Premise

This privacy notice is provided by Master Mind NPL 114 S.r.l., with registered office at Via Fra’ Paolo Sarpi 46/A, 35138 Padua (PD), Italy (hereinafter, the “Company” or the “Processor”), pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”), in connection with the activities of management and recovery of non‑performing loans carried out on behalf of the respective data controllers.

The Company acts as data Processor pursuant to Article 28 GDPR, on the basis of specific contractual agreements with purchasers of non‑performing loans or other principals who act as data Controllers.

Data Controller

The Data Controller is the purchaser of the credit or the principal that has entrusted the Company with the management of the debtor position.

The identification details and contact information of the Controller are indicated in the communications sent to the data subject (e.g. transfer notice or communication of mandate for loan management).

Master Mind NPL 114 S.r.l. processes personal data exclusively on behalf of the Controller and in accordance with the instructions provided by the latter.

The Company’s Data Protection Officer (DPO) is: Avv. Luigi Ciccarese – PEC: luigi.ciccarese@ordineavvocatipadova.it.

Categories of data processed

In the context of the activities carried out on behalf of the Controller, the Company may process:

• Identification and personal data (name, surname, date and place of birth, tax code, address, telephone numbers and e‑mail addresses);
• Economic, financial and credit data (contractual relationships, debtor positions, past‑due amounts, payments, repayment plans, restructurings);
• Accounting data and administrative documentation relating to the positions under management;
• Transactional and banking data, including for the purposes of regulatory compliance;
• Data contained in complaints and formal communications submitted by data subjects.

Processing may be carried out by electronic means and/or on paper, using methods strictly related to the purposes described above and limited to what is strictly necessary for the performance of the loan management activities entrusted to the Company.

Source of personal data

The personal data processed by the Company in the context of non‑performing loan management activities originate primarily from the Data Controller (purchaser of the credit or principal), who provides data sets relating to the debtor positions under management, including personal, tax, contractual, economic and accounting information.

During the management of the loans, the Company may also acquire additional personal data relating to the same data subjects (debtors, guarantors, jointly liable parties or other persons involved in the relationship) from further sources, such as:

• authorised third parties providing information necessary for the management of the position (for example, information from public registers, lawfully accessible databases, land registry information or contact details);
• directly from data subjects or their representatives (such as lawyers, advisers or delegates), in the course of interactions, negotiation of repayment plans or handling of complaints;
• other parties in any way involved in the debtor position (for example, jointly liable parties, heirs or guarantors), limited to data that are relevant and necessary.

In all cases, the data acquired relate exclusively to information relevant to the debtor position under management and are processed by the Company on behalf of the Controller and in accordance with the Controller’s instructions, as well as in compliance with Articles 13 and 14 GDPR.

Purposes and legal bases of processing

Personal data are processed by the Company exclusively on behalf of the Controller and within the limits of the instructions given by the latter, in order to enable the performance of the loan management activities covered by the mandate. In particular, processing is carried out for the following purposes:

• Management of debtor positions: debt collection, servicing activities, management of administrative and accounting files and other activities connected with the management of debtor positions. Processing is carried out to enable the Controller to perform contractual or legal obligations, on the basis of the legal grounds identified by the Controller pursuant to Article 6 GDPR.
• Assessments and restructurings: analysis and preparation of payment plans, restructurings and settlement agreements. Processing is carried out to enable the Controller to perform contractual or legal obligations, on the basis of the legal grounds identified by the Controller pursuant to Article 6 GDPR.
• Complaints handling: assessment and response to complaints submitted by debtors or other interested parties. Processing is carried out to enable the Controller to perform contractual or legal obligations, on the basis of the legal grounds identified by the Controller pursuant to Article 6 GDPR.
• Regulatory compliance: fulfilment of regulatory and supervisory obligations (including prudential reporting and credit registry reporting). Processing is carried out to enable the Controller to perform contractual or legal obligations, on the basis of the legal grounds identified by the Controller pursuant to Article 6 GDPR.

The legal bases for processing are determined by the Controller pursuant to Article 6 GDPR and may include, by way of example, the performance of a contract or pre‑contractual measures, compliance with legal obligations or the Controller’s legitimate interest in managing and protecting its credit.

The Company does not independently determine the purposes and legal bases of the processing, but acts exclusively as Processor pursuant to Article 28 GDPR.

The provision of personal data is necessary for the proper management of the debtor position; failure to provide relevant information may result in the impossibility to process requests or to agree and implement negotiated solutions.

Categories of data subjects

The personal data processed relate to the following categories of data subjects:

• debtors and guarantors;
• contractual counterparties;
• complainants;
• third parties involved in relationships connected with loan management.

In addition to the categories listed above, personal data may also concern other persons who are involved, in various capacities, in legal, property or contractual relationships connected with the management of non‑performing loans, including any jointly liable parties, heirs, legal representatives or delegates.

Recipients of personal data

Personal data processed by the Company in the context of loan management activities may be disclosed, within the limits of the instructions given by the Data Controller and in compliance with applicable law, to the following categories of recipients:

• providers of IT and management services, including companies providing application software, hosting, maintenance and technical support services;
• providers of document archiving, printing and mailing services;
• consultants, lawyers and professionals engaged in connection with the management of debtor positions or related disputes;
• group companies or contractual partners involved in the operational management of loans, within the limits of their respective responsibilities;
• judicial authorities, supervisory authorities and other public entities, in the cases provided for by law.

Where such parties process personal data on behalf of the Company, they are appointed as sub‑processors pursuant to Article 28 GDPR by means of a specific written agreement and act in compliance with the instructions given and the required security measures.

Personal data may also be disclosed to the Data Controller for reporting, monitoring and control activities relating to the management mandate.

An up‑to‑date list of sub‑processors is available upon request from the data subject.

Data retention period

The Company retains personal data processed on behalf of the Controller for as long as is strictly necessary for the performance of the mandate and, in any event, in accordance with the instructions provided by the Controller.

In particular:

• data relating to debtor positions are processed for the entire duration of the management activity and subsequently retained within the limits and for the periods established by the Controller, as well as for any applicable legal obligations;
• data relating to assessments, restructurings and repayment plans are processed for the duration of the agreement and for the time necessary for the protection of rights in judicial proceedings;
• data processed in the context of complaints handling are retained for the time necessary to conclude the procedure and for the periods provided for by the relevant regulations.

Upon termination of the relationship with the Controller, personal data will be returned or deleted in accordance with the contractual agreement pursuant to Article 28 GDPR, unless their further retention is required by law or necessary for the protection of the Company’s rights.

Processing methods and security measures

Personal data are processed using electronic and paper‑based tools, in compliance with the principles set out in the GDPR. The Company adopts appropriate technical and organisational measures, including:

• access to IT systems restricted to authorised personnel only, by means of individual credentials and authentication systems;
• periodic backup systems and antivirus and firewall protection solutions;
• logging and monitoring of access to systems;
• storage of paper documentation in secure premises with controlled access;
• appointment of sub‑processors subject to contractual confidentiality and security obligations;
• training of authorised staff on data processing in accordance with Article 29 GDPR.

The measures adopted are reviewed periodically, also in light of regulatory and technological developments.

Rights of data subjects

Data subjects may exercise the rights set out in Articles 15–22 GDPR (access, rectification, erasure, restriction, objection, portability where applicable) by contacting the Data Controller directly.

Requests may also be addressed to the Company using the contact details indicated in this notice; in such cases, the Company will promptly forward the request to the Controller and cooperate with the latter in handling it, in accordance with the instructions received.

Data subjects also have the right to lodge a complaint with the Italian Data Protection Authority pursuant to Article 77 GDPR.

Record of processing activities

The processing activities carried out by the Company on behalf of the Controllers are recorded in the Processor’s Record of Processing Activities, prepared pursuant to Article 30(2) GDPR.

The Record is updated periodically and made available to the competent Authority upon request or inspection.

Processing activities carried out as independent Controller

For specific activities closely related to its internal organisation and to regulatory obligations directly applicable to the Company (such as, by way of example, accounting and tax compliance, supervisory obligations or the management of disputes relating to its own business), Master Mind NPL 114 S.r.l. may act as an independent Data Controller.

In such cases, processing is carried out in compliance with the GDPR and applicable legislation, on the basis of the relevant legal grounds.

Updates to this notice

This privacy notice is subject to periodic review in order to ensure its continued adequacy and compliance with applicable legislation. In particular, it is reviewed at least annually and, in any event, updated whenever legislative, regulatory or organisational changes affect the way personal data are processed.