Privacy

Customers

Pursuant to EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free circulation of such data (G.D.P.R or General Data Protection Regulation),

Gardant Investor SGR S.p.A., headquartered at Via Curtatone 3, 00185 Rome (the “Company”) – PEC gardantinvestorsgrspa@legalmail.it- both in its own right and as an agent of the securitization vehicles (the “Data Controllers”) represented by it as servicer, is required to provide certain information regarding the use of personal data.

SOURCE OF PERSONAL DATA

The personal data held by the Company and other Data Controllers are collected directly from the data subject or from third parties, in which case the information referred to herein is provided to the data subject at the time of registration of the data, or if it is to be communicated, no later than the first communication.

This information may not include the elements already known to the person providing the data and is not due in cases provided for by law.

SENSITIVE DATA.

As a rule, the Company and the other Data Controllers do not require the indication of data that Article 9 paragraph 1 of the General Regulations On Data Protection identifies as belonging to the category of special data (e.g., data capable of revealing racial and ethnic origin, religious beliefs, political opinions, state of health and sexual life). In the event that occasionally and unintentionally the Company and other Data Controllers come into possession of “sensitive” data, for their processing the law requires a specific manifestation of consent, which you will find in the attached form.

PURPOSES OF PROCESSING

The data collected by the Company and other Data Controllers will be processed lawfully and fairly, in compliance with the aforementioned law and confidentiality obligations, and will be used solely and exclusively for the purposes described below:

– purposes strictly related and instrumental to the management of the relationship with the interested party (by way of example, acquisition of information preliminary to the conclusion of financing and/or restructuring contracts, execution of operations on the basis of obligations arising from the contract itself, etc.);

– purposes related to obligations arising from laws, regulations and EU legislation, as well as provisions issued by authorities empowered to do so by law and by supervisory and control bodies;

– institutional purposes such as purposes connected with and instrumental to tax accounting management, supervisory reporting as well as other obligations related to credit management;

– purposes related to credit recovery management;

– purposes related to the management of executive and insolvency procedures as well as related to the implementation of attempts to settle them out of court and, in any case, to the performance of other activities functional to credit recovery;

It should be noted that the data subject’s data will be kept for the period of time strictly necessary with the utmost confidentiality and in compliance with appropriate security measures. The processing is carried out with reference only to the categories of data, data subjects and recipients of communication strictly related to this fulfillment, storing, moreover, the data no longer than the period necessary for this fulfillment.

DATA PROCESSING METHODS

In relation to the stated purposes, the processing of personal data is carried out through manual processing, computer and telematic tools and, in any case, such as to ensure the security and confidentiality of the same, even in the case of the use of remote communication techniques.

CATEGORIES OF SUBJECTS TO WHOM THE DATA MAY BE COMMUNICATED

The data you provide may be communicated by virtue of the purposes described above to:

– companies belonging to the Data Controllers corporate groups;

– companies that perform banking, insurance and financial services;

– companies that carry out technical-legal-administrative-accounting investigations of files and/or administrative-accounting management of reports;

– companies that carry out transmission, enveloping, transport and sorting activities of the communications concerned to the data subject;

– companies that carry out archiving services of the documentation related to the relationships with the interested party;

– companies that provide services inherent to debt collection and services related and instrumental to the management of the relationship with the interested party (by way of example: acquisition of preliminary and/or subsequent information to the conclusion of financing and/or restructuring contracts);

– persons, companies, associations or professional firms that provide services or activities of assistance and advice to the Data Controllers, with particular but not exclusive reference to issues in accounting, administrative, legal, tax and financial matters

– auditing and financial statement certification companies;

– subjects whose right to access the Data is recognized by provisions of the law and secondary regulations or by provisions issued by authorities empowered to do so by law;

– companies in charge of the organization of securitization operations pursuant to Law No. 130/99, in all its aspects and operational phases.

Subjects belonging to the categories to which the data may be communicated will use such data as Data Controllers under the law, in full autonomy, being unrelated to the original processing. A detailed and updated list of names of these subjects is available at the offices of the Company and other Controllers.

DATA RETENTION

Personal data collected in the performance of this contract will be retained for ten (10) years from the conclusion of the transaction subject to any additional retention requirements under other applicable regulations.

RIGHTS UNDER ARTICLES 15-22 OF THE GENERAL DATA PROTECTION REGULATION

In relation to the processing operations described in this notice and in accordance with Articles 15-22 of the EU Regulation, the data subject is informed that he/she has the right:

1. a) to request from the Data Controller access to the personal data concerning him/her and information about the processing carried out on them;
2. b) to the rectification of data or the deletion of data in the hypotheses referred to in Article 17 of the Regulation and consistent with other retention obligations on the part of the data controller;
3. c) to revoke the consent given previously;
4. d) to the limitation of processing in the hypotheses referred to in Art.18 of the Regulation;
5. e) to data portability, i.e., the right to receive in a structured, commonly used and machine-readable format the personal data concerning him or her, and the right to transmit such data to another data controller without hindrance from the controller to whom he or she has provided them, where the processing is based on consent, on a contract, or is carried out by automated means;
6. f) not to be subjected to a decision based solely on automated processing that produces legal effects concerning him or her or affects him or her in a similarly significant way.

Any rectification or erasure or restriction of processing carried out at the request of the data subject – unless this proves impossible or involves a disproportionate effort – will be communicated by the Data Controller to each of the recipients to whom the personal data have been transmitted. The Data Controller may notify the data subject of these recipients if the data subject so requests.

In addition to the rights described above and in accordance with the same methods of exercise, the data subject has the right to object, at any time, to the processing of personal data concerning him or her if the processing is carried out in pursuit of the legitimate interest of the Data Controller. The Data Controller will refrain from further processing of personal data unless it demonstrates the existence of compelling legitimate grounds for processing that override the rights of the data subject, or for the establishment, exercise or defense of a legal claim.

To exercise these rights, the data subject may contact the Data Protection Officer (DPO) free of charge, unless unfounded or excessive requests are made, by contacting him or her at the contact details above. The Company will provide feedback to your requests, if in line with applicable regulations, in the timeframe mentioned above. In order to ensure the protection of your data, it may be necessary to verify your identity before your requests are acted upon.

You also have the right to file a complaint with the Garante per la protezione dei dati personali if you believe that your rights have not been respected, following the procedures and directions published on the Authority’s official website at www.garanteprivacy.it.

In order to exercise the rights under Article 15 of the EU Regulation 2016/679 summarized above, the data subject should contact the Data Controllers by registered letter with return receipt and e-mail at the above addresses or the Data Protection Officer at the following address: dpo@gardant.eu

Service Providers

Pursuant to the EU Regulation 2016/679 (G.D.P.R.) on the protection of individuals with regard to the processing of personal data and on the free circulation of such data, Gardant Investor SGR S.p.A., with registered office in Via Curtatone 3, 00185 Rome (the “Company”) – PEC gardantinvestorsgrspa@legalmail.it- both in its own right and as an agent of the securitization vehicles (the “Data Controllers”) represented by it as servicer, is required to provide certain information regarding the use of personal data.

SOURCE OF PERSONAL DATA

Please note that we will acquire or have already acquired directly from you your personal data subject to processing as described in this policy. In particular, we will acquire or have already acquired your common data.

SENSITIVE DATA

The Company in the performance of its activities and in the pursuit of the stated purposes, informs you that it will not process special categories of data, so-called “sensitive data,” such as personal data capable of revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership,” as well as “genetic data, biometric data intended to uniquely identify a natural person, data relating to a person’s health or sex life or sexual orientation” (Article 9 of the GDPR).

Should sensitive personal data be processed, which are not covered by legal provisions or EU regulations, your specific consent should be requested.

Furthermore, the Company will not process your judicial data (Art. 10 of the GDPR).

PURPOSES OF PROCESSING

Your personal data are processed by the Company for the following purposes:

1. a) fulfillment of obligations required by law, regulation or EU legislation and for civil, accounting and tax purposes;
2. b) entering into and executing contractual relationships or pre-contractual measures between you and the Controller, such as invoicing, correspondence and management of the supplier register;
3. c) protection of Gardant’s rights arising from the contract (e.g. breach of contract, warnings), within the legitimate interest of the Owner.

With regard to the purposes indicated above, we inform you that the processing of your personal data by the Company, including the communication of such data to the parties referred to in paragraph 5 below, does not require your consent as processing is necessary for the performance of legal obligations (letter a), for the performance of obligations arising from the contract itself (letter b)) or for the pursuit of a legitimate interest of the Data Controller (letter c)). Any refusal to provide the data, in whole or in part, may result in the impossibility for the Company to execute the contract or to properly perform all the obligations.

However, the collection of this data will be guided by the cardinal principles, enucleated in the GDPR.

CATEGORIES OF SUBJECTS TO WHOM THE DATA MAY BE COMMUNICATED

The Data Controller may communicate the data of data subjects to third parties as autonomous data controllers or data processors appointed by the Data Controller.

In particular, your data may be communicated to:

1. a) companies that manage software and/or hardware of the Data Controller or that manage computer archives on its behalf;
2. b) subjects to whom the communication of data is necessary or is otherwise functional for the management of the contractual relationship;
3. c) companies controlled by the Controller;
4. d) bodies of the public administration (agencies, ministries, social security and welfare institutions) in compliance with obligations required by law;
5. e) entities to which the right to access data is recognized by legal provisions or regulatory or EU regulations (e.g.: judicial authorities and police forces, sector supervisory authorities, auditing companies, rating companies, etc.).

Information pertaining to these entities, including the indication of the data controller and data processors, which is constantly updated and easily accessible, is available free of charge by contacting the DPO at the contact details above.

For the same purposes mentioned above, the data provided to the writer may be communicated to those authorized to process them (Subjects operating under the authority of the Data Controller and Subjects operating under the authority of the Data Processors appointed by the Data Controller).

DATA RETENTION

The Company will retain your personal data for the time necessary to achieve the purposes specified in this Notice, after which the data will be deleted in accordance with legal requirements.

In particular, in the case of termination of the relationship, personal data will be retained from the date of the event in order to fulfill the legal requirements for the retention of accounting records, as well as for any requests for further retention for judicial requirements and tax audits.

RIGHTS UNDER ARTICLES 15-22 OF THE GENERAL DATA PROTECTION REGULATION

In relation to the processing operations described in this information notice and pursuant to Articles 15-22 of the EU Regulation, the data subject is informed that he/she has the right:

1. a) to request from the Data Controller access to the personal data concerning him/her and information about the processing carried out on them;
2. b) to the rectification of the data or the deletion of the same in the cases referred to in Article 17 of the Regulation and consistent with other retention obligations on the part of the owner;
3. c) to revoke the consent given previously;
4. d) to the limitation of processing in the hypotheses referred to in Art.18 of the Regulation;
5. e) to data portability, i.e., the right to receive in a structured, commonly used and machine-readable format the personal data concerning him or her, and the right to transmit such data to another data controller without hindrance from the controller to whom he or she has provided them, when the processing is based on consent, on a contract, or is carried out by automated means

(f) not to be subjected to a decision based solely on automated processing that produces legal effects concerning him or her or affects him or her in a similarly significant way.

Any corrections or erasure or restriction of processing carried out at the request of the data subject – unless this proves impossible or involves a disproportionate effort – will be communicated by the Data Controller to each of the recipients to whom the personal data have been transmitted. The Data Controller may notify the data subject of these recipients if the data subject so requests.

In addition to the rights described above and in accordance with the same methods of exercise, the data subject has the right to object, at any time, to the processing of personal data concerning him or her if the processing is carried out in pursuit of the legitimate interest of the Data Controller. The Data Controller will refrain from further processing of personal data unless it demonstrates the existence of compelling legitimate grounds for processing that override the rights of the data subject, or for the establishment, exercise or defense of a legal claim.

To exercise these rights, the data subject may contact the Data Protection Officer (DPO) free of charge, unless unfounded or excessive requests are made, by contacting him or her at the contact details above. The Company will provide feedback to your requests, if in line with applicable regulations, in the timeframe mentioned above. In order to ensure the protection of your data, it may be necessary to verify your identity before your requests are acted upon.

You also have the right to file a complaint with the Garante per la protezione dei dati personali if you believe that your rights have not been respected, following the procedures and directions published on the Authority’s official website at www.garanteprivacy.it.

In order to exercise the rights under Article 15 of the EU Regulation 2016/679 summarized above, the data subject should contact the Data Controllers by registered letter with return receipt and e-mail at the above addresses or the Data Protection Officer at the following address: dpo@gardant.eu

Model for the execution of the rights of the interested party

Modello per l’esecuzione dei diritti dell’interessato