CUSTOMER PRIVACY POLICY CA ITALIA

Information to data subjects (pursuant to Articles 13 and 14 of Regulation (EU) 679/2016)

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

Crédit Agricole Italia S.p.A. - Registered Office Via Università, 1 - 43121 Parma, Italy, in its capacity as the data controller (“CA Italia”) undertakes to protect the Personal Data, as exhaustively defined below, of its Customers. In general, all the information and data provided to CA Italia by its Customers or by third parties, within the use of CA Italia services (“Services”) as defined in Section 3 below, shall be processed by CA Italia in a lawful, fair and transparent manner. For further information about the processing of your Personal Data, please contact CA Italia Data Protection Officer at the address: dpo@credit-agricole.it

2. TYPES OF DATA PROCESSED

Through the Services it provides, Crédit Agricole Italia collects and processes information about its customers as individuals, whereby customers are identified or identifiable, as well as information on other persons which may be provided to CA Italia during the provision of the Services (e.g. credit transfers payees). The information that makes the customer or a third party identified or identifiable is classified as “Personal Data”. The types of Personal Data that may be processed by CA Italia through the Services are:

  • Contact Personal Data: including, by way of example and not limited to, first name, last name, Taxpayer Identification Number, mobile phone number and e-mail address, as well as the data and image of the identity document.
  • Sensitive Personal Data: special categories of Personal Data, such as data regarding health, racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, which may be provided (consciously or not) through the use of the Services by Customers (e.g. through payment via credit transfers or credit/debit cards to religious associations, political parties or trade unions, or completing questionnaires to apply for insurance policies to be entered into with third parties for which CA Italia is the data processor only).
  • Personal Data of third parties: Personal Data provided by Customers but regarding third-party natural persons (e.g. the phone number or e-mail address of spouses that are not customers of the Bank). For these data, the Customer shall be an independent data controller, i.e. the Customer providing these data shall take all obligations and liability under the law, releasing CA Italy from liability and holding it harmless from any complaint, demand, claims for compensation of damage caused by the data processing, etc., which may be lodged against CA Italia by third parties whose Personal Data are processed through the use of the Services violating the applicable legislation on personal data protection. In any case, Customers that provide Personal Data of third parties through the use of the Services shall hereby warrant - taking all associated liability - that the processing by CA Italia of said information has a suitable legal basis and is therefore lawful (e.g. consent).
  • Personal Data from databanks: Personal Data exchanged with third parties that are authorized, as specified below, to provide credit information to be used in the provision of specific Services (e.g. granting of consumer loans)

3. PURPOSES OF PROCESSING

The Personal Data described above shall be processed for the following purposes:

a) To respond to your specific requests for assistance or information (“Response”);

b) To comply with obligations resulting from or functional to financial contracts entered into with Crédit Agricole Italia, which may include processing of so-called sensitive Personal Data or the communication or cross-referencing of Personal Data from databanks for loan application processing activities (e.g. collection of preliminary information to open current accounts or to grant credit lines, loans or mortgage loans; the issuance of debit/credit cards and the provision of related services, jointly “Services”). As better described in the “Informativa integrativa sui Sistemi di Informazioni Creditizie”, which can be found on the website or at our branches, to provide some Services (e.g. mortgage loans) the customer’s creditworthiness and any fraudulent or unlawful conducts must be assessed, in order to classify the customer in a specific risk level. This activity is performed analyzing Personal Data coming from databanks set up for credit risk assessment and for the prevention of frauds and unlawful conducts, or simply Personal Data communicated by the Customer to Crédit Agricole Italia. It is a semi-automated assessment process, as, after the IT algorithms (which are regularly updated to prevent mistakes) have collected and processed these pieces of information and delivered a score of the customer’s reliability and solvency (credit scoring), Crédit Agricole Italia always has the requested Service confirmed or denied by specialist personnel (hereinafter the provision of the Services is referred to as “Service Provision”);

c) To comply with any legal, accounting and tax obligations (e.g.: obligations for Customer Due diligence and communication of your Personal Data in compliance with the applicable legislation on anti-money-laundering and terrorist financing, obligations under the legislation on assessment and suppression of tax violations, law on usury, Central Credit Registers, as well as any future obligations laid down by the national and EU legislation ) (jointly “Compliance”);

d) To carry out direct marketing activities via e-mail for Services similar to those previously used or purchased, unless the Customer objects to said activities writing to the addresses given in Section 8 below, right at the beginning or later on upon receipt of the related messages (“Soft Spam”);

e) To make market studies, surveys and statistics; to send information and promotional material of Crédit Agricole Italia and/or of third parties or surveys aimed at improving Crédit Agricole Italia Services via mail, phone, e-mail, SMS, MMS and/or through Crédit Agricole Italia’s official pages on social networks (“Marketing”);

f) To communicate collected Personal Data to third parties operating in various business sectors (“Communication to third parties”);

g) To create a profile of the Customer enabling us to know him or her and understand his or her actual needs and habits, also consumption ones. Said needs and habits are understood observing the user and his or her use of the Services (e.g. whether he or she purchases online, whether he or she prefers to use the Mobile App or to go to his or her Branch, to make cash withdrawals at one Branch rather than at another, whether it may be interesting for him or her to apply for home loan, car loan, etc.) (jointly “Preference Analysis”). This purpose is connected to the Marketing one (e.g. to offer rebates on the purchase of train tickets only to those that travel often by train, vouchers to those that often purchase online, etc.) as well as to the Service Provision one (e.g. if the Mobile App, the Website or the Services provided by one of our Branches are to be improved).

4. LEGAL BASIS AND OPTIONALITY OF PROCESSING

The legal bases on which Crédit Agricole Italia processes your Personal Data, for the purposes set out in Paragraph 3 above, are the following:

  • Response and Service Provision: data processing for these purposes is based on the need to provide the Customer with a response or Service. When the Service Provision involves so-called sensitive Personal Data, their processing is based, alternatively, on the need to provide a Service (e.g. credit transfer to a trade union association) or on consent (e.g. when, in the capacity as data processor, Crédit Agricole Italia asks the Customer to complete a questionnaire prepared by a third party). When the Service Provision concerns Personal Data coming from databanks, their processing is based on the legitimate interest and consent, where required by the applicable legislation in force at the relevant time (at present, only for keeping positive credit information of the Customer stored in the databanks). Providing Personal Data to Crédit Agricole Italia for these purposes is not mandatory, but, it they are not provided, Crédit Agricole Italia cannot provide you with any Service or Response.
  • Compliance: the basis for data processing for this purpose is that Crédit Agricole Italia must comply with any and all its legal obligations. In this regard, the Personal Data provided by Customers to Crédit Agricole Italia may be communicated to the Authorities listed in Paragraph 5 to comply with accounting, tax or other obligations.
  • Soft Spam: data processing for this purpose is based on Crédit Agricole Italia’s interest in sending to its Customers marketing communications via e-mail concerning Services that are similar to those they have already used. The Customer can opt out from these communications via e-mail, right at the beginning or upon receipt of following communications.
  • Marketing and Preference Analysis and Communication to third parties: data processing for these purposes is based on the Customer’s specific consent and, since 25 May 2018, on Crédit Agricole Italia’s legitimate interest in pursuing those purposes, if approved by the competent Supervisory Authority. Giving your consent for these purposes is not mandatory and you are entitled at any time to object to any exercise by Crédit Agricole Italia of its legitimate interest, if indeed exercised. Customers are entitled to withdraw their previously given consent or object to the exercise by Crédit Agricole Italia of its legitimate interest following the instructions given in Paragraph 8 below.

5. RECIPIENTS AND TRANSFER OF PERSONAL DATA

Personal Data may be shared with:

  • Natural persons authorized by CA Italia to process Personal Data after signing a non-disclosure agreement (e.g. employees and system administrators of CA Italia);
  • Entities that typically operate as data processors, including, by way of example and not limited to, companies providing help desk services, advisory services, e-mail and mailing services, etc.);
  • Entities, institutions or authorities which the Personal Data shall mandatorily be communicated because of the Service Provision (e.g. managers of credit reporting services, the SWIFT system, which the data must be communicated to in case of credit transfers to foreign countries, in foreign currencies or to a non-resident payee, with the SWIFT system operating as an independent data controller to which reference is made for further information (www.swift.com) or to comply with applicable laws, orders issued by competent Authorities, for the Compliance purpose (e.g. Consap, the State-owned Insurance Services Concessionaire, the Tax Register, Judicial Authority, US Authorities in case of communication to the SWIFT system);
  • Companies belonging to the Crédit Agricole Italia Banking Group for administrative and accounting purposes;
  • Parties for the purpose of Communication to third parties (jointly “Recipients”).

6. TRANSFER OF PERSONAL DATA

Some Personal Data of Customers may be communicated to Recipients that are outside the European Economic Area (e.g. in case of credit transfers to countries outside the EEA, in foreign currencies or to non-resident payees, in which the data are transferred to the United States of America as stated by SWIFT in its information to data subjects, which can be found at www.swift.com). Crédit Agricole Italia ensures that its Customers’ Personal Data are processed by said Recipients in compliance with the applicable legislation. Indeed, data are transferred with appropriate safeguards, such as adequacy decisions, standard contractual clauses approved by the European Commission or other legal instruments. Further information can be obtained writing to the Data Protection Officer at the address: dpo@credit-agricole.it

7. PERSONAL DATA STORAGE PERIOD

Having regard to the Response and Service Provision purposes, Personal Data shall be kept only for the time necessary for pursuing these purposes. Conversely, for Soft Spam, Marketing, Preference Analysis and Communication to third parties purposes, Personal Data shall be kept until the related consent is withdrawn (which shall be periodically renewed) or in case of objection to the exercise by Crédit Agricole Italia of its legitimate interest. In any case, the above shall apply without prejudice to any longer period required under the applicable legislation, including Article 2946 of the Italian Civil Code, and for the Compliance purpose. Further information can be obtained writing to the Data Protection Officer at the address: dpo@credit-agricole.it

8. THE RIGHTS THAT CUSTOMERS ARE ENTITLED TO EXERCISE

The Customer has the right to obtain the following from Crédit Agricole Italia, at any time:

  • Access to his or her Personal Data (or to a copy thereof), as well as further information on the processing underway of his or her Personal Data;
  • The rectification or update of his or her Personal Data processed by Crédit Agricole Italia, if said data are incomplete or not up to date;
  • The erasure of his or her Personal Data from Crédit Agricole Italia’s databases in the cases provided for by the applicable legislation in force at the relevant time;
  • Restriction of the processing of his or her Personal Data by Crédit Agricole Italia;
  • The Personal Data concerning him or her in a structured, commonly used and machine-readable format; The Customer is also entitled to:
  • Object to the processing of his or her Personal Data by Crédit Agricole Italia (e.g. Soft Spam);
  • Withdraw his or her consent for the Marketing, Preference Analysis and Communication to third parties purposes or to object to the exercise by Crédit Agricole Italia of its legitimate interest.

In addition to the above, the Customer is entitled to exercise his or her rights, including the right to object to the exercise by Crédit Agricole Italia of its legitimate interest in pursuing the Marketing, Preference Analysis and Communication to third parties purposes, also writing to Crédit Agricole Italia at the address: privacy@credit-agricole.it.

In any case, the Customer is entitled to lodge a complaint with the competent Supervisory Authority (Garante per la Protezione dei Dati Personali, the Italian Data Protection Authority).

9. AMENDMENTS

Crédit Agricole Italia shall be entitled to amend or simply update the contents hereof, fully or in part, also subsequent to changes in the applicable legislation. Crédit Agricole Italia shall inform its Customers of any said changes as soon as they are implemented and they shall become binding as soon as they are published on its Website or communicated to its Customers in any other way (e.g. at ATMs or branches). Therefore, Crédit Agricole Italia invites its Customers to pay attention to the latest version of information to data subjects circulated via said channels in order to be always up to date with any developments

Copyright © 2024 Gruppo Bancario Crédit Agricole Italia - Tutti i diritti riservati - P.IVA 02113530345