Privacy Policy
H1 Finance S.r.l., in its capacity as data controller, informs you pursuant to Article 13 EU Regulation No. 2016/679 ("GDPR") that the data provided by users (the "Data Subject" or the "User") via the website https://www.h1card.com/ (the "Website"), regardless of the method and instrument used, will be processed in the following manner and for the following purposes.
The Data Controller is H1 Finance S.r.l., with registered office in Via Amilcare Ponchielli 51 - 24125, Bergamo (hereinafter, the "Data Controller").
The Data Controller provides the following e-mail address for any communication: privacy@h1card.com.
The Data Controller may designate one or more persons responsible for the processing of Personal Data pursuant to Article 28 of the GDPR, who, on behalf of the Data Controller, provide specific processing services or related, instrumental or support activities by adopting all those technical and organisational measures that are appropriate to protect the rights, freedoms and legitimate interests that are recognised by law to the Data Subjects.
The processing shall concern single operations, or a set of operations, of the following personal data provided by the Data Subject when using the services provided by the Data Controller, through the Website, as described in the following table (the "Personal Data" or the "Data"):
| Type | Purpose of processing | Legal basis | Retention period |
| --- | --- | --- | --- |
| Data identifying the Data Subject provided to create a "Customer Representative" or "User" profile: first name, last name, e-mail, telephone number. | | Performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract (Article 6(1)(b) of the GDPR). | For the period of validity of the account. |
| | | Compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) of the GDPR). | For as long as required by law. In any case, for a maximum period of ten (10) years. |
| | | Legitimate interests pursued by the Data Controller (Article 6(1)(f) of the GDPR). | For the period of validity of the account. |
| Identification data required for KYC proceedings (natural person, executor, beneficial owner), including: name, surname, date and place of birth, tax code, profession, residential address, domicile address if different from residential address, identity document details, email address, certified email address. | | Compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) of the GDPR). | For as long as required by law. In any case, for a maximum period of ten (10) years. |
| Data concerning the political exposure of the data subject | | Compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) of the GDPR). | For as long as required by law. In any case, for a maximum period of ten (10) years. |
| Data from credit card transactions H1 | | Performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract (Article 6(1)(b) of the GDPR). | For as long as required by law. In any case, for a maximum period of ten (10) years. |
| Data identifying the Data Subject in applications for open positions on the Website | | Performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract (Article 6(1)(b) of the GDPR). | For six (6) months from reception of the application by the User. |
| | | Compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) of the GDPR). | For as long as required by law. In any case, for a maximum period of ten (10) years. |
| Data identifying the Data Subject provided to use the contact form: e-mail. | | Execution of pre-contractual measures taken at the request of the data subject (Article 6(1)(b) GDPR). | For as long as necessary to meet the Data Subject's requests or for the performance of services. In any case, these data may not be kept for a period of more than ten (10) years from the fulfillment of the requests received from the Interested Party. |
| Data voluntarily provided by the Data Subject via the contact form. | | Execution of pre-contractual measures taken at the request of the data subject (Article 6(1)(b) GDPR). | For as long as necessary to meet the Data Subject's requests or for the performance of services. In any case, these data may not be kept for a period of more than ten (10) years from the fulfillment of the requests received from the Interested Party. |
| Browsing data: | | Legitimate interests pursued by the Data Controller (Article 6(1)(f) of the GDPR). | Browsing data will be kept for the time necessary to perform analysis activities and comparative statistical processing, not exceeding seven (7) days, except in the event of any need for verification by the competent authorities. |
| Cookies and other technologies for reading/storing information on the Data Subject's terminal device | Please refer to the 'Cookie Policy', available at the following link: https://www.h1card.com/cookie-policy. | Please refer to the 'Cookie Policy', available at the following link: https://www.h1card.com/cookie-policy. | Please refer to the 'Cookie Policy', available at the following link: https://www.h1card.com/cookie-policy. |
Please note that, with reference to browsing data, the information collected, while not intended to be associated with identified individuals, by its nature, if associated with other Data held by third parties (e.g. internet service providers), could allow the identification of the Data Subjects (e.g. IP addresses, domain names of the PCs used, URL addresses of the resources requested, time of the request, numeric code relating to the status of the response given by the server).
The processing of Personal Data:
The management and storage of the Data shall take place primarily in Europe, on servers of third-party companies duly appointed as data processors.
The Data Controller may provide access to the Website and the services therein also in other countries, in which case the transfer of Data to such countries is strictly limited to the actual need to be aware of it. The Data Controller will take the necessary measures to protect Users' Personal Data and prevent unauthorised access.
In the event that Personal Data is transferred to the systems used by the Data Controller and/or third-party companies entrusted and duly appointed as Data Processors even outside the European Union, the Data Controller guarantees the application of the European Commission's standard contractual clauses to ensure a secure international transfer of Personal Data, based on Articles 44, 45 and 46 of the GDPR.
In the event that such transfer takes place to countries that do not provide the same level of protection as provided by the GDPR or applicable legislation, or in any event an adequate level of protection for personal data, the Data Controller will ensure that each such recipient undertakes specific contractual obligations in accordance with applicable data protection legislation (including the signing of the Standard Contractual Clauses "SCC" approved by the European Commission). Alternatively, in the absence of an adequacy decision pursuant to Article 45(3) GDPR, or adequate safeguards pursuant to Article 46 GDPR, including binding corporate rules, the Data Controller will request, pursuant to Art. 49 GDPR, the possibility of transferring personal data to a third country after obtaining specific consent from the Data Subject. In any case, the User may request further information regarding the transfer of Personal Data by contacting the e-mail address privacy@h1card.com.
Security Measures
The Data Controller has adopted a variety of security measures to protect Data against the risk of loss, misuse or alteration, consistent with the measures expressed in Article 32 of the GDPR. Processing is carried out using IT and/or telematic tools, with organisational methods and logics strictly related to the purposes indicated.
Without prejudice to the Data Subject's right to provide Personal Data to the Data Controller, the provision of Personal Data may be:
Should the Data Subject refuse to provide Personal Data to the Data Controller, this may make it impossible for the Data Controller to provide the requested services and make access to the Website available.
Furthermore, please consider that the revocation of one or more permissions and/or consents not given by the User may have consequences on the proper functioning and/or on the possibility to access and/or use the Website properly and/or provide the services by the Data Controller.
The retention period of the Personal Data is set out in the table in point 2 above.
At the end of the retention period the Personal Data will be deleted. Therefore, at the end of this period, the User will no longer be able to exercise the right to access, delete, rectify and the right to portability of Personal Data.
Personal Data will be stored by means of computerised archives, including portable devices, adopting appropriate measures to guarantee their security and to limit access to them exclusively to personnel authorised by the Data Controller and strictly for the purposes indicated above.
In order to provide certain services, the Data Controller may use the services of third-party partners, who will process the User's Personal Data as independent data controllers, therefore we recommend that you read the personal data processing notices available below:
For the purposes set out above, Personal Data may be made accessible or communicated to:
In any case, the Personal Data collected will not be disclosed.
The Data Subject may exercise the rights provided for by Chapter III of the GDPR within the limits and under the conditions provided therein:
The Data Subject may exercise his/her rights at any time by sending:
The Data Controller undertakes to provide the Data Subject with information on the action taken in respect of a request to exercise rights without undue delay and, in any case, at the latest within a period of 30 (thirty) days from receipt of the request, which may be extended to 3 (three) months only in particularly complex cases.
Any rectification or cancellation or limitation of the processing carried out at the explicit request of the Data Subject shall be communicated by the Data Controller to each of the recipients to whom the Personal Data have been transmitted, unless this proves impossible or involves a disproportionate effort for the Data Controller. The Data Controller may inform the Data Subject of the contact details of the recipients if so requested.
Data Subjects who believe that the processing of their Personal Data is in breach of the provisions of the GDPR have the right to lodge a complaint with the Italian Data Protection Authority: i) by e-mail, at garante@gpdp.it or urp@gpdp.it; ii) by fax at 06.696773785; or iii) by post at the registered office located in Rome (Italy), Piazza Venezia n. 11 - Cap 00187, or alternatively by recourse to the Judicial Authority.
The updated list of data processors and persons in charge of processing is kept at the Data Controller's registered office.
This information notice may be amended and/or updated at any time. If the Data Controller intends to process your Personal Data for purposes other than those indicated in this Privacy Policy, it undertakes to provide you, prior to such further processing, with adequate information regarding such different purposes and to carry out such further processing in compliance with the regulations in force, collecting the specific consent of the Data Subject when required.
Last update: November 2023