1) Data provided voluntarily by users

The user may voluntarily provide the Controller with its personal data, with specific reference to personal information, e-mail address and other contact data, in the following circumstances:

• sending communications by e-mail to the addresses provided in this website;
• filling in online contact forms present on this website to request assistance;
• subscribing to the periodical newsletter;
• taking part in surveys to investigate the quality of services offered;
• creating a personal account and using the services connected to the account.

The personal data provided are collected, processed and stored by the process Controller for the following purposes:

• to respond to communications received;
• to respond to the requests for assistance (including reports on any disservice);
• to send newsletters and other information and/or advertising material for products and services offered by the process Controller;
• to generate and manage user accounts;
• to process data collected during surveys conducted to assess the level of satisfaction with services provided.

The personal data supplied are processed by the Controller solely for the time needed to achieve the purpose they were collected for. Once that purpose has been achieved, the personal data are deleted or made irreversibly anonymous.

Users using the forums, or other channels, to publish their contents, hence including their personal data, on this website, acknowledge that information made public can be read, collected and used by third parties who have no relationship with the Controller, also to send unwanted messages. The Controller declares that it is not responsible for any improper use that third parties could make of the personal data that users decided to publish through the channels mentioned.

2) Navigation data

During their normal operations and solely for the connection duration, the information systems operating this website acquire some personal data transmitted implicitly on using internet communication protocols. This information is not collected to be associated with identified data subjects but, for its very nature, could enable user identification through processing and association with data held by third parties. This data category includes: IP addresses or the names of computers used by users to connect to this website; URI (Uniform Resource Identifier) addresses of the resources requested, the time requests are made, the method used to submit requests to the server, the size of the file obtained in response, the numerical code indicating the status of the answer given by the server (successful, error, etc.), the characteristics of the browser used for navigation purposes, the size of the window in which the browser is performed in the device used, and other parameters related to the user’s operating system and computer environment. These data are only to collect anonymous statistics on how this website is used and to check it operates correctly, and are deleted straight after processing. The data could be used to ascertain responsibilities in any hypothetical computer crimes damaging the website. In that occurrence too, the contact data do not last longer than seven days.

Cookies are small strings of text that the website sends and memorises in the user’s device; to then be used by the website itself at the user’s next visit. During navigation, the user’s device may also receive cookies sent by different websites or web servers (belonging to so-called “third parties”), on which there could be elements (for example, images, maps, sounds, specific links to the pages of other domains) present on the website visited. Cookies are used for different purposes such as performing IT authentication, monitoring sessions, memorising information on specific configurations concerning users accessing the server.

Personal data collected by the website are processed automatically for the time strictly needed to achieve collection purposes. Where needed, processing performed by the Controller on data collected from the website could be based on automated decision-making processes that produce legal effects or have a similar significant effect on the data subject such as, for example, processing performed using profiling cookies. Suitable technical and organisational security measures are complied with to prevent damage, whether material or immaterial (e.g. loss of control of the personal data or limiting rights, discrimination, theft or usurping identity, financial losses, unauthorised decryption of pseudonymisation, prejudice to reputation, loss of the confidentiality of personal data protected by professional secret or any other significant economic or social damage).

In order to pursue the stated purposes, or when indispensable or required by the law or by authorities with the necessary power, the Data Controller reserves the right to communicate the data to both natural and legal persons who operate as separate autonomous data controllers or as data processors appointed for this purpose. In particular, for the provision of web services provided through cookies, users’ personal data may be communicated to third parties specifically indicated in the website’s cookie banner.

The personal data may be known, related to tasks performed, by Controller employees, including internees, temporary workers, consultants, all specifically authorised, instructed and appointed as processors.

Lastly, no data coming from the web services are circulated.

When needed to perform the purposes mentioned, the data of the data subject could be transferred abroad, to non-EU Countries/organisations that guarantee a personal data protection level deemed suitable by the European Commission with a decision; or, in any case, based on other suitable guarantees, for example the Standard Contractual Clauses adopted by the European Commission. A copy of any data transferred abroad and the list of the non-EU Countries/organisations to which the data has been transferred can be obtained from the Controller by submitting a specific request by ordinary mail sent to the registered office of the Controller or by e-mail sent to privacy@bancaifis.it.

Pursuant to articles from 15 to 22, the Regulation attributes specific rights to the data subject. More specifically, the data subject can obtain: a) confirmation of whether its personal data is being processed or not and, in that case, access to that data; b) rectification of incorrect personal data and integration of any incomplete data; c) erasure of its personal data in cases where it is permitted by the Regulation; d) restriction to processing, for hypotheses set forth in the Regulation; e) communication, to recipients that the personal data were transmitted to, of the requests to rectify/erase the personal data and restrict processing received from the data subject, except when that should prove impossible or imply a disproportionate effort; f) reception, in a structured, commonly-used format readable by an automatic device, of the personal data provided to the Controller and their transmission to another controller, at any time, even if relations possibly held with the Controller should cease. The data subject also has the right to object at any time to its personal data being processed. In those cases, the Controller is obliged to abstain from any further processing, with no prejudice to reasons permitted by the Regulation. The data subject also has the right not to be subjected to a decision based solely on automated processing, including profiling, that causes legal effects concerning him/her and significantly affecting his/her person; unless that decision: a) is needed to finalise or execute a contract between the data subject and the Controller; b) is authorised by Union law or that of the member State the Processor is subject to; c) is based on the specific data subject consent. For the aforementioned letters a) and c), the data subject has the right to obtain human intervention from the Controller, to express its opinion and dispute the decision. Requests may be submitted by ordinary mail sent to the registered office of the Processor or by email sent to odo@ifis.pl. The data subject also has the right to submit a complaint to the data protection Authority pursuant to art. 77 of Regulation (EU) 2016/679, and to take legal action pursuant to arts. 78 and 79 of the Regulation itself.