In its capacity as Data Controller, Assicurazioni Generali S.p.A. is entitled to process the personal data of its stakeholders (customers, employees, shareholders, suppliers, trustees, internet users etc.) in the ordinary management of existing relations and to acquire consent if necessary. Data processing for commercial purposes is carried out only if specifically authorised by Data Subjects.
Only personal data that are strictly necessary are processed both on paper and with the help of electronic instruments; some data may be essential and their lack may prevent the management of existing relations. Such data are processed by our collaborators in their capacity as Data Processors or Persons in charge of the processing; for some kinds of services we also avail ourselves of outsourcers which carry out technical, organisational and operational tasks on our behalf in Italy or abroad. Personal data are not subject to dissemination unless specifically provided for by the law.
All Data Subjects can exercise their rights of access and know what personal data are held by us, their origins and how they are used. They shall also be entitled to call for the data to be updated, rectified, supplemented or deleted, ask for them to be blocked or object to their processing, and require further information on the processing of personal data by contacting the Data Processor under Section 7: Privacy, Via Marocchesa, 14 31021 Mogliano Veneto (TV) Italy, email@example.com.
Assicurazioni Generali S.p.A., acting as Data Controller, attaches utmost importance to confidentiality, protection and safety of information, particularly personal data concerning their customers and people who get in touch with the Company.
This section outlines the methods used to administer this site with regard to the processing of users’ personal data. Pursuant to Art. 13 of Legislative Decree 196/2003 (Personal Data Protection Code), this information is also provided to subjects interacting with the services provided over the Internet by Assicurazioni Generali (Data Controller).
For this reason, Net surfers are invited to preliminarily visit the other sections hereto attached, which give an overview of Company guidelines on protection of personal data. Please consult the information note clicking on the present LINK to achieve all the information required by article 13 of Legislative Decree no. 196/2003 (Personal Data Protection Code) concerning the processing of the internet users’ personal data.
Information is provided for and applies to Assicurazioni Generali Web sites only. It is not applicable to any other Web site linked to the Generali site.
Surfers are required to provide personal data only if they want to get in contact with us or ask for advice. In such cases – totally voluntary – Surfers are required to read the Information as established by the Law and to provide only data strictly necessary to handle their requests.
Surfers browsing our Web site are not required to provide any personal data. However, as the technology used by our Company stores data concerning tools employed by users, which help track the latter.
We are pleased to provide useful information on the methods of active and passive collection of information concerning subjects/means interacting with this Web site, as well as on the security measures taken by the Company.
While surfing a web site, it is technically possible to collect data even without a user’s explicit registration to the service or without his active role. This type of collection is called “passive data collection”.
The use of IP addresses, cookies and other session identifiers, Internet tags, and surfing data, including the possibility to exclude them and their implications, are shown below.
As regards the passive data collection:
- the web site does not use IP address (Internet Protocol Addresses) to collect information. However, IP addresses are stored as surfing data;
- it uses surfing data as aggregate data for statistical purposes only;
- it does not use Internet tags.
As regards the active data collection – if previewed – it is worth the following policy:
- E-Mail: Data received by e-mails sent to the Web site are used to reply tequests only. This data are stored for statistical purposes only and to check whether there are any precedents.
Names may be included in specific Mailing List only if expressly requested by Surfers wishing to receive certain documents (press releases, financial statements, etc.) on a periodical basis.
- Registration: To access a number of services, Surfers are required to fill in a specific form. This information is used to reply to the sender’s request and to provide requested services only.
- Forums: specific conduct rules will be set out. Data will not be used for any other purpose.
Assicurazioni Generali process personal data concerning third parties – insured people, injured parties, real and potential customers, collaborators, etc. Assicurazioni Generali have always taken all necessary steps to guarantee data confidentiality and security, in line with new technological developments, particularly in the field of computer technology.
- The Data Controller is the Company, which has appointed Maurizio Basso as the person in charge of the implementation of privacy legislation at corporate level;
- Privacy Department has been appointed “Department responsible for replying to data subjects in the event they exercise the rights under Art. 7” , with privacy interface functions from and to outside. Data subjects may apply to the Privacy Department to exercise their rights of access and obtain any further information on privacy;
- Privacy Data Processors have been appointed to guarantee compliance with privacy legislation and the instructions given to the whole legislation;
- Those who process personal data are referred to as “Persons in charge of the processing”. They have been provided with specific instructions and benefit from an ongoing training programme;
- Due to specific technical and organisational requirements, the Company avails itself of third parties who are responsible for parts of the process. They may act in their capacity as “Persons in charge of the processing”, or “Data Processors” of the Company, or operate autonomously as “Data Controllers” of subsequent processing having the same purposes as the Company.
The Company can only access personal information as is strictly necessary to perform specific services or for the purposes for which such information has been collected by providing the specific Information (i.e.: on contracts for Non-life business and for Life business). Particular importance is attached to sensitive data, which are processed only after having ascertained that processing of such data in anonymous form on a case by case basis is not possible.
The Company shall process all personal information by taking all necessary physical and IT security measures, in accordance with the arrangements laid down in the Privacy Code and in the technical specifications thereto attached.
At the end of the processing, the Company shall store processed data and, if such obligation does not exist or if such term has elapsed, shall erase or anonymize the data.
Data subjects may apply to the structure Privacy for any information on personal data, namely:
- to obtain confirmation as to whether or not personal data concerning him/her exist and communication of such data in intelligible form;
- to be informed of the source of the personal data, of the purposes and methods of the processing and of the logic applied to the processing if the latter is carried out thanks to electronic means;
- to obtain a list of the entities or categories of entity to whom or which the personal data may be communicated and who may get to know said data in their capacity as data processor(s) or person(s) in charge of the processing (see for example the list of the entities to whom or which the personal data may be communicated for purposes related to the provision of insurance services);
- to require the updating or rectification of the processed data, and erasure, anonymization or blocking of data that has been processed unlawfully;
- to object, in whole or in part, to the processing of personal data concerning him/her on legitimate grounds or for commercial purposes.
Data Controller: ASSICURAZIONI GENERALI S.p.A.
Data Controller representative for privacy purposes: Maurizio BASSO.
Data Processor in the event that Data subjects exercise their rights under Art. 7 of Legislative Decree no. 196/2003: Privacy, Via Marocchesa, 14 31021 Mogliano Veneto (TV) Italy, firstname.lastname@example.org.
Internal Data Processors
Area of Responsibility: Regional Office EMEA
Area of Responsibility: Group Compliance
Area of Responsibility: Group Communications & Public Affairs
Area of Responsibility: Group Legal Affairs
Area of Responsibility: Group Special Situations
Area of Responsibility: Corporate Affairs
Area of Responsibility: Group CIO HR Business Partner
Area of Responsibility: Group Life Underwriting Risks
Area of Responsibility: Group HR Governance & PMO
Area of Responsibility: Group Mergers & Acquisitions
Area of Responsibility: P&C Corporate
Area of Responsibility: Group Chief Marketing & Customer Officer
Gerardo DI FILIPPO
Area of Responsibility: Group Risk Capital Calculation, Process and Reporting
Anna DORO TEMPESTINI
Area of Responsibility: Group Regulatory Intelligence
Area of Responsibility: Group Operational and IT Risk
Area of Responsibility: Connected Insurance Products
Area of Responsibility: Group Chief Information & Digital Officer
Area of Responsibility: Investor & Rating Agency Relations
Mario HUGUENEY RICCO’
Area of Responsibility: Global Claims & Insurance Operational Guidelines
Area of Responsibility: Group Audit
Area of Responsibility: Group Reward and Institutional HR Processes
Area of Responsibility: Group Corporate Finance
Anna Chiara LUCCHINI
Area of Responsibility: Leadership Development & Group Academy
Josè-Alberto MACIÁN VILLANUEVA
Area of Responsibility: Global P&C Retail
Juan Josè MAILLO VILLA
Area of responsibility: European Works Council Relations
Area of Responsibility: General Manager Support Unit
Roberto MARTIN REGUERA
Area of Responsibility: Group Risk Internal Model Validation
Area of Responsibility: Group Investments General Counsel
Area of Responsibility: Global HR Operations & GBL HR Business Partner
Area of Responsibility: Group Strategic Planning, Control & Integrated Reporting
Gian Paolo MELONCELLI
Area of Responsibility: Group Strategy & Business Transformation Accelerator
Area of Responsibility: Head Office HR Business Partner
Area of Responsibility: Insurance Effectiveness
Area of Responsibility: Global Life
Area of Responsibility: Group Financial & Credit Risks
Area of Responsibility: Group Supervisory Affairs and Group entities Corporate Matters
Area of Responsibility: Global Corporate & Commercial
Area of Responsibility: Group Enterprise Risk Management
Area of Responsibility: Group Non-Life Underwriting Risks
Area of Responsibility: Group Organization & Change Management
Area of Responsibility: Group Private Equity
Area of Responsibility: Group Corporate Security
Area of Responsibility: Global Accident & Health
Area of Responsibility: Group Chief Reinsurance Officer
Els VAN DE WATER
Area of Responsibility: Group Control Functions HR Business Partner
Area of Responsibility: Group Internal Regulations and Functional Governance
Area of Responsibility: Group Alternative Fixed Income
External Data Processors
Accenture S.p.A., based in Milan at 17, Via M. Quadrio
Data processing type: Support to the IT management
APS Advanced People Strategies Ltd., based in Mulberry House, Lamport Drive, Daventry, Northamptonshire NN11 8YH, UK.Data processing Type: Empolyee assessment
Banca Generali S.p.A., based in Trieste at 4, Via Machiavelli
Data processing type: Employees securities management
Centro Processi Assicurativi S.r.l., based in Milan at 11, Via Santa Radegonda
Data processing type: Adminstrative activities concerning claims settlement on Group health insurance policies covered by the contract between this Company and the data processor Generali Business Solutions S.C.p.A., a Generali Group company
Comdata S.p.A., based in Milan at 33, Via A. Kuliscioff.
Data Processing type: Customers’ requests management services, from Home Insurance channel.
Computer Share S.p.A., based in Milan at 19, Via Mascheroni
Data processing type: Full tech meeting management
Data Reply s.r.l., based in Torino, at 110, Corso Francia.
Data Processing Type: Analitics platform services.
Deloitte Consulting s.r.l., based in Milan at 25, via Tortona. Data Processing Type: Cloud Computing services management
Deloitte XBS s.r.l., based in Milan at 25, via Tortona. Data Processing Type: Cloud Computing services management
Europ Assistance Italia S.p.A., based in Milan at 8, piazza Trento.Data Processing Type: Claims management assistance class
Generali Business Solutions S.C.p.A., based in Trieste at 4, Via Machiavelli. Data processing type: staff administration, purchase management, general archives management, mail and forwarding management, financial accounting – technical – administrative and financial statement management, cash-flow management; Human Resources; Tax Consulting; Legal Affairs; Corporate Affairs; Anti-money Laundering; Privacy
Generali Shared Services S.c.a.r.l., based in Trieste at 2, Piazza Duca degli Abruzzi
Data processing type: IT system management
Generali Italia S.p.A., based in Mogliano Veneto (TV) at 14, Via Marocchesa
Data processing type: claims settlement, Life and Non-Life portfolio management, facultative reinsurance and complaints
Global Shares, based in Clonakilty, Unit 2, Building D, West Cork Business and Technology Park, Co. Cork, Ireland
Data processing type: Equity compensation management solutions, stock plan and equity administration services.
Mercer Italia S.r.l., based in Milano, viale Bodio 33. Data processing type: Empolyee assessment
Oracle Italia Srl, based in Cinisello Balsamo (MI) at 136,V.le Fulvio Testi. Data processing type: Support Services for the management of employment relations
Sicuritalia S.p.A. based in Como at 2, Via Belvedere.
Data processing type: Activities related to access management and video surveillance services
Sodali S.p.A. based in Roma at 43, Via XXIV Maggio.
Data processing type: Corporate Governance Advisory Services.
TAG Europe Limited, based in London, 12th Aldegate Tower, 2 Leman Street
Data processing type: Marketing Collaborative Platform management
For further privacy information:
Assicurazioni Generali S.p.A.
Via Marocchesa, 14
31021 Mogliano V.to (TV) – Italy
Fax 0039 041 5492235
- An identifier for the user’s computer assigned by the Internet service provider;
- the IP address alone is not considered personal data because it is often assigned at random, i.e. it changes every time according to the connection;
- it may be used for diagnostic and optimising purposes by the service provider.
- strings of information, sent by the service provider server to the user’s computer. They contain the user name, so that the administrator may identify the user’s computer and track his/her favourite sites on the Web.
Cookies may be:
- – transient, also called session or “per-session” cookies , if they are erased when the user ends the connection. They are used to optimise navigation;
- – persistent, if they are stored on a user’s hard drive, unless the user himself/herself deletes the cookies; they are used to collect a large variety of information, which can be tracked by the supplier of the service for different purposes.
Computer functions made up by smaller cookie strings, mainly used to record technical information such as user IP and browser type. They are also called invisible GIFs, clear GIFs, 1-by-1 GIFs or single-pixel GIFs.
- Files residing on the provider servers, also called log files, clickstream data, server logs; they may automatically register data relating to a connection for different purposes:
- – accounting-administrative functions
- – tracking of type of user access (e.g.: system administration, type of browser, date and time of visit, images or texts selected, purchases (if any), file download, screen set-up, etc.) also to improve the contents of the site.
Electronic mail service managed by a provider through the Internet.
- A list used for sending e-mails and/or newsletters.
- A list of addresses which automatically receives forwarded messages.
- The user is required to provide some data, either on an obligatory or a voluntary basis, to improve the relation, with possible contractual implications inherent to the type of services provided.
- Specific information and, if appropriate, the relevant consent are required.
The definitions below are drawn up with reference to Legislative Decree no. 196 dated 30 June 2003, “Personal Data Protection Code” and the following changes and updates.
“Processing” – Section 4, paragraph 1 (a)
‘Processing’ shall mean any operation, or set of operations, carried out with or without the help of electronic or automated means, concerning the collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, dissemination, erasure and destruction of data, whether the latter are contained or not in a database.
“Personal data” – Section 4, paragraph 1 (b)
‘Personal data’ shall mean any information relating to natural persons that are or can be identified, even indirectly, by reference to any other information including a personal identification number.
“Sensitive Data” – Section 4, paragraph 1 (d)
‘Sensitive data’ shall mean personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life.
“Judicial Data” – Section 4, paragraph 1 (e)
‘Judicial data’ shall mean personal data disclosing the measures referred to in Section 3, paragraph 1 from (a) to (o) and (r) to (u), of Presidential Decree no. 313 of 14 November 2002 concerning the criminal record office, the register of offence-related administrative sanctions and the relevant current charges, or the status of being either defendant or the subject of investigations pursuant to Sections 60 and 61 of the Criminal Procedure Code.
“Data Controller” – Section 4, paragraph 1 (f)
‘Data controller’ shall mean any natural or legal person, public administration, body, association or other entity that is competent, also jointly with another data controller, to determine purposes and methods of the processing of personal data and the relevant means, including security matters.
“Data Processor” – Section 4, paragraph 1 (g)
‘Data processor’ shall mean any natural or legal person, public administration, body, association or other agency that processes personal data on the controller’s behalf.
“Data Processor under Section 7 of Legislative Decree no. 196/2003”
‘Data processor under Section 7 of Legislative Decree no. 196/2003’ shall mean any person authorised by the data controller or processor to carry out processing operations in the event that Data subjects exercise their rights under Art. 7 of Legislative Decree no. 196/2003
“Person in charge of the processing” – Section 4, paragraph 1 (h)
‘Persons in charge of the processing” shall mean the natural persons that have been authorised by the data controller or processor to carry out processing operations.
“Information to Data Subjects” – Section 13, paragraph 1
The data subject as well as any entity from whom or which personal data are collected shall be preliminarily informed, either orally or in writing, as to:
a) the purposes and modalities of the processing for which the data are intended;
b) the obligatory or voluntary nature of providing the requested data;
c) the consequences if (s)he fails to reply;
d) the entities or categories of entity to whom or which the data may be communicated, or who/which may get to know the data in their capacity as data processors or persons in charge of the processing, and the scope of dissemination of said data;
e) the rights as per Section 7;
f) the identification data concerning the data controller and, where designated, the data controller’s representative in the State’s territory pursuant to Section 5 and the data processor. If several data processors have been designated by the data controller, at least one among them shall be referred to and either the site on the communications network or the mechanisms for easily accessing the updated list of data processors shall be specified. If a data processor has been designated to provide responses to data subjects in case the rights as per Section 7 are exercised, such data processor shall be referred to.
“Data Subject” – Section 4, paragraph 1 (i)
‘Data subject’ shall mean any natural person that is the subject of the personal data.
“Right to Access Personal Data and other Rights” – Section 7
Right to Access Personal Data and Other Rights
1. A data subject shall have the right to obtain confirmation as to whether or not personal data concerning him exist, regardless of their being already recorded, and communication of such data in intelligible form.
2. A data subject shall have the right to be informed:
a) of the source of the personal data;
b) of the purposes and methods of the processing;
c) of the logic applied to the processing, if the latter is carried out with the help of electronic means;
d) of the identification data concerning data controllers, data processors and the representative designated as per Section 5, paragraph 2;
e) of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing.
3. A data subject shall have the right to obtain:
a) updating, rectification or, where interested therein, integration of the data;
b) erasure, anonymisation or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed;
c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.
4. A data subject shall have the right to object, in whole or in part:
a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection;
b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys.
“Consent” – Section 23
Processing of personal data by private entities or profit-seeking public bodies shall only be allowed if the data subject gives his/her express consent. The data subject’s consent may refer either to the processing as a whole or to one or more of the operations thereof. The data subject’s consent shall only be deemed to be effective if it is given freely and specifically with regard to a clearly identified processing operation, if it is documented in writing, and if the data subject has been provided with the information referred to in Section 13. Consent shall be given in writing if the processing concerns sensitive data.
“Communication” – Section 4, paragraph 1 (l)
‘Communication’ shall mean disclosing personal data to one or more identified entities other than the data subject, the data controller’s representative in the State’s territory, the data processor and persons in charge of the processing in any form whatsoever, including by making available or interrogating such data.
“Dissemination” – Section 4, paragraph 1 (m)
‘Dissemination’ shall mean disclosing personal data to unidentified entities, in any form whatsoever, including by making available or interrogating such data.
‘Outsourcer’ shall mean any external supplier entrusted with the Company’s activities and processes.