PERSONAL DATA PROTECTION POLICY UNDER GDPR

1. SCOPE, PURPOSE, AND RECIPIENTS

The Company is committed to complying with applicable laws and regulations regarding the protection of personal data in the countries where it operates. This Policy establishes the basic principles with which the Company processes the personal data of consumers, clients, suppliers, business partners, employees, and other individuals. It also outlines the responsibilities of its business departments and employees during the processing of personal data.
This policy applies to the Company and companies it directly or indirectly controls that operate within the European Economic Area (EEA) or process the personal data of data subjects within the EEA.
The recipients of this document include all employees, permanent or temporary, and all collaborators working on behalf of the Company.

2. REFERENCE DOCUMENTS

Regulation (EU) 2016/679 of April 27, 2016 (hereinafter GDPR), Legislative Decree no. 196 of June 30, 2003 (Privacy Code) and subsequent amendments.
- Data Retention Policy
- Guidelines for data listing and mapping of processing activities
- Description of the Data Protection Officer's Role
- Procedure for data subject access request
- Data protection impact assessment methodology
- Data breach notification procedure
- SGI Manual

3. SUBJECT AND PURPOSE

The GDPR establishes rules for the protection of individuals with regard to the processing of personal data and the free movement of such data (Article 1).

4. MATERIAL SCOPE OF APPLICATION

Within the material scope of the Regulation are:
- Personal data processed entirely or partially by automated means.
- Personal data contained in a filing system or intended to be included in one.
Outside the material scope are:
- Personal data used in activities not subject to EU law.
- Personal data used in customs controls and asylum and immigration practices.
- Personal data used in purely personal activities.
- Personal data used for crime prevention, etc.

5. TERRITORIAL SCOPE OF APPLICATION

The Regulation applies to:
- Data controllers and processors in the Union, regardless of where the processing takes place.
- Data controllers and processors not resident in the Union when processing activities involve:
  - Goods or services, whether payment is required or not.
  - Monitoring the behavior of data subjects within the EU.
- Data controllers not established in the Union but in a place where the law of a Member State applies.

6. DEFINITIONS

Compared to the Privacy Code (Legislative Decree no. 196 of 30/06/2003), the definition of sensitive and judicial data has been eliminated. The Regulation now refers to:
Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health or sex life or sexual orientation of the person. Health data: personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, revealing information about their health status.
Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person providing unique information about their physiology or health, resulting particularly from the analysis of a biological sample from the individual; Biometric data: personal data obtained by specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person enabling or confirming the unique identification of that person, such as facial images or fingerprint data.
The following definitions of terms used in this document are taken from the General Data Protection Regulation of the European Union (GDPR): Personal Data: any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
Data Controller: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Data Protection Officer (DPO): the natural person, company, public authority, or private organization designated by the controller to carry out specific and defined tasks related to the management and control of data processing. The appointment of a DPO is mandatory:
- if the processing is carried out by a public authority or body;
- if the core activities of the controller or processor consist of processing that requires regular and systematic monitoring of data subjects on a large scale; or
- if the core activities of the controller or processor consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses.
The mandatory appointment of a DPO may also be provided for in additional cases based on national law or EU law. If a DPO is appointed voluntarily, the same requirements apply - in terms of criteria for appointment, position, and tasks - as for DPOs whose appointment is mandatory (Article 37 GDPR).
Processing: any operation or set of operations performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination, or otherwise making available, comparison or interconnection, restriction, erasure, or destruction.
Data Subject's Consent: any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Anonymization: irreversible de-identification of personal data in such a way that the data subject cannot be identified, by the controller or any other person, using reasonable time, cost, and technology. Data protection principles therefore do not apply to anonymous information, i.e., information that does not relate to an identified or identifiable natural person.
Pseudonymization: the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that such personal data is not attributed to an identified or identifiable natural person. Pseudonymization reduces but does not completely eliminate the possibility of linking personal data to the data subject. As pseudonymized data is still personal data, the processing of pseudonymized data should comply with the principles of personal data processing.
Cross-Border Processing: processing of personal data taking place within the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or the processing of personal data taking place within the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Supervisory Authority: an independent public authority established by a Member State pursuant to Article 51 of the EU GDPR; for Italy, it is the Garante per la protezione dei dati personali (GARANTE), located at Piazza di Monte Citorio n. 121 - 00186 Rome - www.gpdp.it - www.garanteprivacy.it
Email: [email protected]
Fax: (+39) 06.69677.3785
Switchboard: (+39) 06.69677.1

7. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

The principles applicable to data protection outline the responsibilities of organizations in managing personal data. The Data Controller is responsible for adhering to these principles and must be able to demonstrate compliance.

LAWFULNESS, FAIRNESS, AND TRANSPARENCY

Personal data must be processed lawfully, fairly, and transparently with respect to the data subject. Processing is lawful only if and to the extent that at least ONE of the following conditions applies:
- The data subject has given consent for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is a party.
- Processing is necessary to comply with a legal obligation of the data controller.
- Processing is necessary to protect the vital interests of the data subject.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
- Processing is necessary for the legitimate interests pursued by the data controller.

LIMITATION OF PURPOSE

Personal data must be collected for specified, explicit, and legitimate purposes and subsequently processed in a manner that is not incompatible with those purposes.

DATA MINIMIZATION

Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The company must apply anonymization or pseudonymization to personal data, if possible, to reduce the risk to data subjects.

ACCURACY

Personal data must be accurate and, if necessary, kept up to date; all reasonable measures must be taken to promptly erase or rectify inaccurate data with respect to the purposes for which they are processed.

LIMITATION OF STORAGE PERIOD

Data must be kept in a form that allows the identification of data subjects for no longer than is necessary for the purposes for which they are processed.

INTEGRITY AND CONFIDENTIALITY

Taking into account available technologies and other security measures, the Company has implemented technical and organizational measures to ensure an adequate level of security for personal data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

ACCOUNTABILITY

The Data Controller is responsible for complying with the above-described principles, and through the proper application and observation of this policy, can demonstrate it.

8. DATA PROTECTION PRINCIPLES IN BUSINESS ACTIVITIES

The Company has implemented data protection principles into its privacy management system, ensuring regulatory compliance at various operational stages, from collection to processing. The Company's goal is to adopt and constantly improve its organizational and operational processes to collect the least amount of personal data possible. If personal data is collected by third parties, the data processor must ensure that personal data is collected legally.

Manual of the Privacy Organizational Model under Regulation (EU) 2016/679 Rev. 01 of 14/09/2018 INTERNAL USE DOCUMENT Page 13 of 44

USE, STORAGE, AND DISPOSAL

The purposes, methods, recording limit, and storage period of personal data must be consistent with the information in the Privacy Policy. The company must maintain the accuracy, integrity, confidentiality, and relevance of personal data according to the purpose of processing. Adequate security mechanisms must be used to protect personal data to prevent theft, improper use, or abuse and to prevent personal data breaches. The Data Controller is responsible for compliance with the requirements listed in this section.

DISCLOSURE TO THIRD PARTIES

Every time the Company uses a third-party provider or business partner for personal data processing on its behalf, it is necessary to obtain guarantees that the third party provides security measures to safeguard personal data appropriate to the associated risks (e.g., inappropriate use of personal data, unauthorized disclosure, etc.). The Company is committed to contractually requiring the provider or business partner to provide an adequate level of data protection (GDPR-NRET External Data Processing Officer Appointment Form). Providers or business partners must process personal data only to fulfill their contractual obligations to the Company or under instructions from the Company, and not for other purposes. When the Company processes personal data jointly with an independent third party, it must explicitly specify the responsibilities of both itself and the third party in the relevant contract or any other legally binding document.

TRANSBORDER TRANSFER OF PERSONAL DATA

The Company does not perform transfers of personal data abroad; however, if personal data is to be transferred from the European Economic Area (EEA), appropriate protective measures, including the signing of a data transfer agreement as required by the European Union, must be used, and if necessary, authorization from the relevant Data Protection Authority must be obtained.

RIGHT OF ACCESS BY DATA SUBJECTS

The company is responsible for providing data subjects with a reasonable mechanism for access, allowing them to access their personal data and enabling them to update, correct, delete, or transmit their personal data, if necessary or required by law. The access mechanism will be further detailed in the Data Subject Access Request Procedure.

DATA PORTABILITY

Data subjects have the right to receive, upon request, a copy of the data they have provided in a structured format and to transmit this data to another controller, free of charge. The company is responsible for ensuring that such requests are processed within one month, are not excessive, and do not affect the rights regarding personal data of other individuals.

RIGHT TO BE FORGOTTEN

Upon request, data subjects have the right to obtain from the Company the erasure of their personal data if one of the following reasons exists:
- Personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
- The data subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing.
- The data subject objects to the processing, and there are no overriding legitimate grounds for the processing.
- Personal data has been unlawfully processed.
- Personal data must be erased to comply with a legal obligation.

9. GUIDELINES ON PROPER PROCESSING

Personal data must be processed only if explicitly authorized by the Data Controller. The Controller determines whether to carry out a Data Protection Impact Assessment for each data processing activity based on the Data Protection Impact Assessment guidelines.

COMMUNICATION TO DATA SUBJECTS

At the time of collection or before the collection of personal data for any type of processing activity, including but not limited to the sale of products, services, or marketing activities, the Data Controller is responsible for adequately informing data subjects of the following:
- the identity and contact details of the Data Controller;
- if appointed, the identity and contact details of the Data Protection Officer (DPO);
- methods and purposes of data processing;
- legal bases for data processing;
- categories of recipients;
- potential data transfers (if any);
- the retention period;
- the data subject's rights regarding their personal data;
- whether the data will be shared with third parties and the security measures established by the Company to protect personal data;
- consequences of not consenting to the processing.
This information is provided through the Privacy Policy (GDPR-IC Model for Customers; GDPR-IF for Suppliers). The company, in compliance with the principle of Accountability, must obtain confirmation from the data subject that they have read and understood the content of the information through a specific declaration on the copy of the information.

OBTAINING CONSENT

Whenever the processing of personal data is based on the data subject's consent or other legitimate reasons, the Controller is responsible for:
- keeping a record of such consent (by preserving the consent form signed by the data subject);
- providing data subjects with options to give consent;
- informing data subjects and ensuring that the given consent (whenever consent is used as the legal basis for processing) can be revoked at any time.
When the collection of personal data relates to a minor under the age of 16, the Controller must ensure that the consent of the parental responsibility holder is provided before collection, using the specific form.
When requested to correct, modify, or destroy personal data records, the Controller must ensure that such requests are handled within a reasonable timeframe, and must also record the requests and maintain a record of them.
Personal data must be processed only for the purposes for which it was originally collected. If the Company wishes to process personal data collected for another purpose, the Company must obtain consent from data subjects in a clear and concise written form. Any such request should include the original purpose for which the data was collected and the new or additional purposes. The request must also include the reason for the change in purpose.
Now and in the future, the Controller must ensure that the collection methods comply with the law, good practices, and relevant industry standards. The Controller is responsible for creating and maintaining a record of Privacy Notices.

PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

It is prohibited to process personal data revealing: race; ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; health data; a person's sex life; sexual orientation.
Exceptions:
- the data subject has given explicit consent;
- processing is necessary for the establishment, exercise, or defense of specific legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for reasons of substantial public interest, based on Union or Member State law, which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to a contract with a health professional;
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of Union or Member State law that provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
Lawfulness of processing is a prerequisite.

10. REQUIREMENTS FOR THE PROCESSING OF EMPLOYEE PERSONAL DATA

Any processing of employee personal data by departments and individuals within the Company must be for a legitimate purpose and must meet the following requirements.

COMMUNICATION TO EMPLOYEES

For the transparency of employee personal data processing, when a department or an individual within the Company collects personal data of an employee, the employee must be informed of the types of data collected, the purposes and types of processing, the employee's rights, and the security measures taken to protect personal data. This information is provided through a specific Personal Data Processing Information (GDPR-ID Form).

COMMUNICATION TO CANDIDATES

The same transparency ensured for the processing of employee personal data is also guaranteed for the collection of personal data from a candidate during an interview for potential employment. The candidate must be informed of the types of data collected, the purposes and types of processing, their rights, and the security measures adopted to protect personal data. This information is provided through a specific Personal Data Processing Information (GDPR-ICL Model).

CHOICE AND CONSENT OF EMPLOYEES

In principle, the Company can process employee personal data for legitimate purposes as an employer and, to improve the efficiency of internal operations, generally does so without obtaining the employee's consent. Security and human resources management activities such as interviews, hiring, termination of employment, attendance, compensation and benefits, employee services, and health and safety at work may involve the processing of sensitive personal data.

COLLECTION

Company departments and individuals must collect employee personal data for legitimate purposes and must adhere to the Data Minimization principle. If a candidate's job or employee's personal data is collected by a third party (such as temporary employment agencies), the Company must make every effort to ensure that this third party obtains personal data by legitimate means. No company department or individual may collect candidate or employee personal data in a manner that is not compliant with the law or company ethics.

USE, STORAGE, AND DISPOSAL

Company departments and individuals must use, store, and dispose of employee personal data consistently with the communication to the employee. They must also ensure its accuracy, integrity, and relevance. The company has implemented adequate security measures to protect employee personal data from accidental or unlawful destruction, loss, alteration, unauthorized access, or disclosure, in accordance with the information security policy and other documents describing data security. Company departments and individuals must not unlawfully destroy or modify employee personal data. They must not access or sell employee personal data, or provide it to third parties unlawfully or without authorization. In the course of business operations, the Controller will decide whether employee personal data will be processed in the following ways to minimize the risk to data protection: employee personal data may be anonymized for irreversible de-identification purposes; or data may be aggregated into statistical or research results. (The principles of personal data processing do not apply to anonymized data and aggregated data, as they are not personal data.)

DISCLOSURE TO THIRD PARTIES

When company departments and individuals need to disclose employee personal data to a supplier, a business partner, or third parties, they must seek to ensure that the supplier, business partner, or other third parties provide security measures to safeguard employee personal data that are adequate to the associated risks. They should also require the third party to provide the same level of data protection they provide to the Company by contract or other agreement (GDPR-NRET Form). Furthermore, when company departments and individuals disclose employee personal data in response to a request from law enforcement or a judicial authority, they must first inform the Data Protection Officer (DPO) who is authorized by the Company to make a coordinated effort to manage the request.

TRANSFER OF EMPLOYEE PERSONAL DATA ACROSS BORDERS

The company does not make cross-border transfers of data; however, if it becomes necessary to do so, before transferring personal data, company departments and individuals must consult the Data Protection Officer (DPO) or the Controller to determine whether the cross-border transfer is necessary and legitimate.

EMPLOYEE ACCESS

Company departments must provide reasonable means for employees to access the personal data held about them and allow employees to update, correct, delete, or transmit their personal data if necessary or required by law. When responding to an employee's access request, company departments may not provide any personal data until they have verified the employee's identity. The company must ensure that it knows the identity of the person making the request before being able to send the personal data to that person.

RESPONSIBILITY

The Human Resources Department is responsible for managing the protection of employee personal data.

11. COMPANY ORGANIZATION

The GDPR introduces new organizational obligations. The responsibility to ensure adequate processing of personal data lies with anyone working for or with the Company and having access to personal data processed by the Company; to this end, the Company has implemented its own Privacy organizational chart. The main areas of responsibility are identifiable in the following organizational roles:
- The Data Controller, who makes decisions and approves the Company's general data protection strategies. This role is covered by the current legal representative.
- The Data Protection Officer (DPO), who is responsible for managing the personal data protection program and for the development and promotion of personal data protection policies from start to finish, as defined in the Data Protection Officer Role Description.
- The System Administrator, who is responsible for ensuring that all systems, services, and equipment used for data recording meet acceptable security standards, and who conducts regular checks and scans to ensure that security hardware and software are functioning properly.
- The Internal Audit, which is responsible for internal checks on compliance with personal data protection procedures and policies.
- Authorized Individuals, employees formally authorized by the Data Controller to perform processing operations.

12. GENERAL OBLIGATIONS

RECORDS OF PROCESSING ACTIVITIES

The Data Controller must keep a record of processing activities containing the following information:
- contact details of the Data Controller and, where applicable, the joint Data Controller and the Data Protection Officer;
- purposes of the processing;
- categories of data subjects;
- categories of personal data processed;
- categories of recipients to whom personal data has been or will be disclosed;
- where applicable, transfers of personal data to a third country or international organization;
- where possible, the envisaged deadlines for the erasure of the different categories of data;
- where possible, a general description of the technical and organizational security measures.

RESPONSE TO PERSONAL DATA BREACH INCIDENTS

When the Company becomes aware of a suspected or actual personal data breach, the Controller, assisted by the DPO, must conduct an internal investigation and take appropriate corrective measures promptly, based on the Personal Data Breach Response and Communication Procedure.

AUDIT AND ACCOUNTABILITY

The Internal Audit is responsible for verifying how company departments implement this policy. Any employee who violates this Policy will be subject to disciplinary action and may also incur civil or criminal liability if their conduct violates laws or regulations.

CONFLICTS WITH THE LAW

This policy is intended to comply with the laws and regulations of the establishment location and the countries where the Company operates.