INFORMATION NOTE RELATIVE TO NATURAL PERSONS IN ACCORDANCE WITH ARTICLES 13 AND 14 OF REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL OF 27 APRIL 2016 - REGULATION ON THE “PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA”.

The Regulation on the “protection of natural persons with regard to the processing of personal data and on the free movement of such data” (hereinafter the “Regulation”) contains a series of rules aimed at guaranteeing that personal data processing is carried out with respect for people’s rights and fundamental freedoms.

This document also takes into account Recommendation no. 2/2001 that the European Authorities for the Protection of Personal Data have adopted to identify the minimum requisites for the collection of personal data on-line. The information note is issued solely for the website www.quaestiocapital.com and not also for other websites that the user may consult via links contained in the website.

Before you send personal data, we invite you to carefully read this information note (the “Information Note”) and the full text of the Regulation.

This Information Note is published by Quaestio Capital Management Società di Gestione del Risparmio S.p.A., and regards the manner in which the site is managed with regard to the processing of the personal data of the users who consult the site (hereinafter, for brevity, the “Subject” in reference to each user and the “Subjects” in reference to all users in general) according to and for the effects of the Regulation.

 

SECTION 1 - THE DATA CONTROLLER’S IDENTITY AND CONTACT DATA

The Data Controller is Quaestio Capital Management Società di Gestione del Risparmio S.p.A., or Quaestio Capital SGR S.p.A. in its abridged form, with registered office at Corso Como 15, Milan, Italy, telephone no. 02 36765200, fax no. 02 72016207 (hereinafter, for brevity, the “Controller”).

SECTION 2 - THE DATA PROTECTION OFFICER’S CONTACT DATA

The Controller has appointed a “Data Protection Officer” (or “DPO”) in compliance with the Regulation. For all matters relative to personal data processing and/or to exercise the rights provided under the Regulation and listed in Section 7 of this Information Note, the Subject/s can contact the DPO at the following addresses/numbers:
By telephone at the number 02 36765200;
By fax at the number 02 72016207;
By e-mail at dpo@quaestiocapital.com;
By ordinary post at Quaestio Capital SGR S.p.A., DPO, Corso Como 15, 20154 MILANO (MI).

SECTION 3 - PERSONAL DATA CATEGORIES AND SOURCES AND THE PURPOSES AND LEGAL BASIS OF THE PROCESSING

- Personal data categories: The personal data that the Controller processes include, for example, identity data (for example first name, surname, place and date of birth, tax identification number, home address), identification document details, bank account identification details (for example IBAN, ABI [Italian banking association number], CAB [bank routing code], and current account or administered deposit number), data relating to the family and to personal situations and data regarding the educational level and work of the Subjects, and for legal persons, the personal data of the legal representative/agent/effective owner (in accordance with Legislative Decree no. 231/2007 as subsequently amended) (the “Personal Data”).
The Controller, in the exercise of its activity, does not process “sensitive” data concerning the Subject/s (sensitive data are data that can reveal racial and ethnic origins, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, as well as personal data that can reveal state of health and sexual life), unless a certain transaction requested by a Subject involves the possible knowledge of sensitive data, regarding which the Subject will be requested to express specific additional consent.

- Sources, purposes and legal basis of the processing: Personal Data regarding the Subject/s communicated to the Controller directly by the Subject/s or via third parties (such as, for example, the subjects appointed to place/distribute products and/or services) or obtained from third parties (such as, for example, from agents, representatives, guardians, joint holders or public archives) and, in these latter cases, after verifying that such third parties comply with relative applicable laws, are processed by the Controller - or by the subjects indicated in the successive Section 4 - within the sphere of the activities performed by the Controller for the following purposes:

a) The performance of services and the fulfilment of agreements: the processing of the Subjects’ personal data to offer products and/or to perform requested services and to fulfil the relative agreements (including acts in the pre-contractual phase and the activities necessary to comply with specific requests of the Subject/s) and to carry out the activities connected with the closure of the aforesaid contractual agreements. The relative processing does not request the consent of the Subject/s, but should the Personal Data be denied the Controller will not be able to carry out what has been requested.

b) Compliance with the prescriptions of national and Community provisions: The processing of the Subjects’ personal data in order to comply with legal prescriptions is obligatory and does not require the Subjects’ consent. The processing is obligatory, for example, when prescribed by anti-money-laundering provisions (such as, for example, to comply with the obligations of adequate verification of the clientele and of identifying the effective holder, and of communicating the Subject’s data and/or those of the effective holder in accordance with the provisions of Legislative Decree 231/07 as subsequently amended), tax or anti-corruption provisions or provisions for the prevention of fraud in payment services or to comply with the instructions or requests of the Authorities and/or supervisory and control bodies (such as the monitoring of operating and credit risks at banking group level).

c) Marketing purposes: (A) the promotion and sale of the Controller’s products and/or services or, when authorised, those of other companies of the group to which the Controller belongs, involving the forwarding of material and/or communications of an informative/commercial/advertising nature by letter, telephone or automated communication systems, etc.; (B) to measure (i) the degree of customer satisfaction with the products and/or services offered or with the activities performed by the Controller, and/or (ii) the customers’ preferences also for the purpose of creating products and/or services for specific categories of customers, carried out by the development of studies, research or market surveys, also by means of personal or telephonic interviews, questionnaires, etc. The processing for these purposes is optional and the consent of the Subject/s is required. Therefore, the Subject/s are entitled to refuse their consent for the processing of the Personal Data for such purposes, without this involving prejudicial consequences for the contractual agreement in force with the Controller.

d) The Controller's legitimate interest in the processing: the personal data are processed to pursue a legitimate interest of the Controller, such as: (i) to prevent fraud and/or (ii) to pursue other legitimate interests. In the latter case the Controller may process the personal data of the Subject/s only after informing the latter and after ascertaining that the pursuit of said Controller’s legitimate interests or those of third parties does not compromise the Subjects’ rights and fundamental freedoms; their consent is not required.

SECTION 4 - CATEGORIES OF SUBJECTS TO WHICH THE PERSONAL DATA MAY BE COMMUNICATED

As a preliminary matter, the Subjects are informed of the fact that, for the more efficient management of the processing and of the functions inherent to the performance of the Controller’s institutional activity, the latter has adopted an organisational model according to which it has outsourced certain activities, processes and functions to other companies, which may or may not belong to the same group to which the Controller belongs.

To pursue the purposes indicated in Section 3, also in consideration of the aforesaid outsourcing of certain processes, functions and activities, the Controller may have to communicate the personal data of the Subject/s to third parties belonging to the following categories:

(a) Companies of the group to which the Controller belongs. We inform you that the Controller may communicate information relating to the transactions carried out by the Subject/s, if they are deemed “suspect” as contemplated by the laws on anti-money-laundering and terrorism (Legislative Decree 231/07 as subsequently amended) to other banking and insurance intermediaries belonging to its own group;

(b) public entities, Authorities and supervisory bodies, judicial authorities and, in general, public or private subjects with duties of public importance (for example, the Bank of Italy, Consob [the Italian securities and exchange authority], CSSF [the Luxembourg securities and exchange authority] and the Revenue Agency);

(c) third parties (such as, for example, firms and self-employed professionals) operating both in and outside the European Union, such as:
- bank, financial and insurance intermediaries, including the subjects which, on various grounds, intervene in the processes of the production, administration, distribution and control of the products and/or services offered by the Controller, in order to execute the instructions of the Subject/s and to settle the fees contemplated by the agreements stipulated with the latter;
- subjects that provide services for the management of the Controller’s information system and telecommunications networks (including e-mail) and administrative services;
- subjects that perform duties of a technical or organisational nature for the Controller;
- subjects that perform transmission, envelope-filling, transport and sorting activities for communications with the clientele;
- subjects that perform activities for the filing of the documentation relative to agreements stipulated with the clientele;
- subjects that perform assistance activities in favour of the clientele (such as, for example, call centres and help desks);
- professionals or firms involved within the sphere of assistance and consultancy agreements or agreements for the supply of other services provided by the Controller;
- subjects that provide for the audit, review and certification of the activities carried out by the Controller;
- companies or banks that provide deposit services and centralised deposit bodies (the Bank of Italy, Monte Titoli, etc.) or authorised depositories.

The above-mentioned recipients may operate in the capacity of separate holders, co-holders and appointed subjects that process the data under the Controller’s or the data processing manager's authority (such as persons employed by the Controller to carry out the duties assigned to them) and may process the data that they receive for the same above-indicated purposes.

The up-dated list of such subjects is available on request from the Controller’s registered office.

SECTION 5 – THE PLACE OF THE PROCESSING AND TRANSFER OF THE PERSONAL DATA TO A THIRD COUNTRY OR TO AN INTERNATIONAL ORGANISATION OUTSIDE THE EUROPEAN UNION.

The personal data will be processed by the Controller in Italy and in Luxembourg. With regard to the technical infrastructures adopted or the organisation of the subjects to which the personal data may be communicated in accordance with the preceding article, the processing could also be carried out in other European Union countries or outside the European Union, but only in countries that guarantee an adequate level of protection. At any moment, the Subject/s may deny their consent to the transfer of their data outside the European Union, however they will be warned of the total or partial impossibility of providing the service requested.

SECTION 6 - PROCESSING METHODS AND THE PERIOD FOR WHICH THE PERSONAL DATA ARE KEPT

The personal data of the Subject/s are processed by means of manual, electronic and digital tools, according to logics strictly linked to the purposes of the processing and, in any case, in a manner that guarantees the security and confidentiality of the data. In compliance with the regulatory provisions issued by Consob, the instructions and/or orders that are issued by telephone or forwarded electronically by the Subject/s are recorded on magnetic media or equivalent devices and kept for at least five years. All the data collected will be processed for the above-indicated purposes in compliance with the prescriptions of the Regulation and, in particular, in a legal,correct and transparent manner which is also adequate and pertinent, only as far as necessary for the purposes for which they are processed, subject to technical and organisational security measures, and only by technical personnel of the service appointed to carry out the processing. No data deriving from the web service will be communicated or circulated. The personal data supplied by users who forward requests to receive informative material will be used only to perform the requested service or performance and will be communicated to third parties only if this is necessary for that purpose.
The personal data of the Subject/s are kept no longer than necessary for achieving the purposes for which they are processed (the legal limits to such periods always holding firm).
With reference to the data collected for the “Performance of services and the fulfilment of agreements”, the documents and the digital information will be kept for at least 10 (ten) years.The personal data collected for “Compliance with the prescriptions of national and Community provisions” is a “Legitimate interest of the Data Controller” are kept in the management systems, for example, for 5 (five) years from the conclusion of an agreement and for 10 (ten) years from the last relative entry in the accounting systems).
The personal data processed for “Marketing purposes” will be kept for no more than 24 (twenty-four) months from the conferment of the data, on conclusion of which term the Controller could request the Subject/s to renew their consent to the processing.

SECTION 7 - THE RIGHTS OF THE SUBJECT/S

The Subject/s may exercise towards the Controller the rights, which are listed below, provided under Articles 15 - 22 of the Regulation and Art. 7 of the Personal Data Protection Code; the Subject/s can exercise said rights at any moment, by sending a specific written request to the DPO using the contact data given in Section 2 of this Information Note, or, in the case referred to under point 8 of this Section, to the Personal Data Protection Authority.

In the same manner, the Subject/s can at any moment revoke the consent expressed in relation to the purposes referred to in this Information Note, without this prejudicing the legitimacy of the processing based on consent issued before the revocation.

• 1. Right of access
The Subject/s has/have the right to obtain from the Controller confirmation that the processing of their personal data is or is not in progress and, if it is in progress, to obtain access to the personal data and to the information contemplated by Art. 15 of the Regulation, including, for example, the purposes of the processing and the categories of the personal data processed, and confirmation of the existence or non-existence of an automated decision-making process, including the circulation of the data and, at least in such cases, meaningful information on the logics.
If the personal data are transferred to a third country or an international organisation, the Subject/s - in accordance with Article 46 of the Regulation - has/have the right to be informed of the existence of adequate guarantees relative to the transfer.
If requested, the Controller may send the Subject/s a copy of the personal data that are processed. For further copies, the Controller may request a contribution to the expense reasonably based on the administrative costs. If the request in question is presented by digital means, and unless other indications are given, the Company will transmit the information to the Subject/s in a commonly used digital format. It remains understood that the right to obtain such a copy must not harm the rights and freedoms of other subjects.

• 2. Right to rectification
The Subject/s has/have the right to obtain from the Controller the rectification of their personal data that are found to be incorrect and also, taking into account the purposes of the processing, for additions to be made to the same if they are found to be incomplete, for which they must submit an additional declaration.

• 3. Cancellation right
The Subject/s has/have the right to obtain from the Controller the cancellation of their personal data in the case of any one of the reasons contemplated by Art. 17 of the Regulation, for example, if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed or if the consent on which the personal data processing was based has been revoked by the Subject/s and there are no other legal grounds for the processing.

The Controller may not cancel the personal data of the Subject/s if their processing is necessary, for example, to comply with a legal obligation, for reasons of public interest or to prove, exercise or defend a right before a court of law.

• 4. The right to limited processing
The Subject/s may obtain a limitation to the processing of their personal data in any one of the cases contemplated by Art. 18 of the Regulation. In each of the cases contemplated by said provision, the personal data may be processed solely for their conservation, unless the Subject/s has/have given their consent, or if the processing is necessary to exercise or defend a right of the Subject/s before a court of law, or to protect the rights of another natural or legal person or for reasons of relevant public interest of the European Union or a Member State.

5. Data portability right
If the processing of the personal data of the Subject/s is based on consent or is necessary for the fulfilment of an agreement or for pre-contractual measures and is carried out by automated means, the Subject/s can:
- request to receive the personal data that they have provided in a commonly used structured format which can be read by automatic devices (for example, by a computer and/or a tablet);
- transmit the personal data received to another data controller without impediment on the part of the Controller.

The Subject/s may also request their personal data to be transmitted by the Controller directly to another data controller indicated by said Subject/s, if this is technically feasible for the Controller. In such a case, the Subject/s must precisely communicate to the Controller all the details of the new controller to which they wish their personal data to be transferred, giving specific written authorisation for the transmission.

6. Right of opposition
The Subject/s has/have the right to oppose the processing of their personal data at any moment if the processing is carried out for an activity of public interest or for the pursuit of a legitimate interest of the Controller (including profiling).
If the Subject/s decide to exercise the right of opposition described herein, the Controller shall abstain from any further processing of the personal data, unless there are legitimate reasons for proceeding with the processing (reasons that prevail of the interests, rights and freedoms of the Subject/s), or unless the processing is necessary to prove, exercise or defend a right before a court of law.

7. Automated decision-making process relative to natural persons, including profiling
If the Controller adopts decisions based solely on automated processing, said Controller must inform the Subject/s that under the Regulation they must not be subjected to such a decision based solely on the automated processing of the personal data, including profiling, if said decision produces legal effects that regard said Subject/s or has a significant influence on the same, unless said decision:
a) is necessary for the conclusion of an agreement between the Subject/s and the Controller;
b) is authorised by Italian or European law;
c) is based on the explicit consent of the Subject/s
In the cases under letters a) and c), the Controller will implement appropriate measures to protect the rights of the Subject/s and their freedoms and legitimate interests, and the Subject/s can exercise the right to obtain human intervention on the part of the Controller, to express their opinion, and to oppose the decision.

8. The right to complain to the Personal Data Protection Authority
Without prejudice to the right of the Subject/s to apply to any administrative or law court, should they maintain that the Controller has processed their personal data in breach of the Regulation and/or the applicable laws, said Subject/s may file a complaint to the competent Personal Data Protection Authority, at the following addresses/numbers: Piazza di Montecitorio no. 121 00186 ROME Fax: (+39) 06.69677.3785 Telephone switchboard: (+39) 06.696771 e-mail: garante@gpdp.it.