Protection of personal data and data security

Describes the objectives and general principles that the Mediobanca group adopts in processing the information to support the business requirements and guaranteeing respect for the legal or regulatory provisions and the risk management choices.

The Policy defines the organisational and methodological framework that the group adopts as part of IT risk management, in order to ensure effective and efficient measures for protecting IT resources and grading mitigation measures based on the risk profile.

Provides the criteria and rules to which users must adhere to guarantee that information is classified and managed appropriately, in order to ensure an adequate level of protection of the company’s information assets.

Describes the actions and rules to be adopted for the management of data encryption and masking activities, of the associated communication channels and backups, for applications identified on the basis of the analysis of IT risk and privacy criticality.

Provides the general criteria and rules which must be complied with for the management of log management systems and activities.

Defines the security objectives and principles which third parties must comply with in accordance with the risk appetite defined at company level and consistently with the internal regulations governing the processing of privileged and confidential information.

• Group Personal Data Protection Policy: this document defines the general principles to which the Mediobanca Group must adhere in order to guarantee the protection of personal data which it processes in the course of its activities; 
• Group Information Security Policy: this describes the objectives and general principles which the Mediobanca Group adopts in processing information to support the needs of its business and to ensure that the legal or regulatory requirements and choices in respect of risk management are duly observed. The Policy is in the process of being updated, to bring it in line with the new regulatory requisites and based on the technological changes in the IT system provided for in the IT Strategic Plan. The revised version of the Policy was approved by the Board of Directors in December 2021; 
• Group IT risk management policy: this Group policy defines the organizational and methodological framework which the Mediobanca Group adopts in the area of IT risk management, to ensure the protection measures in force for IT resources are efficient and effective, and to tailor mitigation measures based on the risk profile; 
• Group Directive on IT and Security Incident Management: describes the actions to be adopted in order to manage incidents relating to IT systems and the security of information which generate, or could generate disruptions for users or impact on the company’s business, or entail risks for the protection of personal data;
• Group Directive on Systems Administrator Management: establishes the rules in order to regulate the activities performed by systems administrators, in accordance with the requirements of the Provision issued by the Italian Data Protection Authority, and identifies operating roles and responsibilities in the systems administrator process; 
• Directive on information classification and management: this directive sets out the criteria and rules with which users must comply to ensure that information is classified and managed correctly, and so guarantee an adequate level of protection for the company’s information capital. The Directive has been updated to incorporate revision of the information classification levels and the related security rules; 
• Group Directive on data masking and encryption: this directive describes the actions and rules to adopt in managing the activities of encryption and masking of data, its communication channels and backup, for applications identified based on IT risk and privacy criticality analysis; 
• Group Directive on Log Tracking and Management: this directive sets down the criteria and general rules to be followed in systems and log management activities; 
• Group Directive on Security in Relations with Third Parties: this directive defines the security objectives and principles with which third parties must comply in accordance with the risk appetite defined at company level and consistent with the internal regulations on treatment of inside and confidential information; 
• Manual for data processing records: defines the methodological approach to be used in drawing up and maintaining personal data records, the structure and minimum content of the records, the operating methods used to compile them and the instances in which the records are to be updated; 
• Manual on risk analysis and data protection impact assessment (DPIA): defines the guidelines for executing risk analysis and DPIAs, outlining the methodological approach, the cases in which a DPIA has to be performed, the valuation metrics and the cases in which the analysis or assessment are to be updated; 
• Manual on personal data retention: defines the criteria for identifying the retention periods for the different categories of personal data processed and the general rules according to which company procedures are to be drawn up to guarantee that the requirements in the area of data retention are applied;
• Group Manual on the Principles of Privacy by Design and by Default: aims to consolidate these principles in initiatives involving the processing of personal data, through general rules of involvement of the competent structures, and to guarantee the implementation of suitable measures technical and organizational, aimed at effectively implementing the principles of data protection, integrating the necessary guarantees in the treatment to satisfy the regulatory requirements, both at the time of determining the means of treatment and at the time of the treatment itself.
• Group directive on personal data breaches: serves to govern the activities relating to management of data breaches, including assignation of specific responsibilities; 
• Operating procedure on risk analysis and DPIA in data privacy: describes the processes involved in performing risk analysis and DPIA; 
• Operating procedure on the rights of interested parties in data privacy: describes the management of data subjects’ rights, making it easier for them to exercise their right to request access to data, to ask for data to be amended or deleted, or to exercise their right to oppose the data processing; 
• Operating procedure on matters pertaining to consent in data privacy: describes how the issue of consent is managed, enabling the data subjects to withdraw or alter their consent in a straightforward manner;
• Operating procedure on management of data privacy issues in relation to providers: governs the preparatory activities for identifying the data privacy profiles of providers who process personal data of which the Bank is the controller; 
• Group directive on management of tracking bank operations: provides the general criteria and rules that Mediobanca has adopted in order to meet the obligations prescribed under resolution no. 192/11, published by the Italian authority, to identify and analyse possible undue access to clients’ personal data; 
• Operating procedure on records of processing activities in data privacy: governs the process of instituting and maintaining the records of data processing activities required by the EU regulations (GDPR); 
• Operating procedure on management of personal data deletion: governs, for each category of data subject, the regular process of large-scale deletion of personal data; 
• Group directive on third-party IT risk management: establishes the criteria for identifying the scope of the IT third parties, and the actions to be taken with each of them in order to strengthen the risk management coverage.