ex Art. 13 of the Leg. Decree 196/2003 - Privacy Code – Art. 13 of the General Data Protection Regulation EU No. 2016/679 (“GDPR”).

ACEPI Activities

ACEPI - Associazione Italiana Certificati e Prodotti di Investimento – with registered office in piazza della Repubblica 32, Milan, Italy, TAX ID IT05524340964 and VAT IT09667620968 (hereafter, “the Data Controller”), as controller of the personal data processing, informs you pursuant to Art. 13 of the Legislative Decree dated 30.6.2003 No. 196 (hereafter, “Privacy Code”), and to Art. 13 of the EU Regulation No. 2016/679 (hereafter, “GDPR”) that it will continue to process your personal data for the purposes and with the modalities indicated as follows:

Aim of the processing
The Data Controller processes your personal identification data (for example, name, surname, corporate name, address, telephone, e-mail, bank and payment data – hereafter, “personal data” or even “data”) that you disclosed when you entered into a contract for the Data Controller’s services.

Purpose of the processing
Your personal data is processed:
1. Without your explicit consent (Art. 24 points a), b), and c) of the Privacy Code and Art. 6 points b), and e) of the GDPR), for the following Service Purposes:
• to enter into agreements in order to avail oneself of the Data Controller’s services;
• to fulfil contractual and fiscal obligations preceding a contract, or deriving from existing relationships with you;
• to enable you to subscribe to the newsletter service provided by the Data Controller and any further Services should they be requested at a later date;
• to fulfil all obligations envisaged by the law, by a regulation, by EU regulations or by an order of the Authority (such as, for example, in the matter of anti-money laundering);
• to exercise the rights of the Data Controller, such as the right to defend the case;
2. Only with your prior specific and explicit consent (Arts. 23 and 130 of the Privacy Code and Art. 7 of the GDPR), for the following Marketing purposes:
• To send you by e-mail, post and/or text message and/or telephone contacts, newsletters, business communication and/or advertising material on products or services offered by the Data Controller and customer satisfaction questionnaires on the quality of our services;
• To send you by e-mail, post and/or text message and/or telephone contacts, business communication and/or promotions on behalf of third parties (for example, business partners, etc.).
We bring to your notice that if you are already our customer and/or you have some business or institutional relationship or activity or collaboration with ACEPI, we will be able to send you institutional or business communication regarding services and products of the Data Controller similar to the ones you have already used, unless you express your objection (Art. 130 c. 4 Privacy Code).

Processing procedures
The processing of your personal data is achieved by means of the operations as stated in Art. 4 of the Privacy Code and under Art. 4 No. 2) of the GDPR and precisely: collection, recording, organization, conservation, consultation, processing, modification, selection, extraction, comparison, usage, interconnection, control, communication, erasure and destruction of data. Your personal data is subjected to paper, electronic and/or automated processing.
The Data Controller shall process your personal data for the time that is necessary to fulfil the afore-mentioned purposes and in any case not over 10 years from the termination of the relationship for the purposes of service and not over 5 years from the collection of data for Marketing or Profiling purposes.

Access to data
Your data may be made accessible for the purposes stated under Arts. 2. A) and 2.B):
• To the Data Controller’s employees and collaborators, in their capacity of being processors and/or internal people tasked with processing and/or system administrators;
• To third parties or other subjects (just as an indication, banking institutions, professional firms, consultants, insurance companies for the supply of insurance services, etc.) who conduct activities in outsourcing on behalf of the Data Controller, as external supervisors of the processing.

Data transfer
The personal data is stored on servers located within the European Union. It is at any rate understood that the Data Controller has the faculty of moving the servers outside the EU, should this become necessary. Under such circumstances, the Data Controller ensures with immediate effect that the transfer of data outside the EU will take place in compliance with all applicable provisions of the law, upon drawing up the standard contract provisions as envisaged by the EU.

The nature of entrusting data and the consequences of refusing to reply
Entrusting data for the purposes referring to Art. 2. A) is mandatory. In the absence thereof, we shall be unable to ensure the Services under Art. 2. A). On the contrary, entrusting data for the purposes referred to in Art 2.B) is optional. You may thus decide not to provide any data or to subsequently reject the possibility of processing data that has already been provided; in such cases, you will no longer be able to receive any newsletter, business communication and advertising material pertaining to the Services offered by the Data Controller. Nonetheless you will still be entitled to the Services referred to under Art. 2. A).

Personal data processing for business profiling
It is possible that for marketing purposes and for improving the service, the Data Controller proceeds to the processing of data known as “profiling”, in order to appraise certain aspects, to analyze or forecast aspects which may be relevant to the economic situation, preferences, interests, reliability, etc.
The practice of profiling may concern “single” or “aggregate” personal data deriving from detailed individual personal data; in other words, what may result following profiling is the availability of a much greater information domain compared to the information related to each data subject considered one by one. (Hereafter, Profiling Process)
In order to proceed to a Profiling Process, it is mandatory to obtain a specific, separate, explicit, documented, preventive and entirely optional consent.
In the perspective of total transparency ACEPI therefore informs you that the data collected on the basis of a specific consent for service may be subject to a Profiling Process for the same purposes as referred to under Art. 2. B).
In the event of a denial to consent to the Profiling Process, the Data Subject shall still be entitled to the provision of Services as referred to under art. 2. A).

Data Subject’s Rights
In connection with the processing of his/her personal data, every Data Subject has the rights provided under Art. 7 of the Privacy Code and under Art. 15 of the GDPR and, more specifically, the rights to:
• obtain the confirmation of the existence or not of personal data that relate to you, even if they have not been registered yet, and their communication in an intelligible way;
• obtain the indication: a) of the source of the personal data; b) of the purposes and processing procedures; c) the logic applied in the event of processing carried out by electronic devices; d) the identification details of the Data Controller, the Data Processors and the designated representative pursuant to Art. 5, paragraph 2 of the Privacy Code and Art. 3, paragraph 1, of the GDPR; e) of the subjects or groups of subjects to whom the personal data may be communicated or who may learn about it in their capacity of designated representative on the State soil, of Data Processors or people tasked with processing;
• Obtain: a) the updating, rectification or when interested, the integration of data; b) the erasure, transformation to anonymity or the blocking of data processed in the event of breach of law, including the conservation of unnecessary data in relation to the purposes for which data was collected or subsequently processed; c) proof that operations referring to points a) and b) , even with regard to their content, have been brought to the knowledge of those to whom the data has been communicated or disseminated, except for the event in which such fulfilment is impossible or it implies the employment of means that are plainly disproportionate to the right to be protected;
• Object, in whole or in part: a) for legitimate reasons to the processing of personal data that concerns you, even if pertaining to the purpose of collection; b) to the processing of your own data for receiving advertising material, direct sales, for market research surveys or for business or institutional communication, by means of automated calling systems without operator by means of e-mails and/or through traditional marketing methods, i.e., by telephone and/or by mail. It is noted that the right to lodge an objection on the part of the Data Subject as mentioned under the afore-mentioned point b), for direct marketing purposes via automated processing is extended to the traditional ones and at any rate the Data Subject’s possibility to exercise the right to objection remains valid even only in part. Therefore, the Data Subject may decide to receive communication only via traditional channels, or only automated communication or neither of the two types of communication.
Where applicable, the Data Subject has the rights referred to under art. 16-21 of the GDPR (the right of rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to objection), as well as the right to lodge a claim with the Italian Data Protection Authority (Autorità Garante).

Ways to exercise one’s rights.
• a registered mail to ACEPI - Associazione Italiana Certificati e Prodotti di Investimento – PO BOX 350 – 20123 Milan - Italy;
• an e-mail addressed to:

Data Controller, Data Processor and people tasked with processing
The Data Controller is ACEPI - Associazione Italiana Certificati e Prodotti di Investimento – with registered office in piazza della Repubblica 32, 20124 Milan - Italy.
The details which enable you to contact the Data Controller quickly and to communicate with the latter directly and effectively, including the email address, are the following:
• Tel: +39 02 87189076
• Mobile: +39 331 6816842
• E-mail:
The updated list of Data Processors (where designated) and of the people tasked with processing is held at the Data Controller’s registered office.