In accordance with the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679, hereinafter the "GDPR"), Widiba S.p.A. (hereinafter "Widiba") invites you to read the following information. This will help you express your consent to the processing of your personal data within the framework of the contract (hereinafter the "Contract") for the provision of banking, investment and accessory services by Widiba.
The General Data Protection Regulation (see GDPR art. 1)
The GDPR focuses on individuals in the European Union, laying down the guiding principles for the protection and circulation of personal data and protecting the rights and freedoms of "natural persons”. The regulation does not cover "legal persons" (firms, legal representatives, etc.).
Definitions (see GDPR art. 4)
You are the data subject, in your capacity as a "natural person" residing in an EU Member State.
The Data Controller is Widiba Bank S.p.a. with registered offices in Via Messina, 38 - Torre D, Milan, Italy.
The Data Protection Officer (hereinafter "DPO") will be domiciled, for the office, at the bank’s registered offices, and may be contacted to exercise your rights under GDPR arts. 15 to 21 as follows:
Banca Widiba S.p.A.
Via Messina, 38 – Torre D - 20154 MILAN
Certified Email: firstname.lastname@example.org
Personal Data is a set of information through which you can be identified, and includes: name, surname, tax code, residence, mobile phone number, email, website, account balance, website credentials.
Sensitive Data is data from which it is possible to determine your racial and ethnic origin, your religious beliefs, your political opinions, as well as your health and sexual orientation.
Processing is any automatic or manual transaction involving your personal/sensitive data.
Source of Personal Data
You provide your personal data to Bank Widiba through use of the website, at the time of commencing the relationship, or while using the services offered by the Bank. You can also provide data with the aid or by means of the following:
- The network of Financial Advisors;
- The network of Payment Services Agents (AXA Agents);
- Credit or debt transactions arranged by other parties;
- Data acquired from external companies for commercial purposes, market surveys, direct offers of products and services.
Categories of personal data
The personal data processed by the Bank includes, for example:
- identification and personal details collected within the scope of the banking relationship
- name, surname, date and place of birth, residence
- contact information (e.g. landline and mobile number, email and mail address, certified email)
- family situation (e.g. marital status, number of family members, relationship with other customers)
- tax data: tax code/vat number, matrimonial property regime
- information on education (e.g. level of education) and employment (e.g. profession and business sector, remuneration, seniority, etc.)
- data related to identity documents (e.g. number, place and date issued, issuing authority);
- information relating to the type of digital equipment used for Digital Banking, smartphones/ tablets (e.g. IP address, serial number, UUID device, IMSI, IMEI, WIFI interface MAC address, SIM ICCID)
- classification as politically exposed person or connected to politically exposed person
- information relating to products and services intermediated by the Bank, owned or used by the customer or towards which the customer has expressed interest
- types of products owned, services used (e.g. current account, investment account)
- information on the use of products and services (e.g. current account or payment card balance and transactions)
- information on equity, income and financial position (e.g. value of property, securities/funds portfolio, policies, tax returns, mortgage and rent expenses, debt position with other intermediaries, origin of funds)
- data related to methods of interaction with the Bank and use of the contact channels made available ( e.g. branches, Financial Advisors, websites, apps, social pages, meetings, calls, chats, emails, interviews, telephone conversations)
- information about your behaviour in relations with the financial services sector
- information about events (e.g. protesting, foreclosure, etc.) and relations with third party intermediaries (e.g. non-performing loans, overdrafts, etc.)
- summary assessments (e.g. credit scoring) issued by third parties (e.g. Crif S.p.A., CERVED, Experian Italia S.p.A. etc.)
- information about expectations, knowledge, habits, preferences and behaviours, detected by means of: i) questionnaires required by law (e.g. Mifid, KYC), (ii) sample surveys, iii) analysis of the use of products and services intermediated by the bank or by third parties; (iv) access to databases
- data revealing tastes, preferences, life consumption and saving habits provided in response to questionnaires
- satisfaction ratings (e.g. relating to products and services offered, physical and digital channels, public relations managers)
- macro needs (e.g. insurance coverage linked to sporting activities or health risk management, life projects to understand which products may be useful over time)
- behaviour (e.g. hobbies, use of digital channels, use of the services of other financial intermediaries)
- session cookies on the Bank’s websites
- images taken by the video surveillance systems installed by the Bank to protect the safety of persons, goods and assets
Data categories for associated banks
The PSD2 directive on payments allows for the sharing of data between the various players in the banking ecosystem. Banca Widiba offers its clients the opportunity to access the information of other banking intermediaries (e.g. IBAN, balance, transactions, cards) through a shared Open Banking platform, by entering the internet/mobile banking credentials issued by the Bank or the payment service providers with which they have an account. Such service is usable by signing a specific contract.
Categories of sensitive and judicial data
As a result of specific operations or services requested by you (e.g. taking out life insurance policies, making ongoing payments through standing orders or deducting trade union and political party membership fees from the salary), the Bank may come into possession of data referred to as "sensitive" insofar as it makes it possible to infer whether you belong to such groups and information relating to your state of health, your racial or ethnic origin, your religious beliefs and your sexual orientation.
Sensitive data also includes biometric data, i.e. data obtained by technological means relating to the physical, physiological or behavioural characteristics of a natural person enabling his or her unambiguous identification, such as voice or signature; the Bank collects such data. Sensitive data also includes information that places you in a certain place at a precise moment (geolocation data), for example by analysing the places where you have withdrawn cash or made payments.
- Data retrieved from court-based and other registries (e.g. real estate charges and burdens, mortgages/judicial foreclosures)
- Antimafia criminal record office
Purposes of data processing
Your personal data is processed as part of Widiba’s normal business activities for the following purposes, for which your consent is not required as any refusal to consent would prevent Widiba from concluding and executing the contract:
- To fulfil the obligations provided for by laws, regulations, EU legislation (e.g. anti-money laundering and anti-terrorism legislation, supervisory provisions for banks, FATCA, etc.);
- Purposes closely connected with and instrumental to managing and implementing the obligations arising from the contractual and precontractual relationship established with Widiba, including all necessary preliminary checks involving the data communicated. Such checks are carried out by communicating your personal data to third parties;
- Purposes ensuring the safety of our customers’ identity and assets, and safeguarding the Bank’s image. The aim of these purposes is to fight continuous fraud and embezzlement attempts by fraudsters. To achieve said purposes, we make use of advanced identification techniques and the processing of biometric data, for example:
- how devices are used (PCs, Tablets, Smartphones);
- identification of devices used to browse the website;
- identification of devices used to perform transactions on the website;
- requests for information enabling remote identification of the customer (identifying videos/photos);
- voice emission, in the case of a vocal password;
- handwritten signature, when recorded;
Moreover, should you need to disable your website login credentials (username/password), you can do so by calling the number 800225577 at any time. The operator answering the call may be a customer support employee of the MPS Group, to whom your Personal Data will be communicated;
- For the performance of specific transactions requested by you (for example, payment or deduction from your salary of trade union and political party membership fees) which might make it necessary to process your Sensitive Data;
Widiba performs other tasks functional to its business activities which require the Bank to process your Personal Data and for which your consent is optional and any refusal will in no way prejudge the establishment, continuation and management of your contractual relations with Widiba. These purposes may be summarised in:
- market research, statistical studies and assessments of the degree of satisfaction with the products and services of Widiba and of the Monte dei Paschi di Siena Banking Group;
- commercial purposes, such as sending newsletters, promotion or sale of the products and/or services of Widiba, of the Monte dei Paschi di Siena Banking Group or of third party companies;
- customer profiling for commercial purposes, carried out by Widiba to analyse your consumer choices, your browsing experiences and your attention to communications, so as to offer you a more personalised service;
- public relations, carried out through social networks, chats and e-mails, as well as invitations to participate in events.
You can express your consent to have your data processed for the aforesaid purposes when subscribing to the Widiba service contract and you can change your optional consent independently, as described in point 10 of this document, whenever you consider this necessary.
All processing, whether automatic or manual, is carried out by Widiba for the purposes described in paragraph 3 and complies with GDPR Articles 5 to 11.
More specifically, Widiba complies with the following principles as set forth by the GDPR:
- Lawfulness, i.e. data shall be processed exclusively to execute the contract and/or in observance of the consents provided;
- Minimisation, i.e. processing shall use the minimum amount of information needed for the purpose for which it was collected;
- Restriction, i.e. processing is restricted to the purposes described in paragraph 3;
- Safety, i.e. Widiba ensures application of the security measures envisaged by international standards and suggested by industry best practices. In particular, to ensure long term safety, in addition to advanced customer identification features, Widiba may also use other specific functions, also provided by third parties (e.g. internet providers, telephone operators, etc.), to identify and locate the devices used to execute the features offered;
- Fairness, i.e. Widiba provides you with the tools required to keep your data up-to-date (e.g. credentials, residence/correspondence address);
- Integrity, i.e. Widiba shall adopt the best data management practices so that the chances of making mistakes when managing your data are reduced to a minimum;
- Certification, i.e. Widiba complies with appropriate codes of conduct (Art. 40) and regularly submits its processing to data protection certification (Art. 42).
Processing for commercial purposes may be carried out directly by Widiba or by third party companies using both traditional systems (paper mail or operator calls) and automated systems (calls with no operator, e-mail, fax, SMS, MMS, etc.).
As regards identifying the habits and consumption propensities of customers, cookies may also be used, in accordance with the guarantees and necessary measures laid down by the GDPR.
Widiba does not have its own commercial network of branches, but you can contact a Monte dei Paschi di Siena branch directly. Consequently, your Personal Data may be processed by the Bank to allow you to execute a number of banking transactions. These transactions are:
- “face-to-face” identification to open a contract;
- withdrawals and payments of money in cash;
- issuing bank drafts;
- executing cash transfers and direct debits (SCT - SEPA Credit Transfer);
- payment of F23 and F24 tax forms;
- other banking transactions requested by you at the counter.
With reference to such activities, Widiba guarantees that Banca Monte dei Paschi will process your personal data exclusively to execute the transactions requested by you. Conferring your data for these purposes is mandatory, and any refusal to do so results in the Bank being unable to carry out the transactions required.
If you own the stock of listed companies, please note that, unless your provide explicit refusal:
- pursuant to art.83-duodecies of Legislative Decree 58/98 (Consolidated Law on Finance), Widiba shall communicate your identification data (e.g. name, surname and address) and the number of stocks deposited with Widiba to any Italian listed company that requests this information through a centralised management company (for example Monte Titoli);
- pursuant to art.136 of Consob resolution 11971/99 (Regulations for Issuers), Widiba shall communicate your identification data (e.g. name, surname and address) and the number of stocks deposited with Widiba to any proxy solicitors that request this information.
In both cases, rest assured that you will not incur additional costs, obligations or duties as a result of communicating your identification data to third parties.
If you wish to prevent your identification data from being communicated to the parties indicated above, you must contact Widiba and express your refusal in writing, by certified email, at email@example.com, attaching a copy of your identity document.
Please note that the desire expressed shall apply to all data connected to the account and, in the case of a joint account, Widiba shall act on the desire expressed also by a single account holder. This desire can be revoked at any time following the methods detailed above.
Based on the various aims and purposes for which your data was collected, this will be stored for the period of time prescribed by the relevant legislation, or for the time strictly required to achieve said purposes (e.g. the Consolidated Banking Law lays down 10 years following closure of the contract and that, for special customer orders and instructions or for telephone banking services, Widiba can record telephone conversations, which may be used as proof and to safeguard its rights in the event of disputes). As regards commercial purposes, your data will be stored for at most two years from the termination of each of your accounts.
Parties or categories of parties to whom personal data may be communicated or who may become acquainted with same in their capacity as Data Protection Officers or as Persons in charge of data processing
Without it being necessary to acquire your consent, Widiba can communicate your personal data in its possession:
- to parties to whom said communication must be made to fulfil obligations laid down by laws, regulations or EU legislation. In particular, Widiba is obliged to communicate your data to the Centrale dei Rischi (Central Credit Register) of the Bank of Italy. The Central Credit Register provides information on financial risks and, by collecting information from banks on the risks associated with their customers, informs said banks of any debt position in relation to the banking system. This reporting requirement exists as from EUR 30,000.00 for all risks, whether direct (cash and non-cash loans) or indirect (personal guarantees issued to other subjects). Non-performing debts must be reported regardless of the amount;
- to financial intermediaries belonging to the Monte dei Paschi di Siena Banking Group, in accordance with the provisions of art. 46, paragraph 4 of Legislative Decree no. 231 of 21 November 2007, which provides the option to communicate such reports to other financial intermediaries belonging to the same group, also in third party countries (in compliance with the provisions of the GDPR), with consequent processing by same;
- to companies belonging to the Monte dei Paschi di Siena Banking Group, or subsidiaries or associate companies within the meaning of art. 2359 of the Italian Civil Code (also those abroad), or companies subject to joint control for all purposes of an administrative-accounting nature or to fulfil specific provisions of law;
- to agencies or branches of Banca Monte dei Paschi di Siena.
Moreover, to fulfil the purposes described in point 3 above, Widiba may communicate your personal data to external companies, bodies or consortia, in Italy or abroad, belonging to the following categories:
- companies or bodies that offer banking and financial services;
- service companies for the acquisition, registering and processing of data deriving from documents or media supplied or originating from customers and having as their object the massive processing of payments, notes, cheques and other securities;
- companies that print, transmit, envelope, transport and sort communications to/from customers;
- companies that perform logistics services to deliver products requested by customers;
- companies that archive documentation relating to relations with customers;
- companies that process and transmit data;
- private credit registers;
- companies specialised in collecting and processing financial data;
- parties who carry out market research to detect the degree of customer satisfaction with the quality of services and activities carried out by the bank, and parties who promote and sell the products/services of the Bank and of the other companies of the Monte dei Paschi di Siena Banking Group;
- companies that manage national and international systems to control fraud against banks and financial intermediaries (“Centrale di Allarme Interbancaria”, or Interbank Register of Bad Cheques and Payment Cards);
- companies or professionals specialised in debt and asset recovery;
- insurance companies, with regard to policies directly or indirectly related to transactions with customers;
- companies engaged in assistance, advertising and sale to customers (e.g. call centres);
- other companies engaged in services related and instrumental to managing customer relationships (e.g. consultancy and legal firms);
- rating or auditing companies;
- affiliated companies and organisations;
- companies on behalf of which the Bank acts as an intermediary to sell their products and/or services, detect the degree of customer satisfaction, perform market surveys and commercial activities, etc.
Finally, within the context of processing data for the fulfilment of obligations, personal data may be notified to persons belonging to the following categories, suitably appointed by Widiba to the role of Data Protection Officers or Persons in charge of data processing:
- employees of or persons seconded to the bank;
- professional consultants;
- financial consultants and agents operating payment services;
- employees of companies appointed as Data Protection Officers.
Transferring Data Abroad
Some data processing operations carried out by Widiba for the purposes listed above may involve your personal data being transferred abroad, either within and/or outside the European Union. In this case, Widiba guarantees observance of the GDPR, in particular as regards the provisions of art. 45, whereby transfers will only be towards countries that ensure adequate levels of protection.
Rights of data subjects
The GDPR focuses on the protection of individuals, and to this end provides a series of rights that may be exercised with respect to Widiba (the Data Controller):
Right of Access - the right to request confirmation of the existence or otherwise of personal/sensitive data being processed. To exercise this right, simply access the Widiba website, using your credentials, and view/download all the relating information.
Right to rectification - the right to obtain the rectification of your own data from Widiba. To exercise this right, simply access the Widiba website, using your credentials, and use the various features offered to exercise this right (e.g. change residence address, mobile phone number, password).
Right to erasure (Right to be forgotten) - the right to get Widiba to erase your personal data if it is no longer necessary in relation to the purposes for which it was collected. In some cases provided for by the law that regulates the banking sector (see Consolidated Banking Law, Circular 285 of the Bank of Italy), Widiba will be unable to enforce this right (e.g. if such data is necessary for the establishment, exercise or defence of legal claims.
Right to restriction of processing - the right to obtain from Widiba restriction of processing by all those who have a service contract or an employment contract with the Bank. In some cases, the Bank reserves the right to allow access to a restricted number of persons for the purpose of ensuring the security, integrity and fairness of said data.
Right to data portability - the right to receive from Widiba the personal data concerning you in a structured, commonly used format. The data can be sent to a portable device (USB stick, USB disk, PC) or to another Data Controller. To exercise this right, simply access the Widiba website, using your credentials, and use the relevant feature.
Right to object - the right to object to your data being processed by Widiba. In this case, there are two possible scenarios:
- data processed to execute a contract, for which it is not possible to exercise this right if not by terminating said contract;
- data processed for commercial or profiling purposes, for which this right may be exercised simply by accessing the Widiba website, using your credentials, and editing your previously expressed consent.
Right to lodge a complaint - the right to lodge a complaint with a supervisory authority if you think your data is being processed in an unlawful manner.
To exercise the above rights, where no online provision has already been made (see point 10), you can in any case email your requests to firstname.lastname@example.org. or to the certified email email@example.com.
Access, amending your Consent and Data
Through specific sections of your restricted area, accessed exclusively with your credentials, Widiba gives you the possibility to:
- access all your personal data;
- change any optional consent whenever you wish;
- edit any other personal data relating to you (e.g. address, mobile phone number, password).
Code of Ethics and Code of Conduct for information systems managed by private entities with regard to consumer credit, reliability and payment punctuality
Please note that when applying for funding, cash loans or credit cards, Widiba may use some of your personal data. This is information that you yourself give us or that we obtain through a number of databases. Without this data, which we need to evaluate your reliability, you may not be granted the funding requested.
This information will be stored by us internally; some details will be recorded in large databases, set up to assess credit risk, which are managed by private entities and may be consulted by many subjects.
This means that other banks or finance companies to which you might apply for another loan, credit card, etc., also to purchase goods in instalments, may learn about any funding requests submitted by you to Widiba and whether or not you pay your instalments regularly.
Banks process such information to facilitate the granting of credit to customers.
We store your data at Widiba for all purposes connected with managing your loan and fulfilling statutory obligations.
In order to better assess credit risk, we communicate some personal data (personal details, also of any joint debtor, type of contract, credit amount, reimbursement method) to credit information systems, as indicated by the Code of Ethics on credit information systems (Provision of Garante Privacy, 12 September 2019).
Your personal data is regularly updated with new information acquired throughout our relationship (payment position, debt exposure, credit status). Within the context of credit information systems, your data will be processed by means of organisation, comparison and elaboration operations considered strictly necessary to pursue the purposes described above, and in particular to retrieve from the credit information system clear and unambiguous information relating to you. Such processing will be carried out either manually or using IT and online tools, in any case guaranteeing the security and confidentiality of the data, also in the case of using remote communication tools.
Your data will be processed statistically to generate a summary assessment or score on your degree of reliability and solvency (your so-called credit scoring), taking into account the following main factors: number and characteristics of existing credit lines, evolution and history of ongoing or completed payments, presence and characteristics of any new credit requests, history of credit lines paid off. Additional information may be provided to you in the event of rejecting a credit request.
The credit information systems used by Widiba are managed by:
- CRIF S.p.A. with registered offices in Bologna - Public Relations Office: Via Zanardi 41, 40131 Bologna. Fax: +39 051 6458940, Tel: +39 051 6458900, website: www.consumatori.crif.com
- EXPERIAN-CERVED INFORMATION SERVICES S.p.A. - Registered Offices: Piazza dell’Indipendenza, 11/B, 00185 Rome, Italy, tel. 199.183.538, website: http://www.experian.it/
Such systems contain positive and negative credit information relating to applications for and existing credit lines, irrespective of any infringements recorded in the system at the time of their occurrence.
The affiliates of the credit information systems managed by CRIF S.p.A. and EXPERIAN-CERVED INFORMATION SERVICES S.p.A. belong, in both cases, to the following categories: Banks, Financial Intermediaries, private parties who grant the deferred payment of goods or services as part of their commercial or professional activities.
The data retention times are those specified in the code of ethics and in the table provided at the end of this document. CRIF S.p.A. and EXPERIAN-CERVED INFORMATION SERVICES S.p.A. use automated credit scoring systems and techniques based on statistical analysis models and calculation algorithms that provide the Bank and other affiliates with useful reviews and scores to be used when investigating credit requests.
CRIF S.p.A. forms part of an international network of credit information systems operating in various European and non-European countries. Consequently , processed data may be communicated (in compliance with the law) to other companies, also abroad, operating - in compliance with the GDPR - as Data Controllers of the above credit information systems and pursuing the same processing purposes as the system managed by CRIF S.p.A. (For a list of affiliated foreign systems available, see www.crif.com.)
EXPERIAN-CERVED INFORMATION SERVICES S.p.A. also processes data obtained from public registers, lists, deeds or documents available to anyone, by every means (and also, therefore, through the use of automated credit scoring systems) and in compliance with the GDPR. The data processed by EXPERIAN-CERVED INFORMATION SERVICES S.p.A. can come to the attention of Experian Ltd, with headquarters in Nottingham (UK), which, in its capacity as Data Protection Officer, provides technological support services functional to such processing. The complete list of Data Protection Officers and every other information concerning the data processed by EXPERIAN-CERVED INFORMATION SERVICES S.p.A. is available at www.experian.it.
You have the right to access your data at any time, by contacting both Widiba and the Credit Information Systems managers at the addresses specified above.
Similarly, you may also ask for your data to be amended, updated, corrected or completed and to have any data processed in violation of the law be cancelled or blocked, or to oppose its use for legitimate reasons to be specified in the request (articles 15 to 21 of the GDPR; art. 8 of the code of ethics).