Declaration of Authorization to the processing of personal identification, sensitive and judicial data pursuant to Legislative Decree no. 196/2003 and EU Regulation 2016/679. The User, hereinafter also referred to as “Interested” in the meaning of the letter “i” of the art. 4 Legislative Decree n. 196/03, that is to say, “natural person, legal person, entity or association to which personal data refer”,

Given that

• the User / Interested party is the person who accesses the website www.emanuelamazza.it (hereinafter referred to as THE WEBSITE only) by registering their Personal Data for the use of the features allowed by the website, of greater age and in possession of the capacity to understand and desire;

• pursuant to Article 23 (“Consent”) of Legislative Decree no. 196/03, the processing of personal data by private individuals is allowed only with the express consent of the interested party provided freely and with specific reference to an identified treatment, as well as documented in writing and preceded by the information referred to in art. 13 Legislative Decree no. 196/03; likewise for the application of the EU Regulation 2016/679 “Consent” means any manifestation of free will, specific, informed and unambiguous of the interested party with whom he expresses his assent, through unequivocal positive declaration or action, that the personal data that concern him are subject to treatment; always in accordance with the art. 23 (“Consent”) of Legislative Decree no. 196/03 if the processing also concerns, or only, data c.d. “Sensitive” Consent must be expressed in writing except in the cases referred to in Article 26 paragraph 4 letter “c” whose content declares to know and whose text acknowledges to be the one shown in note 1 at the foot of this authorization;

• for the application of the EU Regulation 2016/679 the term “Interested” refers to any identified or identifiable natural person, considering identifiable the natural person that can be identified, directly or indirectly, with particular reference to an identifier such as the name, the identification number, location data, an online identifier or one or more characteristic elements of its physical, physiological, genetic, mental, economic, cultural or social identity;

• for the application of the EU Regulation 2016/679 the “Personal Data” is intended as information of any type concerning the interested party, “Genetic Data” means the data relating to the genetic inherited or acquired characteristics of a natural person who provide unequivocal information on the physiology or health of the person and resulting from the examination of a biological sample, “Biometric Data” means the personal data obtained from a specific technical treatment relating to the physical, physiological or behavioral characteristics of a natural person who allow or confirm the unique identification, such as the facial image or fingerprint data, and “Health Data” means personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his state of health.

• for the application of the EU Regulation 2016/679 for “Treatment” means any operation or set of operations, carried out also with the aid of automated processes, applied to personal data, including the collection, registration, organization, the structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, comparison or interconnection, limitation, cancellation or destruction; “Cross-border Treatment” means the processing of personal data that takes place in the context of establishments (understood as the directional choice of the Data Controller and the place where the main processing activities are performed by the Data Processor) in addition of a member state of the EU or in establishments located in a single member state but which may substantially affect interested parties from several member states;

• for the application of the EU Regulation 2016/679 for “Profiling” means any form of automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or foresee aspects concerning professional performance, economic situation, personal preferences, health, interests, reliability, behavior, location or travel of the Interested Party;

• for the application of the EU Regulation 2016/679 for “Pseudonymisation” means the processing of personal data in such a way that they can no longer be attributed to a specific interested party without the use of additional information, provided that such additional information are kept separately and subject to technical and organizational measures intended to ensure that such personal data are not attributed to an identified or identifiable natural person;

• for the application of EU Regulation 2016/679 for “Data Controller” means the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of processing personal data, “Data Processor” means the natural or legal person, public authority, service or other body that processes data on behalf of the Data Controller, “Addressee” means the natural or legal person, public authority, service or another body that receives communications of personal data, whether or not they are third parties, “Third parties” means a person other than the Data Subject, the Data Controller, the Data Processor, the persons authorized for processing by the Data Controller or by the Data Processor and by the Addressee;

• for the application of the EU Regulation 2016/679 for “Control Authority” means any authority appointed to verify the correct application of the EU Regulation 2016/679 in the Italian Republic, in particular the Guarantor for the Protection of Personal Data based in Rome, Piazza di Monte Citorio n. 121 – pec: protocollo@pec.gpdp.it.

In compliance with the provisions of article 13 (“Information”) of Legislative Decree n. 196/03, whose content declares to know and whose full text recognizes to be the one shown in note 2 at the foot of this authorization, and pursuant to art. 7 (“Conditions for Consent”) and art. 12 of EU Regulation 2016/679, declares to have been previously informed of the following:

The identification details of the Data Controller are:

EMC Srls – email: privacy@emanuelamazza.it.

The Data Processor can be contacted at the following email address: email privacy@emanuelamazza.it.

Any modification of the name of the Data Processor will also be communicated together with the renewal of this consent, by modifying therein contemplated the name of the Data Processor.

The Personal Data are processed in a lawful, correct and transparent manner and only for purposes related to the performance of the functions permitted by the WEBSITE.

The Personal Data will be collected exclusively for commercial purposes in accordance with the purpose for which the User / Interested has registered with the WEBSITE and, in any case, for purposes connected and / or instrumental to the management activities of the WEBSITE, excluding – therefore – any different and / or conflicting use with the interests of the User / Interested, without prejudice to the legal obligations of the Data Controller or Data Processor.

The Personal Data processed will be exclusively limited and relevant to the operation of the WEB SITE to which the User / Interested has registered.

The Personal Data will be accurate and, if necessary, updated according to the indications of the User / Interested person at the time of registration.

The Personal Data will be kept for the period necessary for the activities subject to the permitted processing and for a further maximum period of 2 (two) months from the termination of the treatment allowed. In any case, the processing can never exceed ten years, except for express renewal of the consent by the interested party.

Personal data will be processed using methods that guarantee security and exclude even partial loss or destruction (eg system backup, copy storage, anti-virus systems, change of data access passwords for the Data Controller with the Data Controller with appropriate periodicity).

The acquisition and processing of Personal Data will also take place for the purposes envisaged by the legislation on anti-money laundering as introduced by Community Directive no. 2001/97 CE, by Legislative Decree n. 56/2004 and following mod. and int. of transposition and implementation of Ministerial Decrees, and is aware of the possibility that the same data will be communicated to the Italian Exchange Office for the verification of the correct fulfillment of the aforementioned obligations.

The provision of Personal Data is a mere option and not an obligation, unless expressly required by law, but it is necessary for registration to the WEBSITE and the relative consent to the Treatment is a condition for registration. The provision of Personal Data occurs whenever the interested party accesses the WEBSITE for registration and accesses it for the management / use of the services offered by it or connects his account on a third party site to his WEB SITE account where permitted by the latter.

If the interested party is authorized to use mobile applications connected to the WEBSITE, the data relating to the position of the interested party, including general information (for example, IP address, post code) and more specific information, will be given, stored and processed. (eg GPS-based features on mobile devices used to access the platform or specific features of the platform). If the interested party accesses the WEB SITE from a mobile device and does not want the device to provide information on its location, it can disable the GPS or other location tracking features on the device, provided that this is allowed by the device.

The User / Interested is aware of the Treatment of the “Log Data”, which are data automatically recorded by our servers or server spaces, even sites at Third Parties, whenever the User / Interested person accesses the WEBSITE or uses it , regardless of whether or not you are a registered user or have logged into your account; these data are, by way of example, the IP address, the date and time of access, text fonts, the hardware and software used to access, the sites and URLs from which it comes and exit, the number of clicks, the pages viewed and the order of these pages, as well as the amount of time spent on particular pages. These data are also subject to a separate consent that the interested party already issues to the Data Controller who carries out the activity of search engine on the web. browsers (eg Google) and can be used for analytics services and to track the activities of the User / interested party resulting from the interaction with the WEBSITE.

No personal user data is acquired from the WEB SITE through the c.d. Cookies. We do not use cookies to transmit information of a personal nature, nor do we use persistent cookies of any kind, or systems for tracking users. The use of session cookies (which are not stored permanently on the user’s computer and disappear when the browser is closed) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server) necessary to allow the Safe and efficient site exploration. The session cookies used on this site avoid the use of other computer techniques that are potentially detrimental to the confidentiality of users’ browsing and do not allow the acquisition of personal identification data of the user. Cookies to integrate products and functions of third-party software (Google Maps, YouTube videos, integrations with social networks, online payments, etc.) integrate functions developed by third parties within the site pages in order to share the contents of the site or for the use of third-party software services (such as software to generate maps and additional software that offer additional services). These cookies are sent by third-party domains and by partner sites that offer their functionality on the pages of the website. You can view the management of your browser’s cookies on the website of the relevant manufacturer (eg: Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera, etc.).

The interested party can disable the use of cookies through his browser settings, but the practices and data processing will be changed as a result of a “Do Not Track” signal in the http header from his browser or mobile application. The activities of the person concerned are tracked if he clicks on an advertisement for the WEB SITE services on third party sites or platforms such as search engines and social networks.

The WEBSITE may allow third parties to collect information on users’ online activities.

The interested party consents to the transmission of Personal Data to third parties (eg web providers for the management and maintenance of the site and of the management programs used in the organization of the Data Controller, Accountant for the accounting and fiscal needs related to the business of the Data Controller).

The WEBSITE may use social plugins provided and managed by third parties, such as the Facebook Like button or similar Linkedin, Twitter or Google Plus applications; with the use of similar plugins, the Interested party could send to third parties the information he is viewing on a specific part of the WEB SITE. If the person concerned has not logged into his account with a third party, the third party should not become aware of his identity unless otherwise consented to the processing of personal data by the interested party directly to the third party. If the person concerned has logged into his account with the third party, then the third party may be able to link information relating to the visit of the interested party to the WEB SITE to his account with the third party. Similarly, its interactions with the social plugin could be recorded by the Third. Such methods of access to the data of the interested party by the third party are not related to the functionalities of the WEBSITE and the processing is not carried out by the Data Controller nor by the person responsible for the processing of the WEB SITE, but by the third party to whom the interested party should have allowed data processing. The interested party declares to know the privacy policy of these Third Parties and their practices regarding the processing of personal data and declares to have validly authorized their treatment, exempting the Data Controller and the Data Processor for the WEB SITE from liability.

Failing to provide the data required for registration and browsing, access to the WEBSITE will not be accepted and / or continued and the account will not be enabled or will be canceled if the consent to the renewal of personal data processing authorization is denied.

If the processing of personal data is authorized, of whatever nature including sensitive or judicial, genetic, biometric or health-related data, these, within the limits and for the purposes connected to the authorized treatment, may be known to Italian public subjects and the competent Italian Judicial Authorities for the institutional purposes of their own and, therefore, of the subjects in those same offices in charge of their transposition and / or treatment.

The WEBSITE may allow the collection by third parties, previously authorized by the User / Interested, of information on the online activities of the Users also for the profiling of purchases made by the User and for commercial purposes.

The Data Controller does not transfer data of the interested party abroad or to third countries.

WEBSITE collects and processes data also for third-party commercial purposes, including but not limited to the profiling of Users (eg Google Analytics, Google Fonts).

The person concerned will be guaranteed all the rights as better specified in the art. 7 (“Right to access personal data and other rights”) Legislative Decree n. 196/03 whose content declares to know and whose full text recognizes to be the one shown in note 5 at the foot of this authorization.

The User / Interested party is guaranteed, pursuant to EU Regulation 2016/679 and to be exercised by request to the Data Processor:

– the right of access (art. 15 of the said EU Regulation) to the data to verify the existence of a treatment of the data in progress and to verify the purposes of the treatment, category of processed data, recipients of any communications of the given treaty, the period of preservation of the given treaty, the possible existence of an automated decision-making procedure, including profiling pursuant to art. 22, paragraph 1 and 4 of EU Regulation 2016/679;

– the right to rectification, including integration of the incomplete data (art. 16 of said EU Regulation);

– the right to cancellation (art. 17 of the aforementioned EU Regulation) of data without delay at the request of the interested party and if:

• they are no longer necessary for the purposes of processing;

• the consent to the processing is revoked;

• the person concerned is opposed to the Treatment pursuant to art. 21 of the EU Regulation;

• the data have been processed illegally;

• the cancellation obligation is imposed by Italian or EU regulatory provisions.

The cancellation obligation does not apply in the case of exercise of the right to freedom of expression and information, for the fulfillment of a legal obligation that requires the processing, for reasons of public interest or public order that impose the treatment, for the purpose of justice that justifies the treatment.

– the right to limitation of treatment (art. 18 of said EU Regulation) when the interested party disputes the accuracy of the personal data processed for the period necessary for the consequent verifications, the processing is illicit and the interested party opposes the cancellation, the The Data Controller does not need to continue the processing but the interested party requests its prosecution for purposes of justice and for the exercise of the rights of defense in court and when the interested party has opposed the processing pending verification of the prevalence of the reasons data of the Data Controller.

– the obligation for the Data Controller to communicate (art. 19 of said EU Regulation) to any Recipients of personal data processed any cancellations, adjustments, processing limitations.

– the right to the portability of personal data (Article 20 of the aforementioned EU Regulation) as the right to delivery to the interested party on a structured format of common and lasting use, readable by automatic devices, even in multiple copies, by e-mail to the address specifically indicated by the User / interested party free of charge, and as a right to transfer Personal Data to another Data Controller, without impediment, if the processing is carried out by automated means as in the case in question;

– the right to object to the processing of their Personal Data (Article 21 of the aforementioned EU Regulation), without prejudice to the right of the Data Controller to prove the existence of legitimate cogent reasons for proceeding with the processing anyway;

– the right not to be subjected to automated decisions, including profiling, unless such decision-making is necessary for the stipulation of the contract or its execution between the Data Subject and the Data Controller, is permitted by a source of national or community law, it can be considered already permitted by the explicit consent of the interested party (art. 22 of said EU Regulation).

The Data Controller declares that there are no specific risks connected to the processing of the Personal Data of the interested party, that they have evaluated every burden and risk of conservation and treatment, and that they have carefully selected the best types of caution to guarantee the confidentiality and intangibility of the personal data of the interested party.

The Data Controller reserves the right to use every best security method of the data including encryption, pseudonymisation and encryption of the processed personal data.

In any case, the Data Controller declares to use suitable anti-intrusion and anti-violation systems also at the servers, or server spaces, in its availability or in any case used by him at third-party.

The processing of personal – identifying – sensitive and judicial data will take place within the limits of the law as established by art. 25 Legislative Decree no. 196/03 whose content declares to know and whose text acknowledges to be the one shown in note 6 at the bottom of this authorization, as well as for the purposes set out above, may be subject, in addition to processing, to communication and / or dissemination in the technical meaning as better illustrated in letters “a”, “l” and “m” of paragraph 1 of art. 4 Legislative Decree no. 196/03 and that acknowledges to be the one referred to in note 7 at the foot of this authorization.

The interested party undertakes to keep personal data up to date and to this end will communicate to the Data Controller any need for modification or updating.

All the above, the User / Interested person spontaneously declares to authorize, in compliance with what is indicated above and more generally the provisions of the Legislative Decree 196/03 and EU Regulation 2016/679, the processing of his/her personal data.

________________________

Information about Legislative Decree No. 196 of June 30, 2003

1. ART.26 paragraph 4 letter “c” – GUARANTEES FOR SENSITIVE DATA: “(…) 4. Sensitive data can be processed even without consent, subject to authorization by the Guarantor: c) when processing is necessary for of carrying out defensive investigations pursuant to the law of 7 December 2000 n. 397 or – in any case – to assert or defend in court a right, provided that the data are processed exclusively for these purposes and for the period strictly necessary for their pursuit. If the data are suitable to reveal the state of health and the sexual life the right must be of equal rank to that of the interested party or consisting in a right of the personality or in another fundamental or inviolable right or freedom (…) ” .

2. ART.13 – INFORMATION: “1. The interested party or the person from whom the personal data are collected are previously informed orally or in writing as to: a) the purposes and methods of the processing for which the data are intended; b) the mandatory or optional nature of providing data; c) the consequences of a possible refusal; d) the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as managers or agents, and the scope of dissemination of the data; e) the rights referred to in Article 7; f) the identification details of the owner and, if designated, of the representative in the territory of the State pursuant to art. 5 and of the manager. When the owner has designated more managers, at least one of them is indicated, indicating the site of the communication network the methods through which the updated list of those responsible is easily accessible. When a responsible person has been designated to reply to the interested party in the event of exercise of the rights pursuant to art. 7 this manager is indicated. 2. The information referred to in paragraph 1 also contains the elements required by specific provisions of this code and may not include the elements already known to the person providing the data or whose knowledge may hinder a concrete performance by a public subject of functions inspections or controls carried out for purposes of defense or security of the State or for the prevention, detection or repression of crimes. 3. The Guarantor may identify simplified procedures for the disclosure provided in particular by telephone assistance and information services to the public. 4. If personal data are not collected from the data subject, the information referred to in paragraph 1, including the categories of data processed, is given to the data subject when the data is registered or, when their communication is provided, not beyond the first communication. 5. the provision referred to in paragraph 4 does not apply when: a) the data is processed on the basis of an obligation established by law, regulation or community law; b) the data are processed for the purpose of carrying out defensive investigations pursuant to the law of 7 December 2000 n. 397 or, in any case, to assert or defend a right in court, provided that the data are processed exclusively for these purposes and for the period strictly necessary for their pursuit; c) the information to the interested party involves the use of means that the Guarantor – prescribing any appropriate measures – declares manifestly disproportionate with respect to the protected right, or is revealed – in the opinion of the Guarantor – impossible ”.

3. ART.4 – DEFINITIONS: (…) b) <personal data>, any information relating to a natural person, legal person, entity or association, identified or identifiable, even indirectly, by reference to any other information, including a number of personal identification; c) <identification data>, personal data that allow the direct identification of the interested party; d) <sensitive data>, the personal data that can reveal the racial and ethnic origin, the religious, philosophical or other convictions, the political opinions, the adhesion to parties, trade unions, associations or organizations of a religious, philosophical character , political or trade union, as well as the personal data suitable to reveal the state of health and sexual life; e) <judicial data>, the personal data suitable for revealing measures pursuant to art. 3 paragraph 1, letters from a) to o) and from r) to u) of the D.P.R. 14.11.2002 n. 313, in the matter of criminal records, of the registry of administrative sanctions depending on the crime and the related pending charges, or the status of defendant or suspect pursuant to articles 60 and 61 of the criminal procedure code “.

4. ART.4 – DEFINITIONS: (…) f) <holder>, the natural person, the legal person, the public administration and any other body, association or body which they are in charge of – also jointly with the other owner, the decisions regarding the purposes, the methods of processing personal data and the tools used, including the security profile; g) <responsible>, the natural person, the legal person, the public administration and any other body, association or organization appointed by the owner to process personal data; h) <persons in charge>, the natural persons authorized to carry out processing operations by the owner or manager “.

5. ART. 7 – RIGHT OF ACCESS TO PERSONAL DATA AND OTHER RIGHTS: 1. The interested party has the right to obtain confirmation of the existence or not of personal data concerning him / her even if not yet recorded and their communication in intelligible form. 2. The interested party has the right to obtain the indication: a) of the origin of the personal data, b) of the purposes and methods of the processing; c) the logic applied in the case of processing carried out with the aid of electronic instruments; d) of the identification data concerning the data controller, data processors and the representative designated pursuant to art. 5 paragraph 2; e) the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as appointed representative in the State, managers or appointees. 3. The interested party has the right to obtain: a) updating, rectification or – when interested – integration of data; b) the deletion, transformation into anonymous form or blocking of data processed in violation of the law, including data which does not need to be kept for the purposes for which the data was collected or subsequently processed; c) the attestation that the operations referred to in letters “a” to “b” have been brought to the attention also as regards their content of those to whom the data have been communicated or disseminated, except in the case in which such fulfillment proves impossible or involves the use of means manifestly disproportionate with respect to the protected right. 4. The interested party has the right to object in whole or in part: a) for legitimate reasons to the processing of personal data concerning him, even if pertinent to the purpose of the collection; b) to the processing of personal data concerning him for the purpose of sending advertising materials or direct sales or for carrying out market research or commercial communication “.

6. ART.25 – PROHIBITIONS OF COMMUNICATION AND DIFFUSION: “1. The communication and dissemination are prohibited, in addition to the prohibition established by the Guarantor or the Judicial Authority: a) with reference to the personal data for which the cancellation was ordered, or when the period of time indicated in the art has expired . 11 paragraph 1, letter “e”; b) for purposes other than those indicated in the notification of treatment, where required. 2. It is without prejudice to the communication or dissemination of data required, in accordance with the law, by police forces, by the judicial authority, by training and security bodies, by other public subjects pursuant to art. 58, paragraph 2, for purposes of defense or state security or prevention, detection or repression of crimes “.

7. ART.4 – DEFINITIONS: (…) to <treatment> any operation or set of operations, carried out even without the aid of electronic tools, concerning the collection, registration, organization, storage, consultation, l ‘processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, deletion and destruction of data even if not recorded in a database (. ..); l) <communication> giving knowledge of personal data to one or more specific subjects, different from the interested party, from the owner’s representative in the state territory, from the person in charge and from the appointees in any form, also through their provision or consultation ; m) <dissemination> giving knowledge of personal data to undetermined subjects, in any form including through their provision or consultation ”.