
Policy on the processing of customers' personal data (“Policy”) pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”)

A. Introduction


Dear Customer, before your data is processed, please find below the Privacy Policy provided by Ersel Banca Privata S.p.A. (“the Bank”), necessary for the protection of your personal data, in accordance with the relevant legislation.

The information set out below will help you understand:

  • which entities process your data and how to contact them;
  • how your data is analysed and why.

Please also be advised that the Data Controller has appointed a Data Protection Officer (“DPO”) pursuant to Article 37 of the GDPR, whom you may contact to exercise your rights and receive any other information relating to your rights and/or this Policy, by writing to dpo@ersel.it.

 

B. Useful contact details


Ersel Banca Privata S.p.A. is the company that processes your data and is considered the Data Controller for legal purposes. In this capacity, it is responsible for ensuring that the necessary and appropriate organisational and technical safeguards are in place to protect your data. The company's registered office is at Piazza Solferino 11, 10121 Turin.

In addition, the Bank has appointed a Data Protection Officer to ensure compliance with the rules for protecting your privacy, who can be contacted for matters concerning the processing of your data at the following address: dpo@ersel.it.

You will find more information about your rights in the dedicated section D. “Your rights” of this document.

 

C. Information on processing


Please be advised that the personal data you provide us with will be processed in accordance with current privacy legislation. The Bank therefore undertakes to process it in accordance with the principles of correctness, lawfulness and transparency, in compliance with the purposes set out below, collecting only data that is necessary and accurate for processing, and using it only through personnel authorised and trained for this purpose, so as to ensure the necessary confidentiality of the information you provide.

In particular, the Bank may use your data:

  1. to enable the proper legal, technical and economic management of the contractual relationship, and more specifically the proper performance of the contract and all related activities (i.e. management of current accounts and deposits, financial intermediation services, product subscription, etc.); the legal basis for this purpose is the performance of a contract to which you are party or the performance of pre-contractual measures taken at your request, pursuant to Article 6(1)(b) of the GDPR;
  2. to comply with legal provisions in civil and criminal matters and tax matters, with EU regulations, as well as with standards, codes, procedures approved by authorities and other competent institutions (e.g., tax and duty assessments, anti-money laundering, fraud prevention, Bank of Italy Risks Database, communications to combat terrorism and child pornography etc.); the legal basis for this purpose is the fulfilment of a legal obligation to which the Data Controller is subject pursuant to Article 6(1)(c) of the GDPR;
  3. to assert or defend a right in judicial proceedings, as well as in administrative proceedings or in arbitration and conciliation procedures in cases provided for by laws, European legislation and regulations; the legal basis for this purpose is the pursuit of a legitimate interest of the Controller, pursuant to Article 6(1)(f) of the GDPR;

In addition, if by signing a contract you have requested the provision of particular services for which the completion and evaluation of the MIFID Questionnaire is required by regulation, the data and answers you have entered will be analysed and evaluated in order to determine your risk profile.

Moreover, the Bank may only use your data with your free, specific, informed and unequivocal consent for the following purposes:

  4. functional activities of the Bank (carried out directly or through the work of specialised companies appointed for this purpose as external data processors), e.g. for monitoring of the quality of the services offered, market research and surveys, satisfaction surveys on the quality of services offered, questionnaires, interviews, etc.; the legal basis for data processing is the granting of your consent, pursuant to Article 6(1)(a) of the GDPR;
  5. “direct” marketing activities via e-mail, in relation to services or products of the Data Controller and/or of the companies in the Data Controller's Group, similar to those you have already purchased; the legal basis for the processing of the data is the granting of your consent, pursuant to Article 6(1)(a) of the GDPR;
  6. promotion and sale of “dedicated” products and services of the Data Controller and/or of the companies of the Data Controller's Group, specifically identified through customer profiling techniques aimed at analysing and forecasting information relating to your preferences, habits, consumption choices, including through the use of automated techniques or systems, also implemented through the enrichment of data with information acquired from third parties (enrichment). The legal basis for this purpose is your consent pursuant to Article 6(1)(a) of the GDPR;
  7. with regard to any personal data of a special nature, these are processed by the Data Controller in connection with the above-mentioned purposes; the legal basis for the processing of such data is consent, pursuant to Article 9(2)(a) of the GDPR.

For the purposes set out in points (1), (2), and (3) above, the provision of your personal data is mandatory; your refusal to provide such data in the pre-contractual phase will make it impossible for the Data Controller to conclude the contract and/or provide you with the requested services.

With reference to the purposes referred to in paragraphs (4), (5) and (6) above, the provision of your personal data for the purposes described there is optional and your refusal to authorise processing would not affect the conclusion or execution of the contract, but would only make it impossible for the Data Controller to update you on its products and/or initiatives or to develop promotional initiatives for you that are more in line with your profile.

With reference to the purposes set out in point (7) above, failure to provide your personal data of a special nature pursuant to Article 9(1) of the GDPR, or failure to grant your consent to its processing, will make it impossible for the Data Controller to conclude the contract and/or to provide you with the services requested and/or to carry out the other processing operations referred to in this paragraph, where the data exists and is relevant. 

 

D. Retention period of your data


The retention period of your personal data:  

  • for the purposes set out in paragraph C.(1), (2) and (3) above, shall correspond to the entire duration of the contractual relationship and, after termination thereof, shall continue for a period of 10 years, unless further obligations are prescribed by law;
  • for the purposes set out in paragraph C.(4), (5) and (6) above, will last 2 years from the date of issue of the relevant consent or until you decide to revoke your consent, where given, or, where applicable, until you decide to exercise your right to object to the processing;
  • for the cases referred to in paragraph C.(7) above, will be equal to the term referred to in the preceding lines according to the purposes of the processing.

Processing is carried out in compliance with the requirements of the GDPR, according to the principles of fairness, lawfulness and transparency and the protection of your rights as described therein. The personal data shall be processed through the use of electronic, telematic and paper media, subject to security measures suited to ensuring the privacy of the personal data and preventing undue access by unauthorised entities. Telephone calls whereby you submit orders and/or instructions will be recorded on a magnetic medium in accordance with European MiFID II Rules.

 

E. Transfer and access to your data


The Bank – without the need to ask for your consent – may disclose your personal data to a category of persons set out in more detail below, such as, for example:

  • Group companies, in order to perform administrative and service activities;
  • third parties (such as credit institutions, asset management companies, professional firms, consultants, insurance companies for the provision of insurance services, etc.) that may carry out outsourced activities on behalf of the Data Controller, in their capacity as external data processors or Autonomous Data Controllers;
  • judicial authorities, tax authorities, social security authorities, administrative and sector authorities, as well as those to whom communication is mandatory by law. These parties will process the data in their capacity as autonomous data controllers.

Furthermore, your data may be accessed by all persons within the Bank (contractors, trainees, employees, etc.) who have been specifically appointed as authorised to process them.
The Data Controller does not intend to transfer your personal data outside the European Union.

 

F. Your rights


In relation to the processing described in this Policy, as data subject, you may, under the conditions set out in the GDPR, exercise the rights set out in Articles 15 - 21 of the GDPR, in particular: 

  • right of access: the right to obtain confirmation as to whether or not personal data concerning you are being processed and, if so, to obtain access to your personal data – including a copy thereof – and communication of, inter alia, the information referred to in Article 15 of the GDPR;
  • right of rectification: the right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or the integration of incomplete personal data pursuant to Article 16 of the GDPR; 
  • right to erasure (right to be forgotten): the right to obtain, without undue delay, the erasure of personal data concerning you, in the cases referred to in Article 17 of the GDPR; the right to erasure does not apply to the extent that the processing is necessary for the performance of a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims;
  • right to restriction of processing: the right to obtain restriction of processing, in the cases indicated in Article 18 of the GDPR;
  • right to data portability: the right to receive, in a structured, commonly used and machine-readable format, personal data concerning you provided to the Data Controller and the right to transmit them to another data controller without hindrance, where the processing is based on consent and is carried out by automated means, in accordance with Article 20 of the GDPR. Furthermore, the right to have your personal data transmitted directly by the Data Controller to another data controller if this is technically feasible;
  • right to object: the right to object to the processing of personal data concerning you, unless there are legitimate grounds for the Data Controller to continue the processing, pursuant to Article 21 of the GDPR; 
  • right to revoke consent at any time without prejudice to the lawfulness of the processing based on the consent given before revocation;
  • right to lodge a complaint with the Personal Data Protection Authority, Piazza Venezia n. 11, 00187, Rome (RM).

The exercise of your rights as data subject is free of charge pursuant to Article 12 of the GDPR. However, in the case of requests that are manifestly unfounded or excessive, including by reason of their repetitiveness, the Data Controller may charge you a reasonable fee, in the light of the administrative costs incurred in handling your request, or refuse to grant your request. 

Finally, please be advised that the Data Controller may request further information necessary to confirm the identity of the data subject. 

To this end, the Bank has made available to you on its website www.ersel.it the form for exercising your rights, to be sent by e-mail to the address privacy@ersel.it. You may also send it by registered mail to the postal address Ersel Banca Privata S.p.A., Piazza Solferino 11, 10121 Turin for the attention of the DPO.

Please note that the Bank undertakes to reply to your request within one month, except in cases of particular complexity, for which it may take up to three months. In any event, the Bank will explain to you the reason for the delay within one month of your request.

The outcome of your request will be provided to you in writing or electronically. If you request rectification, erasure or restriction of processing, the Bank undertakes to communicate the results of your requests to each of the recipients of your data, unless this proves impossible or involves a disproportionate effort.

Please note that revocation of consent does not affect the lawfulness of processing based on consent before revocation.

Be advised that the Bank may reject your request if your claims are manifestly unfounded, excessive or repetitive. The Bank has set up a register to track related requests for action. 

 

The Holder
Ersel Banca Privata S.p.A.

