PRIVACY POLICY

This information notice, pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR), aims to inform data subjects about the processing of personal data that may be carried out by Change Italia S.r.l., VAT No. 12670861009, as Data Controller, for the purpose of conducting mandatory face-to-face identification and recognition operations required by current legislation on anti-money laundering and counter-terrorism financing (including, in particular, Legislative Decree 231/2007 and implementing provisions, EU Directive 2018/843, and EU Directive 2015/849) in order to provide currency exchange services.

Data Controller: Change Italia S.r.l., VAT No. 12670861009, with registered office in Rome (RM), Via Galvani No. 27, PEC: changeitalia@legalmail.it, e-mail: customerservice.changeitalia@gmail.com.

Purpose of Processing:

• To carry out direct identification procedures of the data subjects as required by applicable law, using innovative remote face-to-face identification methods, in order to complete currency exchange operations.
• To demonstrate the correct execution of identity verification activities through authorized personnel in accordance with current legislation on anti-money laundering and counter-terrorism financing.
• To send promotional communications via e-mail and/or conduct statistical surveys and customer satisfaction analyses on the services provided by the Data Controller.

Legal Basis for Processing: For purposes under point (1): a) The performance of a contract between the parties (Article 6(1)(b), GDPR) for the provision of the currency exchange service requested by the data subject; b) Compliance with legal obligations applicable to the Data Controller, in particular legislation on anti- money laundering and counter-terrorism financing (Article 6(1)(c), GDPR) for the direct identification of the data subject. For purposes under point (2): c) The legitimate interest of the Data Controller (Article 6(1)(f), GDPR) in using appropriate remote identification tools and verifying the correct execution of control operations under the Data Controller’s responsibility; such processing is carried out within the limits of what data subjects can reasonably expect in the relevant context, taking into account the innovative nature of the tools used for the transaction, balancing customer needs for speed and territorial availability of the service with regulatory compliance, and always ensuring the protection of the data subjects’ interests, rights, and freedoms. For purposes under point (3): The provision under Article 130(4) of Legislative Decree 196/2003 (“soft spam”) and the legitimate interest of the Data Controller (Article 6(1)(f), GDPR) to promote services similar to those already used by the data subject, balanced against the reasonable expectations of the data subject and the protection of their fundamental rights and freedoms. Sending such commercial communications does not require prior consent, and data subjects are always granted the right to object freely and easily (via opt-out), by contacting the Data Controller or by selecting the relevant link provided at the end of each communication.

Data Processed: Name, surname, identification document, image of the data subject’s face.

Processing Methods: Data will be processed electronically through the visualization of images by the authorized operator and the recording of a single frame of the data subject’s face. Processing will comply with the principles of relevance, completeness, and data minimization. In particular, the recording device: i) is activated by the on-site operator only during the identification phase, through a call to the authorized operator; ii) transmits the footage directly to the authorized and trained operator; iii) is active solely for the time necessary to recognize the data subject; iv) the authorized operator records a single frame of the subject’s face, which is linked to the transaction identification number and date for verification purposes and retained for 60 days. No other images are collected or stored; they are only evaluated in real time by the authorized operator. Other personal data necessary to complete the requested operation will be retained in accordance with applicable Italian law. Appropriate security measures are implemented to prevent data loss, unauthorized access, or misuse. All access is logged to monitor processing activities and detect potential violations. Data processing takes place within the European Union.

Provision of Data: Direct identification is mandatory under current law for the provision of currency exchange services and can only be carried out by certified and authorized personnel. Remote identification via camera and the provision of related data are necessary to complete the requested operation. Refusal to be recorded or to have a frame of one’s image taken will prevent service provision at this location, requiring the data subject to visit an authorized office for direct identification.

Categories of Recipients: Only personnel or authorized and trained subjects designated by the Data Controller will access the images, strictly within their duties. Extracted images will not be shared, except upon explicit request by competent authorities. Confirmation of successful remote identification, along with necessary identification data, will be documented and made available to authorities in compliance with applicable law.

Rights of the Data Subject: Data subjects may exercise their rights under Articles 15 et seq. GDPR, including: access, rectification, and deletion of data (unless retention is required by law or contractual obligations); data portability, withdrawal of consent for marketing purposes, and objection to processing, including soft spam, subject to the prevailing legitimate interest of the Data Controller.

Complaints: Data subjects have the right to lodge a complaint with the competent supervisory authority (Italian Data Protection Authority) in case of unlawful processing or obstruction of their rights, as well as to seek judicial remedies to defend their rights.