DATA CONTROLLER:

– Company name: MELOGRANO CONSULTING & Services srl

– Address: LARGA, 31 – 20122 Milan (MI)

– telephone number: 02/45371310

– e-mail address: privacy@melogranocs.it

– Common name of the Holder MELOGRANO

TYPE OF DATA, PURPOSE OF TREATMENT

The collection and processing will be carried out on the following types of data

– identification data: name, surname, fiscal code, etc.

– contact data: telephone number, e-mail, address, etc.

– bank data: IBAN, credit card number, etc.

– In incidental/occasional form for the purposes of assistance requested by customers and for pre-contractual stages: special categories of data (formerly sensitive data): data revealing racial or ethnic origin, political opinions, religious or philosophical conventions, trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data concerning health or sex life or sexual orientation

For the following purposes:

a. Establishment and execution of the contractual relationship (role of intermediary invoicing and other electronic documents, customer support of document services, etc.)

b. Fulfilling obligations under applicable regulations and legislation

c. If necessary, to ascertain, exercise or defend the rights of the Owner in judicial or extrajudicial proceedings

d. Marketing: e.g. sms and e-mail, telephone calls with operator and traditional mail for promotional and commercial proposals related to services/products offered by the Company or reporting of company events, as well as market research and statistical analysis (when required, these treatments will be performed only on subjects who have given specific consent)

LEGAL BASIS OF THE TREATMENT

The applicable legal bases of processing identified by the GDPR are:

– Performance of a contract to which you are a party (or pre-contractual)

– Need to comply with legal obligations

– Legitimate interest of the Controller [communication to customers and resellers of additional and complementary services to those usually purchased]

– Consent is optional and revocable at any time without prejudice to you, even with regard to processing based on consent given before revocation

DATA RETENTION PERIOD OR THE CRITERIA FOLLOWED TO ESTABLISH SUCH PERIOD

The period of data retention can be determined in the following periods:

– 10 years after termination of the contract (administrative data and documents sent for digital storage) – a maximum of 4 months data related to documents processed through the invoicing portal FatturePA. Only the header data of documents can be kept for a maximum of 24 months.

– In case of litigation for the duration of the litigation and the terms of appeal

– For marketing purposes: 24 months from their registration

Once the above mentioned retention periods have expired, the data will be destroyed, deleted or made anonymous, compatibly with the state of the art technology.

OBLIGATION TO PROVIDE DATA

The conferment of data for the purposes referred to in letters a), b) and c) above are mandatory. In case of failure to provide data, it will not be possible to proceed with the contractual relationship.

THIRD PARTY RECIPIENTS OF DATA

The data may be transmitted to parties other than the Data Controller.

The data may also be transmitted to parties who process the data on behalf of the Company as Data Processors on the basis of a legally binding agreement to protect the data.

Categories of subjects, e.g.:

a. IT providers (e.g., data back-up services, e-mail, WEB/cloud computing, hosting, network monitoring, e-mailing, website maintenance, etc.)

b. consultants (e.g. payroll, competent doctor, safety in the workplace, professionals, etc.)

c. authorities and supervisory and control bodies, public or private individuals who have the right to request the data.

The list of Data Processors is constantly updated and available at the Data Controller’s head office.

SUBJECTS AUTHORIZED TO THE TREATMENT

The data may be processed by workers in relation to their duties, expressly authorized and adequately trained to treatment.

DATA TRANSFER TO THIRD COUNTRIES (EXTRA EU/EEA)

The data may be transferred abroad to countries outside the EU on the basis of the following legal bases depending on the country:

– transfer to Third Countries whose level of data protection has been deemed adequate by the European Commission ex art. 45 of the GDPR

– Existence of adequate Standard Clauses (SC) when the previous basis is not applicable (e.g. USA after the ‘Schrems 2’ ruling).

A copy of the data can be obtained by sending an email to privacy@melogranocs.it

RIGHTS OF THE DATA SUBJECT – COMPLAINT TO THE SUPERVISORY AUTHORITY

Data subjects have the following rights:

a. access, to:

◦ know whether any data processing is taking place, for what purposes, on what data, recipients or categories of recipients to whom the personal data have been or will be communicated, when possible, the expected period of storage of personal data or, if this is not possible, the criteria used to determine this period, what are the rights of the data subject, information on their origin, whether there is an automated decision-making process, including profiling (at least in such cases with significant information on the logic used, importance and consequences of this process), what are the appropriate safeguards if the data is transferred to a Third Country

Obtaining a copy of the personal data being processed without infringing on the rights and freedoms of others.

b. rectification of inaccurate data and integration taking into account the purposes of processing,

c. cancellation in the following cases: a) personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the person concerned withdraws consent if there is no other legal basis for the processing; c) the person concerned objects to the processing in the absence of rights or obligations to the contrary prevailing; d) personal data have been processed unlawfully; e) there is a legal obligation to do so on the part of the Data Controller e) personal data have been collected in relation to the provision of services on the Internet

d. limitation of processing due to a dispute over the accuracy of the data, for processing that is unlawful because it is excessive, for the establishment, exercise or defense of a legal claim (even if the data controller no longer needs the data), in the event of opposition (pending verification of the existence of such a right in practice)

e. objection (in case of processing necessary for the performance of a task of public interest or for legitimate interests of the Controller, including profiling) for reasons related to the particular s-tuction of the data subject, unless other rights of public interest or legal obligations prevail

f. opposition to the receipt of commercial communications by automated means (e-mail, etc..) for treatment with the purpose of direct marketing, including profiling

g. portability of data in common electronic format and interoperable, even directly to another operator if technically possible, in case of treatment with automated tools

h. In the cases referred to in letters b), c) and d), the data controller shall inform each of the recipients to whom the personal data have been transmitted of any rectification or erasure or restriction of processing carried out unless this proves impossible or involves a disproportionate effort

In order to exercise his/her rights, the data subject may contact: privacy@melogranocs.it

Data subjects have the right to lodge a complaint with the competent supervisory authority in the Member State in which they usually reside or work or in the State in which the alleged infringement occurred.

Melograno Consulting & Services S.r.l.

Registered and Operational Office: 20122 Milan – Via Larga n. 31 – Tel + 39 02 45371310 (ra) Fax +39 02 91293119

Milan Companies Registry – Fiscal Code and VAT number IT 07379750156 – REA Milan 1173701 – Share Capital € 10.000,00 iv

privacy: privacy@melogranocs.it website: www.melogranocs.it pec: melogranocs@sicurezzapostale.it