PRIVACY NOTES



This document describes the privacy policies on the processing of personal data adopted by Generali Real Estate S.p.A. (the Company), which manages GREta (Generali Real Estate tenant app). The Company, like its parent company, Assicurazioni Generali S.p.A. (Assicurazioni Generali), has always paid maximum attention to confidentiality, protection and safety of the information it processes, especially when they relate to personal data of clients and counterparties the Company interacts with.
 
Website’s users (the Data Subjects) are therefore invited to consult this privacy policy before accessing and browsing through the pages of this website. This privacy policy complies with the guidelines adopted by Assicurazioni Generali, and are applicable at group level in connection with the processing of personal data (the Personal Data, as defined in Article 4, paragraph 1, number 1 of Regulation EU No 2016/679 (General Data Protection Regulation, “GDPR”).          

This information is given pursuant to Articles 12 and 13 of GDPR by the Company, as data controller, to all Data Subjects with reference to the processing of their Personal Data collected via this website. This information is intended to be general and provided to any individual interacting with this website/app. The Company may provide Data Subjects with further specific information along with the relevant request of consent, if any, where consent is required in relation to the type of personal data and / or processing operations applied. This information will be provided in dedicated sections, where Data Subjects should make a specific request to the Company. Please be aware that legal entities, either a company, an organization and association, do not fall within the definition of “data subjects” and thus the provisions of GDPR do not apply to the processing of data and information concerning such entities. Notwithstanding the above, please consider that personal data of employees, managers, legal representative of legal entities shall be processed pursuant to and in accordance with the GDPR.  

This information applies exclusively in relation to the use of the this website only. It does not apply to the processing of Personal Data which might be collected through other websites of the entities of the Generali group that the Data Subject might access via any link found in the pages of this website.  

Personal Data collected by the Company from Data Subjects (including, in particular without limitation, name, surname, address, occupation, position held, employer / associated company, phone number and email address, information regarding financial reliability and integrity, etc.) shall be processed in accordance with the obligations to which the Company and any other entity of the Generali group acting as data controller and / or data processor is subject to under the GDPR.  

The Company collects Personal Data only if and when such collection is strictly necessary to provide the requested services.  Browsing this website for consultation purposes only does not entail the submission of any Personal Data. However, even without any active submission of Personal Data by the Data Subject, information, such as the IP addresses, domain name of Data Subjects’ device; the uniform resource identifiers of the requested resources, the time of Data Subjects’ request, the method Data Subjects use to submit such request to the server, the file size obtained in response, the numerical status code received in response by the server (e.g. successful, error, etc.), session IDs, are “passively” collected by the system and may be used for the purposes of creating profiles relating to the user of this website.      

As regards the passive collection of such information, the website:

  • ● does not use IP addresses to collect information although memorizes them within browsing data;

  • ● uses aggregated browsing data for statistical purposes;

  • ● uses cookies and other session IDs with the purpose of enable browsing or to the extent they are necessary to provide the service requested by the user in accordance with the so called e-Privacy Directive (Directive 2002/58/CE concerning the processing of personal data and the protection of privacy in the electronic communications sector) and relevant national implementing legal provisions. Moreover, cookies may be installed on this website also for pursuing other purposes. Data Subjects may obtain more information on these purposes and how the Company uses cookies by consulting the Cookie Policy.

 

PURPOSES AND LEGAL GROUNDS OF THE PROCESSING

The Personal Data may be lawfully processed by the Company by means of electronic tools and/or hard copies, according to Article 6 GDPR, when:  

  • ● processing is necessary for complying with a legal obligation to which the Company is subject (i.e. obligations under fiscal laws, anti money laundering legislation or employment legislation), under Article 6, let. c), GDPR;

  • ● processing is necessary for the performance of an agreement to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into an agreement (i.e. to access certain services, including forms to be populated by the Data Subject that has an interest in one of the properties of the Company, advertised on this website), under Article 6, let. b), GDPR;      

  • ● processing is necessary for the purpose of the legitimate interests pursued by the Company (i.e. the Company has a legitimate interest to process Personal Data collected, including browsing data, only for statistical purposes and to retrieve previous responses to similar enquiries to deal with enquiries efficiently), under Article 6, let. f), GDPR;  

  • ● the Data Subject has given consent to the processing of his/ her personal data for one or more specific purposes (i.e. to be regularly informed about Company initiatives such as events, seminars and marketing initiatives), under Article 6, let. a), GDPR.  If the Company intends to process Personal Data for a different purpose than the ones for which they were collected, before such further processing it will provide the Data Subject with any necessary information on this further purpose and any other pertinent information, and collect consent, where appropriate. Please note that in case Data Subjects send an e-mail using the e-mail addresses indicated on this website, for the purposes specified from time to time, the Company will collect and subsequently process the sender’s e-mail address and any other Personal Data included within the message, with the methods and purposes already indicated above. This submission will also entail the knowledge of these privacy notes.



 

METHODS OF PROCESSING

The Company shall process Personal Data collected from the Data Subjects in a lawful and proper manner, thereby ensuring confidentiality and safety of these Personal Data. The processing of Personal Data, which includes the collection of Personal Data and all other operations included in the definition of "processing" under Article 4, paragraph 1, No 2 GDPR (including, by way of example but not limited to, the recording, processing, communication, storage and destruction of Personal Data) shall be performed by manual, computerised and/or electronic, automated or similar means, employing organisational methods and processes strictly related to the purposes indicated. Personal Data is stored for the time necessary to fulfil the purposes for which it was collected (see below), in accordance with applicable laws and any orders issued by the Italian Data Protection Authority (“Garante per la protezione dei dati personali”). The information systems and software procedures relied upon to operate this website acquire personal data as part of their standard functioning; the transmission of such data is an inherent feature of Internet communication protocols.
This data category includes the IP addresses and/or the domain names of the computers and terminal equipment used by any user, the URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources, the time of such requests, the method used for submitting a given request to the server, returned file size, a numerical code relating to server response status (successfully performed, error, etc.), and other parameters related to the user's operating system and computer environment. 
These data are necessary to use web-based services, and are also processed in order to: - extract statistical information on service usage (most visited pages, visitors by time/date, geographical areas of origin, etc.);
- check functioning of the services.
Browsing data are kept for no longer than seven days and are erased immediately after being aggregated (except where judicial authorities need such data to establish the commission of criminal offences).
 
The employees of the Company and / or the entities of the Generali group who process Personal Data have been appointed as employees in charge of the processing and operate on the basis of specific instructions received by the Company. The Personal Data collected for the purposes of the processing is only accessible by persons within the Generali group companies who need such access by virtue of their activities or duties, such as, by way of example, but not limited to: employees in charge of external and customer relations, secretarial staff, managers and officers of Generali group companies. Such persons are adequately trained to avoid accidental loss or unauthorized use of Personal Data.
 
Due to specific technical and organization needs, the Company may rely on third parties to carry out parts of its processing of Personal Data. Such third parties are appointed as data processors.  

After the completion of the processing of Personal Data, the Company will delete the data collected or will anonymize such data (i.e. by deleting any reference to the Data Subject), unless the Company is required to keep on processing such Personal Data by laws and / or regulations.  

The Company may disclose Personal Data to pursue the purposes for which they are collected, both within the Generali group or to: (i) the supervisory Authorities, (ii) third party suppliers acting on behalf of the Company in providing services, such as – by way of example – data management, technical support, legal advisory, marketing agencies, etc., whose support the Company may rely on for purposes strictly related to the purposes of the processing set out in this information given pursuant to Article 13 of GDPR.  

A list of data processors appointed by the Company may be requested by the Data Subject at any time. The provision of his / her Personal Data to the Company by the Data Subject is voluntary and discretionary, except for those data that have been automatically collected by means of the cookies. The Company does not process any Personal Data only based on automated decision-making processes.    

  

RIGHTS OF DATA SUBJECTS

the rights granted to the Data Subject, pursuant to articles 15 – 22 GDPR, are: Right of access (the Data Subject has the right to obtain confirmation of whether or not the Company is processing his / her Personal Data and to access the Personal Data processed by the latter)
Right of rectification (the Data Subject has the right to ask to the Company to obtain from the latter without undue delay the rectification of inaccurate Personal Data concerning him or her. If the Data Subject is registered on the website or on the app, he / she can access his / her profile and rectify his / her data in this way)
Right to erasure / right to be forgotten (the Data Subject has the right to obtain from the Company the erasure of Personal Data concerning him / her without undue delay where one of the requirements listed by Article 17 GDPR applies)
Right to restrict the processing (the Data Subject has the right to obtain from the Company restriction of processing where one of the requirements listed by Article 17 GDPR applies, in which case, Personal Data will be processed by the Company only as strictly necessary for exercising its rights and replying to any complaints)
Right to data portability (the Data Subject has the right to receive Personal Data concerning him / her, which he / she has provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller) Right to object (the Data Subject has the right to object on grounds relating to his / her particular situation, at any time to processing of Personal Data concerning him / her). Right not to be subject to a decision based solely on automated processing (the Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him / her or similarly significantly affects him / her)
Right to lodge a complaint (the Data Subject has the right to lodge a complaint with the competent supervisory authority where Personal Data processing is deemed illegitimate or otherwise not compliant with the GDPR (the Italian Supervisory Authority is the “Garante per la protezione dei dati personali” https://www.garanteprivacy.it /)
To exercise these rights or to get more information, Data Subjects may send their requests to privacy.gre@generali.com, indicating in the subject “exercise of rights under the GDPR” and inserting the reference in the body of the e-mail to the right they intend to exercise. Once the Company has processed the request received, it will send its reply within the terms indicated in Article 12 GDPR. Data Subjects may send the same request or enquiry to Company’s Data Protection Officer at dpo.gre@generali.com.
 

EXERCISE OF RIGHTS

The Company has appointed a Data Protection Officer, whose task is to act as the contact point for the Data Subjects on issues relating to personal data processing. The Data protection Officer is available at dpo.gre@generali.com. 

To ensure the compliance with the law and the guidelines applicable to all the functions of the Company, the following areas of Privacy Responsibility have been identified:

  • ● Human Resources & Organization


  • ● Real Estate Services Procurement


  • ● Administration and IT Services


  • ● Property


  • ● Facility


  • ● Building


    APPLICATION OF LEGISLATION Generali Real Estate S.p.A. is constantly committed to be compliant with the provisions of this policy, adapting its organization, from time to time, with any new provision if issued. For any question or concern regarding this policy, you can contact the Company‘s DPO, by writing to dpo.gre@generali.com. Generali Real Estate S.p.A., in any case, commits itself to collaborate with the competent authorities, to resolve any complaint regarding the transfer of personal data that are not resolved directly with the single users/ Data Subjects.       

    GLOSSARY

    IP Address: ID code that identifies the user’s computer and is assigned by the internet provider. It may not be considered as personal data because it is often dynamically assigned – it changes from time to time depending on the connection. It is used for diagnosis and optimization purposes by the provider.
    Cookies: Short strings of IT records. They are sent by the service provider’s server to the user’s computer attached to an ID that enables future activation. Thanks to cookies, the user’s computer and navigation preferences can be identified when the user accesses the website again. Cookies can be temporary (they are cancelled when the session terminates and are used to optimize browsing on the website) or permanent (they are installed on the user’s hard disk unless the user deletes them; they can record a wide range of information which can be retrieved later by the service provider for several purposes). By adequately setting the browser, the user can control how to use cookies. If you wish to have more information on cookies and how the Company uses cookies, please consult our Cookie Policy.
    Internet Tags: Strings shorter than cookies which are mainly used to record technical data such as the IP and the user’s browser. They are also known as “invisible GIFs”, “clear GIFs”, “1-by-1 GIFs”, “single-pixel GIFs”.
    Browsing data: Files archived in the provider’s server, also known as “log files”, “clickstream data”, “server logs”. They can automatically record data relating to the connection for purposes such as accounting and administrative activities and the User’s profile analysis (e.g. system management, browser type, date and time of visit, images and texts the user clicked on, purchases, file downloads, screen settings) with the aim to improve website content. Registration: Users are asked to fill a form with several personal data, which can be mandatory or discretionary, to fulfil a specific task. Depending on the services provided, the registration can entail contractual obligations. A specific disclaimer must be provided to the user when registering. If necessary, the user’s consent must be obtained.