Privacy Policy 

H1 Finance S.r.l., in its capacity as data controller, informs you pursuant to Article 13 EU Regulation No. 2016/679 ("GDPR") that the data provided by users (the "Data Subject" or the "User") via the website https://www.h1card.com/ (the "Website"), regardless of the method and instrument used, will be processed in the following manner and for the following purposes.

  1. The Data Controller

The Data Controller is H1 Finance S.r.l., with registered office in Via Amilcare Ponchielli 51 - 24125, Bergamo (hereinafter, the "Data Controller").

The Data Controller provides the following e-mail address for any communication: privacy@h1card.com.

The Data Controller may designate one or more persons responsible for the processing of Personal Data pursuant to Article 28 of the GDPR, who, on behalf of the Data Controller, provide specific processing services or related, instrumental or support activities by adopting all those technical and organisational measures that are appropriate to protect the rights, freedoms and legitimate interests that are recognised by law to the Data Subjects.

  2. Description of the processing

The processing shall concern single operations, or a set of operations, of the following personal data provided by the Data Subject when using the services provided by the Data Controller, through the Website, as described in the following table (the "Personal Data" or the "Data"):

 

| Type | Purpose of processing | Legal basis | Retention period |
| --- | --- | --- | --- |
| Data identifying the Data Subject provided to create a "Customer Representative" or "User" profile: first name, last name, e-mail, telephone number. | Register the User’s account; allow the User to access the account and use the service. | Performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract (Article 6(1)(b) of the GDPR). | For the period of validity of the account. |
| | Fulfil obligations established by law, regulation, EU law or an order of the Authority. | Compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) of the GDPR). | For as long as required by law. In any case, for a maximum period of ten (10) years. |
| | Exercise the rights of the Data Controller, e.g. to exercise a right in court; to send communications related to the activity with reference to which the Data Subject has provided his/her Data; manage, improve and maintain the Website. | Legitimate interests pursued by the Data Controller (Article 6(1)(f) of the GDPR). | For the period of validity of the account. |
| Identification data required for KYC proceedings (natural person, executor, beneficial owner), including: name, surname, date and place of birth, tax code, profession, residential address, domicile address if different from residential address, identity document details, email address, certified email address. | Perform anti-money laundering verifications as required by law. | Compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) of the GDPR). | For as long as required by law. In any case, for a maximum period of ten (10) years. |
| Data concerning the political exposure of the data subject | Perform anti-money laundering verifications as required by law. | Compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) of the GDPR). | For as long as required by law. In any case, for a maximum period of ten (10) years. |
| Data from credit card transactions H1 | Process the payment made via the H1 credit card. | Performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract (Article 6(1)(b) of the GDPR). | For as long as required by law. In any case, for a maximum period of ten (10) years. |
| Data identifying the Data Subject in applications for open positions on the Website | Evaluate potential new employees; interviewing candidates. | Performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract (Article 6(1)(b) of the GDPR). | For six (6) months from reception of the application by the User. |
| | Fulfil obligations established by law, regulation, EU law or an order of the Authority. | Compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) of the GDPR). | For as long as required by law. In any case, for a maximum period of ten (10) years. |
| Data identifying the Data Subject provided to use the contact form: e-mail. | Responding to requests from Data Subjects, who may be contacted by e-mail or other communication systems, if provided by them. | Execution of pre-contractual measures taken at the request of the data subject (Article 6(1)(b) GDPR). | For as long as necessary to meet the Data Subject's requests or for the performance of services. In any case, these data may not be kept for a period of more than ten (10) years from the fulfillment of the requests received from the Interested Party. |
| Data voluntarily provided by the Data Subject via the contact form. | Responding to requests from Data Subjects, who may be contacted by e-mail or other communication systems, if provided by them. | Execution of pre-contractual measures taken at the request of the data subject (Article 6(1)(b) GDPR). | For as long as necessary to meet the Data Subject's requests or for the performance of services. In any case, these data may not be kept for a period of more than ten (10) years from the fulfillment of the requests received from the Interested Party. |
| Browsing data: IP addresses, addresses in URI/URL (Uniform Resource Identifier/Locator) notation of the resources requested, time of the request, method used in submitting the request to the server, size of the file obtained in response, numerical code indicating the status of the response given by the server (successful, error, etc.); other parameters relating to the operating system and the computer environment used by the data subject. | Obtain anonymous statistical information on the use of the Website and to check its correct functioning. | Legitimate interests pursued by the Data Controller (Article 6(1)(f) of the GDPR). | Browsing data will be kept for the time necessary to perform analysis activities and comparative statistical processing, not exceeding seven (7) days, except in the event of any need for verification by the competent authorities. |
| Cookies and other technologies for reading/storing information on the Data Subject's terminal device | Please refer to the 'Cookie Policy', available at the following link: https://www.h1card.com/cookie-policy | Please refer to the 'Cookie Policy', available at the following link: https://www.h1card.com/cookie-policy | Please refer to the 'Cookie Policy', available at the following link: https://www.h1card.com/cookie-policy |

Please note that, with reference to browsing data, the information collected, while not intended to be associated with identified individuals, by its nature, if associated with other Data held by third parties (e.g. internet service providers), could allow the identification of the Data Subjects (e.g. IP addresses, domain names of the PCs used, URL addresses of the resources requested, time of the request, numeric code relating to the status of the response given by the server).

  3. Processing modalities

The processing of Personal Data:

  1. is carried out by means of the operations indicated in Article 4, para. 1, no. 2 of the GDPR, namely: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure and destruction of Data;
  2. is also carried out with the aid of electronic or otherwise automated means;
  3. is also carried out through the use of electronic mail or other remote communication techniques.

  4. Transfer of Personal Data

The management and storage of the Data shall take place primarily in Europe, on servers of third-party companies duly appointed as data processors.

The Data Controller may provide access to the Website and the services therein also in other countries, in which case the transfer of Data to such countries is strictly limited to the actual need to be aware of it. The Data Controller will take the necessary measures to protect Users' Personal Data and prevent unauthorised access.

In the event that Personal Data is transferred to the systems used by the Data Controller and/or third-party companies entrusted and duly appointed as Data Processors even outside the European Union, the Data Controller guarantees the application of the European Commission's standard contractual clauses to ensure a secure international transfer of Personal Data, based on Articles 44, 45 and 46 of the GDPR.

In the event that such transfer takes place to countries that do not provide the same level of protection as provided by the GDPR or applicable legislation, or in any event an adequate level of protection for personal data, the Data Controller will ensure that each such recipient undertakes specific contractual obligations in accordance with applicable data protection legislation (including the signing of the Standard Contractual Clauses "SCC" approved by the European Commission). Alternatively, in the absence of an adequacy decision pursuant to Article 45(3) GDPR, or adequate safeguards pursuant to Article 46 GDPR, including binding corporate rules, the Data Controller will request, pursuant to Art. 49 GDPR, the possibility of transferring personal data to a third country after obtaining specific consent from the Data Subject. In any case, the User may request further information regarding the transfer of Personal Data by contacting the e-mail address privacy@h1card.com.

Security Measures

The Data Controller has adopted a variety of security measures to protect Data against the risk of loss, misuse or alteration, consistent with the measures expressed in Article 32 of the GDPR. Processing is carried out using IT and/or telematic tools, with organisational methods and logics strictly related to the purposes indicated.

  5. Consequences of non-disclosure of Personal Data

Without prejudice to the Data Subject's right to provide Personal Data to the Data Controller, the provision of Personal Data may be:

  1. compulsory in order to provide the services accessible through the Website and for purposes related to the fulfilment of obligations provided for by applicable laws and/or regulations, as well as by provisions issued by the competent authorities/supervisory and/or control bodies;
  2. optional with reference to data voluntarily provided by the Data Subject.

Should the Data Subject refuse to provide Personal Data to the Data Controller, this may make it impossible for the Data Controller to provide the requested services and make access to the Website available.

Furthermore, please consider that the revocation of one or more permissions and/or consents not given by the User may have consequences on the proper functioning and/or on the possibility to access and/or use the Website properly and/or provide the services by the Data Controller.

  6. Retention and deletion of Data

The retention period of the Personal Data is set out in the table in point 2 above.

At the end of the retention period the Personal Data will be deleted. Therefore, at the end of this period, the User will no longer be able to exercise the right to access, delete, rectify and the right to portability of Personal Data.

Personal Data will be stored by means of computerised archives, including portable devices, adopting appropriate measures to guarantee their security and to limit access to them exclusively to personnel authorised by the Data Controller and strictly for the purposes indicated above.

  7. Third Party Partners

In order to provide certain services, the Data Controller may use the services of third-party partners, who will process the User's Personal Data as independent data controllers, therefore we recommend that you read the personal data processing notices available below:

  • Treezor Sas: https://www.treezor.com/privacy-policy/.

  8. Who we may disclose Personal Data to

For the purposes set out above, Personal Data may be made accessible or communicated to:

  1. employees and contractors of the Data Controller, in their capacity as authorised processors, within the scope of their respective duties and in accordance with their instructions. These individuals are in any case subject to the obligations of confidentiality and privacy;
  2. to third parties performing outsourced activities on behalf of the Data Controller and whose activities are connected, instrumental or in support of those of the Data Controller (e.g. management software);
  3. to all those public and/or private entities, natural and/or legal persons (such as, by way of example, legal, administrative and tax consultancy firms, funds or funds, including private welfare and assistance funds, Judicial Offices, Chambers of Commerce), if the communication is necessary or functional to the proper fulfillment of the contractual obligations undertaken, as well as the obligations arising from the law;
  4. to all those entities (including Public Authorities) that have access to Personal Data by virtue of regulatory or administrative measures.

In any case, the Personal Data collected will not be disclosed.

  9. Rights of the Data Subject

The Data Subject may exercise the rights provided for by Chapter III of the GDPR within the limits and under the conditions provided therein:

  1. access to the Data (art. 15): the Data Subject has the right to obtain from the Data Controller confirmation as to whether or not Personal Data concerning him or her is being processed and, if so, to obtain access to the Personal Data in a commonly used electronic format and certain information on the processing (e.g. purposes, categories of Data processed, recipients, transfers outside the EU, implementation of profiling activities, etc.);
  2. rectification of the Data (art. 16): the Data Subject has the right to obtain the rectification of inaccurate Personal Data concerning him/her without undue delay and/or the integration of incomplete Personal Data, also by providing a supplementary declaration;
  3. erasure of Data or "right to be forgotten" (Art. 17): the Data Subject has the right to obtain from the Data Controller the erasure of Personal Data concerning him/her without undue delay and the Data Controller has the obligation to erase without undue delay the Personal Data;
  4. restriction of processing (Art. 18): the Data Subject has the right to obtain from the Data Controller the restriction of the processing;
  5. portability of the Data (Art. 20): the Data Subject has the right to receive in a structured, commonly used and machine-readable format the Personal Data concerning him/her that he/she has provided to a Data Controller and has the right to transmit such Data to another Data Controller without any hindrance from the Data Controller to whom he/she has provided them;
  6. objection to processing (Art. 21): the Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of Personal Data concerning him or her in accordance with Article 6(1)(e) or (f) of the GDPR, including profiling on the basis of these provisions.

  10. Procedures for exercising rights

The Data Subject may exercise his/her rights at any time by sending:

  1. an e-mail to the address privacy@h1card.com;
  2. a registered letter A/R to H1 Finance S.r.l., with registered office in Via Amilcare Ponchielli 51 - 24125, Bergamo.

The Data Controller undertakes to provide the Data Subject with information on the action taken in respect of a request to exercise rights without undue delay and, in any case, at the latest within a period of 30 (thirty) days from receipt of the request, which may be extended to 3 (three) months only in particularly complex cases.

Any rectification or cancellation or limitation of the processing carried out at the explicit request of the Data Subject shall be communicated by the Data Controller to each of the recipients to whom the Personal Data have been transmitted, unless this proves impossible or involves a disproportionate effort for the Data Controller. The Data Controller may inform the Data Subject of the contact details of the recipients if so requested.

  11. Right to complain

Data Subjects who believe that the processing of their Personal Data is in breach of the provisions of the GDPR have the right to lodge a complaint with the Italian Data Protection Authority: i) by e-mail, at garante@gpdp.it or urp@gpdp.it; ii) by fax at 06.696773785; or iii) by post at the registered office located in Rome (Italy), Piazza Venezia n. 11 - Cap 00187, or alternatively by recourse to the Judicial Authority.

  12. Managers and appointees

The updated list of data processors and persons in charge of processing is kept at the Data Controller's registered office.

  13. Amendments to this information notice

This information notice may be amended and/or updated at any time. If the Data Controller intends to process your Personal Data for purposes other than those indicated in this Privacy Policy, it undertakes to provide you, prior to such further processing, with adequate information regarding such different purposes and to carry out such further processing in compliance with the regulations in force, collecting the specific consent of the Data Subject when required.

Last update: November 2023