NOTICE PURSUANT TO ART. 13

OF EU REGULATION NO. 679/2016 OF APRIL 27, 2016

The current legislation on the processing of personal data, as provided for and contained in EU Regulation 2016/679 of April 27, 2016 – General Data Protection Regulation – concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data, contains provisions aimed at ensuring that said processing of personal data is carried out with respect for the rights and fundamental freedoms of natural persons, with particular regard to the protection of personal data.

1. Purpose of Processing

In compliance with the obligations set forth by the current legislation and any subsequent amendments, we wish to inform you that GIMATECH srl, as the Data Controller as specified in point 6 below, may carry out the processing of your personal data in order to fulfill the contractual obligations between you and the aforementioned Controller; specifically for:

Entering personal data into company electronic databases or, in any case, into paper archives; mandatory by law in the fiscal, tax, and accounting field; general accounting; personnel management; work safety; activities; collections and payments; marketing/promotion activities for the Controller’s products; information and/or material relating to its products; orders for products related to our business, their management and logistics, order fulfillment, and subsequent delivery ex your premises.

2. Processing methods and data retention periods

The processing of personal data will be carried out using electronic and paper means, according to principles of fairness, lawfulness, and transparency, so as to protect the confidentiality and rights of the Data Subject at all times, in accordance with current legislation.

Data processing—including collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, deletion, destruction of the same, and combinations of two or more of the aforementioned activities—will be carried out by staff appointed by GIMATECH srl using suitable technical and IT procedures and tools to safeguard the confidentiality and security of the data, and is functional for the fulfillment of the obligations under the existing contract/commercial relationship and necessary for the correct management of the relationship and implementation of the purposes indicated above; the Controller states that failure to provide such data may make it impossible for the Controller to fulfill the requirements for the execution of the said employment relationship.

For data processing for these purposes, your consent is not required, since the processing is necessary for the performance of a contract to which you are a party or for the implementation of pre-contractual measures taken at your request (Art. 6, paragraph 1, letter b) of the Regulation), and, where applicable, to comply with a legal obligation (Art. 6, paragraph 1, letter a) of the Regulation).

The data will be retained in accordance with current legislation, for a period not exceeding that necessary to achieve the purposes for which they are processed. In particular, in relation to the duration of the existing contractual relationship, the data will be retained for the periods defined by the relevant legislation and, upon termination of the relationship, for twelve years solely for civil purposes.

In any case, regarding marketing activities, in the case of expression of the optional consents required, it is noted that the data collected will be kept only for the time strictly necessary for managing the purposes indicated above, following criteria that comply with current regulations and ensure fairness and balance between the legitimate interest of the Controller and the rights and freedoms of the Data Subject. Therefore, in the absence of specific rules establishing different retention periods, GIMATECH srl will endeavor to use the data for these purposes for a reasonable period with respect to the interest expressed by the individual to whom the data refer for the Controller’s initiatives. In any case, GIMATECH srl will take every care to avoid using the data indefinitely, periodically verifying the actual continued interest of the Data Subject.

3. Nature of data provision and potential consequences of refusal

All personal data collected as part of this processing, including via third parties authorized to perform services necessary for the correct management of the relationship and therefore duly authorized by the Controller to guarantee and protect the rights of the Data Subject, will be processed exclusively by staff specifically authorized for this purpose in accordance with current legislation and strictly functional to managing the obligations under the contract between GIMATECH srl and the Data Subject.

The provision of data essential for the fulfillment of contractual obligations is mandatory; indeed, failure to provide such data will make it impossible to enter into the contract itself. The provision of data necessary to apply improved conditions is also mandatory in accordance with current regulatory and contractual provisions. Failure to provide such data will make it impossible to apply those conditions, although it does not prevent the execution of the contract.

4. Authorized persons for data processing—Disclosure and dissemination of data

The personal data collected are processed by authorized personnel who need to access them for the execution of their duties and by external parties who may act, depending on the case, as joint controllers or data processors.

Personal data may be disclosed to banks and/or insurance institutions or, in any case, to third parties appointed to carry out activities related and instrumental to this processing, as well as to authorities, public administrations, and third parties for the fulfillment of legal obligations.

The data will not be disseminated.

5. Rights of the Data Subject

EU Regulation 2016/679 grants the exercise of specific rights to be exercised as described within said Regulation; in particular:

confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the data (right of access – Art. 15 EU Reg. 2016/679); rectification of inaccurate personal data or completion of incomplete personal data (right of rectification – Art. 16 EU Reg. 2016/679); erasure of the data themselves, if any of the reasons provided by the Regulation exists (right to erasure – Art. 17 EU Reg. 2016/679); restriction of processing where one of the cases provided by the Regulation applies (right to restriction – Art. 18 EU Reg. 2016/679); to receive, in a structured, commonly used, and machine-readable format, the personal data provided to the Controller and to transmit such data to another Controller (right to portability – Art. 20 EU Reg. 2016/679);

The Data Subject also has the right to withdraw consent to the processing of their personal data at any time, without affecting the lawfulness of the processing based on consent before its withdrawal, and to object at any time to processing (right to object – Art. 21 EU Reg. 2016/679).

To exercise these rights and to obtain information regarding any transfer of your data to a third country, the Data Subject may make a written request to be sent to:

GIMATECH srl Via Enrico Mattei 11-M 35020 Due Carrare (Province of Padua) – ITALY

PEC: gimatech@pec.it

Without prejudice to any other administrative or judicial appeal, the Data Subject has the right to lodge a complaint with a supervisory authority if they believe that the processing of their data violates EU Regulation 2016/679.

6. Data Controller and Other Persons Appointed for Data Processing

The Data Controller is GIMATECH srl Via Enrico Mattei 11-M 35020 Due Carrare (Province of Padua) – ITALY.

A complete and updated list of all Data Processors and persons in charge of processing may be requested by making a written request to: GIMATECH srl Via Enrico Mattei 11-M 35020 Due Carrare (Province of Padua) – ITALY PEC: [gimatech@pec.it](mailto:gimatech@pec.it).

For any requirement, the Data Subject may send a written communication to the following email address: [info@gimatech.it](mailto:info@gimatech.it).

Specific rights to be exercised as described within the same EU Regulation, namely more specifically:

confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the data (right of access – Art. 15 EU Reg. 2016/679);

-rectification of inaccurate personal data or completion of incomplete personal data (right of rectification – Art. 16 EU Reg. 2016/679);

-erasure of the data themselves, if any of the reasons provided by the Regulation exists (right to erasure – Art. 17 EU Reg. 2016/679);

-restriction of processing where one of the cases provided by the Regulation applies (right to restriction – Art. 18 EU Reg. 2016/679);

-to receive, in a structured, commonly used, and machine-readable format, the personal data provided to the Controller and to transmit such data to another Controller (right to portability – Art. 20 EU Reg. 2016/679).

(easier to debug in console) (faster)