MARZOTTO SIM information sheet concerning data protection requirements
On May 25th, 2018, Regulation (EU) No. 2016/679 of April 27th, 2016 on “the protection of natural persons with regard to the processing of personal data and on the free movement of such data”, also known as the GDPR, came into force.
According to art. 13 of the GDPR, Marzotto SIM (hereinafter “the SIM”), as the “controller”, has the duty to inform data subjects about the grounds for the processing of their personal data, about the controls implemented and about the rights held by data subjects.
Data processing in Marzotto SIM
The SIM collects personal data of data subjects (professional clients) while offering investment and ancillary services. Moreover, the SIM collects personal data of employees, tied agents and providers within its human resources and payroll processes, or within the scope of the agreements concerning the outsourcing of corporate functions. The collection of personal data is needed in order to allow the SIM to fulfill its contractual obligations. As a consequence, there is no need for specific consent by the data subject. Any refusal by a data subject may make it impossible for the SIM to fulfill its contractual obligations.
The collection of personal data by the SIM is mainly carried out without automated or IT procedures. Filing/storage of personal data is carried out through IT procedures. The IT procedures linked with the optical filing of personal data are defined within the company’s internal framework and are consistent with the principle of prudence and with best practices concerning IT security.
Only for the purposes of human resources and payroll procedures, the SIM may collect data concerning the health of employees and tied agents. Such data are acquired and processed (also by “external processors”, if applicable) in order to comply with the laws and regulations currently in force. Moreover, the SIM does not collect genetic or biometric data of clients, employees, tied agents or providers/outsourcers.
Duties and responsibilities
The “controller” is Marzotto SIM S.p.A. Data subjects may contact it at the following address:
MARZOTTO SIM S.p.A.
Piazza Repubblica 32, 20124 Milano (ITALIA)
The SIM has also appointed “external processors”. In particular: the outsourcer of IT security, the outsourcer of the company’s IT system, and the external consultant that supports the company with reference to its human resources and payroll procedures. An updated list of external processors is available by contacting the SIM.
In compliance with the purposes of the data processing carried out by the company, the SIM collects and processes the personal data of professional clients, employees, tied agents and providers/outsourcers through its “officers” within each business relationship. Each employee or tied agent of the company is appointed as data protection officer.
Moreover, data processing consists of the processing of information related to individuals made available by freely accessible public sources (e.g. public registers, the chamber of commerce, the news industry, the internet). Such data may also be transferred by third parties (e.g. information agencies, credit bureaus).
Personal data covered by the GDPR consist of personal information (e.g. the individual’s name, date of birth, place of birth, residential address), identification data (e.g. the information reported on the individual’s ID) and authentication data (e.g. a specimen signature).
Moreover, personal data protected by the GDPR may relate to a specific order (e.g. a cash transfer or the sale/purchase of a financial instrument), to other data necessary to fulfill contractual obligations, to information linked to the economic situation of the clients and to other similar data.
Purposes of personal data processing
In compliance with article 6, sub 1, letter b) of the GDPR, the processing of personal data by the SIM is necessary to fulfill the obligations set out in signed contracts and agreements. In such cases, the purpose of the processing is linked with the specific investment or ancillary service offered to each client (core business), and/or with supporting activities, which are possible only if regulated by agreements with employees, tied agents, providers and outsourcers (e.g. employment contracts, outsourcing of company functions, etc.).
In this respect, the data processing carried out by the SIM may also be consistent with the company’s need to profile its counterparties/partners.
Moreover, data processing by Marzotto SIM (in particular that of professional clients) may also have purposes other than the fulfilment of contractual obligations (e.g. marketing purposes). In these circumstances, each data subject is required to express their consent. Personal data may be collected for:
• Assessing quality of services provided to clients;
• Promoting and offering the SIM’s products and services, also through phone calls, company presentations, email, etc.;
• Studying market trends, also through interviews with clients;
• Public relations.
The acquisition of data for the above-mentioned purposes is not mandatory, and specific consent by the client is required. The consent may also be revoked at any time, without consequences for the data processing carried out by the SIM before that moment.
Data processing carried out by the SIM in order to fulfill contractual obligations (core business) is also needed in order to comply with laws and regulations or with public interests (art. 6, sub 1, letters c) and e) of the GDPR). For example, the processing of personal data is needed where it allows the SIM to comply with anti-money laundering/terrorism financing regulations, with periodic reporting duties towards the Tax Authorities, or with the supervisory regulations set by the Bank of Italy, CONSOB and other Public Authorities.
The purposes of the data processing carried out by the SIM also cover the suitability and appropriateness checks required before the offering of investment and ancillary services. The collected data are processed for the purposes of internal controls concerning identity, age and the prevention of fraud and money laundering, the proper fulfillment of tax duties and, more generally, any risk management activity required.
Management of personal data
The personal data collected from data subjects are processed by each organizational unit of the SIM that needs them in order to fulfill contractual and regulatory duties/obligations. As specified in the previous paragraphs, third parties such as the SIM’s providers and outsourcers may access personal data while ensuring the same standard of confidentiality and protection. Such external parties are appointed as external processors.
Moreover, personal data collected within the data processing may be transmitted to other third parties, if such third parties are:
• Public bodies or Regulatory Authorities, on the basis of specific requirements set by laws and regulations;
• Banks or financial institutions to which data are transmitted for the purpose of fulfilling contractual obligations (e.g. brokers needed to trade financial instruments, depository banks, settlement banks, etc.).
Other recipients may be entities for which the data subject (client, employee, tied agent, provider/outsourcer) has already given written consent.
Transfer of data in other countries or outside the EU
The SIM may transfer personal data collected for the purposes of the processing to other entities or countries outside Italy or the EU only if required by laws and regulations or if needed to fulfill contractual obligations (e.g. trade orders concerning financial instruments, cash transfers to/from banks, etc.). The transfer of personal data outside the EU is carried out only in accordance with the consent expressed by professional clients, employees, tied agents and providers/outsourcers.
Filing of personal data
In accordance with the above-mentioned purposes of data processing, the SIM processes and files personal data for the period needed to fulfill contractual obligations. Once personal data are no longer necessary, they are deleted unless their availability is required to fulfill administrative, tax and regulatory duties. In such circumstances, the filing/retention period does not exceed 10 years.
Rights of the data subject
In compliance with art. 15 of the GDPR, each data subject has the right to access and consult their data. Moreover, they have the right to have the data collected by the SIM amended in accordance with art. 16.
Under the specific circumstances set out by the GDPR, each data subject has the right to ask the SIM for the erasure of their data (art. 17), to ask for restrictions on the data processing (art. 18) or to object to the processing (art. 21). If applicable, each data subject also has the right to ask for the portability of their personal data (art. 20).
Finally, each data subject has the right to lodge a complaint with the so-called “Autorità Garante” (art. 77) if they deem that the data processing carried out by the SIM breaches the law.
As said before, each data subject has the power to revoke their consent to the data processing at any time. Such right also applies to consent expressed before the GDPR came into force. Revocation of consent is valid only for the future and does not affect the data processing carried out before it.
For particular reasons linked with their situation, each data subject also has the right to object to the data processing carried out by the SIM (art. 6, sub 1, letters e) and f) of the GDPR). Such right also applies to the profiling activities carried out by the SIM. Under such circumstances, the SIM will stop processing the personal data of the objecting data subject, unless the data processing is needed in the public interest or under laws and regulations (or is consistent with the interests of the SIM or of the data subject).
Similarly, the exercise of the rights of erasure, restriction, limitation or revocation by a single data subject may result in the SIM being unable to fulfill its contractual obligations towards that same data subject.
Automated or IT processes
While offering investment or ancillary services, within a working relationship with employees and tied agents, or within a business partnership with providers/outsourcers, the SIM does not implement automated decision-making processes as defined by art. 22 of the GDPR. Should an automated decision-making process be put in place, the SIM is obliged to inform each data subject.
The SIM implements automated/IT procedures for the processing of personal data (profiling). Profiling is carried out in order to comply with laws and regulations (e.g. the suitability or appropriateness evaluation before offering investment or ancillary services, money laundering risk evaluation, reporting duties towards the Tax Authorities). Such measures are needed in order to fulfill the duties to which the SIM is subject and to protect the data subject’s interests.