Privacy Notice on the Processing of Users’ Personal Data

This privacy notice is provided, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679, hereinafter the “GDPR”, to users, hereinafter the “Users” or the “User”, of the RealEstate.IT website and the RealEstate.IT application, hereinafter the “Website” and the “App”, owned by Real Estate Information Technology S.r.l., with registered office in Laion (BZ), Zona Industriale Pontives 17, acting as Data Controller pursuant to Article 4(1)(7) GDPR, hereinafter the “Controller” or “REIT”.

The purpose of this notice is to inform Users of the Website and App about the purposes and methods of processing personal data by the Controller, as well as the ways in which Users may exercise the rights provided for under the GDPR.

The services offered by the Controller are intended for persons over the age of 18. Should the Controller become aware that it is processing data relating to minors under the age of 18, it reserves the right to unilaterally discontinue the provision of the service offered and to delete the data acquired.

Users assume responsibility for any communication of third-party data, warranting that they have the full right to communicate such data. The Controller shall be free from any liability towards third parties arising from the unlawful use of their data.

This privacy notice does not apply to other websites that may be reached through links present on the Website/App, including, by way of example, the websites of the Organismo Agenti e Mediatori Creditizi, banks, CONSOB, and similar entities.

This privacy notice does, however, apply where the REIT service is integrated into partner websites in “co-branded” mode or in mobile/app versions.

1. Principles Applicable to the Processing of Personal Data

The Controller informs data subjects that, in compliance with the GDPR, Legislative Decree No. 196/2003, the so-called “Privacy Code”, and the guidelines issued by the Italian Data Protection Authority, hereinafter jointly referred to as the “Privacy Legislation”, the processing of personal data is carried out in accordance with the principles of fairness, lawfulness, transparency, protection of confidentiality, and protection of fundamental rights.

2. Subject Matter of the Processing

The User data that may be processed by the Controller are specified below.

Personal data acquired automatically when visiting the Website/App

Browsing data.
The Controller automatically collects data relating to the device used by the User, such as a PC, tablet, mobile phone, or other mobile device, and to the User’s connection. Such data may include, by way of example, the IP address, date and time of access, hardware and software information, information on events concerning the device, and any crash data.

Data on the use of the Website/App.
The Controller collects information on how the User has used the Website/App, including, by way of example, the pages and content viewed, searches performed, third-party applications present on the Website that are used by the User, and links to third-party websites and applications clicked by the User.

Personal data provided by the User

Mandatory data provided for completion of the questionnaire on the Website.
The Controller collects identifying, financial, and family-related information about the User in order to prepare a free mortgage estimate. By way of example, the Controller collects the following personal data:

  • number of members of the household;
  • number of persons with income;
  • date of birth of the applicant;
  • employment status of the applicant, such as permanent employee, fixed-term employee, self-employed with VAT number, or pensioner;
  • in the case of a self-employed person with a VAT number, the duration of the current employment/business position;
  • in the case of a fixed-term employee, the sector in which they work, public or private;
  • net monthly income received by the applicant;
  • number of monthly salary payments received by the applicant;
  • number of active loans or financing arrangements.

Mandatory data provided for the Mortgage Estimate through the Website.
The Controller collects the information required on a mandatory basis in order to provide the mortgage estimate generated through the Website. By way of example, the Controller processes the following personal data:

  • first name;
  • surname;
  • email address;
  • mobile phone number.

Mandatory data provided for activation of the App.
The Controller collects the information required on a mandatory basis for activation of the App, such as, by way of example, first name, surname, and telephone number, verified by OTP.

Mandatory data provided for the Mortgage Estimate through the App.
If the questionnaire is completed through the App, the Controller collects identifying, financial, and family-related information about the User in order to provide a free mortgage estimate. By way of example, the Controller processes the following personal data:

  • number of members of the household;
  • number of persons with income;
  • first name and surname;
  • email address;
  • date of birth;
  • employment status, such as permanent employee, fixed-term employee, self-employed with VAT number, or pensioner;
  • in the case of a self-employed person with a VAT number, the duration of the current employment/business position;
  • in the case of a fixed-term employee, the sector in which they work, public or private;
  • net monthly income;
  • number of monthly salary payments received by the applicant;
  • number of active loans or financing arrangements.

Mandatory data provided for anti-money laundering checks, including identification and the anti-money laundering questionnaire.
In the context of the Mutuo a Distanza service, for the purposes of anti-money laundering checks, the Controller collects the following information:

  • personal details, including first name, surname, sex, tax code, and place of birth;
  • work activity or profession, such as employee/worker, freelancer, homemaker, and similar;
  • employment relationship, such as fixed-term worker, self-employed person, and similar;
  • sector or type of economic activity, such as agriculture and timber, weapons and ammunition, healthcare, and similar;
  • countries in which the work activity is carried out;
  • net annual income bracket, such as EUR 0 to EUR 15,000, EUR 15,001 to EUR 30,000, and similar;
  • source of wealth, such as employment income, sale of real estate, and similar.

Mandatory data provided for signing documents, including the mediation mandate.
For the remote signing of documents, the Controller processes the following personal data of the User:

  • first name and surname;
  • email address;
  • telephone number.

Optional data

Data provided through requests for information by email.
If the User explicitly and voluntarily requests information by email at the addresses indicated on the Website, the Controller acquires the User’s email address, first name and surname, and any personal data included in the communication.

Personal data collected through cookies

Data provided through the use of cookies.
The Controller uses cookies to collect data on the User’s activity through the Website/App and on the User’s preferences, as well as other technical data relating to the User. For further information on the use of cookies, the User may consult the Cookie Policy.

3. Purposes and Legal Basis of Processing

Through the Website/App, REIT processes the User’s personal data in order to:

  • provide the services offered by the Controller through the Website/App;
  • operate and improve the Website and the App;
  • operate and improve the services provided by the Controller through the Website/App;
  • keep the services provided by the Controller through the Website/App secure, protected, and operational.

The processing carried out for the above purposes is based, pursuant to Article 6(1)(b) GDPR, on the performance of a contract to which the data subject is party or on the performance of pre-contractual measures taken at the request of the data subject.

REIT also processes the User’s personal data for the following purposes:

  • to prevent, detect, and mitigate fraud, security breaches, and potentially prohibited or unlawful activities;
  • to resolve disputes with the User;
  • to identify and resolve problems encountered by the User when using the Website/App, such as blocked or non-functioning pages, and to provide the User with a better experience;
  • to collect statistical information, in aggregate form, on the number of Users visiting the Website/App and on how Users visit the Website/App;
  • to send communications concerning any service disruptions relating to the services offered.

The processing carried out for the above purposes is based, pursuant to Article 6(1)(f) GDPR, on the pursuit of the legitimate interest of the Controller or of third parties, while respecting the interests or fundamental rights and freedoms of the data subject.

REIT also processes the User’s personal data in order to:

  • carry out marketing activities.

Processing carried out for marketing purposes is based, pursuant to Article 6(1)(a) GDPR, on the specific consent given by the data subject.

4. Mutuo a Distanza — Remote Mortgage Service, “MAD”

This privacy notice also aims to inform Users about the purposes and methods of processing personal data in the context of the Mutuo a Distanza service, the so-called “MAD” service.

In such case, REIT may act as Data Processor pursuant to Article 28 GDPR on behalf of the partner bank, which shall act as Data Controller pursuant to Article 4(1)(7) GDPR with regard to the document-collection phase and any subsequent step aimed at obtaining the mortgage.

As Data Processor, REIT may process the following personal data.

Data provided for the collection of documentation requested by the partner bank.
REIT collects, on behalf of the bank, identifying data and, depending on the User’s employment status, economic and income-related data, such as, by way of example:

  • first name, surname, date of birth, through acquisition of an identity document;
  • residence, through acquisition of a residence certificate;
  • family status certificate;
  • separation/divorce documentation;
  • residence permit/card;
  • marital status, through acquisition of the marriage certificate;
  • ownership of savings securities or other assets;
  • lease agreements entered into, for the verification of rental income received;
  • inheritance documents;
  • personal bank statement;
  • payslips/annual liquidation statement, pension documentation;
  • employment documentation, through acquisition of a service certificate showing date of hiring and type of contract;
  • CUD tax certification;
  • ownership of company shares;
  • registration with the Chamber of Commerce or professional registers.

Mandatory data collected for signing documentation.
For the remote signing of documents, REIT collects, on behalf of the bank, the following personal data of the User:

  • first name and surname;
  • email address;
  • telephone number.

The personal data provided by Users will be processed pursuant to Article 6(1)(b) GDPR in order to provide the MAD service and therefore facilitate contact between the User and the partner bank.

5. Methods of Processing and Retention of Personal Data

The Controller ensures that personal data are processed in full compliance with the GDPR and the privacy legislation in force in Italy, using manual, IT, or telematic systems.

Processing is carried out through automated tools capable of storing, managing, and transmitting the data.

The data collected will be protected using physical and logical methods designed to minimize the risks of unauthorized access, disclosure, loss, and destruction of the data, pursuant to Articles 25 and 32 GDPR.

Data processing shall last no longer than is necessary to fulfil the purposes for which the data were collected.

Unless the Controller receives a deletion request, personal data will be retained for a period not exceeding 10 years, starting from the date of the User’s last access to the Website/App or from the moment the contract entered into with REIT has ceased.

The User’s personal data may be retained for longer periods where this is necessary to comply with legal obligations incumbent upon the Controller or to protect a right in legal proceedings.

Upon expiry of these retention periods, the User’s data will be deleted or permanently anonymized.

6. Recipients of Personal Data

The personal data collected may be processed by persons or categories of persons acting, pursuant to Article 28 GDPR, as Data Processors or, pursuant to Article 29 GDPR, as persons authorized to process the data.

Outside the above cases, personal data shall not be disclosed except to persons, entities, and authorities to whom disclosure is mandatory under legal or regulatory provisions. In particular, data may be disclosed for the fulfilment of obligations under Legislative Decree No. 231/2007 on anti-money laundering.

7. Transfer of Data to a Third Country or an International Organization

Personal data collected through the Website/App may be transferred outside Italy and, where applicable, outside the European Economic Area, solely and exclusively for the performance of the services requested through the Website/App, to provide the most appropriate responses to requests made, and to improve the services offered.

Any transfer of data, including outside the European Union/European Economic Area, shall take place in full compliance with the GDPR and, where necessary, with the Standard Contractual Clauses.

8. Rights of the Data Subject

The User has the right to request at any time:

  1. confirmation as to whether or not personal data concerning them exist, even if not yet recorded, in a concise, transparent, intelligible, and easily accessible form, using clear and plain language;
  2. information on:
    • the origin of the personal data;
    • the purposes and methods of processing;
    • the legitimate interests pursued by the Controller or by third parties;
    • any recipients or categories of recipients of the personal data;
    • any intention of the Controller to transfer personal data to a third country or to an international organization;
    • the personal-data retention period;
    • the logic involved, as well as the significance and envisaged consequences of such processing for the data subject, in the case of processing carried out by electronic means as part of an automated collection and/or profiling process;
    • the identification details of the Controller, the Data Processors, any designated representative, and the Data Protection Officer, the so-called DPO;
    • the persons and categories of persons to whom the personal data may be communicated or who may become aware of them in their capacity as designated representative in the territory of the State, Data Processors, or persons in charge of processing;
  3. the possibility of lodging a complaint with a supervisory authority;
  4. the updating, rectification, or, where the User has an interest, completion of the data;
  5. the deletion, anonymization, or blocking of data processed unlawfully, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;
  6. restriction of processing;
  7. portability of the personal data concerning the User to another Data Controller;
  8. withdrawal of consent to processing;
  9. objection, in whole or in part, on legitimate grounds, to the processing of personal data concerning the User, even where such data are relevant to the purpose of collection.

To exercise these rights, the data subject may contact the Controller at any time by sending a written request, without formalities, to: privacy@realestate.it

The Controller shall respond to the User’s requests no later than one month from receipt. In view of the complexity and number of requests received by the Controller, this period may be extended by two months. In such case, within one month of receiving the request, the Controller shall inform the User of the extension and the reasons for it.

If the response is not considered satisfactory, the User may lodge a complaint with the Italian Data Protection Authority.

9. Data Controller and Data Protection Officer

The Data Controller is Real Estate Information Technology S.r.l., with registered office in Laion (BZ), Zona Industriale Pontives 17, Postcode 39040.
Email: privacy@realestate.it

Pursuant to Article 37 GDPR, the Controller has appointed a Data Protection Officer, the so-called DPO, who can be contacted at the following email address: dpo@realestate.it

10. Amendments

This privacy notice may be subject to amendments. If substantial changes are made to REIT’s use of data relating to the User, REIT shall notify the User by publishing such changes with maximum visibility on its pages.

Last updated: 5 July 2023