PRIVACY POLICY FOR THE PROCESSING OF PERSONAL DATA

(Regulation (EU) 2016/679 "GDPR")

Specto S.r.l., VAT n. 10937690963 (hereinafter, the “Data Controller“), with registered office in Milan, Via Giulio e Corrado Venini no. 18, in its capacity as data controller, informs you pursuant to Art. 13 Legislative Decree no. 196 of 30.6.2003 (hereinafter, “Privacy Code“) and Art. 13 EU Regulation no. 2016/679 (hereinafter, “GDPR“) that your data will be processed in the following ways and for the following purposes:

1. Object of processing

The Data Controller processes personal datas, identifying data (e.g. first name, last name, company name, address, telephone number, e-mail, bank and payment references) hereinafter referred to as “personal data” or also “data” communicated by you in connection with the conclusion of contracts for the Data Controller’s services.

2. Purpose of processing

Your personal data are processed:

a) Without your express consent, as the processing is required by law, for the following service purposes:

– Purposes connected to obligations established by laws, regulations, community legislation and imposed by Authorities legitimated by the law and by Supervisory and Control Bodies (for example anti-money laundering legislation, etc.).

b) Only with your specific and separate consent, and in case of refusal the Data Controller shall not follow up the request, and the activities requested for the execution of the contract shall not be carried out, for the following purposes:

– Contractual, connected and instrumental purposes at the conclusion of the contract with the Data Controller its execution, the management of payments and any default by the customer (debt collection and litigation).

3. Processing methods

The processing of your personal data is carried out by means of the operations indicated in art. 4 Privacy Code and art. 4 n. 2) GDPR and precisely: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Your personal data are subject to both paper and electronic and/or automated processing.

The data is kept for all that is necessary to manage the contract and comply with legal obligations, and in any case for no longer than 5 years from the termination of the relationship for the service purposes. The data shall be periodically updated with information acquired during the course of the relationship.

4. Access to data

Your data may be made accessible for the purposes set out in Article 2:

a) professionals also in the form of associates, consultants or counterparties who may intervene in the execution of the assignment;

b) companies, entities, external consortia, banks and lending banks, intermediaries, insurance companies, for the execution of the provisions received or for the provision of services requested;

c) subjects that carry out activities of control, revision and certification of the activities carried out by the Data Controller, possibly also in the interest of the client;

d) subjects that provide services for the management of the information system.

5. Data Communication

Without the need for your express consent (pursuant to Article 24 letters a), b) and d) of the Privacy Code and Article 6 letters b) and c) of the GDPR), the Data Controller may disclose your data for the purposes set out in Article 2.a to supervisory bodies (such as IVASS), judicial authorities, insurance companies for the provision of insurance services, and to those parties to whom disclosure is required by law for the performance of the aforementioned purposes. These subjects will process the data in their capacity as autonomous data controllers. Your data will not be disseminated.

6. Data transfer

Personal data are stored on servers located in Italy, within the European Union. It is in any case understood that the Data Controller, should it become necessary, will have the right to move the servers outside the EU. In this case, the Data Controller assures as of now that the transfer of data outside the EU will take place in compliance with the applicable legal provisions, subject to the stipulation of the standard contractual clauses provided for by the European Commission.

7. Rights of the data subject

In your capacity as data subject, you have the rights set forth in Art. 7 Privacy Code and Art. 15 GDPR and specifically the rights to:

I. obtain confirmation of the existence or otherwise of personal data concerning you, even if not yet registered, and its communication in intelligible form;

II. to obtain information on: a) the origin of the personal data; b) the purposes and methods of processing; c) the logic applied in the event of processing carried out with the aid of electronic instruments; d) the identity of the Data Controller, Data Processors and the representative designated pursuant to Art. 5, paragraph 2 of the Privacy Code and Art. 3, paragraph 1 of the GDPR; e) the entities or categories of entity to whom or which the personal data may be communicated or who or which may become aware of them in their capacity as designated representative(s) in the territory of the State, data processor(s) or person(s) in charge of processing;

III. obtain: a) the updating, rectification or, where interested therein, integration of the data; b) the cancellation, transformation into anonymous form or blocking of data processed in breach of the law, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;

IV. to object, in whole or in part: a) on legitimate grounds, to the processing of personal data concerning you, even though they are relevant to the purpose of the collection; b) oppose the processing in the case of treatment for direct marketing purposes; c) to oppose an automated decision-making process concerning natural persons, including profiling; d) withdraw the consent at any time without prejudice to the lawfulness of the treatment based on the consent given prior to the revocation.

Where applicable, he/she also has the rights set forth in Articles 16-21 GDPR (Right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object), as well as the right to complain to the Data Protection Authority.

8. Procedures for exercising rights

You may exercise your rights at any time by sending an e-mail to: info@spectophotonics.com

9. Data Controller

The Data Controller is Specto S.r.l. CF and P.IVA 10937690963, with registered office in Milan, Via Giulio e Corrado Venini no. 18, email: info@spectophotonics.com; pec: specto@pec.it. The updated list of data processors and persons in charge of the processing is kept at the registered office of the Data Controller.

10. Data Protection Officer (DPO)

Pursuant to the GDPR, Specto S.r.l. has not provided for a Data Protection Officer (DPO), however a resource has been appointed and trained and can be contacted at the following e-mail address: info@spectophotonics.com.