In certain sections of the website, there are forms that website visitors (“Data Subjects”) – whether they are customers of the Bank or not – may voluntarily fill in with their personal data to submit a request for contact or information. These forms may be used, for example, to request the activation of services, receive information about the Bank’s activities or services, or directly request the activation of a specific service.
Regarding the collection of data through these forms, the Bank, in its capacity as Data Controller, provides the following information pursuant to Article 13 of EU Regulation no. 679/2016 on General Data Protection (hereinafter, GDPR).

  1. Personal data sources

The data held by the Bank are freely provided by the data subject through the appropriate forms or templates available in the specific section of the website or are contained in the documentation that may be voluntarily sent to the Bank.

The Bank might also have other information already stored on the data subject, having obtained it through a pre-existing relationship with the Bank or through an occasional transaction conducted at the Bank’s branches, which required the identification of the individual and the collection of their data. In all cases, the data acquired by the Bank are processed in compliance with the GDPR as well as the confidentiality obligations inherent to its activities.
The data in question may include, for example: personal information (name and surname), date and place of birth, tax code, postal address (home address), phone numbers, e-mail address or certified e-mail address; while for companies, data such as the company name and VAT number may also be required.
 

  1. Data processing purpose

Personal data are processed by the Bank for the following purposes:

  1. management and processing of any requests submitted by the data subject (for example, requests regarding products/services offered by the Bank, location and opening hours of branches, clarifications on documents received, the activation of services);
  2. contact for an appointment with the branch network or other offices of the Bank.
    The provision of data for the above purposes is optional. However, the refusal to provide the data (even partially) may make it impossible for the Bank to provide the service requested or to efficiently manage and process the request in a timely manner. It should be noted that it is not necessary to obtain the data subject’s consent in this instance, as the legal basis legitimising the processing of such data by the Bank is the necessity to obtain the data in order to manage and fulfill the request submitted (Article 6, paragraph 1, letter b).   
  3. sending newsletters, invitations to events organised by the Bank, marketing campaigns (e.g. competitions or prize draws), promotion or sale of the products and services of the Bank or of third parties, carried out either by traditional means (paper mail and/or operator calls), or by automated systems (calls without operator assistance, interactive voice response system, email, fax, SMS, MMS, social media and other messaging and electronic communication services, reserved web area and APPs).
    The provision of data for these purposes is not compulsory and refusal to provide it will not, in any way, affect the processing and management of the request submitted by the data subject and/or the continuation of their contractual relationships with the Bank. It should be noted that the prior consent of the data subject is required, as the legal basis legitimising the processing of such data is the acquisition of free and unconditional consent. 
    The data subject may express their preferences regarding the data processing above using the specific options contained in the various forms. 

It should be noted that if the data subject has an active relationship with the Bank, the consents given in the standard privacy forms will prevail over those given in the forms on the website. The data subject may, at any time, modify their consent choices with respect to the privacy forms by going into their branch or through the Digital Banking section “my profile/Password and Security/Privacy” or, finally, by writing to the addresses specified in section 8, “Rights of the Data Subject”.
 

  1. Data processing methods

Data are processed using manual, computerised and electronic tools strictly for the purposes described above so as to guarantee the security and confidentiality of the data.

  1. Categories of recipients to whom the data may be disclosed

The data may be disclosed to other companies of the MPS Group – which might be used by the Bank for the purposes outlined in this privacy policy – or, for the same reasons, to third-party companies with which the Bank collaborates. 
The persons to whom the data may be disclosed or who may become aware of the data belong to the following categories and use the data received in their capacity as independent Data Controllers or Data Processors pursuant to Article 28 of the GDPR:

  • IT companies for site maintenance;
  • call centres.

Furthermore, the following categories of persons may need to access the data as part of the tasks assigned to them: Bank employees, collaborators appointed as data processors or persons authorised to process data under the GDPR.

  1. Data retention times

Data is kept for the time strictly necessary to fulfil the purposes for which the data was collected, in compliance with the prescribed terms or with the data retention terms established by law, or for a longer period if the data has to be kept for the protection of the rights of the Data Controller.
If the data subject has given their consent for the marketing purposes referred to in iii) above, the data is retained for two years from the date they were obtained.

  1. Transfer of data abroad

For certain activities, the Bank uses trusted parties – sometimes operating outside the European Union – that carry out technical, organisational or management tasks on behalf of the Bank. In this case, data is transferred on the basis of the provisions of applicable legislation (Chapter V of the GDPR – Transfer of personal data to third countries or international organisations), including the application of standard contractual clauses laid down by the European Commission for transfers to third-party companies or for ensuring the level of adequacy determined for the personal data protection system of the importing country.

  1. Rights of the data subject

In relation to data processing purposes, the data subject is entitled to exercise the rights established under Articles 15 et seq. of the GDPR, in particular the:

  • right to rectification of inaccurate personal data;
  • right to erasure (or “right to be forgotten”), if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or if the data subject withdraws their consent on which the processing is based (where the consent is optional and where there is no other legal basis for the processing);
  • right to restriction of processing, the right to obtain from the Bank restriction of access to personal data by all parties having a service contract or employment contract with the Bank. In some cases, the Bank reserves the right to allow access to a restricted number of persons in order to ensure the security, integrity and accuracy of such data;
  • right to data portability, the right to receive the personal data concerning the data subject in a structured, commonly used and machine-readable format with the possibility to transmit those data to another Controller. This right does not apply to non-automated processing (such as paper archives or registers); furthermore, data that is subject to portability only includes data processed with the data subject’s consent and data that has been provided by the data subject;
  • right to object, i.e. the right to object to the processing of personal data on grounds relating to the visitor’s particular situation; 
  • right to submit a complaint to the Data Protection Authority, to be sent to the Garante per la Protezione dei dati personali, piazza Venezia n. 11 – 00187 Roma (garante@gpdp.it; phone + 39 06 69677.1; fax + 39 06 69677.3785).

Moreover, pursuant to Article 7, paragraph 3 of the GDPR, the data subject has the right to withdraw their consent at any time; the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
To exercise the above rights, the data subject may directly contact the branches of the Bank or the DPO and Privacy Compliance Staff Unit in Via A. Moro n. 11/13 - 53100 Siena (fax + 39 0577 296520; e-mail: privacy@mps.it). 

  1. Data Controller and Data Protection Officer

The Data Controller is Banca Monte dei Paschi di Siena S.p.A. with registered office in Piazza Salimbeni n. 3, Siena.
The Data Protection Officer (or DPO) can be contacted by the data subject for all matters relating to the processing of their personal data and for exercising the rights provided for by the GDPR, by writing to: