Privacy Policy for the User
Rights of the Data Subject
How to exercise rights and/or request information on processing
List of privacy policies 


Dear User,

This privacy policy is provided to you in accordance with Art. 13 of Regulation 2016/679/EU - on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter, also, “the Regulation” or “GDPR”).Here you will find information on the processing of your personal data, consequent to browsing on the web spaces and using the services made available to you via the internet website.
You will be provided with specific and/or supplementary information on the processing of your personal data on every occasion when we collect them, in your interaction with the website or by virtue of contractual relationships established with our Company; you can consult them at any time by clicking on the links present in the specific section “List of Privacy Policies” at the bottom of this page.

Attention: this Privacy Policy does not relate to web services provided by third parties used or consulted by you or reached via hypertext links. In that regard, we invite you to consult the privacy policies and notices provided by the aforementioned third parties in the appropriate places.


Privacy Rules: The GDPR, the Privacy Code, the Measures of the Data Protection Authority and in general all external rules on the protection of natural persons with regard to the processing of Personal Data. 

GDPR or Regulation: European Union Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation).

Personal Data: Any information relating to an identified or identifiable natural person. This also means, as well as any data provided by the User through any forms within the individual areas of the Web Services, also data relating to browsing.

Data Subject: The identified or identifiable natural person to whom the Personal Data refer. 

Browsing Data: The IT systems and software procedures that operate the Web Services acquire, during their normal functioning, some data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected in order to be associated with identified data subjects but that, by its very nature, may allow, through processing and association with data held by third parties, for users to be identified. However, if the browsing session occurs subject to accessing the Reserved Area (known as log in), the data collected are associated with the personal account of the User.

The browsing data include:

  • IP addresses or domain names of the computers used by users who connect to the website; 
  • addresses in URI (Uniform Resource Identifier) notation of the requested resources; 
  • time of the request; 
  • method used to submit the request to the server; 
  • size of the file obtained in response; 
  • numerical code indicating the status of the response given by the server (successful, error, etc.);
  • other parameters relating to the operating system and IT environment of the User.

Data provided by the User: These are data sent voluntarily and knowingly by the User by sending communications (e.g. by email to the addresses present in the web domain) or by completing specific forms, if present within the spaces provided by the Services.

The Data provided voluntarily by the User are only those strictly necessary for the purposes pursued each time by the Services (for precise indications regarding the categories of data collected from time to time, see the relevant individual privacy policies). By way of example, they may be the following data:

  • personal details;
  • contact details (e.g. email address);
  • contractual position of the User-Customer;
  • geolocation (if the User has expressed consent to the collection of location data);
  • use of the individual Services made available to the User;
  • events and circumstances illustrated by the User in his or her messages (in that regard, for his or her best protection, the User is asked not to provide information that does not strictly relate to the subject of the request and the nature of the Services provided by the Company).

Data Controller or Controller: The entity that determines the means and purposes of personal data processing. In reference to the Web Services, it is the Company of the Unipol Group to which this website refers and whose references are shown at the foot of each page, as well as at the start of the “Privacy Policy for the User”.

Services or Web Services: The services provided via the internet, used by way of the website and/or any Apps 

User: The person (natural person) who browses, consults, accesses or uses the Web Services

DPO: The Data Protection Officer. The User may request clarifications in relation to the processing of personal data or exercise his or her rights by contacting the DPO, by the procedures and in the forms indicated in the section “How to exercise rights and/or request information on processing

Data Protection Authority: In Italy, the Garante per la protezione dei dati personali, namely, the Italian national data protection authority. For further information, see the website of the Data Protection Authority.

Cookies: Cookies are information recorded on your device (e.g. on your browser memory) when you visit a website or use a web application. 

Each cookie may contain different data, such as, for example, the name of the server from which it originates, a numerical identifier, etc.

Consult the cookie policy for further information.


We provide below some useful information regarding personal data processing carried out by way of the Web Services.

In particular, we wish to inform you:

of the identification and contact details of the Controller;

of the contact details of the Data Protection Officer (DPO);

of the categories of personal data processed via Web Services;

of the purposes for which the personal data are processed from time to time;

of the grounds that legitimate the processing of the aforementioned data (so-called legal bases);

of the duration of their storage, always strictly necessary to pursue the declared purposes;

of the categories of recipients of the communication of data.

Data Controller Registered office
Unipol Gruppo S.p.A. Via Stalingrado 45, Bologna – 40128

Categories of personal data, purposes and legal bases of processing and storage periods

Categories of personal data

Processing purpose

Legal bases

Data storage periods

Browsing data

To facilitate web browsing and provision of the Services

Necessary for the performance of a contract to which the data subject is party or to provide a service at the request of the same

For the duration of browsing within the services

To obtain anonymous statistical information on use of the Web Services, for the sole purpose of checking their correct functioning

Legitimate interest of the Company

The data collected are aggregated and made no longer attributable to the individual user who carried out the browsing

Data provided by the User: provision of Web Services

Governance Section – Participation in Shareholders' Meeting

Necessary for the performance of a contract to which the data subject is party

For the duration of the Shareholders' Meeting. The personal data, subsequently collected in minutes relating to the Shareholders' Meeting, may be stored for further periods for administrative-accounting requirements and based upon the provisions of the regulations applicable each time (in general, 10 years)

To send questions for the Shareholders' Meeting

Legitimate interest in the correct and fruitful conduct of the Shareholders' Meeting

For the duration of the Shareholders' Meeting. The questions will be subsequently stored, contained in the specific minutes, without reference to individual names

Information request

Necessary to execute requests made by the data subject (also prior to entering into a contract)

The time necessary to provide the response

Reinsurance Portal: for the assignment and management of user authentication details for accessing the Portal, the application used for sharing documentation with Reinsurers and Brokers (e.g. treaties and documentation attached to the same) issued by UnipolSai in relation to reinsurance

Legitimate interest in the correct management of relationships with reinsurers

For the account activation period. Subsequently, they may be stored for further periods for administrative-accounting requirements and based upon the provisions of the regulations applicable each time (in general, 10 years)

Investor Teams Portal, for sending clarification requests in that regard

Legitimate interest

The time necessary to provide the response

The provision of your personal data is free and optional. We remind you, however, that, for the pursuit of some purposes (to provide you with the appropriate responses requested, for registration to the Reserved Area or for the provision of individual services) they are essential; if you do not provide them, in those cases, it may not be possible to proceed with the pursuit of the aforementioned purposes.

We invite you, in any case, to consult the individual privacy policies for further details. 

Methods of processing and recipients of data communications

The data indicated above will not be disseminated and may only be known by collaborators of our Company specifically authorised to process them. They may also be acquired and/or processed by other companies of the Unipol Group and/or by other companies. Processing operations may be carried out by external entities to which we entrust the conduct of activities on our behalf, and with which we enter into agreements aimed at regulating the data processing.
The data may, finally, be communicated subject to express request to public authorities or forces of order.
Personal data are always processed subject to adopting suitable security measures to guarantee the confidentiality, availability and integrity of the data themselves.


The Web Services may use technical, analytical, and profiling cookies, both of first and third parties.
Cookies are essential for improving the Services and providing products always in line with the preferences of Users.
Any use of profiling cookies and/or third party cookies will always be subject to the issuance of your prior consent.
To find out more, click here.


The privacy regulation (Articles 15-22 of the Regulation) guarantees to the User, in the capacity of data subject, the right to access data relating to him or her, as well as to obtain its rectification and/or supplementation, erasure or portability. The privacy regulation also attributes to the User the right to request the restriction of data processing and to object to the processing, as well as the possibility of withdrawing any consent provided (the withdrawal does not affect the lawfulness of processing carried out up until that time).


Of what does it consist?

Grounds for its exercise

Access to data

The User may request from the Data Controller:
  1. confirmation that data is being processed relating to him or her;
  2. a copy of the personal data relating to him or her;
  3. information on the processing of personal data (e.g. legal bases, storage periods, categories of data recipients, etc.)

The User may always submit that request

Rectification or supplementation of data

The User may ask the Data Controller to:
  1. rectify
  2. update
  3. modify

the personal data processed

If the processed data are inaccurate or incomplete

Erasure of data

The User may ask the Data Controller to erase the personal data being processed

  1. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  2. the User withdraws consent on which the processing is based, and there is no other legal basis for processing;
  3. the User objects to processing in accordance with Art. 21 and there is no other prevailing legitimate reason to carry out the processing;
  4. the personal data have been processed illegally;
  5. the personal data must be erased to comply with a legal obligation envisaged by European Union law or by the Member State to which the data controller is subject

Restriction of processing of personal data

The User may ask the Controller not to carry out, except for storage alone, any processing operation on his or her personal data, except with the consent of the User or to protect its rights

  1. the User disputes the accuracy of the personal data, for the period necessary for the controller to verify the accuracy of those personal data;
  2. the processing is illegal and the data subject objects to the erasure of the personal data and asks instead for their use to be restricted;
  3. although the controller no longer needs them for the processing purposes, the personal data are needed by the data subject for the establishment, exercise or defence of legal claims;
  4. the User has objected to processing, pending the check of any prevalence of the legitimate reasons of the controller over those of the data subject

Objection to personal data processing

The User may object to processing based upon legitimate interest (including the sending of promotional communication) or a public interest

There must be reasons connected to the particular situation of the User, except if the objection is to processing for purposes of direct marketing

Objection to an automated decision-making process

The User may object to automated decision-making processes. If that process is necessary to perform a contract, is based upon explicit consent, is authorised by law or a regulation of the State or European Union, the User has the right to obtain the human intervention by the Controller, to express his or her opinion and to dispute the decision

There is a decision based solely on automated processing, including profiling, which produces legal effects relating to him or her or that similarly significantly affects the User

Portability of personal data

The User has the right to receive in a structured, commonly-used and machine readable format the personal data relating to him or her

Provided that all of the following presuppositions are in place:
  1. the data were provided by the User;
  2. the processing is based on consent or on a contract;
  3. the processing is carried out with automated means

Withdrawal of consent

The User may withdraw the consent provided. The withdrawal does not affect the lawfulness of the processing carried out up until that time



The “Data Protection Officer” is available for any doubt or clarification, to exercise the rights of the Data Subjects and to provide the updated list of categories of data recipients. 

Data Protection Officer or DPO

This is subject to your right to contact the Data Protection (Data Protection Authority), also by lodging a complaint, where considered necessary to protect your personal data and your rights in that regard.


We set out below the list of privacy policies: 

Privacy policy for suppliers (Italian version only)

Privacy policy for submitting applications on the Job Posting portal (Italian version only)

Privacy policy for participants at the Ordinary Shareholders' Meeting (Italian version only)

Privacy policy for participants at the Ordinary Shareholders' Meeting by way of streaming (Italian version only)

Privacy policy for Directors, Auditors and Corporate Bodies (Italian version only)

Privacy Policy for Shareholders (Italian version only)

Information for holders of key functions (Italian version only)

Back to Menu

Last updated:Jun 26 2024