Privacy notice — Prospect

PRIVACY NOTICE PURSUANT TO ART. 13 OF EU REGULATION 2016/679

for the pre-contractual, advertising and promotional activities carried out by the Companies controlled by, affiliated with or otherwise associated with Syneto (hereinafter also: “Syneto Group”), also as Joint Controllers of the processing pursuant to art. 26 of the GDPR, towards potential partners, distributors, resellers, customers and their contact persons (hereinafter also “prospects”)

For us, data protection is a very serious matter; we therefore wish to inform you about how your data is processed and about the rights you may exercise under the current data protection legislation, in particular EU Regulation 2016/679 (hereinafter also: “GDPR”).

This notice concerns the pre-contractual, advertising and promotional activities towards potential partners, distributors, resellers, customers and their contact persons (hereinafter also “prospects”), whose data is collected by the Companies of the Syneto Group indicated below, also separately and depending on the circumstances, at trade fairs, conferences, events, commercial meetings or in the context of the pre-contractual and commercial relationships established.

Such Companies act, in relation to the specific purposes set out in section 3, as Joint Controllers or, where expressly indicated, as independent Data Controllers.

For the processing activities not detailed in this notice and relating to the categories of data subjects mentioned above, please refer to the privacy notices issued by each Company in the context of the relationships maintained with those subjects.

1. Joint Controllers* and Data Protection Officers (DPO)

* The essential content of the joint controllership agreement is available to data subjects upon explicit request.

2. Categories of data subject to processing

The categories of “personal data” (pursuant to Art. 4.1 of the GDPR) processed by the Companies, as Data Controllers or Joint Controllers, may be, by way of example only but certainly not exhaustively:

• Personal and identifying data (such as, for example, first and last name, date of birth, place of birth, nationality, tax code, VAT number, etc.);
• Contact data (such as, for example, address, e-mail address, IP address, telephone number, etc.);
• For legal representatives, contact persons and employees of Companies or Entities, data relating to the role held within the Company or Entity.

3. Lawfulness and purposes of the processing

The processing of personal data is carried out in compliance with the provisions of the General Data Protection Regulation (GDPR) and any other applicable data protection legislation. Details are provided below:

3.1 Purposes aimed at the performance of a contract or pre-contractual measures (pursuant to art. 6, paragraph 1 (b) of the GDPR) pursued individually by each Company of the Syneto Group indicated in section 1 above, as an independent Data Controller

• a) Carrying out of pre-contractual activities, also with reference to the first contact with the prospect (including through the exchange or, in any case, receipt of business cards) and to the possible preparation and sending of quotes and/or catalogues for the products and services of the Data Controller.

The retention period of personal data, in relation to the purposes set out in this section, is:

For purpose: a, personal data is retained for the time strictly necessary to carry out the pre-contractual activities and to manage contacts with the prospect, including requests for information and the preparation and sending of offers or informational material.

3.2 Purposes covered by the data subject's consent (pursuant to art. 6, paragraph 1 (a) of the GDPR) pursued jointly by the Companies of the Syneto Group indicated in section 1 above, as Joint Controllers

• a) Performance by the Joint Controllers, operating in the IT sector, of advertising or promotional activities, in the broadest sense of the term (for example, sending newsletters and informational material, brochure requests, organisation of events, etc.) and of further marketing activities, through automated contact methods (for example: calls without an operator, e-mails, SMS and various messaging systems, including instant and internet-based ones, also to mobile phones) and non-automated methods (sending of paper mail and calls with an operator);
• b) Performance by the Joint Controllers, operating in the IT sector, of market research and surveys (by way of example, carrying out market studies and statistical analyses regarding the degree of satisfaction, through automated contact methods (for example: calls without an operator, e-mails, SMS and various messaging systems, including instant and internet-based ones, also to mobile phones) and non-automated methods (sending of paper mail and calls with an operator).

The retention period of personal data, in relation to the purpose set out in this section, is:

For purposes: a, b, 24 months from the granting of consent, unless revoked.

4. Recipients or categories of recipients of personal data (pursuant to art. 13 paragraph 1 (e) of the GDPR) *

Each Company, as Data Controller or Joint Controller, may communicate your data to:

• Internal offices and functions of each Company indicated in section 1 above;
• Companies and professional operators that provide IT services, including electronic data processing, software and cloud management, website management and IT consultancy;
• Qualified professionals for the purpose of studying and resolving any legal and contractual issues, including lawyers and tax advisors;
• Transport companies, mailing companies and hosting providers, postal couriers and companies that carry out enveloping and shipping activities of the material and communications indicated above;
• Marketing and communication companies and agencies, as well as IT, mailing and hosting service providers and software platforms used for the management of promotional campaigns and communications (including CRM systems), exclusively within the marketing purpose set out in section 3.2, letters a) and b), subject to the express consent of the data subject;
• Public Administrations, competent Authorities, public Bodies and Agencies in the context of the performance of their institutional duties.

* The complete and updated list of Recipients (pursuant to art. 4.9 of the GDPR) is available from each Company, as Data Controller or Joint Controller of the personal data processing, at the contact details indicated above.

5. Recipients or categories of recipients of personal data (pursuant to art. 13 paragraph 1 (f) of the GDPR) * and transfer of data to non-EU Countries

The Companies, as Data Controllers or Joint Controllers, inform you that they have no intention of transferring your data to countries outside the EU and the EEA for the purposes indicated above.

* The updated list of adequate non-EEA countries deemed adequate by the European Commission may be obtained on the website: Adequacy decisions (europa.eu)

6. Rights of the Data Subject (pursuant to art. 13 paragraph 2 (b) of the GDPR)

The data subject may exercise the following rights:

• right of access of the data subject [art. 15 of the EU Regulation] (the possibility to be informed about the processing carried out on their Personal Data and, where applicable, to receive a copy of it);
• right to rectification of one's Personal Data [art. 16 of the EU Regulation] (the data subject is entitled to the rectification of inaccurate personal data concerning them);
• right to erasure of one's Personal Data without undue delay (“right to be forgotten”) [art. 17 of the EU Regulation] (the data subject has, and will have, the right to the erasure of their data);
• right to restriction of processing of one's Personal Data in the cases provided for by art. 18 of the EU Regulation, including in the case of unlawful processing or of the data subject contesting the accuracy of the Personal Data [art. 18 of the EU Regulation];
• right to data portability [art. 20 of the EU Regulation], the data subject may request their Personal Data in a structured format in order to transmit them to another controller, in the cases provided for by the same article;
• right to object to the processing of one's Personal Data [art. 21 of the EU Regulation] (the data subject has, and will have, the right to object to the processing of their personal data);
• right not to be subject to automated decision-making, [art. 22 of the EU Regulation] (the data subject has, and will have, the right not to be subject to a decision based solely on automated processing).

Further information regarding the rights of the data subject may be obtained by requesting from the Companies, as Data Controllers or Joint Controllers, a full extract of the articles mentioned above.

With regard to the purposes for which consent is required, the Data Subject may withdraw their consent at any time and the effects shall take effect from the moment of withdrawal, without prejudice to the terms provided for by law. As a general rule, the withdrawal of consent has effect only for the future.

The above-mentioned rights may be exercised in accordance with the provisions of the Regulation by sending, among other things, an e-mail to the address: [email protected].

In compliance with art. 19 of the EU Regulation, the Companies, as Data Controllers or Joint Controllers, shall inform the recipients to whom the personal data has been communicated of any rectifications, erasures or restrictions of processing requested, where this is possible.

To allow a faster response to your requests made in the exercise of the rights indicated above, the same may be addressed to each Company, as Data Controller or Joint Controller, by sending them to the contact details indicated in point 1.

7. Right to lodge a complaint (pursuant to art. 13 paragraph 2 (d) of the GDPR)

The data subject, if they consider that their rights have been compromised, has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali), in accordance with the procedures indicated by the same Authority at the following Internet address http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524 or by sending a written communication to the Italian Data Protection Authority.

8. Possible consequences of the failure to provide data and nature of the provision of data (pursuant to art. 13 paragraph 2 (e) of the GDPR)

8.1 In case of compliance with legal or contractual obligations

Please be informed that, where the purposes of the processing have as their legal basis a legal or contractual obligation (or even a pre-contractual one), the data subject must necessarily provide the requested data.

Otherwise, each Data Controller will be unable to proceed with the pursuit of the specific purposes of the processing.

8.2 In the case of the data subject's consent

For the purposes for which consent is required, the Data Subject may withdraw their consent at any time and the effects shall take effect from the moment of withdrawal, without prejudice to the terms provided for by law. As a general rule, the withdrawal of consent has effect only for the future. Therefore, the processing carried out before the withdrawal of consent shall not be affected and shall retain its lawfulness.

The failure to provide consent or the partial provision of consent (or its withdrawal) may not guarantee the full provision of the services or activities, with reference to the individual purposes for which consent is denied, and shall not constitute prejudice or impediment to the other purposes (and to the activities connected with them) not involved or expressly affected by the denial of consent or not based on such legal basis.

When the data is no longer necessary, taking into account the retention periods indicated above, it is regularly deleted. Should deletion prove impossible or only possible through a disproportionate effort due to a particular method of retention, the data may not be processed and must be archived in non-accessible areas.

9. Absence/Existence of a fully automated decision-making process pursuant to art. 22 of the GDPR

The use of purely automated decision-making processes as detailed in article 22 of the GDPR is currently excluded. Should it be decided in the future to introduce such processes for individual cases, the data subject will receive separate notice thereof where this is required by law, or through an update of this notice.

10. Methods of processing

Personal data will be processed in paper, computerised and telematic form and entered into the relevant databases, which may be accessed, and therefore known, by the staff expressly designated by each Company, as Data Controller or Joint Controller, as Processors and Authorised Persons for the processing of personal data, who may carry out consultation, use, processing, comparison and any other appropriate operation, including automated ones, in compliance with the legal provisions necessary to guarantee, among other things, the confidentiality and security of the data as well as the accuracy, updating and relevance of the data in relation to the declared purposes.

This notice and subsequent updates are published on the websites of the Companies of the Syneto Group indicated in section 1 above (https://syneto.eu/ and https://orizon.one/).