INTRODUCTION In order to offer you the personalized and non-personalized services provided by its website, ACCAPIERRE S.R.L., as Data Controller, must process certain identification data necessary for the provision of the same. Pursuant to art. 13 GDPR 679/2016 – “European Regulation on the Protection of Personal Data” and in relation to personal data that concern you and that will be processed, ACCAPIERRE S.R.L. guarantees, within the framework of the regulatory provisions, that the processing of personal data is carried out in respect for fundamental rights and freedoms and the dignity of the person concerned with particular reference to confidentiality, personal identity, right and protection of personal data. This document describes how to manage the site www.accapierre.it in relation to the processing of personal data of those who interact with the services provided: the information is provided pursuant to the European Regulation on the protection of personal data” 679/2016 (hereinafter GDPR) only for the site in question and not for other sites that may be accessed via links, for which ACCAPIERRE S.R.L. is not in any way responsible. This information is therefore drawn up and personalized for visitors to the site www.accapierre.it and this document cancels and fully replaces any other document that was previously published on the subject of web privacy and cookies.

TYPES OF PROCESSED DATA Personal data may be collected automatically during navigation and use of the site and the services it provides or may be entered voluntarily by the user. Among the personal data collected by the Owner independently or through third parties, there could be, by way of example and not limited to: cookies, usage data, passwords, name, surname and email. Navigation data and other data The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified interested parties, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or the domain names of the computers used by users who connect to the site, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, …) and other parameters relating to the operating system and the user’s computer environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct operation and are deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the site at the request of the competent authorities. Any use of cookies – or other tracking tools – by this site or the owners of third party services used by it, unless otherwise specified, is intended to identify the user and record their preferences for purposes strictly related to the provision of the service requested by the user. Failure by the user to provide certain personal data may prevent the site from providing its services.

LEGAL BASIS OF PROCESSING Personal data are processed, as better explained in the next paragraph, exclusively for purposes related to the activity of ACCAPIERRE S.R.L. and the obligations connected with it; the legal bases are found in consent (e.g. for the processing of “special categories of personal data” or for marketing/profilation) and/or in the performance of a contract or a service managed by us or in the execution of pre-contractual measures taken by us. The legal bases can be found in consent (e.g. for the processing of “special categories of personal data” or for marketing/profilation) and/or in the performance of a contract or a service of our management to which the user is a party or in the execution of pre-contractual measures taken at the request of the user and/or in fulfilling legal obligations to which the undersigned Data Controller is subject and/or in the legitimate interest of the same.

PURPOSE OF PROCESSING User data are collected and processed for the following purposes: 1) performance of operations strictly connected and instrumental to the management of relations with users or visitors to the site, such as: – navigation; 2) collection, storage and processing of user data for – statistical analysis also in anonymous and/or aggregate form; THE FACULTY TO PROVIDE DATA, THE CONSEQUENCES OF REFUSAL AND THE MANAGEMENT OF CONSENT, WHERE APPLICABLE. The provision of data is optional, except for those indicated as mandatory to allow the user to access the services offered. The processing of the data for the fulfilment of the purpose, as per point 1 of the previous paragraph, is compulsory and any failure to communicate, or incorrect communication, of any of the information may limit and/or prevent the full use of the functions and services on the site. With regard to the optional provision of information, more information is provided on the cookies present on the site in the “Cookies Policy” document, which can be accessed both from this complete information notice and from the short information notice contained in the banner published on the site. At any time it will be possible to re-read the policy and, if necessary, modify the consent previously given, check and/or modify the status of the active services and, if necessary, request additional services.

METHOD OF TREATMENT Personal data may be processed with or without the aid of electronic or automated means, including by associating and integrating them with other databases, and also by means of cookies. In any case, the processing will be carried out in compliance with all precautionary measures that guarantee its security and confidentiality, for the time necessary to carry out the service requested by the user, or required by the purposes described in this document, and the user may always request the interruption of the processing or the cancellation of the data. ACCAPIERRE S.R.L. has also put in place all the computer security measures, in compliance with the methods indicated in the GDPR with the adoption of the security measures deemed appropriate to minimize the risk of violation of user privacy by third parties, updated constantly and whenever it proves essential. The data are processed at the operational headquarters of the Data Controller and in any other place where the parties involved in the processing are located. For further information, you can contact the Data Controller at the addresses specified below.

PRESERVATION TIMES Personal data will be processed for the time strictly necessary to achieve the purposes, described above, to fulfil contractual, legal and regulatory obligations, without prejudice to prescriptive and legal terms, respecting rights and complying with consequent obligations. In particular, the criteria used to determine the storage period are established by specific legal provisions (which regulate the sector in which ACCAPIERRE S.R.L. operates), and by tax regulations with regard to the processing of administrative-accounting data. With reference to data collected for commercial purposes (referred to in point 2), details are limited – for profiling activities – to 1 year from the date of acquisition and 2 years for direct marketing activities. Finally, the site user’s personal data may also be stored for as long as is permitted by Italian law to protect the legitimate interests of the Data Controller (art. 2947, co. 1 and 3 of the Italian Civil Code).

SCOPE OF DATA KNOWLEDGE The processing of personal data will be carried out, within the limits of the general authorisations issued by the Guarantor for the protection of personal data, by persons expressly and specifically authorised by ACCAPIERRE S.R.L. The data may also be processed by third parties (outsourcers), which we use for the provision of services related to the pursued purpose, which our organisation binds with appropriate contractual clauses or acts of formal appointment as External Managers for the processing carried out by them. In all cases, these subjects will process the data in accordance with the instructions received from the Data Controller, according to the operational profiles attributed to them in relation to the functions performed, limited to what is necessary and instrumental to the performance of specific operations within the scope of the services requested and exclusively for the achievement of the purposes indicated in this information notice. The list of data processors, which is constantly updated, may be requested by sending a communication in the manner indicated in the following point concerning the rights of the data subject.

COMMUNICATION AND DISSEMINATION The data may be communicated, by which term is meant giving knowledge of it to one or more specific subjects, in the following terms – to subjects, public and private, who can access the data by virtue of a provision of law, regulation or Community legislation, within the limits provided for by such rules (for example, social security and welfare institutions and bodies, associations of local authorities, public administrations and bodies, associations, foundations, associations and/or insurance bodies) – to subjects who need access to the data for purposes auxiliary to the relationship between the parties, within the limits strictly necessary to carry out the auxiliary tasks (for example, banks and credit institutions, service supply companies, carriers and shipping companies) – to our consultants, to the extent necessary to carry out their duties in our organization, subject to our letter of appointment imposing the duty of confidentiality and security – to companies (which provide auxiliary services, including computer services), subject to the signing of appropriate contractual clauses imposing the duty of confidentiality and security. The data will not be disseminated, by which term is meant giving knowledge to unspecified subjects in any way, even by making them available or consulting them, unless specific, free and informed consent is given for each type of processing.

DEFENCE IN COURT The user’s personal data may be used for the Holder’s defence in legal proceedings or in the preparatory phases of any such proceedings, against abuses in the use of the same or related services by the user. The user declares that he/she is aware that the Data Controller may be required to disclose the data at the request of public authorities.

HOLDER The Data Controller is ACCAPIERRE S.R.L. with registered office in Piazza dei Daini, 3 – 20126 Milan (MI) – ITALY. The Data Controller keeps an up-to-date list of the appointed data processors and guarantees that the data subject will be able to view it at the above-mentioned offices.

RIGHTS OF THE DATA SUBJECT Data subjects, to whom the personal data refer, are entitled to exercise their rights at any time (Right of access to personal data and other rights), in particular: the right to obtain confirmation of the existence or otherwise of their personal data, to access them and to know their content and origin, to verify their accuracy, to request their integration or updating, restriction of processing or portability. Rectification and blocking may be requested if the data are incomplete, incorrect or collected in violation of the regulations in force, and in this sense it is also possible to oppose their processing for legitimate reasons or any automated decision-making process (including profiling), just as it is also possible to request, for the same reasons, their deletion provided that this is done in compliance with the regulations in force and if there are no other conservation and processing obligations on ACCAPIERRE S.R.L.. Data subjects also have the right to object to the processing of their personal data for marketing purposes (indicated in point 2), even if carried out using automated methods of contact; this right also extends to traditional methods, and data subjects may exercise these rights in whole or in part (e.g. only to communications via text message, e-mail or telephone, or by objecting only to the sending of promotional communications using automated tools, etc.). With regard to the exercise of the rights listed above, as well as to know the updated list of those responsible for the processing of personal data, the person concerned may address his or her requests by means of specific communication by mail addressed to the same Company, or by e-mail: info@accapierre.it, also by sending communication to the e-mail address indicated, in order to obtain a timely reply. If the data subject has consented to the processing of personal data for a specific purpose, he/she is always entitled to withdraw his/her consent at any time without prejudice to the lawfulness of the processing based on the consent given before the withdrawal. Please also note that the data subject always has the right to lodge a complaint with the Data Protection Authority to exercise his/her rights or any other matter relating to the processing of his/her personal data.

APPLICATION AND CHANGES TO THIS POLICY The Data Controller reserves the right to make changes to this privacy policy at any time by publishing them on this page. It is therefore advisable to consult this page often, taking as reference the date of the last modification indicated at the bottom. If you do not accept the changes made to this privacy policy, you must cease to use this site and the related services and may request the Data Controller to remove your personal data. Unless otherwise specified, the previous privacy policy will continue to apply to personal data collected up to that time.

In case of discrepancy in the translation, the Italian version will prevail in any case.

Date of Publication: 27 December 2021