PRIVACY POLICY
This privacy policy(the "Privacy Policy") describes the processing activities of the personal data referring to the users of this web site (accessible at www.unicreditartcollection.eu and, hereinafter, the "Site").
The Privacy Policy is provided pursuant to art. 13 of Regulation (EU) 2016/679 ("GDPR") by the Controller (as defined below).
The Privacy Policy is provided only for the Site, and not for other websites that may be consulted by the user through the Site.
DATA CONTROLLER AND DATA PROTECTION OFFICER
Your data will be processed by UniCredit S.p.A., with registered office at Piazza Gae Aulenti n. 3, Tower A, 20154 Milan, as data controller (hereinafter, also the "Controller").
The Data Protection Officer appointed by UniCredit S.p.A. may be contacted at UniCredit S.p.A., Data Protection Office, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan, email: Group.DPO@unicredit.eu, PEC: Group.DPO@pec.unicredit.eu.
CATEGORIES OF DATA PROCESSED
Navigation data
During their normal operation, the information systems and software procedures used for the functions of this websites collect certain personal data, the transmission of which is implicit in the use of Internet, based on the TCP/IP protocol.
This is information which is not gathered to be associated with identified data subjects, but which by its very nature could, through processing and association with data held by others, enable the users to be identified.
This category of data includes the "IP addresses" or domain names of the computers used by users who visit the Site, the addresses in URI (Uniform Resource Identifier) format of the resources requested, the time of the request, the method used in submitting the request to the web server, the dimensions of the file obtained in response, the numerical code indicating the state of the response given by the web server and other parameters relating to the user's operating system and IT environment.
Such data are used for the sole purpose of handling user requests pursuant to art. 6, let. b) of the GDPR and to check its correct functioning, pursuant to art. 6, let. f) of the GDPR.
It should be noted that the aforementioned data could be used to ascertain responsibility in case of computer crimes against the Site or other websites connected or linked to it.
Data provided by the user
The personal data provided by the user by filling in the forms on the Site will be processed by the Controller for the sole purpose of managing the user's requests, as well as for the purpose of fulfilling the legal obligations to which the Data Controller is subject.
The legal basis applicable to the processing is that of art. 6, lett. b) and c) of the GDPR.
COOKIES
Further information about the cookies installed through the Site are available at the link: www.unicreditartcollection.eu/cookie-policy/.
Optionality of conferment of personal data
Apart from the navigation data, users are free to provide their personal data included in the specific electronic request forms, in the sections of the website prepared for the particular services on request.
It should be noted, however, that failure to provide such information may make it impossible to fulfil the request.
Processing method and security measures
The personal data are processed with automated and non-automated instruments, only for the time strictly necessary to achieve the purposes for which they have been collected.
Specific security measures are implemented to prevent loss of data, illegal or incorrect uses and unauthorized access.
In particular, in the sections of the Site where personal data are requested from users navigating the Site, the channel through which the data transit is encrypted by means of the security technology Secure Sockets Layer & Transport Layer Security, abbreviated as SSL/TLS. The SSL/TLS technology makes available an encrypted channel in which information transits before it is exchanged via internet between the user's computer and the Controller central systems, making it incomprehensible to unauthorized persons and thus guaranteeing the confidentiality of the information transmitted.
The use of SSL/TLS requires however a compatible browser capable of "swapping" a security key with a minimum length of 128 bits, necessary to establish the said secure connection with the Controller central systems.
RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA
The data may be communicated:
i) to those subjects (e.g. administrative, judicial, supervisory and control authorities) to whom such communication must be made in compliance with an obligation provided for by law, by a regulation or by the EU regulations;
ii) third parties, suppliers of products and/or services, whether or not part of the UniCredit Group.
These recipients, depending on the cases, process personal data as Autonomous Data Controller or Data Processor.
Your data may also be disclosed to persons authorized to process personal data, in relation to the data necessary to perform the tasks assigned to them, natural persons belonging to the following categories: workers employed by the Controller or seconded to it, temporary workers, interns, consultants and employees of external companies appointed as data processors.
RIGHTS OF THE DATA SUBJECTS
The GDPR grants individuals, sole proprietorships and/or freelancers specific rights the rights referred to in art. From 15 to 22 of GDPR, including the right to know what personal data is held by the Controller and how it is used (Right of Access), to obtain the updating, rectification or, if interested, integration of such data, as well as their erasure, transformation into anonymous form or limitation.
PERIOD OF DATA STORAGE AND RIGHT TO ERASURE (i.e. RIGHT TO BE FORGOTTEN)
The Controller processes your personal data for the time strictly necessary to achieve the purposes described above.
At the end of the applicable retention period, personal data relating to the user will be deleted or stored in a form that does not permit the identification of the user (e.g., irreversible anonymization), unless their further processing is necessary for one or more of the following purposes: i) resolution of pre-litigation and/or litigation initiated before the expiry of the retention period; ii) to follow up investigations/inspections by internal control functions and/or external authorities started before the expiry of the retention period; iii) to follow up requests from Italian and/or foreign public authorities received/notified to the Controller before the expiry of the retention period.
HOW EXERCISE THE DATA SUBJECTS' RIGHTS
In order to exercise the rights described in the previous paragraphs, the user may apply to: unicreditartcollection@unicredit.eu.
The deadline for the reply is one (1) month, which may be extended by two (2) months in particularly complex cases; in these cases, the Controller will provide at least one interim communication within one (1) month.
The exercise of the rights is, in principle, free of charge; the Controller reserves the right to charge a fee in the event of manifestly unfounded or excessive requests (including repetitive ones).
COMPLAINT OR REPORT TO THE PERSONAL DATA PROTECTION AUTHORITY
The Controller informs you that you have the right to file a complaint or a report to the Italian Data Protection Authority or alternatively to appeal to the judicial authority.