Given the nature of our business, we collect, process and manage a significant volume of personal customer data and information every day, both on paper and in digital form.
Respect for privacy and the protection of information, as well as its integrity, reliability and usability are an essential commitment for us, which forms the basis of a relationship of trust with our customers and fulfils the legislative obligations that apply to our services.
We work constantly to improve our security control system, also through the implementation of Cyber Intelligence solutions and services.
PERSONAL DATA PROTECTION
We have defined the commitment and principles that guide us in the data protection domain in the group Personal data protection policy and we work on a daily basis to integrate it in our operations. In 2019, we concentrated on consolidating the necessary activities to comply with the rules of European Regulation 2016/679 (GDPR - General Data Protection Regulation). More specifically, we:
- reinforced the IT application security profiles;
- drafted new internal procedures and guidelines, in particular relating to the management of the personal data of potential customers and the management of privacy obligations related to group suppliers and individual companies;
- promoted the adoption of an electronic tool for registering data processing;
- continued with implementation activities for the fulfilment of personal data storage obligations;
- promoted and strengthened the privacy by design activities within the group.
We are constantly committed to guaranteeing the security, confidentiality, integrity and availability of information. In particular, we have adopted secure communication protocols certified by the authorities (GlobalTrust Certification Authority) and, when necessary, strong authentication tools to ensure protection in exchanging and accessing data.
In addition, we carry out continuous security checks and risk analysis activities to guarantee adequate oversight and organisational and technological controls across the entire perimeter of the group, as well as regular awareness campaigns for our employees, aimed at raising awareness across the company of the protection of the information we manage.
Group policies and directives on data security risk management
- Describes the objectives and general principles that the Mediobanca group adopts in processing information to support business requirements, while guaranteeing compliance with legal and regulatory provisions and with its risk management choices.
- Defines the organisational and methodological framework that the group adopts as part of IT risk management, in order to ensure effective and efficient measures for protecting IT resources and to grade mitigation measures according to the risk profile.
- Provides the criteria and rules to which users must adhere to guarantee that information is classified and managed appropriately, in order to ensure an adequate level of protection of the company’s information assets.
- Describes the actions and rules to be adopted for the management of data encryption and masking activities, of the associated communication channels and backups, for applications identified on the basis of the analysis of IT risk and privacy criticality.
- Provides the general criteria and rules which must be complied with for the management of log management systems and activities.
- Defines the security objectives and principles which third parties must comply with, in accordance with the risk appetite defined at company level and consistently with the internal regulations governing the processing of privileged and confidential information.