Skip to Header Skip to Content Skip to Footer

Privacy Policy

With reference to the processing of personal data belonging to users who visit the website, the ways in which the Gallerie d’Italia website and application are managed are detailed on this page. This Policy is provided, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679, for those who use web-based services accessible online from the address: Gallerie d'Italia and via the application.

This document also takes into account Recommendation no. 2/2001 that the European data protection authorities adopted to identify the minimum requirements for online personal data collection.

The Policy relates exclusively to the website of Gallerie d'Italia and does not apply to other websites accessed by the user via links. The same Policy is valid for the Gallerie d’Italia application.

The Data Controller is Intesa Sanpaolo S.p.A. with registered office in Turin, Piazza San Carlo, 156 – 10121.

Purpose of data processing

The data processing related to the web services of this website and application is performed exclusively by the technical personnel of the department responsible for data processing. No data from the web service is disclosed or disseminated.

Personal data provided by users who request information are only used to carry out the service requested, and are only disclosed to third parties if necessary for that purpose.

Data processing methods

Personal data are processed by automated systems for the time strictly necessary to achieve the purposes for which they were collected. Specific security measures are taken in order to prevent data loss, illegal or improper use and unauthorised access.

App data and processing methods

The processing of personal data resulting from the installation and use of the application is carried out to enable the use of the services distributed through this application.

Following the download and installation of the application, the model used, as well as the type and version of its operating system, are automatically detected from the mobile device. This information helps us to provide the services requested and manage the application, analyse its usage, protect the application and its content from improper or inappropriate use, and improve the user experience.

Personal data are used to provide access to the application, maintain and improve it, and communicate with users.

The download of the application is also used as numerical data for the sole purpose of collecting anonymous statistical information on the number of users who download the application.

The computer systems and software processes used to operate the application (App Store or Google Play) acquire, during their normal operation, certain data relating to the user whose transmission is implicit in the use of Internet communication protocols and the devices used. The Bank is not involved in such processing and therefore may not be held responsible for such processing.

The data subject may in any case consult the privacy information on the following sites:

App Store:

Google Play:

Data provided voluntarily by the user

The optional, explicit and voluntary sending of emails to the addresses indicated on this website and on the application involves the subsequent acquisition of the sender’s address, required in order to reply to the requests, as well as any other personal data included in the message. Providing personal data is optional but it is strictly necessary for managing requests made by the data subject and performing the services offered.

Rights of data subjects

Data subjects have the right to exercise, at any time against the Data Controller, the rights provided by the Regulation (right of access, rectification, erasure, restriction of processing, data portability, and objection) by sending a written request via email to or via post to Intesa Sanpaolo S.p.A., Piazza San Carlo, 156 10121 Turin.

Browsing data

Computer systems and software procedures responsible for the operation of this website and the application acquire, during their normal operation and only for the duration of the connection, some personal data whose transmission is implicit in the use of Internet communication protocols and the application. This is information that is not collected to be associated with identified data subjects, but which by its very nature could, through the processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of computers and mobile devices used by users who connect to the website and application, URI addresses (Uniform Resource Identifier) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.) and other parameters related to the operating system and the user’s IT environment.

This data are processed for the following purposes:
o to comply with national and European law and the regulations of supervisory and control bodies, also in relation to operating and credit risk monitoring obligations at banking Group level; the processing of personal data in order to comply with regulatory requirements is mandatory and your consent is not required.

o to pursue a legitimate interest of Intesa Sanpaolo, Group companies or third parties if such interests do not conflict with the interests or fundamental rights and freedoms of the data subjects (article 6.1 letter f of Regulation (EU) no. 679/2016), namely:

o to ascertain liability in the event of hypothetical computer crimes against the website, and for investigations should any disputes arise.

o to collect anonymous statistical information on the use of the website and application and to monitor their proper functioning, as well as for measurement purposes and to improve the services offered and the website and application.

o to pursue any other legitimate interests. In the latter case, the Data Controller may process your Personal Data only after informing you and having ascertained that achieving its legitimate interests or those of third parties does not compromise your fundamental rights and freedoms.

and your consent is not required.

The browsing data collected (both via the website and the application) are stored on the servers for a period of 7 days. Personal Data may, also, be processed for a longer period, if an act interrupting and/or suspending the statute of limitations occurs that justifies the extension of data retention..

With regard to the data saved by the application in the “keystore” of the mobile device, on the basis of the operating system used please note:

• Android: data is saved in “shared preferences” until the customer clicks on “Cancel data” in Manage Applications or uninstalls the application;

• IOS: data is saved in the “keystore”.

The Bank is not involved in this processing; for further information on the saving and erasure of data on mobile devices please contact the producers of the operating systems used.