Privacy Statement and Policy
Glossary
(art. 4, L.D. 196/2003 - the natural person to whom the personal data refers)
Personal Data: the set of data by which it is possible to identify you, such as: first name, last name, tax code, home address, mobile number, mailbox, internet IP address
(art. 4, L.D. 196/2003 - any information concerning a natural person who may be identified or identifiable, even indirectly, by making reference to any other information, including a personal identification number)
Sensitive data: data about you from which it is possible to determine your racial or ethnic origin, your religious beliefs, your political opinions, your state of health or your sexual orientation. For example, if a bank transfer is made in favour of a philosophical association
(Art. 4, Legislative Decree 196/2003 - personal data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, or membership in parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, as well as personal data disclosing information on state of health or sexual orientation)
Processing: any operation performed by Banca Widiba or by the Montepaschi Group involving your data.
(art. 4, L.D. 196/2003 - any operation or set of operations, carried out also without the aid of electronic instruments, concerning the collection, recording, organization, storage, consultation, elaboration, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, erasure and destruction of data, also if not registered in a database)
Data Controller: Banca Widiba S.p.A
(art. 4, L.D. 196/2003 - the natural person, legal person, public administration or any other body, association or organization responsible, also jointly with another data controller, for decisions regarding the purposes and methods of processing personal data and the tools used, including the security profile)
The Data Protection Officer (hereinafter "DPO") is outsourced to Banca Monte dei Paschi di Siena S.p.A. and can be contacted at the following certified and ordinary email addresses: responsabileprotezionedeidati@postacert.gruppo.mps.it; responsabileprotezionedati@mps.it.
Privacy Statement
Privacy Policy
In accordance with the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679, hereinafter the "GDPR"), Widiba S.p.A. (hereinafter "Widiba") invites you to read the following information. This will help you express your consent, where requested, to the processing of your personal data within the framework of the contract (hereinafter the "Contract") for the provision of banking, investment and accessory services by Widiba.
Definitions (under GDPR art. 4)
The Data Controller is Banca Widiba S.p.A., with registered offices in Via Messina, 38 - Torre D, Milan.
The Data Protection Officer (hereinafter "DPO") is the pro-tempore manager of the DPO and Privacy Compliance staff of Banca Monte dei Paschi di Siena S.p.A. with registered offices in Piazza Salimbeni n. 3, Siena, Italy, certified and ordinary email addresses:
responsabileprotezionedeidati@postacert.gruppo.mps.it; responsabileprotezionedati@mps.it.
Personal Data is a set of information through which you can be identified, and includes: name, surname, tax code, residence, mobile phone number, email, website, account balance, website credentials.
Sensitive Data is data from which it is possible to determine your racial and ethnic origin, your religious beliefs, your political opinions, as well as biometric data allowing your unique identification (see paragraph 4 relating to special categories of personal data and judicial data), and data relating to your health and sexual orientation.
Processing is any automatic or manual transaction involving your personal/sensitive data.
Source of Personal Data
You provide your personal data to Widiba through use of the website, at the time of commencing the relationship, or while using the services offered by the Bank. You can also provide data with the aid or by means of the following:
- The network of Financial Advisors;
- The network of AXA Agents;
- Credit or debt transactions arranged by other parties;
- Data acquired from external companies for commercial purposes, market surveys, direct offers of products and services.
Categories of personal data
The personal data processed by the Bank includes, for example:
- identification and personal details collected within the scope of the banking relationship;
- name, surname, date and place of birth, residence;
- contact information (e.g. landline and mobile number, email and mail address, certified email);
- family situation (e.g. marital status, number of family members, relationship with other clients);
- tax data: tax code/vat number, matrimonial property regime;
- information on education (e.g. level of education) and employment (e.g. profession and business sector, remuneration, seniority, etc.);
- data related to identity documents (e.g. number, place and date issued, issuing authority);
- information relating to the type of digital equipment used for Digital Banking, smartphones/ tablets (e.g. IP address, serial number, UUID device, IMSI, IMEI, WIFI interface MAC address, SIM ICCID);
- classification as politically exposed person or connected to politically exposed person;
- information relating to products and services intermediated by the Bank, owned or used by the client or towards which the client has expressed interest;
- types of products owned, services used (e.g. current account, investment account);
- information on the use of products and services (e.g. current account or payment card balance and transactions);
- information on equity, income and financial position (e.g. value of property, securities/funds portfolio, policies, tax returns, mortgage and rent expenses, debt position with other intermediaries, origin of funds);
- data related to methods of interaction with the Bank and use of the contact channels made available (e.g. branches, Financial Advisors, websites, apps, social pages, meetings, calls, chats, emails, interviews, telephone conversations);
- information about your behaviour in relations with the financial services sector;
- information about events (e.g. protesting, foreclosure, etc.) and relations with third party intermediaries (e.g. non-performing loans, overdrafts, etc.);
- summary assessments (e.g. credit scoring) issued by third parties (e.g. Crif S.p.A., CERVED, Experian Italia S.p.A. etc.);
- information about expectations, knowledge, habits, preferences and behaviours, detected by means of: i) questionnaires required by law (e.g. Mifid, KYC), (ii) sample surveys, iii) analysis of the use of products and services intermediated by the bank or by third parties; (iv) access to databases;
- data revealing tastes, preferences, life consumption and saving habits provided in response to questionnaires;
- satisfaction ratings (e.g. relating to products and services offered, physical and digital channels, public relations managers);
- macro needs (e.g. insurance coverage linked to sporting activities or health risk management, life projects to understand which products may be useful over time);
- behaviour (e.g. hobbies, use of digital channels, use of the services of other financial intermediaries);
- session cookies on the Bank’s websites;
- videos;
- images taken by the video surveillance systems installed by the Bank to protect the safety of persons, goods and assets.
- Geolocation data
- information that allows you to confirm your presence in a certain place at a precise moment, for example by analysing the places from which you have made withdrawals and payments.
Data categories for associated banks
The PSD2 directive on payments allows for the sharing of data between the various players in the banking ecosystem. Banca Widiba offers its clients the opportunity to access the information of other banking intermediaries (e.g. IBAN, balance, transactions, cards) through a shared Open Banking platform, by entering the internet/mobile banking credentials issued by the Bank or the payment service providers with which they have an account. Clients may access the service subject to providing explicit consent in their restricted area.
- identification and personal details collected within the scope of the banking relationship;
Categories of sensitive and judicial data
Sensitive data
As a result of specific operations or services requested by you (e.g. taking out life insurance policies, making ongoing payments through standing orders or deducting trade union and political party membership fees from the salary), the Bank may come into possession of data referred to as “sensitive” insofar as it makes it possible to infer whether you belong to such groups and information relating to your state of health, your racial or ethnic origin, your religious beliefs and your sexual orientation.
Sensitive data also includes biometric data, i.e. data obtained by technological means relating to the physical, physiological or behavioural characteristics of a natural person enabling his or her unambiguous identification; such data is collected by the Bank only with your specific consent.
Judicial data
- Data retrieved from court-based and other registries (e.g. real estate charges and burdens, mortgages/judicial foreclosures)
- Antimafia criminal record office
Purposes of data processing
Some of your personal data is processed as part of Widiba’s normal business activities for the following purposes:
- Purposes closely connected with and instrumental to managing and implementing the obligations arising from the contractual and precontractual relationship established with Widiba, including all necessary preliminary checks involving the data communicated. Such checks are carried out by communicating your personal data to third parties; any refusal to consent would prevent Widiba from concluding and executing the contract. For such purposes, the legal basis for processing data is the need to execute a contract or to follow up specific requests, also of a precontractual nature. Providing data is not mandatory but any refusal to do so, even in part, would make it impossible for the Bank to carry out the operations and provide the services requested;
- To fulfil the obligations provided for by laws, regulations, EU legislation (e.g. anti-money laundering and anti-terrorism legislation, supervisory provisions for banks, FATCA, etc.). For such purposes, the legal basis for processing data, which in some cases may include profiling, is the need to avail of personal data to fulfil a legal obligation to which the Data Controller is subject;
- To protect your image and to secure the identity of clients and assets. The aim of these purposes is to fight continuous fraud and embezzlement attempts by fraudsters. For such purposes, the Bank will analyse information relating to some of your connection data and your transaction habits. For such purposes, the legal basis for processing data, which may also envisage the use of profiling techniques, is the legitimate interest of the Bank, against which you may exercise your right to object to your data being processed within the limits of art. 21 of the GDPR;
- Client profiling for commercial purposes, carried out by Widiba to analyse your consumer choices and habits and to offer you a more personalised service. For such purposes, the Bank will analyse information relating to your relationship with Widiba, identifying your consumption propensities in a general manner (e.g. the branch nearest to your residence, or the simple possession and balance of a credit or prepaid card, etc.). The legal basis for processing data, also by means of profiling techniques, is the legitimate interest of the Bank, against which you may exercise your unconditional right to object to your data being processed, requesting immediate interruption of such data processing without prejudice to the establishment, continuation and management of your contractual relations with the Bank;
- Market research, statistical studies and assessments of the degree of satisfaction with the products and services of Widiba and of the Monte dei Paschi di Siena Banking Group;
- Commercial purposes, such as sending newsletters, and the promotion or sale of the products and/or services of Widiba, of the Monte dei Paschi di Siena Banking Group or of third party companies;
- Client profiling for commercial purposes, carried out by Widiba to analyse your browsing experiences and your attention to communications, if the data that can be used for such purposes reveals particularly sensitive information about your private sphere and your behavioural habits (e.g. an analysis of the descriptions of your bank transfers, etc.);
- Public relations, carried out through social networks, chats and e-mails, as well as invitations to participate in events;
- Activities involving advanced identification techniques and the processing of biometric data, for example:
- how devices are used (PC, Tablet, smartphone);
- identification of devices used for site navigation;
- location of devices used when operating the website;
- voice issuance, when a vocal password is recorded;
- use of a handwritten signature, when this is recorded.
The legal basis for processing data, also by means of profiling techniques, is the free provision of your informed consent, which consent may be withdrawn at any time without prejudice to the establishment, continuation and management of your contractual relations with the Bank.
Processing methods
All the processing, whether automatic or manual, described in point 3 is carried out by Widiba for the above-mentioned purposes.
Processing for commercial purposes may be carried out directly by Widiba or by third party companies using both traditional systems (paper mail or operator calls) and automated systems (calls with no operator, e-mail, fax, SMS, MMS, etc.).
As regards identifying the habits and consumption propensities of clients, cookies may also be used, in accordance with the guarantees and necessary measures laid down by the GDPR.
Widiba does not have its own commercial network of branches, but you can contact a Monte dei Paschi di Siena branch directly. Consequently, your Personal Data may be processed by the Bank to allow you to execute a number of banking transactions. These transactions are:
- “face-to-face” identification to open a contract;
- withdrawals and payments of money in cash;
- issuing bank drafts;
- executing cash transfers and direct debits (SCT - SEPA Credit Transfer);
- payment of F23 and F24 tax forms;
- other banking transactions requested by you at the counter.
Processing duration
Based on the various aims and purposes for which your data was collected, this will be stored for the period of time prescribed by the relevant legislation, or for the time strictly required to achieve said purposes (e.g. the Consolidated Banking Law lays down 10 years following closure of the contract and that, for special client orders and instructions or for telephone banking services, Widiba can record telephone conversations, which may be used as proof and to safeguard its rights in the event of disputes). With regard to the purposes of commercial profiling and direct marketing, your data will be used for a maximum of twelve months and twenty-four months respectively.
Parties or categories of parties to whom personal data may be communicated or who may become acquainted with same in their capacity as Data Processing Officers or as Persons in charge of data processing
To fulfil the purposes described in point 5 above, the Bank may communicate data to certain subjects, including foreign ones (in this regard, see the following chapter on the transfer of data abroad), belonging to the following categories who use the data received in their capacity as independent Data Controllers or Data Processors in accordance with art. 28 of the GDPR. A complete and up-to-date list containing, among other things, their full names may be requested, free of charge, from the DPO and Privacy Compliance staff, at the addresses given in paragraph 1):
- To parties to whom said communication must be made to fulfil obligations laid down by laws, regulations or EU legislation. In particular, Widiba is obliged to communicate your data to the Centrale dei Rischi (Central Credit Register) of the Bank of Italy. The Central Credit Register provides information on financial risks and, by collecting information from banks on the risks associated with their clients, informs said banks of any debt position in relation to the banking system. This reporting requirement exists as from EUR 30,000.00 for all risks, whether direct (cash and non-cash loans) or indirect (personal guarantees issued to other subjects). Non-performing debts must be reported regardless of the amount;
- To financial intermediaries belonging to the Monte dei Paschi di Siena Banking Group, in accordance with the provisions of art. 46, paragraph 4 of Legislative Decree no. 231 of 21 November 2007, which provides the option to communicate such reports to other financial intermediaries belonging to the same group, also in third party countries (in compliance with the provisions of the GDPR), with consequent processing by same;
- To companies belonging to the Monte dei Paschi di Siena Banking Group, or subsidiaries or associate companies within the meaning of art. 2359 of the Italian Civil Code (also those abroad), or companies subject to joint control for all purposes of an administrative-accounting nature or to fulfil specific provisions of law;
- To agencies or branches of Banca Monte dei Paschi di Siena.
Moreover, to fulfil the purposes described in point 3 above, Widiba may communicate your personal data to external companies, bodies or consortia, in Italy or abroad, belonging to the following categories:
- companies or bodies that offer banking and financial services;
- service companies for the acquisition, registering and processing of data deriving from documents or media supplied or originating from clients and having as their object the massive processing of payments, notes, cheques and other securities;
- companies that print, transmit, envelope, transport and sort communications to/from clients;
- companies that perform logistics services to deliver products requested by clients;
- companies that archive documentation relating to relations with clients;
- companies that process and transmit data;
- private credit registers;
- companies specialised in collecting and processing financial data;
- parties who carry out market research to detect the degree of client satisfaction with the quality of services and activities carried out by the bank, and parties who promote and sell the products/services of the Bank and of the other companies of the Monte dei Paschi di Siena Banking Group;
- companies that manage national and international systems to control fraud against banks and financial intermediaries (“Centrale di Allarme Interbancaria”, or Interbank Register of Bad Cheques and Payment Cards);
- companies or professionals specialised in debt and asset recovery;
- insurance companies, with regard to policies directly or indirectly related to transactions with clients;
- companies engaged in assistance, advertising and sale to clients (e.g. call centres);
- other companies engaged in services related and instrumental to managing client relationships (e.g. consultancy and legal firms);
- rating or auditing companies;
- affiliated companies and organisations;
- companies on behalf of which the Bank acts as an intermediary to sell their products and/or services, detect the degree of client satisfaction, perform market surveys and commercial activities, etc.
Finally, within the context of processing data for the fulfilment of obligations, personal data may be notified to persons belonging to the following categories, suitably appointed by Widiba to the role of Data Processing Officers or “Persons authorised to perform data processing”:
- employees of or persons seconded to the bank;
- interns;
- professional consultants;
- financial consultants and agents operating payment services;
- employees of companies appointed as Data Processing Officers.
Finally, if you own the stock of listed companies, please note that, unless you provide explicit refusal:
- pursuant to art. 83-duodecies of Legislative Decree 58/98 (Consolidated Law on Finance), Widiba shall communicate your identification data (e.g. name, surname and address) and the number of stocks deposited with Widiba to any Italian listed company that requests this information through a centralised management company (for example Monte Titoli);
- pursuant to art.136 of Consob resolution 11971/99 (Regulations for Issuers), Widiba shall communicate your identification data (e.g. name, surname and address) and the number of stocks deposited with Widiba to any proxy solicitors that request this information.
In the absence of an express prohibition, you will receive the proxy solicitor’s privacy policy at one of the addresses used for communications relating to investment accounts. You will be free to decide, case by case, whether or not to confer your proxy or to exercise your right to vote as deemed appropriate. In both cases, rest assured that you will not incur additional costs, obligations or duties as a result of communicating your identification data to third parties.
Transferring data abroad
Some data processing operations carried out by Widiba for the purposes listed above may involve your personal data being transferred abroad, either within and/or outside the European Union. In this case, Widiba guarantees observance of the GDPR, in particular as regards the provisions of art. 45, whereby transfers will only be towards countries that ensure adequate levels of protection.
Rights of data subjects (arts. 15-22 GDPR)
The GDPR focuses on the protection of individuals, and to this end provides a series of rights that may be exercised with respect to Widiba (the Data Controller):
Right of Access – the right to obtain confirmation as to whether or not personal data concerning you is being processed, the origin of any such data, the logic and purpose of the processing, the recipients or categories of recipients to whom said data may be communicated, and the period for which said personal data will be stored, where this can be defined.
Right to rectification – the right to obtain the rectification of your own data from Widiba. To exercise this right, it may be enough to access the Widiba website, using your credentials, and use the various features offered to exercise this right (e.g. change residence address, mobile phone number, password). To rectify any data other than that mentioned in this paragraph, please write to us using the above contact details.
Right to erasure (Right to be forgotten) – the right to get Widiba to erase your personal data if it is no longer necessary in relation to the purposes for which it was collected. In some cases provided for by the law that regulates the banking sector (see Consolidated Banking Law, Circular 285 of the Bank of Italy), Widiba will be unable to enforce this right (e.g. if such data is necessary for the establishment, exercise or defence of legal claims).
Right to restriction of processing – the right to obtain from Widiba restriction of processing by all those who have a service contract or an employment contract with the Bank. In some cases, the Bank reserves the right to allow access to a restricted number of persons for the purpose of ensuring the security, integrity and fairness of said data.
Right to data portability – the right to receive from Widiba the personal data concerning you in a structured, commonly used format. The data can be sent to a portable device (USB stick, USB disk, PC) or to another Data Controller. To exercise this right, simply access the Widiba website, using your credentials, and use the relevant feature.
Right to object – the right to object to data processing for reasons related to your particular situation, including the right to withdraw consent to data processing for the sending of advertising material or newsletters, for direct sales, for carrying out market research, for detecting the degree of satisfaction, and for profiling purposes. The right to object shall be deemed to be extended to the receipt of promotional communications made either by traditional or by automated means, without prejudice to the possibility of expressing your consent exclusively for the receipt of communications by traditional means.
To exercise the above rights where no online provision has already been made, and in any case, you can email your requests to privacy@widiba.it or to the certified email address privacy@widipec.it.
To lodge a formal complaint, contact the Data Protection Supervisory Authority (Piazza Venezia no. 11 – 00187 Rome; garante@gpdp.it; phone + 39 06 69677.1; fax + 39 06 69677.3785) or the Judiciary directly.
Accessing, amending your Consent and Data
Through specific sections of your restricted area, accessed exclusively with your credentials, Widiba gives you the possibility to:
- access all your personal data as described in point 9;
- change any optional consent whenever you wish;
- edit any other personal data relating to you (change your residence/correspondence address, email address, mobile number, password).
INFORMATION ON THE PROTECTION OF PERSONAL DATA WITHIN THE FRAMEWORK OF S.W.I.F.T. FUND TRANSFERS
To carry out financial transactions (for example cross-border bank transfers) and certain specific national transactions requested by clients, an international messaging service is required. The service is managed by the "Society for Worldwide Interbank Financial Telecommunication" (SWIFT), based in Belgium. The Bank provides SWIFT (owner of the SWIFTNet Fin system) with the data required to perform the transactions, such as the names of the remitter, the beneficiary and their respective banks, the bank details and the amount. At present, Banks cannot carry out the above transactions without using this interbank network and without communicating the above data. However, you should know that:
- All client data used to execute financial transactions is currently - for operational security reasons - duplicated, transmitted and stored temporarily as backup copies by Swift, in a company server located in the United States of America;
- The data stored in this server can be used in the US in accordance with local legislation. Competent US authorities (in particular the Department of the Treasury) have had access to it or could access same again on the basis of further measures deemed adoptable according to US legislation on the fight against terrorism.
- The data subject retains his rights under the GDPR (for the privacy policy, see: http://www.swift.com).
Disclosure under the “Code of Conduct applying to information systems managed by private entities with regard to consumer credit, reliability, and timeliness of payments” (hereinafter the “Code of Conduct”), approved by the Data Protection Supervisory Authority with Measure No. 163 of 12/09/2019
In addition to the above, the Bank intends to provide the data subject, also on behalf of the credit information systems, with appropriate information under art. 6 of the Code of Conduct applying to information systems managed by private entities with regard to consumer credit, reliability, and timeliness of payments (September 2019 Measure of the Data Protection Supervisory Authority).
Please note that, in order to respond to client requests with regard to granting credit, we will be processing some personal data concerning you. This is information that you yourself give us or that we obtain through a number of databases. Such databases (Credit Information Systems or CIS) containing information about data subjects are consulted to evaluate, take on or manage credit risks, assessing the reliability and payment punctuality of data subjects, and are managed by private entities and owned by private undertakings belonging to the categories stated in the disclosures provided by CIS managers. This information will be stored at the bank; some of the information clients provide, together with information arising from their payment behaviour throughout the relationship, may be communicated to CISs periodically. This means that those belonging to the aforementioned categories, upon considering whether or not to establish a relationship with a client, will be able to know whether those same clients have submitted a request to the bank and whether they pay regularly. The processing and communication of data are necessary requirements for signing a contract. Without this information, the bank may not be able to respond to the request received. Retaining this information in databases is based on the lawful interest of the Data Controller to consult CISs.
Client data will not be transferred to a non-EU third country or to international organisations. According to the terms, methods and within the limits of applicability established by current law, clients are entitled to obtain confirmation as to whether or not personal data concerning them is being processed and to exercise the various rights related to its use (the right to have it rectified, updated, cancelled, to limit or object to its processing, etc.). Clients may lodge a complaint with the Data Protection Authority (www.garanteprivacy.it), or resort to the other means of protection provided for by applicable law. The bank stores client data care of our company for the time required to manage the contractual relationship and to fulfil all legal obligations (for example, as provided for in art. 2220 of the Italian Civil Code concerning the retention of accounting records).
The credit information systems used by Widiba are managed by:
- CRIF S.p.A. with registered offices in Bologna - Public Relations Office: Via Zanardi 41, 40131 Bologna. Fax: +39 051 6458940, Tel: +39 051 6458900, website: www.consumatori.crif.com
- EXPERIAN-CERVED INFORMATION SERVICES S.p.A. - Registered Offices: Piazza dell’Indipendenza, 11/B, 00185 Rome, Italy, phone 199.183.538, website http://www.experian.it/
In order to better assess credit risk, reliability, and timeliness of payments, the Bank communicates certain personal data (personal details, also of any joint debtor, type of contract, credit amount, reimbursement method) to Credit Information Systems, which are governed by the relevant Code of Conduct (Code of Conduct applying to information systems managed by private entities with regard to consumer credit, reliability, and timeliness of payments) and act as independent Data Controllers.
Data relating to clients is regularly updated with new information acquired throughout our relationship (payment position, debt exposure, credit status). Within the context of CISs, client data will be processed by means of organisation, comparison and elaboration operations considered strictly necessary to pursue the purposes described above. Such processing will be carried out either manually or using IT and online tools, in any case guaranteeing the security and confidentiality of the data, also in the case of using remote communication tools. Client data will be processed statistically to generate a summary assessment or score on your degree of reliability and solvency (your so-called credit scoring), taking into account the following main factors: number and characteristics of existing credit lines, evolution and history of ongoing or completed payments, presence and characteristics of any new credit requests, history of credit lines paid off. Additional information may be provided to you in the event of rejecting a credit request.
You have the right to access your data at any time, by contacting both Widiba and the CIS operators at the addresses specified above.
Similarly, you may also ask for your data to be amended, updated, corrected or completed and to have any data processed in violation of the law be cancelled or blocked, or to oppose its use for legitimate reasons to be specified in the request (articles 15 to 21 of the GDPR; art. 9 of the code of ethics).
Period of data retention in credit information systems:
funding request | 6 months if the investigation so requires, or 1 month in the event of the request being rejected or withdrawn |
remedied delay of two instalments or two months | 12 months from the time of settlement |
longer delays remedied even by arrangement | 24 months from the time of settlement |
unremedied adverse events (e.g. late payments, serious defaults, non-performing loans) | 36 months from the date of contractual expiry of the relationship or from the date in which the last update proved necessary (in the case of subsequent agreements or other significant events concerning repayment) |
relationships that have performed positively (without delays or other negative events) | 36 months in the presence of other relationships with negative events that have not been settled. In the remaining cases, in the first phase of implementation of the code of ethics, the period shall be 36 months from the date of termination or expiry of the agreement, or from the first update carried out in the month following said date |
Privacy Policy
This notice is given pursuant to art. 13 of Legislative Decree no. 196 of 30 June 2003 (hereinafter referred to as the Data Protection Act) and relates to the processing of personal data of users who make use of the Widiba web services. This information does not relate to other websites accessed via any links.
The information note is also based on Recommendation no. 2/2001, which the European authorities for the protection of personal data, brought together in the group set up under art. 29 of Directive no. 95/46/EC, adopted on May 17, 2001 to determine some minimum requirements for the online collection of personal data and, in particular, the methods, times and nature of the information that data controllers must give users when they connect to web pages, regardless of the purposes of such connection.
It is Banca Widiba S.p.A., in the person of its legal representative pro tempore, domiciled for the office at the company's registered office in Milan, via Messina, 38 Torre D.
Access to and use of the online services involves the processing of data relating to individuals identifiable by means of authentication systems and procedures. Merely consulting the website, without accessing the online services, involves the collection of information whose transmission is implicit in the use of Internet communication protocols, as well as information on the computer used to connect to the internet.
Data collected in connection with this site's web services is processed at the Banca Widiba offices exclusively by persons in charge of data processing or by persons in charge of occasional maintenance tasks. No personal data deriving from these web services is disclosed. If necessary, the data connected with these web services can be processed by Banca Monte Paschi di Siena and by the MPS Group Operating Consortium (the first in its capacity as independent Data Controller, and the second in its capacity as specially appointed Data Processor in accordance with Article 29 of the Data Protection Act), at the offices of the said companies. The personal data of users who access and use the online services may be disclosed to third parties to fulfil specific legal, regulatory and supervisory obligations. In addition, to enable the fulfilment of "logistical" activities pertaining to the web services offered to clients, the processing of some data may be delegated to third parties especially appointed for the purpose.
Banca Widiba regularly reviews its privacy and security policies and, where appropriate, updates them in accordance with regulatory or organizational changes, or prompted by technological evolution. Any amendments to these policies will be published on this website.
Personal data provided voluntarily by the user
The explicit and voluntary insertion of personal data by the user in the registration forms of this website involves the acquisition of the data provided, which is necessary in order to provide the service requested. Specific information pursuant to art. 13 of the Data Protection Act, also in summarised form, will be reported or displayed case by case in contractual documents or in the pages of the website designated for special services upon request.
The computer systems and software procedures relating to the normal operation of this website acquire personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified parties, but by their very nature could, through processing and associations with data held by third parties, lead to the identification of users.
This category of data includes IP addresses or domain names of computers used by users connecting to the site, URIs (Uniform Resource Identifiers) of requested resources, the time of requests, the method used to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the response from the server (successful, error, etc.) and other parameters regarding the user's operating system and computer environment.
This data is used solely for the purpose of:
- obtaining anonymous statistical information regarding use of the site;
- checking the correct operation of the site;
- carrying out monitoring activities to ensure the safety of the service.
The data could be stored and used to ascertain responsibility in case of hypothetical computer crimes against the site or its users.
Cookies
Widiba uses cookies for several purposes. A cookie is a set of information that can be stored on the hard disk of a computer of a client connected to the widiba.it website.
Banca Widiba uses two types of cookies:
Static cookies - saved on the hard drive of the client's PC, these cookies contain information concerning the characteristics of said PC; they are used to identify the device for the purpose of fighting computer fraud.
Temporary cookies - these cookies are only used for the duration of the session and contain information related to said session; their purpose is the proper and efficient processing of requests made by the customer.
Conferring data
Except as specified for navigation data, the user is free to provide the personal information stated on request forms or indicated during contacts with the Office to request the dispatch of information material or of other communications. Failure to provide said data may make it impossible to fulfil the request.
Processing methods
Personal data is processed using automated tools for the time strictly necessary to achieve the purposes for which it is collected. Specific security measures are observed to prevent the loss of data, illegal or incorrect use and unauthorized access.
Data subjects' rights
Data subjects have the right, at any time, to obtain confirmation as to whether or not personal data concerning them exists, to know its content and source, to verify its accuracy or to demand its integration, updating or rectification (Art. 7 of the Data Protection Act). In accordance with said Article, data subjects have the right to ask for the erasure, the anonymization or the blocking of data that has been processed unlawfully, and, furthermore, to object on legitimate grounds, to the processing of same.
For more information
Anyone wishing to obtain more information or to offer suggestions or complaints about the privacy policies, can do so by writing to the following e-mail address: privacy@widiba.it.
Rights of data subjects
Data subjects have the right to obtain confirmation as to whether or not personal/sensitive data concerning them are being processed. To exercise this right, simply log onto the Widiba website with your credentials and view/download the information you require.
Data subjects have the right to obtain from Banca Widiba the rectification of inaccurate personal data concerning them. To exercise this right, simply log onto the Widiba website with your credentials and use the various features provided (e.g. change residence address, mobile number, password).
Data subjects have the right to obtain from Banca Widiba the erasure of personal data concerning them whenever said data are no longer necessary in relation to the purposes for which they were collected. In some cases, envisaged by the regulations governing the banking sector (see the Italian Consolidated Banking Act, Circular no. 285 of the Bank of Italy), Banca Widiba is entitled to deny this right, for example when the aforementioned data are required to assess, exercise or defend a right in court.
Data subjects have the right to obtain from Banca Widiba restriction of access to personal data by those parties who have a service contract or an employment contract with the Bank. In some cases, the Bank reserves the right to grant access to a limited number of people in order to guarantee the safety, integrity and correctness of said data.
Data subjects have the right to receive the personal data concerning them, which they have provided to Banca Widiba, in a structured, commonly used format. Said data can be provided on a portable device (USB stick, USB disk, PC) or forwarded to another Data Controller. To exercise this right, simply log onto the Widiba website with your credentials and use the features provided.
Data subjects have the right to object to processing of personal data concerning them by Banca Widiba. In this case, two scenarios are possible:
a. data is processed in connection to the fulfilment of a contract, in which case it is not possible to exercise this right except by terminating said contract;
b. data is processed for commercial and/or profiling purposes, in which case you may exercise this right simply by logging onto the Widiba website with your credentials and changing the consent previously provided.
Data subjects have the right to lodge a complaint with the Supervisory Authority whenever they consider that their data have been processed in violation of the law. The procedures for lodging a complaint are described on the website of the Italian Data Protection Authority.
To exercise the aforementioned rights in the absence of the internet or if you are not yet our customer, you can send a request by email to privacy@widiba.it or by certified email to privacy@widipec.it.