Privacy Disclosure

The Rock Trading S.r.l., with registered office at Galleria del Corso, 2, 20122, Milan, Tax Number - VAT Number: IT-10120840961, is the data controller ("TRT", or even "Data Controller") of users who access and visit website and of customers who access the services thereof ("Site").

TRT, as Data Controller, provides the following disclosure ("Privacy Policy"), pursuant to Article 13 of Legislative Decree No. 196/2003 "Personal Data Protection Code" ("Privacy Code") and amendments thereto, as well as art. 13 of EU Regulation 2016/679 (or General Data Protection Regulation, hereinafter also referred to as the GDPR).

This Privacy Policy covers the methods for personal data collection, processing and treatment during website browsing and does not apply to other websites accessed through links; it has been drafted in a clear and intelligible way accessible to the general public, by means of icons as well, as provided for by art. 12, par. 7 of the GDPR, which will be amended at a later date, once those officially approved by the European Commission are available.

Privacy Policy is divided into the following paragraphs:

1. Data processed

As a rule, the Website can be used without having to provide any personal data. Should the Website be accessed for information only (opening no account), we are not going to collect any personal data, except for those transmitted by the user's browser or terminal device and IP address in order to enable access to the Website. In this case, data transmitted to TRT shall be, by way of example: (i) date and place of the request; (ii) the type and version of the browser used; (iii) the OS; (iv) page views and navigation paths of the Website; and (v) information on the timing, frequency and layout of the use of the Website, and in general all the use-related data offered by TRT automatic tracking system, whereby, in any case, anonymous information is collected to report use-related trends.

Personal data are collected within specific sections of the Website via electronic forms, only to access TRT services. In this case, personal data collected between the user and TRT for service use consist of two different categories, depending on whether you want to use the services only for the exchange and trading of virtual currencies, or you also want to access the services of conversion, purchase and sale of virtual currencies in exchange for legal tender currency or vice-versa.

In the first case, TRT, as Data Controller, collects and processes personal data, such as given name, family name, business name, address and e-mail address (hereinafter "Personal Data" or "Data"), communicated by the user when opening an account and registering on the Website. In the latter case, since the account is to be verified for personal identification purposes, Personal Data required will also be those necessary for identification, and may include, without limitation: (i) first name and surname; (ii) date of birth; (iii) place of birth; (iv) place of residence; (v) domicile, if different from residence; (vi) tax number, if issued; (vii) references to identification document and date of issue and expiry, etc.

TRT does not collect data from persons younger than 18 and does not process sensitive data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, or health status.

2. Checking and Identification

Once the user has registered on the website in order to use the services by accepting the Terms and Conditions relating to the Website and the services, TRT is obliged to fulfill its obligations as a service provider relating to the use of virtual currency, as per Legislative Decree 21 November 2007, no. 231, as amended by Legislative Decree 25 May 2017, no. 90, concerning anti-money laundering and the fight against terrorist financing, limited to the conversion of virtual currencies from or into legal tender currencies.

TRT is obliged to verify the User's identity by means of a valid identification document, keep specific information taken from this document, check the authenticity of such document together with all additional information, including documents, which must be requested and which, during the relationship, must be updated. Therefore, the User must provide all the information additional to that required for opening the account, which will be requested through electronic forms also providing for the possibility to upload documents, or through questionnaires that will be submitted and that TRT will request to be filled in off-line.

In order to comply with all obligations regarding anti-money laundering, TRT, as Data Controller, makes use of third-party services, duly authorized to process Personal Data through specific outsourcing contracts with TRT, or specific mandates to process such Personal Data; third parties are required, pursuant to the GDPR, to comply with TRT's Privacy Policy and with instructions on the storage of Personal Data, and neither to disclose nor to use Personal Data other than for the purpose of data processing.

A detailed and updated list of these parties is available to the user; a formal request should be addressed to TRT.

3. Legal basis and purpose for processing

Personal Data of the user are processed:

A) with no specific consent of the data subject (Article 6(b), (c) and (f) GDPR), for the following purposes:
  • use the Website services;
  • comply with pre-contract, contract and tax obligations of TRT or carry out all measures and actions upon request of the data subject, as well as arising from all existing relationships with users, customers, collaborators, business partners, suppliers, and consultants;
  • comply with the obligations set out under the law, any Regulation, EU legislation or any Authority order (as, for example, concerning anti-money laundering);
  • pursue legitimate rights and interests (such as the right of defense before the Court);
B) only upon specific and separate consent (Articles 23 and 130 of the Privacy Code and Article 7 GDPR), for the following marketing purposes:
  • send by e-mail, post and/or sms and/or telephone contacts, newsletters, commercial communications and/or advertising material on products or services offered by the Data Controller and assess the satisfaction rate on service quality;
  • send via e-mail, mail and/or sms and/or telephone contacts commercial and/or promotional communications from third parties (such as, for example, business partners).
In any case, TRT shall, insofar as possible, ask the data subject's consent even when the legal basis for Personal Data processing is based on the purposes referred to in paragraph 3.A).

4. Data provision

Personal Data must be provided for the purposes referred to in paragraph 3.A).

If the data are not provided by the data subject, TRT cannot guarantee the provision of business services, nor can it perform its contractual obligations towards customers, employees, suppliers, business partners and, in general, all those connected with TRT. In such cases, the Company further states that even the partial or incorrect provision of Personal Data may result in the impossibility to provide services and in any case prevents TRT from fulfilling the pre-contract, contract and tax requirements it is required to fulfill.

If consent to personal data processing is required to the data subject and the latter discontinues the consent to the provision of Personal Data already made, it shall remain mandatory and basic condition for the performance of all the purposes specified under paragraph 3.A) above. Should the data subject fail to provide his/her Personal Data, given that TRT is unable to fulfill its obligations, TRT shall not be deemed liable, resulting in the termination of any previous relationship or otherwise being unable to continue the same.

Data provision for the purposes referred to in paragraph 3.B) is optional.

The data subject may therefore decide not to provide any Personal Data or to subsequently refuse the possibility of processing any data already provided. In this case, the data subject shall not receive newsletters, commercial communications and advertising material relating to the services offered by the Data Controller, whilst remaining entitled to use company and contractual services referred to in paragraph 3.A), without prejudice to the foregoing.

5. Data processing and retention

Personal Data processing is carried out by means of procedures indicated in art. 4 Privacy Code and art. 4 no 2) GDPR. Specifically, data processing is carried out through: data collection, recording, management, retention, consultation, processing, modification, selection, extraction, comparison, application, interconnection, blocking, communication, erasure and destruction.

Personal Data are processed both in paper and electronic and/or automated form with methods and tools in compliance with the security measures set forth in art. 32 of the GDPR and Annex B of the Privacy Code, by parties specifically appointed by TRT in compliance with the provisions of art. 30 of the Privacy Code, or parties in charge of personal data processing under the direct control of TRT as provided for by Article 4, paragraph 10, of the GDPR. As anticipated, the treatment may be entrusted, by means of specific agreements, also to third parties, appointed as data processors and acting on written order of TRT itself, as Data Controller.

Data Controller or Data Processor shall process and retain Personal Data for the shortest time necessary to fulfill the purposes set out in paragraph 3, and only for the time necessary to complete the retention as provided for by the GDPR. Both the processing and retention, however, are set for no more than 10 years from the term of the processing agreement entered into for service purposes, and for no more than 12 months from data collection for marketing purposes. After these retention periods, Personal Data will be blocked, destroyed or made anonymous in accordance with legal requirements.

6. Data-access and international data-migration

Personal Data may be made accessible for the purposes referred to in paragraphs 3.A) and 3.B):
  • to employees or consultants of the Data Controller who are in charge of the processing under the direct authority and instructions of TRT;
  • to TRT's partner companies, in Italy and abroad, in their capacity as data controllers and/or system administrators pursuant to art. 28 of the GDPR acting as Personal Data Processors on behalf of the Data Controller and having provided sufficient guarantees to put in place appropriate technical and organisational measures to ensure that the processing thereof complies with legal requirements;
  • to third parties or other parties, such as, without limitation, financial institutions, payment institutions or other financial intermediaries, firms, consultants, insurance carriers, which carry out activities on behalf of the Data Controller and act as independent data controllers with their own privacy policies, available to the data subject.
Without specific consent (art. 24 letters a), b), and d) Privacy Code and art. 6 letters b) and c) GDPR), the Data Controller may disclose Personal Data of the data subject for the purposes set forth in paragraph 3.A) to Supervisory Boards (such as FIU, Bank of Italy, OAM, IVASS, etc.), Judicial Authorities, insurance companies for the provision of insurance services, as well as to those to whom the communication is compulsory by law for the fulfillment of said purposes. Said parties will process the data in their capacity as autonomous data controllers and the Personal Data of the data subject will not be disclosed.

Personal Data will be retained on servers located within the European Union. Should it become necessary, Data Controller will be entitled to move servers also to non-EU countries.

In such a case, Data Controller hereby ensures that the transfer of data to non-EU countries will take place only upon specific consent of each data subject, to countries that guarantee an adequate level of protection of Personal Data and only after entering into agreements containing standard clauses approved by the European Commission, which guarantee that the processing of Personal Data complies with legal principles and requirements set out in the GDPR.

7. Cookies

Cookies are used on the Website. By using cookies, TRT can provide Website users with more user-friendly services that would not be possible without cookie setting. By means of a cookie, the information on the Website may be optimized as cookies enable the identification of Website users. The purpose of this identification is to make it easier for users to access the Website. The user, for example, is not obliged to enter the access data every time they visit the Website, since these data are already acquired by the Website through the cookies saved in the user's IT system.

The data subject may at any time prevent the setting of cookies when accessing the Website by setting the corresponding Internet browser used, and can therefore permanently deny the setting of cookies. In addition, cookies that have already been set can be deleted at any time via an Internet browser or other software. This is possible with every common Internet browser. If the data subject disables cookie settings in the Internet browser used, not all functions of the Website may be fully available.

More information on cookies is contained in the Cookie Policy, available from the Website in a special section; the user is therefore recommended to read it.

8. Rights of data subjects and how to apply

The data subject is entitled to the rights set forth in Article 7 of the Privacy Code and Art. 15 GDPR, and precisely the following:
  • i) obtain confirmation as to whether or not personal data concerning him/her exist, regardless of their being already recorded;
  • ii) obtain the indication: a) of the origin of Personal Data; b) of the purposes and methods of processing; c) of the logic applied in the case of processing with the aid of electronic tools; and d) of the identification details of the Data Controller, Data Processors and other persons in charge;
  • iii) obtain: a) the updating, correction or integration of data; b) the erasure, anonymization or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected; c) certification that the operations as per letters a) and b) have been notified, also with regard to their contents, to those to whom the data were communicated or disseminated, unless this requirement proves impossible or involves a clearly disproportionate effort;
  • iv) object, in whole or in part: a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection; b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials by means of traditional marketing systems, or automated call without operator, by e-mail, telephone and/or mail.
The data subject is also entitled to the rights under Articles 16-21 GDPR, namely the right to be forgotten, the right to restrict processing, the right to data portability, and the right to submit a complaint to the Data Protection Authority.

Lastly, if consent is required to the processing of personal data by the data subject, the latter may revoke the provision of the Personal Data already carried out.

The interested party may, at any time, apply his/her rights by sending a request drawn up on the basis of the form prepared by the Personal Data Protection Authority, available at the following link:, to be sent by: 1) registered letter with return receipt addressed to The Rock Trading S.r.l., at its registered office in Galleria del Corso, 2, 20122, Milan; or 2) by e-mail to:

9. Data controller, data processor and persons in charge

Data controller is The Rock Trading S.r.l., with registered office in Galleria del Corso, 2, 20122, Milan, in the person of its pro-tempore legal representative.

In order to comply with the GDPR, TRT has been drafting a privacy organisational model, identifying roles and responsibilities in the processing of Personal Data, and identifying in particular, as internal privacy contact persons, the Persons in charge of the Organisational Units or Offices who, limited to the processing of data under their responsibility, are responsible for implementing the data protection model in compliance with legal requirements. Data Controller shall appoint in writing as Data Processors, pursuant to art. 30 of the Privacy Code, employees of the company functions responsible for pursuing the above purposes and providing suitable instructions.

Personal Data may be processed by third parties the Company relies on for purposes of identification procedures, verification of the authenticity of identity documents, database access, or to perform payment services made available to customers. These persons will be independent Data Controllers or will be appointed as Data Processors.

The updated list of data processors and persons in charge of processing is kept at the registered office of the Data Controller.

10. Amendments to the Privacy Policy

This Disclosure may change; we recommend reviewing updates, which will be notified from time to time.
Last Update: 26-Apr-2018 12:00am