Personal data protection notice

Informativa privacy

Download our privacy policies in pdf format

Personal Data Protection Notice
Focus On Your Rights

1. Your privacy

At Intesa Sanpaolo Private Banking S.p.A. we know the value of your personal data and we constantly strive to process them confidentially and securely so that you may entrust them to us with peace of mind.
In this notice we will show you which categories of data we handle and why; which data sources we draw on; how we process data, with whom we share it and for how long we store it. We will then review each of your rights, set forth in the GDPR (General Data Protection Regulation - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016), providing you with the information you need to exercise them.
We are at your service to ensure adequate, timely and rigorous protection of your data.

2. To whom is this notice addressed?

To each of our customers; and therefore to you who already have a contractual relationship with us or who are about to establish one.
This notice is also addressed to all those who, in various capacities, have connections with our customers or their guarantors (e.g. legal representatives, directors, shareholders, beneficial owners, attorneys, delegates or signatories).
Finally, this notice is addressed to those whose data have been provided to us by other parties at the pre-contractual stages or in the performance of a contract and to those who require us to carry out an occasional transaction.
Its content may concern you as a natural person, sole proprietor or freelancer.
We may need to amend or supplement it, due to regulatory obligations or as a result of organisational changes. In this case, we will notify you through our channels (e.g. apps and internet banking). You may consult the latest version at any time in the “Privacy” section of our website and by using our apps.

3. What do we mean by data processing? Who is the data controller?

The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person”.
The GDPR also defines precisely what is meant by “processing”, i.e. “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
As the "Data Controller", Intesa Sanpaolo Private Banking, acting in full compliance with the principles of fairness, lawfulness and transparency, determines the means and purposes of each of these "operations" that involve, even only potentially, your personal data; it does all this while ensuring your confidentiality and fully protecting your rights.

4. What personal data do we process?

The personal data we process and protect belong to the following categories:
  • identification and personal data, such as your name and surname, business name, tax code, VAT number, date and place of birth, address of residence/domicile, tax domicile, correspondence address, gender, nationality and data relating to identification documents;
  • image data, such as a photograph on an identification document;
  • contact details, such as landline and mobile phone numbers, ordinary and certified e-mail addresses;
  • data relating to personal and family situations, such as marital status and composition of family units;
  • financial data: economic, capital and credit data;
  • data relating to the relationships you have with us, such as transaction data, your reference branch, your classification according to the European MIFID Directive and your credit rating;
  • data belonging to “special” categories, e.g. biometric data and health data. These are data that were previously defined as "sensitive" and require "special" protection and specific consent;
  • judicial data relating to criminal convictions and offences or security measures.

5. Why are we asking you to provide us with your data?

We need your data to prepare, conclude and properly perform contracts and to fulfil the relevant legal obligations.
If you decide not to provide us with your data, we will be unable to provide you with our services.

6. From whom do we collect your data? How do we process them?

The data we process may originate:
  • Directly: if you communicated them to us on the occasions when you interacted with us;
  • Indirectly: if we have collected them from third parties or from sources accessible to the public (e.g. the Chamber of Commerce and Professional Registers), in compliance with the relevant regulations.
We take care of your data in any case: we process them using manual, computerised and telematic tools and we guarantee their security and confidentiality.

7. What is the underlying basis on which we process your data? For what purposes do we process your data?

The processing of personal data is lawful only if its purpose has a valid legal basis, i.e. it is included among those provided for by the GDPR.
We will show you briefly, with respect to the different legal bases provided for, what processing we carry out and the aims we pursue.
a) Consent
(Article 6.1(a) of the GDPR
and Article 9.2(a) of the GDPR)
These types of processing are only possible if you have given your consent for the specific purpose.
You always have the right to withdraw all or part of the consents given.
We carry out direct and indirect marketing and profiling activities, and in particular:
  • we perform activities functional to the promotion and sale of products and services of companies belonging to the Intesa Sanpaolo Group or of third party companies and conduct customer satisfaction surveys both through the use of automated systems for calling or communicating a call without the intervention of an operator and electronic communications (e-mail, SMS, MMS or other), and also through the use of paper mail and telephone calls through an operator;
  • by processing your information (e.g. current account transactions, changes in your financial situation, location and movements) and the identification of categories (clusters) we assess and predict aspects concerning, among other things, interests, preferences, consumer choices and habits, in order to offer you more personalised and appropriate products and services.
We process data belonging to “special” categories only if strictly necessary for specific purposes, for example for the provision of services and products in the context of social impact and welfare initiatives.
b) Contract and pre-contractual measures
(Article 6.1(b) of the GDPR)
We provide the services requested and perform the contracts or actions relating to the pre-contractual phases.
c) Obligation by law
(Article 6.1(c) of the GDPR)
We comply with regulatory requirements, for example in the field of taxation and anti-money laundering, anti-corruption and fraud prevention in payment services. 
We comply with Authority provisions, for example in relation to monitoring of operational and credit risks at banking group level.
d) Legitimate interest
(Article 6.1(f) of the GDPR
We pursue the legitimate interests of ourselves or of third parties, which are shown to be lawful, concrete and specific, after having ascertained that this does not compromise your fundamental rights and freedoms.
These include, for example, physical security, security of IT systems and networks, prevention of fraud and the production of statistics.
The full list of legitimate interests that we pursue is described in the annex "Legitimate interests”, the latest version of which is always available in the "Privacy" section of our website .

8. How do we process your data to assess credit risk?

European regulations require us to assess and update credit risk, in order to ensure the Intesa Sanpaolo Group’s financial stability and capital adequacy. We therefore process your data using a profiling technique that enables us to assess and maintain your "financial" health status up to date by calculating a risk score (a rating) based on your movements and on possible overdrafts on current accounts you have opened with our Group and, if you authorise us, also on accounts you hold with other banks. The assessment system also uses data that you already provide us with other documents, such as tax returns or financial statements. The rating calculated in this way will be taken into account, along with other information and parameters, also to:
  • provide you with an informed reply when you ask us for a loan, credit line or a credit card;
  • assess your reliability and timeliness in making payments, if you have taken out a loan. 
The methodology and logic of this processing are described in the annex “Profiled credit risk assessment", which is also available in the "Privacy" section of our website .

9. Who might receive the data you have provided us with?

We may disclose your data to other parties, both within and outside the European Union, but only for the specific purposes indicated in the notice according to the legal bases provided by the GDPR.
The following may receive your data:
  1. the Authorities and the parties to whom the communication of the data is due in compliance with regulatory obligations;
  1. the public information systems of public administrations. These include:
  • the Bank of Italy Central Credit Register (Centrale Rischi);
  • the Central Means of Payment Antifraud Office (UCAMP);
  • Public administrative fraud prevention system for consumer credit with specific reference to identity theft (SCIPAFI);
  • the Tax Database - Archive of relations with financial operators;
  1. parties belonging to the Intesa Sanpaolo Group;
  2. parties with whom we have commercial agreements;
  3. parties which act as our intermediaries and agents;
  4. parties that operate in the following sectors:
  • banking, financial and insurance services;
  • payment systems and circuits;
  • measurement of financial risks to prevent and monitor insolvency risk;
  • management of asset and credit recovery;
  • tax collection and treasury management;
  • physical security (e.g. guard and video surveillance services);
  • provision and management of IT and telecommunications procedures and systems;
  • computer security;
  • the professions (e.g. appraisers, notaries and lawyers, inclusive of litigation services);
  • auditing of accounts and consultancy in general;
  • service quality surveys and market analysis and research;
  • advertising and commercial promotion of products and/or services;
  • management of customer relations (e.g. in relation to communication and assistance);
  • logistics;
  • the storage of data and documents (both on paper and electronic media).
A detailed list of the recipients of personal data is available from our branches on request.

10. How do we protect your data when we transfer them outside the European Union or to international organisations?

We normally process your data within the European Union; for technical or operational reasons, we may, however, transfer the data to:
  • countries outside the European Union or international organisations which, as determined by the European Commission, ensure an adequate level of protection;
  • other countries, based, in this case, on one of the "appropriate safeguards" or on one of the specific exceptions provided for by the GDPR.
Furthermore, your data contained in the messages regarding financial transfers (e.g. foreign credit transfers) may be transmitted, for the exclusive purpose of preventing and fighting terrorism and its financing, to the public authorities of the United States of America, with which the European Union has concluded a specific agreement1.

11. How long do we hold your data for?

We are legally obliged to keep your data for a period of 10 years from the termination of the contractual relationship or, when they have been collected by virtue of an occasional transaction, from the date of the transaction itself.
We will process them for a longer period only in the cases expressly provided for by law or to pursue a legitimate interest of ourselves or of third parties.

12. How can you contact us?

These are the details for contacting us: You may in any event contact any of our local branches: a list and contact details are available in the "Search for a branch" section of our website .

13. Who is the “Data Protection Officer”? How can you contact him?

The "Data Protection Officer" (DPO) is a guarantee officer that we have appointed, as expressly required by the GDPR. You may contact the DPO for all matters relating to the processing of your personal data and to exercise your rights under the GDPR, by contacting him at the following e-mail address:

14. What are your rights?

The GDPR grants you the following rights:

Right to object (pursuant to Article 21 of the GDPR): if your personal data are processed by us for direct marketing purposes, you have the right to object to the processing and any profiling activities related to them at any time; if you exercise this right, your personal data will no longer be processed for this purpose.
You can also exercise the right to object to the processing we carry out to perform tasks in the public interest, to exercise public powers or to pursue a legitimate interest of ourselves or third parties. In these cases, the processing will no longer be carried out unless there are reasons that oblige us to proceed or it is necessary to establish, exercise or defend a legal claim.

Right of Access (pursuant to Article 15 of the GDPR): you have the right to obtain confirmation as to whether or not personal data concerning you is being processed by us, to have information on the processing in progress and to receive a copy of the data.

Right to Erasure (pursuant to Article 17 of the GDPR): the GDPR provides for a series of cases in which you have the right to obtain the erasure of personal data concerning you (for example, if the data is no longer necessary for the purposes for which it was processed or if you have withdrawn the consent on which the processing is based and there is no other legal basis for processing it).

Automated decision-making including profiling (pursuant to Article 22 GDPR): normally we do not make decisions based solely on the automated processing of your personal data except in specific areas and only when the decision is related to the conclusion or performance of a contract, is based on your explicit consent or is authorised by law.
In the first two cases (contract and consent) we guarantee your right to obtain human intervention, to express your point of view and to contest the decision.
You always have the right to receive meaningful information on the logic involved, as well as on the significance and the consequences of automated processing.

Right to Restriction (pursuant to Article 18 GDPR): the GDPR provides for a series of cases in which you have the right to obtain the restriction of the processing of personal data concerning you (for example, for the period necessary to carry out the appropriate checks on the personal data of which you have contested the accuracy).

Right to Data Portability (pursuant to Article 20 GDPR): the GDPR provides for a series of cases in which you have the right to receive the personal data that you have provided us with and which concern you in a structured, commonly used and machine-readable format. The GDPR also protects your right to transmit those data to another data controller without hindrance on our part.

Right to Rectification (pursuant to Article 16 of the GDPR): you have the right to obtain the rectification of inaccurate personal data concerning you and the completion of incomplete data.

Right to Lodge a Complaint (pursuant to Article 77 of the GDPR): if you consider that the processing of your data by us is infringing the regulations on the processing of personal data, you have the right to lodge a complaint with the Supervisory Authority for the protection of personal data.

Your rights are described in the document "Focus on your rights" available in the "Privacy" section of the website


15. Why are you being asked for “consents”?

As described in section 7, direct and indirect marketing and commercial profiling actions carried out by Intesa Sanpaolo Private Banking S.p.A. (“the Bank”) are subject to the existence of specific consents that, if you wish, you may grant to us, thereby allowing us to make our best commercial offers to you.

16. Contacts and forms for the exercise of your rights

In the "Privacy" section of the website you will find a form that you can use to exercise your rights.
To exercise your rights, you may write to: You may also visit any of our branches.
We will carry out all the necessary actions and communications free of charge. Only if your requests are demonstrably unfounded or excessive, due in particular to their repetitive character, may we charge you a fee, taking into account the administrative costs incurred, or alternatively refuse to meet your requests.

Annex 1 - Legitimate interests

Article 6.1(f) of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016 (GDPR - General Data Protection Regulation) authorises us to process personal data concerning you without the need to ask for your consent, where the processing is necessary for the pursuit of a legitimate interest of ourselves or third parties, provided that the interest does not override your interests or fundamental rights and freedoms.
With this document, we provide you with an up-to-date list of legitimate interests of ourselves or of those of third parties that we pursue in connection with our operations.
We remind you that, pursuant to Article 21 of the GDPR, you have the right to object to the processing of personal data concerning you at any time, if the processing is performed for the pursuit of our interests, including profiling.
Should you object, we will refrain from processing your personal data further unless there are legitimate reasons to proceed with the processing (reasons that override your interests, rights and freedoms), or the processing is necessary for the establishment, exercise or defence of legal claims.
For comprehensive information on the rights that the GDPR recognises in relation to the processing of your personal data, please refer to the "Focus on your rights" document in the "Privacy" section of the website www.
List of legitimate interests:
  • safeguarding physical security, understood as the security of people and company assets, including through the acquisition of images and videos in the context of video surveillance systems;
  • monitoring the security of IT systems and networks to protect the confidentiality, integrity and availability of personal data;
  • adoption of appropriate safeguards to prevent fraud and mitigate other risks (e.g. with regard to corporate administrative liability, anti-money laundering and anti-corruption) in compliance with legal obligations incumbent on the Data Controller;
  • the exercise and defence of a right (including the right of claim), in any place;
  • transmission of personal data within the group of companies for internal administrative purposes;
  • processing of personal data belonging to third parties in the context of the performance of agreements and/or contracts with the Bank's counterparties, inclusive of the pre-contractual phase;
  • carrying out activities not attributable to the performance of contracts but relevant to customer relationships (e.g. customer care and assistance);
  • management of corporate and strategic operations such as, for example, mergers, demergers and sales of business lines;
  • development and updating of predictive and descriptive models through the production of statistics and reports with the following aims:
  1. definition of new products and services;
  2. verification of the performance of products and services for their improvement;
  3. verification of the effectiveness of processes and/or the operation of units;
  4. data quality improvement;
  5. construction of general models of customer behaviour based on statistical analyses of quantitative/qualitative information with the aim of maintaining standards of the offer of products and services high enough to meet customer demands;
  6. improving user experiences on websites and apps.

Annex 2 - Profiled credit risk assessment

European regulations on prudential supervision require banks to assess credit risk internally and to keep this assessment constantly up-to-date in order to ensure their financial stability and capital adequacy including at Banking Group level 2.
To measure credit risk internally, we have developed a model that is also based on an analysis of current account movements over a 12-month period.
In particular, we analyse movements on current accounts on the basis of the data obtainable from accounts, including joint accounts, that you hold with us, with Group Banks and, if you have consented, also with other banks not belonging to the Group 3
In the absence of movements, we use the data that you have provided us with directly or that can be obtained from tax returns, financial statements and any further documentation that may be asked for.
Analysis of this information enables us to assess credit risk more effectively and we express this is as a rating, the values of which are divided into classes.
The personal data used for profiling, functional to the assignment of a rating, are specifically processed to pursue the following aims:
  1. to assess your creditworthiness should you apply for credit. The processing of your personal data is necessary in order to respond to your request;
  2. to allow us to periodically update ratings and to constantly monitor credit risks, including at Group level, on customers granted credit and on those holding a current account for more than three months (in the latter case, we monitor the potential credit risk deriving from possible account overdrafts). The processing of your personal data is mandatory as it is required by law and does not require your consent;
  3. with regard to the processing of data deriving from IT systems managed by private entities that concerns consumer credit, reliability and timeliness of payments (CIS – Credit Information System), to pursue our legitimate interest inherent in the accurate measurement of credit risk and in the accurate assessment of the reliability and timeliness of payments. The processing of your personal data does not compromise your fundamental rights and freedoms and does not require your consent.
If the data in our possession, including those held at other Group Banks, are not sufficient, you may be asked for additional personal data; it is understood that you will be free to choose whether or not to disclose data relating to accounts held with other banks.
If the profiling functional to the assignment of a rating takes place as part of a fully automated decision-making process, you will be specifically notified and, where necessary, we will request your explicit consent in compliance with the provisions of Article 22 of the GDPR "Automated individual decision-making, including profiling".

As for the profiling carried out for the aforementioned credit risk assessment, we use a model that processes and supplements information from various sources through the use of statistical techniques and credit technology best practices.
In this process, in observance of the rules for granting and managing credit, we use statistical algorithms that enable credit risk to be assessed and predicted with a high degree of accuracy.
The personal data processed are those strictly necessary to ensure the accuracy of the credit assessment, the effectiveness of the algorithms used and their reliability over time.
To ensure the fairness and proper use of the process employed, we also subject the calculation methods we use to regular checks, both internal and external, so that they remain appropriate, effective and non-discriminatory over time.
To achieve this, we have defined appropriate safeguards to ensure compliance with regulatory requirements over time, as well as the proper functioning of the statistical models and the related calculation logic. We carry out periodic updates of the time series data used for the estimation of the models, regular checks to ensure the accuracy of the data processed and regular checks on the functioning of the algorithms used and the results achieved

Notice to legal person, entities or association

If you represent a legal person, entity or association, we inform you that consent is required to authorise us to use automated systems for calling or communicating a call without the intervention of an operator and electronic communications (e-mail, SMS, MMS or other) to carry out promotional activities or market research.
The granting of consent authorises the Bank to carry out the same processing also by means of paper mail or telephone calls through an operator.
1 O.J. European Union L 195/5 of 27.7.2010.
2 The subject is regulated mainly by Regulation (EU) no. 575/2013 ("Capital Requirements Regulation" - CRR), by Directive 2013/36/EU of 26 June 2013 ("Capital Requirements Directive" - CRD IV), by the guidelines adopted by the European Commission, by the European Banking Authority, and by the related implementing rules also issued by the Bank of Italy.
3 The data taken from the accounts you hold with banks outside the Group are those that you have provided to us by delivering your account statements, or by using our account information service. This service is a function of a remote service (My Key for individuals and My Key Business) that enables customers to use an electronic link to acquire information on balances and movements relating to payment accounts, accessible online, that a customer holds with other banks or payment service providers. "Online accessible payment accounts" are the accounts (e.g. current accounts) that a customer can access using a bank's or the payment service provider' s internet/mobile banking service where the accounts are opened.