PRIVACY POLICY

This privacy notice, pursuant to Article 13 of EU Regulation 2016/679, is intended to inform data subjects about the processing of personal data that may be carried out by Change Italia S.r.l., VAT No. 12670861009, as Data Controller, in order to perform face-to-face identification procedures required by current legislation on anti-money laundering and counter-terrorism financing (including, in particular, Legislative Decree 231/2007 and implementing regulations, EU Directive 2018/843 and EU Directive 2015/849) for currency exchange services.

Data Controller: Change Italia S.r.l., VAT No. 12670861009, registered office in Rome (RM), Via Galvani 27, PEC changeitalia@legalmail.it, e-mail: customerservice.changeitalia@gmail.com.

Purpose of processing: (1) to carry out direct identification procedures of applicants as required by current legislation using innovative remote face-to-face identification methods for currency exchange operations; (2) to demonstrate the correct execution of identity verification by authorized personnel under current anti-money laundering and counter-terrorism regulations; (3) to send promotional communications and/or conduct statistical and customer satisfaction surveys regarding services offered by the Data Controller.

Legal basis of processing: for purposes under point (1): (a) performance of the contractual relationship (Art. 6(1)(b), EU Reg. 679/2016) for providing the requested currency exchange service; (b) compliance with legal obligations under anti-money laundering and counter-terrorism laws (Art. 6(1)(c), EU Reg. 679/2016). For purposes under point (2): (c) legitimate interest of the Data Controller (Art. 6(1)(f), EU Reg. 679/2016) to use appropriate remote identification tools and ensure correct execution of control operations. For purposes under point (3): Art. 130(4), Legislative Decree 196/2003 (“soft-spam”) and legitimate interest of the Data Controller for promotion of similar services, balanced with data subject rights and expectations. Recipients may opt out at any time.

Data processed: name, surname, identification document, and image of the data subject’s face.

Processing methods: data will be processed electronically by viewing recordings by authorized operators and storing a single frame of the data subject’s face. The recording device is activated only for identification, transmits data to authorized operators, and the image is stored for 60 days linked to transaction ID and date. Other personal data collected for the requested transaction will be stored according to applicable laws. Security measures are in place to prevent unauthorized access. Processing occurs within the EU.

Provision of data: direct identification is required by law and can only be carried out by certified personnel. Refusal to provide an image prevents service delivery at this location; the customer must visit a branch offering in-person identification.

Recipients: access to images is restricted to authorized personnel. Extracted images are not shared except upon request by authorities. Transaction data is made available to authorities as required by law.

Data subject rights: data subjects may exercise rights under Articles 15+ of EU Regulation 679/2016, including access, rectification, deletion, portability, withdrawal of consent, and objection to processing (including soft-spam), without prejudice to the Controller’s legitimate interests.

Complaint: data subjects may file a complaint with the Supervisory Authority (Garante per la protezione dei dati personali) or seek judicial protection in case of unlawful processing, delays, or obstruction of rights.