, certain data whose transmission is implicit in the use of the Internet, which is based on the TCP/IP protocol.
This is information that is not collected in order to be associated with identified interested parties, but by its very nature could make it possible to identify navigating users. This category of data includes the "IP addresses" or domain names of the computers used by users who connect to the Site, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the web server, the size of the file obtained, the numerical code indicating the status of the response given by the web server and other parameters related to the user's operating system and computer environment.
This data is used for the sole purpose of processing the user's requests pursuant to art. 6, letter b) of the GDPR as well as to obtain anonymous statistical information on the use of the Site and to check its correct functioning, pursuant to art. 6, letter f) of the GDPR.
Please note that the aforementioned data could be used to ascertain responsibility in the event of computer crimes to the detriment of the Site or other websites connected or linked to it: except for this eventuality, navigation data are deleted immediately after the relevant statistical processing and in any case are kept for 24 months from the time of collection.
PROCESSING METHODS AND SECURITY MEASURES
Personal data are processed by automated and non-automated instruments only for the time strictly necessary to achieve the purposes for which they were collected. Specific security measures are observed to prevent the loss of data, unlawful or incorrect use and unauthorized access. In particular, in the sections of the Site set up for particular services, where personal data are requested from the user, the channel through which the data travel is encrypted using security technologies called Secure Sockets Layer & Transport Layer Security, abbreviated to SSL/TLS. SSL/TLS technology makes available an encrypted channel through which information travels before it is exchanged via the Internet between the user's computer and UniCredit Foundation's central systems, making it incomprehensible to unauthorized parties and thus guaranteeing the confidentiality of the information transmitted. SSL/TLS use requires a compatible browser capable of “exchanging” a security key with a minimum length of 128 bits, which is necessary to establish the aforementioned secure connection with UniCredit Foundation's central systems.
RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA
Data may be communicated to:
i) entities to whom such communication must be made to in order to comply with an obligation of law, regulations or EU law;
ii) third parties, suppliers of products and/or services, whether or not belonging to the UniCredit Group.
These recipients, depending on the cases, process personal data as autonomous data controllers or as data processors. The categories of autonomous data controllers and the list of data processors to whom the data may be communicated can be consulted by accessing on the Section Privacy” of the web site www.unicredit.it.
Your data may also be disclosed to natural persons belonging to the following categories in their capacity as persons authorized to process personal data, in relation to the data necessary to perform the tasks assigned to them: workers employed by the Data Controller or seconded to it, temporary workers, interns, consultants and employees of external companies appointed as data processors.
RIGHTS OF DATA SUBJECTS
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”), grants natural persons, individual companies and/or the self- employed specific rights, including the right to know what personal data are held by the Data Controller and how said data are used (right of access), the right to have their data updated, rectified or, if there is an interest, integrated, as well as have their data erased, anonymised or to obtain the restriction of the processing.
DATA STORAGE PERIOD AND RIGHT TO ERASURE ("RIGHT TO BE FORGOTTEN")
The Data Controller will process the information collected for the period strictly necessary to pursue the predetermined purposes.
At the end of this storage period, the information collected will be erased or kept in a manner that does not allow for the identification of the user (e.g. irreversible anonymisation), unless further processing is necessary for one of the following reasons: i) to settle pre-litigation and/or litigation started before the end of the storage period; ii) to continue investigations/inspections of internal control functions and/or external authorities started before the end of the storage period; iii) to follow up requests from Italian and/or foreign public authorities received by/notified to the Data Controller before the end of the storage period.
HOW TO EXERCISE YOUR RIGHTS
You can exercise your rights as a data subject, indicated in the previous paragraph, by contacting: email@example.com
The deadline for replying is one (1) month, extendible to two (2) months in cases of particular complexity; in these cases, the Data Controller will provide at least initial communication within one (1) month.
The exercise of the rights is, in principle, free; the Data Controller reserves the right to charge a fee in the event of manifestly unfounded or excessive requests (including repetitive ones).
The Data Controller may request information necessary to identify the requesting party.
COMPLAINTS OR REPORTS TO THE ITALIAN DATA PROTECTION AUTHORITY
The Data Controller informs the user that he/she may file complaints or report to the Italian Data Protection Authority or alternatively file a complaint with the Judicial Authorities. The contacts of the Italian Data Protection Authority are available on the website: http://www.garanteprivacy.it.
For other requests please refer to:
Tel. +39 02 8862 0113
Piazza Gae Aulenti, 3 - UniCredit Tower A
20154 - Milano, Italia