INFORMATION ON THE PROCESSING OF PERSONAL DATA FOR

POTENTIAL CUSTOMERS, CUSTOMERS AND SUPPLIERS Pursuant to Art. 13 of the EU Regulation 2016/679

PREMISE

Dear Client, Potential Client, Supplier,
Pursuant to the legislation on the protection of personal data (EU Regulation 2016/679), we inform you that the personal data you provide, in the
context of an existing relationship with us, will be treated in compliance with the aforementioned Regulation and with the confidentiality obligations
inspiring our business. The processing of your personal data (and/or of third parties communicated by you) will be based on principles of correctness,
lawfulness, transparency, minimization, purpose limitation and storage. To protect your privacy and your rights, we shall be using security measures
to guarantee integrity and confidentiality, and to avoid undue access of your personal data to third parties or unauthorised personnel.

INDICATION OF THE SUBJECT ENTITLED TO PROCESS YOUR PERSONAL DATA

Panaro S.r.L. (Ltd.), in the person of its pro-tempore legal representative, is the subject entitled to use your personal data – Tel. n° 0039-059/793340,
E-mail: [email protected].

THE PERSON RESPONSIBLE FOR THE DATA PROTECTION

Doctor Cesare Grandi is the person responsible for the Data Protection. For this assignment, he is domiciled at Eco Sistemi S.r.L. (Eco Systems Ltd.)
at the following address: Via Caselline, n° 609 – 41058 – Vignola (Modena) – Italy. He can be contacted at this E-mail address: [email protected]. The person responsible for the Data Protection needs to be contacted by those who want to get information on their own personal data
processing and/or about the relevant Supervisory Authority.

PERSONAL DATA SUBJECT TO PROCESSING

The person entitled to process your personal data informs you that the data subject to processing are the following:
• The personal data pursuant to Art. 4, paragraph 1 of the EU Regulation 2016/679, i.e. any information relating to an identified or identifiable
natural person.
• Particular categories of data as per Art. 9 of the EU Regulation 2016/679. These categories include the personal information revealing
someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, a Trade Union’s membership, as well as the
processing of genetic data, biometric data meant to identify in a unique way a natural person, data relating to a person’s health, sexual
life, or sexual orientation.

PURPOSE OF THE TREATMENT OF PERSONAL DATA AND LEGAL BASIS.

Your personal data will be processed for purposes related to the management of the ordinary administrative, technical and commercial relationships
such as budgeting, filing of personal data lists, customers’ and suppliers’ book-keeping, invoicing and payment management, shipping
administration, both paper and electronic communications (direct and indirect marketing) and the possible acquisition of images (video surveillance).
Furthermore, we may communicate your personal data to third parties for technical and operational needs strictly connected to the purposes set
out above and, in particular, to the following categories of subjects:
a) To bodies, professionals, companies or other entities entrusted by us with the processing of data linked to the fulfilment of administrative,
accounting, insurance, technical and managerial obligations relevant to the ordinary performance of our economic activity, including credit
recovery;
b) To professionals, companies or other entities entrusted by us with the processing of data connected with direct and indirect marketing as
far as the ordinary performance of economic-commercial activity is concerned;
c) To Public Authorities and Administrations for purposes related to the accomplishment of legal obligations;
d) To banks, Financial Institutions, or other subjects to whom the transfer of the aforementioned data proves necessary for the performance
of our company’s business in relation to the fulfilment, on our side, of the contractual obligations we have undertaken with you;
e) To suppliers of installation, assistance and maintenance services for plants, IT and telematics systems, and to suppliers of all other
services functionally linked to the subject of the Contract and required for its fulfilment, as well as to suppliers of those services which
are instrumental to the arrangement of our administrative and commercial activities;
f) To suppliers of those services (installation, assistance and maintenance of plants) that are functional and needed for the fulfilment of the
contractual provisions, with reference to the Legislative Decree 81/08 too.
Failure to provide personal data, and to give consent to some personal information processing, will make it impossible for us to execute the Contract
and to fulfil its obligations, and we will not be able to manage the mutual commercial relations correctly.
Based on the consent freely and clearly expressed by you, we inform you that we could send you commercial and/or promotional communications
relating to the products and services we offer.

The processing of the personal data collected for the purposes described above – including any possible sensitive data such as “particular categories
of data” and those relating to the country of origin – requires the consent freely and clearly expressed by you at the bottom of this information notice.

ADDITIONAL PURPOSES FOR PERSONAL DATA PROCESSING

Depending on your explicit and manifest consent, to be reported by filling in the information sheet at the end, your personal data may also be
processed for each of the following purposes:
• Sending via E-mail, post, telephone messages, telephone calls and newsletters of commercial and/or promotional communications, the
forwarding of advertising material about products supplied by our company, as well as communications to assess the satisfaction degree
and their quality (the so-called direct-marketing);
• Carrying out activities of an informative, commercial, advertising and promotional nature also by forwarding communications through IT
or paper means (the so-called indirect marketing). Your personal data may also be processed and sent to third parties, i.e. business
partners.
• The possible acquisition of images (personal data) for the security and protection of assets and people and for private security too (videosurveillance);
• For the creation of your commercial profile and/or the analysis of your preferences, habits or consumption choices.
NATURE OF THE PROVISION OF PERSONAL DATA
The provision of personal data and their subsequent processing by our company (by the person in charge of them), for the previously mentioned
purposes, are two essential steps for the establishment, continuation and correct management of the relationship between the person entitled to
get them and the person providing them. In compliance with the Law, the EU Regulation and Legislation, the provision of personal data is understood
as mandatory. Failure to provide the requested personal data will cause a partial or total impossibility to perfect and manage the existing or future
relationship.

PERSONAL DATA PROCESSING METHODS

Personal data will be processed, by the people in charge of them, with manual, IT and telematics tools within the scope and according to the purposes
specified above. They will always be treated with security and confidentiality by keeping to the provisions set out by the Guarantor for their protection.
Specifically, the personal data processing will take place by using suitable methods and tools that can guarantee their security (Art. 24, 25 and 32
of the EU Regulation 679/2016). Moreover, the processing of personal data will be carried out both through automated procedures and nonautomated means (paper archives) to which all technical and organisational measures will be applied to ensure a level of security appropriate to the
risk.
The processing of your personal data will take place and be carried out:
• Through the company’s Intranet, by means of which we shall carry out operations involving your personal data including those of a
sensitive nature too;
• By authorised subjects entitled to this task. These people are identified in advance, suitably instructed, and consequently appointed to
deal with your personal data. We may also ask for the intervention of external consultants or third-party companies assigned as data
processors;
• By using security measures designed to guarantee the integrity and confidentiality of the party to whom the personal data refer. These
measures will also avoid the undue access to the personal data concerned by unauthorised third parties or personnel.
We shall process your personal data exclusively for the management of the contract on the legal bases that can be found in the current legislation
and that follow the principle of data minimisation (e.g. prohibition of processing personal data if it is not strictly related to the work activity, etc…etc..).
Your personal data may also be processed to execute a contract or take the pre-contractual measures upon your request, and/or to fulfil the legal
obligations our company must undergo, or in case of legitimate interests of ours (fraud prevention, protection of the company’s assets, safety of
our networks and information).

TRANSFER OF PERSONAL DATA ABROAD

We may transfer your personal data abroad, even to non-EU countries. This will enable us to perform a commercial relationship correctly, i.e. to carry
out our ordinary economic activity. Besides, we may share your personal data with subsidiaries or companies that are part of our Corporate Group, or
because they are processed using tools or software from third-party companies that use cloud technologies.
We will transfer them provided such foreign countries ensure adequate levels of regulatory protection. The transfer of your personal data to non-EU
countries that do not ensure adequate levels of protection will only take place prior to the conclusion of specific contracts between the Person
entitled to deal with your data and the above-mentioned third parties. Such contracts must contain safeguard clauses and appropriate guarantees
aimed at protecting the personal data (e.g. standard contract clauses approved by the European Union Commission). Alternatively, we must be in
the presence of some other requirements in conformity with the applicable Italian and European legislation.

PERSONAL DATA COMMUNICATION SCOPE

The person entitled to deal with your personal data may communicate them to all those subjects or entities who have the right to their access as
provided by the Law or secondary legislation.
This may apply to:
• INPS (The National Institute for Social Security) or INAIL (The National Institute for Insurance against Accidents at Work);
• Banking and Financial Institutions, Insurance Companies and/or Brokers;
• CAF (Tax Assistance Centre)
• Supervisory Bodies
• Trade Unions and/or Employees’ Patronages
• Joint Bodies in labour matters
• Corporate Retirement Foundations
• Financial Administrations
• Competent Local Health Units
• Ministry of Defence - CMO (Chief Marketing Officer)
• Ministry of Infrastructures and Transport
• Ministry of Economy and Finance
• Ministry of Labour and Social Policies
• ISTAT (The National Institute of Statistics)
• Courts and Judicial Offices, General and District State Attorneys, Court of Auditors,
• Bodies in charge of Health Supervision or, for investigative purposes, the Judicial Police;
• People, Companies or Professional Firms providing assistance and consultancy in accounting, administrative, legal, tax and financial
matters, and for health and safety at work too;
• Suppliers (people, companies, professional firms, etc…etc…) who provide services functionally linked to, and needed for, the regular
performance of work activities;
• Public Entities;
• Business or Entrepreneurs’ Associations;
• Customers and Suppliers (Companies, Employers, People, etc…etc…);
• The Chamber of Commerce, Industry, Crafts, and Agriculture.

SYSTEM ADMINISTRATORS AND THE SPREADING OF IMAGES

Our company has also identified some professional people that, as system administrators, are in charge of the management and maintenance of
the data processing systems with which such data are processed. The identification details of the system administrators, with the joint list of the
functions assigned to them, are shown in an internal document available for consultation at our Company’s Management Office.
Your personal data will not be spread out, whereas your image might be (paper publications, social network, company’s website, etc…etc…)
exclusively upon your free and manifest consent.

DURATION OF PERSONAL DATA STORAGE

We shall process your personal data just for the time strictly needed to achieve the purposes and aims previously mentioned. The criteria used to
determine the retention period are established by:
• Specific rules and regulations governing the work relationship;
• The Italian law in terms of their prescription and protection of the legitimate interests of the person/company entitled to them (Art. 2946
of the Civil Code, Art. 2947, paragraphs 1 and 3 of the Civil Code), including the prescription terms for the personal data of a contributory
and social security nature;
• The civil and fiscal legislation as far as the processing of administrative-accounting personal data is concerned.

RIGHTS OF THE PARTY PROVIDING PERSONAL DATA

Pursuant to Article 13, paragraph 2, and Articles from 15 to 21 of the EU Regulation 2016/679, we inform you that concerning the processing of your
personal data you may exercise the following rights:
a) The right to obtain access to the personal data and the following information:
o The confirmation that your own personal data are being processed or that they are not;
o The purposes of the processing;
o The personal data categories;
o The recipients, or categories of recipients, to whom the personal data have been or will be disclosed;
o If the personal data have not been collected from you directly, the right to have access to every information about their origin;
o The existence of an automated decision-making process including proliferation;
o A copy of the personal data that are being processed.

b) The right to rectify and integrate the personal data provided;
c) The right to have your personal data erased (“Right to be forgotten”) if one of the following reasons exists:

1. There is no more need for the personal data collected in relation to the purposes for which they had been collected or
   otherwise processed;

2. You withdraw your consent to process your personal data provided there is no other legal basis for their treatment;

3. You oppose to the processing of your personal data and there is no overriding legitimate reason to proceed with their
   treatment;

4. The personal data have been processed unlawfully;

5. The personal data must be erased to fulfil a legal obligation under the EU Law, or the Law of the Member State the
   Person/Company entitled to them is subjected.
   If the Person/Company entitled to process the personal data has made them public and must forcibly erase them, they are to inform the other people
   processing the same data of the request to delete any link, copy or reproduction of them.
   d) The right to limit the processing in the event that:

6. There is a dispute about the accuracy of your personal data. Their use is limited to the period of time needed by the Person
   entitled to their treatment to verify their correctness;

7. The personal data processing is unlawful, but you may oppose to their cancellation by requesting, instead, their use
   limitation;

8. Although the Person/company entitled to the processing of the personal data does not need them anymore for the set
   purposes, you may still need their processing to ascertain, exercise or defend a right in Court.

9. The party involved has opposed to the processing of his/her personal data, pending the verification of the possible
   prevailing relevance of the legitimate reasons of the Person/company entitled to the treatment, compared to the reasons
   for opposing to the treatment set forth by him/her.
   e) The right to lodge a complaint with the Guarantor for the protection of the personal data by following the procedures and the indications
   published on the official website of the Authority www.garanteprivacy.it .

f) The right to data portability, or the right to receive, in a commonly used structured format that is readable by an automatic device, the
personal data of your concern that have been supplied to someone entitled to their processing. Possibly, also the right to forward them to
another Person/company entitled to their treatment when their processing is based on consent, or on a contract, and is carried out through
automated means. There where it is technically possible, the party providing his/her personal data has the right to obtain the direct
transmission of them from one person/company to another.
g) The right to oppose at any time to the personal data processing, including profiling, and in particular in the following instances:

1. Prior to an explanation of the reasons why, when the processing of your personal data is based on the legitimate interest
   of the Person/company entitled to them;
2. When the personal data are processed for direct marketing purposes.

h) The right not to be subjected to a decision solely based on automated processing, including profiling, except when such decision is needed
for the conclusion or execution of a contract between the interested party and a Person/company entitled to the treatment. In addition,
when such decision is authorised by the EU Law or by the Member State Law to which the Person/company entitled to the personal data
processing must abide. On the other hand, also when that decision has your explicit consent.

HOW TO EXERCISE YOUR RIGHTS

You may exercise your rights at any time by sending an E-mail to the following address: [email protected] (The word “Privacy” must be
specified in the subject).