Pursuant to the current legislation on the protection of personal data (the “Privacy Regulations“) including the EU Regulation 2016/679 (the “GDPR“), as well as Italian Legislative Decree 196/2003 as amended by Italian Legislative Decree 101/2018 (“Privacy Code“), Geico S.p.A. (the “Company” or the “Data Controller“), as data controller, informs the users (hereinafter the “Users” or, individually, the “User“) of the website www.geico-spa.com (the “Website“), that it will process their personal data collected through the Website in the manner and for the purposes described below in this policy (the “Policy“).

The User, by browsing the Website, acknowledges having read and understood the content of this Policy.

1. Data Controller

The Data Controller is Geico S.p.A. with registered office in Cinisello Balsamo (MI), Via Pelizza da Volpedo 109/111, 20092, VAT no 00688580968, and can be contacted at the number +39 02 660221 or at the following e-mail address infoprivacy@geico-spa.com.

2. Type of data processed through the Website

The Company will only process the following types of personal data of Users who browse and interact with the web services of the Website, in particular:

Data collected during User’s navigation on the Website

Computer systems, cookie technology and software procedures used to operate the Website acquire, during their normal operation, some data whose transmission is implicit in the use of the Internet. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow Users to be identified.

This category of data includes, for example, the IP addresses or domain names of the computers used by the Users who connect to the Website, the pages visited by the Users within the Website, the domain names and addresses of the Internet sites from which the User has accessed the Website (by referral), the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the web server, the size of the file obtained in response, the numerical code indicating the status of the response sent by the web server, and other parameters relating to the type of browser (e.g. Internet Explorer, Google Chrome, Firefox), operating system (e.g. Windows) and the User’s computer environment.

These data are also collected using cookie technology, i.e. text files and numbers that are installed when browsing a website in the memory of the device (PC, smartphone or tablet) connected to the Internet through the browser application installed there. For further information on the cookies used on the Website, Users are invited to refer to the Cookie Policy at the following link: https://geico-spa.com/it/cookie-policy/.

Data provided directly by the User as part of communications with the Company

This refers to the data provided to the Company directly by the User (such as, by way of example but not limited to: name, surname, e-mail address, personal data of the sender possibly contained in e-mail communications or in the attachments thereto, etc.) following the sending of an e-mail or other communication to the Company’s contacts indicated on the Website.

3. Purposes and legal basis of data processing

The personal data provided (implicitly or directly) by the User will be processed without requiring the User’s prior consent, for the following purposes (“Purposes“):

1. to comply with legal obligations that the Company must fulfil. In this case, the legal basis for the processing consists of the legal obligation that the Data Controller must fulfil pursuant to Article 6, par. 1, letter c) of the GDPR;
2. to enable Users to browse the Website. In this case, the legal basis of the processing consists of the legitimate interest of the Data Controller, pursuant to Article 6, par. 1, letter f) of the GDPR, to: (i) inform the User, through the contents of the Website, about the activities carried out by the Company; (ii) improve the quality and structure of the Website, as well as to create new services, functionalities and/or features of the same; (iii) interact with the User interested in the Company’s services, through the contact references published on the Website;
3. to carry out the maintenance and technical assistance necessary to ensure the proper functioning of the Website and the services connected to it. In this case, the legal basis of the processing consists of the legitimate interest of the Data Controller, pursuant to Article 6, par. 1, letter f) of the GDPR, to: (i) prevent fraud or other crimes through the use of the Website; (ii) improve the quality and structure of the Website, as well as to create new services, functionalities and/or features of the same; (iii) manage and process statistical surveys (after data anonymisation) on the use of the Website;
4. to allow the Company to exercise its rights in court and to restrain unlawful conduct. In this case, the legal basis of the processing consists of the legitimate interest of the Data Controller, pursuant to Article 6, par. 1, letter f) of the GDPR, to: (i) prevent fraud or other crimes through the use of the Website; (ii) manage the Data Controller’s or a third party’s litigation in court.

If the legal basis of the processing is the legitimate interest of the Data Controller, the latter guarantees to have previously carried out an assessment aimed at ensuring the proportionality of the processing so that the rights and freedoms of the Users are not prejudiced, taking into account the reasonable expectations of the same in relation to the specific processing activity.

Users may request additional information about the above evaluation by sending an email to the following address infoprivacy@geico-spa.com.

The Data Controller also informs the User that s/he has the possibility to object at any time to the processing of his/her Personal Data carried out on the basis of legitimate interests of the Company.

If the Company intends to use the personal data collected for any other purpose that is incompatible with the aforementioned Purposes for which they were originally collected or authorised, the Company will inform the User in advance, possibly obtaining consent for further processing of the data.

4. Nature of the data provision

The data may be implicitly provided by the User automatically, by browsing the Website. Therefore, if you do not wish to provide any personal browsing data, please do not visit this Website, do not use this Website in any other way, or do not give your consent when offered this option in accordance with the Privacy Policy.

The provision of data directly by the User is instead optional. However, failure to provide them may result in the impossibility of receiving replies to communications sent by the User to the Company.

5. Methods of data processing

In relation to the indicated Purposes, the processing of Personal Data may consist of the activities indicated in Article 4, paragraph 1, no. 2) of the GDPR, namely: collection, recording, organisation, storage, consultation, processing, disclosure by transmission, or otherwise making available, restriction, erasure or destruction of Personal Data.

Data can be processed through automated tools, according to a logic strictly related to the purposes and, however, in such a way as to ensure the security and confidentiality of data, in addition to compliance with the specific obligations under the legislation in force and applicable from time to time.

6. Data Access and Disclosure

The data may be made accessible exclusively for the purposes mentioned above to the following subjects: employees and collaborators of the Data Controller, in their capacity as authorised data processors.

Even without the express consent of the User, the Company may communicate the User’s data for the purposes referred to in paragraph 3 above to supervisory and/or control bodies of the Company, judicial authorities and all other entities to whom the communication is required by law for the fulfilment of the mentioned Purposes, as independent data controllers.

In addition, the Company may entrust certain personal data processing operations carried out for the Purposes set out in Paragraph 3 above to categories of third parties, specifically appointed by the Company, if necessary, as data processors, including, by way of example but not limited to:

• the providers of technical services of the Website;
• the hosting providers that offer services for the hosting of the Website;
• communication agencies involved in market research activities that may be carried out by the Company using, in an anonymous form, the browsing data of the Users;
• press offices;
• event or conference organising parties.

The User’s personal data will not be subject to transfer to third parties other than those indicated in this Policy.

User data will not be disclosed to the public or to unspecified parties.

7. Data transfer outside the EU

The management and storage of data will take place on the Company’s servers located within the European Union and/or on the servers of third party companies duly appointed as data processors.

The User’s data may be transferred outside the European Union.

In any case, such transfer may only take place to those non-member countries which have been the subject of an adequacy decision and which, therefore, guarantee an adequate level of protection of personal data, or on the basis of standard contractual clauses validated by a European supervisory authority and conforming to the templates proposed by the Commission in Decision 2010/87/EU.

Adequacy decisions with reference to the countries of Japan and the United Kingdom are available at the following links.

https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=CELEX%3A32019D0419

https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=CELEX%3A32019D0419

For further information regarding adequacy decisions and/or standard contractual clauses with respect to other non-EU countries to which Personal Data may be transferred, please write to infoprivacy@geico-spa.com

8. Data retention period

Personal data will be stored and processed for the entire duration of the navigation and, after its termination, for whatever reason, for a period not exceeding 24 months (the “Retention Period“).

At the end of the Retention Period, personal data will be deleted, unless there are further legitimate interests of the Company and/or legal obligations that make it necessary to retain it, after minimisation.

9. Users’ Rights

In accordance with the law, the Users, in their capacity as data subjects, will always have the right to revoke any consent given, and may also at any time exercise the following rights:

1. the “right of access” and specifically to obtain confirmation of the existence or otherwise of personal data concerning him or her and their communication in intelligible form;
2. the “right to rectification“, i.e. the right to request the rectification or, if interested, the integration of personal data;
3. the “right to erasure“, i.e. the right to request the erasure, transformation into anonymous form of data processed in violation of the law, including data whose storage is not necessary in relation to the Purposes for which the Personal Data were collected or subsequently processed;
4. the “right to restriction of processing“, i.e. the right to obtain from the Data Controller the restriction of data processing in certain cases provided for under the Privacy Regulations;
5. the right to request from the Data Controller the list of the recipients to whom any rectification or erasure or restriction of processing was notified (in accordance with Articles 16, 17 and 18 GDPR, in fulfilment of the notification obligation except where this proves impossible or involves a disproportionate effort);
6. the “right to data portability“, i.e. the right to receive (or to transmit directly to another data controller) personal data in a structured, commonly used and machine-readable format;
7. the “right to object” i.e. the right to object, in whole or in part:

• to the processing of personal data carried out by the Data Controller for its own legitimate interest;
• to the processing of personal data carried out by the Data Controller for marketing or profiling purposes.

In the above cases, where necessary, the Data Controller will inform the third parties to whom the User’s personal data are communicated of the possible exercise of rights, except in specific cases where this is not possible or is too costly and, in any case, in accordance with the provisions of the Privacy Regulations.

Where processing is based on consent, the User will also be entitled to revoke, at any time, any consent given, it being understood that revocation of consent will not affect the lawfulness of processing based on consent prior to revocation.

10. Procedures for the exercise of rights and complaints to the Italian Data Protection Authority

The Data Subject may at any time exercise his/her Rights in the following ways:

• by email sent to: infoprivacy@geico-spa.com;
• by ordinary mail, to the address of the registered office of Geico S.p.A.: Via Pelizza da Volpedo 109/111, 20092, Cinisello Balsamo (MI), Italy.

The Data Controller informs the Data Subject that, pursuant to the Privacy Regulations, he or she has the right to lodge a complaint with the competent supervisory Authority (in particular in the Member State of his or her usual residence, place of work or place of the alleged breach), if he or she deems that his or her Personal Data are being processed in a manner that would result in a breach of the GDPR.

In order to facilitate the exercise of the right to lodge a complaint, the name and contact details of the European Union Supervisory Authorities are available at the following link https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

Finally, if the User intends to lodge a complaint with the Supervisory Authority competent for the Italian territory (i.e. Italian Data Protection Authority), the complaint form is available at the following link: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/4535524.

Last updated 14 October 2021