Privacy Policy e Cookie Policy

PERSONAL DATA PROCESSING POLICY – BROWSING OF THE WEBSITE WWW.BCSM.SM
in accordance with Article 13 and Article 14 of Italian Law no. 171 of 21 December 2018 “Protection of natural persons with regard to the processing of Personal Data”


Preamble

This document is drawn up by the Central Bank of the Republic of San Marino (hereinafter “CBSM” or “Controller”), in its capacity of data controller and in compliance with the legislation in force on the protection of Personal Data, specifically Article 13 of Italian Law no. 171 of 21 December 2018 as amended, entitled “Protection of natural persons with regard to the processing of Personal Data" (hereinafter “Law”) and Article 13 of the EU Regulation 2016/679 (hereinafter “GDPR”). This document aims to provide information on the processing of the Personal Data that may be acquired for the establishment and management of contractual relationships between the Central Bank of San Marino and the suppliers or associated third-party companies. Personal Data (hereinafter “Personal Data”) are processed by CBSM and/or via third parties, by means of both electronic and non-electronic tools, for the purposes indicated below.
To define Personal Data, reference is made to the UK GDPR: “Personal Data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, either directly or indirectly, through identifiers such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity”. This privacy policy (hereinafter “Policy”) pertains to the processing carried out by CBSM concerning the Personal Data of users of the website https://www.bcsm.sm/ . Users are not required to provide their Personal Data to browse this website but only to access certain services in the personal area. In such cases, the collected Personal Data will be processed by CBSM, acting as the Data Controller, in accordance with the current regulations and confidentiality obligations related to privacy, within the scope of institutional communication activities.

CONTACT DETAILS OF THE CONTROLLER

Pursuant to Article 2 of the Law, the Data Controller acting for the purposes set out below is the Central Bank of the Republic of San Marino, whose headquarters and General Directorate are located at Via Del Voltone n. 120, 47890 – San Marino (Republic of San Marino).
For additional information, individuals can contact the Data Controller via email at privacy.titolare@bcsm.sm or by sending a written request to Banca Centrale della Repubblica di San Marino, Via del Voltone n. 120, 47890 – San Marino (RSM). Alternatively, the Data Controller can be contacted by phone at +378 0549 981010 or by fax at +378 0549 981019.

CONTACT DETAILS OF THE DATA PROTECTION OFFICERS

The Controller has appointed Ms Valentina Rabitti and Mr Nathaniel Casadei as “Data Protection Officers” (hereinafter, “DPOs”), in accordance with Chapter 4 of the Law. For all issues relating to the processing of Personal Data and/or to exercise the rights envisaged by the Law itself, listed in the section "Rights of the Data Subject" of this Policy, please, send an email to privacy.dpo@bcsm.sm.

PLACE OF PROCESSING

The processing related to the web services of this site physically takes place at the premises of the Central Bank of the Republic of San Marino, Via del Voltone, 120 - 47890 Cittą di San Marino - Republic of San Marino, and is carried out only by technical staff of the processing office or by designated individuals for occasional maintenance tasks. No data originating from the web service is transmitted or disclosed.

TYPES AND SOURCE OF PERSONAL DATA SUBJECT TO PROCESSING

Browsing data
The IT and software systems used for this website acquire, during their normal operation, certain types of Personal Data which are necessarily transmitted due to the Internet communication protocols. These are pieces of information which, due to their nature, might be linked back to specific users through further processing and association with data held by third parties, although the original data itself is not collected with the specific intention of identifying such individuals. This particularly applies to:

a) IP addresses or domain names of the computers used by users who connect to this website
b) addresses in URI (Uniform Resource Identifier) notation of the requested resources
c) time of the request
d) method used to submit the request to the server
e) size of the file obtained in response
f) numerical code indicating the outcome of the response given by the server (successful, error, etc.)
g) other parameters related to the user's operating system and computer environment

Such data is used for the sole purpose of obtaining anonymous statistical information about the use of the website and for ensuring its proper functioning. Indeed, it is deleted immediately after processing. The data might be used to ascertain responsibility in the event of computer-related crimes against the website. Barring such circumstance, contact web data is not stored for more than seven days.

Data provided voluntarily by the user

In order to access certain services, users are asked to sign up and provide some Personal Data. Some identifying data are required in order for CBSM to authenticate and verify that personal areas are accessed only by authorised individuals.
Any Personal Data included in emails sent to the addresses indicated on this site, as well as the sender’s address, will be acquired by CBSM in order to reply and fulfil any related requests. Failure to provide Personal Data necessary to communicate with CBSM or submit requests will result in CBSM’s inability to proceed.

Cookies

Cookies are short code strings that are sent to the user's browser (e.g., Firefox or Chrome) by the visited websites. Such strings are stored to be later transmitted back to the same websites during subsequent visits. The user's browser may simultaneously receive Cookies by other websites (so-called "third parties").

Performance Cookies

This website uses performance cookies only.
Performance cookies facilitate activities linked to identifying problems and improving the website. They can be divided into:
• Navigation Cookies, aimed at storing navigation preferences and enhancing the browsing experience on the website. These cookies do not gather information for commercial purposes but are necessary to provide certain services.
• Statistical Cookies, used to collect, in an anonymous and aggregated form, statistical information about users' browsing methods (e.g., number of visited pages and accesses, time spent on the site).
• Functional Cookies, used to provide specific services on the website (e.g., language choice between Italian/English). All information is collected anonymously.
The installation and use of Performance Cookies do not require the user's prior consent.
CBSM uses the following performance cookies:

a) JSESSIONID (stores the session ID, lasts for the session only, and is essential for the restricted area)
b) ACM-Language (set up in some cases to track the site's language and lasts for one year)
On the other hand, the following are used for the restricted area:
c) ACMUSER (contains the ID of the logged-in user)
d) ACMTRACK (contains an alphanumeric identifier that enables proper navigation and session management in reference to the CBSM website's personal areas)

 

Statistical cookies

Statistical cookies are used to collect information about the website’s usage. The Data Controller uses such information for statistical analysis, to improve the website and simplify its use, as well as to monitor its proper functioning. Such cookies collect anonymous information about the users' activity on the website, how they reached it, and the pages they visited. Cookies in this category are sent from either the website or third-party domains.
Such cookies, called "analytical cookies”, which are used to monitor the users' usage of the website for optimization purposes, are considered performance cookies, both when they are used directly by the website itself (i.e., without the intervention of third parties), and when they are created and provided by third parties and used by the website for mere statistical purposes, provided that suitable measures are taken to reduce their identifying power (such as masking significant portions of the IP address) and the third party explicitly commits not to "cross-reference" the information contained in such cookies with other information at its disposal. Therefore, the installation of such cookies does not require user consent, nor additional regulatory compliance.
 

The statistical cookies used by CBSM are "_ga" and "ga<CONTAINER-ID>" of Google Analytics 4. Google Analytics 4 cookies provide measurement statistics and performance analysis of the website, use IP masking, and are therefore only used to generate statistics on aggregated data, not to identify the user. For this reason, they are classified as performance cookies and do not require user consent for their use. For further information on Google Analytics 4, please, visit https://support.google.com/analytics/answer/10089681?hl=en.

 

How to Manage Cookies Within Your Browser

Users can manage their cookie preferences directly within their browser to prevent third parties from installing them or delete previously installed cookies, among others. If users disable all the cookies, the website’s functionality might be compromised.

 

Third-Party Websites

The website contains links to other websites (e.g., San Marino Rtv and LinkedIn) that have their own privacy policies. Upon visiting such websites, cookies may therefore be installed which are external to CBSM. These privacy policies may differ from the one adopted by the Data Controller, who shall therefore not be responsible for third-party websites. Please carefully read the privacy policies of the external platforms linked through the CBSM website before using them.
In the event that a service interaction with social networks is installed, traffic data may be collected in relation to the pages where it is installed, even if users do not use the service. To learn about the Personal Data collected, the location of processing, and all the details, please, see the privacy policies of the involved social networks, which are easily identified through specific logos or labels on the website pages.

 

SECTION 4 – PURPOSES AND LEGAL BASIS FOR THE PROCESSING

The Personal Data is processed for the following purposes:

a. to perform the operations strictly necessary to provide the services you may request, including the implicit request of navigation through the website pages. The collection of the data that is necessary to carry out the requested services takes place exclusively within the restricted area of the website. The website serves a purely informative purpose, and in no other part of it, apart from the personal areas, is the acquisition of your Personal Data requested.
b. to provide registered users with the Central Bank’s institutional services and manage the personal area of the website, among others.
c. to perform the activities set out by laws, regulations, or provisions.
d. to provide registered users with customised information within personal areas.
e. to collect any information flows in accordance with laws, regulations, or provisions.

The processing carried out for the purposes mentioned in the above list is based on the legal foundation - with respect to points a., b., and d. - of Article 5, paragraph 1, letter b) of Law No. 171/2018 and subsequent amendments, connected to the need to fulfill users’ explicit requests to receive services that are directly available through the website. As for the legal basis to points c. and e. above, reference is made to Article 5, paragraph 1, letters c) and e) of Law No. 171/2018 and subsequent amendments, connected to the public services provided by CBSM.
Generally speaking, this involves providing data that is strictly necessary and related to the exercise of an interest and/or compliance with legal and/or contractual obligations, which, as such, do not require consent.


PROCESSING METHODS

Personal Data may be processed according to the following methods:

• through electronic devices, i.e., software systems managed by third parties.
• using temporary anonymous processing.

Processing is carried out in compliance with the methods stated in Articles 5 (Lawfulness of processing) and 33 (Safe processing) of the Law. Particularly, the data of visitors/users is processed in a lawful and fair manner, adopting suitable security measures to prevent unauthorised access, disclosure, alteration, or unauthorised data destruction. Safety of Personal Data during the communication session with this website is protected through a digital certificate that employs an encryption protocol (TLS), thus encrypting the information. Apart from the Data Controller, certain categories of personnel involved in the organisation of the website, or external parties (such as third-party technical service providers, hosting providers) might also occasionally have access to the data.
In this regard, based on the roles and job duties carried out, employees are authorised to process Personal Data, within the limits of their competencies and in compliance with the instructions provided by the Data Controller.
Furthermore, Personal Data may be transmitted to External Data Processors, professionals, consulting firms, etc., under a specific appointment contract to ensure compliance with the principles of the Law and the current regulations. We are pleased to provide the list of entities to which we disclose the Personal Data, along with the associated usage constraints, whenever needed. Such list is kept at the CBSM headquarters. Such list is kept at the CBSM headquarters. CBSM does not process Personal Data through any automated decision-making processes, including profiling as mentioned in Article 22 of the Law.


DATA RETENTION PERIOD

In accordance with the principles of lawfulness, purpose limitation, and data minimization, as stated in Article 5 of the Law, the retention period for Personal Data is established as follows:

• should not exceed the period strictly necessary to provide the services.
• should not exceed the period strictly necessary to fulfil the purposes for which Data is collected and processed, in compliance with the mandatory timeframes established by the law.
• in any case, should not exceed seven days, excluding subsequent use for the investigation of any liabilities in possible computer-related offenses connected with this website.


TRANSMISSION TO THIRD COUNTRIES

The Data Controller does not transfer any Personal Data collected through the website to third countries or international organizations.


RIGHTS OF THE DATA SUBJECT

The Data Subject may exercise the following rights granted by the legislation on Personal Data Protection against CBSM at any time. To do so, the Data Subject must submit a specific written request to the Central Bank of the Republic of San Marino using one of the following means:

- recorded delivery letter addressed to Banca Centrale della Repubblica di San Marino, Via del Voltone no. 120 – 47890 San Marino (RSM)
- email to privacy.titolare@bcsm.sm 
- fax to + 378 0549/882328


Right of access
The Data Subject shall have the right to obtain confirmation from CBSM of whether its Personal Data is being processed, and, if so, request access to the Personal Data and information envisaged by Article 15 of the Law. This includes obtaining information about the purposes pursued by the Data Controller, the categories of data involved, the recipients to whom the data may be disclosed, the applicable retention period, and the existence of automated decision-making processes, among others.


1. Right to rectification
The Data Subject has the right to obtain from CBSM, without undue delay, the rectification of their Personal Data, in case of inaccuracies. Additionally, considering the purposes of the processing, the Data Subject may request the completion of their data, if it is found incomplete, by providing a supplementary statement.


2. Right to erasure
The Data Subject has the right to request the erasure of their Personal Data from the Controller, if one of the reasons set forth by Article 17 of the Law applies. The Data Subject may exercise such right if their Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed or if consent to the processing has been revoked and there is no other legal basis for processing their Personal Data. However, the revocation of consent shall not affect the lawfulness of any processing carried out prior to such revocation. Please, note that CBSM may not be able to erase your Personal Data if its processing proves necessary to comply with a legal obligation, for reasons of public interest, or for legal purposes such as establishing, exercising, or defending legal claims. 


3. Right to restricted processing
The Data Subject may request that the processing of their Personal Data be restricted where one of the circumstances envisaged by Article 18 of the Law applies. This may include circumstances in which the Subject deems their data incorrect, or when the data is necessary for legal purposes such as establishing, exercising, or defending legal claims, even though CBSM no longer needs it for its original processing purposes.


4. Right to object
The Data Subject may object to the processing of their Personal Data at any time, especially if the processing is carried out for the performance of an activity in the public interest or for the pursuit of the Data Controller's legitimate interests, including profiling, as specified in Article 21 of the Law. Should the Data Subject decide to exercise their right to object, CBSM shall refrain from processing their Personal Data any further, unless there are compelling legitimate reasons for the processing which outweigh the interests, rights and freedoms of the Data Subject or for the establishment, exercise, or defence of legal claims.


5. Right to lodge a complaint with the Data Protection Authority
Without prejudice to the Data Subject’s right to seek remedies in any other administrative or judicial authority, they may lodge a complaint with the Data Protection Authority if they believe that the processing of their Personal Data by the Controller violates the Law and/or the applicable regulations.