Merchant Information

INFORMATION TO MERCHANTS AFFILIATED WITH ATM BRAND SERVICES^® PURSUANT TO ART. 14 OF REGULATION 2016/679/EU

Acceptance of physical and/or virtual payment cards bearing the BANCOMAT brand^® and the acceptance of the ATM digital instrument^® Pay for smartphone payments (jointly”services”) are reserved for merchants who have signed a special agreement contract (”Affiliated Merchants” or”Exhibitors”) with its member bank (”Adherents”) to the ATM circuit^® (”Circuit”). As part of the Services indicated above, BANCOMAT S.p.A. manages and governs the technological infrastructure aimed at processing and processing the transactions carried out within its Circuits.

Hereby, pursuant to art. 14 of the General Regulation 2016/679/EU on data protection (”GDPR”) — and in accordance with national legislation Pro Tempore in force (collectively with the GDPR,”Privacy Policy”) — we would like to provide appropriate information about the treatments carried out by BANCOMAT S.p.A., as data controller (”titular” or”ATM”), in relation to the personal data of the Affiliated Merchants for the use of the Services mentioned above.

‍

TYPE OF DATA PROCESSED

Personal data (”Data”) processed as part of the Services consist of data, directly or indirectly, identifying natural person Merchants such as, by way of example, the name and surname, tax code, VAT number, IBAN, user code.

It should be noted that the above-mentioned Data are provided to the Data Controller - by virtue of its role as manager of the Circuit to which the Services themselves are related - by the Members also through the technical structures appointed by them.

‍

PURPOSE AND LEGAL BASIS OF THE TREATMENT

The Data is processed for the following purposes and on the basis of the conditions of lawfulness (“legal bases”) indicated respectively:

1. to ensure the correct provision of the Services - including the processing of the transactions/payments made on the Circuit, the monitoring of the correct performance of the Services, the management of any disputes or disclaimers such as, for example, lack of accreditation, double charges, incorrect amounts, transactions with a non-compliant outcome - executing the contract with the Member of which the Merchant is an interested party (ex art. 6, paragraph 1, letter b of the GDPR);
2. for the fulfillment of any legal obligations - even at the administrative level - such as: the invoicing of the Services, the execution of orders or requests from public authorities (pursuant to art. 6, paragraph 1, letter c of the GDPR);
3. for the pursuit of the legitimate interest of the Data Controller in (i) exercise their rights in any judicial offices, (ii) monitor and monitor any fraudulent events that may occur on them and (iii) anonymize the Data for statistical purposes (ex art. 6, paragraph 1, letter f of the GDPR).

The provision of Data for the purposes indicated above (with particular reference to points i. and ii.), in addition to being necessary to allow the proper functioning of the Services, is made mandatory by the technical functioning of the Circuit itself. Therefore, the subsequent request for cancellation of the same, makes it impossible for Merchants to continue to use the Services and to operate within the Circuit by accepting payments by physical and/or dematerialized card and smartphone.

The same Data, aggregated and irreversibly transformed into anonymous form, may be used for statistical purposes and for sector studies. This information and anonymized data may be used to create reports relating to the performance of related Services within the reference market. These reports may be used for internal analysis and/or shared with third parties (for example, Members) who are interested in them, but any marketing purpose is excluded.

It should be noted, then, that, as part of the purpose related to the tax credit on electronic payment commissions governed by art. 22, of Legislative Decree no. 124/2019, BANCOMAT processes - as data controller - the Data of Merchants, for the sole purpose of allowing them to enjoy the benefits associated with the tax credit, as required by the Provision of the Revenue Agency of 30 June 2022, issued in implementation of art. 22, paragraph 5, of Legislative Decree no. 124/2019. For detailed information regarding this treatment, please refer to the dedicated privacy policy [Privacy for Reporting to the Revenue Agency].

‍

METHODS OF TREATMENT

The Data are processed by the Data Controller, through specially authorized and specifically trained personnel, and - outside - by subjects who, appointed as data processors (”Managers”), provide activities that are instrumental to the operation of the Services. The Data is processed exclusively for the pursuit of the purposes indicated above and through the use of automated and non-automated tools, ensuring the adoption of technical and organizational measures aimed at preventing any security breaches that may result in their destruction, loss, modification, unauthorized disclosure or illegal access.

Among the Managers, by way of example and not exhaustive, are: the provider of the technological platform necessary to allow the provision of the Services and the processing of transactions; the provider of the Tokenization technological platform; the providers of management and technological maintenance services for the Data Controller's systems. The updated list of all Managers may be requested from the Data Controller at the addresses indicated below.

In addition to what may be mandatory by law, the Data may also be communicated to third party data controllers (for example, any external professionals and legal advisors and the external auditing firm), as well as to public authorities in various capacities invested with supervisory and control tasks against BANCOMAT and/or to the judicial authority and police forces, if it is necessary to report a crime or, in any case, to pursue their legitimate interest in exercising a right in court.

In any case, the Data will not be subject to dissemination, meaning that they are made available to unspecified subjects.

The processing of Data outside the European Economic Area is not envisaged, except to the extent that the above-mentioned Managers need, for the purpose of carrying out the activities necessary for the functioning of the Services, to transfer the Data - or access them - to/from non-EU countries. In any case, if it is necessary to carry out non-EU data processing, the same will take place in full compliance with the principles contained in articles 44 et seq. of the GDPR.

‍

DATA RETENTION PERIOD

Without prejudice to compliance with legal obligations and/or the establishment of any disputes, the Data related to the use of the Services will be kept for ten years from the termination of the agreement with the member bank; the Data relating to individual transactions will be kept for ten years from the date they were carried out.

‍

DATA CONTROLLER AND DATA PROTECTION OFFICER

The data controller is BANCOMAT, in the person of the pro tempore Chief Executive Officer, with registered office in Piazzale Luigi Sturzo 15, 00144, Rome.

Pursuant to art. 37 et seq. of the GDPR, BANCOMAT has appointed a Data Protection Officer domiciled for the function at its registered office and always reachable at the e-mail address privacy@bancomat.it.

For more information on the processing of personal data carried out by Member Banks, please refer to the contract between the Member and the Affiliated Merchant.

Further data processing may be carried out in the face of particular initiatives and additional functionalities and value-added services made available from time to time by the Data Controller and that the Member chooses to make available to the Merchants, with the consequent updating of this Information.

‍

RIGHTS OF INTERESTED PARTIES

The subjects to whom the Data refer (”Interested”) can exercise at any time, free of charge and without formalities, the rights referred to in articles 15 to 22 of the GDPR, including, in particular, the right to request access to personal data, the correction or cancellation of the same, the limitation of processing, as well as the right to data portability or the right to object to processing in the cases referred to in art. 21 GDPR.

Requests relating to the exercise of the rights described above should be addressed to BANCOMAT at the headquarters address, located in Piazzale Luigi Sturzo 15, 00144, Rome, or to the following e-mail address: privacy@bancomat.it. In response to these requests, the Data Protection Officer is appointed (”DPO”) designated by BANCOMAT pursuant to articles 37 et seq. of the GDPR.

Finally, if interested parties believe that the processing of their personal data carried out in relation to the above-mentioned Services is carried out in violation of the provisions of the GDPR, they have the right to lodge a complaint with the Guarantor, as required by art. 77 of the GDPR itself or to take appropriate legal action (art. 79 GDPR).

The text of this information is subject to periodic changes. It is advisable to check the BANCOMAT institutional website for the always updated version of the same

‍