Privacy


Data controller

The methods of managing the website relating to processing the personal data of users visiting the website are detailed in this section. This information is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 – GDPR, for those who use the services accessible online from the addresses:


www.intesasanpaolo.com and www.inbiz.intesasanpaolo.com


This document also takes into account Recommendation no. 2/2001 that the European data protection authorities adopted to identify the minimum requirements for online personal data collection.


This information is only provided for the websites www.intesasanpaolo.com and www.inbiz.intesasanpaolo.com, and does not apply to other websites which the user may access via links.


The Data Controller is Intesa Sanpaolo S.p.A. with registered office in Turin, Piazza San Carlo, 156 – 10121.


Personal Data Protection Notice for Customers

Intesa Sanpaolo is committed to guarantee adequate, timely and rigorous protection of your personal data. Find out how we process and protect your data.



Data and methods of web processing

The data processing related to this site’s web services is only handled by the technical personnel of the department responsible for data processing. No data from the web service is disclosed or disseminated. Personal data provided by users who request information is only used to carry out the service requested, and is only disclosed to third parties if necessary to provide said service.


PROCESSING METHODS


Personal data is processed by automated systems for the time strictly necessary to achieve the purposes for which it was collected. Specific security measures are taken in order to prevent a loss of data, its illegal or improper use, and unauthorized access to data.


BROWSING DATA


During normal use, the IT systems and software procedures for running this website acquire some personal data the transmission of which is implicit in the use of Internet communication protocols.

It concerns information that is not collected to be associated with specific individuals, but which by its very nature could, through processing and association with data held by third parties, allow users to be identified.


This category of data includes IP addresses or domain names of computers used by users who connect to the site, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.) and other parameters related to the operating system and the users.




This data is processed for the following purposes:



  • to fulfill the requirements dictated by national and community regulations as well as provisions issued by Supervisory and Control Authorities, also in relation to the monitoring obligations of operational and credit risks at banking group level; the processing of your Personal Data to comply with regulatory requirements is mandatory and your consent is not required.

  • to pursue a legitimate interest of Intesa Sanpaolo, Group companies or third parties if such interests are not in conflict with the interests or fundamental rights and freedoms of the data subjects (article 6.1 letter f of EU Regulation no. 679/2016), i.e.:

    • the ascertainment of responsibility in the event of hypothetical computer crimes against the site and for investigations in the event of any disputes.

    • to obtain anonymous statistical information on the use of the site and to check its correct functioning, as well as for measurement purposes and improvement of the services offered and the Site.

    • to pursue any further legitimate interests. In the latter case, the Data Controller may process your Personal Data only after informing you and having ascertained that the pursuit of its own legitimate interests or those of third parties does not compromise your fundamental rights and freedoms.




Browsing data (collected both via website and app) is retained on the servers for a period of 12 months. Personal Data may also be processed for a longer term, where an act interrupting and/or suspending the prescription occurs which justifies the extension of data retention.


DATA PROVIDED VOLUNTARILY BY THE USER


The optional, explicit and voluntary sending of emails to the addresses indicated on this website subsequently involves obtaining the sender’s address, required in order to reply to requests, as well as obtaining any other personal data within the message. The use of personal data to send advertising material, commercial information, or the sale of products or services by the Bank may only occur if the data subject has given prior consent. Specific summary information will be progressively reported or displayed on the website’s pages, which provide particular services on request.


Data and methods of App Processing

The processing of personal data deriving from the installation and use of the Bank's APPs* (hereinafter "apps") is carried out to allow you to use the services distributed through this application.


In particular, after the download and installation of the app, the following data is automatically collected from the mobile device:



  • Device information, IP addresses, model used, the name of the smartphone, as well as the type and version of the operating system used, device UUID, device root status

  • Location of the device in order to understand if the operations you carry out are in your geographical area

  • Wi-Fi connections in order to evaluate whether your network is secure

  • Installed applications with technical details in order to check if malicious apps are installed

  • Network, SIM: ICCID (Integrated Circuit ID, aka SIM Serial Number), IMSI (International Mobile Subscriber Identity), IMEI (International Mobile Station Equipment Identity), MAC address


This information is collected through the so-called SDKs present within the app, sent to www.intesasanpaolo.com from the Intesa Sanpaolo Mobile app and to www.inbiz.intesasanpaolo.com from the Intesa Sanpaolo Inbiz app, and analyzed and archived for security/anti-fraud purposes, as well as to avoid anomalies in the display of contents and irregular stops.


To provide the services, the app also accesses the following data:



  • Credentials (user + pin) issued by the Bank for services

  • Nickname

  • Images via camera

  • Fingerprint/face ID


Personal data is used to make the app available, maintain and improve it, and communicate with users.


The download of the app is also used as numerical data for the sole purpose of obtaining anonymous statistical information about the number of users who download the app.


If the user provides the relevant permission, the Intesa Sanpaolo Mobile App will collect location data, while in use and even when closed or not in use, to guarantee a greater level of security and to help the user find the branches, the automatic cash registers, and the shops where it is possible to pay with Bancomat Pay®.


Furthermore, the position of the device can be used to propose banking products and services or those connected to nearby commercial activities (Proximity Marketing) in line with the needs and on the basis of the privacy consents previously expressed.


* Intesa Sanpaolo Mobile, Intesa Sanpaolo prepagate, Intesa Sanpaolo Investimenti, Move and Pay Business, Intesa Sanpaolo Inbiz


PROCESSING METHODS


Personal data is processed by automated systems for the time strictly necessary to achieve the purposes for which it was collected. Specific security measures are taken in order to prevent a loss of data, its illegal or improper use, and unauthorized access to data.


The IT systems and software procedures responsible for the operation of the app stores (App Store or Google Play) acquire, during their normal operation, some data that can in any case be referred to the user, the transmission of which is implicit in the use of the communication protocols of the internet and of the smartphones and devices used. The bank is not involved in such processing nor can it be held responsible for it.


The data subjects may, however, consult the privacy information notice made available on the following sites:


App Store: https://www.apple.com/legal/internet-services/itunes/it/terms.html


Google Play: https://play.google.com/intl/it_it/about/play-terms.html




BROWSING DATA


During normal use, the IT systems and software procedures for running this app acquire some personal data the transmission of which is implicit in the use of Internet communication protocols.


It concerns information that is not collected to be associated with specific individuals, but which by its very nature could, through processing and association with data held by third parties, allow users to be identified.


This category of data includes IP addresses or domain names of computers used by users who connect to the site, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.) and other parameters related to the operating system and the users.


This data is processed for the following purposes:



  • to fulfill the requirements dictated by national and community regulations as well as provisions issued by Supervisory and Control Authorities, also in relation to the monitoring obligations of operational and credit risks at banking group level; the processing of your Personal Data to comply with regulatory requirements is mandatory and your consent is not required.

  • to pursue a legitimate interest of Intesa Sanpaolo, Group companies or third parties if such interests are not in conflict with the interests or fundamental rights and freedoms of the data subjects (article 6.1 letter f of EU Regulation no. 679/2016), i.e.:

    • the ascertainment of responsibility in the event of hypothetical computer crimes against the site and for investigations in the event of any disputes.

    • to obtain anonymous statistical information on the use of the site and to check its correct functioning, as well as for measurement purposes and improvement of the services offered and the Site.

    • to pursue any further legitimate interests. In the latter case, the Data Controller may process your Personal Data only after informing you and having ascertained that the pursuit of its own legitimate interests or those of third parties does not compromise your fundamental rights and freedoms.




Browsing data (collected both via website and app) is retained on the servers for a period of 12 months. Personal Data may also be processed for a longer term, where an act interrupting and/or suspending the prescription occurs which justifies the extension of data retention.


Regarding the data saved by the app in the device keystore, based on the operating system used:



  • Android: the data is saved in the shared preferences until the customer executes “Delete data” from Application Management or uninstalls the App;

  • iOS: the data is saved in the keystore.


The bank is not involved in such processing; for further information regarding saving and deleting data on the device we invite you to refer to the manufacturers of the operating systems in use.


Rights of the data subject

In your capacity as Data Subject, you may exercise, at any time towards the Data Controller, the rights provided by the Regulation (right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object).


Any communications and actions undertaken by the Bank in response to the exercise of the rights listed above will be completed free of charge. However, if your requests are manifestly groundless or excessive, particularly due to their repetitive nature, the Bank may charge you a cost contribution, considering the administrative costs incurred, or refuse to satisfy your requests.


Without prejudice to your right to take action in any other administrative or jurisdictional venue, if you believe that the processing of your Personal Data by the Controller is occurring in breach of the Regulation and/or the applicable legislation, you may lodge a complaint with the Data Protection Supervisor.


For any requests regarding the processing of your Personal Data and/or to exercise the rights provided for by the Regulation, you can refer to:


Intesa Sanpaolo S.p.A. Piazza San Carlo 156, 10121 Torino.

Email: dpo@intesasanpaolo.com



DPO - Data protection officer

Intesa Sanpaolo has appointed, within its organisation, the "Data Protection Officer (DPO)", as required by article 37 of EU Regulation 2016/679.


The Data Protection Officer is a new figure whose role consists in monitoring compliance with the Regulation itself and assessing the risks to data subjects (customers, potential customers, employees, suppliers) arising from any processing of personal data carried out by Intesa Sanpaolo.


The DPO supports Intesa Sanpaolo in informing its employees about the obligations deriving from the Regulation and other provisions regarding data protection.


It also cooperates with the Data Protection Authority and is the point of contact for Intesa Sanpaolo on any issue related to the processing of personal data.


You can contact the DPO for any requests regarding the processing of your Personal Data and/or to exercise the rights provided for by the Regulation at the following address:

Intesa Sanpaolo S.p.A. Piazza San Carlo 156, 10121 Torino.

Email: dpo@intesasanpaolo.com




Supplementary information on the protection of personal data pursuant to European Regulation 2016/679 - Use of the APP

Processing of personal data for the use of the APP and the provision of the Services.


Intesa Sanpaolo S.p.A., with registered office in Piazza San Carlo 156, 10121 Turin, as data controller (hereinafter also the "Bank" or the "Data Controller"), intends to supplement with this information notice (the "Notice"), for the activities referred to in the subject only, the general information notice already provided pursuant to European Regulation 2016/679 (hereinafter the "Regulation"), available on the website www.intesasanpaolo.com (Privacy section), to which reference is made for the parts not expressly regulated by this supplement.

In particular, with this Notice the Bank wishes to provide you with some information regarding the processing of personal data deriving from the installation of the APP, necessary for its correct use and safe functioning. Through the APP you will be able to use the services already subscribed to, which will be provided to you through the APP (hereinafter the "Services").



SECTION 1 – SOURCES, CATEGORIES OF PERSONAL DATA, PURPOSE AND LEGAL BASIS OF THE PROCESSING.



1.1.1 Sources and categories of personal data.



The personal data that the Bank processes are provided by you using the APP. The personal data processed includes the following information.



1.1.2 Data collected by the APP on the mobile device used.



When you access the APP, some information is collected directly from the device used, such as the type of device, the operating system, the language, the telephone operator or the internet provider, the IP address (1), the date, time, other installed applications with technical details (in order to check if malicious apps are installed) and unique identifiers (2). This information is collected through the so-called SDKs (3) present within the App, sent to www.intesasanpaolo.com from the Intesa Sanpaolo Mobile app and to www.inbiz.intesasanpaolo.com from the Intesa Sanpaolo Inbiz app, and analyzed and archived for security/anti-fraud purposes, as well as to avoid anomalies in the display of contents and irregular stops.



Depending on the services activated, the APP may require access to some features on the mobile device such as: the camera (for example to make cash withdrawals with the cardless functionality); the contact book (for making payments via the ATM function); memory (for example to allow you to save or open documents); the calling system, to make calls directly from the APP; push notifications to authorize orders and operations on the current account (such as, for example, payments via credit cards or bank transfers in the SEPA and non-SEPA areas, payments of MAV and RAV bills, telephone top-ups, etc.); the authentication system used to access the APP, such as the user code, fingerprints or facial recognition if used. In these cases the APP only receives a unique numerical code from the device which confirms that the user code, fingerprint or facial characteristics belong to the same person authorized to use the device. Under no circumstances will the APP collect fingerprints or facial characteristics recorded by the mobile device, given that the fingerprint check is not carried out by the Bank's procedures but by software installed on the mobile device by the manufacturer. All fingerprints set within your smartphone are therefore enabled to operate on the APP, but only if this functionality has been activated on the APP itself.




(1) IP address means a unique number used by internet browsers, the device and the APP to connect to the internet. This number is generated by the person who provides you with the internet connection service and allows you to identify, in addition to you, also the connection service provider and/or the approximate geographical area in which you are located. Without this information it is not possible to connect to the internet; it is also used to provide you services via the APP, as well as to collect information on your location.


(2) These are the advertising identifiers made available by mobile device manufacturers, such as Apple's IDFA and Android's AAID, but also the MAC Address and IMEI. Regarding the latter two identifiers (MAC Address and IMEI), we specify that they will only be used to guarantee the security of authentication and transactions.


(3) These are software libraries that are installed together with the APP. They allow the collection of data in the same way as cookies on the browser. Through the SDKs we may collect information about your device, including unique identifiers. The data collected by the SDKs used on the APP is therefore of a technical nature and is used exclusively to verify the correct functioning of the APP, to generate temporary passwords (so-called OTP) and for anti-fraud purposes.


1.1.3 Information about your location.


The location information is collected in order to allow the use of certain functions upon your request (for example to view the Bank branches or express checkouts closest to you) and to verify any unusual or suspicious access to the APP from countries other than those from which you usually access. Your location can be determined by manually entering an address, city or postal code, by your device's sensors (4) and by your IP address.

Information about your location may be deactivated by you from your device settings. If you wish to limit information on your location, you can activate location tracking from your device only while using the APP or, alternatively, by providing us only with your address or postal code.


(4) Depending on the device, these are sensors such as accelerometer, gyroscope, Bluetooth, Wi-Fi and GPS which, in one way or another, share the information collected with the device itself and therefore with the APP. If enabled by the device settings, this information also allows us to obtain information on your location.


1.2. PURPOSE AND LEGAL BASIS OF THE PROCESSING.


1.2.1 Processing necessary for the execution of a contract or pre-contractual measures adopted at the request of the interested party (art. 6, par. 1, letter b of the Regulation).


Your personal data, collected by the APP installed on your mobile device, referred to in paragraph 1.1.2, are processed by the Bank to provide you with the Services that you have already subscribed to, both with the Bank and with the other banks of the Intesa Sanpaolo S.p.A. group, or which you intend to subscribe to subsequently, in a simpler and more immediate way via the APP. By way of example and not exhaustively, you will be able to carry out all payment operations linked to your account on the APP, pay utilities (e.g. electricity and gas bills) simply by scanning a QR code using the device's camera, and make bank transfers to subjects registered in the address book of your device. Through the APP you will also be able to access your account without having to enter your credentials (user code and PIN), activating access using fingerprints or facial recognition. The aforementioned data processing will be carried out using the profiling logic described in the following paragraph 2.1.1 of Section 2.


The personal data and information referred to in paragraphs 1.1.2 and 1.1.3 may also be processed:


a) to detect anomalies in the Services such as, by way of example and not limited to, the anomalous opening of the APP, of a link or of a section contained therein to avoid the occurrence of a disservice, also through profiling;


b) to measure the effectiveness of the Services by creating aggregate information, for example through the analysis of your interactions with the APP or by taking into account your reports or suggestions. Aggregated information is statistical information extracted and purified from your personal data, so that it is no longer attributable to you. The Bank uses this information to measure the effectiveness of the Services.


The processing of your data referred to in paragraphs 1.1.2 and 1.1.3 is therefore necessary for the execution of a contract to which you are a party or for the execution of pre-contractual measures adopted at your request. Accordingly, the provision of your personal data necessary for the use of the APP is not mandatory, but the refusal to provide such data or part of it could make it impossible, totally or partially, to use the Services via the APP.


1.2.2 Profiling carried out to prevent the risk of fraud.


In order to prevent the risk of any fraudulent or illicit behaviour, the Bank has developed a model based on the analysis of the data referred to in paragraphs 1.1.2 (data collected by the APP on the mobile device used) and 1.1.3 (information on your location), which are processed through the application of a profiling technique, better described in the following paragraph 2.1. This processing allows for a more effective assessment of the risk of suffering fraud and, consequently, allows the Bank to prevent this risk more efficiently.

Profiling functional to the prevention of fraud is part of a fully automated decision-making process, according to the methods described in the following paragraph 2.1.2.


SECTION 2 - PROCESSING METHODS, AUTOMATED DECISION MAKING, INCLUDING PROFILING AND STORAGE TIMES OF PERSONAL DATA.


2.1 Processing methods


Your personal data are processed in full compliance with the principle of proportionality of processing, according to which the same data and the methods of their processing are relevant and not excessive in relation to the purposes pursued.


2.1.1 Profiling.


With regard to the profiling carried out for the purposes of execution of the contract and for the prevention of fraud risk, referred to in the previous paragraphs 1.2.1 and 1.2.2, the Bank uses an internally estimated model which processes the data collected by the APP on the mobile device used (referred to in paragraph 1.1.2) and information on your location (referred to in paragraph 1.1.3) through the use of statistical algorithms, developed internally, which allow a predictive evaluation of any anomalies in the operation of the App and of fraud risk. In this sense, the personal data processed are those strictly necessary to guarantee the accuracy of the evaluation carried out by the Bank, the effectiveness of the algorithms used and their reliability over time.


The technology used to carry out profiling activities provides rules that exclude profiling on particular categories of personal data, as profiling of such data is not considered functional to the pursuit of the processing purposes referred to in paragraphs 1.2.1 and 1.2.2.


2.1.2 Automated decision making, including profiling.


The Bank, in order to prevent any fraud or illegal behavior that may jeopardize the security of the Services used via the APP (for example if the use of the APP is detected in ways other than those permitted, or if it is accessed from a country other than those from which the user usually connects), applies a totally automated decision-making process, through the profiling of the data indicated in paragraphs 1.1.2 and 1.1.3. This means that, on the basis of the profiling carried out, decisions can be made with the use of technological means without human intervention and therefore in a totally automated way.


In this process, the Bank makes use of statistical algorithms, developed internally, which allow it to evaluate the traceability of operations conducted via APP to the customer in order to prevent fraud.

More specifically, personal data are subject to specific statistical processing in order to attribute to the device from which the operation is performed a summary judgment regarding the traceability of the device itself to the customer. To assign the rating, the Bank uses an internal model that processes and integrates the information collected through the use of statistical and analytical techniques.

The automated decision is based not only on the summary judgement, but also on statistical rules that verify whether the device possesses the minimum characteristics to guarantee that the App operates in a secure context. This process allows the Bank to mitigate the risk of suffering IT fraud and crimes.


In consideration of this, and to guarantee the fairness and correctness of the process used, the Bank subjects the methods of evaluating the degree of reliability and security of the device to regular checks. To this end, the Bank has defined appropriate safeguards to guarantee the correct functioning of the statistical models used and the related calculation logic over time.


The decision based on automated processing (for example the inhibition of the use of the APP on the mobile device where it was installed, following the detection of fraudulent behavior) is necessary to prevent cases of fraud via the APP and is based on the fulfillment of specific obligations established by European Union law and domestic law, aimed at guaranteeing the prevention, investigation and identification of cases of fraud. The decision therefore finds its legal basis in art. 22, par. 2, letter b) of the Regulation.


This automated decision-making process could therefore make it impossible to use the App, in the event that the operating system on which it is installed is compromised.


2.2 RETENTION PERIOD


The personal data collected and processed for the purposes indicated in Section 1 of this Notice will be kept for 12 (twelve) months. The Bank, in its capacity as data controller, will not communicate or disseminate to third parties, other than the Bank itself, any other personal data or particular categories of personal data collected through the APP.




SECTION 3 - CATEGORIES OF RECIPIENTS TO WHOM YOUR PERSONAL DATA MAY BE COMMUNICATED


To allow you to use, via the APP, the services provided by the banks of the Intesa Sanpaolo S.p.A. group with which you have a current account or other relationship connected to the My Key or Inbiz service, as well as for the pursuit of the other purposes indicated in paragraph 1.2.1 of this Notice, Intesa Sanpaolo S.p.A. will communicate to the aforementioned group banks the personal data referred to in paragraphs 1.1.2 and 1.1.3. The aforementioned banks will process such data in the capacity of data controllers.