DATA PRIVACY

Mediobanca – Banca di Credito Finanziario S.p.A. (“Mediobanca”) considers the data protection a fundamental principle to be guaranteed in the provision of its services.

Mediobanca is committed to safeguarding the protection and confidentiality of personal data, designing and implementing privacy procedures and standards in compliance with the principles set out by the Regulation (EU) 2016/679 on the protection of personal data (“GDPR”), by the Legislative Decree 30 June 2003, n. 196, containing the Personal Data Protection Code, as well as the provisions of the national and European authorities dealing with the matter.
For further information regarding the protection of personal data processed by Mediobanca, you may refer to the  Summary of Mediobanca’s Data Protection Policy.

In accordance with the new GDPR provisions, Mediobanca has appointed a Data Protection Officer.

The Data Protection Officer may be reached at the following email addresses:

• DPO.mediobanca@mediobanca.com;
• dpomediobanca@pec.mediobanca.com.

Mediobanca uses Data processors in relation to the processing of personal data. For further information please refer to the relevant  List of Processors.

Most relevant Mediobanca privacy information notices:

Private Banking

• Client information notice  (in Italian language only)
• Prospect information notice  (in Italian language only) 
• Online banking app information notice (in Italian language only)

Corporate Investment Banking  

• Client information notice

Other privacy information notices

• Public Offering of Financial Products information notice (only in italian language)
• Video surveillance information notice 
• Mediobanca website information notice

MOST RELEVANT ORGANISATIONAL MEASURES 

In addition to the above-mentioned Data Protection Policy, the most relevant organizational measures include:
Manual on Management of the Record of Processing Activities
This manual outlines the methodological approach for creating and maintaining the register, its structure and minimum content, the operational methods of compilation, and instances requiring updates.
Manual on Risk Analysis and Data Protection Impact Assessment (DPIA) 
This manual provides guidelines for conducting risk analysis and DPIA. It details the methodological approach, situations where DPIA is necessary, evaluation metrics, and instances requiring updates.
Manual on Personal Data Retention 
This manual establishes the criteria for determining the retention period for different categories of processed personal data. It also sets the general rules for preparing company procedures to ensure compliance with retention requirements.
Group Manual on Privacy by Design and by Default Principles 
This manual applies the principles of privacy by design and by default to Mediobanca Group initiatives that involve personal data processing, in accordance with external and internal regulations.
Group Directive - Personal Data Breach (Data Breach) 
This directive aims to regulate activities related to data breach management and the specific responsibilities assigned.
Operational Procedure on Risk Analysis and DPIA in Privacy 
This procedure describes the processes for conducting risk analysis and DPIA.
Operational Procedure on Privacy Rights of Data Subjects 
This procedure outlines the management of data subjects’ rights, facilitating the exercise of data access requests, rectification, cancellation, and the right to object.
Operational Procedure on Privacy Consents 
This procedure describes the management of consent, ensuring data subjects can easily revoke or modify their consent.
Operational Procedure on Managing Privacy Profiles Related to Suppliers 
This procedure governs the activities leading to the identification of the privacy profile of suppliers who process personal data owned by the bank.
Directive on Managing Traceability of Banking Operations 
This directive provides the criteria and general rules that Mediobanca has adopted to comply with the obligations prescribed by Provision 192/11, issued by the Italian Data Protection Supervisory Authority (Garante Privacy), for identifying and analyzing potential unauthorized access to clients’ personal data.
Operational Procedure on the Processing Register in Privacy 
This procedure regulates the process of preparing and maintaining the record of processing activities, as required by the GDPR.
Operational Procedure on the Deletion of Personal Data 
This procedure regulates the periodic process of deleting personal data for each category of data subject.