INFORMATION ON PROCESSING OF PERSONAL DATA AS REQUIRED BY ARTICLE 13 OF ITALIAN LEGISLATIVE DECREE 196/03

Under Italian Legislative Decree 196/03 (the Italian Data Privacy Code, or the “Code”), MEDIOBANCA S.p.A. (the “Bank”), with registered office in Piazzetta Cuccia 1, Milan, as the “Owner” of the data processing, is required to provide certain information regarding the use of personal data.

Source of personal data

Personal data of customers/market counterparties are acquired by the Bank in the exercise of activities on a proprietary basis or on behalf of third parties (e.g. companies forming part of the Mediobanca Banking Group, other banks and financial intermediaries). If the Bank acquires data from external companies for purposes of market research and direct offers of products or services, information will be provided as and when the data is recorded at the Bank, and without prejudice to the foregoing, no later than the first contact.

All data is processed in accordance with the Code and the obligations to confidentiality on which the Bank’s activity has always been based.

Purpose of data processing

Personal data are processed as part of the Bank’s ordinary activity for the following purposes:

  1. purposes closely related and instrumental to handling relations with customers/market counterparties (e.g. acquiring preliminary information in order to complete a contract, execute transactions pursuant to obligations deriving from the contract thus completed, etc.);
  2. purposes related to obligations under law, regulations and EU directives and to regulations issued by authorities authorized to do so by law and by regulatory and supervisory bodies (e.g. central risk databases, laws on usury, anti-money-laundering, etc.);
  3. purposes functional to the Bank’s activity for which the interested party is entitled to express or withhold his/her consent.

With reference to the purposes stated under a) and b) above, the processing and disclosure of your personal data by the Bank does not require your consent in cases where such treatment or disclosure is required in order to comply with the foregoing obligations and requests. For the other purposes, each interested party is entitled to withhold their consent to the processing and/or disclosure of their personal data from the Bank without thereby being prejudiced in any way.

Data processing methods

For the purposes listed above, personal data are processed according to criteria related to the said purposes, and without prejudice to the foregoing, in such a way as to guarantee the security and confidentiality of the said data.

Trades and operatioms executed using telephonic and electronic equipment

The increasing number of trades made using telephonic and electronic equipment means that systems have to be used to record communications.

The systems in use in the Bank’s dealing room to record telephone and electronic traffic stipulate, according to the different characteristics of the individuals being recorded:

  • full recording of all inbound and outbound conversations on the telephone lines of each trader;
  • full recording of all data traffic deriving from the use of electronic communications systems or integrated platforms in use at the Bank to handle orders.

The use of recording equipment and the storage and possible disclosure of data is intended to protect the company’s assets, and the individuals involved, from damages that may be incurred from disagreements or disputes arising from transactions/trades completed by telephone or using electronic platforms, and to allow internal controls to be carried out and the inspections stipulated by law and/or regulations by the relevant parties to take place.

It should be noted in this regard that Consob too, under resolution no. 16190 issued on 31 October 2007 regarding regulations for intermediaries, requires banks to record investors’ orders and cancellations made by telephone or electronically.

Therefore, for transactions executed with customers/market counterparties, the Bank records telephone conversations or electronic data traffic, and stores the recordings for the length of time required by law or regulations.

Categories of individuals to whom the data may be disclosed or who may come into possession of the data by virtue of their position or appointment

For the purposes set forth above, the Bank may disclose your personal data to third parties belonging to the following categories of individuals:

  • authorities and supervisory bodies, judicial authorities, and in generaly entities of public relevance (e.g. Bank of Italy and Consob);
  • other Mediobanca Banking Group companies.

Furthermore, in order to carry out its activities the Bank uses a data processing services company (Mediobanca Innovation Services, 100%-owned and part of the Mediobanca Banking Group) while retaining ownership of and liability for data processing.

In some cases the Bank also uses other banks to execute instructions received, or companies which transmit data to other banks.

Parties belonging to the categories of entity to which the data may be disclosed will treat the data as its “owners” as defined in the Code, in complete independence, being extraneous to the original data processing carried out by the Bank.

A detailed list of such companies is available at the headquarters of Mediobanca.

Certain categories of person, having been appointed to process data, are authorized to access your personal data in order to perform the duties with which they have been charged. In particular, the Bank has designated members of its own staff, advisors and other collaborators to process your data.

Other individuals designated by the Bank as responsible for data processing may also come to know your personal data.

A list of such persons is available at the headquarters of Mediobanca.

With reference to telephone recordings only, the data may also be transferred outside Italy by the platform manager, in accordance with the legal or regulatory provisions applicable to it.

No provision is made for any form of disclosure of processed data.

Interested parties’ rights

The interested parties’ rights versus the Owner of the processing are described in Article 7 of Italian Legislative Decree 196/03, transcribed in full hereunder:

  1. The interested party is entitled to receive confirmation of the existence or otherwise of personal data regarding them, even if said data has not yet been recorded, and to have such data communicated to them in intelligible form.
  2. The interested party is entitled to receive an indication:
    1. of the origin of the personal data;
    2. of the purposes and methods of processing;
    3. of the rationale applied in the case of processing using electronic instruments;
    4. of the identification details for the Owner, persons responsible and appointed representative pursuant to Article 5, paragraph 2 hereof;
    5. of the parties and categories of parties to which the personal data may be disclosed or which may come to know the personal data by virtue of their capacity as appointed representative in the national territory, as persons responsible or otherwise appointed.
  3. The interested party is entitled to obtain:
    1. update, amendment or, if they have an interest in so doing, addition to the data;
    2. deletion, rendering anonymous or blocking of data processed in breach of the law, including data which does not have to be st ored in relation to the purposes for which it was obtained or subsequently processed;
    3. statement that the operations contemplated under the foregoing letters a) and b) have been brought to the attention, including as regards their contents, of those to whom such data have been notified or disclosed, save in cases where such measure is impossible or involves a use of means which is manifestly disproportionate to the right thus safeguarded.
  4. The interested party is entitled to object, in part or in whole:
    1. on legitimate grounds, to the processing of personal data regarding them, even if relevant to the purpose for which the data was collected;
    2. to the processing of personal data regarding them for purposes of sending advertising or direct sales material or to carry out market research or for commercial communications.

Data Controller

The Data Controller is Mediobanca – Banca di Credito Finanziario S.p.A., headquartered in Milan – P.tta E. Cuccia, 1.

Further enquiries and demands concerning the exercise of the rights under art. 7 of the Decree may be addressed in writing to privacy@mediobanca.com.

Moreover, an updated list of external processors appointed by the Bank is available at Mediobanca’s headquarters. 

Last update: 04/12/2017