Policy Privacy Statement on the Protection of Personal Data

The company C.I.M.E.S. SpA (hereinafter "Data Controller" or "Company") as Data Controller of personal data pursuant to and for the purposes of Regulation 2016/679 EU (hereinafter the "Regulation"), in accordance with Articles 13 and 14 of the Regulation provides data subjects with information on the processing of their personal data, which will be based on principles of correctness, lawfulness, transparency and protection of confidentiality and their personal rights, in accordance with the legislative provisions of current legislation.

Nature and type of data collected

In our work, we process common personal data belonging to customers and potential customers and suppliers, or people referring to companies or organizations of these categories of subjects with whom we have commercial and professional relationships. Most of the personal data that we collect and use are provided directly by the data subjects, other personal data we process may come from public sources.

Among the data subject to treatment, we use the basic contact information such as name and surname, e-mail address, telephone numbers, place of work and work address, role in the company or job position, information on the economic activity of the data subject.

Furthermore, we may acquire other personal data from sales or purchase contracts, from business cards, from websites and profiles on Social Media, from digital or printed publications, from the same people during normal professional relationships. Of these subjects we treat only common personal data and not particular / sensitive data as per Art. 9.

Purpose and legal basis of the processing

The data will be processed for the following purposes related to the implementation of legislative or contractual obligations, or for the execution of obligations related to contractual or pre-contractual measures:

• Correct and complete execution of the contract with customers and suppliers
• Performance of obligations that are mandatory by law
• Management of relationships with customers and suppliers and with their contact persons;
• Supply of contracted products or contracted services;
• Management of purchases and sales and scheduling of work activities;
• Storage of sales and purchase documents and those related to the data subjects;

The provision of mandatory data for the fulfillment of legislative or contractual obligations is necessary: any failure to communicate, or incorrect communication, of the data processed, may cause the Data Controller to be unable to guarantee the adequacy of the processing itself and the achievement of the purposes for which the data are used.

In exercising its legitimate interest as a legal basis, the Data Controller may also use the data for the following purposes:

• Direct marketing activities for information and updates on products and services;
• Quality management and detection of the degree of satisfaction of customers and suppliers
• Exercise of the defense of the Data Controller or of third parties, including in judicial proceedings;
• Management of litigation and/or debt collection.

Processing Modalities

Personal data will be processed with manual and computerized procedures, in compliance with the principles set out in Articles 5 and 6 of the Regulations and through the adoption of the appropriate security measures pursuant to Art. 32. Data will be processed only by authorized personnel and instructed by the Data Controller pursuant to Art. 29, or even by third parties, competent Data processors pursuant to Art. 28 of the Regulation.

Data communication

For the purposes having been indicated, personal data will be communicated exclusively to competent subjects for the performance of the necessary services, with a guarantee of protection of the rights of the data subject:

• Personnel within the company
• Companies, consultants or other third parties, also in associated form, for services that are functional to our activities;
• Private bodies and/or public bodies to whom communication is due for legal obligations;
• Transport companies, logistics companies, postal services;
• Banks, insurance companies, society of commercial information, credit or debt collection.

More information on the subjects to whom the data may be communicated will be provided to the data subjects in the exercise of their rights pursuant to Article 15 of the Regulation. The personal data processed will not be disseminated in any way and will not be transferred outside of Europe.

Storage

In compliance with the principles of lawfulness, purpose limitation and data minimization, the retention period of your personal data is established for a period of time not exceeding the achievement of the purposes for which they are collected and processed, or will be stored for the duration of the contractual or commercial relationship with the interested party or with his/her organization, in accordance with any legal obligations for the storage of tax documents or with related legal value.

European Regulation 2016/679 (EU) - Articles 15 to 22 - Rights of the data subject

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, even if not yet registered, and their communication in intelligible form. The data subject has the right to obtain the indication:
of the origin of the personal data;

• the purposes and methods of the processing;
• the type of logic applied when electronic instruments are used for data processing;
• the identifying details of the Data Controller, Data Processors and designated representative pursuant to Art. 5, paragraph 2
• of the subjects or the subject categories to whom the personal data can be communicated or that can get to know them as appointed representative in the territory of the State, data processors or persons in charge of the processing.

The Data Subject has the right to obtain:

• the updating, the rectification of inaccurate personal data concerning him or her, and the right to have incomplete personal data completed;
• the erasure, the transformation into anonymous form or the blocking of data processed in violation of the law, including those that do not need to be stored for the purposes for which the data were collected or subsequently processed;
• the certification that the operations referred to in subparagraphs a) and b) have been brought to the attention, also with regard to their content, of those to whom the data have been communicated or disseminated, except in the case in which such fulfillment proves impossible or involves a use of means manifestly disproportionate to the protected right;
• portability of the data

The data subject has the right to object, in whole or in part:

• to the processing of personal data concerning him or her for legitimate reasons, even if pertinent to the purpose of the collection;
• to the processing of personal data concerning him or her for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication.

To exercise his or her rights, the data subject must contact the Data Controller:
C.I.M.E.S. SpA - via R.Guastalla 4, 46029 Suzzara (MN) Mail: info@cimesgroup.it Certified E-mail: cimes@legalmail.it

The data subject may also lodge a complaint, in accordance with the methods and times, to the Italian data protection authority: please visit the website www.garanteprivacy.it for more information.