PERSONAL DATA PRIVACY STATEMENT

DBInformation S.p.A, with registered offices in Centro Direzionale Milanofiori, Strada 4, Palazzo A, Scala 2 – 20057 Assago (MI), Tax code 09293820156 and VAT number 09293820156 (hereinafter “DATA CONTROLLER”), in the capacity of the Data Controller, hereby wishes to inform you that in accordance with the terms of art. 13 of EU General Data Protection Regulation 2016/679 (hereinafter “GDPR”) that your data will be processed in the following ways and for the following purposes:

1. Data processing object
The Data Controller will process the personal identification data (such as, name, surname, company name, address, phone number, e-mail, bank reference and payment details) hereinafter “PERSONAL DATA ” or also “DATA”, provided by you, on the finalization of the service contracts of the Data Controller in general.

2. Data processing purpose

Your personal data is processed:
A) without your explicit consent in accordance with the terms of art. 6, for the following purposes:
• Finalization of Data Controller’s service contracts;
• The fulfillment of pre-contract, contract and tax obligations relating to the business relationship in force with you;
• Fulfillment of the obligations envisaged by a law, a regulation a community norm or an Authority order, (for example, relating to anti money laundering measures);
• The application of the Data Controller’s rights, as for example for legal defence;
B) Only with your explicit and specific consent (art. 7), for the following marketing purposes:
• Sending you newsletters, commercial bulletins, and/or promotional material on the products and service offered by the Data Controller by e-mail, post and/or text, and/or by phone contact, as well as for the purpose of service quality satisfaction surveys;
• Sending you commercial and/or promotional notices from third parties (as for example, business partners and other companies in the Group) via e-mail, post and/or texts, and/or phone contact;
C) Only with your prior and specific consent (art. 7), providing third parties (including, but not limited to, sponsors or partners of the Controller) the actual data. These third parties will be able to use this same data in their capacity as independent data controllers for the purposes of providing commercial or marketing information.

We wish to point out that if you are already our clients, it could be that we will send you commercial information relative to products and services of the Data Controller similar to those that you have already used, unless we receive your specific dissent.

3.Data processing methods
The processing of your data is undertaken by means of the operations indicated in art. 4 paragraph; and more specifically through the collection, recording, organization, conservation, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of the same data. Your personal data will be subjected to processing both in paper, electronic and/or automated format.
The Data Controller will process the data for the period necessary to fulfill the purposes as indicated above; and in any event for a period of not over 10 years from the date of termination of the relationship for the purposes of the service, and for not over 5 years from date of data collection for marketing purposes.

4. Data access
Your data may be made available for the purposes indicated in art. 2.A) and 2.B) of the present statement.
• To the employees and collaborators of the Data Controller or of any associated companies in Italy or abroad, in their capacity as the internal data processors and/or system administrators;
• To third parties or other organizations (by way of example, credit institutes, professional and legal offices, administrative service and payroll companies, consultants, those delegated for the organization of events, marketing and commercial service operations, telemarketing companies, etc.) that are involved in outsourcing operations on behalf of the Data Controller, in their capacity as external data processors. In accordance with the provisions of the Italian Data Protection Authority (Garante per la protezione dei dati personali), dated 30th November 2005, DB Information SpA has tasked Legalassociati Milano, Via Privata G. De Grassi 3 – 20123 Milano and InnolvaSpA, via Dei Valtorta 48 – 20127 Milan with debt collection operations on its behalf, and for this purpose has appointed the same as the Data Processor for the data related to this specific operations.

5. Data communication
The Data Controller may communicate your Personal Data without requiring any explicit consent (art. 6), for the purposes as indicated in art. 2.A of the present statement; to surveillance organizations, judicial authorities, insurance companies for the provision of insurance services, as well as to those parties to which the communication of such data is compulsory for the fulfillment of such purposes.
These parties will process this data in their capacity as independent Data Controllers.
Your data will not be disclosed.

6. Data transfer
The personal data is stored in servers located within the European Union. It however remains understood that should it be necessary, the Data Controller will have the right to move the servers outside the EU. In which case the Data Controller, provides immediate assurance, that the transfer of data outside the EU will take place in accordance with the provisions of the applicable laws, with the prior stipulation of the standard contract clauses envisaged by the European Commission.

7. Nature of data transfer and the consequences of refusal to respond
The transfer of data for the purposes as indicated in art. 2.A of the present statement is compulsory. Otherwise we shall be unable to guarantee the services as indicated in art. 2.A.
On the contrary the transfer of data for the purposes as indicated in art. 2.B and 2.C of the present statement is optional. Therefore you can decide not to transfer any data or to refuse the processing of data already provided, in such a case you will be unable to receive newsletters, advertising or promotional material relating to the Services offered by the Data Controller or by third parties.
You will however continue to have the right to the services indicated in art. 2.A.

8. Data Subject rights
As the Data Subject, you have the rights as indicated in art.15 and more specifically the right to:
i. Obtain a confirmation of the existence or not, of personal data concerning you, even if it is not registered, or available in an incomprehensible form;
ii. Obtain details of a) the origin of the personal data; b) the purposes, and means of, processing; c) the applied logic in the case of processing undertaken with the aid of electronic instruments; d) the identification details of the Data Controller, of the Data processors and of the designated representative in accordance with the terms of art. 3, paragraph 1; and) the parties or the categories of parties to which this personal data can be communicated or that may come to know of the same, in their capacity as designated representative within the country, or in their capacity as responsible parties or representatives.;
iii. Obtain: a) an update, an amendment or should it be necessary, an integration of the data; b) the cancellation, the transformation in anonymous form or the blocking of data in violation of the law, including that for which conservation is not necessary in relation to the purposes for which the data has been collected and subsequently processed; c) the declaration that the operations as indicated in the article letters a) and b) have been disclosed, in relation to their content also, to those to which they have been communicated or disclosed, with the exception of those cases in which such a fulfillment is impossible or involves the use of means that are clearly out of proportion to the actual protected right;
iv. oppose, either totally or partially: a) the processing of the personal data concerning them for legitimate reasons, even if pertinent to the purpose of the data collection exercise; b) the processing of the personal data that concerns them for the purposes of the dispatch of promotional or direct sales material or for the purposes of undertaking market research or advertising, through the use of automated systems without human intervention, through e-mail and/or through traditional marketing means, by phone and /or paper post. It must be pointed out that the right of opposition by the Data Subject, as indicated in the previous point b), for the purposes of direct marketing through automated means, also extends to traditional methods and that the Data Subject retains the right to only partial opposition. Therefore the Data Subject may decide to receive communication solely through traditional means, or only by means of automated communication or alternatively neither of the two types of communication.
Where applicable the Data Subject has also has the following rights:
i. Right to amendment (art. 16)
ii. Right to cancellation (“Right to be forgotten”) (art. 17)
iii. Right to data processing restriction (art. 18)
iv. Obligation of notification in the event of the amendment or cancellation of personal data or processing restriction (art. 19)
v. Right of data portability (art. 20)
vi. Right of opposition (art. 21)
As well as the right to complaint to the Italian Data Protection Authority.

9. Rights enforcement
Rights can be enforced at any time by sending:
• A registered letter with return receipt to DBInformation S.p.A, Centro Direzionale Milanofiori, Strada 4, Palazzo A, Scala 2 – 20057 Assago (MI)
• By sending an e-mail to infoprivacy@dbinformation.it
• By accessing the Italian Data Protection Authority site http://www.garanteprivacy.it

10. Data Controller, Data Processor and Person tasked with processing

The Data Controller is DBInformation S.p.A, with registered offices in Centro Direzionale Milanofiori, Strada 4, Palazzo A, Scala 2 – 20057 Assago (MI), Tax code 09293820156 and VAT number 09293820156
The updated list of the Data Processors and Persons tasked with processing is kept at the registered offices of the Data Controller.