INFORMATION ON THE PROCESSING OF PERSONAL DATA (Ex Art. 12 and 13 of EU Regulation 2016/679 Of the European Parliament and of the Council) Dear Sirs, The Company Gefond S.r.l. with registered office in Via Triboniano, 103 – 20156 Milan P.IVA 11194610157, as the Data Controller, informs you that the EU Regulation 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation”), establishes rules on the protection of individuals with regard to the processing of personal data, as well as rules on the free movement of such data. The Regulation protects the fundamental rights and freedoms of natural persons, in particular the right to protection of personal data. The data controller (natural or legal person who determines the purposes and means of the processing of personal data) shall take appropriate measures to provide the data subject with all information regarding the processing. According to the indicated legislation, such processing will be based on the principles of fairness, lawfulness and transparency and protection of your privacy and rights. Pursuant to Articles 12 and 13 of the EU Regulation 2016/679, in the event that data relating to the data subject is collected from the data subject, the Data Controller shall provide the data subject with the following information at the time the personal data is obtained:

1. Object of Treatment
The Data Controller processes the personal, identifying data concerning a natural person (data subject) such as, for example, first name, last name, identification number, company name, address, telephone, e-mail, bank and payment references etc……. communicated by you in connection with the conclusion of contracts for the services of the Data Controller.

2. Data Controller and Representative of the Data Controller.
The Data Controller is: Gefond S.r.l. c/o Gefond S.r.l. with registered office in Via Triboniano, 103 – 20156 Milano P.IVA 11194610157, Tel +39 02 3340154 / Fax +39 02 33401961, The Representative of the Data Controller (where applicable) is: GEFOND SRL The updated list of Data Processors (where applicable) and Data Processors is kept at the registered office of the Data Controller.

3. Data Protection Officer (where applicable)
The Data Protection Officer is: GEFOND SRL

4. Purpose of data processing
The data you provide will be processed without your express Consent for the following purposes: 2A) performance of a contract 3A) performance of pre-contractual measures 4A) legal obligation to which the data controller is subject 7A) pursuit of the legitimate interest of the data controller or third parties. The processing of data is lawful in that: 2C) the processing is necessary for the performance of a contract to which the data subject is a party or the performance of pre-contractual measures taken at the request of the data subject, 3C) the processing is necessary for compliance with a legal obligation to which the data controller is subject, 4C) the processing is necessary for the safeguarding of the vital interests of the data subject or another natural person; 6C) the processing is necessary for the pursuit of the legitimate interests of the data controller or a third party, provided that the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data do not prevail, in particular if the data subject is a child.) The Data Controller, in accordance with Article 13 paragraph 3, undertakes not to use the personal data acquired for processing purposes other than those for which they were collected, without having provided further information to the data subject regarding this different purpose and any additional relevant information referred to in paragraph 2, or without having requested additional consent (where mandatory).

5. Legitimate interests of the data controller (where applicable only if the conditions for lawful processing in 3 are of type 6C)
Data processing is based on the following legitimate interests: possible right of defense in court.

6. Methods of data processing
The processing of personal data is carried out by means of the operations specified in Art. 4 paragraph 2) namely: the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of making available, comparison or interconnection, restriction, deletion or destruction; Data processing is carried out through the use of appropriate instruments and procedures to ensure their security and confidentiality. Personal data will be processed in the following ways: ■ paper-based manual ■ computerized manual (without automated decision making) ■ other: Videotaping

7. Data dissemination.
Without the need for express consent (ex art. 6 lett. (b) and (c)), the Data Controller may communicate your data for the above purposes to Supervisory Bodies, Judicial Authorities, insurance companies, as well as to those subjects to whom the communication is obligatory by law for the fulfillment of the said purposes. These parties will process the data in their capacity as autonomous data controllers. ■ data may/will be disclosed to the following categories of recipients: external data processors who take part in the business process solely to fulfill specific legal obligations and in compliance with contractual obligations, public and private entities with tax, social security, welfare and insurance purposes

8. Dissemination of data to a third country or international organization
■ Personal data will not be transferred to a Third Country or to an International organization.

9. Nature of data provision and consequences of refusal to respond
The Data Controller is obliged to inform the data subject whether the provision of personal data is a legal or contractual obligation or a necessary requirement for the conclusion of a contract, and whether the data subject has an obligation to provide the personal data as well as the possible consequences of not providing such data; The provision of data is: ■ obligatory (Point 4, letters A) Where the provision of data for the stated purposes is obligatory the reason for the obligation is due to performance of a contract or pre-contractual measures. Where the provision of data for the purposes indicated is mandatory, any refusal to provide such data: ■ could result in failure to execute the contract, ■ could result in partial execution of the contract, ■ failure to continue the relationship, ■ failure to provide services.

10. Data Retention
The Data Controller will process personal data for the time strictly necessary to fulfill the above purposes and in any case for no longer than 10 years after the termination of the relationship for the Service Purposes. ■ Personal data processed will be kept until: 10 years after the contract is terminated.

11. Security Measures.
The Holder, in accordance with Art. 32 of EU Regulation 2016/679, has taken physical, technical, and organizational data protection measures to ensure an adequate level of security against the risk of accidental or unlawful destruction, loss, misuse, or alteration.

12. Rights of the data subject
At any time the data subject may exercise his or her rights against the data controller. Art. 13 letter b) of EU Regulation 2016/679, stipulates that when personal data is obtained, the data controller shall provide the data subject with the existence of the following rights necessary to ensure fair and transparent processing of personal data:

– access to data (Art. 15)
– rectification of data processing (art. 16)
– deletion of data (Art. 17)
– limitation of data processing (Art. 18)
– Opposition to data processing (Art. 21)
– to data portability (Art. 20).
In addition to the rights under Article 13, the EU Regulation provides that the data subject may exercise additional rights:

– withdrawal of consent (Art. 7)
– Propose a complaint to a supervisory authority (Art. 77).
Attached are the articles that specifically deal with individual rights of the Data Subject.

13. Right to withdraw consent (Art. 7)
Article 7 paragraph 3, stipulates that the Data Subject has the right to withdraw his or her consent at any time in the following cases: – where the processing is based on the consent given to the processing of his or her data for one or more specific purposes (Art. 6(1)(a)), – where the processing relates to the special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation) and is based on consent given to the processing of one’s own data for one or more specific purposes (Article 9(2)(a)). Withdrawal of consent does not affect the lawfulness of processing based on the consent given before the withdrawal. Before giving consent, the person concerned shall be informed of this. Consent is revoked as easily as it is granted.

14. Right to file a complaint with a supervisory authority (Art. 77)
Art. 77, stipulates that the data subject, if he or she considers that the processing concerning him or her is in violation of this Regulation, has the right to lodge a complaint with a supervisory authority, namely in the member state where he or she normally resides, works or of the place where the alleged violation occurred. This is without prejudice to any other administrative or judicial recourse. The data controller shall inform the data subject of the possibility of lodging a complaint with a supervisory authority and seeking judicial remedy. The supervisory authority to which the complaint has been submitted shall inform the complainant of the status or outcome of the complaint, including the possibility of judicial review under Article 78. The ‘data subject also has the right to an effective judicial remedy if the supervisory authority that does not deal with a complaint or does not inform the data subject within three months of the status or outcome of the proposed complaint. This is without prejudice to any other administrative or judicial recourse.

15. Ways of exercising the rights of the data subject
The interested party may at any time exercise the rights by sending to the Data Controller and/or the Data Processor (where appointed): – a registered letter A.R to the address: c/o Gefond S.r.l. with registered office in via Montefeltro, 6 – 20156 Milano P.IVA 11194610157, – an e-mail to the address: The Data Controller GEFOND SRL Milan Li 31.07.2019 _________________________________________ Signature (in full and legible)