CODE OF ETHICS

As a company that provides, among other things, services similar to fraud prevention, the Ineo srl adopted and notified the Guarantor of Privacy, on 13 March 2015, the following code of ethics.

Preamble
In view of the social importance of fraud prevention and the sensitivity and complexity of the operations carried out in processing all or even only one of the planned activities such as collection, the analysis and evaluation of information relevant to the prevention of fraud concerning both the identity of the entity and the veracity of the declarations made and the proposed documentation of the finding of any other element useful for the investigation ascertain the availability and reliability of the applicant and the information submitted by the applicant, operators consider it appropriate to establish uniform rules for the professional category of undertakings providing such services (hereinafter also anti-fraud companies), in application of the rules, including regulations, referred to in T.U.L.P.S (R.D. No. 773/1931), the relevant Implementation Regulation (R.D. 635/1940) and D.Lgs 30.6.2003 n. 196 and of the EU 679/2016. The professional activity of fraud prevention, in its broadest sense, is based on the scrupulous observance of the fundamental rules of moral integrity, professional responsibility and confidentiality beyond the normal observance of all the law in force.

Premise
The anti-fraud companies subscribe to this code of ethics and good conduct on the basis of the following premises:

1. the processing of personal data, carried out as part of the anti-fraud activity described here, must be carried out in compliance with the rights, fundamental freedoms and dignity of the data subjects, in particular the right to the protection of personal data, the right to privacy and the right to personal identity;

2. this Code identifies adequate safeguards and methods of processing to protect the rights of data subjects to be observed in pursuing the purposes of credit protection and risk containment, in order to prevent fraud, improve the assessment of the risk assumed and thus facilitate access to and the provision of credit;

3. all those who use personal data for the above purposes must comply with the ethical rules established by this Code as an essential condition for the lawfulness and correctness of the processing;

4. this Code does not cover information systems owned by public bodies and, in particular, the public system for the administrative prevention of fraud in the field of consumer credit, with specific reference to identity theft based on a central computerized file pursuant to article 30-ter, paragraph 2, of D. Lgs. 13.8.2010 n. 141.

• Art. 1. Definitions

  1. The premises and the preamble form an integral part of this code of ethics and good conduct, for the purposes of which the definitions listed in the Code on the protection of personal data (art. 4 of Legislative Decree no. 30.6.2003 n. 196 and of the reg. EU 679/2016) are applied, hereinafter called "Code". For the same purposes, the following definitions shall also apply:

  2. "consumer" means the private person requesting financing by giving consent to the processing of data, including for "anti-fraud" control measures and by providing the information and documents analyzed in the anti-fraud procedure.

  3. "anti-fraud processing" means the activity concerning separately or jointly the collection, analysis, processing, reporting of any information that may be useful for:

  4. assess the veracity and completeness of the consumer’s proposed documentation and the personal information provided;

  5. prevent fraud of any kind, both in terms of the identity of the person and his ability to repay any financing;

  6. "anti-fraud company" means a private entity which, in compliance with this code of ethics, carries out anti-fraud work in the capacity of appointee, manager or owner of the processing of personal data for the purposes indicated here, with the right consent expressed by the "consumer";

  7. "intermediary" means the private person responsible for the processing of personal data collected in connection with requests/credit reports, which by virtue of a contract or agreement with the anti-fraud company, is the right consent collected by the consumer, provide anti-fraud information and documents to receive an anti-fraud report or report.
     The intermediary may be:

  8. a bank;

  9. a financial intermediary;

  10. an agent or mediator registered in the OAM;

  11. another private entity which, in the exercise of a commercial or professional activity, grants deferred payment of the consideration for the supply of goods or services;

  12. "anti-fraud report" means the feedback given to the intermediary regarding the anti-fraud processing requested on the information and/or documentation proposed by the consumer for funding.

  13. "data retention time" means the period during which the anti-fraud report remains available to the requesting intermediary.

• Art. 2. Purpose of processing

  1. The processing of personal data for anti-fraud purposes is carried out by the anti-fraud company and the intermediary exclusively for fraud prevention-related purposes in its broadest sense, d the protection of credit and the containment of the related risks and, in particular, to assess the veracity of the information and documentation proposed by the consumer.

  2. No other purpose may be pursued, in particular with regard to market research and the promotion, advertising or direct sale of products or services.

• Art. 3. Methods of collection and protection of data processed

  1. The anti-fraud company acquires the personal data processed, with the consent of the consumer, from:

  2. Intermediaries from which the consumer has applied for financing;

  3. Public information sources;

  4. Sources of private information authorized for this purpose;

  5. Internal database, if any.

  6. The anti-fraud company adopts appropriate verification procedures to ensure the security and protection and privacy of the data processed and reported.

• Art. 4. Consent to processing

  1. At the time of collection of personal data given to the requests for credit, the Intermediary collects the consent of the consumer pursuant to art. 13 of the Code also with regard to the communication of the data themselves or parts of them to anti-fraud companies for the processing of personal data for the purposes and in the manner indicated here.

• Art. 5. Storage and updating of data

  1. Personal data relating to consumers who require credit, communicated by intermediaries, and information resulting from research and analysis of anti-fraud processing, may be kept for the time necessary for the relevant investigation.

• Art. 6. Data security measures

  1. Personal data processed in the context of anti-fraud processing, are confidential and may not be disclosed to third parties, outside the cases provided for by the Code and in the previous articles.

  2. Natural persons who, in their capacity as controllers or processors designated by the anti-fraud company or intermediaries, have access to the information processed or to anti-fraud reports, maintain the confidentiality of personal data acquired and are liable for the breach of confidentiality obligations arising from the use of data or disclosure to third parties for purposes other than or incompatible with the purpose referred to in art. 2 of this Code or otherwise not permitted.

  3. The anti-fraud company and intermediaries shall take appropriate technical, logical, IT, procedural, physical and organizational measures to ensure security, the integrity and confidentiality of personal data and any electronic communications in accordance with personal data protection regulations

• Art. 7. Transitional and final provisions

  1. The measures necessary for the application of this Code of Ethics and Good Conduct shall be taken by the entities required to comply with it by 30 June 2015.

  2. In order to enable the proper implementation of the provisions of this Code to be monitored, each anti-fraud company shall communicate to the Guarantor, no later than two months after the deadline referred to in Coma 1 and in the manner indicated by the latter, in addition to their identification details and contact details, a general description of how to provide the relevant services and access by intermediaries to anti-fraud reports, which makes it possible to assess the adequacy of measures, including technical and organizational, adopted for the application of this Code.

  3. The communications referred to in coma 2 shall be sent to the Guarantor, even after the aforementioned deadline, by any private person who, as an anti-fraud company, intends to process personal data subject to the scope of this Code.

  4. In order to ensure that the provisions of this Code are complied with in good time, without prejudice to the powers of the Code of Verification and Control, the Guarantor may agree with the anti-fraud company to carry out other periodic checks at the places where the processing of personal data takes place

• Art. 8. Effective Date

  1. This Code shall apply from the date of its signature.