Privacy Disclaimer

INFORMATION NOTICE TO NATURAL PERSONS PURSUANT TO ARTICLE 13 AND 14 OF REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016 (HEREINAFTER “NOTICE”)

The Regulation on the “protection of natural persons with regard to the processing of personal data and on the free movement of such data” (hereinafter the “Regulation”) contains a series of rules aiming to guarantee that the processing of personal data takes place in compliance with the rights and fundamental freedoms of people. This Notice incorporates its requirements.

Identity and contact details of the data controller

Intesa Sanpaolo S.p.A., with registered office in Piazza San Carlo 156, 10121 Turin, Parent Company of the Intesa Sanpaolo international Banking Group, in its capacity as Data Controller (the “Bank” or the “Data Controller”) processes your personal data (the “Personal Data”) for the purposes indicated below.

Contact details of the data protection officer

Intesa Sanpaolo appointed the “data protection officer” as required by the Regulation (so-called “Data Protection Officer” or DPO). For all matters relating to the processing of your Personal Data and/or to exercise the rights provided for by the Regulation, you may contact the DPO at the following email address: dpo@intesasanpaolo.com

Categories of personal data, purposes and legal basis of the processing

Included among the Personal Data that the Bank processes, by way of example, are personal and contact details. Personal data are processed by the Bank in a lawful and fair way for the following purposes:

1. The sending of invitations and newsletters related to events scheduled at Gallerie d'Italia or other Intesa Sanpaolo cultural initiatives (service currently available only for the Gallerie d’Italia website and not for the app). The provision of personal data for this initial purpose is preliminary to the eventual choice to continue with the input of the data necessary to pursue additional purposes. Failure to provide personal data for this purpose will result in the impossibility of processing your requests. 

2. Legitimate interest of the Data Controller. The processing of your personal data may be necessary to pursue a legitimate interest of the Bank, i.e., to carry out fraud-prevention activities; to acquire images and videos relating to the video surveillance system for security purposes; and to pursue any further legitimate interests. In the latter case, the Bank may process your Personal Data only after having informed you and having ascertained that the pursuit of its legitimate interests or those of third parties does not compromise your fundamental rights and freedoms, and your consent is not required.

Categories of recipients to whom your personal data may be communicated

Within the Bank and the Intesa Sanpaolo Banking Group, only employees and external collaborators authorized to process your personal data, as well as structures that perform technical, support (IT services) and company control tasks on behalf of the Bank and Group, may have access to your personal data. For the pursuit of the above purposes, the Bank also needs to share your personal data with external subjects who either act as Data Processor or operate completely independently as separate Data Controllers. The list of these subjects, which is constantly updated, is available at the Bank’ branches.

Transfer of personal data to a third country or to an international organisation outside the European Union

Your Personal Data are processed by the Bank inside the European Union and are not disclosed. If necessary, for technical or operational reasons, the Bank reserves the right to transfer your Personal Data to countries outside the European Union for which there are “adequacy” decisions of the European Commission, or based on the appropriate safeguards or specific exemptions specified in the Regulation.

Processing method and personal data storage periods

Your Personal Data will be processed using manual, electronic and telematic tools, and in a way that ensures its security and confidentiality.

Your Personal Data are kept for a period not exceeding that necessary to achieve the purposes for which they are processed, save the retention period prescribed by law. Your Personal Data will be retained by the Bank for the duration of your subscription to the service, in particular in the event of the inactivity of the Gallerie d’Italia application for over two years and/or until you withdraw from it. It will then be permanently deleted from the archives.

Rights of the Data Subject

As Data Subject, you may exercise, at any time against the Data Controller, the rights provided by the Regulation listed below (right of access, right of rectification, erasure, restriction of processing, data portability, and objection) by contacting Intesa Sanpaolo - Piazza San Carlo 156 – 10121 Torino [email dpo@intesasanpaolo.com] (as regards the website and the application) and making explicit reference to your subscription to the mailing list “Gallerie d’Italia and other Intesa Sanpaolo cultural initiatives”, only for the Gallerie d’Italia website.