PRIVACY NOTICE REGARDING WEBSITE BROWSING

Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (hereinafter referred to as the “Regulation” or “GDPR”), with regard to the processing of your personal data, the undersigned insurance intermediaries, in consideration of the internal agreement pursuant to Article 26 of the aforementioned Regulation (hereinafter also referred to as “Joint Controllers” for brevity), whose identities and contact details are provided below, hereby inform you of the following.

1. Identity and contact details of the Joint Controllers
   The Joint Controllers of the data processing pursuant to Articles 4, no. 7, and 26 of the Regulation are the insurance intermediaries:

• PARODI E TIGANI SRL, registered office and operational headquarters: Via Antonio Cecchi 15/5, 16129 Genoa, Italy, VAT no. 01683940991, Tel: +39 010 8970200, Fax: +39 010 463174, Email: privacy@parodietigani.it, Certified Email (PEC): pec@pec.parodietigani.it; and
• P&T INSURANCE BROKER SRL, operational headquarters: Via Antonio Cecchi 15/5, 16129 Genoa, Italy, registered office: Via Giacomo Buranello 14/22, 16149 Genoa, Italy, VAT no. 02241140991, Tel: +39 010 8933123, Fax: +39 010 8935637, Email: info@ptbroker.it, Certified Email (PEC): ptinsurancebroker@pec.it.

You may contact the Joint Controllers by writing to the addresses indicated above or by sending an email to the aforementioned email addresses.

1. Processing of personal data for purposes related to insurance distribution activities or related to insurance assistance and consultancy activities.
   The personal data that you directly provide or that are otherwise collected by the undersigned Joint Controllers will be processed exclusively for purposes connected with insurance distribution activities or related to insurance assistance and consultancy activities, as well as for the creation of specific databases exclusively owned by the undersigned Joint Controllers, functional to the insurance distribution and consultancy activities carried out by the intermediaries (for example, presenting and/or illustrating the contents of insurance contracts; assessing your insurance needs and requirements to identify a proposal that meets them; supporting and guiding you in selecting and signing a contract suitable and/or appropriate to your risk profile; providing you with information useful for making informed decisions and managing the contractual relationship; preparing any personalized recommendations regarding insurance products; etc.).
   Moreover, the undersigned will process the personal data provided by you, or already held by them, to manage claims related to the exercise of insurance distribution activities.
   The legal basis for the processing for these purposes is Article 6(1)(b) of the GDPR (“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”).

   All data provided by the data subject are therefore processed solely for activities connected with the Joint Controllers’ operations, in particular for the registration of personal data in computer databases (DB) and databases owned (or used) by the undersigned, for the management of collections and payments, and to comply with obligations established by law and by regulations issued by Supervisory Authorities (e.g., sending communications and information regarding complaints management under ISVAP Regulation No. 24 of 19 May 2008, as amended).
   The legal basis for the processing for the aforementioned purposes is Article 6(1)(c) of the GDPR (“processing is necessary for compliance with a legal obligation to which the controller is subject”).

   Your personal data will be processed independently by the undersigned intermediaries, irrespective of mandates undertaken or forms of collaboration adopted or to be adopted with other intermediaries in the exercise of their activities, pursuant to and for the purposes of Article 22(10) of Legislative Decree No. 179 of 18 October 2012, as converted with amendments by Law No. 221 of 17 December 2012.
   Therefore, in the event of termination of a mandate by the Joint Controllers or of collaboration with another intermediary, you expressly authorize the Joint Controllers to continue processing and retaining all of your informational assets, including data relating to insurance contracts previously concluded (in paper and digital format), as such data form part of databases (DB) and data banks owned by the undersigned intermediaries.

   For the purposes of such processing, the Joint Controllers may become aware of data falling within the special categories of personal data referred to in Article 9 of the Regulation (e.g., health data) and personal data relating to criminal convictions and offences referred to in Article 10, within the limits of authorizations provided by law or regulations.
   The legal basis for the processing of special categories of personal data that you provide is your explicit consent pursuant to Article 9(2)(a) of the GDPR (“the data subject has given explicit consent to the processing of those personal data for one or more specified purposes”).
   The processing of personal data relating to criminal convictions and offences pursuant to Article 10 of the GDPR is permitted within the limits and conditions provided for by law or regulations (specifically, in the cases referred to in Article 2-octies of Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2018).

   Processing of personal data for promotional and marketing purposes.
   Your personal data may also be processed by the undersigned Joint Controllers, should you give your specific consent pursuant to Article 7 of the GDPR, for promotional and marketing purposes; in particular, your personal data may be used for information and commercial promotion of insurance products and services, as well as for surveys on your satisfaction with products and services already received, and for market research, using both traditional methods (e.g., postal mail and/or calls with an operator) and electronic communication tools such as email, fax, SMS, MMS, apps, or through other platforms such as social networks (e.g., Facebook, Twitter, LinkedIn, WhatsApp) or messaging platforms (e.g., WhatsApp).
   The legal basis for the processing for the purposes referred to in Section 2, letter c) of this notice is the consent of the data subject pursuant to Article 6(1)(a) of the GDPR (“the data subject has given consent to the processing of his or her personal data for one or more specific purposes”).

   Please note that the consent you provide for receiving commercial and promotional communications via automated means or means considered equivalent under Article 130, paragraphs 1 and 2, of Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2018 (such as emails, faxes, SMS, MMS, etc.) also extends to traditional contact methods, such as postal mail and/or operator-assisted phone calls.

   Processing of personal data for communication to third parties for marketing purposes.
   Should you give your specific consent pursuant to Article 7 of the GDPR, your data may also be processed for communication to third parties operating in the telecommunications, banking, financial, insurance, and IT (Information Technology) sectors, for direct marketing and sales activities, who will process them for their own promotional and marketing purposes, using both traditional means (e.g., postal mail and/or calls with an operator) and electronic communication tools such as email, fax, SMS, and MMS.
   The legal basis for the processing for the purposes referred to in Section 2, letter d) of this notice is the consent of the data subject pursuant to Article 6(1)(a) of the GDPR.

   Data processing methods.
   The processing of your personal data may be carried out using electronic or otherwise automated means (including recording telephone conversations or communications in distance selling), in particular through databases (DB) and data banks owned (or used) by the undersigned, with procedures and methods strictly necessary for the pursuit of the purposes described above.
   By signing this document, you also authorize the Joint Controllers to retain and/or digitally archive the insurance contracts intermediated.
   For relevant communications, data necessary for distance communications (by way of example: email, fax, SMS, MMS, apps, Facebook, Twitter, LinkedIn, WhatsApp, etc.) will also be used.
   The processing will be carried out using systems designed to store, manage, and transmit such data, based on the information in our possession and with your commitment to promptly communicate any corrections, integrations, and/or updates.

The processing of personal data provided by you will be carried out by individuals expressly and specifically appointed by the Joint Controllers, operating either at their headquarters (registered office and/or operational headquarters) or – where applicable – at peripheral offices and/or other facilities (branch offices, sub-agencies, remote offices, etc.).
These individuals, who are part of the insurance sector or related sectors with purely organizational functions, will process your data in accordance with the instructions received from the Joint Controllers, either as data processors (pursuant to Article 28 of the GDPR) or as persons authorized to process data (pursuant to Article 29 of the GDPR) or as expressly designated data processors; this includes employees or collaborators assigned to the intermediaries’ structures, exclusively within the scope of their assigned functions and strictly for the specific purposes indicated in this privacy notice.
Your data may – to comply with obligations arising from primary and secondary legislation and/or contractual obligations – be communicated to other insurance intermediaries with whom the undersigned Joint Controllers have established or will establish horizontal collaboration agreements (pursuant to Article 22, paragraph 10 of Legislative Decree No. 179 of 18 October 2012, converted with amendments by Law No. 221 of 17 December 2012).
The data provided may also be processed by the Joint Controllers or communicated to third parties where such processing is functional to legal and contractual obligations, such as other entities in the insurance sector including insurers, co-insurers, reinsurers, agents, sub-agents, agency producers, insurance brokers (e.g., banks and securities brokerage firms); lawyers, claims adjusters, and repair shops; service companies responsible for claims management, settlement and payment, as well as IT, storage, or other technical/organizational service companies.
Your data may also be communicated to companies or professionals where data communication is required by law (e.g., Central Accident Database, Department of Motor Vehicles).
Furthermore, subject to your specific consent pursuant to Article 7 of the GDPR, your data may also be communicated to entities operating in the telecommunications, banking, financial, insurance, and IT sectors, within the scope of direct sales of goods and services, who will process your data for their own promotional and marketing purposes as indicated in Section 2, letter c) of this notice.
Your personal data will not be subject to dissemination.

No personal data will be transferred to a third country outside the European Union or to international organizations.

Personal data will be stored in compliance with Article 5(1)(e) of the GDPR, in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Personal data will be retained according to the following criteria:

• For the time strictly necessary to achieve the “purposes related to insurance distribution activities” and “purposes related to insurance assistance and consultancy activities” for which they are processed;
• For the time strictly necessary to comply with the retention obligations under civil, accounting, fiscal, and regulatory laws (generally, 10 years from the termination of the contractual relationship with the data subject);
• For promotional and marketing purposes, until the data subject revokes their consent and in any case no later than 24 months from the termination of the contractual relationship.

At the end of the retention period, the data you provided will be deleted or anonymized.

Pursuant to Articles 15 et seq. of the GDPR, the data subject has the right to request from each Joint Controller:

• Access to their personal data;
• Rectification or erasure of such data or restriction of processing concerning the data subject;
• Objection to the processing;
• Data portability under Article 20 of the GDPR;
• Where processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR, the withdrawal of consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

We inform you that the data subject’s right to object to the processing of their personal data for direct marketing purposes under Article 21 of the GDPR extends to both automated and traditional contact methods.
However, the data subject may exercise this right in part (e.g., objecting only to promotional communications sent via automated tools).
To exercise the above rights, the data subject may contact the Joint Controllers at the addresses indicated in Section 1 of this notice.

Without prejudice to any other administrative or judicial remedy, the data subject who believes that the processing of their personal data violates the GDPR has the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work, or place of the alleged violation pursuant to Article 77 of the GDPR (the Italian supervisory authority is the Garante per la protezione dei dati personali).

The communication of your personal data and the consequent processing by the undersigned is necessary for the establishment, continuation, and proper management of the contractual relationship; therefore, such communication must be considered mandatory based on law, regulation, European regulation, or provisions issued by legally authorized authorities and supervisory and control bodies (e.g., Central Accident Database, Department of Motor Vehicles, IVASS).
The communication of your personal data may also be strictly necessary for the conclusion of new relationships or for the management and execution of existing legal relationships or claims management.
Refusal to provide the requested personal data may result in the undersigned being unable to establish, conclude, or manage the contractual relationship and thus the inability to enter into or execute insurance contracts or manage claims.

In case of processing for promotional and marketing purposes as indicated in Section 2, letter b), and communication to third parties for promotional and marketing purposes as indicated in Section 2, letter c), your possible refusal will only prevent the performance of information and promotional activities regarding insurance products by the undersigned or the communication of your data for promotional purposes to third parties in the mentioned sectors.

Pursuant to Article 13(2)(f) of the GDPR, we inform you that the personal data collected will not be subject to any automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR.

Should the Joint Controllers intend to process personal data for a purpose other than that for which they were collected, they will provide the data subject with information regarding the new purpose and any other relevant information pursuant to Article 13(2) of the GDPR prior to such further processing.