made pursuant to articles 13 and 14 of EU Regulation 2016/679

General Data Protection Regulation


Below we provide customers, including potential customers, guarantors, co-debtors, third-party payers and third parties in general who come into contact with our Company (the “Data Subjects”), a summary description of the essential characteristics of the processing of their personal data carried out by Cherry 106 SpA, with registered office in Rome (ZIP code 00142), Via Benedetto Croce n.40, tax code and VAT number 08508011007, which acts as Data Controller (hereinafter the “Owner” or the “Company”). The treatment will take place in compliance with EU Regulation 2016/679 – General data protection regulations (the “Regulations”) and Legislative Decree 30 June 2003, n.196, as amended by Legislative Decree 101/2018 (hereinafter the “Code”).


“Data” means “any information concerning an identified or identifiable natural person” and “Treatment” means “any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction”.


For further details, please refer to the detailed information that follows.


The information on the processing of personal data is made available in summary form in the following Summary Table on Treatment, which makes it easy to find essential information relating to the processing of personal data. Detailed information is also available later in the document, providing a complete picture of the information that we are required to provide pursuant to art. 13 of the GDPR.


  • Who is the Owner?

The Owner is: Cherry 106 SpA, Via Benedetto Croce n.40, Rome 00142, tax code and VAT number 08508011007


  • What personal Data do we process?

Personal, delivery and financial data, information relating to telephone calls with our call center and sometimes judicial information


  • Why do we process Personal Data? (Purpose)
  1. Compliance with legal obligations, regulations, community legislation
  2. Execution of obligations and exercise of rights deriving from the relationship with the interested party, both those current and being finalized
  3. Assessment, exercise or defense, also in court, of the Company’s rights


  • What is the treatment based on? (Legal basis)
  1. Execution of contract or pre-contractual measures (art.6 (1), letter b. GDPR)
  2. Compliance with legal obligations (art.6 (1), letter c. GDPR)
  3. Legitimate interest (art.6 (1), letter f. GDPR)
  4. Consent


  • How do we treat Personal Data?

In computer and paper form, with the observance of precautionary measures applicable by the Owner that guarantee its security, confidentiality and control.

The data may also be stored and processed on servers located outside the European Community but within the area of application of the Privacy Shield Treaty.


  • Who do we disclose Personal Data to? (Categories of Recipients)
  1. Subjects with a legitimate right to access the Data;
  2. Those appointed and authorized by the Owner
  3. Service providers, who act as Data Processors pursuant to art.28 GDPR;
  4. Subjects to whom communication is necessary for the fulfillment of contractual obligations;
  5. Public authorities
  6. Third parties

The personal data processed by the Owner are not subject to disclosure.


  • How long do we keep Personal Data for?

Personal data will be kept for the time necessary to pursue the purposes listed above. In any case, the processing cannot have a longer duration, for each piece of data processed, than the limitation period for the exercise of the rights related to that data.

Criteria used to determine the additional data retention period:

  1. Pursuit of purposes related to the processing
  2. Conservation time required by law
  3. Revocation of consent by the interested party (in case of treatment based on consent)
  4. Maximum term allowed by current legislation to protect the rights and/or interests of the Owner


  • Is the provision of personal data mandatory or optional?

For the processing of data carried out on the basis of the contractual relationship, the provision of data is mandatory.



  • What happens in case of refusal to communicate personal data?

Refusal may result in the inability to provide the service or the violation of a legal obligation or a contractually assumed obligation.


  • What rights does the person concerned have?

The interested party has the right to:

  1. Access the data in our possession and request its communication in an intelligible form;
  2. Request updating, correction and/or integration;
  3. Request cancellation (“right to be forgotten”);
  4. Ask about the limitation of the treatment;
  5. Request notification regarding the updating, rectification, cancellation, limitation;
  6. Request data portability;
  7. Object to processing and refuse automated decision-making, including profiling;
  8. Revoke the consent given;
  9. Make a complaint to a supervisory authority.


1 – Identity and contact details of the Owner

The Owner is Cherry 106 S.p.A., with registered office in Rome (ZIP code 00142), Via Benedetto Croce n. 40, tax code and VAT number 08508011007, tel.  +39 06 5037097, email


2 – Data sources

The Data subject to Processing activities by the Owner are acquired directly by the Company and/or through third parties appointed for this purpose (e.g. by consulting public databases, public registers, etc.), or following the acquisition by the Company of the receivables deriving from the relationship between the interested party (as a debtor, co-obligor or guarantor) and the transferring financial and/or banking institution.


3 – Type of data processed

The Company collects and processes the data of the interested parties for the purposes specified in point 4 below. Below is an example list of the data being processed:

(i) personal data, such as name, surname, marital status, title, date and place of birth, identity document number, tax code;

(ii) contact details, such as home address, email address and telephone numbers;

(iii) financial data, such as bank details, statement of assets, credit information;

(iv) data relating to credit acquired, such as extinguished relationships, movements, balances, the contract number from which the credit derives, any pending legal proceedings, transactions that have taken place;

(v) (if transmitted directly by the interested party) data relating to telephone recordings;

(vi) civil and criminal judicial data.


4 – Purpose of the Treatment and legal basis of the Data processing

The Data will be processed, in compliance with the aforementioned legislation, for the following purposes:

1) fulfillment of legal obligations, regulations, EU legislation as well as orders/provisions of Public Authorities and/or Supervisory Bodies (for example, in tax or accounting matters, invoicing, anti-money laundering, fight against tax evasion, counter-terrorism, etc.);

2) execution of obligations and exercise of rights deriving from the relationship existing with the interested party or necessary for the conclusion of a contract as well as for the execution of other activities related and instrumental to the execution and management of the relationship (e.g. payment management, checks on the progress of the relationship, credit insurance, assistance and support, etc.);

3) assessment, exercise or defense also in court of the Company’s rights (e.g. for the purposes of recovery or credit protection; protection of company assets; assignment of credits, credit monitoring, dispute management);

4) statistical research and/or analysis on aggregate or anonymous data, without the possibility of identifying the interested party; direct or indirect marketing activities also performed by third parties but only on financial products and related services (requires consent);

5) promotion and provision of additional and optional services such as by way of example: information services, alerts and payment instruments (requires consent).

Data processing for the aforementioned purposes is mandatory.

Data processing can take place with or without the consent of the interested party as necessary for the execution of the contractual relationship and for the fulfillment of the related legal obligations (art.6, paragraph 1, letters b) and c) of the Regulations), as well as on the basis of the legitimate interest of the Company in ascertaining, exercising or defending the rights of the Company in court, in assessing the ability of the interested party to correctly execute the obligations deriving from the existing relationship (Article 6, paragraph 1, letter f) of the Regulations).

Finally, the data of the interested party will undergo an anonymization process, intended to make them no longer attributable to the person of the interested party. These anonymous data will be used by the Company and possibly by other associated companies.


5 – Methods of data processing

Data processing will take place with the support of manual, paper, IT or telematic means, in compliance with the Regulations and Code, and, in any case, in order to guarantee the security and confidentiality of the data and prevent its disclosure or unauthorized use, alteration or destruction by means of efficient physical, logical and organizational security measures.


If necessary for the pursuit of the purposes referred to in paragraph 4, the Data of the interested party could be transferred abroad, to countries/organizations outside the EU that guarantee compliance with the processing methods provided for by the GDPR.

The Data Controller will carry out the treatments through a personalized and non-automated evaluation process; the use of software is to be considered as exclusive support for human activity and does not replace it.


6 – Recipients of the Data

The data acquired through the site are communicated to the recipients to the extent strictly necessary in relation to the aforementioned purposes.

The Data may be brought to the attention of (limited to the respective area of competence):

  a) subjects to whom the communication of data is necessary for the operation and provision of services and contractual or pre-contractual performance, who act as Data Processors, pursuant to written agreements entered into with the Owner;
  b) persons in charge and persons authorized by the Owner who have committed themselves to confidentiality or are subject to an adequate legal obligation of confidentiality (e.g. employees and collaborators of the Company);
  c) third parties, in a relationship of autonomous ownership or joint ownership with the Owner, for the promotion and provision of additional and optional financial services, such as but not limited to: employee loans, financial or payment services and others.

The data will not be disseminated.

In order to fulfill legal obligations, regulations, community legislation or contractual obligations, as well as to exercise any rights in court, the following third parties may have access to the Data of the interested party: (i) banks, lenders, credit and financial institutions; (ii) tax, legal or accounting consultants; (iii) companies that provide the Owner with instrumental credit recovery services; (iv) companies that provide the Owner with services instrumental to the management of the contractual relationship (e.g. suppliers of management applications); (v) authorities and bodies, public and private, of supervision and control (e.g. Bank of Italy, Inland Revenue, Bank of Italy Risk Center, judicial authority, etc.).

Where necessary, the Company will appoint the recipients of the Data as Data Processors, pursuant to art. 28 of the Regulations. A list of all Data Processors can be requested by means of a communication to be sent to the addresses indicated in point 8. The communication of personal data to the categories of recipients listed above may involve the transfer of personal data both within and outside the EU (in the latter case, this will only concern countries adhering to the Privacy Shield protocol or countries that guarantee an adequate level of protection in accordance with the provisions of the GDPR).

No personal data will be disclosed.


7 – Data retention period

For the purposes indicated above, the Data will be kept for the time strictly necessary to achieve the purposes for which they were collected and processed. The criterion for determining the actual data retention period will be represented by the limitation period of the actions deriving from the relationship in place with the interested party. Without prejudice to the need to retain data for the purpose of fulfilling legal obligations of the Company or for the assessment, exercise or defense in court of the Company’s rights, the Data of the interested party will not be kept for a period longer than 10 years from the termination of the relationship, except for specific interruption of the prescription, after which the same data will be irreversibly destroyed or anonymized, unless their further conservation is necessary to fulfill legal obligations or to fulfill orders given by Public Authorities and/or Supervisory Bodies.


8 – Mandatory and optional nature of the provision of personal data

For the contractual services performed directly by the Owner towards the interested party, the provision of data is mandatory; for all optional services, including communications and offers of additional services (art 4.5 and 4.6), the provision of data is optional and based on consent, which is revocable at any time.


9 – Rights of the interested party

By sending a communication to the Company’s registered office or to the address, each interested party may at any time exercise the rights referred to in article 15 and subsequent articles of the Regulations, including the right to: (i) obtain confirmation that a processing of data concerning him or her is in progress; (ii) obtain access to their data and to the information indicated in art. 15 of the Regulations; (iii) obtain the correction of inaccurate data concerning him or her without undue delay, or the integration of incomplete data; (iv) request the deletion of data concerning him or her without undue delay; (v) request the limitation of the processing of data concerning him or her; (vi) be informed of any corrections or cancellations or limitations of the processing carried out in relation to the data concerning him or her; (vii) receive the data concerning him or her in a structured format, commonly used and readable by an automatic device; (viii) object at any time, for reasons related to their particular situation, to the processing of data concerning him or her carried out on the basis of the legitimate interest of the Company. The complete list of the rights of the interested party can be found on

The exercise of the aforementioned rights is not subject to any formal requirement and is free of charge. We respond to the interested party’s request within one month of receiving it. In case of particular complexity, the term could be extended; in these cases, the Company undertakes to provide at least one interlocutory communication within one month of receiving the request.

In case of exercise of one of the rights provided by the Regulation, the Company reserves the right to verify the identity of the interested party, requesting to send a photocopy of an identity document that certifies the legitimacy of the request. Once the identity of the interested party has been confirmed, the photocopy received will be immediately destroyed.


10 – Complaint to the supervisory authority

If the interested party believes that the processing concerning him violates the provisions of the Regulation, he can lodge a complaint with the Guarantor authority for the protection of personal data (, or with the Guarantor authority of the country in which he usually resides, works or the place where the alleged violation occurred.


11 – Data Protection Officer

The Data Protection Officer (DPO) appointed by the Company pursuant to art.37 of the Regulations can be contacted at the registered office or at the email address:

Cherry 106 S.p.a.