INFORMATION ON THE PROCESSING OF PERSONAL DATA (Ex Art. 12 and 13 of EU Regulation 2016/679 Of the European Parliament and of the Council) Dear Sirs, The Company Gefond S.r.l. with registered office in Via Triboniano, 103 - 20156 Milan P.IVA 11194610157, as the Data Controller, informs you that the EU Regulation 2016/679 of the European Parliament and of the Council ("General Data Protection Regulation"), establishes rules on the protection of individuals with regard to the processing of personal data, as well as rules on the free movement of such data. The Regulation protects the fundamental rights and freedoms of natural persons, in particular the right to protection of personal data. The data controller (natural or legal person who determines the purposes and means of the processing of personal data) shall take appropriate measures to provide the data subject with all information regarding the processing. According to the indicated legislation, such processing will be based on the principles of fairness, lawfulness and transparency and protection of your privacy and rights. Pursuant to Articles 12 and 13 of the EU Regulation 2016/679, in the event that data relating to the data subject is collected from the data subject, the Data Controller shall provide the data subject with the following information at the time the personal data is obtained:

1. Object of Processing
The Data Controller processes personal, identifying data concerning a natural person (data subject) such as, for example, first name, last name, identification number, company name, address, telephone, e-mail, bank and payment references etc....... communicated by you in connection with the conclusion of contracts for the services of the Data Controller.

2. Data Controller and Representative of the Data Controller
The Data Controller is: Gefond S.r.l.. c/o Gefond S.r.l. with registered office in Via Triboniano, 103 - 20156 Milano P.IVA 11194610157, Tel +39 02 3340154 / Fax +39 02 33401961, gefond@gefond.it The Representative of the Data Controller (where applicable) is: GEFOND SRL The updated list of Data Processors (where applicable) and Data Processors is kept at the registered office of the Data Controller.

3. Data Protection Officer (where applicable)
The Data Protection Officer is: GEFOND SRL

4. Purposes of data processing
The data you provide will be processed without your express Consent for the following purposes: 2A) performance of a contract 3A) performance of pre-contractual measures 4A) legal obligation to which the data controller is subject 7A) pursuit of the legitimate interest of the data controller or third parties. The processing of data is lawful in that: 2C) the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject, 3C) the processing is necessary to comply with a legal obligation to which the data controller is subject, 4C) the processing is necessary for the protection of the vital interests of the data subject or another natural person; 6C) the processing is necessary for the pursuit of the legitimate interests of the data controller or a third party, provided that the interests or the fundamental rights and freedoms of the data subject requiring the protection of personal data do not prevail, particularly if the data subject is a child.) The Data Controller, in accordance with Article 13 paragraph 3, undertakes not to use the personal data acquired for processing purposes other than those for which they were collected, without having provided further information to the data subject regarding this different purpose and any additional relevant information referred to in paragraph 2, or without having requested additional consent (where mandatory).

5. Legitimate interests of the data controller (where applicable only if the conditions of lawfulness of processing in 3 are of type 6C)
Data processing is based on the following legitimate interests: possible right of defense in court.

6. Modalities of data processing
The processing of personal data is carried out by means of the operations indicated in Article 4 paragraph 2) and namely: collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of making available, comparison or interconnection, limitation, deletion or destruction; The data processing is carried out by using instruments and procedures suitable to guarantee their security and confidentiality. Personal data will be processed in the following ways: ■ paper-based manual ■ computerized manual (without automated decision making) ■ other: Video recording

7. Dissemination of data
Without the need for express consent (ex art. 6 lett. b) and c)), the Data Controller may communicate your data for the above purposes to Supervisory Bodies, Judicial Authorities, insurance companies, as well as to those subjects to whom the communication is compulsory by law for the fulfillment of the said purposes. These subjects will process the data in their capacity as autonomous data controllers. ■ data may be/will be communicated to the following categories of recipients: external managers who take part in the business process solely to fulfill specific legal obligations and in compliance with contractual obligations, public and private entities with tax, social security, welfare and insurance purposes

8. Dissemination of Data to a Third Country or International Organization
■ Personal data will not be transferred to a Third Country or to an International Organization.

9. Nature of provision of data and consequences of refusal to answer
The Data Controller is obliged to inform the data subject whether the provision of personal data is a legal or contractual obligation or a necessary requirement for the conclusion of a contract, and whether the data subject has an obligation to provide the personal data as well as the possible consequences of failure to provide such data; The provision of data is: ■ obligatory (Point 4, letters A) In case the provision of data for the purposes indicated is obligatory the reason for the obligation is due to execution of a contract or pre-contractual measures. In the case where the provision of data for the purposes indicated is mandatory any refusal to provide such data: ■ could result in non-performance of the contract, ■ could result in partial performance of the contract, ■ failure to continue the relationship, ■ failure to provide services.

10. Retention of Data
The Owner will process personal data for the time strictly necessary to fulfill the above purposes and in any case for no longer than 10 years after the termination of the relationship for the Service Purposes. ■ The personal data processed will be retained until: 10 years after the termination of the contract.

11. Security Measures
The Data Controller, in accordance with Article 32 of EU Regulation 2016/679, has taken physical, technical and organizational data protection measures to ensure an adequate level of security against the risk of accidental or unlawful destruction, loss, misuse or alteration.

12. Rights of the data subject
At any time, the data subject may exercise his or her rights vis-à-vis the data controller. Article 13 letter b) of the EU Regulation 2016/679, stipulates that when personal data are obtained, the data controller shall provide the data subject with the existence of the following rights necessary to ensure fair and transparent processing of personal data:

- access to data (Art. 15)
- rectification of data processing (Art. 16)
- deletion of data (Art. 17)
- limitation of data processing (Art. 18)
- objection to data processing (Art. 21)
- to data portability (Art. 20).
In addition to the rights under Article 13, the EU Regulation provides that the data subject may exercise additional rights:

- revocation of consent (Art. 7)
- filing a complaint with a supervisory authority (Art. 77).
Attached are the articles that deal specifically with individual rights of the Data Subject.

13. Right to revoke consent (Art. 7)
Article 7 paragraph 3, stipulates that the Data Subject has the right to revoke his/her consent at any time in the following cases: - where the processing is based on the consent given to the processing of his or her data for one or more specific purposes (Art. 6(1)(a)), - where the processing relates to special categories of personal data (personal data revealing racial or ethnic origin, political opinions religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation) and is based on consent given to the processing of one's own data for one or more specific purposes (Article 9(2)(a)). Withdrawal of consent does not affect the lawfulness of the processing based on the consent given before the withdrawal. Prior to giving consent, the data subject shall be informed of this. Consent shall be withdrawn as easily as it is given.

14. Right to lodge a complaint with a supervisory authority (Art. 77)
Article 77, stipulates that the data subject, if he or she considers that the processing concerning him or her is in breach of this Regulation, has the right to lodge a complaint with a supervisory authority, namely in the Member State in which he or she normally resides, works, or of the place where the alleged breach occurred. This is without prejudice to any other administrative or judicial remedy. The data controller shall inform the data subject of the possibility of lodging a complaint with a supervisory authority and of seeking judicial remedy. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status or outcome of the complaint, including the possibility of judicial remedy under Article 78. The 'data subject shall also have the right to an effective judicial remedy if the supervisory authority that does not deal with a complaint or does not inform the data subject within three months of the status or outcome of the proposed complaint. This is without prejudice to any other administrative or judicial remedy.

15. Procedures for exercising the rights of the data subject
The data subject may at any time exercise his/her rights by sending to the Data Controller and/or the Data Processor (where appointed): - a registered letter A.R to the address: c/o Gefond S.r.l. with registered office in via Montefeltro, 6 - 20156 Milano P.IVA 11194610157, - an e-mail to the address: gefondsrl@sicurezzapostale.it The Data Controller GEFOND SRL Milan Li 31.07.2019 _________________________________________ Signature (in full and legible)