INFORMATION TO APPLICANTS TO REGISTER ON THE “BANCOMAT ON LINE” PLATFORM IN ACCORDANCE WITH ARTICLES 13 AND 14 OF EU REGULATION 2016/679 “GENERAL DATA PROTECTION REGULATION”

We hereby inform you that Regulation (EU) 2016/679 (“GDPR”) and the applicable Italian legislation periodically in force (“Privacy Legislation”) – including the provisions issued by the Data Protection Authority (“Authority”) – set out rules regarding the protection of individuals with regard to the processing of personal data, safeguarding their fundamental rights and freedom and, in particular, the right to the protection of personal data.

Pursuant to Art. 13 and Art. 14 of the GDPR, we hereby inform you of the methods and purposes with which BANCOMAT S.p.A., with sole headquarters at Via Vittorio Veneto, 54b, 00187, Rome, as the Data Controller, will process your personal data.

Please read this privacy policy carefully before providing us with any personal data relating to you.

The policy relates to the processing of personal data of users (“Users” or “Data Subjects”) who, as parties interested in using the documentary content (“Circuit Documents”) and/or services (“Services”) offered by BANCOMAT S.p.A. to its customers, including through the provision of specific applications (“Applications”), intend to request the opening of a specific account (“Account”) to allow access to the online platform owned by BANCOMAT S.p.A. containing these Circuit Documents and Services (“Platform”), accessible through the website www.bancomat.it (“Website”) and contained within the web application called “BANCOMAT ON LINE” (“BOL”).

***

The personal data relating to the Data Subjects is collected by BANCOMAT S.p.A. directly from them at the time of signing the contract related to the use of the Platform entered into with BANCOMAT S.p.A. (“Contract”), at the time of their registration request to the Platform or their subscription to the Services accessible via BOL, through the completion of the relevant form (“Form”), as well as during the use of the Platform (navigation data) or, indirectly, through information provided by a third party within the business organisation to which the Data Subject belongs, who has requested the opening of an Account in their name to allow access to the Platform.

The personal data processed by BANCOMAT S.p.A. is the data indicated below.

1) Data provided voluntarily.

The data acquired:

✓ at the time of signing the Contract;

✓ when completing the registration Form for access to BOL or to the individual Services accessible through BOL;

✓ when requesting the opening of new Accounts.

The data:

· personal data (first name and last name);

· contact details (e-mail, landline/mobile phone number);

· position/professional qualification/department to which they belong.

2) Navigation data.

This data is acquired automatically when using BOL.

The computer systems and software procedures used to operate BOL automatically obtain, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects. However, by its very nature it may allow users to be identified, through processing and by association with data held by third parties. This category of data includes the IP addresses or domain names of the computers used by users connecting to the Website, the Uniform Resource Identifier (URI) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s response (success, error, etc.) and other parameters related to your operating system and IT environment. Except as provided in relation to the use of cookies, this data is used for the sole purpose of obtaining anonymous statistical information on the use of BOL and to check its correct functioning and is deleted immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against BOL. Browsing data is processed for the legitimate interest of the Data Controller to guarantee the security of BOL, check its correct functioning and obtain anonymous statistics in relation to its use (Art. 6, paragraph 1 (f) of the GDPR).

3) Personal data collected through cookies or similar technologies.

This data is acquired automatically when using BOL through the use of technical and similar cookies. No tracking is performed using this tool.

The user can view the complete Cookie Policy at the following address:

https://bol.bancomat.it/Home/Cookies.

*****

All the aforementioned personal data is collected and used by BANCOMAT S.p.A. in full compliance with the applicable privacy legislation, as well as the confidentiality obligations to which our operations have always adhered, for the purposes and based on the following legal grounds:

a) pursuant to Art. 6, paragraph 1 (c) of the GDPR, to fulfil the obligations provided by current tax legislation (invoicing of costs for access to the Platform);

b) pursuant to Art. 6, paragraph 1 (b) of the GDPR, to negotiate the conditions relating to the Contract to be entered into with BANCOMAT S.p.A. for access to BOL or in order to execute the same downstream of the stipulation;

c) pursuant to Art. 6, paragraph 1 (f) of the GDPR, to pursue the legitimate interest of BANCOMAT S.p.A.:

· to efficiently manage the Users who access the Platform, entering the related data in a database managed electronically on the IT systems of BANCOMAT S.p.A.;

· to exercise or defend a right in court or out-of-court, including in case of breaches of the Contract or violations of the law.

*****

The Services accessible to BOL Users include those made available through specific Applications and their purpose is to:

✓ monitor fraudulent activities that may involve cards and the acceptance network of the circuits (“Circuits”) owned by BANCOMAT S.p.A. - BANCOMAT®, PagoBANCOMAT® and BANCOMAT Pay® and disseminate information regarding the most advanced tampering methods and the precautions to prevent and counteract them (“Fraud Reporting Oversight” or “Oversight”);

✓ manage any accounting disputes and/or commercial disputes (arising from the purchase of goods and/or services through e-commerce and/or m-commerce channels) between the Issuer and Acquirer parties involved, as well as coordinate these and the activities necessary for resolving such issues (“Dispute Portal” or “Portal”);

✓ centrally manage the files of the ATM and POS terminals as well as all the equipment functional to the acceptance of withdrawal and payment transactions on the Circuits, guaranteeing the registration of the same equipment and of the affiliated merchants, as well as the monitoring and control of transactions (“RAC Archive”);

✓ process the approval requests and manage the related procedure (“Approval”);

✓ allow Users to receive support in relation to the Services if they request it (“Trouble Ticketing”).

The personal data processed by BANCOMAT S.p.A. within the scope of these Applications – corresponding to personal data (first and last name), contact details (e-mail, landline/mobile phone number), position/professional qualification/department of the User authorised to operate on the Platform – is collected and used by BANCOMAT S.p.A., in the same way as the aforementioned data, in full compliance with the applicable privacy legislation and the confidentiality obligations that apply to us, based on the following legal grounds:

a) pursuant to Art. 6, paragraph 1 (c) of the GDPR, to fulfil any legal obligations and/or requests and/or commitments undertaken towards the administrative and judicial authorities, as well as the surveillance authorities responsible for verifying and monitoring the regularity of the operations performed on the Circuits;

b) pursuant to Art. 6, paragraph 1 (b) of the GDPR, in order to execute the Contract and/or the request for subscription to the Services and to manage the related activities;

c) pursuant to Art. 6, paragraph 1 (f) of the GDPR, to pursue the legitimate interest of BANCOMAT S.p.A.:

- to control the performance of transactions and guarantee the correct monitoring of the Circuits, monitoring fraudulent events, in order to prevent or promptly identify the existence of possible fraud and identify suitable countermeasures to avoid the occurrence of the same or restore the correct performance of the Circuits;

- to manage the relationships between the circuit members (Issuer and Acquirer Banks or the “Members”), in relation to any disputes arising with reference to the purchase of goods and/or services by the relative customers (cardholder users and affiliated merchants) through the e/m‑commerce channel;

- to ensure the constant updating of the archives containing the data relating to the equipment operating on the Circuits;

- to exercise or defend a right in court or out-of-court in the event of breach of the Contract and/or the Services or breaches of the law.

Personal data may also be used - in aggregate form - for statistical purposes.

*****

The provision of personal data is optional but necessary, as failure to provide it will make it impossible to enter into the Contract with BANCOMAT S.p.A. and execute it or allow access to the Platform.

Personal data will be processed using automated and non-automated tools, by specifically authorised and specially trained staff and with logic strictly related to the processing purposes and, in any case, in such a way as to guarantee its security and confidentiality. Appropriate security measures are observed to prevent data loss, or illegal or incorrect use and unauthorised access.

Without prejudice to the rights referred to in Articles 15 et seq. of the GDPR, data collected by signing the Contract will be kept for a maximum period of 10 (ten) years from the date of termination of effectiveness of the Contract, for the purpose of fulfilling the legal obligations provided for by the Italian Civil Code and by tax laws relating to corporate document storage obligations, without prejudice to any extensions due to events such as disputes that interrupt the legal limitation period. The data collected during registration to the Platform via the Form or in the case of a request for the creation of new Accounts will be retained for as long as the BOL account remains active and for 1 (one) year from the date the Account is closed, unless the retention of such data is necessary to comply with legal obligations or for the management of any disputes.

Your personal data may be disclosed to employees and collaborators of BANCOMAT S.p.A. who deal with the management and maintenance of BOL and its contents, customer support, the signing and execution of the Contract, as well as the fulfilment of the tax law obligations. The data may also be disclosed to the following categories of subjects, who, as data processors or – where the conditions set out by applicable law are met – as independent data controllers, provide BANCOMAT S.p.A. with services instrumental to the performance of its business: IT service providers; management service providers; administrative service providers; external professionals and consultants; independent auditing firms, whose names can always be requested from BANCOMAT S.p.A. at the contact details provided below.

In particular, the data may be communicated to the following third parties:

- banks and payment institutions, in order to be able to make or receive payments in relation to the Contract;

- competent tax and fiscal authorities, pursuant to legal provisions;

- judicial authorities or police forces, if it is necessary to report a crime or, in any case, to pursue a legitimate interest in exercising or defending a right in court;

- lawyers, where necessary to pursue a legitimate interest in exercising or defending a right in court and out of court.

Without prejudice to the foregoing, personal data will not be disclosed to third parties and will not be subject to “dissemination,” meaning transmission to unspecified parties, except for the fulfilment of any legal obligations or in compliance with an order from a judicial authority or police forces legally authorised to act accordingly.

As a general rule, the processing of personal data outside the European Economic Area is not required, except to the extent that some of the aforementioned parties – data processors or controllers (e.g. independent auditing firms) – may need to transfer the data to third countries in order to undertake their respective activities. Where this is considered necessary, each transfer will be performed in compliance with the conditions set forth in Articles 44 et seq. of the GDPR.

Each Data Subject retains the right to exercise, where permitted by law, the following rights under Articles 15 to 22 of the GDPR, at any time, free of charge and without formalities: the right to request access to personal data (i.e. the right to obtain confirmation as to whether or not personal data concerning them is being processed and, accordingly, to access the data, obtain a copy, and access the information outlined in Art. 15 of the GDPR); the right to rectification (i.e. the right to have inaccurate data concerning them corrected or incomplete data completed) or erasure (i.e. the right to have data erased where one of the grounds listed in Art. 17, paragraph 1 of the GDPR applies and none of the conditions in paragraph 2 of the same article exist); the right to restriction of processing (i.e. the right, in the cases outlined in Art. 18 of the GDPR, to ensure that stored data is marked with the aim of limiting its future processing); and the right to data portability (i.e. the right, in the cases specified in Art. 20 of the GDPR, to receive the data concerning them in a structured, commonly used and automated machine-readable format, as well as to transmit that data to another data controller without hindrance).

Furthermore, each Data Subject has the right to object, at any time, for reasons connected to their particular situation, to the processing of their personal data pursuant to Art. 6, paragraph 1 (f) of the GDPR.

Requests relating to the exercise of the rights described above should be addressed to BANCOMAT S.p.A., with sole headquarters at Via Vittorio Veneto, 54b, 00187, Rome; e-mail: privacy@bancomat.it. The Data Protection Officer appointed by BANCOMAT S.p.A. is responsible for responding to such requests, in accordance with Articles 37 et seq. of the GDPR.

Data Subjects who believe that the processing of their personal data, as specified in this information notice, breaches the provisions of the GDPR have the right to lodge a complaint with the Data Protection Authority (www.garanteprivacy.it) as provided for under Art. 77 of the GDPR, or to seek redress through the appropriate judicial authorities (Art. 79 of the GDPR).

The updated version of this information will always be available to Data Subjects on the page of the Website containing access to BOL and the related Services.

Please note that further information regarding the processing of personal data of contractual counterparts (Members, Certification/Approval Applicants, delegated parties) is available on the website www.bancomat.it, in the “Privacy” section.

The Data Controller

BANCOMAT S.p.A.