Notice on the processing of personal data

Dear Sir / Madam / Company, pursuant to Regulation (EU) 2016/679 on the protection of individuals with
regard to the processing of personal data and on the free movement of such data (hereinafter, the
“Regulation” or “GDPR”), Guber Banca S.p.A., as Data Controller (hereinafter, “Guber”, the “Bank” or the
“Controller”), provides you with the following notice.

 

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016< on
the protection of individuals with regard to the processing of personal data and on the free movement of
such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter, the
“Regulation” or “GDPR”), Guber Banca, with registered office in Via Corfù n. 102, 25124 – Brescia (BS)
(hereinafter, the “Bank” or the “Controller”), provides you with the following information on “processing”:
i.e. any operation or set of operations, carried out with or without the aid of automated processes and
applied to personal data or sets of personal data, such as the collection, recording, organization, structuring,
storage, adaptation or modification, extraction, consultation, use, communication by transmission,
dissemination or any other form of making available, comparison or interconnection, limitation, deletion or
destruction, of the following “personal data”:
– personal data: any information concerning an identified or identifiable natural person (“interested
party”); an identifiable person is one who can be identified, directly or indirectly, with particular
reference to an identifier such as a name, an identification number, location data, an online identifier
or one or more characteristic elements of his/her physical, physiological, genetic, psychic, economic,
cultural or social identity;

– special categories of personal data: personal data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs or trade union membership, genetic data, biometric data intended
to uniquely identify a natural person, data concerning a person’s health or sex life or sexual
orientation;

– personal data relating to criminal convictions and offences: personal data relating to criminal
convictions and offences or related security measures, essentially corresponding to “judicial data”,
i.e. personal data disclosing measures pursuant to Article 3, paragraph 1, letters a) to o) and r) to
u), of D. P.R. November 14, 2002, n. 313, on the subject of criminal records, registry of
administrative sanctions dependent on crime and the related pending loads, or the quality of accused
or investigated under Articles 60 and 61 of the Code of Criminal Procedure.

 

1. Purposes and methods of processing

 

1.1 The processing of personal data is directed exclusively to the achievement of the following purposes

a) for preliminary requirements to the provision of our services, to fulfill in a correct and timely manner all
the obligations arising from the contractual relationship with you established, the obligations arising from
the law or regulations in force, with particular reference to the fiscal and public security, as well as for the
protection of credit positions arising from the aforementioned contractual relationship;
b) for management, administrative and accounting purposes;
c) for marketing purposes, including profiling related to marketing.
d) for purposes of verification and verification of documentation, which may include special data relating to
vulnerable persons.

Should it become necessary to process your personal data for a purpose other than that for which they were
collected, prior to such further processing, the Data Controller will provide you with information regarding
the different purpose and any further information necessary to ensure correct and transparent processing.
This does not exclude the case in which such purpose can be considered compatible with the initial purpose
according to the law.

1.2 As part of the Owner’s activities, your personal data will be processed in compliance with the law, in
accordance with the principles of correctness and lawfulness, necessity and relevance, in the protection of
your privacy and your rights and will be carried out through the use of manual and computer tools, with
logic strictly related to the above purposes and, in any case, to ensure the security and confidentiality of
data.

 

2. NATURE OF DATA CONFERMENT AND CONSEQUENCES OF NON-COMMUNICATION

 

The conferment of the data is compulsory for the purposes of the processing illustrated above. An eventual
refusal to provide the above mentioned data could compromise the establishment of the relationship with
the Bank.

 

3. COMMUNICATION AND DISSEMINATION OF DATA

 

Your personal data are not and will not be disclosed. Your data may be communicated
a) to all those subjects (including Public Authorities) who have access to personal data by virtue of
regulatory or administrative measures;
b) to third parties, both in Italy and abroad, within the European Union, in order to allow the achievement
of the purpose of the assignment given and, in particular, to these categories of subjects (i) other debt
collection companies, (ii) commercial information companies, professionals, collaborators (internal and/or
external), (iii) lawyers, attorneys, consultants, judicial authorities, banks, credit and financial institutions,
insurance institutions, (iv) partner companies with which Guber has reached commercial agreements for
the achievement of its corporate purposes;
c) companies, consultants or professionals responsible for the installation, maintenance, updating and, in
general, the management of Guber Banca S.p.A.’s hardware and software or which the Bank uses to provide
its services;
d) to companies in charge of accounting management, invoicing and the preparation of financial statements;
e) to other companies belonging to our Group;
f) to all those public and/or private subjects, natural and/or legal persons (legal, administrative and fiscal
consultancy firms, Judicial Offices, Chambers of Commerce, Chambers and Offices of Labour, etc.), if the
communication is necessary or functional to the correct fulfilment of the contractual obligations undertaken,
as well as the obligations deriving from the law.

 

4. TRANSFER OF PERSONAL DATA

 

The management and storage of personal data will take place in Europe. They are not directly communicated
to recipients operating outside the European Economic Area (EEA) and subject to a foreign jurisdiction, with
the exception of the transfer of personal data to companies based in non-EU countries that are part of the
same group of companies in compliance with the Binding Corporate Rules (BCR).

 

5. PERSONAL DATA CONTROLLER

 

The Data Controller of personal data is Guber Banca S.p.A., with registered office in Via Corfù n. 102, 25124
– Brescia (BS). It is responsible for the basic choices regarding the purposes and methods of data processing,
also with regard to security. All instances and requests relating to the processing of personal data concerning
you may be addressed to the Data Controller at the following contact details
(a) Guber Banca, Via Corfù n. 102, 25124 – Brescia (BS);
b) email address: trattamentodati@guber.it.

 

6. DATA PROTECTION OFFICER

 

The Data Controller has appointed a Data Protection Officer pursuant to article 37 of the Regulation who
can be contacted at trattamentodati@guber.it.

 

7. PERSONAL DATA RETENTION

 

The personal data concerning you will be kept only for the time necessary to ensure the proper provision of
services offered by the Bank and in any case no longer than 10 years after the termination of our contractual
relationship.

 

8. PERSONAL DATA SECURITY

 

The Data Controller has adopted adequate technical and organizational measures to ensure a level of
security appropriate to the risk in accordance with the requirements contained in art. 32 of the GDPR.

 

9. RIGHTS OF THE INTERESTED PARTY

 

Pursuant to Articles. 15 et seq. of Chapter III and art. 77 of the Regulation, you may, at any time, exercise
your rights to:
a. access to personal data;
b. ask for the rectification or cancellation of the same or the limitation of the treatment of the same;
c. object to the processing;
d. portability of data;
e. complain to the supervisory authority (Privacy Guarantor).
The above rights may be exercised at any time by sending a request to the Data Controller by mail or email
to the aforementioned contact details. The deadline for the response to the interested party, starting from
the receipt of the request, is one (1) month extendable up to three (3) months in cases of particular
complexity.