In some areas of the website, there are forms that  visitors (“Data Subjects”) – whether they are customers of the Bank or not – may spontaneously fill in with their personal data to submit  a request for contact or information, for example to ask for the activation of services or receive information concerning the Bank’s activities or services. 

Regarding the collection of data through these forms, the Bank, in its capacity as Data Controller, provides the following information pursuant to Article 13 of EU Regulation no. 679/2016 on general data protection (hereinafter, GDPR).

1.    Personal data sources
The data in the Bank’s possession are freely provided by the data subject through the appropriate form or template present in the specific section of the website or are contained in the documentation that may be spontaneously sent to the Bank.
The Bank might also have other information already stored on the data subject, having obtained it following the establishment of a relationship with the Bank or an occasional transaction requested at the bank’s branches, which required the identification of the person and collection of their data. In any case, all data acquired by the Bank are processed in compliance with the GDPR as well as the confidentiality obligations that underlie the Bank’s activity.
The data in question may include, by way of example: personal data (name and surname), date and place of birth, tax code, postal address (home address), phone numbers, e-mail address or certified e-mail address); while for companies, a company name and VAT number may be required.

2.    Data processing purpose
Personal data are processed by the Bank for the following purposes:
i) management and processing of any requests submitted by the data subject (for example, requests regarding products/services offered by the Bank, location and opening hours of branches, clarifications on documents received).
The provision of data is optional. However, the refusal to provide it (even partially) may make it impossible for the Bank to manage and process the request in the best way possible and in a short time. It should be noted that obtaining the consent of the data subject is not necessary since the legal basis legitimising the Bank’s processing of such data is the need to have the data in order to manage and meet the request submitted by the data subject (Article 6, para. 1, letter b);
 
ii) contact for an appointment with the branch network or other offices of the Bank. 
Again, the provision of data is optional. However, the refusal to provide it (even partially) may make it impossible for the Bank to manage the request for an appointment in the best way possible.  It should be noted that obtaining the consent of the data subject is not necessary since the legal basis legitimising the Bank’s processing of such data is the need to have the data in order to manage and meet the request submitted by the data subject (Article 6, para. 1, letter b);
 
iii) sending newsletters, invitations to events organised by the Bank, marketing campaigns (e.g. competitions or prize draws), promotion or sale of the products and services of the Bank or of third parties, carried out either by traditional means (paper mail and/or operator calls), or by automated systems (calls without operator assistance, interactive voice response system, email, fax, SMS, MMS, social media and other messaging and electronic communication services, reserved web area and APPs).
The provision of data is not compulsory and refusal to provide it will not, in any way, affect the processing and management of the request submitted by the data subject and/or the continuation of their contractual relationships with the Bank. It should be noted that that the prior consent of the data subject is required since the legal basis legitimising the processing of such data is the acquisition of free and unconditional consent. 
The data subject may express their preferences regarding the data processing above using the specific options contained in the various forms. 

It should be noted that if the data subject has an active relationship with the Bank, the consents given in the standard privacy forms will prevail over those given in the forms on the website. The data subject may, at any time, modify their consent choices with respect to the privacy forms by going into their branch or through the Digital Banking section “my profile/Password and Security” or, finally, by writing to the addresses specified in section 8, “Rights of the Data Subject”.
 
iv) monitoring of access to the website or individual web pages for statistical purposes, using anonymised or aggregated data so that the data subject cannot be identified.

3.    Data processing by the Bank’s Partners
The Bank’s website may also include promotional offers for products and services sponsored by other companies of the Group, other selected companies or by the Bank in collaboration with other partners.
If the data subject opts in to one of these promotions, they will be informed in advance that their personal data will also be processed by the sponsor; if the data subject does not want companies to process their personal data, they can decide not to take part in the promotion.
Third-party companies that place advertisements on the Bank’s website or other websites accessible via a link, may collect the personal data of the data subject; since the data processing carried out by such companies is outside the Bank’s sphere of competence and responsibility, it cannot in any way be covered by this privacy policy.
Finally, on the basis of confidentiality agreements, the Bank may provide third parties (partners or advertisers) with statistical information on browsing activity (e.g. 45% of our users are female) for commercial and/or legal purposes, provided that the information is always kept anonymous and on an aggregate basis.

4.    Data processing methods
Data are processed using manual, computerised and electronic tools strictly for the purposes described above so as to guarantee the security and confidentiality of the data.

5.    Categories of recipients to whom the data may be disclosed
The data may be disclosed to other companies of the MPS Group – which might be used by the Bank for the purposes outlined in this privacy policy – or, for the same reasons, to third-party companies with which the Bank collaborates. 
The persons to whom the data may be disclosed or who may become aware of the data belong to the following categories and use the data received in their capacity as independent Data Controllers or Data Processors pursuant to Article 28 of the GDPR:
•    IT companies for site maintenance;
•    call centres;
Furthermore, the following categories of persons may need to access the data as part of the tasks assigned to them: Bank employees, collaborators appointed as data processors or persons authorised to process data under the GDPR.

6.    Data retention times
Data is kept for the time strictly necessary to fulfil the purposes for which the data was collected, in compliance with the prescribed terms or with the data retention terms established by law, or for a longer period if the data has to be kept for the protection of the rights of the Data Controller.
If the data subject has given their consent for the marketing purposes referred to in iii) above, the data is retained for two years from the date they were obtained.

7.    Transfer of data abroad
For certain activities, the Bank uses trusted parties – sometimes operating outside the European Union – that carry out technical, organisational or management tasks on behalf of the Bank. In this case, data is transferred on the basis of the provisions of applicable legislation (Chapter V of the GDPR – Transfer of personal data to third countries or international organisations), including the application of standard contractual clauses laid down by the European Commission for transfers to third-party companies or for ensuring the level of adequacy determined for the personal data protection system of the importing country.

8.    Rights of the data subject
In relation to data processing purposes, the data subject is entitled to exercise the rights established under Articles 15 et seq. of the GDPR, in particular the:
•    right of access, i.e. to obtain confirmation as to whether or not personal data concerning the data subject exists, where it comes from, the purposes of the processing, the recipients or categories of recipient to whom the personal data will be disclosed, where possible, the envisaged period for which the personal data will be stored;
•    right to rectification;
•    right to erasure (or “right to be forgotten”), if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or if the data subject withdraws their consent on which the processing is based (where the consent is optional and where there is no other legal ground for the processing);
•    right to restriction of processing, the right to obtain from the Bank restriction of access to personal data by all parties having a service contract or employment contract with the Bank. In some cases, the Bank reserves the right to allow access to a restricted number of persons in order to ensure the security, integrity and accuracy of such data;
•    right to data portability, the right to receive the personal data concerning the data subject in a structured, commonly used and machine-readable format with the possibility to transmit those data to another Controller. This right does not apply to non-automated processing (such as paper archives or registers); furthermore, data that is subject to portability only includes data processed with the data subject’s consent and data that has been provided by the data subject;
•    right to object, i.e. the right to object to the processing of personal data on grounds relating to the visitor’s particular situation;
•    right to submit a complaint to the Data Protection Authority, to be sent to the Garante per la Protezione dei dati personali, piazza Venezia n. 11 – 00187 Roma (garante@gpdp.it; phone + 39 06 69677.1; fax + 39 06 69677.3785).
Moreover, pursuant to Article 7, paragraph 3 of the GDPR, the data subject has the right to withdraw their consent at any time; the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
To exercise the above rights, the data subject may directly contact the branches of the Bank or the DPO and Privacy Compliance Staff Unit in Via A. Moro n. 11/13 - 53100 Siena (fax + 39 0577 296520; e-mail: privacy@mps.it). 
A full and up-to-date list of the Bank’s internal and external Data Controllers and other third parties to whom the data are disclosed is also available from the DPO and Privacy Compliance Staff Unit.

9.    Data Controller and Data Protection Officer
The Data Controller is Banca Monte dei Paschi di Siena S.p.A. with registered office in Piazza Salimbeni n. 3, Siena.
The Data Protection Officer (or DPO) is the Head of the DPO and Privacy Compliance Staff Unit and can be contacted by the data subject for all matters relating to the processing of their personal data and for exercising the rights provided for by the GDPR, by writing to:
•    responsabileprotezionedeidati@postacert.gruppo.mps.it; (certified email)
•    responsabileprotezionedeidati@mps.it. (ordinary email)