DISCLOSURE REGARDING PERSONAL DATA PROCESSING

Dear Company,
We wish to inform you that Generalfinance S.p.A., in the context of its factoring agreement with the Assignor (the “Agreement“), will also obtain certain data about the debtors whose receivables were assigned (the “Assigned Debtors“). That data will be processed to perform the Agreement and the other activities instrumental and connected to the Agreement, namely: activities preliminary to executing it; to satisfy obligations thereunder; to perform administrative, tax and accounting obligations and requirements under law; for business communications; to offer and manage goods and services; for relationships with outside collaborators; to implement a system of commercial information and [obtain information] about payment habits; for all other operating and managerial activities associated with the existing relationship with the Assignor; and to comply with disclosure and signposting obligations under law. In that regard, you will find some information below that we request that you read carefully.

Who is the controller of the processing?
The controller of the personal data processing is GENERALFINANCE S.p.A., which has its registered office in Milan (MI-20157), at Via Giorgio Stephenson 43A, tel. 015.8484301 (“Generalfinance“), represented by its Managing Director.

What categories of personal data will be processed by Generalfinance and where will they be collected?
The data being processed will be identifying information (VAT number, tax code and registered office, ABI [Italian Banking Association Number] and CAB [Bank Routing Code]) and data about the receivables proposed to be assigned that are provided by the Assignor to perform the Agreement and activities related thereto (e.g., collection and/or payment operations, such as wire transfers).
The personal data are collected directly from the client and from public databases.
Due to the nature of the activity performed and the products and services offered to clients, normally Generalfinance does not obtain and, thus, does not process sensitive data. However, while performing the Agreement, if Generalfinance happens to learn of particular categories of personal data (such as data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or data about a person’s health, sex life or sexual orientation), pursuant to Article 9 of the European Personal Data Protection Regulation (2016/679), we will ask for your specific consent to process such data in advance, which we will use solely to satisfy legal obligations and to perform the Agreement.

What are the legal bases for processing the data, and for what purposes will the data be processed?
Generalfinance processes the data it obtains to perform the Agreement and satisfy legal obligations in the context of providing the financing it is authorised to provide, which includes factoring in particular and, with that, advancing the compensation, administrative and accounting management, and collecting the assigned receivables. Those data are processed to perform the preliminary analysis when the contractual relationship is begun, monitor the risk assumed by Generalfinance and proper performance of the relationship, manage the receivables assigned and perform other instrumental and connected activities (activity preliminary to executing the Agreement; satisfying the obligations under the Agreement; performing administrative, tax and accounting obligations and requirements under law; for business communications; offering and managing goods and services; for relationships with outside collaborators; implementing a system of commercial information and information about payment habits; and all other operating and managerial activities associated with the Relationship). In greater detail, the purposes of the processing are:

1. compliance with legal obligations (for example, obligations to perform adequate customer due diligence required by the anti-money laundering laws ? Italian Legislative Decree 231/07), regulations, EU laws or orders issued by Authorities entitled to do so under law and by supervisory and audit bodies. In this case, providing the personal data is obligatory, and processing that data does not require the data subject?s consent;
2. performing activities that are strictly connected and instrumental to managing relationships with customers (for example, obtaining preliminary information in preparation for establishing a relationship or entering into an Agreement, performing operations based on obligations under the Agreement entered into with clients, reviews and assessments of the results and trends in the relationships and the risks associated therewith, etc.). In this case, providing the personal data is not obligatory, but refusing to provide them may ? based on the association between the data and the requested service ? make it impossible for Generalfinance to establish or continue the Relationship or provide the requested service. Processing such data does not require the data subject’s consent;
3. complying with other formalities of an accounting, administrative or tax nature, the data processing for the performance of which is not conditioned on obtaining the data subject’s consent;
4. functional for Generalfinance’s business, such as:
a. surveying clients’ degree of satisfaction with the quality of services provided through personal or telephone interviews, questionnaires, etc.;
b. promotion and sale of Generalfinance’s products and services or offers from its subsidiaries or affiliates by letters, telephone communication, advertising materials, automated communications systems, etc.;
c. developing market studies and research by personal or telephone interviews, questionnaires, etc.; and
d. performing public relations activities.

In this case, providing the data is not obligatory and its processing requires the data subject?s consent.

How will the data be processed?
In connection with the purposes indicated above, the personal data is processed using manual, computer and electronic tools according to logic that is strictly connected to those purposes and in a manner that ensures the security and confidentiality of the data. The manual and computer processing is performed using tools that guarantee the security and confidentiality of the data being processed in a lawful manner and according to the principle of fairness. The data are collected and recorded for specified explicit and lawful purposes; their accuracy is verified and updated periodically with information obtained during the relationship with the client; the data are pertinent, complete and not excessive in relation to the purposes; and are retained solely for the period of time necessary to pursue the purposes for which they were collected.

Who can the data be disclosed to?
Generalfinance may disclose the Assigned Debtors’ data to parties designated and authorised to process them, parties to whom the disclosure is required and governed by laws or regulations, and parties that collaborate with Generalfinance to more effectively carry out the services provided to clients. In more detail, Generalfinance may disclose your data to third parties in the categories listed below:

a. to perform legal obligations:
o parties responsible for the audit and certification of the financial statements;
o supervisory and audit authorities and bodies and, in general, public or private parties with quasi-public functions;
o supervisory authorities and bodies (Bank of Italy, the Italian Ministry of the Economy and Finance (MEF), the CONSOB [Italian Companies and Stock Exchange Commission], EBA, etc.);
o companies supporting fraud prevention;
o parties that, pursuant to a specific outsourcing relationship, perform some of Generalfinance’s functions or activities;
o databases or archives at institutions or public or supervisory authorities such as the archive created at the MEF pursuant to Article 30-ter, paragraphs 7 and 7-bis, and Article 30-quinquies of Italian Legislative Decree No. 141 of 13 August 2010, solely for purposes of preventing identity theft. In this case, the results of the data authentication verification procedure will not be disseminated, but may be disclosed to supervisory and audit authorities and bodies.
b. to perform the Agreement:
o parties that manage the commercial information system and payment habits used;
o parties that manage debt collection or provide professional consulting services and tax, legal and judicial assistance;
o parties that, pursuant to a specific outsourcing relationship, perform some of Generalfinance?s functions or activities;
o parties that support credit investigation, assessment, providing, collection and insurance activities;
o the Credit Bureau at Bank of Italy and other private parties to evaluate creditworthiness; and
o parties that insure Generalfinance?s receivables portfolio.

Can the data be transferred to non-European Union countries?
Generalfinance may transfer the personal data abroad, making them available to other factoring companies, parties that manage debt collection or provide professional consulting services and tax, legal and judicial assistance, or parties that support credit investigation, assessment, providing, collection and insurance activities, but only for reasons closely connected to the purposes of the processing and, in particular, to properly perform the Agreement and manage the assigned receivables.

Can the personal data result in profiling?
Generalfinance does not process the personal data so that it be used for profiling for marketing purposes. However, for purposes of properly performing the Agreement and, in particular, for purposes associated with obtaining an accurate assessment of clients? risk profiles and complying with applicable laws combatting money laundering and financing of terrorism, laws on transparency in relationships between clients and banking and financial intermediaries and, more broadly, industry laws governing the activities of financial intermediaries, the personal data collected by Generalfinance may be processed to develop a characteristic profile for the client.

How long will the data be retained?
Generalfinance retains the personal data in a form that allows the data subjects to be identified for a period of time necessary to achieve the specific purposes of the processing, in accordance with contractual and/or legal (e.g., tax, anti-money laundering and anti-fraud) obligations.

What are your rights?
As the data subject of the processing, you may exercise the specific data protection rights listed below:

a. right of access: the right to obtain from the controller confirmation as to whether personal data concerning you are being processed, and, where that is the case, to obtain access to the personal data and detailed information about the origin, purposes, categories of data processed, the recipients to whom the data will be disclosed and/or transferred and more;
b. right of rectification: the right to obtain from the controller without undue delay the rectification of inaccurate personal data and the right to have incomplete personal data completed, including by means of providing a supplementary statement;
c. right to erasure (“right to be forgotten”): : the right to obtain from the controller the erasure of personal data without undue delay where: (i) the personal data are no longer necessary in relation to the purposes of the processing; (ii) the consent on which the processing is based is withdrawn and there is no other legal ground for the processing; (iii) the personal data were unlawfully processed; (iv) the personal data must be erased to comply with a legal obligation;
d. right to object to the processing: the right to object, at any time, to personal data processing whose legal basis is a legitimate interest pursued by the controller and/or processing for marketing purposes, including profiling. Where the data subject objects to processing for marketing purposes, the personal data shall no longer be processed for such purposes;
e. right to restrict the processing: : the right to obtain from the controller restriction of processing, in cases where the accuracy of the personal data is contested (for a period necessary for the controller to verify the accuracy of that personal data), if the processing is unlawful and/or the data subject objects to the processing;
f. right to data portability: the right to receive the personal data in a structured, commonly used and machine-readable format and transmit those data to another controller where technically feasible, but only in cases where the processing is based on consent or contract and only for data processed using electronic tools;
g. right to make a claim to a supervisory authority: without prejudice to any other administrative or judicial recourse, a data subject who believes that the processing involving him or her infringes the Regulation has the right to make a claim to the supervisory authority of the State where he/she customarily lives or works or where the alleged infringement occurred.

We also inform you that you have the right to withdraw, at any time, any consent you have given to specific optional activities, without prejudicing the legality of processing performed prior to the withdrawal.

How can you exercise your rights?
To exercise your rights, you may contact: Claims Office, Via Carso no. 36 (BI-13900) Biella, including by e-mail to: privacy@generalfinance.it. You will be given information about the action taken in regard to your request without undue delay and, in any event, within one month of receipt.

Generalfinance s.p.a.

 

GLOSSARIO SULLA PROTEZIONE DEI DATI PERSONALI

Autorità Garante per la protezione dei dati personali: autorità amministrativa indipendente istituita dalla legge n. 675 del 31 dicembre 1996 preposta alla vigilanza sul rispetto della normativa sulla protezione dei dati;

Dati personali: ai sensi dell’art. 4, comma 1, n.1, si tratti di “qualsiasi informazione riguardante una persona fisica identificata o identificabile («interessato»); si considera identificabile la persona fisica che può essere identificata, direttamente o indirettamente, con particolare riferimento a un identificativo come il nome, un numero di identificazione, dati relativi all’ubicazione, un identificativo online o a uno o più elementi caratteristici della sua identità fisica, fisiologica, genetica, psichica, economica, culturale o sociale.”;

Profilazione: ai sensi dell’art. 4, comma 1, n. 4 del Regolamento, si tratta di “qualsiasi forma di trattamento automatizzato di dati personali consistente nell’utilizzo di tali dati personali per valutare determinati aspetti personali relativi a una persona fisica, in particolare per analizzare o prevedere aspetti riguardanti il rendimento professionale, la situazione economica, la salute, le preferenze personali, gli interessi, l’affidabilità, il comportamento, l’ubicazione o gli spostamenti di detta persona fisica.”;

Regolamento: il Regolamento UE 2016/679 del 27 aprile 2016, relativo alla protezione delle persone fisiche con riguardo al trattamento dei dati personali, nonché alla libera circolazione di tali dati e che abroga la Direttiva 95/46/CE;

Responsabile del trattamento: ai sensi dell’art. 4, comma 1, n. 8 del Regolamento, si tratta della “persona fisica o giuridica, l’autorità pubblica, il servizio o altro organismo che tratta dati personali per conto del titolare del trattamento.”;

Responsabile della protezione dei dati (RPD) o Data Protection Officer (DPO): figura introdotta dal Regolamento, avente tra i principali compiti quello di informare e fornire consulenza al Titolare, Responsabili e Incaricati in merito alla protezione dei dati; sorvegliare l’osservanza del Regolamento; fornire pareri in merito alla valutazione d’impatto sulla protezione dei dati; cooperare con l’autorità di controllo.

Titolare del trattamento: ai sensi dell’art. 4, comma 1, n. 7 del Regolamento, si tratta della “persona fisica o giuridica, l’autorità pubblica, il servizio o altro organismo che, singolarmente o insieme ad altri, determina le finalità e i mezzi del trattamento di dati personali […].”;

Trattamento di dati personali: ai sensi dell’art. 4, comma 1, n. 2 del Regolamento, si tratta di “qualsiasi operazione o insieme di operazioni, compiute con o senza l’ausilio di processi automatizzati e applicate a dati personali o insiemi di dati personali, come la raccolta, la registrazione, l’organizzazione, la strutturazione, la conservazione, l’adattamento o la modifica, l’estrazione, la consultazione, l’uso, la comunicazione mediante trasmissione, diffusione o qualsiasi altra forma di messa a disposizione, il raffronto o l’interconnessione, la limitazione, la cancellazione o la distruzione.”.