POLICY FOR THE PROCESSING OF CUSTOMER PERSONAL DATA WITH CONSENT

Henoto S.p.A. (hereinafter referred to as “HENOTO” for the sake of brevity), with its registered office in Bologna (BO), Via A. Maserati 18, enrolled in the Bologna Register of Companies under No. 555349, Tax Code and VAT No. 03275590283, in the person of its Managing Director Engineer Giovanni Giuliani P.E.C. address: henoto@pec.it (hereinafter, "Data Controller"), as Data Controller. It informs you that the data you provide will be processed in accordance with current regulations.

1. Purpose of the Processing

The Controller only processes common data and in particular personal identification data (e.g. name, surname, company name, tax code, VAT number, address, telephone number, e-mail address, bank and payment references – hereinafter, “Personal Data”) provided by you to the Controller or third parties (subject to the consent given to the third party for the transfer of the data) or from us obtained from Public Sources (public registers, lists, acts and documents available to anyone) for the purposes and by the persons referred to in Articles 2) and 4) below.

2. Objective for the processing

Your personal data will be processed for the following purposes: a) fulfilling of pre-contractual (sending estimates) and contractual obligations deriving from the existing relationship with the undersigned (fulfilment of the contract, access to the fair / site, issuing and signing of the delivery report, issuing of the invoice); b) compliance with the provisions of law and regulations (for example, tax returns to judicial authorities if requested, notices to be provided to public bodies for any authorization requests, correspondence with the fair organisers); c) to exercise the rights of the Data Controller, for example the right to legal defence; The provision of data for the aforementioned purposes is mandatory. The lack of data and / or any express refusal to process data will make it impossible for the Data Controller to fulfil the contract, without prejudice to the provisions of article 7 below. d) Subject to express consent, promotional communications, marketing activities and through automated and non-automated systems (telephone contact with operator) and profiling.

3. Methods of processing and storage

Your personal data is processed using the methods indicated in Article 4 of the Privacy Code and Article 4, No. 2) of the GDPR, and more precisely: collection, recording, storage, consultation, processing, extraction, use, blocking, communication, erasure and destruction of data. The personal data is processed both on paper and electronically. In any case, the logical and physical security of the data and, in general, the confidentiality of the Personal Data processed will be guaranteed, by implementing all the necessary technical and organizational measures adequate to guarantee their security.

4. Data access and processing.

4a) For the purposes referred to in Article 2 points a) to c) above, your data will be processed or simply made accessible for the purposes referred to above: by the personnel (employees and collaborators) of the Controller, who will act by virtue of a deed of appointment as appointees and under the liability of the Controller, by companies belonging to the Henoto (meaning companies controlled or affiliated by the Controller) by companies of the Bologna Fiere SpA Group and/or consultants and/or subcontractors of the Data Controller, as well as external companies that provide services, including IT services, to which the Data Controller entrusts the performance of certain services for the pursuit of the purposes set out in Article 2 above, who will act, where appropriate, as external data processors. 4b) For the purposes referred to in Article 2d) above, without prejudice to the express consent of the data subject, your data may be accessed or processed not only by the parties referred to in Article 4a) above, but also by third party companies (Interevent Srl, MagNews platform), based on service contracts and, where applicable, by virtue of their appointment as external data processors.

5. Transfer of Personal Data

Personal Data are stored on servers located at the Data Controller's premises and in the cloud and will be transferred to Henoto only for the purposes set out in Article 2 points a) to c) above and subject to the provisions of Article 7 below.

6. Personal Data retention period.

The Data Controller will process the Personal Data for the purposes referred to in Article 2 from a) to c) above, for the time necessary to fulfil the aforementioned purposes and in any case for no more than 10 years from the termination of the relationship for the purposes of protection under the statute of limitation. For processing subject to consent, Personal Data will be processed for the purposes set out in Article 2d) above for a maximum period of three years, unless the consent is revoked at any time by the Data Subject, to be specified in the manner indicated at the bottom of the relevant communication.

7. Recipients and categories of recipients.

In addition to the recipients referred to in Article 4 and to the subcontracting service providers and suppliers of goods, in the event that data transfer is necessary and essential for fulfilment of the contract. The Data Controller may communicate some of your personal data to third parties, provided that you have given your express consent. In the event of appointment concerning the supply of exhibition stands in territories other than Italian ones, the Data Controller may communicate some of your data to subjects residing abroad, exclusively for the purposes and if essential to the fulfilment of contractual obligations. The transfer of data is regulated, as required by law, by appointment of the third parties as Data Processor. The list of Data Processors is updated by the Data Controller and is available for consultation at the Data Controller's registered office.

8. Rights of the data subject.

In your capacity as a data subject you have the rights referred to in Article 7 of the Privacy Code and Articles from 15 to 21 GDPR including: •Right of access - To obtain confirmation of whether or not your personal data is being processed and, if so, to receive information regarding, among others: the purpose of the processing, the categories of personal data processed and the retention period, recipients to whom it may be communicated (Article 15 of the GDPR); •Right of rectification - To obtain, without undue delay, the correction of inaccurate personal data concerning you, as well as the integration of incomplete personal data (Article 16 of the GDPR); •Right to erasure - To obtain, without undue delay, the erasure of personal data concerning you, in the cases provided for by the GDPR (Article 17 of the GDPR); •Right to the restriction of processing - To obtain the restriction of processing, in the cases provided for by the GDPR (Article 18 of the GDPR); •Right to data portability - To receive the personal data concerning you in a structured format, in common use and readable by an automatic device, and to have the data transferred to another Data Controller without hindrance, in the cases provided for by the GDPR (Article 20 of the GDPR); •Right to object - To object to the processing of personal data concerning you, unless there are legitimate reasons for continuing the processing (Article 21 of the GDPR); •Right to file a complaint to the competent supervisory authority - To file a complaint to the Data Protection Authority Piazza di Montecitorio, 121, 00186, Rome (RM).

9. Procedures for exercising rights.

You may exercise your rights at any time by sending: - a written notice to privacy@henoto.com It should be noted that, the data controller will respond to the request within 30 days and, in the event of acceptance of the request, the Data Controller ensure that third parties responsible for processing employee data are duly notified. If the request is accepted, the Data Controller undertakes to delete it also from any archives, allowing remote verification by the user. If you intend to lodge a complaint regarding the methods of processing your data or regarding the response to your requests, you have the right to submit a request directly to the Supervisory Authority.