Privacy policy

Notice pursuant to art. 13 Reg. UE 2016/679 (General Data Protection Regulation or GDPR) and art. 13 D.Lgs. 196/2003 (Privacy Code) and amendments thereto

CheckSig S.r.l., with registered office in Milan MI, piazza Liberty 8 CAP 20121, Tax and VAT Number 11028330964, PEC email address:, is the Data Controller of data subject who visit website and of customers who access the services provided by CheckSig.

CheckSig understands that you are aware of and care about your own personal privacy interests and we take that seriously. This Privacy Notice describes CheckSig’s policies and practices regarding its collection and use of your personal data and sets forth your privacy rights. This Privacy Notice is drafted in a clear and intelligible way and accessible to the general public.

We recognize that information privacy is an ongoing responsibility and so we will from time to time update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies.

The notice is not valid for external links. Data Controller is not to be considered responsible for third parties’ web pages.


Any information relating to an identified or identifiable natural person (“data subject); an identifiable natural person is one who can directly or indirectly be identified, in particular by reference to an identifier such as a name, and identification number, a location data, an online identifier or to one or more specific factors to the physical, physiological, genetic, mental, economic, cultural or social identity (C26, C27, C30).

As a rule, the Website can be used without have to provide any personal data. Personal data are collected within specific sections of the website and via electronic forms only to access CheckSig services (i.e. request an appointment with our representatives). In this case, CheckSig, as Data Controller, collects and processes: first name and surname, email address and phone number.

During the onboarding process of the data subject, for personal identification purposes and in order to comply with the obligations concerning anti-money laundering and the fight against terrorist financing, additional personal data are collected through off-line questionnaires, direct requests and video-calls.

This may include:

  • Identification Information – such as date and place of birth; place of residence; postal address, if different from residence; government identification numbers, which may include identification document’s number, issuing authority, date of issue and expiry and tax code;
  • Sensory Information – such as images and video-audio recordings collected for identity verification; recordings left on answering machines;
  • Employment Information – such as job title, source of wealth;
  • Institutional Information – such as for institutional customers, we may collect additional information, including: institution’s legal name; proof of legal existence (which may include articles of incorporation, certificate of formation, business license, trust instrument, or other comparable legal document);
  • Transaction Information – such as trading activities, including order, deposits or withdrawals; Digital Asset data and Personal Information published on a blockchain.

In any case, CheckSig does not collect data from persons younger than 18 and does not process sensitive data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, or health status.

Personal data of the user are processed:

  • With no specific consent of the data subject (Article 6(b), (c) and (f) GDPR), for the following purposes:
    • comply with pre-contract and contract obligations of CheckSig;
    • carry out all measures and actions upon request of the data subject;
    • comply with the obligations set out under the D.Lgs. 231/2001, D.Lgs. 231/2007 and amendments thereto (anti-money laundering);
    • pursue legitimate rights and interests (such as the right of defence before the Court);
  • Only upon specific and separate consent (Articles 23 and 130 of the Privacy Code and Article 7 GDPR), for the following marketing purposes:
    • send by e-mail, post and/or sms and/or telephone contacts, newsletters, commercial communications and/or advertising material on products or services offered by the Data Controller and assess the satisfaction rate on service quality;
    • send via e-mail, mail and/or sms and/or telephone contacts commercial and/or promotional communications from third parties (such as, for example, business partners).


With regards to the personal data provided with no specific consent, the partial or incorrect and the lack of the provision of any personal data may result in the impossibility to provide the business services required and in any case prevent CheckSig from perform its contractual and legal obligations towards customers, employees, suppliers, business partners and, in general, all those connected with CheckSig itself.


Data processing is carried out through: data collection, recording, management, retention, consultation, processing, modification, selection, extraction, comparison, application, interconnection, blocking, communication, erasure and destruction. Personal data are processed both in paper and electronic and/or automated form with methods and tools in compliance with the security measures set forth in art. 32 of the GDPR and Annex B of the Privacy Code, by parties specifically appointed by CheckSig in compliance with the provisions of art. 30 of the Privacy Code, or parties in charge of personal data processing under the direct control of CheckSig as provided for by Article 4, paragraph 10, of the GDPR. In order to comply with all obligations regarding anti-money laundering, CheckSig, as Data Controller, makes use of third-party services, duly authorized through specific outsourcing contracts.

Data Controller or Data Processor shall process and retain Personal Data for the shortest time necessary to fulfill the purposes set out and only for the time necessary to complete the retention as provided for by the GDPR. Both the processing and retention, however, are set for no more than 10 years from the term of the processing agreement entered into for service purposes, and for no more than 12 months from data collection for marketing purposes. After these retention periods, personal data will be blocked, destroyed or made anonymous in accordance with legal requirements.


Provided data will be shared with recipients who will treat them as data processors (art. 28 Reg. UE 2016/679) and/or as natural person acting under the controller’s or processor’s authority (art. 29 Reg. UE 2016/679) for former purposes. Namely, data will be shared with:

  • employees or consultants of the Data Controller who are in charge of the processing activity;
  • CheckSig’s partner companies, in Italy and abroad, having provided sufficient guarantees to put in place appropriate technical and organisational measures to ensure that the processing thereof complies with legal requirements;
  • to third parties or other parties which carry out activities on behalf of the Data Controller and act as independent data controllers with their own privacy policies, available to the data subject;
  • to Supervisory Boards (such as FIU, Bank of Italy, OAM, IVASS, etc.), Judicial Authorities, other entities to whom the communication is compulsory by law for the fulfilment of said purposes.

Personal data will be transferred to countries within or outside the UE, notably in Switzerland, only upon specific consent of each data subject, to countries that guarantee an adequate level of protection of the personal data collected and only after entering into agreements containing standard clauses approved by the European Commission, which guarantee that the processing of personal data complies with legal principles and requirements set out in the GDPR.


Under the GDPR, the data subject may freely exercise, at any time, the following rights under the artt. 15-21, to:

  • obtain from the Data Controller the access to the personal data;
  • request their rectification, erasure or processing restriction;
  • object, in whole or in part, on a legitimate grounds to the processing of personal data.

The data subject is also entitled to the rights to be forgotten, the right to restrict processing, the right to data portability, and without prejudice to any other administrative or judicial remedy, in case you consider the processing conflicting with Reg. UE 2016/679, pursuant to article 15 lett. f) the right to lodge a complaint with a supervisory authority (

The interested party may, at any time, apply his/her rights by sending a request drawn up on the basis of the form prepared by the Personal Data Protection Authority, available here, to be sent by registered letter with return receipt addressed to CheckSig S.r.l., at its registered office or by email.