DATA PROCESSING FOR THE PURPOSES OF MARKETING, MARKET INTELLIGENCE, ADVERTISING OR PROMOTIONAL INFORMATION
TO NATURAL PERSONS PURSUANT TO ART. 13 AND 14 OF THE REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL OF 27 APRIL 2016 - REGULATION ON THE “PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA, AND ON THE FREE MOVEMENT OF SUCH DATA” AND THE REGULATORY PROVISIONS IN FORCE
The Regulation on the “protection of natural persons with regard to the processing of personal data, and on the free movement of such data” (hereinafter, the “Regulation”) and the other regulatory provisions in force on the matter contain a series of rules to guarantee that the processing of personal data is carried out in compliance with the rights and fundamental freedoms of persons.
SECTION 1 - IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER
The Data Controller is Quaestio Capital Management Società di Gestione del Risparmio S.p.A., in brief, Quaestio Capital SGR S.p.A., with registered office in Corso Como 15, Milan, Italy, telephone +39 02-36765200, fax +39 02-72016207 (hereinafter, in brief, the “Data Controller”).
This Disclosure is provided by the Data Controller to the person whose data is to be processed (hereinafter, in brief, each person is a “Data Subject”), pursuant to and in accordance with the Regulation.
SECTION 2 - CONTACT DETAILS OF THE DATA PROTECTION OFFICER
The Data Controller has appointed the “ Data Protection Officer” (“DPO”) set out by the Regulation. For all issues relating to the processing of Personal Data and/or to exercise the rights set out in the Regulation, listed in Section 7 of this Disclosure, the Data Subject may contact the DPO at the following:
telephone: +39 02-36765200;
fax: +39 02-72016207;
post: Quaestio Capital SGR S.p.A., Attn: Data Protection Officer (DPO), Corso Como 15, 20154 MILANO (MI), ITALY.
SECTION 3 - CATEGORIES OF PERSONAL DATA, SOURCES, PURPOSES AND LEGAL BASIS FOR THE PROCESSING
Categories of Personal Data: For the purposes of marketing indicated below, the Data Controller shall acquire or may become aware of your Personal Data when, for example, your personal details (for example, name, surname, telephone number and email), the data regarding the level of education and employment/contract work of the Data Subject (“Personal Data”).
Sources, Purposes and Legal Basis for the Processing: The Personal Data regarding the Data Subject, communicated to the Data Controller directly by the Data Subject or through third parties, or collected from third parties and, in the latter cases, following verification of compliance with the conditions of lawfulness by the third parties, shall be processed by the Data Controller for the following marketing purposes:
(A) promotion of products and/or services of the Data Controller or, where authorised, of other companies in its group, by sending materials and/or informational/cmomercial/advertising communications through letters, telephone, email, text message, fax or other automated communications systems;
(B) recording of preferences, also in order to create products and/or services targeted to specific categories of potential customers, by drawing up market studies, research or surveys, including through in-person or telephone interviews, questionnaires, etc.
The legal basis for the processing is identified as the Data Subject’s consent to the processing of his/her Personal Data (Art. 6(1)(a) of the Regulation). Processing for that purposes is therefore optional and Data Subjects have the right to refuse their consent. If consent to the processing is not given, the Data Controller will not be able to carry out the marketing activities described herein in relation to you.
SECTION 4 - CATEGORIES OF RECIPIENTS OF THE DATA TO WHICH THE DATA SUBJECT’S PERSONAL DATA MAY BE COMMUNICATED
Firstly, Data Subjects are informed that, in order to more efficiently manage the processes and functions relating to the carrying out of the Data Controller’s institutional activities, it has adopted an organisational model, based on which it outsources certain activities, processes and functions to other parties.
In order to pursue the purposes set out in Section 3, also considering the outsourcing of certain processes, functions and activities, it may be necessary for the Data Controller to communicate the Personal Data of the Data Subject to third parties in the following categories of recipients:
(a) companies in the Data Controller’s group;
(b) public entities, supervisory authorities and bodies, legal authorities and, in general, public or private parties with public service functions (for example, the Personal Data Protection Authority);
(c) third parties, such as:
parties that provide services of management of the Data Controller’s IT system and telecommunication networks (including email) and administrative services;
parties that carry out technical or organisational duties on behalf of the Data Controller;
parties that carry out transmission, enveloping, transport and sorting of communications with current or potential customers;
parties that carry out archiving of documentation relating to relationships with current or potential customers;
parties that carry out assistance to current or potential customers;
parties that fulfil obligations of control, auditing or certification of activities implemented by the Data Controller.
The above-mentioned recipients may operate as separate controllers, co-controllers, processors and persons in charge of processing, that process the data under the authority of the Data Controller or the Data Processor (for example, employees of the Data Controller for carrying out the duties assigned to them) and may process the data of which they are recipients for the same purposes indicated above.
The updated list of those parties is available on request at the Data Controller’s registered office.
SECTION 5 – PLACE OF PROCESSING AND TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR AN INTERNATIONAL ORGANISATION OUTSIDE THE EUROPEAN UNION.
The processing of Personal Data shall be carried out by the Data Controller in Italy and Luxembourg. In relation to the technical infrastructures adopted or the organisation of the parties to which the personal data may be communicated pursuant to the previous article, processing may also take place in other Member States of the European Union, as well as outside the European Union, provided it occurs in countries that guarantee an adequate level of protection, according to that set out by the European Commission pursuant to Art. 45 of the Regulation, without prejudice to the Data Subject’s rights.
SECTION 6 - METHODS OF PROCESSING AND STORAGE TIMES OF PERSONAL DATA
The Personal Data of the Data Subject is processed using manual, IT and electronic instruments, with logic strictly correlated to the purposes of the processing and, in any event, in a manner that guarantees the security and confidentiality of the data.
All the data collected shall be processed in compliance with the requirements of the Regulation and, in particular, in a lawful, correct and transparent manner, for the purposes indicated above, in a manner that is appropriate, pertinent and limited to that necessary in relation to the purposes of the processing, and subject to appropriate technical and organisational security measures.
The Personal Data of the Data Subject are stored for a period of time not exceeding that necessary to achieve the purposes of the processing. In any event, storage of the data that is necessary pursuant to regulatory provisions applicable at all times shall remain valid. In particular, Personal Data processed for the purposes described in Section 3 (A) shall be stored for a period of no more than 24 (twenty four) months from the date the data was conferred, those pursuant to Section 3(B) for 12 (twelve) months, at the end of which the Data Controller may ask the Data Subject to renew his/her consent to processing, save for, in any case, the right to revoke any consent granted.
SECTION 7 - DATA SUBJECT’S RIGHTS
The Data Subject may, at any time, in relation to the Data Controller, exercise the rights set out in Articles 15 - 22 of the Regulation and Art. 7 of the Personal Data Protection Code, listed below, by sending a specific written request to the DPO, using the contact details indicated in Section 2 of this Disclosure, or, in the case under point 8 of this Section, to the Personal Data Protection Authority.
Using the same methods, the Data Subject may, at any time, revoke the consent expressed in relation to the purposes pursuant to this Disclosure, without this harming the lawfulness of the processing based on consent given prior to the revocation.
1. Right of access
The Data Subject shall have the right to obtain from the Data Controller confirmation as to whether or not Personal Data concerning him or her are being processed, and, where that is the case, access to the Personal Data and the information set out in Art. 15 of the Regulation. This includes, by way of example, the purposes of the processing, the categories of Personal Data processed, the recipients or categories or recipient, as well as the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved.
Where the Personal Data is transferred to a third country or an international organisation, the Data Subject has the right to be informed of the existence of appropriate safeguards – pursuant to Art. 46 of the Regulation - relating to the transfer. If requested, the Data Controller may provide the Data Subject with a copy of the Personal Data processed. The Data Controller may charge a reasonable fee for any additional copies, based on administrative costs. If the request in question is submitted via electronic means, and unless otherwise indicated, the information shall be provided by the Company to the Data Subject in a commonly-used electronic format (for example, certified email or email). It is understood that the right to obtain said copy must not harm others’ rights and freedoms.
2. Right to rectification
The Data Subject has the right to obtain from the Data Controller the rectification of his/her Personal Data that is inaccurate, as well as, taking into account the purposes of the processing, have incomplete personal data completed, by providing a supplementary statement.
3. Right to erasure
The Data Subject has the right to obtain from the Data Controller the erasure of Personal Data concerning him/her, where one of the grounds set out in Art. 17 of the Regulation applies. By way of example, if the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed or the Data Subject withdraws the consent on which the processing is based and there is no other legal ground for processing.
The Data Controller cannot erase the Personal Data of the Data Subject where their processing is required, by way of example, for the establishment, exercise or defence of legal rights.
4. Right to restriction of processing
The Data Subject may obtain the restriction of processing of his/her Personal Data where one of the cases set out in Art. 18 of the Regulation applies. In each of the cases envisaged by the rule in question, the Personal Data may be processed only for the purposes of storage, unless the Data Subject grants his/her consent, or such processing is necessary for the exercise or defence of a legal right of the Data Subject.
5. Right to data portability
Where the processing of the Personal Data of the Data Subject is based on his/her consent, the Data Subject may:
request that he/she receive the Personal Data provided in a structured, commonly used and machine-readable format (for example: computer and/or tablet);
transmit the Personal Data received to another data controller without hindrance from the Data Controller.
The Data Subject may also request that his/her Personal Data be transmitted by the Data Controller directly to another data controller indicated by the Data Subject, if that is technically feasible by the Data Controller. In this case, the Data Subject shall provide the Data Controller with all the exact details of the new data controller to which he/she intends to transfer his/her Personal Data, providing a specific written authorisation for transmission.
6. Right to object
Where the personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling to the extent that it is related to such direct marketing. Where the Data Subjects object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
The right to object may be exercised either fully or partially, also with regard to the various methods used for processing for marketing purposes.
7. Automated individual decision-making, including profiling
According to the Regulation, the Data Subject has the right not to be subject to a decision based solely on automated processing of his/her Personal Data, including profiling, which produces legal effects concerning him or her or significantly affects him or her unless said decision is based on the Data Subject’s explicit consent.
The Data Controller shall implement suitable measures to safeguard the Data Subject’s rights, freedoms and legitimate interests. The Data Subject may object to any automated decision made if this has a legal effect or similarly significant effect. The Data Subject has the right to obtain information on the logic used and the consequences expected for that type of processing. The Data Subject may exercise the right to obtain human intervention on the part of the Data Controller, to express his or her point of view and to contest the decision.
8. Right to revoke consent
Any consent requested by the Data Controller and given by the Data Subject may be revoked at any time, without prejudice to the lawfulness of any processing carried out on the basis of the consent given and prior to the revocation.
9. Right to submit a complaint to the Data Protection Authority
Without prejudice to the Data Subject’s right to apply to any other court or administrative authority, if he/she considers that his or her Personal Data has been processed by the Data Controller in breach of the Regulation and/or of the applicable legislation, he or she may make a complaint to the Authority for the Protection of Personal Data using the following contact details: website: www.garanteprivacy.it; Piazza di Montecitorio no. 121 00186 ROME, Italy Fax: (+39) 06-696773785; telephone switchboard: (+39) 06-696771; Email: firstname.lastname@example.org.