Privacy Notice – Whistleblowing

PRIVACY NOTICE FOR THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLE 13 OF THE REGULATION (EU) 2016/679 (GDPR)

We inform you that the data you provide to us will be processed exclusively for the purpose of managing the reporting system provided for in accordance with Legislative Decree no. 24/2023. These data will be processed in compliance with applicable legislation, including Regulation (EU) 2016/679 “General Data Protection Regulation” (“GDPR”), Legislative Decree no. 196/2003 (“Italian Privacy Code”) and Legislative Decree no. 51/2018, as well as additional applicable provisions regarding the protection of personal data.

1. Contact details of the Data Controller and the Data Protection Officer

The data controller is Studio Legale PedersoliGattai (hereinafter also the “Data Controller” or the “Firm”) with headquarters in via Principe Amedeo, 5, 20121 — Milan. You can contact the Data Controller by email at info@pglex.it, or by regular mail at the address indicated above.

The Firm has appointed a Data Protection Officer (the “DPO”), who can be contacted at the e-mail address: pedersoligattai.dpo@avvera.it.

2. Purpose and legal basis of the processing

In order to be able to correctly manage the reporting process (so-called whistleblowing), implemented by the Firm, in accordance with Legislative Decree no. 24/2023, the Data Controller may process the personal data you spontaneously provide – including any special categories of personal data and/or data relating to criminal convictions and crimes – for the sole purpose of managing the reporting of illegal conduct in accordance with the provisions of sector legislation. Furthermore, if, following the verifications resulting from the report, the illegal conduct is founded, the personal data collected through the whistleblowing system may also be processed for the defense of a right in court by the Data Controller.

In particular, due to the methods of sending the report provided by the Firm (anonymous or non-anonymous) and the content of the report itself, the Data Controller may process the following categories of personal data:

  a. so-called common data (e.g., name, surname, contact data, etc.) relating to you (unless you use anonymous reporting) and the people indicated in the report;
  b. any other information, qualifiable as personal data, that you (so-called whistleblower) should decide to share with the Data Controller to better substantiate your report (such data could also include special categories of personal data or data relating to criminal convictions and crimes).

The processing of your personal data, including those of the subjects that may be indicated in your report, is lawful pursuant to articles 6(1)(c), 9(2)(b) and 10 of the GDPR (Legislative Decree no. 24/2023 and Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019).

If the personal data collected as part of the report are processed to ascertain, exercise, or defend a right in court, the processing is lawful pursuant to articles 6(1)(f), 9(2)(f) of the GDPR and 2-octies, paragraph 3, of the Italian Privacy Code.

Furthermore, should you request an in-person interview (in-person meeting), according to the procedure adopted by the Firm, for reporting purposes, it will be necessary to obtain your prior consent in order to record the interview itself on a device, according to Article 14 of Legislative Decree no. 24/2023. In this case, the Firm will collect your consent in the manner provided for by the GDPR.

All personal data that you must provide through the report and any other personal information provided pending the report (i.e. when the management and verification process has not yet been completed), will be included as part of the processing activities carried out by the Data Controller.

In any case, if you provide personal data that is not relevant to the management of the report, the Firm will not process such data and will delete them immediately.

3. Methods of processing

The processing of personal data is carried out for the above purposes, according to Article 5 of the GDPR, both on paper and on computer media, as well as by means of electronic tools.

The processing is carried out by the Firm, through subjects within the Data Controller’s organization specifically authorized and instructed to carry out the processing activities described in this notice (e.g. an alternative function in case of conflict of interest, as provided for in the appropriate procedure adopted by the Firm in the field of whistleblowing), as well as by subjects outside the Firm who, on behalf of the Firm, perform services of various kinds as better specified in the following paragraph 6.

Your personal data will not be transferred outside the European Union and/or the European Economic Area (“EEA”).

4. Nature of the provision of data and consequences of the refusal

The provision of the personal data referred to in this statement is necessary for the correct management of the report you submit and to comply with the legal obligations that derive from it. Failure to communicate personal data may make it impossible to take charge of the report and manage the process implemented by the Firm in the field of whistleblowing, as well as to fulfill, in whole or in part, the legal obligations that derive from it.

The possibility of making the report anonymously (that is, without your identity being known) remains unaffected. In this case, any refusal to provide your data will have no consequences, without prejudice to the provisions of the procedure adopted by the Firm in the field of whistleblowing.

5. Criteria used to determine the retention periods of personal data

Your data will be kept for the time necessary to manage the report and in any case no longer than five (5) years starting from the date of communication of the outcome of the reporting procedure, without prejudice to longer storage times determined by requests and/or orders from the Authorities or by the defense of the Firm’s rights in court.

Once these terms have expired, your data will be deleted or removed from the Data Controller’s systems.

If the facts described in the report are not relevant under the applicable legislation, the personal data collected will be deleted immediately after ascertaining the non-relevance of the report itself.

6. Recipients of personal data

As part of the purposes indicated in point 2 of this privacy notice, your personal data may be communicated to the following categories of recipients:

– data processors, pursuant to Article 28 of the GDPR, appointed from time to time (e.g., provider of the platform used for reporting);

– Management body and committees of the Firm;

– companies and professionals that the Data Controller uses to protect its rights (e.g., lawyers, private investigators, technical consultants, etc.);

– judges and courts, on the basis of any request or as part of a trial;

– public authorities authorized by law, in case of verifications, investigations and/or inspections.

The complete list of these subjects or categories of subjects is available at the headquarters of the Data Controller. In any case, your personal data will not be disseminated.

7. Rights of the data subjects

Within the limits provided under Article 2-undecies of the Italian Privacy Code, you have the right to exercise at any time the rights recognized by articles 15 to 22 and 77 of the GDPR, as briefly summarized below:

Right of access: you can request information about the processing we carry out on your data, or confirmation that the Data Controller processes your personal data. In this case, you can ask us to provide a copy of your data and to verify what data we have.

Right to rectification: you have the right to ask us to rectify your personal data if they are not correct, including the right to request the integration of incomplete personal data.

Right to erasure: you have the right to ask us to delete the data (or part of it) that you have provided to us, including those that do not need to be kept in relation to the purposes for which the data were collected or otherwise processed.

Right to restriction of processing: you can ask us to limit the processing of your personal data if the legal hypotheses are met.

Right to object: you can object to the processing of your personal data, without prejudice to the existence of an overriding legitimate reason for the continuation of such processing.

Right to portability: you can obtain from the Firm, in a structured, commonly used and machine-readable format, the personal data you have communicated to us, in order to transmit them to another subject. This right is applicable if the Firm processes such data through automated tools, on the basis of consent or for the purpose of providing services.

Revocation of consent: if the processing is based on consent, you can revoke it at any time, without prejudice to the lawfulness of the processing carried out before said revocation.

Right not to be subjected to automated decision-making: you can request not to be subjected to processing based solely on an automated decision-making process, including profiling, that produces legal effects that concern you or that has a similarly significant impact on you. This right cannot be exercised if: i) the processing is necessary for the conclusion of a contract between you and the Data Controller; ii) the processing is authorized by law; iii) the processing is based on your consent.

Right to lodge a complaint with the Supervisory Authority: without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent Supervisory Authority (Italian Data Protection Authority) if you believe that the processing carried out violates current legislation on the protection of personal data.

Without prejudice to the methods provided by the Italian Data Protection Authority for lodging a possible complaint, for all other rights you may send a request to the Data Controller or to the DPO through the contact details indicated in paragraph 1 of this notice.