DATA PROCESSING NOTICE
EU Regulation 2016/679 – Legislative Decree 196/03 and subsequent amendments

Balocco S.p.A., as the Data Controller of personal data, hereinafter also referred to as the “Controller” or “Balocco”, is committed to protecting and respecting your privacy in accordance with Legislative Decree 196/03, as amended by Legislative Decree 101/18, and with the European Regulation 2016/679. This Notice describes your privacy rights regarding the information that will be processed and the measures we adopt to protect it.

Involved Parties

Table 1 below contains the details of the Data Controller and the channels through which it can be contacted:

tab.1

For some activities, Balocco S.p.A. will act as joint controller together with Piazza Castello S.r.l. and Bottega Balocco S.r.l.; the following table contains their contact details:

tab.2

Balocco has appointed a Data Protection Officer (DPO), Mr. Cesare Vidotto, who can be contacted through the following channels:

tab.3

1. Which personal data are collected and processed?

The personal data collected and processed for the purposes indicated in point 3 include, by way of example but not limited to:

2. Purposes of data collection and processing

The collected data will be used for the following purposes:

• Accounting;

• Management of disputes;

• Supplier management;

• Credit management;

• Workplace safety management;

• Interaction with the company website.

3. Legal bases of the processing

Balocco S.p.A. processes the data in its possession on the basis of the following legal grounds:

• Legitimate interest of the Controller;

• Fulfillment of a legal obligation;

• Agreement between the parties;

• Explicit consent of the data subject

4. Mandatory nature of data provision

Providing personal data to the Data Controller is voluntary, but necessary in order to fulfill the purposes indicated in point 3.

5. Automated processing of personal data

The data collected for the purposes referred to in point 3 are not used to make decisions based on automated decision-making processes.

6. Retention period of personal data

The data, both analog and digital, will be processed until the end of the current contract.

From that moment onwards, only the data that the law requires to be retained for the prescribed period — regarding employment relationships and tax obligations — will be stored and processed, as shown in the table below:

At the end of this period, digital data will be deleted using “wiping” or “shredding” techniques, or otherwise anonymized and retained solely for statistical purposes; analog data will be disposed of after processing aimed at making them unintelligible. In any case, the data subject may request the return of any documents provided to the Data Controller.

7. Communication of personal data to External Processors

The data collected by the Controller may be transferred to trusted parties previously appointed as Data Processors.

These parties include: accountants, IT consultants, and other consulting companies.

The Controller may carry out audits on its External Processors to assess their adequacy.

8. Transfer of personal data to non-EU countries

The processed data will not be transferred to countries outside the European Union. Should future software or procedures require such transfers, the Controller will ensure that the transfer is made only to countries able to guarantee an adequate level of security, demonstrated through adequacy decisions, standard contractual clauses, or BCR (Binding Corporate Rules).

9. Rights of the data subjects

• Right to access and obtain a copy of personal data: the data subject has the right to know whether the Controller holds data concerning them, as well as their origin, purposes, categories of collected data, recipients to whom the data are sent (both within and outside the EU), the existence of automated decision-making or profiling processes, and the data retention period.

• Right to rectify and delete your personal data: the data subject may request that the Controller modify, update, integrate, or delete the data in its possession;

• Right to restriction of processing: the data subject may request that the Controller restrict access to the data in its possession, meaning they can no longer be used for the various processing activities.

• Right to withdraw consent: the data subject may withdraw their consent to processing at any time, without affecting the lawfulness of the processing carried out before the withdrawal.

• Right to data portability: the data subject may exercise this right when the processing is necessary for the performance of a contract and when they have provided consent for the data processing. The data subject may request that the data be sent in a clear, readable format that does not require proprietary software, or, if technically feasible, that the data be automatically transmitted to the new Controller.

• Right to object: the data subject may raise objections by contacting the Data Controller or the competent Supervisory Authority

10. Protection levels adopted by the Controller

The Controller protects the data in its possession, regardless of the format in which they are stored.

***********************

11. Right to object

The data subject may object to processing when their interests prevail over the legitimate interest of the Controller.