Assicurazioni Generali processes your personal data*

Assicurazioni Generali S.p.A. (hereinafter also the Company), with registered office in Trieste, at Piazza Duca Degli Abruzzi no. 2, processes your personal data as Data Controller*.

If you wish to receive more information, you can use the following postal address:

Assicurazioni Generali S.p.A.
Piazza Duca degli Abruzzi no. 2
34132 Trieste / P.O. Box 538

For any questions or if you wish to exercise a right in respect of the processing of your personal data, you can contact our Data Protection Officer*:

By traditional mail at:

dpoag@generali.com

By email at:

Assicurazioni Generali
Piazza Tre Torri no. 1
20145 Milano
to the attention of the Data Protection Officer.

How we use your personal data and on the basis of which ground

If collected (refer to Which personal data we use), we process your personal data in order to allow you to surf on our website heritage.generali.com, use all its features, ensure its proper functioning (including system administration activities) and improve your browsing experience.

Why the provision of your personal data is required

In order to allow you to surf our website, we may need some of your personal data; however, the relevant communication is optional.

Therefore, the failure in the communication or the partial or inaccurate communication may have, as consequence, only the impossibility to ensure the best browsing experience.

Which personal data we use

In case you browse on our website only for consultation purposes, processing of your personal data is not required. However, we use technologies that may involve the storage of some data related to the tools used, somehow referable to you, even in absence of your explicit registration as well as your active role.

In particular, this WEBSITE:

• Does not process IP addresses (Internet Protocol Addresses) to collect information, but it stores such IP addresses as surfing data;
• Uses surfing data as aggregate data for statistical purposes only;
• Uses its own and third parties’ cookies and other session identifiers (technical and profiling). Technical cookies are used in order to make surfing possible or to the extent this necessary to provide a requested service. Profiling cookies are of third parties and are used only for statistical purposes, on an anonymous basis, and are not aimed at providing you with a service in line with your preferences. It is possible to disable the use of cookies, depending on the browser used. In this case, your surfing experience could result not as easy as before. Such deactivation can be performed by referring to third-party sites, through links within our cookie policy or through the modification of the settings of the browser used (Google Chrome, Mozilla Firefox, Internet Explorer, Opera or Safari).

Without prejudice to the foregoing, there may be residual cases in which we actively collect your personal data. In particular:

• E-Mail: personal data received by the e-mail contact available on the website are used only to reply to your requests; such data are stored for statistical purposes only and to check whether there are any previous accesses;
• Specific mailing lists: specific individual names may be added to specific mailing lists only on the basis of your explicit consent to regularly receive the requested service (e.g., news, funds quotation, commercial information, etc.);

With whom we share your personal data

If collected, our staff processes your personal data with modalities and procedures, also in electronic form, appropriate to ensure an adequate level of security.

Your personal data can be shared only with third parties which have been assigned with the task to perform some activities concerning our employment relationship. Depending on the activity performed, third parties act as Data Processors*, Joint Controllers* or autonomous Data Controller.

Third parties cooperating with us can perform computer, telematics, financial, administrative activities. Third parties also include companies belonging to Generali Group.

Our staff and third parties which process your personal data for the purposes above indicated – exception for Data Controllers – receive proper instructions about the correct modalities of the processing. Your personal data are not disseminated.

Where we transfer your personal data

As a general rule, we do not transfer your personal data in Countries outside the European Economic Area.

In exceptional cases, limitedly for the purposes indicated above, we may transfer your personal data to a third party above described or to a public body requesting it, also in Countries outside the European Economic Area.

In any case, the transfer of Your personal data is performed in compliance with the applicable laws and international agreements in force, as well as on the basis of appropriate and suitable safeguards (such as, for example, transfer to a Country ensuring an adequate level of protection or adopting the standard contractual clauses approved by the EU Commission).

The rights you can exercise in respect of the processing of your personal data

You can exercise the following rights in respect to your personal data:

• Access
  You may request access to your personal data to receive information, for example, about the categories of personal data that the Company is currently processing;

• Rectify
  You may ask the Company to correct personal data that is inaccurate or incomplete;

• Erase
  you may ask the Company to erase personal data where one of the following grounds applies:

• • Where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; You withdraw consent on which the processing is based and where there is no other legal ground for the processing;
  • You object to automated decision-making and there are no overriding legitimate grounds for the processing, or you object to the processing for direct marketing;
  • The personal data have been unlawfully processed;
  • The personal data have to be erased for compliance with legal obligation in Union or Member State law to which the Company is subject;
  • The personal data have been collected in relation to the offer of information society services.

• Restrict
  You may ask the Company to restrict how it processes your personal data, requesting only their storage, where one of the following applies:

• • You contest the accuracy of your personal data, for a period enabling the Company to verify the accuracy of your personal data;
  • The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • The Company no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims;
  • You have objected to processing pursuant to the right to object and automated decision-making, pending the verification whether the legitimate grounds for the Company override those of you.

• Portability
  You may ask the Company to transfer the personal data you have provided us to another organisation or / and ask to receive your personal data in a structured, commonly used and machine readable format.

In case you provided your consent to the processing of personal data, you may withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

If your personal data are transferred outside the European Economic Area, you have the right to obtain copy of such data as well as indication of the Country/Countries where the personal data have been made available.

You can exercise your rights by contacting our Data Protection Officer at the contact details above indicated. The request of exercise of rights is free of charge, unless the request is manifestly unfounded or excessive.

Your right to object to the processing of your personal data

You have the right to object to the processing of your personal data and request the stop of the processing operations when they are based on the legitimate interest (refer to How we use your personal data and on the basis of which ground).

Your right to lodge a complaint to the Supervisory Authority

In case you consider that the processing of your personal data infringes the applicable privacy laws, you have the right to lodge a complaint to the Italian Personal Data Protection Authority – Garante per la Protezione dei Dati Personali* with the modalities indicated on the Authority’s website (www.garanteprivacy.it).

How long we retain your personal data

Your personal data can be retained for the time strictly necessary to perform the above indicated activities.

Changes and updates of the privacy notice

Also considering possible amendments of the applicable privacy laws, the Company may integrate and/or update, wholly or partially, this privacy notice. Any changes, integrations or updates will be communicated in compliance with applicable laws through publication on the Company’s website heritage.generali.com.

Assicurazioni Generali S.p.A. processes your personal data*

Assicurazioni Generali S.p.A. (hereinafter also the Company), with registered office in Trieste, Piazza Duca degli Abruzzi no. 2, processes your personal data as Data Controller*.

If you wish to receive more information, you can use the following postal address:

Assicurazioni Generali S.p.A.
Piazza Duca degli Abruzzi no. 2
34132 Trieste / P.O. Box 538

For any questions or if you wish to exercise a right in respect of the processing of your personal data, you can contact our Data Protection Officer*:

By email at:

dpoag@generali.com

By traditional mail at:

Assicurazioni Generali
Piazza Tre Torri no. 1
20145 Milano
to the attention of the Data Protection Officer

How we use your personal data and on the basis of which ground

We process your personal data with the purpose of performing all necessary activities for the services you have requested, including, for example:

1. Access to the headquarters of the Generali Heritage and Historical Archives and consultation of the documents held in there;
2. Participation in guided tours or other initiatives in which you have decided to take part (surveys, comment cards, etc.);
3. Receiving our newsletter.

Processing of your personal data for the purposes indicated under (1) and (2) is a processing necessary for the Company in order to provide the services you requested. Processing of your personal data for the purposes indicated under (3), finally, is based on your consent.

Why the provision of your personal data is required

For managing our relationship, communication of your personal data is required since necessary to provide the services you requested.

Therefore, the failure in the communication or the partial or inaccurate communication may have, as consequence, the impossibility to provide our services.

Which personal data we use

We process only the personal data strictly necessary to achieve the purposes above indicated. We mainly process:

• Biographical and identifying data;
• Contact details;
• Information on your educational profile;
• in addition to any other personal data provided by you, if any.

With whom we share your personal data

Our staff processes your personal data with methods and procedures, including in electronic form, suitable to guarantee an adequate level of security which, to the extent applicable, can be indicated in the audio/video release signed by you. Your personal data may only be shared with third parties who have been entrusted with the task of carrying out certain activities relating to the management of the relationship with the Company. Both our staff and third parties who process your personal data for the purposes indicated above – with the exception of independent Data Controllers – receive adequate instructions regarding the correct methods of processing. Furthermore, to the extent applicable, your personal data may be shared with other companies belonging to the Generali Group.

Where we transfer your personal data

As a general rule, we do not transfer your personal data to countries outside the European Economic Area. In exceptional cases, limited to the purposes indicated in the previous paragraph 2, we may transfer your personal data to where the recipients listed above may reside. In any case, the transfer of your personal data is carried out in compliance with applicable laws and international agreements in force, as well as on the basis of adequate and suitable guarantees (such as, for example, the transfer to a country that ensures an adequate level of protection or the adoption of the standard contractual clauses approved by the EU Commission). Where required by applicable laws, the Company will implement any additional measures as required by applicable laws.

The rights you can exercise in respect of the processing of your personal data

You can exercise the right of access, rectification, updating, integration, cancellation, limitation of processing, portability with respect to your personal data.
In the event that you have provided your consent to the processing of personal data, you can revoke your consent at any time, without prejudice to the lawfulness of the processing based on the consent before the revocation.
If your personal data is transferred outside the European Economic Area, you have the right to obtain a copy of such data as well as an indication of the country or countries in which the data were made available.
To the extent applicable, you have the right to object to the processing of your personal data and request the interruption of processing operations if based on legitimate grounds.
If you believe that the processing of your personal data violates applicable privacy laws, you have the right to lodge a complaint with a supervisory authority. It is possible to contact the Guarantor for the Protection of Personal Data using the methods indicated on the Authority’s website (www.garanteprivacy.it).
You can exercise your rights by contacting the Data Protection Officer at the contact details indicated above. The request to exercise the rights is free unless the request is manifestly unfounded or excessive.

How long we retain your personal data

Your personal data can be retained for the time strictly necessary to carry out the above mentioned activities. In particular, the data collected for purposes (1) and (2) will be retained for a period of 10 years after they have been collected to access the headquarters of the Generali Group Historical Archives and for the consultation of the documents held in there, except for the name, surname, and research associated with the visitor, which will in turn become part of the Historical Archives.
The data collected for purpose (3), will be retained from the granting of your consent to the processing for the entire duration of the provision of the service.

Changes and updates of the privacy notice

Also considering possible amendments of the applicable privacy laws, the Company may integrate and/or update, wholly or partially, this privacy notice. Any changes, integrations or updates will be communicated in compliance with applicable laws also through the Internet website heritage.generali.com.

For any questions or if you wish to exercise a right in respect of the processing of your personal data, you can contact our Data Protection Officer.

By email at:

dpoag@generali.com

By traditional mail at:

Assicurazioni Generali
Piazza Tre Torri no. 1
20145 Milano
to the attention of the Data Protection Officer

IP Address

• An identifier for the user’s computer assigned by the Internet service provider;
• the IP address alone is not considered personal data because it is often assigned at random, i.e. it changes every time according to the connection;
• it may be used for diagnostic and optimising purposes by the service provider.

Cookies

• strings of information, sent by the service provider server to the user’s computer. They contain the user name, so that the administrator may identify the user’s computer and track his/her favourite sites on the Web.
  Cookies may be:
  • transient, also called session or “per-session” cookies , if they are erased when the user ends the connection. They are used to optimise navigation;
  • persistent, if they are stored on a user’s hard drive, unless the user himself/herself deletes the cookies; they are used to collect a large variety of information, which can be tracked by the supplier of the service for different purposes.

• It is possible to check the use of cookies through specific browser set-ups: e.g. Internet Explorer permits, both for non-stored (per-session) cookies and stored cookies, to opt for full activation, activation after receiving a warning message and confirmation or deactivation.

Internet Tags

Computer functions made up by smaller cookie strings, mainly used to record technical information such as user IP and browser type. They are also called invisible GIFs, clear GIFs, 1-by-1 GIFs or single-pixel GIFs.

Surfing data

• Files residing on the provider servers, also called log files, clickstream data, server logs; they may automatically register data relating to a connection for different purposes:
• accounting-administrative functions
• tracking of type of user access (e.g.: system administration, type of browser, date and time of visit, images or texts selected, purchases (if any), file download, screen set-up, etc.) also to improve the contents of the site.

E-Mail

Electronic mail service managed by a provider through the Internet.

Mailing list

• A list used for sending e-mails and/or newsletters.
• A list of addresses which automatically receives forwarded messages.

Registration

• The user is required to provide some data, either on an obligatory or a voluntary basis, to improve the relation, with possible contractual implications inherent to the type of services provided.
• Specific information and, if appropriate, the relevant consent are required.

To help you understanding our privacy notice, please find below the meaning of the main terms contained therein.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, whether or not by automated means.

Personal data means any information relating, directly or indirectly, to a person (such as, for example, name, an identification number, location data, an online identifier, one or more elements able to identify the physical, physiological, genetic, mental, economic, cultural or social identity, etc.).

Special categories of data are the personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership as well as genetic data, biometric data where they uniquely identify a person, data concerning health or data concerning a person’s sex life or sexual orientation.

Genetic data are the personal data relating to the inherited or acquired genetic characteristics of a person which give unique information about the physiology or the health of said person and which result, in particular, from the analysis of a biological sample from the person in question.

Biometric data are the personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a person, which allow or confirm the unique identification of that person, such as facial images or dactyloscopic data.

Data concerning health are the personal data related to the physical or mental health of a person, including the provision of health care services, which reveal information about his or her health status.

Judicial data are the personal data related to criminal convictions and offences or to the connected security measures afflicted to a person.

Data subject is the person whose personal data are processed.

Data controller is the individual or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (for example, the employer is the data controller in respect of its employees’ personal data since, with reference to the employment relationship, it decides the purposes and means of such processing).

Joint controller means the individual or legal person, public authority, agency or other body which, jointly with other data controllers, determines the purposes and means of the processing of personal data.

Data Processor means the individual or legal person, public authority, agency or other body which processes personal data on behalf of the data controller (for example, the company which provides the service of employees’ salaries calculation may be considered a data processor since it processes personal data on behalf of another company, the employer).

Consent means any data subject’s wish, by a statement or by a clear affirmative action, which signifies agreement to the processing of personal data relating to him or her. For the consent to be valid, the data subject’s wish needs to be freely given, specific for each processing operation, collected upon the provision of a privacy notice and clearly distinguishable from any other declarations.

Personal data breach means a breach of security (physical or IT) leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data Protection Officer means a person in charge for performing support activities for the company functions and control activities in respect of the processing of personal data. It is also in charge for cooperating with the Supervisory Authority and it represents the contact point, also for the data subjects, for any matters connected with the processing of personal data.

The Garante per la Protezione dei Dati Personali is the Italian Supervisory Authority for the protection of personal data.

What is the personal data breach?*

The term personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This disclosure may occur, by way of example, for the following reasons:

• accidental loss: for example, personal data breach caused by loss of a USB flash drive containing personal data;
• theft: for example, personal data breach caused by theft of a notebook containing personal data;
• corporate infidelity: for example, personal data breach caused by an internal person who, having authorization to access personal data, produces a copy to be distributed in a public environment;
• unauthorized access: for example, personal data breach caused by unauthorized access to IT systems with subsequent disclosure of the acquired personal data information.

The new European regulation on the protection of personal data (GDPR) provides for, upon the occurrence of certain circumstances, the obligation to notify the breach to the competent Supervisory Authority no later than 72 hours from the awareness as well as the communication of such breach to the impacted data subjects.

With the aim to be compliant with the above indicated regulatory provisions and to ensure the protection of our stakeholders’ personal data, we have created the following section that enable you to report any suspected personal data breach.

To report a personal data brech, click here.