INFORMATION NOTICE ON PERSONAL DATA PROCESSING 

PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679 (GDPR)

www.meritosgr.it

Last update: 04/02/2025

With this document, MERITO SOCIETA’ DI GESTIONE DEL RISPARMIO S.P.A., owner of the website www.meritosgr.it (hereinafter only the Website” or Site”), intends to provide information on the methods of management of the Site itself in relation to the processing and protection of personal data (“data”) of the persons who navigate on it or who in any event contact the company in any of the ways envisaged on the Website (hereinafter “users” or “data subject”).

This document represents an Information Notice pursuant to Article 13 of the European Regulation of April 27, 2016 No. 679 (“GDPR”) and is valid solely and exclusively for the Site and not for other sites or web pages that can be consulted by the user through links or other interactive links that may be activated through the Site. Users are therefore invited to read the privacy notice on data processing rendered by the owner of each site to which they may be redirected in the course of navigation.

Please note that this Policy may be subject to change as a result of the introduction of new regulations or as a result of changes to the Site, so users are invited to periodically visit the Privacy” section of the Website.

This Policy does not exclude that further information on the processing of personal data is also provided to Data Subjects in different ways, for example by sending specific information following the activation or request of a specific service.

1. Identity and contact details of the Data Controller.

The Data Controller of the processing of personal data for the purposes described in this Information Notice isMERITO SOCIETA’ DI GESTIONE DEL RISPARMIO, VAT number: 11342960967, with registered office in Milano, Via Mascheroni, 420123 (“Data Controller” or “Company”).

For all questions relating to the processing of data, for the exercise of the rights arising from the GDPR (on this point, see §9 below), as well as for any doubts or clarifications regarding this Information Notice, the data subject may contact the Data Controller by sending a registered letter with advice of receipt to the registered office of the Company, a certified e-mail to the address meritospa@legalmail.it, or a communication to the following e-mail address: info@meritospa.it .

2.Purpose and legal basis of processing.

Personal data is processed for the following purposes:

a. to ensure the proper functioning of the web pages and their contents and to obtain statistical information on the use of services;
b. to follow up on requests sent by the user by using the means indicated on the Site (e.g. e-mail contact) and to manage related activities;
c. evaluating applications for open positions at the Company, or spontaneous applications sent by the data subject. Considering the purpose of personnel search and selection, candidates are invited to indicate in their Curriculum Vitae only the data necessary to assess their candidature and to schedule a possible job interview, refraining from including information that is not strictly pertinent to the aforementioned purposes. Please note that further information on data processing may be submitted to candidates during the selection procedure;
d. ‘soft spam’ activities. Please note that in Italy the Privacy Code (art. 130, co. 4, Legislative Decree 196/2003 and subsequent amendments) allows soft spam. This means that without having to obtain the explicit consent of the data subject, it is possible to use the e-mail address that was provided with a previous purchase, for the purpose of direct sales of products or services similar to those that the data subject has already purchased from the Data Controller, provided that the data subject does not object to such use. It should be noted that the data subject may object to this processing at any time by contacting the Data Controller at the addresses referred to in §1, or by clicking on the special link to object to the receipt of communications considered as undesired, present in e-mails with commercial content sent by the Data Controller.

Please also note that:

in relation to the purposes referred to in point a), the legal basis lies in the legitimate interest of the Data Controller (art. 6.1(f), GDPR) in ensuring the proper functioning of the Site and its improvement;
in relation to the purposes referred to in point b), the legal basis resides, depending on the case: i) in the need to execute pre-contractual measures taken at the request of the data subject (Art. 6.1(b) GDPR); ii) or, in the legitimate interest of the Controller (Art. 6.1(f) GDPR) consisting in the need to respond to the data subject’s requests, taking into account the data subject’s reasonable expectations, where the request is not pre-contractual in nature;
in relation to the purposes referred to in point c), the legal basis of the processing is mainly that provided for in Article 6(b) of the GDPR: ‘processing is necessary for the performance of pre-contractual measures taken at the request of the data subject’. Should the processing involve data disclosing the data subject’s state of health, for the purpose of employing workers belonging to protected categories, the processing will be based on Article 9(2)(b) GDPR: ‘Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the data controller or the data subject in the field of employment law’. If the data subject, despite the invitation not to provide it, communicates further special categories of data as defined in Article 9(1) of the GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, etc.), the processing of such data will be conditional on the prior consent of the data subject pursuant to Article 9(2)(a) of the GDPR, clarifying that, if such data are not relevant to the purpose of recruitment and selection, such information will not be used;
in relation to the purpose referred to in point d), the processing is based on the legitimate interest of the Data Controller in carrying out soft spam activities towards its customers, within the limits and under the conditions set out in Art. 130, para. 4, of Legislative Decree 196/2003 and subsequent amendments. Please note that the data subject may object at any time to the receipt of commercial communications deemed as undesired by contacting the Data Controller at the addresses referred to in §1, or by clicking on the specific link to object to the receipt of communications deemed as undesired, present in e-mails with commercial content sent by the Data Controller.
3. Nature of data provision and consequences of not giving.

The provision of data for the purposes referred to in point a) is optional but nevertheless necessary for the proper functioning and use of the Website. Any refusal to provide data for the aforementioned purposes may therefore make it impossible to navigate on the Site, to view all of its contents and to access its services. The provision of data for the purposes set out in points b) and c) is optional; however, refusal to provide data for the aforementioned purposes will make it impossible to process the data subject’s requests or to evaluate his/her application. The provision of data for the purposes referred to in point d) is optional; refusal will make it impossible for the Data Controller to carry out soft spamactivities through the Data Subject, while it will not have any negative consequences with regard to the purposes referred to in points a), b) and c).

4. Type of data processed.

In pursuit of the purposes indicated above, the following categories of data will be processed:

Navigation data: the computer systems and software procedures used to operate the Website acquire, during their normal operation, some data whose transmission is implicit in the use of Internet communication protocols. This information is not collected in order to be associated with identified data subject, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users connecting to the site, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and IT environment. This data is used for the sole purpose of obtaining statistical information on the use of the Website and to check its correct functioning. The data could be used to ascertain responsibility in the event of computer crimes against the Site or other users, for example at the request of the Authority or the supervisory bodies in charge. The above information may be collected automatically through cookies and other similar technologies. For more information, and to personalise your browsing choices, we invite you to consult our cookie policy;
Data provided by the user: by way of example, identification data (name, surname), contact data (telephone number, e-mail address). Data will be processed in accordance with the principles of correctness, lawfulness and transparency, as well as in compliance with the principle of minimization, i.e. by acquiring and processing data only to the extent necessary in relation to the purposes pursued. With specific reference to the collection of data in relation to the purposes referred to in point c), it should be noted that the data collected are identification data (first name, surname, place and date of birth, photograph if applicable), contact data (address, telephone number, e-mail) and data relating to the education, qualifications, professional experience, technical knowledge of the data subject. Unless expressly required by a job advertisement addressed to workers belonging to protected categories, the candidate is invited not to communicate data concerning health, nor data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning sexual life or sexual orientation, and any information in any case referable to the particular categories referred to in art. 9, paragraph 1, of the GDPR. In the event that the Curriculum Vitae transmitted also contains data falling into these categories, or if such data are provided on the occasion of any subsequent job interviews aimed at verifying the skills and conditions necessary for a possible employment, the relevant processings will be carried out only if the candidate has given his/her consent to the processing of such types of data, clarifying that we shall refrain from using data that are not strictly pertinent to the purpose pursued.
5. Processing Methods.

Data processing is carried out using paper and IT tools, in compliance with the provisions on the protection of personal data and, in particular, with the technical and organizational measures set out in Article 32.1 GDPR, as well as with the observance of all precautionary measures to ensure the integrity, confidentiality and availability of the data. Please note that the processing referred to in this Notice is not subject to automated decision-making processes.

6. Categories of recipients of data.

Data is not disseminated. Data is processed by persons belonging to the Company’s organisation, specifically authorizedand instructed by the Data Controller pursuant to Art. 29 of the GDPR. Data may be communicated, strictly in relation to the purposes indicated above, to the following subjects or categories of subjects:

a. third parties and companies that provide services to the Data Controller, such as – by way of example – the management of the information system and telecommunications networks (including e-mail), the development and management of the Website, etc.;
b. firms, companies or professionals in the context of assistance and consultancy relationships;
c. competent Authorities for the fulfilment of legal obligations.

Please note that the subjects under letter c) process the data as independent Data Controllers. In relation to the categories of subjects referred to in letters a) and b), on the other hand, the Data Controller undertakes to rely exclusively on subjects that provide adequate guarantees regarding data protection, appointing them, where required by current legislation, as Data Processors pursuant to Article 28 GDPR. The updated list of appointed Data Processors is available at the Data Controller and the data subject may view it upon request.

7. Transfer of personal data to third countries.

In general, the Data Controller does not transfer data to countries outside the European Union/EEA Area. In any case, should the transfer become necessary for the realization of the purposes referred to in this Privacy Notice, the Data Controller hereby ensures that the transfer will take place in full compliance with the conditions set out in Chapter V of the GDPR (Art. 44 et seq.), in order to ensure that the level of protection of natural persons guaranteed by the GDPR is not prejudiced. The transfer will therefore take place to countries that the European Commission has deemed to guarantee an adequate level of protection, in accordance with the provisions of Article 44 GDPR or in compliance with specific standard contractual clauses approved by the European Commission pursuant to Article 46 GDPR, provided that the recipient of the data provides adequate safeguards and that the data subjects have enforceable rights and effective remedies. Any exceptions to the above will only take place in compliance with Article 49 GDPR.

8. Data retention period.

Data collected to ensure the operation of the web pages and their contents and to obtain statistical information on the use of services (letter a) is kept for the time necessary to achieve the purposes for which they were collected and, in any case, in accordance with our cookie policy, where applicable. Data processed to follow up user requests (letter b) is kept for the time necessary to provide the answer to the person concerned and, in any case, no longer than 24 months from the processing of the request, unless a contractual relationship is subsequently established, in which case the data will be kept for 10 years from the termination of the relationship, in accordance with current legislation. Data relating to any applications (letter c) shall be kept for 24 months after collection. For the purpose of soft spam (letter e) data isprocessed for 3 years after the last purchase. Please note that, once the aforementioned retention period has expired, Data will be subject to deletion or irreversible anonymization. However, a longer retention period may be determined by legitimate requests made by the Authorities or by the Controller’s participation in litigation involving the processing of data.

9. Rights of the data subject.

The data subject may exercise the rights granted to him or her by the GDPR at any time, in the manner described in § 1above. In particular, the Data Subject has the following rights:

Right of access

The data subject may ask us whether or not we are processing any of his or her personal data and, if we are, may be granted access to a copy of such data. When the data subject requests access to such data, we will also provide additional information, such as the purposes of processing, the categories of personal data concerned, and any other information required for the data subject to exercise this right.

Right to rectification

The data subject has the right to request that his or her Data be rectified if inaccurate or incomplete. If requested, we will correct inaccurate personal data and supplement any incomplete data, taking into account the purpose of processing.

Right to erasure

The data subject has the right to request that his or her personal data be erased. The erasure of personal data can only take place in certain cases, listed in Article 17 of the GDPR. This includes cases in which the personal data of the data subject are no longer required for the initial purposes for which they were processed, and cases in which they have been processed unlawfully. In relation to how we provide certain services, we inform you that it may take some time before backup copies are erased. We also inform you that the Data Controller will, within the limits of the state of the art, erase the personal data of the data subject, unless the storage of the same is required by law.

Right to restriction of processing

The data subject has the right to obtain restriction of processing of his or her personal data, which means that we stop processing the data of the data subject for a certain amount of time. This right may apply to circumstances (Art. 18 of the GDPR) including situations in which the accuracy of personal data has been questioned, but it may take time to verify its (in)accuracy. If the data subject has obtained restriction of the processing of his or her data, we will inform him or her before this restriction is revoked.

Right to object

The data subject has the right to object to the processing of his or her personal data, which means that the data subject can ask us to stop processing such personal data for certain purposes. This right is only granted to the data subject under specific circumstances (Art. 21 of the GDPR) and, specifically, in cases in which the legal basis for processing is the Data Controller’s legitimate interest.

Right to Data Portability

The right to Data portability entails that the data subject may request us to provide his or her personal data in a structured, commonly used and machine-readable format, and may request that such data be transmitted directly to another Data Controller, provided this is technically feasible.

Right to withdraw consent

The data subject has the right to withdraw his or her consent to the processing of personal data at any time, if the processing is based on his or her consent. In any case, the withdrawal of consent does not jeopardize the lawfulness of the processing based on the consent before the withdrawal.

10. Right to lodge a complaint with the supervisory authority.

The data subject also has the right to lodge a complaint with the supervisory authority, if he or she considers that the processing of his or her data violates the GDPR and/or current legislation on the processing of personal data. Please note that in Italy this Authority is represented by the Guarantor for the Protection of Personal Data. The data subject residing abroad may lodge complaints with the designated Supervisory Authorities in the country of residence.