GDPR Reg. EU 679/2016 – Website Privacy Policy and Mobile App Privacy Notice (Cherry Bank and Cherry Face to face)

We would like to inform that the processing of your personal data will take place in compliance with current legislation on privacy and will be based on principles of correctness, lawfulness, transparency and data protection. To this end, based on the provisions of Article 13 and 14 of the European Regulation 2016/679 (GDPR), we indicate below the general information regarding the processing of personal data carried out through this website and by mobile apps (Cherry Bank and Cherry Face to face reported in paragraph 7).

1. Who the Data Controller and the Data Protection Officer (DPO) are.

The Data Controller of the processing of personal data is Cherry Bank S.p.A. based in Padua (Pd), Via San Marco 11, 35129 Padua.
The Data Controller has appointed a Data Protection Officer (“Data Protection Officer” or “DPO”), whom you may contact, writing to:

• Cherry Bank based at Via San Marco 11, 35129 Padova, Att.ne “Data Protection Officer”
• By sending an e-mail to: privacy@cherrybank.it
• By sending a certified e-mail message to the PEC address: privacy@pec.cherrybank.it

In order to exercise your rights, listed in point I below of this Notice, as well as for any other request, you may contact the “Privacy & Data Protection” Function at the following address:

• Cherry Bank with head office in via San Marco 11, 35129 Padova, Att.ne “Data Protection Officer”
• By sending an e-mail to the address: privacy@cherrybank.it
• By sending a certified e-mail message to the PEC address: privacy@pec.cherrybank.it

2. Methods of data processing on this website

2.1. Navigation data
The computer systems and procedures that manage this Web site acquire certain personal data whose transmission is implicit in the use of Internet communication protocols. For example, such data include. the IP addresses or domain names of the computers used by users who connect to the site, the addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server and other parameters relating to the operating system to the hardware used by the user. This is information that is not collected to be associated with identified interested parties, but which by its very nature could, through processing and association with data held by third parties, nevertheless allow it to be able to identify users. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning and are deleted after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes caused to this site.

2.2. Cookies
The site uses cookies to improve the user’s browsing experience. Cookies are usually text strings that the websites visited by the user or third-party sites, place and store within the device used by the user for navigation. The site uses technical cookies where possible subject to anonymization; these are necessary for the proper functioning of a website and to allow user navigation; without them, the user may not be able to view the pages correctly or use some services. The site also uses statistical cookies, also called analytics cookies, used only to produce aggregate statistics in relation to the single website visited. Session cookies (non-persistent) are used, strictly limited to what is necessary for the safe and efficient navigation of the sites.
Go to Cookie Policy.

2.3. Purpose and legal basis
The data you provide may be processed for:

1. Purpose: the performance of necessary operations aimed at providing the services and/or information that you may have requested such as browsing through the pages of the site, registration to restricted areas, assistance and re-contact, request for information via e-mail, etc. Legal Basis: the need to respond to your request for information or execute your requests to receive a service directly available through the site.
2. Purpose: The provision of technological services such as mailing-list, newsletters, remote or local support and maintenance, etc.. Such service is also related to that provided by specifically authorized third parties. Legal Basis: the need to respond to your request for information or execute your requests to receive a service directly available through the site.
3. Purpose: activity arising from obligations of laws, regulations or measures from time to time in force and applicable to the services and services offered through the site. Legal Basis: the need to fulfill a legal obligation.
4. Purpose: statistical processing of aggregate data in relation to site performance. Legal Basis: this is anonymized data, i.e., data from which it is not possible to re-identify a natural person.
5. Purpose: Evaluations regarding the use of the Bank’s site. Legal Basis: consent.
6. Purpose: to optimize the commercial offer. Legal Basis: consent.
7. Purpose: to send advertising and/or commercial proposals based on the interests you have expressed by accessing the pages and using the services available on this site. Legal Basis: consent.

3. Data provided voluntarily

In order to access some restricted services (such as Home Banking,App systems), it is mandatory to register and enter some personal data. The provision of some identifying data is necessary in order to authenticate and verify the legitimacy of access, in the different levels of the reserved areas, to the individuals who access them.

4. Transfer of data outside the EU

The Data Controller may transfer your personal data, to the categories of recipients listed above, both to EU and non-EU countries (in the latter case, this will be exclusively to countries that guarantee an adequate level of protection in accordance with the GDPR or to Third Parties that guarantee the proper processing of data in compliance with the European legislation in force by virtue of Standard Contractual Clause).

5. Categories of Recipients of Personal Data

Depending on the operation or service requested, customer/user data may be communicated by the owner to third party companies entrusted with tasks of a technical and organizational nature that will process the data as an autonomous owner or as an external manager (e.g. site maintenance company, manager of the reserved section, manager of the Internet Banking\Digital Banking platform, app manager). The data may also be communicated to those third parties in order to fulfill an obligation provided for by law or in case of a measure of the Authority.

6. Processing methods, security measures, and retention times

Personal data are processed by automated means for the time strictly necessary to achieve the purposes for which they were collected and stored digitally. Specific security measures are in place to prevent data destruction or loss, unauthorized access, or unlawful use.

7.Privacy Notice for Mobile Apps (Cherry Bank and Cherry Face to face)

7.1 Who the Data Controller and the Data Protection Officer (DPO) are.

The Data Controller of the processing of personal data is Cherry Bank S.p.A. based in Padua (Pd), Via San Marco 11, 35129 Padua. The Data Controller has appointed a Data Protection Officer (“Data Protection Officer” or “DPO”), whom you may contact, writing to:

• Cherry Bank based at Via San Marco 11, 35129 Padova, Att.ne “Data Protection Officer”
• By sending an e-mail to: privacy@cherrybank.it
• By sending a certified e-mail message to the PEC address: privacy@pec.cherrybank.it

In order to exercise your rights, listed in point I below of this Notice, as well as for any other request, you may contact the “Privacy & Data Protection” Function at the following address:

• Cherry Bank with head office in via San Marco 11, 35129 Padova, Att.ne “Data Protection Officer”
• By sending an e-mail to the address: privacy@cherrybank.it
• By sending a certified e-mail message to the PEC address: privacy@pec.cherrybank.it

7.2 Type of data processed

We would like to inform you that exist products / services that use mobile applications available for download on the main Marketplaces (Google Play Store e App Store di Apple). Specifically, these applications are Cherry Bank and Cherry Face to Face. These applications are developed, updated and maintained by third parties with whom the Bank has entered into specific supply contracts with DPA as Processor pursuant to art. 28 of the GDPR. Personal data are processed by the Data Controller to allow you to use all the features provided by the applications and to ensure their correct functioning. Once installed, the App may ask you to access some information and features on your device such as:

• Personal data, such as Name, Email address, User ID, Address and Telephone number (eg for the operation of the App)
• Photo (eg to use QR Code-based services)
• Files and documents (eg to allow you to save or open documents)
• Contacts (eg to save the data of your contacts in the App)
• Device ID (eg for the operation of the App)

Also :

• The Apps do not share user data with other organizations or companies
• Data is encrypted in transit
• Data is transferred via a secure connection

7.3 Purpose of the processing:

The purposes of the processing on the App object of this paragraph are:

• Purpose directly connected to the correct functioning of the App
• Purpose connected to the obligations established by law, by regulations, by legislation community, as well as by provisions issued by the competent Authorities.

7.4 Legal basis

The legal basis on the Apps covered by this paragraph are:

• Fulfillment of a contractual obligation
• Fulfillment of a legal obligation
• Legitimate interest

7.5 Retention and Deletion of Data

We invite you to read the information relating to the Privacy of the Apps covered by this paragraph reported on the Google Play Store and Apple App Store page of Cherry Bank and Cherry Face to face. For any further information, we also invite you to read the information relating to the device you are using, available within your Device and the specific information available in the MarketPlace relating to applications.

For more information on saving and deleting data on the device, please refer to the manufacturers of the operating systems used. The interested party may, however, consult the privacy information made available on the following sites:

• App Store: https://www.apple.com/legal/internet-services/itunes/it/terms.html
• Google Play: https://play.google.com/intl/it_it/about/play-terms.html

At any time you can obtain the termination of the processing described here carried out through the Bank’s applications by uninstalling them from your device.

8. Rights of the data subject under EU Regulation 679/2016.

In relation to the processing operations described in this Notice, as a data subject you may, under the conditions provided by the GDPR, exercise the rights enshrined in Articles 15 to 22 of the GDPR and, in particular, the following rights:

• Right of access – art.15 EU Regulation 679/2016.
• Right of rectification – art.16 EU Regulation 679/2016.
• Right of deletion – art.17 EU Regulation 679/2016.
• Right to restriction of processing – art.18 EU Regulation 679/2016.
• Obligation to notify in case of rectification or erasure of personal data or restriction of processing – art.19 EU Regulation 679/2016.
• Right to data portability – art.20 EU Regulation 679/2016.
• Right to object – art.21 EU Regulation 679/2016.
• Right not to be subject to automated decision making – art.22 EU Regulation 679/2016.

The exercise of your rights as a data subject is free of charge under Article 12 GDPR. However, in the case of requests that are manifestly unfounded or excessive, including due to their repetitiveness, the Data Controller may charge a reasonable fee, in light of the administrative costs incurred in handling your request, or deny satisfaction of your request. In any case, you may exercise your rights by contacting the mailbox dpo@cherrybank.it attaching a copy of your ID. In any case, you will always have the right to lodge a complaint with the competent supervisory authority (Garante per la Protezione dei Dati Personali), in accordance with Article 77 GDPR, if you believe that the processing of your data is contrary to the current Privacy Regulations.