Privacy Policy

This document discloses Morrow Sodali's data protection policies and practices on Personally Identifiable Information (hereinafter “personal data”) where Morrow Sodali is considered a Controller in accordance with the General Data Protection Regulation EU 679/16 (hereinafter “GDPR”).

Such personal data may be collected on any section and form of the website (hereinafter “Website”) or supplied by the data subject in any form, electronic or printed, by email, social network, telephone, business card, etc.

This privacy policy provides information to the data subject as per art. 13 and 14 of the GDPR.

Personal Data Processing Information

We collect and process only personal data that website visitors and data subjects voluntarily supply to us via a website form, an email message, social network communication, telephone or other direct or indirect forms of communication.

We generally collect using web forms the following categories of personal data:

  • Generic Personal Data (e.g. First and Last Name, Date of Birth, etc.)
  • Generic Contact Data (e.g. email, telephone, postal address, etc.)
  • Job information (Company, Job Role, etc.)

Occasionally, we may collect the following further categories of personal information:

  • Shareholder voting intention
  • Financial Asset trading intentions

We may collect and process the following categories of personal data in the “work with us” section of this website, as well as using social networks, email or the postal service:

  • Generic Personal Data (e.g. First and Last Name, Date of Birth, etc.)
  • Generic Contact Data (e.g. email, telephone, postal address, etc.)
  • Career history and salary information (work career, salary history, CV details etc.)

Processing personal data may include collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, transmission, cancellation and destruction of data. Personal data may be processed and stored both in paper and electronic form with manual and/or automated processing.

Processing Purpose and Legal Basis for Processing

The legitimate purpose for processing your personal data is one of the following:

  • a) Performing direct marketing activities via email, SMS, telephone or social network channels, i.e. providing the data subject with information and reports on financial markets, news on Morrow Sodali legal entities' activities and events around the world, new products or services, changes to this privacy policy, etc. The legal basis for such processing is that the data subject has given consent to the processing of his or her personal data for this specific purpose (art. 6.1.a of the GDPR); or
  • b) If the data subject is a client of one Morrow Sodali legal entity, direct marketing activities may be performed on the legal basis of the legitimate interests of the controller to inform or propose similar services (art. 6.1.f of the GDPR), where such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data; or
  • c) Work and salary history information are collected and processed with the purpose of evaluating candidates for job positions within the Morrow Sodali organizations. Personal data are processed with the legal basis that processing is necessary in order to take steps at the request of the data subject prior to entering into a contract (art. 6.1.b of the GDPR).

Technical and Organizational Security Measures

The Controller takes all possible technical and organizational measures to protect personal data against loss of confidentiality, integrity and availability, as required by art. 32 and al. of the GDPR. Non-exhaustive examples of such measures include:

  • Access to Personal Data is controlled and performed only by trained people
  • Our systems are protected against virus/malware, updated periodically
  • Security patches and software updates are applied as soon as they are available
  • Periodic Backup of personal data is performed

These technical and organizational security measures are subject to continuous upgrade, and you may request the most updated version of such measures by contacting the Controller at the contacts detailed in the relevant section below.

Data Retention

We will retain personal data for as long as is necessary for the processing purpose(s) for which it was collected and any other permitted linked purpose (for example where we are required to retain personal information for longer than the purpose for which we originally collected it in order to comply with certain regulatory requirements). Our retention periods are based on business needs.

Personal data that are no longer needed are either irreversibly anonymized (and the anonymised information is retained) or securely destroyed in accordance with internal retention policy.

Personal Data Transfer and Sharing

In the fulfillment of the purpose stated in the relevant section of this document, personal data may be transferred to the following recipients or categories of recipients:

  • Third party companies or other subjects that process data on behalf of the Controller as Data Processor ex art. 28 of the GDPR;
  • Supervisory Bodies, Judicial Authorities, Law Enforcement Agencies as well as to those subjects located within the European Economic Area (hereinafter “EEA”) to whom transmission is mandated by law. These subjects will process the data as independent data controllers.

Furthermore, the Controller may transfer and process personal data outside the EEA under one of the following conditions:

  • Personal data are transferred to a third country or an international organization where the Commission has decided that it ensures an adequate level of protection (art. 46); or
  • The Controller has signed an agreement based on European Commission Standard Contractual Clauses with the third-party company or entity located outside the EEA (art. 47); or
  • Personal data are transferred to third countries outside the EEA and the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards (art. 49); or
  • Personal data are transferred to Supervisory Bodies, Judicial Authorities, Law Enforcement Agencies, as well as to those subjects located outside the EEA to whom transmission is mandated by law. These subjects will process the data as independent data controllers.

Data Subject Rights

Data subjects have the following rights set forth by the GDPR, and in particular:

  • a) Right to obtain confirmation as to whether or not personal data concerning the data subject are being processed by the Controller, and, where that is the case, access to the personal data in an intelligible form and to the other information.
  • b) Right to rectification of inaccurate personal data concerning the data subject. Considering the purposes of the processing, data subjects have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  • c) Right to be forgotten, or the right to obtain the erasure of personal data concerning the data subject, subject to the provisions and limitations stated in art. 17 of the GDPR.
  • d) Right to obtain from the Controller restriction of the processing of your personal data according to the provisions and limitations of art. 18 of the GDPR.
  • e) Right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
  • f) Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  • g) When the legal basis for the processing is your consent, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right to Complain with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

How to Exercise Rights

Data subjects may exercise their rights at any time by contacting the Controller at the contacts detailed in the relevant section below.

Controller's Contact Details


Morrow Sodali S.p.A. - Via XXIV Maggio, 43 - 00187 Rome (Italy)
Telephone: +39 06 4521 2800

Data Protection Officer

Ing. Guido Zucchelli


Version 2.0 of 16/11/2020