Privacy Notice on the processing of personal data of connected individuals of corporate/financial institutional customers
How HSBC Continental Europe, Italy collects, stores and processes Personal Data?
Before we begin
This notice (Privacy Notice) applies to all Personal Data processed by HSBC Continental Europe, Italy Via San Protaso 3 - 20121 Milano, tel. 02 724371, as data controller in the context of banking relationships between Us and Our corporate/financial institutional clients (a “Client” or the “Clients”).
This Privacy Notice explains what information in relation to Connected Individuals of Our Clients We collect, how We will use that information, who We will share it with, the circumstances when We will share it and the steps We will take to make sure it stays private and secure.
Wherever We use the term “Connected Individual”, this means individual(s) connected to any of Our Clients, acting in whatever capacity on behalf of any of Our Clients, including a guarantor, a director, officer or employee of a company, partners or members of a partnership, any substantial owner, controlling person, or beneficial owner, trustee, settlor or protector of a trust, authorised signatory of a designated account, recipient of a designated payment, a client’s attorney or representative, agent or nominee, individuals who are clients of a Client, or any other persons with whom a Client has a relationship relevant to their relationship to Us.
Clients must direct any individuals whose Personal Data we may collect and process, including Connected Individuals, to this Privacy Notice and make sure they are aware, prior to providing their Personal Data to Us or Our obtaining their Personal Data, that We are using their Personal Data as described. Such individuals must be aware of their rights.
Whenever We use the term “You” or “Your”, this means a Connected Individual(s) of one of Our Clients.
Wherever We use the term “We” or “Our” “Us”, We mean HSBC Continental Europe, Italy.
“HSBC Group” means all the companies owned and controlled (directly or indirectly) by HSBC Holdings plc, within the meaning of the definition of control applicable to it.
Some of the links on Our websites may redirect You to a non-HSBC website with its own privacy and information protection policies, which may be different to this notice. Connected individuals need to make sure they’re happy with their privacy notices when using other sites.
This Privacy Notice is provided in accordance with the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, and on the free movement of such personal data, and repealing Directive 95/46/CE (Data Protection Directive), as supplemented and amended from time to time.
What Personal Data We collect
We will collect Your Personal Data from a range of sources. Some of it will come directly from You or from Our Client of which You are the Connected Individual, or from other individuals connected to Your business, whereas other Personal Data will be collected by HSBC or other HSBC Group companies. We may also collect information about You when You interact with Us, e.g. by visiting Our websites or mobile channels, calling Us or visiting Our offices.
Other information may come from publicly available sources (e.g. business registers, press, and Internet) or from external companies. We may also collect information by matching data sets (e.g. location data, if You use a mobile app with geo-localisation service).
Information We collect from other sources may include, in particular, information connected to communications (e.g. information from third party providers, press and online reports, communications from governmental and administrative authorities).
- Personal Data that You may provide to Us (including those of other Connected Individuals) may include, without limitation:
- Your personal details, e.g. name, previous name, gender, date and place of birth, photo ID, passport information, government-issued ID number, national ID cart and nationality;
- Your contact details, e.g. Your address, email address, landline and mobile numbers;
- other information that You give Us by filling in forms or by communicating with Us, whether face-to-face or by phone, email, online, or otherwise by participating in market research.
- Personal Data We collect or generate may include:
- information about Our relationship with the Client of which You are the Connected Individual, including the products and services You hold/use, the channels You use, Your ability to get and manage Your credit, Your payment history, transactions records, market trades, payments into Client accounts of which You are the Connected Individual and information concerning complaints and disputes;
- information We use to identify and authenticate You such as signature, log-in and authentication credentials and additional information that We receive from external sources that We need for checking Your identity;
- geo-localisation information;
- information included in customer documentation or in a record of instructions;
- marketing and sales information, such as details of the services You receive and Your preferences;
- cookies and similar technologies We use to recognise You, remember Your preferences and tailor the content We provide to You – Our cookie policy http://www.business.hsbc.it/en-gb/it/generic/cookie-policy contains more details about how We use cookies;
- information relating risk ratings, e.g. credit risk ratings or Client’s transactional behaviour;
- information relating to investigations data, e.g. due diligence checks for new relationships or during the ongoing business relationship with the Client of which You are the Connected Individual, international sanctions and anti-money laundering checks, external intelligence reports, content and metadata related to checks on Our means of communication;
- information that We need to support Our regulatory obligations, e.g. information about transaction details, detection of any suspicious and unusual activity and information about parties connected to You or other individuals connected to Your business and/or the Client of which You are the Connected Individual.
How We will use Your Personal Data?
We will process Your Personal Data where We have your consent or We have a lawful reason for using it. These reasons include where:
- We need to process Your Personal Data to pursue Our legitimate business interest(s);
- We need to process the Personal Data to perform Our contract with Clients;
- We need to process the Personal Data to comply with a legal obligation;
- the use of Your Personal Data is in the public interest, such as for the purpose of preventing or detecting crime.
In particular, Personal Data may be processed, used and stored by Us and/or by third parties for the following purposes:
- the provision of services and to approve, manage, administer or effect any transactions that a Client may request or authorise;
- allowing Us to undertake data analytics to gather insights on Our Client’s business;
- the meeting of Our compliance obligations as well as compliance with other laws that the HSBC Group may be subject to;
- the prevention and detection of fraud risks and other crimes;
- the enforcement or defence of Our rights or those of a member of the HSBC Group;
- the pursue of Our legitimate business interest(s) such as to ensure compliance with Our internal operational requirements, including credit and risk management, system or data base development, enhancement and planning, insurance, audit and administrative purposes;
- the maintenance of Our or other members of the HSBC Group’s overall relationship with Clients, telling Clients and Connected Individuals about Our products, or carrying out market research.
More details are in Appendix 1 “How We use Your Personal data”.
Automated Decision Making
We may use automated systems to help Us make decisions, such as credit decisions, as well as carrying out fraud, money laundering and terrorism financing checks. We may use such proceedings that helps Us identifying the level of risk involved in Client or account activity, e.g. for credit, fraud or financial crime reasons, or to identify if someone else is using Your card without Your permission.
You may have a right of information on how We make automated decisions and may also have a right to request human intervention and to challenge the decision. More details can be found in the ‘Your Rights’ section below.
Marketing and market research
We may use Your information for market research and to identify trends. Market research agencies acting on Our behalf may get in touch with You (by post, telephone, email or other methods of communication) to invite You to take part in research.
Tracking or recording what You say or do
We may record and keep track of conversations You have with Us – including phone calls, face-to-face meetings, letters, emails, live chats, video chats and any other kinds of messaging – in order to use these recordings to check Your instructions to Us. We may use these recordings to assess, analyse and improve Our services, manage risk or to prevent and detect fraud and other crimes. We may capture numbers that We are called from and information about devices or software used.
Who We might share Your Personal Data with?
We may share Your Personal Data for the above purposes to the following data recipients:
- other HSBC Group companies and any sub-contractors, agents or service providers who work for or provide services to Us or other HSBC Group companies (including their employees, sub-contractors, directors and officers);
- the Client which You are the Connected Individual, anyone acting on Client’s behalf, payment recipients, beneficiaries, account nominees, intermediary, correspondent and agent banks clearing houses, credit card systems (MasterCard, Visa, etc) and market counterparties;
- any party to a transaction acquiring interest in or assuming risk in or in connection with the Our services;
- other financial institutions, tax authorities;
- other financial institutions, as necessary to conduct or assist other financial institutions to conduct credit checks, and/or credit reference agencies for the purposes of obtaining or providing credit references;
- any entity that has an interest in the products or services that We provide to the Client of which You are the Connected Individual, including if they take on the risk related to them;
- any HSBC Group company, newly-formed or incorporated company, (e.g. restructuring, acquisition or merger with other companies), or any company acquiring all or part of a HSBC Group company;
- auditors, regulators, independent administrative authorities, or dispute resolution bodies in order to fulfil their requests;
- other companies who do marketing or market research for Us;
- other parties involved in any disputed transactions;
- judicial or administrative authorities or administrative, civil and criminal courts;
- any member of HSBC Group in connection with or arising from any reporting obligations to any competent authorities of suspicious transactions by or involving a Client or Connected Individual or other third connected parties;
- anybody else that We have been instructed to share Personal Data with by a Client or anybody else who provides instructions or operates any of Clients accounts on their behalf any cultural, sport and entertainment event organizers acting on behalf of HSBC or with the sponsorship of HSBC or HSBC Group.
Transferring overseas Your Personal Information
Your Personal Data may be transferred to and stored in locations outside the European Union, including in countries that may not have the same level of protection of Italy or the European Union. We may need to transfer Personal Data to execute Our contract with the Client of which You are the Connected Individual, to fulfil a legal obligation, to protect the public interest or for Your or Our legitimate interests.
If We transfer Your Personal Data in a country outside the European union, We will ensure that Your Personal Data will be always protected. For this purpose, We will take relevant and appropriate measures for any Personal Data transfer (e.g. data encryption, express provision of contractual arrangements with the relevant data recipient, for example by introducing standard data protection clauses approved by the European Commission).
You can obtain more details of the protection given to Your Personal Data when it is transferred outside the European Union by contacting us. Please see ‘More details about Us’ section below.
Sharing Aggregated or Anonymised Information
We may share Your aggregated or anonymised information outside of HSBC Group with partners such as research groups, universities or advertisers. For example, We may share such information publicly to show trends about the general use of Our services. However, You won’t be able to be individually identified from this information.
How long We will keep Your Personal Data?
We may keep Your information whilst You are using Our services and platforms (e.g., Our website or mobile app), as Connected Individual(s) of Our Clients. Even if You decide to not use Our services and platforms anymore, We may need to retain Personal Data to comply with regulatory or legal requirements or where We may need it for Our legitimate purposes. If We don’t need to retain information for this period of time, We may destroy, delete or anonymise it more promptly.
We may need to retain Personal Data for a longer period to help Us respond to queries or complaints, fighting fraud and financial crime, responding to requests from regulators.
Your Rights
You have a number of rights in relation to Your Personal Data. These rights include:
- the right to access Personal Data We hold about You and to obtain information about how We process it;
- in some circumstances, the right to receive certain information You have provided to Us in an electronic format and/or request that We transmit it to a third party, where it is not technically possible (please, note that such a right is applicable only on Personal Data You provided us);
- the right to modify or correct Your Personal Data;
- in some circumstances, the right to request that We erase Your Personal Data. (Please, note that We may continue to retain Your Personal Data if We’re entitled or required to retain it);
- the right to object to, and to request that We restrict, Our processing of Your Personal Data in some circumstances. (Again, please, note that We may continue to process Your Personal Data if We’re entitled or required to process it).
You can exercise Your rights by contacting Us. More details can be found in the ‘More details about Us’ section below.
You may submit a complaint to the Italian Privacy Authority to the following address:
Autorità Garante della Privacy
Piazza Venezia n. 11
00187 ROMA
Fax: (+39) 06.69677.3785
Centralino telefonico: (+39) 06. 696771
E-mail: garante@gpdp.it
Posta certificata: protocollo@pec.gpdp.it
What We expect from You?
You are responsible for making sure the Personal Data You (or the Client of which You are the Connected Individual) give Us is accurate and up to date; and You must tell Us if anything changes as soon as possible. In case You provided Us information about third parties, You are responsible for making sure You have obtained the relevant authorization.
How We keep Your Personal Data secure?
We use internal technical and organisational measures to keep Your Personal Data safe and secure which may include encryption, and other forms of security measures. We require Our staff and any third parties who carry out any work on behalf of HSBC to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.
More details about Us
If You would like further information on this Privacy Notice, to exercise Your rights, or to contact Our Data Protection Officer (“DPO”), write to:
HSBC Continental Europe, ItalyVia San Protaso 3 - 20121 Milano
Or to DPO:
HSBC Continental Europe – Délégué à la Protection des Données
38, Avenue Klèber – 75116 Paris- (France)
e-mail: dataprotection@hsbc.fr
This Privacy Notice may be updated from time to time and the most recent version can be found online at www.hsbc.it
Appendix 1 – How We use Your Personal Data?
- Security and Business Continuity: We take measures to aid business continuity, information security (including physical security activities) in order to fulfil Our legal obligation and for internal risk strategy purposes as required in Our legitimate interest. We also implement Our security measures in order to protect Our employees and offices (in particular using a closed circuit television and monitoring recorded anti-social conduct).
- Risk Management: We will use Your Personal Data to measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer risk. This includes credit risk, traded risk, operational risk and insurance risk. Depending on products and active services, Your Data may be used in order to identify any risk of market abuse. We will do this to fulfil Our legal obligation and also because We have a legitimate interest in using Your information for these purposes.
- Online Banking, Mobile Apps and other online product platforms: We will use Your Personal Data to allow Us to provide You with access to HSBC online platforms and mobile apps. The platform may allow You to directly or indirectly communicate with Us through mobile apps. We will use Your Personal Data in order to make them rapidly available to You. The lawful basis for using Your Personal Data for this purpose is to perform Our contract with Clients.
- Product and Service Improvement: We will use Your Personal Data to identify possible service and product improvements by analysing information (in particular their effectiveness and profitability).
The lawful basis for processing Your information for this purpose is Our legitimate interests. - Data Analytics for tailored services: We will perform analysis on Your Personal Data to identify relevant opportunities to promote Our products and services to existing or prospective customers. This may include reviewing historical customer transactional behaviour or comparison of customer activity so We can provide more targeted products and services. The lawful basis for using Your information in this way is Our legitimate interest.
- Marketing: We will use Your Personal Data to provide You/Clients with information about HSBC products and services, and also products and services from Our partners and other relevant third parties. The lawful basis for this is Our legitimate interest. We will use Your Personal Data in order to organize cultural, sport and entertainment events sponsored by HSBC or HSBC Group.
- Protecting Our legal rights: We may need to use Your Personal Data to protect Our legal rights such as in the case of defending or the protection of legal rights and interests (e.g. collecting money owed; enforcing or protecting Our security or defending rights of intellectual property), court actions, managing complaints or disputes, in the event of a restructuring of companies or other mergers or acquisition. We would use this on the basis of legitimate business interests.
- Banking operations support: We will use Your Personal Data to enable the provision and function of Our banking services in line with regulation, current laws and customer rights and interests, e.g. complaints management and exit management. We will use Your Personal Data within the purpose to provide administrative and accounting services, to manage IT activities and infrastructure, in line with regulation, current laws and customer rights and interests, e.g. complaints management and exit management. The lawful reasons for processing these are legitimate interest, legal obligation and in order to perform Our contract with You.
- Compliance with laws and regulations: We ensure to enforce compliance with any legislation and regulation in force. The lawful reasons for processing Your Personal Data are legal obligation, public interest and Our legitimate interest.
- To prevent and detect crime: We will use Your Personal Data for the adoption of measures in order to prevent crime and any other violation, such as monitoring, mitigation and fraud risk management, carrying out customer due diligence, name screening, transaction screening and customer risk identification. We do this to comply with Our legal obligations or public interest and because it’s in Our legitimate interest. We may share Your information with relevant agencies, law enforcement and other third parties where the law allows Us to for the purpose of preventing or detecting crime. Additionally We and other financial institutions may take steps to help prevent financial crime and manage risk. We will do this because We have a legitimate interest, a legal obligation to prevent or detect crime or it’s in the public interest. We may be required to use Your information, even if You or they have asked Us to stop using Your information. That could include, in particular:
- screening, intercepting and investigating any payments, instructions or communications You send or receive;
- investigating who You’re paying or who’s paying You;
- combining the information We have about You with information from other HSBC companies;
- checking whether the people or organisations You’re paying or receiving payments from are who they say they are, and aren’t subject to any sanctions.
- Cookies: When using applications online, We will ask You to consent to Our use of cookies. For this purpose, the legal basis for the processing of Your personal data is Your consent.