1. Data processed
As a rule, the Website can be used without having to provide any personal data. Should the Website be accessed for information only (opening no account), we are not going to collect any personal data, except for those transmitted by the user’s browser or terminal device and IP address in order to enable access to the Website. In this case, data transmitted to SanctisFundMe CUA shall be, by way of example: (i) date and place of the request; (ii) the type and version of the browser used; (iii) the OS; (iv) page views and navigation paths of the Website; and (v) information on the timing, frequency and layout of the use of the Website, and in general all the use-related data offered by SanctisFundMe CUA automatic tracking system, whereby, in any case, anonymous information is collected to report use-related trends.
Personal data are collected within specific sections of the Website via electronic forms, only to access SanctisFundMe CUA services. In this case, personal data collected between the user and SanctisFundMe CUA for service use consist of two different categories, depending on whether you do or do not exceed the annual volumes and/or if SanctisFundMe CUA at its own discretion requested additional information as specified in the TECs.
In the first case, SanctisFundMe CUA, as Data Controller, collects and processes personal data, nickname, and e-mail address (hereinafter “Personal Data” or “Data”), communicated by the user when opening an account and registering on the Website. In the latter case, since the account is to be verified for personal identification purposes, Personal Data required will also be those necessary for identification, and may include, without limitation: (i) first name and surname; (ii) date of birth; (iii) place of birth; (iv) place of residence; (v) domicile, if different from residence; (vi) tax number, if issued; (vii) references to identification document and date of issue and expiry, etc.
SanctisFundMe CUA does not collect data from persons younger than 18 and does not process sensitive data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, or health status.
2. Checking and identification
Once the user has registered on the website, if the user exceeds the annual volume of transactions specified in the TECs,SanctisFundMe CUA is obliged to fulfill its obligations concerning KYC and AML Laws and the fight against terrorist financing. SanctisFundMe CUA reserves the right to perform such due diligence at any time for any User, even if the limits specified in the TECs have not been reached, without providing the need to provide a reason for the request.
SanctisFundMe CUA is obliged to verify the User’s identity by means of a valid identification document, keep specific information taken from this document, check the authenticity of such document together with all additional information, including documents, which must be requested and which, during the relationship, must be updated. Therefore, the User must provide all the information additional to that required for opening the account, which will be requested through electronic forms also providing for the possibility to upload documents, or through questionnaires that will be submitted and that SanctisFundMe CUA will request to fill off-line.
A detailed and updated list of these parties is available to the user; a formal request should be addressed to SanctisFundMe CUA.
3. Legal basis and purpose for processing.
Personal Data of the user are processed:
A) with no specific consent of the data subject (Article 6(b), (c) and (f) GDPR), for the following purposes:
use the Website services;
comply with pre-contract, contract and tax obligations of SanctisFundMe CUA or carry out all measures and actions upon request of the data subject, as well as arising from all existing relationships with users, customers, collaborators, business partners, suppliers, and consultants;
comply with the obligations set out under the law, any Regulation, EU legislation or any Authority order ( as, for example, concerning anti-money laundering);
pursue legitimate rights and interests (such as the right of defense before the Court);
B) only upon specific and separate consent (Articles 23 and 130 of the Privacy Code and Article 7 GDPR), for the following marketing purposes:
send by e-mail, post and/or sms and/or telephone contacts, newsletters, commercial communications and/or advertising material on products or services offered by the Data Controller and assess the satisfaction rate on service quality;
send via e-mail, mail and/or sms and/or telephone contacts commercial and/or promotional communications from third parties (such as, for example, business partners).
In any case, SanctisFundMe CUA shall, insofar as possible, ask the data subject’s consent even when the legal basis for Personal Data processing is based on the purposes referred to in paragraph 3.A).
4. Data provision
Personal Data must be provided for the purposes referred to in paragraph 3.A).
If the data are not provided by the data subject, SanctisFundMe CUA cannot guarantee the provision of business services, nor can it perform its contractual obligations towards customers, employees, suppliers, business partners and, in general, all those connected with SanctisFundMe CUA. In such cases, the Company further states that even the partial or incorrect provision of Personal Data may result in the impossibility to provide services and in any case prevents SanctisFundMe CUA from fulfilling the pre-contract, contract and tax requirements it is required to fulfill.
If consent to personal data processing is required to the data subject and the latter discontinues the consent to the provision of Personal Data already made, it shall remain mandatory and basic condition for the performance of all the purposes specified under paragraph 3.A) above. Should the data subject fail to provide his/her Personal Data, given that SanctisFundMe CUA is unable to fulfill its obligations, SanctisFundMe CUA shall not be deemed liable, resulting in the termination of any previous relationship or otherwise being unable to continue the same.
Data provision for the purposes referred to in paragraph 3.B) is optional.
The data subject may therefore decide not to provide any Personal Data or to subsequently refuse the possibility of processing any data already provided. In this case, the data subject shall not receive newsletters, commercial communications and advertising material relating to the services offered by the Data Controller, whilst remaining entitled to use company and contractual services referred to in paragraph 3.A), without prejudice to the foregoing.
5. Data processing and retention
Personal Data processing is carried out by means of procedures indicated in art. 4 Privacy Code and art. 4 no 2) GDPR. Specifically, data processing is carried out through: data collection, recording, management, retention, consultation, processing, modification, selection, extraction, comparison, application, interconnection, blocking, communication, erasure and destruction.
Personal Data are processed both in paper and electronic and/or automated form with methods and tools in compliance with the security measures set forth in art. 32 of the GDPR and Annex B of the Privacy Code, by parties specifically appointed by SanctisFundMe CUA in compliance with the provisions of art. 30 of the Privacy Code, or parties in charge of personal data processing under the direct control of SanctisFundMe CUA as provided for by Article 4, paragraph 10, of the GDPR. As anticipated, the treatment may be entrusted, by means of specific agreements, also to third parties, appointed as data processors and acting on written order of SanctisFundMe CUA itself, as Data Controller.
Data Controller or Data Processor shall process and retain Personal Data for the shortest time necessary to fulfill the purposes set out in paragraph 3, and only for the time necessary to complete the retention as provided for by the GDPR. Both the processing and retention, however, are set for no more than 10 years from the term of the processing agreement entered into for service purposes, and for no more than 12 months from data collection for marketing purposes. After these retention periods, Personal Data will be blocked, destroyed or made anonymous in accordance with legal requirements.
6. Data access and international data migration
Personal Data may be accessed for the purposes referred to in paragraphs 3.A) and 3.B):
to employees or consultants of the Data Controller (if any) who are in charge of the processing under the direct authority and instructions of SanctisFundMe CUA;
to SanctisFundMe CUA’s partner companies, in the UK and abroad, in their capacity as data controllers and/or system administrators pursuant to art. 28 of the GDPR acting as Personal Data Processors on behalf of the Data Controller and having provided sufficient guarantees to put in place appropriate technical and organisational measures to ensure that the processing thereof complies with legal requirements;
to third parties or other parties, such as, without limitation, financial institutions, payment institutions or other financial intermediaries, firms, consultants, insurance carriers, which carry out activities on behalf of the Data Controller and act as independent data controllers with their own privacy policies, available to the data subject.
Without specific consent (art. 24 letters a), b), and d) Privacy Code and art. 6 letters b) and c) GDPR), the Data Controller may disclose Personal Data of the data subject for the purposes set forth in paragraph 3.A) to Supervisory Boards, Judicial Authorities, insurance companies for the provision of insurance services, as well as to whom the communication is compulsory by law for the fulfillment of said purposes. Said parties will process the data in their capacity as autonomous data controllers and the Personal Data of the data subject will not be disclosed.
Personal Data will be retained on servers located within the European Union. Should it become necessary, Data Controller will be entitled to move servers also to non-EU countries.
In such a case, Data Controller hereby ensures that the transfer of data to non-EU countries will take place only upon specific consent of each data subject, to countries that guarantee an adequate level of protection of Personal Data and only after entering into agreements containing standard clauses approved by the European Commission, which guarantee that the processing of Personal Data complies with legal principles and requirements set out in the GDPR.
Cookies are used on the Website. By using cookies, SanctisFundMe CUA can provide Website users with more user-friendly services that would not be possible without cookie setting. By means of a cookie, the information on the Website may be optimized as cookies enable the identification of Website users. The purpose of this identification is to make it easier for users to access the Website. The user, for example, is not obliged to enter the access data every time they visit the Website, since these data are already acquired by the Website through the cookies saved in the user’s IT system.
The data subject may at any time prevent the setting of cookies when accessing the Website by setting the corresponding Internet browser used, and can therefore permanently deny the setting of cookies. In addition, cookies that have already been set can be deleted at any time via an Internet browser or other software. This is possible with every common Internet browser. If the data subject disables cookie settings in the Internet browser used, not all functions of the Website may be fully available.
8. Rights of data subjects and how to apply
The data subject is entitled to the rights set forth in Article. 7 Privacy Code and Art. 15 GDPR and precisely the following:
i) obtain confirmation as to whether or not personal data concerning him/her exist, regardless of their being already recorded;
ii) obtain the indication: a) of the origin of Personal Data; b) of the purposes and methods of processing; c) of the logic applied in the case of processing with the aid of electronic tools; and d) of the identification details of the Data Controller, Data Processors and other persons in charge;
iii) obtain: a) the updating, correction or integration of data; b) the erasure, anonymization or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected; c) certification that the operations as per letters a) and b) have been notified, also with regard to their contents, to those whom the data were communicated or disseminated, unless this requirement proves impossible or involves a clearly disproportionate effort;
iv) object, in whole or in part: a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection; b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials by means of traditional marketing systems, or automated call without operator, by e-mail, telephone and/or mail
The data subject is also entitled to the rights under Articles 16-21 GDPR, namely the right to be forgotten, the right to restrict processing, the right to data portability, and the right to submit a complaint to the Data Protection Authority.
Lastly, if consent is required to the processing of personal data by the data subject, the latter may revoke the provision of the Personal Data already carried out.
The interested party may, at any time, apply his/her rights by sending a request via email to SanctisFundMe CUA at the address firstname.lastname@example.org.
9. Data Controller, data processor and person in charge.
Data controller is SanctisFundMe CUA, with registered office SanctisFundMe CUA, 3rd floor, 166 College Road Harrow, HA1 1BH, Middlesex.
In order to comply with the GDPR, SanctisFundMe CUA has been drafting a privacy organisational model, identifying roles and responsibilities in the processing of Personal Data, and identifying in particular, as internal privacy contact persons, the Persons in charge of the Organisational Units or Offices who, limited to the processing of data under their responsibility, are responsible for implementing the data protection model in compliance with legal requirements. Data Controller shall appoint in writing as Data Processors, pursuant to art. 30 of the Privacy Code, employees of the company functions or, if necessary, through the appointment of a suitable third party, for pursuing the above purposes and providing suitable instructions.
Personal Data may be processed by third parties the Company relies on for purposes of identification procedures, verification of the authenticity of identity documents, database access, or to perform payment services made available to customers. These persons will be independent Data Controllers or will be appointed as Data Processors.
The updated list of data processors and persons in charge of processing is kept at the registered office of the Data Controller.
This Disclosure may change; we recommend reviewing updates that will be notified time by time.
Last updated 15/06/2019