Privacy


Data controller

The methods of managing the website relating to processing the personal data of users visiting the website are detailed in this section. This information is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 – GDPR, for those who use the services accessible online from the address: www.inbiz.intesasanpaolo.com


This document also takes into account Recommendation no. 2/2001 that the European data protection authorities adopted to identify the minimum requirements for online personal data collection.


This information is only provided for the website www.inbiz.intesasanpaolo.com, and does not apply to other websites which the user may access via links.


The Data Controller is Intesa Sanpaolo S.p.A. with registered office in Turin, Piazza San Carlo, 156 – 10121.


Personal Data Protection Notice for Customers

Intesa Sanpaolo is committed to guaranteeing adequate, timely and rigorous protection of your personal data. Find out how we process and protect your data.



Data and methods of web processing

The data processing related to this site’s web services is only handled by the technical personnel of the department responsible for data processing. No data from the web service is disclosed or disseminated. Personal data provided by users who request information is only used to carry out the service requested, and is only disclosed to third parties if necessary to provide said service.


PROCESSING METHODS


Personal data is processed by automated systems for the time strictly necessary to achieve the purposes for which it was collected. Specific security measures are taken in order to prevent a loss of data, its illegal or improper use, and unauthorized access to data.


BROWSING DATA


During normal use, the IT systems and software procedures for running this website acquire some personal data the transmission of which is implicit in the use of Internet communication protocols.

It concerns information that is not collected to be associated with specific individuals, but which by its very nature could, through processing and association with data held by third parties, allow users to be identified.


This category of data includes IP addresses or domain names of computers used by users who connect to the site, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.) and other parameters related to the operating system and the users.




This data is processed for the following purposes:



  • to fulfill the requirements dictated by national and community regulations as well as provisions issued by Supervisory and Control Authorities, also in relation to the monitoring obligations of operational and credit risks at banking group level; the processing of your Personal Data to comply with regulatory requirements is mandatory and your consent is not required.

  • to pursue a legitimate interest of Intesa Sanpaolo, Group companies or third parties if such interests are not in conflict with the interests or fundamental rights and freedoms of the data subjects (article 6.1 letter f of EU Regulation no. 679/2016), i.e.:

    • the ascertainment of responsibility in the event of hypothetical computer crimes against the site and for investigations in the event of any disputes.

    • to obtain anonymous statistical information on the use of the site and to check its correct functioning, as well as for measurement purposes and improvement of the services offered and the Site.

    • to pursue any further legitimate interests. In the latter case, the Data Controller may process your Personal Data only after informing you and having ascertained that the pursuit of its own legitimate interests or those of third parties does not compromise your fundamental rights and freedoms.




Browsing data (collected both via website and app) persists on the servers for a period of 12 months. Personal Data may also be processed for a longer term, where an act interrupting and/or suspending the prescription occurs which justifies the extension of data retention.


DATA PROVIDED VOLUNTARILY BY THE USER


The optional, explicit and voluntary sending of emails to the addresses indicated on this website subsequently involves obtaining the sender’s address, required in order to reply to requests, as well as obtaining any other personal data within the message. The use of personal data to send advertising material, commercial information, or the sale of products or services by the Bank may only occur if the data subject has given prior consent. Specific summary information will be progressively reported or displayed on the website’s pages, which provide particular services on request.


Data and methods of App Processing

The processing of personal data deriving from the installation and use of the Bank's APPs* (hereinafter "apps") is carried out to allow you to use the services distributed through this application.


In particular, after the download and installation of the app, the following data is automatically detected by the mobile device:



  • Device information, IP addresses, model used, the name of the smartphone, as well as the type and version of the operating system used, device UUID, device root status

  • Location of the device in order to understand if the operations you carry out are in your geographical area

  • Wi-Fi connections in order to evaluate whether your network is secure

  • Installed applications with technical details in order to check if malicious apps are installed. The Intesa Sanpaolo Inbiz app, as a financial and banking services app, needs to have visibility of installed apps solely for security and anti-fraud purposes. At each login and each time the app is brought to the foreground, any malicious apps are detected and the risk index of possible ongoing fraud is raised by preventing the transaction from being executed for security purposes.

  • Network, SIM: ICCID (Integrated Circuit ID, aka, SIM Serial Number), IMSI (International mobile subscriber identity), IMEI (International Mobile station Equipment Identity), MAC address


This information is collected through the so-called SDKs present within the app, sent to wwww.inbiz.impresasanpaolo.com from the Intesa Sanpaolo Inbiz app, analyzed and archived for security/anti-fraud purposes, as well as to avoid anomalies in the display of contents and irregular stops.


To provide the services, the app also accesses the following data:



  • Credentials (user + pin) issued by the Bank for services

  • Nickname

  • Images via camera

  • Fingerprint/face ID


Personal data is used to make the app available, maintain and improve it, and communicate with users.


The download of the app is also used as numerical data for the sole purpose of obtaining anonymous statistical information about the number of users who download the app.


If the user provides the relevant permission, the Intesa Sanpaolo Mobile App will collect location data, in use and even when closed or not in use, to guarantee a greater level of security and to help the user find the branches, the automatic cash registers, and the shops where it is possible to pay with Bancomat Pay®.


Furthermore, the position of the device can be used to propose banking products and services or those connected to nearby commercial activities (Proximity Marketing) in line with the needs and on the basis of the privacy consents previously expressed.


* Intesa Sanpaolo Mobile, Intesa Sanpaolo Investimenti, Intesa Sanpaolo Inbiz


PROCESSING METHODS


Personal data is processed by automated systems for the time strictly necessary to achieve the purposes for which it was collected. Specific security measures are taken in order to prevent a loss of data, its illegal or improper use, and unauthorized access to data.


The IT systems and software procedures responsible for the operation of the apps (App Store or Google Play) acquire, during their normal operation, some data that can in any case be referred to the user, the transmission of which is implicit in the use of Internet communication protocols, smartphones and devices used. The bank is not involved in such processing nor can it be held responsible for it.


The data subjects may, however, consult the privacy information notice made available on the following sites:


App Store: https://www.apple.com/legal/internet-services/itunes/it/terms.html


Google Play: https://play.google.com/intl/it_it/about/play-terms.html


 


BROWSING DATA


During normal use, the IT systems and software procedures for running this app acquire some personal data the transmission of which is implicit in the use of Internet communication protocols.


It concerns information that is not collected to be associated with specific individuals, but which by its very nature could, through processing and association with data held by third parties, allow users to be identified.


This category of data includes IP addresses or domain names of computers used by users who connect to the site, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.) and other parameters related to the operating system and the users.


This data is processed for the following purposes:



  • to fulfill the requirements dictated by national and community regulations as well as provisions issued by Supervisory and Control Authorities, also in relation to the monitoring obligations of operational and credit risks at banking group level; the processing of your Personal Data to comply with regulatory requirements is mandatory and your consent is not required.

  • to pursue a legitimate interest of Intesa Sanpaolo, Group companies or third parties if such interests are not in conflict with the interests or fundamental rights and freedoms of the data subjects (article 6.1 letter f of EU Regulation no. 679/2016), i.e.:

    • the ascertainment of responsibility in the event of hypothetical computer crimes against the site and for investigations in the event of any disputes.

    • to obtain anonymous statistical information on the use of the site and to check its correct functioning, as well as for measurement purposes and improvement of the services offered and the Site.

    • to pursue any further legitimate interests. In the latter case, the Data Controller may process your Personal Data only after informing you and having ascertained that the pursuit of its own legitimate interests or those of third parties does not compromise your fundamental rights and freedoms.




Browsing data (collected both via website and app) persists on the servers for a period of 12 months. Personal Data may also be processed for a longer term, where an act interrupting and/or suspending the prescription occurs which justifies the extension of data retention.


Regarding the data saved by the app in the device keystore, based on the operating system used:



  • Android: the data is saved in the shared preferences until the customer executes “Delete data” from Application Management or uninstalls the App;

  • iOS: data is saved in the keystore.


The bank is not involved in such processing; for further information regarding saving and deleting data on the device we invite you to refer to the manufacturers of the operating systems in use.


Rights of the data subject

In your capacity as Data Subject, you may exercise, at any time towards the Data Controller, the rights provided by the Regulation (right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object).


Any communications and actions undertaken by the Bank in response to the exercise of the rights listed below will be completed free of charge. However, if your requests are manifestly groundless or excessive, particularly due to their repetitive nature, the Bank may charge you a cost contribution, considering the administrative costs incurred, or refuse to satisfy your requests.


Without prejudice to your right to take action in any other administrative or jurisdictional venue, if you believe that the processing of your Personal Data by the Controller is occurring in breach of the Regulation and/or the applicable legislation, you may lodge a complaint with the Data Protection Supervisor.


For any requests regarding the processing of your Personal Data and/or to exercise the rights provided for by the Regulation, you can refer to:


Intesa Sanpaolo S.p.A. Piazza San Carlo 156, 10121 Torino.

Email: dpo@intesasanpaolo.com

 


DPO - Data protection officer

Intesa Sanpaolo has appointed, within its organisation, the "Data Protection Officer (DPO)", as required by article 37 of EU Regulation 2016/679.


The Data Protection Officer is a new figure whose role consists in monitoring compliance with the Regulation itself and assessing the risks to data subjects (customers, potential customers, employees, suppliers) of any processing of personal data carried out by Intesa Sanpaolo.


The DPO supports Intesa Sanpaolo in informing its employees about the obligations deriving from the Regulation and other provisions regarding data protection.


It also cooperates with the Data Protection Authority and is the point of contact for Intesa Sanpaolo on any issue related to the processing of personal data.


You can contact the DPO for any requests regarding the processing of your Personal Data and/or to exercise the rights provided for by the Regulation at the following address:

Intesa Sanpaolo S.p.A. Piazza San Carlo 156, 10121 Torino.

Email: dpo@intesasanpaolo.com


 


Personal data protection policy for the use of the app

1. YOUR PRIVACY


Intesa Sanpaolo S.p.A. cares about your privacy. Through our APP, you can operate quickly and easily, wherever you are, with high standards of security and confidentiality.


Here we provide you with detailed information on how we process and protect your personal data when you download and use the Intesa Sanpaolo Inbiz APP and the Services that you have subscribed to and that we provide through the APP.


As the data controller, Intesa Sanpaolo S.p.A., with registered office in Piazza San Carlo 156, 10121 Turin, Italy, processes the personal data resulting from the installation and use of the APP necessary for its correct use and safe operation.


This policy complements the Client policy that has already been provided to you, in accordance with European Regulation 2016/679 ("GDPR - General Data Protection Regulation"), available at www.intesasanpaolo.com (Privacy section), where we covered general topics of privacy and confidentiality of personal data.


 


2. WHAT PERSONAL DATA DO WE PROCESS?


The regulations define "personal data" as information that identifies you or makes you identifiable as a natural person.


The personal data we process and protect when you use our App fall into the following categories:


a.     Information about the device you use, such as the type, operating system, language, telephone or internet provider, network connection address (IP address), date, time, other installed applications with technical details and the so-called unique identifiers (i.e. advertising identifiers provided by the device manufacturer);


b.     Information on your location (so-called geolocation) taken directly from your device, following your request to use certain services such as displaying the fast cash machines nearest to you;


c.     Other information obtained from the APP services: depending on the services you request from us, we may process certain data obtained through the features of your device that the APP may request access to, such as:



  • Your contacts in the address book – to facilitate the execution of operations such as phone top-ups;

  • Data contained in the memory - e.g., to allow you to save or open documents;

  • Data on your call system - to make calls directly from the APP;

  • Data on your push notification system - to be able to send you push notifications useful for authorising current account orders and operations such as, for example, credit card payments;

  • Data contained in the calendar to save deadlines in your agenda;

  • Data contained in the photo gallery - for example, to retrieve images of documents.


The fingerprint or facial recognition authentication functionality, which may be enabled to operate on the APP without entering the owner code and PIN, is carried out by software installed on the device by the manufacturer and therefore does not involve the processing of biometric data in the procedures managed by the Bank.


 


3. WHY DO WE NEED TO PROCESS YOUR DATA?


We need your data to enable safe and proper functioning of the APP and the services you have activated.


If you decide not to provide us with your data or part of your data, you may find yourself totally or partially unable to use the APP and its services.


 


4. HOW DO WE COLLECT YOUR DATA?


The data we process may be obtained:


Directly: you provide them to us by logging in and using the APP.


Indirectly: if we have collected them from your device through analysis by the software within the APP and also through the camera and/or microphone functionalities if you have allowed access.


The data we collect are sent to our systems and analysed and archived.


 


5. WHAT IS THE BASIS FOR OUR PROCESSING? FOR WHAT PURPOSES DO WE PROCESS DATA?


We can only process your data if the purpose of the processing is supported by a legal basis under the GDPR.


We will briefly explain the processing we carry out and the purposes for which we do so.


THE LEGAL BASIS


a)   Contract and pre-contractual measures (Art. 6.1(b) of the GDPR)


OUR PURPOSES


We provide the services you have subscribed to with the Bank and other Group Banks and that you wish to request from us more easily and quickly via the APP.


We provide high standards of service by detecting any anomalies (e.g., abnormal opening of the APP, a link or section thereof, or through geolocation, unusual or suspicious access to it from a country other than the one from which you usually access it) and thus avoiding disruptions.


b) Legal obligation (Art. 6.1(c) of the GDPR)


OUR PURPOSES


We assess the risks of fraud and prevent them, as required by EU and national law.


We recognise transactions suspected of being fraudulent and/or attempted fraud perpetrated against clients, by means of an automated decision-making process, including profiling.


 


6. HOW DO WE COLLECT DATA ON YOUR LOCATION?


We can detect your position:



  • when you manually enter an address, city or postcode on the APP

  • via your device's sensors, such as Bluetooth, Wi-Fi, GPS, accelerometer, gyroscope. If present and enabled in the settings, these sensors share the information collected with the device and thus with the APP and allow geolocation information to be obtained

  • via the Internet connection address (IP address)


This information is only detected when you are using the APP.


You can always disable this information from your device settings or limit it by only activating location tracking while using the APP or by only providing us with your address and postcode.


 


7. PROFILING AND AUTOMATED DECISION-MAKING PROCESSES FOR FRAUD PREVENTION


We take care of your data and process them using IT tools with methods related to the purposes of the processing and we guarantee their security and confidentiality.


In order to prevent the risk of fraud, we have developed a model that processes the data collected by the APP through the use of statistical algorithms that allow a predictive assessment of any anomalies in the operation of the APP. Data are analysed and processed by applying a profiling technique which allows effective fraud prevention.


This profiling, which is based on the data collected on your device and information on your location, is carried out by means of a fully automated decision-making process, i.e., it makes decisions using technological means, without any human intervention.


In particular circumstances, i.e., when the operating system on which the APP is installed is compromised, the fraud prevention process may go as far as to temporarily inhibit the use of the APP.


To ensure the fairness and correctness of this automated decision-making process, the method for assessing the reliability and security of the device undergoes regular checks, and we have defined appropriate measures to ensure the proper functioning of the statistical models used and the correctness of their calculation logic over time.


Decisions made by the system to allow you to securely execute banking transactions are made in fulfilment of specific obligations under European Union law and domestic law, aimed at ensuring the prevention, investigation and detection of fraud. The processing of personal data in this case finds its legal basis in article 22, par. 2, letter b) of the Regulation.


 


8. HOW LONG DO WE KEEP YOUR DATA?


We retain your data for a period of 12 months from when we collected them. The data retention periods stipulated in the Client policy already in your hands do not change.


 


9. WHO COULD RECEIVE THE DATA YOU PROVIDED?


We may disclose your personal data to the Intesa Sanpaolo Group Banks with which you have a current account relationship or another relationship linked to the My Key service, only for the specific purposes indicated in the policy according to the legal bases provided by the GDPR.


 


10. YOUR RIGHTS


As also specified in our general policy, if you wish to obtain more information on the processing of your personal data or to exercise your rights under the GDPR, you can send a request in writing to the Data Protection Officer at dpo@intesasanpaolo.com or by PEC at: privacy@pec.intesasanpaolo.com attaching the Form for the exercise of rights that you can find in the "Privacy" section of the website www.intesasanpaolo.com.


 


GLOSSARY


IP Address: is a unique number used by Browser, Device and App to connect to the Internet. This number is generated by the provider of your Internet connection service and allows identification of the provider and/or the approximate geographical area in which you are located as well as your identification. Without such data you cannot connect to the Internet, and we use it to provide you with the Services but also to collect information about your location.


Unique Identifiers: this is information that can uniquely identify you through your Device and/or Application. Advertising identifiers provided by manufacturers such as Apple's IDFA and Android's AAID are considered as included in this category. On this topic, we would like to point out that, in line with the opinions of the European Supervising Authorities, we do not use other Unique Identifiers such as MAC Address and IMEI as you cannot reset them. To find out how to reset or not share Unique Identifiers with us, go to the section "Set your preferences for Data collected by Device and Application".


Software Development Kit (SDK) and related technologies: this is information that applications record and/or read on your device. Typically, these technologies allow the use of an application to be analysed.


Aggregated information: this is statistical information extracted and filtered (free of your personal data) so that it is no longer traceable to you. We use this information to measure the effectiveness of our services.


Geolocation and Device Sensors: these are sensors such as accelerometer, gyroscope, Bluetooth, Wi-Fi and GPS that, if enabled within the device settings, share the information collected with the App and allow us to obtain information on your location.