Information pursuant to Article 14 of EU Regulation 679/2016 (“GDPR”).

 

Banca Monte dei Paschi di Siena S.p.A. (hereinafter, "the Bank"), in its capacity as Data Controller, provides the following information regarding the processing of personal data.

 

  1. Personal data sources

     

    The personal data - consisting of personal information, contact information, country, employment and company - are acquired by the Bank through third parties appointed to register participants (hereinafter, also “data subjects”) in the presentation of the Bank's results ("Event"). In their capacity as data controllers, the third parties process the data acquired directly from the data subject and the related information is available on the group website in the section:

  3. Data processing purpose

     

    Personal data are used by the Bank exclusively for purposes related to the analysis and monitoring of the participants in the Event, in compliance with the data minimisation principle set out in Article 5, paragraph 1 letter c of the GDPR. The provision of data is optional. However, any refusal to provide such data will make it impossible to participate in the Event. For this purpose, the legal basis for the processing of the data is the legitimate interest of the Bank, against which the right to object may be exercised within the limits of the provisions of Article 21 of the GDPR.

  5. Data processing methods

     

    Data are processed using manual, computerised and electronic tools strictly for the purposes described above and in such a way as to guarantee the security and confidentiality of the data.

  7. Categories of recipients to whom the data may be disclosed

     

    The Bank does not disclose or distribute the personal data it acquires to third parties.
    Bank employees who need to access and process the data as part of the tasks assigned to them may become aware of the data in their capacity as persons authorised to process the data under the direct authority of the Data Controller or Processor.

  9. Data retention times

     

    The data are kept for a period of 12 months from the date they were collected, after which time they are deleted unless a different data retention period is established by law or the data has to be kept for the protection of the rights of the Data Controller.

  11. Rights of the data subject

     

    In relation to data processing purposes, the data subject is entitled to exercise the rights established under Articles 15 et seq. of the GDPR, in particular the:

    • right of access, i.e. to obtain confirmation as to whether or not personal data concerning the data subject exists, where it comes from, the purposes of the processing, the recipients or categories of recipient to whom the personal data will be disclosed, where possible, the envisaged period for which the personal data will be stored;
    • right to rectification;
    • right to erasure (or “right to be forgotten”), if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or if the data subject withdraws their consent on which the processing is based (where the consent is optional and where there is no other legal ground for the processing);
    • right to restriction of processing, the right to obtain from the Bank restriction of access to personal data by all parties having a service contract or employment contract with the Bank. In some cases, the Bank reserves the right to allow access to a restricted number of persons in order to ensure the security, integrity and accuracy of such data;
    • right to data portability, the right to receive the personal data concerning the data subject in a structured, commonly used and machine-readable format with the possibility to transmit those data to another Controller. This right does not apply to non-automated processing (such as paper archives or registers); furthermore, data that is subject to portability only includes data processed with the data subject’s consent and data that has been provided by the data subject;
    • right to object, i.e. the right to object to the processing of personal data on grounds relating to the visitor’s particular situation;
    • right to submit a complaint to the Data Protection Authority, to be sent to the Garante per la Protezione dei dati personali, piazza Venezia n. 11 – 00187 Roma (garante@gpdp.it; phone + 39 06 69677 1; fax + 39 06 69677 3785).

    To exercise the above rights, the data subject may directly contact the branch where their accounts are held and/or the branch used to request transactions or services. Alternatively, the data subject can contact the DPO and Privacy Advisory Staff Unit in Via A. Moro 11/13 - 53100 Siena (fax + 39 0577 296520; e-mail: privacy@mps.it).

  13. Data Controller and Data Protection Officer

     

    The Data Controller is Banca Monte dei Paschi di Siena S.p.A. with registered office in Piazza Salimbeni n. 3, Siena.
    The Data Protection Officer (or DPO) is the Head of the DPO and Privacy Advisory Staff Unit and can be contacted by the data subject for all matters relating to the processing of their personal data and for exercising the rights provided for by the GDPR, by writing to:
    responsabileprotezionedeidati@postacert.gruppo.mps.it (certified email) or responsabileprotezionedati@mps.it (ordinary email).