Notice pursuant to art. 13 of Regulation (EU) 2016/679.

Banca Finnat Euramerica SpA (hereinafter referred to as the “Bank” or “Data Controller”), in its capacity as data controller, hereby informs you of the processing of your personal data in relation to the sending of newsletters and invitations to events organised by the Bank.

Data Controller
Banca Finnat Euramerica SpA, based in Piazza del Gesù 49, Rome, Tel. 06.69933.1, e-mail: privacy.bfe@finnat.it

Data Protection Officer (DPO)
The Data Protection Officer can be contacted at : dpoprivacy@finnat.it.

Processing method
Personal data are processed in accordance with the principles of lawfulness, fairness, transparency and minimisation.
Processing is carried out by means of computerised and telematic tools (e.g. e-mail), in a manner strictly related to the stated purposes and by adopting appropriate technical and organisational measures to ensure the security and confidentiality of the data, preventing unauthorised access, loss or unlawful use.
No marketing, profiling or automated decision-making processes are carried out.

Source of personal data
The personal data are collected directly from the data subject.

Lawful purpose and basis for processing
Personal data (in particular contact details such as name, surname and e-mail) are processed for the following purposes::

1. Communications related to the contractual relationship: when a contractual relationship is in place, personal data may be used to send communications, including in the form of newsletters, connected to the services offered (e.g. relevant information related to the service, periodic reports). The lawful basis is the fulfilment of the contract pursuant to Article 6(1)(b) of GDPR. These communications are functional to the management of the contractual relationship and the provision of services. However, the data subject may at any time request not to receive such communications, without prejudice to the possibility for the Bank to send communications that are strictly necessary to fulfil legal obligations, guarantee security or manage the contractual relationship;
2. Newsletters and invitations to events: Personal data may be processed for the purpose of sending communications containing informational, institutional and promotional content (e.g., economic and financial analyses, Bank initiatives) that are not directly related to contractual obligations, as well as for sending invitations to events organised by the Bank. The lawful basis is the legitimate interest of the Data Controller pursuant to Article 6(1)(f) of GDPR. The Data Controller has carried out a Legitimate Interest Assessment (LIA), which found that this interest is compatible with the fundamental rights and freedoms of the data subject, also in view of:

• • the non-commercial nature of the communications; 
  • the reasonable expectations of the data subject; 
  • the possibility of objecting at any time.

Right to object
The data subject has the right to object at any time:

• to communication under point (b) (newsletters and events);
• to communication under point (a) to the extent indicated above.

Opposition may be exercised through the channels indicated by the Data Controller or through the tools provided within the received communications (e.g. unsubscribe link).

Categories of personal data processed
For the above-mentioned purposes, the Bank processes common personal data, such as:

• personal details (name, surname);
• contact details (e-mail address).

Categories of parties with whom data may be shared
Data may be processed by:

• personnel authorised by the Bank;
• service providers (e.g. IT services, communication delivery platforms).

These parties act as data processors pursuant to art. 28 of GDPR..

Extra-EU transfers
In the event data are transferred to countries outside the European Union, the Bank ensures an adequate level of data protection by means of adequacy decisions by the European Commission or by the adoption of Standard Contractual Clauses (SCC).
The data subject may request further information or a copy of the guarantees adopted by contacting the Data Controller.

Storage duration
Personal data are processed for the time strictly necessary to fulfil the purposes for which they were collected.
In particular:

• for the duration of the contractual relationship with the data subject;
• in the absence of interactions, for a maximum period of 3 years after the last contact;
• until any right to object has been exercised.

At the end of the above-mentioned periods, the data will be deleted or rendered anonymous, except in cases of further storage where permitted by applicable law.

Rights of the data subject
The data subject may exercise his or her rights under Articles 15-22 of GDPR at any time, including:

• right of access;
• right to rectification;
• right to erasure;
• right to the restriction of processing;
• right to object.

To exercise their rights, the data subject may contact the Data Controller at the above-mentioned contact details or the Data Protection Officer..

The data subject also has the right to submit a complaint to the Personal Data Protection Guarantor.

Over 128 years of constant growth to create value and consolidate the most important asset of all: our customers' trust.