Privacy

REGULATION
WEB
CLIENTS
SIC
REGULATORY FRAMEWORK
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also defined GDPR (General Data Protection Regulation)
  • Italian Data Protection Authority’s decision of 8 May 2014 – Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies.
DATA CONTROLLER

On the website www.creditofondiario.eu data referring to identified or identifiable natural persons is subject to be processed. The “Data Controller” of such processing is Credito Fondiario S.p.A., Via Piemonte 38, 00187 Rome, Italy.

TYPES OF PERSONAL DATA PROCESSED

Navigation Data

The computer-based systems and the software procedures involved in the working of this website can, in the course of their normal service, acquire some personal information, the transmission of which is implied in the use of the protocols of internet communication. This information is not collected to be associated to any identified individual, but, by its own nature might lead to the identification of users. This category of data includes IP addresses or the names stored in the domain of the computers used by those who access the site, the addresses in notation URI (Uniform Resource Identifier) of the required resources, the time of the request, the method used to submit the request to the server, the size of the file received in reply, the digit code showing the state of the reply given by the server (good, error, etc.) and other parameters connected with the operating system and the structure and conditions of the user’s computer. This data is used only to get anonymous statistical information about the use of the site and to check its correct performance, and is deleted immediately after processing. The data might be used to investigate responsibility, should there be any breaches against the site, and for any possible criminal investigation in the event that it is required.

Data voluntarily provided by the user

The optional, explicit and voluntary forwarding of personal data to the email addresses on this site implies the subsequent acquisition of the data provided by the sender, which is essential to the delivery of the required service. Specific, concise information will be reported or displayed on the pages of the site set up for particular services on demand.

COOKIES

This site uses the service offered by Google Analytics.

Google Analytics uses “cookies” to anonymously collect and analyze information on how websites are used. Such information (the user’s IP address included) is collected by Google Analytics, which elaborates it in order to file reports for Credito Fondiario S.p.A. operators about the use of this website. Google does not associate IP addresses to any other collected data and does not try to connect an IP address to a user’s identity. Google can also communicate this information to third parties in case it is required by law or such third parties use the information on behalf of Google.

 

Cookie declaration:

Necessary (3)

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Name Provider Purpose Expiry Type
CookieConsent creditofondiario.eu Stores the user’s cookie consent state for the current domain 1 year HTTP Cookie
cookielawinfo-checkbox-necessary creditofondiario.eu Determines whether the visitor has accepted the cookie consent box. 1 day HTTP Cookie
cookielawinfo-checkbox-non-necessary creditofondiario.eu Determines whether the visitor has accepted the cookie consent box. 1 year HTTP Cookie

Statistics (7)

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

Name Provider Purpose Expiry Type
_ga [x2] creditofondiario.eu
twinesocial.com
Registers a unique ID that is used to generate statistical data on how the visitor uses the website. 2 years HTTP Cookie
_gat [x2] creditofondiario.eu
twinesocial.com
Used by Google Analytics to throttle request rate 1 day HTTP Cookie
_gid [x2] creditofondiario.eu
twinesocial.com
Registers a unique ID that is used to generate statistical data on how the visitor uses the website. 1 day HTTP Cookie
collect google-analytics.com Used to send data to Google Analytics about the visitor’s device and behavior. Tracks the visitor across devices and marketing channels. Session Pixel Tracker

Other cookies(2)

Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.

Nome Provider Purpose Expiry Type
pusherTransportEncrypted apps.twinesocial.com Used by twinesocial.com platform to show last Linkedin’s postspiattaforma twinesocial.com Persistent HTML Local Storage
twine_session twinesocial.com Used by twinesocial.com platform to show last Linkedin’s postspiattaforma twinesocial.com    

For further information regarding how data is gathered and used by Google, we recommend
visiting the website:  www.google.it/policies/privacy/partners/

COOKIES MANAGEMENT

Please note that the complete or partial disabling of technical cookies might affect the functionality of this website. However, you can enable or disable cookies by changing the security settings of your browser.

It is also possible to selectively disable Google Analytics by installing on your browser the optout add-on provided by Google. To disable Google Analytics, click on the following link: https://tools.google.com/dlpage/gaoptout

OPTIONAL DATA SUBMISSION

Apart from that specified for online browsing data, the user is free to provide personal data. However, failing to provide such data may lead to the requested service not being available for use or to a limited use of the website.

PROCESSING ARRANGEMENTS

Personal data is processed with automated instruments only for the necessary time to attain the purposes for which the data was collected. Specific security procedures are maintained to prevent the risks of data loss, unauthorized access or unlawful processing operations. Credito Fondiario S.p.A. has adopted all Minimum-Security Measures required by law and operates in accordance with the agreed international standards. It has also taken further security measures to minimize risks regarding the confidentiality, integrity and availability of the personal data collected and processed.

SHARING, COMMUNICATION AND CIRCULATION OF DATA

The data we collect may be transferred or communicated to other companies for activities closely connected and instrumental to the efficiency of the service, such as the management of the IT system. Personal information may be forwarded to third parties solely and exclusively if this is essential to execute requests from the Judicial Authorities or from the Police. No data deriving from the web service will be circulated.

DATA SUBJECT’S RIGHTS

The user may at any time exercise its rights under the legal framework on data protection (i.e. the GDPR), including:

  • Right of access
    • The right to obtain confirmation as to whether or not personal data or special categories of personal data concerning him or her are being processed.

  • Right to rectification
    • The right to obtain the rectification of personal data from Credito Fondiario.

  • Right to erasure
    • The right to obtain from Credito Fondiario the erasure of personal data, in case the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. In certain cases provided for by the laws and regulations applicable to the banking sector (see Italian Consolidated Banking Act, Bank of Italy Circular No. 285), Credito Fondiario reserves its right to comply with the right of erasure (by way of example but not exhaustive) when the personal data are necessary to ascertain, exercise or defend a right in court.

  • Right to restriction of processing
    • The right to obtain from Credito Fondiario restriction of processing of personal data by all contractors and employees of Credito Fondiario. In certain case, Credito Fondiario reserves the rights to consent the access to a limited number of persons to guarantee security, integrity and correctness of the personal data.
  • Right to data portability
    • The right to obtain from Credito Fondiario the transmission of personal data in a structured and commonly used format. Such transmission may be requested to a portable device (USB stick or hard drive or PC) or to another controller.

  • Right to object
    • The right to object the processing of personal data carried out from Credito Fondiario.

To exercise these rights please send an email to the following address: dpo@creditofondiario.eu.

 

CHANGES TO CURRENT PRIVACY POLICY

Credito Fondiario S.p.A. regularly checks its own privacy and security policy and, if necessary, reviews it in accordance with the amendments introduced by law, the organization, or prompted by technological developments. Any changes to this policy will be published on this page.

QUERIES, COMPLAINTS AND SUGGESTIONS

Further information, requests, suggestions and complaints or concerns about the privacy policy or the way the company treats their personal data, should be addressed to Credito Fondiario S.p.A. at Via Piemonte 38, 00187 Rome, Italy, in writing.

Under EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation),
Credito Fondiario S.p.A., with registered office in Via Piemonte n. 38 00187 Roma (hereinafter referred to as the “Bank”) — certified email: creditofondiario@legalmail.it — both in its own right and as agent of the securitization vehicles (hereinafter referred to as the “Data Controller”) represented by it as a special servicer, is required to provide certain information regarding the use of personal data.

SOURCE OF PERSONAL DATA

The personal data held by the Bank and the other Data Controllers are collected directly from the data subject or from third parties, in which case the information referred to herein shall be provided to the data subject when the data is recorded, or if their communication is envisaged, no later than the first communication. This information may not include the elements already known to the person providing the data and is not due in the cases provided for by law.

SENSITIVE DATA

As a general rule, the Bank and the other Data Controllers do not require the indication of data that Article 9, Paragraph 1, of the General Data Protection Regulations identifies as belonging to the category of details (e.g., data revealing racial and ethnic origin, religious beliefs, political opinions, health and sex life). In the event that, occasionally and unintentionally, the Bank and the other Data Controllers come into possession of “sensitive” data, the law requires a specific expression of consent for their processing, which can be found in the attached form.

PURPOSE OF DATA PROCESSING

The data collected by the Bank and the other Data Controllers will be processed lawfully and fairly, in compliance with the aforementioned law and confidentiality obligations, and will be used solely and exclusively for the purposes described below:

  • purposes strictly connected and instrumental to the management of the relationship with the interested party (for example, acquisition of information prior to the conclusion of financing and/or restructuring contracts, execution of operations on the basis of the obligations deriving from the contract itself, etc.);
  • purposes related to obligations arising from laws, regulations and European legislation, as well as provisions issued by authorities empowered to do so by law and by supervisory and control bodies;
  • institutional purposes as purposes connected and instrumental to fiscal accounting management, supervisory reporting and other obligations connected with credit management;
  • purposes related to debt collection management;
  • purposes related to the management of executive and bankruptcy procedures as well as to the experiment of attempts to define them out of court and in any case to carry out other activities functional to the recovery of receivables;
  • purposes functional to the activity of the Data Controller, for which the interested party has the right to express or deny consent, such as the promotion and sale of products and services of the Data Subject and third parties through letter, telephone or remote communication systems.

Please note that your data will be kept for the period of time strictly necessary, with the utmost confidentiality and in compliance with appropriate security measures. The processing is carried out with reference only to the categories of data, data subjects and recipients of the communication strictly related to this compliance, keeping the data no longer than the period required for such compliance.

MODALITIES OF PROCESSING

In relation to the indicated purposes, the processing of personal data is carried out through manual processing, computer and telematic tools and, in any case, such as to ensure the security and confidentiality of the same, even in the case of use of remote communication techniques.

CATEGORIES OF SUBJECT TO WHOM THE DATA MAX MAY BE BE COMMUNICATED

The data provided by you may be communicated for the purposes described above to:

  • companies belonging to Groups of Controllers;
  • companies that provide banking, insurance and financial services;
  • payment service companies, credit card companies etc;
  • companies that carry out technical-legal-administrative-accounting investigations of files and/or administrative-accounting management of relationships;
  • companies that carry out activities of transmission, enveloping, transport and sorting of the communications concerned to the person concerned;
  • companies that provide filing services for the documentation relating to the relationship with the person concerned;
  • companies that provide services relating to debt collection and services connected with and instrumental to the management of the relationship with the party concerned (for example: acquisition of information prior to and/or subsequent to the conclusion of financing and/or restructuring contracts);
  • management companies of national and international systems for the control of risks and fraud against financial intermediaries, banks and interested parties and debt collection, including CRIF S.p.A. with registered office in Via M. Fantin, 1 – 3 – 40131 Bologna (BO), which will hold them as independent holders in both paper and automated mode.
    Such data will also be communicated for the same purposes to entities belonging to the CRIF S.p.A. credit protection bureau, to CRIF Group companies and to other companies, including foreign companies, operating in the granting of loans including payment extensions. Such processing will be carried out for the time necessary to achieve the said purpose, i.e., it will be stored according to the time of permanence of the data in use in the sector of private risk centres. CRIF S.p.A. has appointed IBM Italia, with registered office in Circonvallazione Idroscalo — 20090 Segrate (MI), as data processor. The updated list of those responsible may be collected at the registered office of CRIF S.p.A. or sent by the latter at the express request of the person concerned. The provision of data is necessary in order to allow the Institute to adequately assess credit risk;
  • persons, companies, associations or professional firms providing services or activities of assistance and advice to the Data Controllers, with particular but not exclusive reference to accounting, administrative, legal, tax and financial matters;
  • companies auditing and certificating the financial statements;
  • payment services management companies;
  • persons to whom the right to access the Data is recognized by provisions of law and secondary legislation or by provisions issued by authorities empowered to do so by law;
  • people, companies, associations, including professional associations that carry out activities of promotion and sale of products distributed by the Data Controllers;
  • company which verify the level of customer satisfaction;
  • companies that take care of the organization of securitization transactions pursuant to Law no. 130/99, in all its aspects and operational phases.
  • The subjects belonging to the categories to which the data may be communicated will use such data as Data Controllers in accordance with the law, in full autonomy, being extraneous to the original processing. A detailed and up-to-date list of such persons is available at the offices of the Bank and the other Holders.
DATA RETENTION

Personal data collected in performance of this contract will be retained for ten (10) years after the conclusion of the transaction, without prejudice to any additional retention obligations under other applicable regulations.

RIGHTS UNDER ARTICLE 15 OF THE GENERAL DATA PROTECTION REGULATION

In full compliance with the provisions of Article 15 of EU Regulation 2016/679, the Bank and the other Data Controllers hereby inform you that you are entitled, inter alia, to obtain:

  • the confirmation of whether personal data concerning you exist, even if not yet recorded;
  • the communication in an intelligible form of the same data and their origin, as well as the logic of the method and purposes on which the processing is based;
  • the identification details of the Data Controller, the data protection managers of each individual Data Controller, if designated, as well as the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of it in their capacity as designated representative in the territory of the State, managers or persons in charge;
  • the cancellation, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed, updating, rectification or, if interested therein, integration of data; certification that these operations have been notified, also as regards their contents, to those to whom the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate to the protected right.
    You also have the right to object, in whole or in part, for legitimate reasons, to the processing of personal data concerning you, even if pertinent to the purpose of collection and to object, in whole or in part, to the processing of personal data concerning you, provided for purposes of commercial information or sending advertising materials or direct selling or for carrying out market research or interactive commercial communication and to be informed by the Data Controller, no later than when the data are communicated or disseminated, of the possibility to exercise this right free of charge or the right to lodge a complaint to a supervisory authority.
    In order to exercise the rights as set forth in Article 15 of EU Regulation 2016/679 summarized above, the data subject must contact the Data Controller by registered letter with return receipt and electronic mail at the addresses indicated above or the Data Protection Officer at the following email address: dpo@creditofondiario.eu.

We inform you that the Managers of Italian Credit Information Systems (SIC), including CRIF, to which Credito Fondiario adheres, have adapted their operations to the “Code of Conduct for information systems managed by private parties in terms of consumer credit, reliability and punctuality of payments” (hereinafter referred to as the “Code”), approved by the Authority for the protection of personal data with Provision no. 163 of 12 September 2019.

The Code replaces the previous “Code of Ethics and Good Conduct” and largely re-proposes its structure, general principles and content, aligning its provisions with the General Data Protection Regulation (GDPR).

With the approval of the Code, the Authority has therefore formally recognized its full compliance with the principles and rules of the GDPR.

Credito Fondiario, in its capacity as a member of the SIC, as a partial modification/integration of the information provided to it at the time, sets out the main innovations introduced below:

  • It is no longer necessary to obtain the consent of the person concerned in order to provide positive credit information to the SIC and it is therefore no longer possible from now on to revoke any credit information you may have provided in the past. Indeed, the processing of personal data by the operator and the participants in the SIC, according to the terms and conditions set out in the Code, is lawful under Article 6, Paragraph, 1 letter f) of the GDPR, as it is necessary for the pursuit of legitimate interests of the participants in the use of the SIC. If you had not given your consent to the processing of positive data at the time of the request for financing or had subsequently revoked it, as a result of the above the refusal will no longer be valid and the Company will also provide the SIC with your positive data;
  • the retention times of credit information by SICs have been changed, namely:
    • those of a positive nature relating to a terminated relationship may be retained by SICs for up to sixty months from the date of termination of the relationship or expiry of the relevant contract. Positive information may be further stored in the system if negative credit information is found to be present in relation to other credit relationships with the same party;

      unsuccessful or waived requests may be stored in the credit information system no later than ninety days from the date of their update;

  • the possibility of registering the personal data of the supplier of leased assets has been introduced in order to prevent fraud for these types of financing.
    Full information on the purposes, methods and times of data storage is available on the websites of the companies that own the Credit Information Systems (SIC): • CRIF www.crif.it,
    The updated information of our Company is attached to this communication and is available in the “Privacy” section of Credito Fondiario S.p.a. website.

Information on the Code of Conduct for the Processing of Personal Data for the Purposes of Commercial Information

HOW WE USE YOUR DATA

(This information, referred to in Articles 13 and 14 of EU Regulation 679/2016 (GDPR) is also provided on behalf of credit information systems)

Dear Customer,

Credito Fondiario, as data controller, informs you that in order to comply with your request, it will use some data concerning you. This is information that you provide us with or that we obtain by consulting certain databases.

These databases (Credit Information System or SIC), containing information about the persons concerned, are consulted to assess, assume or manage a credit risk, to evaluate the reliability and punctuality of the payments of the person concerned and are managed by private individuals and participated by private entities belonging to the categories that you will find in the information provided by the managers of the SICs.

This information will be held with us; some of the information you provide us with, together with information arising from your payment behavior in relation to the relationship you are going to establish, may be communicated to the SICs from time to time.

This means that the persons belonging to the above-mentioned categories, to whom you will ask to establish a relationship, will be able to know if you have made a request to us and if you pay regularly.

The processing and communication of your data is a necessary requirement for the conclusion of the contract. Without this data, we may not be able to comply with your request.

The storage of this information by the databases is carried out on the basis of the legitimate interest of the data controller to consult the SICs.

DATA PROCESSING MADE BY OUR COMPANY

Your data will not be transferred by us to a third country outside the EU or to an international organization.

According to the terms, methods and within the limits of applicability established by current legislation, you have the right to know your data and to exercise the various rights provided for in Articles 15 to 22 of GDPR relating to their use (rectification, updating, cancellation, limitation of processing, opposition, etc.).

You may file a complaint with the Authority for the protection of Personal Data (www.garanteprivacy.it), as well as use the other means of protection provided by applicable law.

We store your data at our company for the time necessary to manage your contractual relationship and to comply with legal obligations (for example, for the provisions of Article 2220 of the Italian Civil Code on the conservation of accounting records).

For any request concerning your data, please use in your interest the facsimile on the website www.garanteprivacy.it, forwarding it to

our company: Credito Fondiario S.p.a. — Ufficio Amministrazione — Via Piemonte, 38 00187 ROMA — Telephone 0039 06 5796743 — Fax 0039 06 5796254 — website address www.creditofondiario.eu — e-mail info@creditofondiario.eu.

and/or the companies indicated below, to which we will communicate your data:

  • CRIF S.p.A.

Your data are not used in the automated decision making process of a credit application.

We would also like to inform you that you can contact our Data Protection Officer at the following address: dpo@creditofondiario.eu.

TREATMENT CARRIED OUT BY THE MANAGER OF SICS

In order to better assess the credit risk, as well as the reliability and punctuality of payments, we communicate some data (personal data, including the person who may be co-obliged, type of contract, amount of credit, method of reimbursement) to the SIC systems, which are governed by the relevant Code of Conduct for the processing of personal data for commercial information purposes (“Code of Conduct”), approved by the Authority for the protection of personal data, by Resolution of 12/06/2019, no. 127 (website www.garanteprivacy.it) and that hold the status of independent data controller. The data are also made accessible to the various private entities belonging to the categories that you will find in the information provided by the SIC managers, available through the channels listed below.

The data concerning you are periodically updated with information acquired during the course of the relationship (payment trends, residual debt exposure, status of the relationship).

Within the scope of the SIC, your data will be processed according to methods of organization, comparison and processing strictly necessary to pursue the purposes described above and in particular to extract from the credit information system the information ascribed to you.

Your data are not subject to any particular statistical processing in order to give you a synthetic judgement or a score on your degree of reliability and solvency (so-called credit scoring). Some additional information may be provided if your request is not accepted.

The credit information systems to which we adhere are managed by:

IDENTIFICATION DETAILS:

CRIF S.p.a. — registered office in Bologna, Via M. Fantin, n. 1-3, Public Relations Office: Via Zanardi, n. 41 — 40131 Bologna — Tel. 0039 051 6458900, website www.consumatori.crif.com / CONTACT DATA: for any further information regarding the processing of personal data processed by Crif S.p.a., the data subjects may contact the data protection officer appointed by Crif S.p.a. at the following addresses: e-mail dirprivacy@crif.com, or certified e-mail crif@pec.crif. com / SYSTEM TYPE: positive and negative / DATA STORAGE TIMES: these times are indicated in the table below / USE OF AUTOMATED CREDIT SCORING SYSTEMS: yes / EXISTENCE OF AUTOMATED DECISIONAL PROCESS: no / OTHER: CRIF S.p.a. adheres to an international circuit of credit information systems operating in various European and non-European countries and, therefore, the data processed may be communicated (if all legal requirements are met) to other companies, including foreign companies, which operate — in compliance with their country’s legislation — as independent operators of the aforementioned credit information systems and therefore pursue the same processing purposes as the system managed by CRIF S.p.a. (list of foreign affiliated systems available at www.crif.it).

You have the right to access data concerning you at any time. Please contact our company Credito Fondiario S.p.a.Ufficio AmministrazioneVia Piemonte, 38 00187 ROMA — Telephone 0039 06 5796743 — Fax 0039 06 5796254 — www.creditofondiario.eu — e-mail info@creditofondiario.eu, or the managers of credit information systems, at the above-mentioned addresses. 

Likewise, you may request the correction, updating or integration of inaccurate or incomplete data, or the cancellation or blocking of data processed in violation of the law, or oppose their use for legitimate reasons to be highlighted in the request (Articles 15 to 22 of the EU Regulation, excluding Article 20).  

DATA RETENTION TIMES IN CREDIT INFORMATION SYSTEMS:
Type Time
Financing requests For the time necessary for the relevant investigation and in any case no later than 180 days from the date of submission of the request, or 90 days in the event of rejection of the request or renunciation of the same
Delinquency of two instalments or two months then repaid 12 months after regularization
Higher delays resolved also on transaction 24 months after regularization
Negative events (i.e. delinquencies, severe default, NPLs) 36 months from the contractual expiry date of the relationship or, in the case of other relevant events in relation to the payment, from the date on which their last update was necessary and in any case also in the latter case, up to a maximum of 60 months from the expiry date of the relationship as resulting from the contract
Positive relationships (without delays or other negative events)

No later than 60 months from the date of termination of the relationship or expiry of the relevant contract, or from the first update made in the month following those dates.

The above information may be further stored if the system contains, in relation to other credit relationships relating to the same party concerned, negative credit information concerning delays or defaults that have not been regularized