(information provided in accordance with Regulations (EU) No. 679/2016 on personal data protection, known as the “General Data Protection Regulation” (GDP))
On this page are described the procedures for the administration of the site with regard to the processing of personal data related to users who consult the website. The information is provided for this site only and not for other pages that users may consult by clicking on links.
Unione di Banche Italiane S.p.A. (hereinafter the “Bank”) with registered office at 8 Piazza Vittorio Veneto, 24122 - Bergamo, Data Controller of your personal data, provides the following information.
DATA PROTECTION OFFICER
The Bank has appointed a Data Protection Officer (DPO) who may be contacted at the following addresses:
postal address: UBI Banca S.p.A.- Data Protection Officer: 4 Via Don Angelo Battistoni, 60035 Jesi (Ancona)
email address: DPO@ubibanca.it
certified email address (PEC): DPO.email@example.com
SCOPE OF DATA PROCESSING
Data processing connected with the web services of this site is carried out only by the technical personnel of the office responsible for data processing or by persons who may be engaged for occasional maintenance operations. Data may also be processed by persons engaged by UBI Sistemi e Servizi S.p.a., the services company of the UBI Banca Group appointed as the Data Processor for the management of the IT system. Personal data furnished voluntarily by users who make use of site functions or send in requests for information is used for the sole purpose of providing the service requested.
ENTITIES OR CATEGORIES OF ENTITIES TO WHOM THE PERSONAL DATA MAY BE COMMUNICATED
In order to pursue the above aims, the Bank may communicate your data, by transmitting it, to specific persons, including individuals abroad, belonging to the following list of categories:
entities identified by law;
entities that provide banking, financial or insurance services;
companies belonging to the Unione di Banche Italiane banking Group, or in any case to its subsidiaries or associates;
entities that provide services for the management of the Bank’s IT system;
entities that carry out document filing activities;
entities that provide assistance to customers (e.g. by telephone);
entities that carry out activities for the supervision, audit and certification of activities performed by the Bank, which may be also in the interests of customers.
The entities belonging to the above-mentioned categories shall use data received in their capacity as independent “Controllers”, except in those cases where “Data Processors” with specific responsibilities have been appointed by the Bank. An up-to-date list of Data Processors is available by clicking on the relative link at the foot of this information page. The personal data of users is not made public.
PERSONAL DATA CATEGORIES
a) Navigation data
During the course of their normal functioning, the IT systems and software procedures employed for the functioning of this website acquire some personal data, the transmission of which is implicit in the use of internet communication protocols. It is information that is not acquired to be associated with the persons identified, but which by its nature could, by means of processing and associations with data held by third parties, be used to identify users. The data that falls within this category are the IP addresses or the domain names of the computers used which connect to the site, the addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of requests, the method used to submit requests to the server, the size of the file obtained in reply, the numerical code indicating the state of the reply given by the server (successful, error, etc.) and other parameters of the operating system and IT environment of the user. This data is used for the sole purpose of acquiring anonymous statistical information on the use of the site and to monitor it for correct functioning.
b) Data provided voluntarily by users
The use of some of the functionalities available on the site involves the acquisition of personal data provided by users and their subsequent use for specific purposes stated when the data is acquired. Specific summary information will be progressively reported or displayed on the pages of the site used for particular on-request services.
Cookies are strings of text, small in size, which sites visited by users send to their terminals (usually a browser), where they are stored and then sent back to the same sites the next time they are visited by those users. During the navigation of a site, users may also receive on their terminals cookies that are sent by other sites or web servers (known as “third parties”) on which some items (e.g. images, maps, sounds, specific links to images on other domains) may be present on the site that the user is visiting. Cookies are usually present on users’ browsers in large numbers and may sometimes remain there for long periods of times. They are used for different purposes: for IT authentication, monitoring sessions, storing information on specific configurations concerning users who access services, etc. For the purposes of the information provided here, information relating to cookies also applies for similar tools which allow the identification of users or of terminals (e.g. web beacons, web bugs, clear gifs, etc.). The types of cookies used on this website are given below.
c1. Technical cookies
Technical cookies are used for the sole purpose of “carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.
Technical cookies can be classified as follows:
navigation or session cookies, which guarantee normal navigation and use of the website (allowing, for example, a purchase to be made or authentication to be carried out for access to reserved areas);
analytics cookies (e.g. Google Analytics), similar to technical cookies, where they are used directly by a website administrator to acquire information in aggregate form on the number of users and on how these visit the site;
functionality cookies, which allow users to navigate on the basis of a series of criteria they have selected (e.g. the language, products selected for purchase) in order to improve the service provided for them.
We underline in particular that the tool Google Analytics, used on this website, acquires the IP addresses of visitors to provide an indication of their geographical location. This method is known as IP geolocation. Google Analytics does not report information on the actual IP addresses of visitors. By using a method known as IP masking, Google Analytics communicates information in a way that allows only part of the IP address to be used for geolocation, rather than the entire address.
c2. Profiling cookies
Profiling cookies are designed to create user profiles and they are used to send advertising messages on the basis of the preferences displayed by users during their navigation on the Internet.
This website only uses profiling cookies managed by third parties (no profiling cookies are used by the site publisher).
These cookies, listed below and for which user consent is necessary, are used for advertising services, targeting for advertising purposes, customisation of the site content, tracking and performance optimisation.
Management of cookies by using browser settings
Each user may set their browser to receive a warning of the presence of a cookie and decide whether to accept it or refuse it. It is also possible to automatically refuse to receive cookies by enabling the special opt-out option on browsers. While total or partial deactivation of cookies may compromise the use of site functionalities we nevertheless inform you that it is possible to change the security settings on your browser at any time by clicking on the following links:
OPTIONAL DATA THAT IS GIVEN
Apart from that which has been stated regarding navigation data and excluding data acquired by means of technical cookies for which consent is not required, users are free to provide personal data in order to use functionalities and services made available on the site. Failure to give this information may make it impossible to obtain what has been requested.
DATA PROCESSING PROCEDURES AND DATA STORAGE TIMES
Personal data, including that provided voluntarily by users, is processed using manual and/or automated tools strictly for the time needed to achieve the aims for which it has been acquired and in any event in a manner designed to guarantee the security, protection and confidentiality of users’ data. Except for cases where data is processed for legal purposes and in cases of hypothetical computer crimes which damage the site, data on website contacts has a life of not longer than seven days, while data provided voluntarily by users is stored strictly for the time necessary to respond to requests. Only if a user grants consent – where relevant – for processing for commercial purposes will data be stored for not longer than 12 months. Specific security measures are employed to prevent the loss of data, illicit or incorrect use of it and unauthorised access to it. More specifically, in those sections of the site in which personal data is acquired on users (e.g. in forms specially designed to request information) data is encrypted using security technology known as Secure Sockets Layer (SSL), which encrypts the information before it is exchanged via internet, thereby making it incomprehensible to unauthorised persons and guaranteeing its confidentiality. However, the use of SSL requires a compatible browser.
SECURITY MEASURES USED TO GUARANTEE THE AUTHENTICITY OF THE SITE
A web server digital certificate (SSL) is used to guarantee the authenticity of the site. It allows users to check that they are connected to the www.ubibanca.com website. A check can be carried out by clicking on the icon of a small lock (below to the right, or to the right of the address bar depending on browser version) to check that the certification path is as follows:
VeriSign Class 3 Public Primary CA
Incorp.by Ref. LIABILITY LTD.( c ) 97 Verisign
DATA SUBJECT RIGHTS
The Bank informs you that the GDPR guarantees the exercise of specific rights to protect data subjects. More specifically it provides for a Right of Access, which allows data subjects to obtain confirmation as to whether or not personal data concerning them is being processed (Art. 15 GDPR), and, where that is the case, to obtain the information provided for by the regulation and to receive a copy of it in accordance with the legal conditions. The following rights may also be exercised:
Rectification of inaccurate personal data and to have incomplete personal data completed (Art. 16 GDPR);
Erasure (the “right to be forgotten”) of personal data where particular conditions or grounds apply such as for example that the personal data is no longer necessary in relation to the purposes for which it was collected or where there is no legal ground for processing it (Art. 17 GDPR);
Restriction on processing personal data, for example while waiting for rectification or correction (Art. 18 GDPR);
Portability of personal data to another controller if the processing is automated and based on consent or on a contract (Art. 20 GDPR);
Objection to processing for specific purposes such as direct marketing (Art. 21 GDPR). Objection is always possible and free of charge in cases of advertising, commercial communication and market research purposes. A data subject may also object to being subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (Art. 22 GDPR) unless the processing is necessary for entering into, or the performance of, a contract based on consent or authorised by law.
In any event, where personal data processing is based on the issue of consent, the data subject has the right to withdraw that consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
To exercise these rights a specific request may be made to the DPO using the contact details given in this privacy notice, making sure that a copy of an identity document and tax code is attached to the request.
Last updated in May 2018.