Information on the processing of personal data

Pursuant to art. 13 of EU Regulation 2016/679 of 27/04/2016, hereinafter referred to as GDPR (General Data Protection Regulation), Sagitta SGR S.p.A. (hereinafter, “Sagitta”), with registered office in Via Lanzone n. 31 – 20123 – Milan (MI), in its capacity as controller of personal data, specifies the following:

Nature of the data processed
Sagitta processes personal, fiscal and economic data and in any case data of a common nature, necessary for the performance of contractual relations with the persons concerned (hereinafter the “Interested Party” or the “Interested Parties”).

Data controller
The controller is Sagitta SGR S.p.A. (“Controller”) with registered office in Milan – Via Lanzone n. 31.

Purpose of processing
The data are processed:

  1. for purposes strictly related and instrumental to the management of the contractual relationship (e.g. acquisition of information prior to the conclusion of the contract; contractual fulfilment and execution of transactions for the provision of investment services, administrative and accounting management of the relationship);
  2. for purposes connected with the fulfilment of obligations provided by laws, regulations and Community legislation, as well as provisions issued by Authorities empowered to do so by law and by supervisory and control bodies. The processing of personal data for the above purposes does not require express consent (Art. 6, letter b, of the GDPR).
  3. only with the consent of the interested party, for commercial and marketing purposes aimed at providing and/or proposing new products or services. The data will be processed for the entire duration of the contractual relationship and also subsequently to allow the fulfilment of legal obligations and for administrative and possibly commercial purposes;
  4. development of studies and market research.

The processing of personal data for the purposes referred to in points c) and d) above requires express consent (Article 7 of the GDPR). This consent concerns both the automated and traditional methods of communication described above. The data subject shall always have the right to object easily and free of charge, in whole or in part, to the processing of data for said purposes, for example by excluding automated contact methods and expressing his/her wish to receive commercial and promotional communications exclusively through traditional contact methods.

Mandatory or optional nature of providing data and consequences of a refusal to provide personal data
As regards the data that Sagitta is obliged to know, in order to fulfil the obligations provided by laws, regulations and Community legislation, or by provisions issued by Authorities legitimated to do so by the law and by supervisory and control bodies, failure to provide such data shall make it impossible to establish or continue the relationship, insofar as such data are necessary for the performance of the same. As for the data that Sagitta is not obliged to know, failure to provide them shall be evaluated on a case by case basis and shall determine the consequent decisions, in relation to the importance of the data requested and not provided for the Sagitta organisation.

Methods of data processing
The processing of personal data is carried out by means of the operations indicated in Article 4 no. 2) of the GDPR, for the above purposes, both on paper and computer, by means of electronic or otherwise automated tools, in compliance with the regulations in force in particular on confidentiality and security and in accordance with the principles of correctness, lawfulness and transparency and protection of the customer’s rights.

The processing is carried out directly by the data controller’s organisation, its managers and/or delegates.

Categories of persons to whom the data may be communicated or who may become aware of the data in their capacity as data processors or persons in charge of processing.
The personal data shall not be disclosed by Sagitta, the term meaning the disclosure to unspecified persons in any way, including by making them available or consulting them. The personal data may be communicated, by which term is meant the disclosure to one or more specific persons, in the following terms:

  • to subjects who can access the data by virtue of provisions of the law, regulations or Community legislation, within the limits provided by these rules;
  • to subjects who need access to the data for purposes ancillary to the relationship between the data subject and Sagitta, within the limits strictly necessary to carry out the ancillary tasks (subjects carrying out administrative, data processing, enveloping and mailing services, auditors and subjects in charge of certifying the financial statements);
  • to consultants of Sagitta (i.e. persons entrusted with the protection of the interests of Sagitta in judicial, extrajudicial, administrative and debt collection proceedings, such as professionals, as well as other consultants for the fulfilment of all other administrative and accounting obligations) to the extent necessary to carry out their duties.

In addition, the following categories of persons may become aware of the personal data of the data subject, in their capacity as data processors or persons in charge of processing:

  • managers, directors and members of the board of statutory auditors of Sagitta;
  • certain categories of employees of the same company.

Period of retention of personal data
Personal data shall be retained for the entire duration expressed by the contract concluded with the Controller, after which the data shall be retained for the fulfilment of the terms provided by law for the retention of administrative documents, after which it shall be deleted.

Data transfer
Personal data are stored on servers located within the European Union. In any case, it is understood that the data controller may move the servers outside the EU if necessary. In this case, the data controller assures as of now that the transfer of data outside the EU will take place in compliance with the applicable legal provisions, subject to the stipulation of the standard contractual clauses provided by the European Commission.

Where we process your data within the European Economic Area (“EEA”) personal data in those locations is protected by European data protection law, specifically the GDPR. We will only share personal data with others when we are legally permitted to do so. When we share data with others, we put contractual arrangements and security mechanisms in place as appropriate to protect the data and to comply with our data protection, confidentiality and security standards.

Sagitta is a company that is part of Arrow Global Group Plc (“AGG” and / or “Arrow”), headquartered in the UK. As a result of Brexit, with effect from 1 January 2021, the UK stops being treated as part of the European Union and the European Economic Area (“EEA”) and, as a result, if your data is transferred to the UK it will be protected by UK privacy laws from that date. Looking after your data is very important to us, and Brexit will not change that.

We only share personal data with others outside of the EEA when we are legally permitted to do so, namely where:

  • the EU Commission has decided that the relevant country has adequate protective rules in relation to data protection in place (an “adequacy decision”);
  • we have entered into the relevant “standard contractual clauses” with the recipient of your personal data (these are a set of obligations about how your data is protected and used); or
  • we can rely on another basis under the law such as that we have to share the personal data because this is necessary for the purpose of a court case, investigation or to protect our legal rights.

Rights of the data subject
The data subject has the rights set out in Article 15 of the GDPR and specifically the rights to:

  1. obtain confirmation of the existence or otherwise of personal data concerning him/her, even if not yet recorded, and their communication in intelligible form;
  2. obtain information on: a) the origin of the personal data; b) the purposes and methods of processing; c) the logic applied in the event of processing carried out with the aid of electronic instruments; d) the identification details of the data controller, the data processors and the representative designated pursuant to Article 3(1) of the GDPR; e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of it in their capacity as designated representative in the territory of the State, data processors or persons in charge of processing;
  3. obtain: a) the updating, rectification or, when interested, the integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed; c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
  4. oppose, in whole or in part: a) on legitimate grounds, the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection; b) the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys, by means of automated calling systems without the intervention of an operator by e-mail and/or by traditional marketing methods via telephone and/or paper mail. Please note that the data subject’s right to object, as set out in point b) above, for the purposes of direct marketing using automated methods is extended to traditional methods and that, in any case, the data subject may exercise his/her right to object in whole or in part. Therefore, the interested party may decide to receive only communications by traditional means or only automated communications or neither of the two types of communication. Where applicable, he/she also has the rights referred to in Articles 16-21 of the GDPR (right of rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object), as well as the right to complain to the Supervisory Authority.

In order to exercise the rights under Article 15 of the GDPR or for questions or information regarding the processing of personal data and the security measures adopted, the data subject may in any case forward a request to our company at the following address:

Sagitta SGR S.p.A. – Via Lanzone n. 31, Milan (MI) – E-mail trattamentodati@sagittasgr.it.

2021/10 – version n. 1