PRIVACY POLICY

PRIVACY POLICY on the protection of personal data PURSUANT TO REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016

NFORMATION RELATING TO THE PRIVACY POLICY OF THE SITE

This document provides you with essential information pursuant to Art. 13 of Leg. Decree no. 196 of 30.06.2003 (hereinafter, the "Privacy Code") and Art. 13 of EU Regulation no. 2016/679 (hereinafter, the "GDPR") on the processing of your personal data by Altaeco S.p.a. in relation to your browsing, specifically as regards the following websites and the use of their services offered:

• www.altaeco.com
• www.ceramicabardelli.com
• www.appiani.it
• www.gabbianelli.com
• www.ceramicavogue.it

DATA PROCESSING

  1. Data Controller, Data Processor

The Data Controller is Altaeco S.p.a, with registered office and main facility located at Via Giovanni Pascoli No. 4/6 - 20010 Vittuone (MI), PI 09965410153 EAI number 1332411.

The updated list of data processors to process data is kept at the registered office of the Data Controller.

  1. Scope of processing

The Data Controller processes personal data, identifying data and non-specific data (such as name, surname, company name, address, telephone, e-mail, hereinafter referred to as "personal data" or "data"), communicated by you when registering on the above-mentioned sites of the Data Controller (hereinafter, the "Sites"), taking part in opinion polls and customer satisfaction surveys, filling in registration forms through the Website, on-line requests for clarifications or requests for support, the sending of newsletters and/or direct email marketing, and the download of TEXTURE and/or BIM files.

  1. Processing purposes

Your personal data are processed:

A) without your express consent (Article 24(a), (b), (c) of the Privacy Code and Art. 6(b), (e) of the GDPR), for the following Service Purposes:

  • manage and maintain the Site;

  • allow you to use any of the Services requested by you as a download of TEXTURE and/or BIM files;

  • process a contract request;

  • fulfil obligations laid down by law, by regulations, by EU legislation or by an order of the Authority;

  • prevent or discover fraudulent or malicious activities that are harmful to the Site;

  • exercise the rights of the Data Processor, such as to exercise a right in court;

In the cases indicated above, the legal basis of the processing of your personal data is that of executing a contract with you, in providing you with a service that you have specifically requested, in following up on a legal obligation, or in protecting our legitimate interest.

B) Only subject to your specific and express consent (Articles 23 and 130 of the Privacy Code and Article 7 of the GDPR), for the following purposes:

  • send you satisfaction surveys, newsletters/direct email marketing, invitations to events or opportunities to register for events held organised by the Data Controller.

  1. Data processing methods

Your personal data is processed by means of the operations indicated in Art. 4 of the Privacy code and Art. 4(2) of the GDPR, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data. Your personal data are subjected to both paper-based and electronic and/or automated processing activities.

  1. Retention period of data processed

The Data Controller will process personal data for the period of time necessary to fulfil the aforementioned purposes, and for no more than 10 years from the termination of the relationship for Service Purposes.

  1. Security measures

The Data Controller has taken appropriate security measures to protect your data against the risk of loss, misuse or alteration. In particular, it has adopted the measures referred to in Articles 32-34 of the Privacy Code and Art. 32 of the GDPR regarding access to paper and digital archives through security procedures, such as spaces accessible only to appointed personnel and equipped with a physical means of closure (such as locks) or electronic key (such as a password). The use of automated decision-making processes, including profiling, does not represent an increase in the risk for data breaches for the data subject, as these processes and profiling have the sole purpose of allowing the Data Processor management that is free of human error in executing that indicated by the data subject, and in the efficient organisation of the information collected with the purpose of facilitating the data subject in using the services requested. The software used is equipped with all of the technical and procedural measures required to prevent any kind of violation of processed and profiled data.

  1. Access to data

Your data may be made accessible for the purposes referred to in Art. 2.A. and 2.B.:

• to employees and collaborators of the Data Processor in their capacity as persons in charge and/or internal managers of the processing activity;

• to third-party companies or other subjects (such as commercial agents, consultants, etc.) who are outsourced to perform activities on behalf of the Data Controller in their capacity as external data processors.

  1. Communication of data

Without your express consent (pursuant to Article 24(a), (b), (c) of the Privacy Code and Art. 6(b), (c) of the GDPR), the Data Controller may communicate your data for the purposes referred to in Art. 2.A to Supervisory Bodies, judicial authorities, and subjects to whom communication is mandatory by law for the achievement of such purposes. Your data will not be disseminated.

  1. Data transfer

Personal data are stored on servers of the Data Controller, located in Venice (Italy) and/or on servers located within the European Union belonging to third-party companies who are assigned and duly appointed as Data Processors.

  1. Nature of providing data and consequences of their non-provision

The provision of data for the purposes referred to in Art. 2.A. is mandatory. In their absence, we can neither guarantee registration to the Site nor the services under Art. 2.A.

The provision of data for the purposes referred to in Art. 2.B. is optional. You can therefore decide not to provide any data or to subsequently deny the processing of data already provided. In this case, you will not receive communications regarding customer satisfaction surveys, newsletters/direct email marketing, invitations to events or opportunities to register for events held organised by the Data Controller. You will continue to have a right to the Services referred to in Art. 2.A.

  1. Rights of the data subject

In your capacity as a data subject, you enjoy the rights referred to in Art. 7 of the Privacy Code and Art. 15 of the GDPR, namely:

• i. obtain confirmation as to whether or not personal data concerning you are being processed, and their communication in an intelligible form;

• ii. obtain the indication of: a) the origin of personal data; b) the processing purposes and methods; c) the logic applied if processing is carried out with the aid of electronic instruments; d) the identification of the controller, processors and designated representative pursuant to Art. 5, paragraph 2 of the Privacy Code, and Art. 3, paragraph 1 of the GDPR; e) of persons or categories of persons to whom the personal data may be communicated or may become aware of the data as an appointed representative in the country, or designated or authorised persons;

• iii. obtain: a) the update, rectification or, when applicable, the integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed; c) an attestation that the operations referred to in letters (a) and (b) have been brought to the attention of those to whom the data have been communicated or disseminated, also as regards their content, except in cases in which such fulfilment proves impossible or involves a use of means manifestly disproportionate to the protected right;

• iv. to oppose the following, in whole or in part: a) the processing of personal data concerning you for legitimate reasons, even if pertinent to the purpose of its collection; b) the processing of personal data concerning you for the purpose of sending advertising material, direct sales material or for carrying out market research or commercial communications by e-mail and/or through traditional marketing methods, by telephone and/or post. It is noted that for direct marketing purposes through automated methods, the right of opposition of the data subject as set out in point (b) above extends to traditional methods and that the possibility remains for the data subject to exercise the right to object, even if only partially. Therefore, the data subject can decide to only receive communications using traditional methods, only automated communications, or neither of the two types of communication.

Where applicable, you also have the rights referred to in Articles 16-21 of the GDPR (Right of rectification, right to be forgotten, right of limitation of processing, right to data portability, right of opposition), as well as the right to lodge complaints with the Guarantor Authority.

  1. Methods of exercising your rights

You may exercise the rights referred to in point 10) above at any time by sending:

a letter by ordinary post to Altaeco at Via Giovanni Pascoli No. 4/6 - 20010 Vittuone, Milan (MI);

• an e-mail to privacy@altaeco.com