POLICY REGARDING THE PROCESSING OF PERSONAL DATA OF USERS REGISTERED WITH THE GEWISS PLATFORM PURSUANT TO REGULATION (EU) 2016/679 ("GDPR")

Gewiss S.p.A intends to provide you, as the data subject, with information on the processing of your personal data carried out following your registration on the Gewiss Platform (the "Platform"), which is necessary for the purposes of using the App that you are about to download onto your device.

1. The Data Controller

The Data Controller is Gewiss S.p.A. (the "Controller" or "Gewiss"), tax code and VAT number 00385040167, with registered offices in Via Domenico Bosatelli, 1 - 24069 Cenate Sotto (BG) - Italy, email address: privacy@gewiss.com.

2. Contact details of the Gewiss Data Protection Officer (DPO)

The Data Controller has appointed a Data Protection Officer ("DPO"), pursuant to articles 37 - 39 GDPR. If necessary, the DPO may be contacted at the following email address: dpo@pec.gewiss.com.

3. Personal data subject to processing

The Controller will process the following Personal Data that you have communicated (hereinafter referred to as the "Personal Data"):

Registration Data: the Personal Data you provide or that Gewiss collects for the purpose of registration (such as, for example, first name, last name, email, date of birth, address). You can also access the services by using credentials provided by the social networks Facebook, Google and Apple ("social login").

4. Identity Management System

Gewiss has created an Identity Management system that allows users registered with the Platform to access all Gewiss websites/services/apps (hereinafter referred to as the "Services"), regardless of the device used, by entering their authentication credentials.

Therefore, once registered for one of the aforementioned Services, users will be able to access one of the others (subject to acceptance of the relative contractual terms and conditions and specific supplementary policies on the processing of personal data), using their own credentials (email address and password) and without having to register again.

5. Purpose and legal basis for processing

The Data Controller will process your Personal Data for the fulfilment of specific purposes and in the presence of a specific legal basis as provided for by the GDPR.

In particular the purposes for which your Personal Data are processed by the Controller as well as the legal basis of the data processing and period of data storage are listed below:

a) Personal data used: Registration data.

Purpose of data processing: Enabling users to register with and use the Services.

Legal basis for processing: Performance of a contract to which the data subject is party.

b) Personal data used: Registration data.

Purpose of data processing: Compliance with responsibilities set out by applicable regulations and national and supranational law.

Legal basis for processing: The need to perform legal obligations.

c) Personal data used: Registration data.

Purpose of data processing: Purpose of data processing: If necessary, to ascertain, exercise or defend the rights of the Data Controller in legal proceedings.

Legal basis for processing: Legitimate interest.

Data storage period relating to points a), b) and c):

Duration of contract plus 10 years from termination.

In the case of legal disputes, the Personal Data will be held for the entire duration of the same, until the end of the time limits for the exercising of appeals.

d) Personal data used: Registration data.

Purpose of data processing: Controlling of logical access to corporate information systems, in order to guarantee the security of persons and assets.

Legal basis for processing: Legitimate interest.

Storage period relating to point d):

6 months from conferment.

e) Personal data used: Registration data.

Purpose of data processing: Marketing purposes: for example, the sending - either through automatic means of contact (such as SMS, MMS and email) and traditional means (such as telephone calls with an operator and traditional mail) - of advertising and commercial communications regarding services/products offered by the Company or information regarding company events, as well the carrying out of market research and statistical analysis.

Legal basis for processing: Legal basis for processing: Consent (optional and revocable at any time)

Period of data retention relating to point e):

until revocation of consent and in any case no longer than 24 months from registration.

At the end of the aforementioned periods of conservation, the Personal Data will be destroyed, erased or rendered anonymous.

6. Mandatory nature of the provision of Personal Data

The provision of data marked with an asterisk (*) in the registration form is obligatory for the conclusion and fulfilment of the contract. Refusal to provide the aforementioned information will therefore hinder registration to the website/service/App.

7. Recipients of personal data

The Personal Data, within the scope of the aforementioned purpose, may be communicated to one or more of the categories of subjects appointed as Data Processors as indicated in detail below, such as, for example:

- professional firms.

- companies offering email services.

- companies offering website maintenance services.

- external companies offering support in carrying out market studies.

- a Gewiss Group company.

The Personal Data may be communicated to external subjects acting as autonomous Data Controllers, for example authorities and supervisory and control bodies, other companies in the Gewiss Group and, in general, subjects, either public or private, entitled to request the Data.

8. Persons authorised to carry out processing

The Personal Data may be processed by employees of the business functions charged with the fulfilment of the purposes indicated above, who are expressly authorised for the processing and have received appropriate operating instructions.

9. Transfer of Personal Data outside the European Economic Area (EEA)

Personal Data will be processed within the EEA. If, for technical and/or operational reasons, it is necessary to use parties located outside the EEA, processing will be regulated in accordance with the GDPR, and therefore all necessary precautions will be taken in order to ensure the protection of the Data, pursuant to Article 46 of the GDPR.

10. Rights of the data subject

The Data Subject, in relation to the personal data provided, has the right to exercise at any time and in accordance with the provisions of the GDPR the rights established by the latter and shown below:

- Right to withdraw consent (art. 7, paragraph 3, GDPR): the right to revoke consent without prejudice to the lawfulness of processing based on consent granted before revocation.

- Data subject's right of access (art. 15 GDPR): the right to obtain confirmation of the existence or otherwise of one's Personal Data, and a copy thereof in intelligible form.

- Right to correction (art. 16 GDPR): the right to correct inaccurate Personal Data.

- Right to erasure, the "right to be forgotten" (art. 17 GDPR): the right to the erasure of one's personal data.

- Right to the limitation of processing (art. 18 GDPR): the right to obtain the limitation of the processing of one's Personal Data, e.g. if the accuracy of the data is disputed or in the case of unlawful processing.

- Right to data portability (art. 20 GDPR): the right to receive in a structured, commonly used and machine-readable format one's Personal Data provided to the Controller and the right to transmit said data to another Controller if the processing is carried out on the basis of consent or a contract and by automated means.

- Right to object (art. 21 GDPR): the right to object to the processing of one's Personal Data.

- Right not to be subject to automated decision-making (art. 22 GDPR): the right not to be subject to a decision based solely on automated processing.

These rights may be exercised by the Data Subject by contacting the Controller at the following email address: privacy@gewiss.com.

The Data Subject also has the right to lodge a complaint to the Italian Data Protection Authority.

11. Amendments to the Privacy Policy

Gewiss reserves the right to update or amend this Policy periodically and at any time. In this case, Gewiss will provide you with a clearly visible notice that, depending on the circumstances, may for example be displayed within the App or transmitted by email. You are therefore invited to read these notices carefully.