Personal data protection

The new General Data Protection Regulation (GDPR) enters into application on 25 May 2018. It places greater responsibility on data processors and strengthens the rights of natural persons whose data is collected.

Access to certain pages of the site may be subject to the prior communication of your personal data. Only the data used for the performance of its services is stored by Intesa Sanpaolo Servitia S.A. on electronic or other forms of storage.

The personal data communicated to it within this context is confidential and will never be transmitted to third parties without the prior approval of the data subject and in compliance with the laws of Luxembourg on the protection of data.

All site users have the right to obtain communication of the information concerning them, and the right to rectify this information, subject to providing evidence of their identity and in conformity with legislation on the protection of persons with regard to the processing of personal data.


Protection Of Personal Data

The purpose of this Privacy Notice is to inform you of how Intesa Sanpaolo Servitia S.A. (‘ISP Servitia’, “we”, “us” or “our”) processes your personal data in the course of its business operations.
This Privacy Notice is addressed to:

  • All clients and/or suppliers of ISP Servitia (whenever they are natural persons), or the respective individuals acting on their behalf
  • Visitors to ISP Servitia’s office premises
  • Job applicants and other recruitment candidates
  • Users of ISP Servitia’s website (website use and use of cookies)

For the avoidance of doubt, this Privacy Notice does not concern external consultants who are involved in the provision of exclusive professional services of ISP Servitia on a temporary basis.


Controller and Data Protection Officer

ISP Servitia is the data controller for all the processing operations described in this document. We control the ways your personal data are collected and the purposes for which we process them.
ISP Servitia has nominated a Data Protection Officer (DPO) who can be contacted at the following email address: dpo@intesasanpaoloservitia.com.


Which Information Do We Collect, how and why?

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose.
Personal data addressed by this Privacy Notice is processed to ensure standard business operations of ISP Servitia, recruitment management and collaboration with the clients and suppliers, and to ensure a secure and sufficiently equipped working environment, which guarantees continued and uninterrupted business operations.

  • If you are a job applicant, follow this link for more details on how we process your data: link
  • If you are a representative of ISP Servitia’s client, follow this link for more details on how we process your data: link
  • If you are a representative of ISP Servitia’s supplier, follow this link for more details on how we process your data: link
  • If you are using ISP Servitia’s website, follow this link for more details on how we process your data: link
  • If you are a visitor to ISP Servitia’s premises, follow this link for more details on how we process your data: link
  • If you are a whistleblower reporting an offense, follow this link for more details on how we process your data: link


Do we process any special categories of personal data and do we use automated decision-making?

We do not process any special categories of personal data.
We would like to assure you that none of the above processing activities involves automated decision-making or profiling.


How long do we keep your data (retention period)?

We keep your personal data as long as necessary to comply with a mandatory legal requirement, to the extent that such retention periods are prescribed in the applicable laws. All other personal data will be kept for no longer than necessary to fulfil its purpose. You can get any further information by contacting us at the following email (dpo@intesasanpaoloservitia.com).

When personal data is collected for multiple purposes, it is retained until the longest retention or storage period has expired. In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case it is no longer considered as personal data. Upon expiry of the applicable retention period we will securely destroy your personal data.


With whom do we share your data?
Your personal data may be shared with parties both internal and external to ISP Servitia:
Within ISP SERVITIA: The recipients of your personal data are normally ISP Servitia members of staff. They may also be interim workers, trainees, or external consultants working for ISP Servitia.
Outside of ISP SERVITIA: depending on the processing activity, we might be sharing your personal data with the following external parties:
  • Our parent company and other companies from the corporate network providing shared services
  • Competent statutory authorities when exercising their powers to receive or request information as provided under the law, for example: tax authorities, CSSF, etc.
  • Third party processors that are used by ISP Servitia to outsource certain services and activities, such as partnership banks, internal and external audit firms.

ISP Servitia further ensures that when third-party service providers process data on behalf of ISP Servitia, appropriate contractual safeguards are put in place to protect your personal data.
Please note that we may use or disclose your personal data, if we are required by law to do so or if we reasonably believe that use or disclosure is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, or other legal processes.
Your personal data is processed exclusively in Luxembourg and in Italy. We do not share your personal data with parties that are located in jurisdictions outside the European Economic Area (some exceptions may apply with respect to personal data that we process through the use of cookies, which you can consult through this link).


What are your rights concerning your data?
You have various rights as an individual which you can exercise under certain circumstances in relation to your personal data that we hold. You have the right to access, rectify, delete or limit the processing of personal data collected concerning you:
  • Your right of access - you have the right to ask us for copies of your personal information.
  • Your right to rectification - you have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure - you have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing - you have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to lodge a complaint - you have the right to lodge a complaint about the way we process your personal data with the CNPD (Commission Nationale pour la Protection des Données), located at: 15 Bd du Jazz, 4370 Belvaux, Luxembourg, www.cnpd.public.lu.

You can also contact us at dpo@intesasanpaoloservitia.com if you wish to make a request or lodge a complaint directly with us. You are not required to pay any charge for exercising your rights. If you make a request, we will undertake all necessary efforts to respond within a reasonable period of time.


How do we protect your personal data?

The security of your personal information is of great importance to Intesa Sanpaolo Servitia S.A. We use reasonable technical and organizational measures to protect your and our customer’s data from loss, damage, deletion, misuse, unauthorized access, disclosure or alteration.


Updates to our Privacy Notices

ISP Servitia keeps its Privacy Notice under regular review.
This Privacy Notice was last updated on 15/12/2023.

Contact information
If you have questions or concerns regarding this Privacy Notice, please do not hesitate to contact us at dpo@intesasanpaoloservitia.com or send your request to the following address: 28, Bvd de Kockelscheuer – L-1821 Luxembourg.


Specific part applicable to job applicants
Recruitment of employees
  • Purpose of the personal data processing: Finding, screening and soliciting appropriate talent to be hired for open employment positions within the company and thus to support (as employees) ISP Servitia’s operations, which includes: approval of job openings, review and approval of selected candidates (background checks could possibly be performed), direct recruitment of employees or body-leasing for various functions in the organization.
  • Categories of personal data processed: Names, contact details, educational and professional background, professional qualifications, recommendations from previous employers, hobbies and personal interests.
  • Lawful basis for processing: Legitimate interest of ISP Servitia (**): During the recruitment process, the processing of your personal data is based on ISP Servitia’s legitimate interest, which is to screen, solicit and hire appropriate human capital that best meets our business needs.

Specific part applicable to clients
Business administration operations
  • Purpose of the personal data processing: Ensuring compliant reporting of ISP Servitia in line with the applicable financial, commercial, accounting, tax and other regulatory regimes to which we are subject, which includes: (i) general accounting and financial administration, (ii) regulatory checks in the context of AML/KYC when establishing client relationships, (iii) internal and external audit activities, (iv) management of the contractual relationships with clients, (v) client and service management, service offering.
  • Categories of personal data processed: Names, date of birth and other personal identifiers, job titles, corporate contact details, criminal/police record (on an exceptional basis), financial status related to your work at/with ISP Servitia, signatures.
  • Lawful basis for processing: Legal obligation for ISP Servitia (*): Processing activities (i), (ii) and (iii) related to business administration management are subject to the commercial, accounting, anti-money laundering and tax laws applicable to corporations in Luxembourg. Legitimate interest of ISP Servitia (**): Processing activities (iv) and (v) are exercised on the basis of ISP Servitia’s legitimate interest aimed at maximising the value in our service offering and relationships with clients.

Logical access management
  • Purpose of the personal data processing: Ensuring secure, continuous and uninterrupted operations at ISP Servitia, whenever individuals external to ISP Servitia’s operations (such as clients and their representatives) need to access the company’s systems and platforms, which includes: (i) logical access management and access monitoring, (ii) implementation and use of a digital signature management system.
  • Categories of personal data processed: Names, job title, corporate contact details, access rights, IP address, active logs, mail exchange, authentication data for connecting to ISPS systems, personal signature.
  • Lawful basis for processing: Legal obligation for ISP Servitia (*): Being a regulated support PSF entity, ISP Servitia is subject to strict regulation from the Commission de Surveillance du Secteur Financier (‘CSSF’) in terms of information security management. Processing activity (i) is based on the binding circulars of the CSSF, amongst which are Circular CSSF 11/503, Circular CSSF 12/554 and Circular CSSF 21/769. Legitimate interest of ISP Servitia (**): Processing activity (ii) is exercised on the basis of ISP legitimate interest relevant to the implementation of systems, software and platforms which maximise efficiency in our business operations, by automating certain processes and facilitating, supporting or reinforcing the relationships with clients.

(*) The non-provision of the personal data would result in a failure to meet the respective mandatory requirements of the law.
(**) When the processing of personal data is based on our legitimate interest, we perform a balancing test, to make sure that this interest does not override the interests or fundamental rights and freedoms of the data subjects concerned.

Specific part applicable to suppliers
Business administration operations
  • Purpose of the personal data processing: Ensuring compliant reporting of ISP Servitia in line with the applicable financial, commercial, accounting, tax and other regulatory regimes to which we are subject, which includes: (i) general accounting and financial administration, (ii) internal and external audit activities, (iii) management of the contractual relationships with suppliers, (iv) supplier and service management, service offering.
  • Categories of personal data processed: Names, personal identifiers, job titles, corporate contact details, financial status related to your work at/with ISP Servitia, signatures.
  • Lawful basis for processing: Legal obligation for ISP Servitia (*): Processing activities (i) and (ii) related to business administration management are subject to the commercial, accounting and tax laws applicable to corporations in Luxembourg. Legitimate interest of ISP Servitia (**): Processing activities (iii) and (iv) are exercised on the basis of ISP Servitia’s legitimate interest aimed at maximising the value in our service management and relationships with suppliers.

Logical access management
  • Purpose of the personal data processing: Ensuring secure, continuous and uninterrupted operations at ISP Servitia, whenever individuals external to ISP Servitia’s operations (such as suppliers and their representatives) need to access the company’s systems and platforms, which includes: (i) logical access management and access monitoring, (ii) implementation and use of a digital signature management system.
  • Categories of personal data processed: Names, job title, corporate contact details, access rights, IP address, active logs, mail exchange, authentication data for connecting to ISPS systems, personal signature.
  • Lawful basis for processing: Legal obligation for ISP Servitia (*): Being a regulated support PSF entity, ISP Servitia is subject to strict regulation from the Commission de Surveillance du Secteur Financier (‘CSSF’) in terms of information security management. Processing activity (i) is based on the binding circulars of the CSSF, amongst which are Circular CSSF 11/503, Circular CSSF 12/554 and Circular CSSF 21/769. Legitimate interest of ISP Servitia (**): Processing activity (ii) is exercised on the basis of ISP legitimate interest relevant to the implementation of systems, software and platforms which maximise efficiency in our business operations, by automating certain processes and facilitating, supporting or reinforcing the relationships with suppliers.

(*) The non-provision of the personal data would result in a failure to meet the respective mandatory requirements of the law.
(**) When the processing of personal data is based on our legitimate interest, we perform a balancing test, to make sure that this interest does not override the interests or fundamental rights and freedoms of the data subjects concerned.

Specific part applicable to website use and cookies
Our website does not use cookies.

Specific part applicable to visitors at the building (physical and logical access)
Physical access management
  • Purpose of the personal data processing: Controlling the entry and exit of external visitors to ISP Servitia’s office premises, thus ensuring a secure physical environment for the people working on-site and protection of the information and personal data processed indoors, which includes: (i) monitoring of the entries and exits to the building and key passageways, (ii) signing non-disclosure agreements with visitors to ISP Servitia’s premises.
  • Categories of personal data processed: Names, place of employment, signatures, video image, physical movement in the shared areas of the office premises.
  • Lawful basis for processing: Legitimate interest of ISP Servitia (**): Processing activities (i) and (ii) are exercised on the basis of ISP Servitia’s legitimate interest related to the restriction of unauthorised access to our premises and to ensuring maximum security for our personnel and our tangible and information assets.

Wi-Fi Guest Management
  • Purpose of the personal data processing: Allow ISP Servitia guests to use the Wi-Fi network.
  • Categories of personal data processed: Name, Username, email, company, personal or corporate number, IP Address, MAC number.
  • Lawful basis for processing: Legitimate interest of ISP Servitia.

Specific part applicable to whistleblowers
Whistleblowing report management
  • Purpose of the personal data processing: Ensuring that reports of misconduct, illegal activities or unethical behaviour within the organisation are received, assessed and investigated, and that appropriate action is taken. This activity involves the collection and processing of personal data provided by whistleblowers in order to initiate the necessary investigations and implement measures to address the reported offences.
  • Categories of personal data processed: Whistleblower’s personal data (if applicable); any related information included in the report received.
  • Lawful basis for processing: Legal obligation for ISP Servitia: Processing activity is based on Law of May 16, 2023 transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019 on the protection of persons who report violations of Union law.