PRIVACY

INFORMATION NOTICE CONCERNING THE PROCESSING OF PERSONAL DATA

FRANPLAST S.P.A., in its capacity as Data Controller, hereby informs you, as required by Articles 13-14 of EU Regulation 2016/679 (hereinafter «GDPR»), that your personal data will be processed according to the methods and for the purposes indicated below.

Definitions

• Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
• The Data Controller determines the purposes and means of the processing of personal data.
• Personal Data means «any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person» (Art. 4 GDPR).

Purposes of Processing, Legal Basis, and Source of Data
The Data Controller processes personal data communicated to the same within the scope of its business activities as described in the Register of Companies (R.I.). The company is primarily engaged in the production and processing of resins, plastics, elastomers, and rubbers, as well as their sale and marketing, including through import-export, agents, and concessions.
The data are processed for the conclusion of contracts (written or oral) or for the performance of agreed terms. The data provided, by way of example, by the client (including potential clients), may concern the legal representatives (or other operators) of the client company itself or of the Data Controller, potential clients, suppliers, consultants, and commercial partners. The updating, verification, and use of personal data relating to members of a company may also result from access to public registers in which the company is registered (e.g., Register of Companies – Official Archive of the Chamber of Commerce).

Personal data are processed to:

• Carry out the agreed activity (e.g., provision of the activity agreed with the data subject); the legal basis is contractual and pre-contractual pursuant to Art. 6,1.b GDPR;
• Pursue a legitimate interest of the Data Controller: within the limits of what can be reasonably expected, the Data Controller has the right to effectively carry out its activities, such as performing direct marketing, sending communications, responding to requests, or taking legal action or defending itself in court. Personal data may be legitimately and freely communicated to the Data Controller without having been requested. In such cases, the data are received within the scope of general business activities and processed for legitimate interest pursuant to Art. 6,1.f GDPR;
• Data freely sent by the data subject are lawfully processed based on the consent of the data subject pursuant to Art. 6,1.a GDPR;
• Comply with a legal obligation, for example, tax compliance (legal basis pursuant to Art. 6,1.c GDPR).

What Data are Processed
For the purposes indicated in this notice, the Data Controller processes common (so-called ordinary) personal data such as identification, contact, and payment data, qualifications, activities performed, and roles assigned/held (e.g., name, surname, tax code, address, telephone number, e-mail and other contact details, organization of belonging, IBAN, job title, CV, activities).

Categories of Recipients
Without prejudice to communications carried out in compliance with legal and contractual obligations, all data collected and processed may be communicated exclusively for the purposes specified above to external companies or professional firms providing assistance for the fulfillment of legal obligations and the exercise of rights arising from the business activity (e.g., accountants, lawyers, labor/safety/quality consultants), credit institutions, public administrations, and authorities for the performance of institutional functions within the limits established by law or regulations (e.g., Revenue Agency, Local Authorities). Recipients of the data also include IT companies or operators providing IT services or assistance (e.g., cloud storage services, hosting services, data traffic managers, managers of services offered on the website), and subjects in charge of communication (e.g., LinkedIn management).
To pursue the purposes described above, personal data are known by subjects operating as persons authorized by the Data Controller to process personal data; these subjects assist or work for the Data Controller to enable the efficient performance of its activities (e.g., sole director, collaborators, employees or assimilated personnel, corporate bodies). In some cases, the subjects belonging to the categories listed above operate as independent data controllers. Further details can be obtained by contacting the Data Controller.

Period of Retention of Your Personal Data
Personal data will be processed by the Data Controller for the time necessary for the establishment and management of the existing relationship. Data subject to statutory retention obligations or potentially necessary for the protection of rights arising from the relationship will be stored in accordance with the relevant regulations; such retention period generally corresponds to 10 years from the date of last use.

Methods of Processing
The processing of personal data will take place using tools suitable for guaranteeing security and confidentiality in accordance with the provisions of Art. 32 GDPR.

Data Transfer
Any transfer of personal data outside the EU is governed by specific contracts intended to require the recipient to comply with the adequate safeguards provided by current privacy legislation, or to subjects who benefit from an adequacy decision (Art. 44 et seq. GDPR); a copy of the appropriate safeguards can be requested by contacting the Data Controller and obtained if the stated intention to transfer has been materialized.

Consequences of Failure to Provide Data
Failure to provide the data required for contractual and pre-contractual purposes will make it impossible for the Data Controller to fulfill the requests and its legal obligations. No consequences are foreseen for the failure to provide data for the legitimate interest purposes described above.

Rights of the Data Subject
As a Data Subject, you are granted all the rights provided for by personal data protection legislation. With particular reference to Articles 15 to 21 of the GDPR, the following rights are highlighted:

• Right of access (Art. 15 GDPR): the right to obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to your personal data, including a copy thereof;
• Right to rectification (Art. 16 GDPR): the right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or the completion of incomplete personal data;
• Right to erasure (Right to be forgotten) (Art. 17 GDPR): the right to obtain, without undue delay, the erasure of personal data as provided for by the terms indicated in EU Regulation 2016/679;
• Right to restriction of processing (Art. 18 GDPR): this allows for the restriction of processing when: a) the Data Subject contests the accuracy of the personal data; b) the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead; c) although the Data Controller no longer needs them for the purposes of processing, the personal data are required by the Data Subject for the establishment, exercise, or defense of legal claims; d) the Data Subject has objected to processing, as indicated below, pending verification whether the legitimate grounds of the Data Controller override those of the Data Subject;
• Right to data portability (Art. 20 GDPR): the right to receive the personal data concerning you, which you provided to the Data Controller, in a structured, commonly used, and machine-readable format and the right to transmit those data to another controller without hindrance, where the processing is based on consent and is carried out by automated means. Furthermore, the right to have your personal data transmitted directly from one controller to another, where technically feasible;
• Right to object (Art. 21 GDPR): the right to object, at any time, to the processing of personal data concerning you based on the lawful condition of legitimate interest, including profiling, unless there are legitimate grounds for the Data Controller to continue the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of legal claims. It is specified that the Controller does not carry out profiling or direct marketing activities aimed at natural persons;
• Withdrawal of consent: the right to withdraw previously given consent without affecting the lawfulness of processing based on consent before its withdrawal; processing may continue only if another suitable legal basis exists;
• Right to lodge a complaint with the Data Protection Authority. For more information, you can consult the website of the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali): www.gpdp.it.

Primary Method for Exercising Rights
You may exercise your rights at any time through the contact channels provided. To ensure receipt of the request, we recommend sending a registered letter with return receipt to FRANPLAST S.P.A. at its registered office in Via Per Monterotondo 5, CAP 25050, Provaglio d’Iseo (BS) or a PEC (certified e-mail) to pec@pec.franplast.it.

Data Controller and Additional Contact Details
The Data Controller is FRANPLAST S.P.A., with registered office in Via Per Monterotondo 5, CAP 25050, Provaglio d’Iseo (BS), tel +39 030 9823606, email: privacy@franplast.it, VAT number, Tax Code and Registration No. in the Register of Companies: 00291200178, REA Number: BS – 155423.

GENERAL INFORMATION NOTICE – NATURAL PERSONS
Rev.00 of 02/26