UK
Leveraging PSD2
Account Aggregation - AISP
Dive deeper into transactional data and create value-added services
Payment Initiation - PISP
Accept A2A payments with the Fabrick licence
Bank coverage via API
Discover all of our connected banks
Mastering end-to-end payments
Fabrick Payment Orchestra
Enhance your payment management system and your information flows
Fabrick Payment Gateway
Accept payments on your website and app
Fabrick Advice
Leveraging SCA exemptions with real-time risk analysis
Fabrick Guaranteed payments
Secure payments with post-authorisation fraud checks and chargeback guarantee
Fabrick Payment Facilitator
Get pre-reconciled credits directly into your account
Unlocking banking services for businesses
Lending Place
Offer quick and easy loans
Industry
Banking and Financial Services
Fashion
Fintech
Ho.Re.Ca.
Insurance
Automotive
Customer stories
Insights
Articles
Whitepapers
Developers
Our APIs
Fabrick Producers
TPP Portal
Login Consumer Portal Fabrick
Corporate
Fabrick ecosystem
Our history
Our mission
Management Team
The Open Finance platform
Fabrick People
Our team
Why Fabrick
Career opportunities
Media Hub
Press releases
Press review
Events
Media kit
Privacy PolicyPrivacy POS, Cashin, E-commerce and Payment Facilitator service customers

Information on personal data processing

POS, CASHIN, E-COMMERCE AND PAYMENT FACILITATOR SERVICE CUSTOMERS

Version 1Last update on 04/2024

Under Articles 13 and 14 of EU Regulation 2016/679 (hereinafter referred to as the "Regulation"), also known as GDPR, Fabrick S.p.A. (hereinafter referred to as the "Company" and/or the "Controller") provides you with the following information regarding the characteristics of the processing it carries out on your personal data.

1) Who is the Controller of the processing of your personal data?

The Controller of the processing of your personal data is Fabrick S.p.A. with registered office in Biella, Piazza Gaudenzio Sella, No. 1.

2) How to contact the Data Protection Officer?

The Data Protection Officer (hereinafter "DPO" or "DPO - Data Protection Officer") can be contacted at the following addresses:

  • Postal address: Piazza Gaudenzio Sella No. 1, 13900 Biella (BI) - DPO
  • Email address: privacy@fabrick.com

3) What categories of personal data are processed and what are the sources of the data?

Your personal data - as a customer or legal representative of the company or freelancer or sole proprietor client - which the Company may process are:

  • personal, contact, and contractual data (e.g., name, surname, gender, date and place of birth, residential/domicile address, identity document, email, PEC, telephone, academic qualifications, registered office, VAT number, profession, sector of reference, website);
  • data revealing economic situation (e.g., banking data depending on the payment method, data relating to payment transactions, annual turnover);
  • multimedia data (e.g., recordings of phone calls and chats in case of customer support, username, access logs to the Controller's systems).

In the event of subscribing to services provided by the Controller as a Payment Institution authorized by the Bank of Italy, the Company is required to carry out the checks provided for by the current legislation on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing (hereinafter, the "Anti-Money Laundering Legislation"). Therefore, in this case, the following categories of personal data relating to the legal representative and/or the declarant and/or the ultimate beneficial owner will also be collected:

  • personal, contact, and contractual data (e.g., name, surname, tax code);
  • sociodemographic data (e.g., data relating to income, profession, wealth);
  • public context information (e.g., performance of public or political functions, inclusion in blacklists and/or watchlists for control);
  • information related to overall operations (e.g., information related to payment transactions).

The above-mentioned data are provided by you personally to the Controller, also through your delegate, as part of the contract signing process and - where provided for - the checks carried out by the Company in compliance with the Anti-Money Laundering Legislation or emerged within the same, even during the relationship.

4) On what legal bases and for what purposes does the Company process your personal data?

The processing of your personal data is carried out by the Controller for the purpose of:

  1. managing the customer identification and onboarding process, authorizations for the use of services, contract signing, and relationship management, all necessary for the execution of the same, as well as providing assistance, by phone or chat, also during the subscription phase.
    2. The processing referred to in point a) is carried out as necessary for the performance of the contract or pre-contractual measures taken at your request, pursuant to Article 6, paragraph 1, letter b) of the Regulation. The provision of data is necessary, failure to provide one or more data will make it impossible to establish the relationship.
  2. comply with legal obligations and in particular, for example, Anti-Money Laundering - where applicable - accounting, tax, complaints, and dispute management obligations.
    3. The processing referred to in point b) is carried out to fulfill legal obligations to which the Controller is subject, pursuant to Article 6, paragraph 1, letter c), of the Regulation. The provision of data is mandatory, failure to provide one or more data will not allow the establishment of the relationship as any refusal would prevent the Controller from fulfilling the legal obligations incumbent upon it.
  3. carry out the following marketing activities:
    • customer satisfaction assessment on the quality of services provided;
    • conducting market studies and research;
    • development and sale of its own services and/or services of Sella Group companies and/or third parties, including sending informational, promotional, and commercial communications (activities may be carried out via email, SMS, push notifications, postal mail, operator telephone calls, and social networks).
  4. communicate your personal data to Sella Group companies to enable them to carry out their product and service development and sales activities.
    5. With regard to purposes c) and d), the legal basis legitimizing the processing is your consent pursuant to Article 6, paragraph 1, letter a) of the Regulation. The provision of your personal data for the aforementioned purposes is optional and does not affect the use of the products and/or services offered by the Company, nor the establishment of the relationship. Therefore, the mentioned processing, one or both, will be carried out only if you have given specific and separate consents. With particular reference to sending email communications regarding products or services similar to those purchased by you, we remind you that the Controller may process the data relating to the email addresses provided by you under the contractual scope for direct marketing purposes (so-called Soft Spam) even without your consent and provided that you do not object, immediately or subsequently, to such processing, by communicating it to the Company in the manners subsequently indicated.
  5. carry out quality checks of phone calls by listening to the relevant recordings;
  6. carry out, in aggregate form, qualitative and quantitative analyses of trends, in order to improve risk management, business strategies, and processes and to organize business activities necessary for the development of products and services;
  7. where the service requires it, prevent fraud in payments;
  8. manage any judicial and extrajudicial disputes.
With regard to purposes e), f), g), and h), the legal basis legitimizing the processing is the legitimate interest of the Controller in improving business strategies and processes and organizing business activities for the development of products and services, protecting itself and users of payment services from potential fraud, and defending itself in judicial and/or extrajudicial proceedings. The provision of your personal data for these purposes is necessary, as any refusal would not allow you to benefit from the products and/or services offered by the Company.

5) To whom can your personal data be communicated?

Your personal data may be known by the Company's staff authorized for processing by virtue of their work duties or by subjects who act as data processors - specifically appointed pursuant to Article 28 of the Regulation - or as independent data controllers. The various categories of recipients involved are as follows:

  • Public entities within the scope of legally required communications, authorities, and supervisory bodies (e.g., Bank of Italy, UIF, Judicial Authorities);
  • Entities responsible for auditing and certifying the balance sheet;
  • Companies providing fraud prevention services;
  • Archive established at the Ministry of Economy and Finance, pursuant to Legislative Decree August 13, 2010, No. 141, for the purpose of preventing identity theft;
  • Sella Group companies providing technological infrastructure for service delivery or customer census or, where applicable, performing Anti-Money Laundering compliance;
  • Entities supporting customer service activities;
  • Provider of advanced electronic signature service (AES), where used;
  • Providers of alternative payment instruments;
  • Marketing and market research companies supporting the Company;
  • Third-party companies supporting the Company in the development and improvement of services;
  • Suppliers of customer relationship management (CRM) software;
  • Entities managing debt collection or providing professional tax and legal consultancy and assistance services or investigative activities in case of contractual non-compliance.

6) Can your personal data be transferred to countries outside the European Economic Area?

For the pursuit of the aforementioned purposes, the Controller may transfer your personal data outside the European Economic Area (e.g., to the United States and India). Transfers are made exclusively to third countries for which the European Commission has recognized that they guarantee an adequate level of protection or in the presence of adequate safeguards, such as the standard contractual clauses adopted by the European Commission, or specific derogations provided for by the Regulation.

7) How long are your personal data kept?

The processing will have a duration necessary to achieve the aforementioned purposes. In particular, the data will be processed for the entire duration of the contractual relationship and subsequently retained in compliance with the terms provided by the relevant regulations (for example, accounting and tax). In the case of subscription to services provided as a Payment Institution, in compliance with the current provisions for the storage and availability of documents, data, and information for combating money laundering and terrorist financing, the data will be retained for ten years following the termination of the relationship. Data collected as part of the chat support service will be retained for one year, specifying that, within this service, controls have been implemented to automatically identify and anonymize certain categories of personal data (e.g., IBAN, credit card number) provided by you on your initiative, which will not be subject to retention.

8) What are your rights?

We inform you that as a data subject, you have the following rights regarding the processing of your personal data:

  1. Right of access: right to obtain from the Controller confirmation as to whether or not your personal data are being processed and, if so, to access them (without prejudice to the rights of others);
  2. Right to rectification: right to obtain from the Controller the rectification of inaccurate personal data concerning you without undue delay, as well as the completion of incomplete personal data, also by providing a supplementary statement;
  3. Right to erasure ("right to be forgotten"): right to obtain from the Controller the erasure of your personal data without undue delay. The Company must proceed with such erasure if, for example:
    • your personal data are no longer necessary for the purposes of the processing;
    • your personal data have been unlawfully processed;
    • your personal data must be erased to comply with a legal obligation;
  4. Right to restriction of processing: right to obtain from the Controller restriction of processing. The Company must proceed with such restriction if:
    • the accuracy of your personal data is contested (for the period necessary for the Controller to verify the accuracy of such personal data);
    • the processing is unlawful, and you have objected to the erasure of your personal data and requested the restriction of their processing;
    • your personal data (although no longer necessary for processing) are needed for the establishment, exercise, or defense of legal claims;
    • investigations into the possible prevalence of the Company's interests are ongoing if you have exercised the right to object as detailed below;
  5. Right to data portability: right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit such data to another Controller, only where processing is based on consent or a contract and only for data processed by electronic means;
  6. Right to object to processing: for reasons related to your particular situation, you have the right to object at any time to the processing of personal data based on the Controller's legitimate interests, unless the Company demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims. Additionally, you can object at any time to the processing of your personal data for direct marketing purposes, including profiling to the extent it is related to such direct marketing;
  7. Right to withdraw consent: you can manage and/or withdraw your consent to specific activities (for example, marketing and/or profiling) at any time, without affecting the lawfulness of processing carried out before the withdrawal;
  8. Right to lodge a complaint with a Supervisory Authority: without prejudice to any other administrative or judicial remedy, if you believe that the processing concerning you violates the Regulation, you have the right to lodge a complaint with the Supervisory Authority of the Member State where you habitually reside or work, or where the alleged infringement occurred.

To exercise the above rights, you can submit a request to the following addresses:

The Company will provide information about the action taken regarding the specific request without undue delay and at the latest within one month from receipt thereof. In any case, you can contact the Company and/or the DPO at the above addresses if you require further details or clarification regarding the processing of your personal data. If exercising the rights listed above may result in a real and concrete prejudice to the interests protected under the Anti-Money Laundering provisions, pursuant to Article 2-undecies of the Privacy Code, the scope of these rights and certain related obligations on the part of the Controller may be limited. In such circumstances, the exercise of these rights may be delayed, limited, or excluded, to the extent necessary and proportionate. If the conditions are met, you will be promptly sent a reasoned communication.