INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ART. 13 EU REGULATION 2016/679 (REGULATION)

This notice describes the methods and purposes of the collection, use, consultation and processing of personal data performed by Meta System S.p.A., and the rights guaranteed to the data subjects by the current privacy legislation.

DATA CONTROLLER

The Data Controller is Meta System S.p.A. (hereinafter also Data Controller or Meta System), with its registered office in Reggio Emilia, 42124, via Galimberti 5, e-mail Privacy@metasystem.it

The designated Data Protection Officer (hereinafter also DPO) may be reached at dpo@metasystem.it.

CATEGORIES OF PERSONAL DATA

Meta System, before the conclusion of the contract, during and for the purpose of the correct performance of the contractual relationship with its customer/supplier, may collect, access, use, and more generally process the following Personal Data:

• Information on the customer/supplier: by way of example, tax code, name and surname, place and date of birth;
• Contact details of customer/supplier: telephone number, mobile phone number, fax number, e-mail address, residential address, home/office address, first name/surname and contact of the customer’s or supplier's employees or contact persons;
• Identification details: identification numbers issued by government agencies (for example, tax code, VAT number);
• Financial information: account number and bank account details and other financial information.

PURPOSES OF THE PROCESSING AND LEGAL BASIS

The collection and processing of personal data is carried out for the following purposes:

1. To fulfill precontractual/contractual obligations. The processing of your personal data is performed in order to carry out the preliminary and consequent activities related to the management of the contractual relationship, as well as those instrumental and functional to its performance;
2. To comply with obligations required by law including accounting and tax obligations;
3. Purposes related to the good performance of company activities - in compliance with current regulations, company policies, the quality system - and the protection, also before court of law, of the assets and of the relevant rights and interests of Meta System;
4. To performing due diligence process to potential investors and, therefore, the communication of the necessary data - excluding sensitive data - to these subjects.

Legal bases of the processing are: the execution of pre-contractual or contractual measures (art. 6.1.b) of the Regulation) with regards to the purposes referred to in point a); compliance with legal obligations (art.6.1.c) of the Regulation) with regards to the purpose under point b); the pursuit of a legitimate interest (art.6.1.f) of the Regulation) of Meta System with regards to the purposes under points c) and d).

PROCESSING MEANS

The processing for the above-mentioned purposes is performed with both automated and non-automated, means, in compliance with obligations of confidentiality and security provided for by art. 32 of the Regulation, and other relevant and applicable rules and regulations.

LOCATION OF PROCESSING

The data are mainly processed at the registered office of Meta System in Via T. Galimberti 5, 42142 Reggio Emilia and at its other operating offices. The data are also processed, on behalf of the Data Controller, by professionals and/or companies in charge of carrying out technical, development, management and administrative/accounting activities, as well as activities related to the provision of the service; all these subjects are designated as data processors.

The data may be accessible to other companies belonging to the Meta System Group for the same purposes as above mentioned and/or for administrative-accounting purposes pursuant to art. 6.1.f) and Recitals 47 and 48 of the Regulation.

With regard to the possible transfer of data to third countries, the data controller informs that the processing will take place according to one of the means allowed by current law, such as for example the consent of the data subject, the conclusion of standard clauses approved by the European Commission, the selection of subjects adhering to international programs for the free circulation of data (e.g. EU-USA Privacy Shield), or towards countries considered safe by the European Commission. It is possible to request more information to the Data Controller at the contacts above indicated.

MANDATORY PROVISION OF PERSONAL DATA

The provision of data is mandatory for all that is required by legal and contractual obligations and therefore any refusal to provide them in whole or in part may not allow the Data Controller to execute the contract or to correctly carry out all the obligations related to its execution.

DATA RECIPIENTS

Personal data will not be disseminated and, where necessary for the pursuit of the aforementioned purposes, it may be communicated by Meta System to:

• subjects entitled to access the data by virtue of a provision of law, regulation or community legislation, or based on a provision of the Judicial Authority or other public Authorities within the limits set by applicable rules or regulations;
• subjects authorized to access data necessary for the performance of activities auxiliary to the contractual relationship (for example, but not limited to: credit institutions, post offices or other companies providing similar services, consultants and freelancers including lawyers and accountants).

In the perimeter of Meta System the data may only be processed by authorized and instructed employees and collaborators pursuant to art. 29 of the Regulation.

Meta System Spa may also engage data processors pursuant to art. 28 of the Regulation, such as external companies to which the management and maintenance of IT systems are entrusted; for activities functional to the activities of Meta System. It is possible to request more information to the Data Controller at the contacts above indicated.

DATA RETENTION

Personal data processed for the purposes above indicated may be kept for the time necessary to fulfil contractual obligations, to fulfil all legal obligations or according to the terms prescribed by law, regulation or community legislation. Once this deadline has elapsed, personal data shall be securely erased or anonymized unless further processing (for a limited period) is required for the following purposes: compliance with retention periods established by commercial and tax law. More information about the data retention period and the criteria used to determine such period may be requested in writing to the data controller at the email address provided.

DATA SUBJECT’S RIGHTS

The data subject has the right to ask the data controller, at any time, to access his or her personal data; to have them rectified or erased; to object to the processing; to remove the content that they provided online at the time he was a minor; the data subject has the right to request the restriction of the processing, as well as to withdraw the consent at any time; to receive the personal data concerning him or her, which he or she has provided, in a structured, commonly used and machine-readable format; to lodge a complaint with the competent supervisory authority, if he or she considers that the processing of his or her data is not in compliance with the applicable legislation.

The data subject has the right to object to the processing of his or her personal data, by attaching the reasons justifying the objection; the data controller has the right to evaluate the request, and deny the objection if it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.

To exercise the aforementioned rights, the requests must be addressed to the data controller in writing by e-mail to the above address.

PRIVACY POLICY ON VIDEO SURVEILLANCE IN ACCORDANCE WITH ART. 13 OF THE EUROPEAN REGULATION NO. 679/2016 (I.E. “GDPR”)

Meta System S.p.A. acting as Data Controller of personal data (hereinafter, “Data Controller”), in accordance with art. 13 of the EU Regulation No. 679/2016 (i.e. “GDPR”), hereby informs you that video surveillance systems are installed near the access areas of the company premises, in compliance with the provisions laid down by the GDPR, the general measures on video surveillance issued by the Italian Data Protection Authority and the Italian Law No. 300 of 20 May 1970 (“Workers’. Statute). This privacy policy is an integration of the privacy policies that are placed near the video cameras.

DATA CONTROLLER: META SYSTEM SPA Via Galimberti n.5, Reggio Emilia - e-mail: privacy@metasystem.it

DATA PROTECTION OFFICER (DPO): dpo@metasystem.it

VIDEO SURVEILLANCE SIGNS AND PERSONAL DATA PROCESSED

The Data Controller informs you that close circuit video surveillance systems are in function, properly indicated with specific signs before their coverage area, as provided for in the General Measure for Video Surveillance issued by the Italian Data Protection Authority on 8 April 2010 and in the FAQ of December 2020.

CATEGORIES OF DATA SUBJECTS

Customers or Users, Employees, Self-employed workers, Candidates, Consultants and Freelancers, Suppliers and Potential Suppliers, Third parties that pass through the coverage area of the cameras.

DATA PROCESSED

The video surveillance system collects data through the video cameras that are placed in the company buildings, both in Reggio Emilia and Mornago, in accordance with the purposes mentioned in the privacy notice; the recordings are stored within the terms set forth by the data protection and labour laws in force.

Video cameras monitor entry gates (when present), entry forecourts, accesses, passages and parking areas, including basement garages.

All video cameras are visible and identified by the relevant signs.

PURPOSES OF THE PROCESSING

Any personal data collected is processed in order to ensure the safety of people and the protection of the corporate assets and, in particular, to:

1. Prevent vandalism towards the company and people located outside the company premises (including basement garages);
2. Discourage possible acts of damage towards the company and people located outside the company premises;
3. Exercise the right of defence by the Company in judicial proceedings.

LEGAL BASIS FOR THE PROCESSING

The legal basis for the processing is the legitimate interest of the Data Controller.

PROVISION OF DATA AND BINDING NATURE OF THE PROCESSING

Accessing areas under video surveillance entails the collection, recording, storage and, in general, the use of the images of data subjects. The refusal to provide data means the impossibility for the Data Controller to permit the access to company premises that are under video surveillance.

PROCESSING METHODS

Personal data are processed through DVR (Digital Video Recorder), which is active 24 hours a day, in order to respect the purpose of ensuring the safety of people and the protection of the company assets and, in any event, to ensure the security and confidentiality of the data collected. All the supports are keept in protected areas that can only be accessed by properly authorised staff.

The processing of personal data is based on the principles of correctness, lawfulness, transparency and protection of the data subject’s privacy and rights. All data are processed according to the methods indicated in arts. 6, 32 of the GDPR and through the adoption of adequate safety measures.

DATA RETENTION PERIOD

The retention period for the images is of 72 hours from the moment in which they are taken, with the exception of requirements related to the stated purposes. After this period, the images will be completely erased once new images are overwritten. Exceptions are images that prove crimes. These will be kept for judicial purposes.

DATA PROVISION

Accessing areas under video surveillance also entails collecting, recording, storing and, in general, using the images of the data subjects, in accordance with the principle of data minimisation. The refusal to provide data involves the impossibility for the Data Controller to permit the access to company premises that are under video surveillance.

DATA RECIPIENTS

Images will not be communicated or disclosed to third parties. Data may be disclosed to entities acting as data controllers, such as surveillance and control bodies and any competent public bodies authorised to request data such as judicial and/or law enforcement authorities.

PERSONS AUTHORISED TO DATA PROCESSING

Live or recorded images may be processed on behalf of the Data Controller by the staff in charge of data processing ex art. 28 GDPR or appointed/authorised bodies ex art. 29 GDPR and art. 2 quaterdecies Legislative Decree 101/18, such as staff responsible for control and surveillance services, previously trained, and who is in charge of the maintenance of the video surveillance system.

DATA TRANSFER TO THIRD COUNTRIES

Personal data will not be disclosed to third Countries.

DATA SUBJECT’S RIGHTS

Data subjects may contact the Data Controller by sending an e-mail to the addresses above to:

1. ask to access his/her personal data, whether possible;
2. object to the processing;
3. request the restriction of processing and/or erasure, where applicable.

Data subjects may file a complaint with the competent supervisory Authority. The rights to updating or integrating, as well as the right to rectification are not exercisable given the nature of the data processed (collection of real-time images). The right to data portability is not exercisable since the processing is carried out in compliance with a legitimate interest of the data controller. The data subject may ask to see the images in which he/she believes he/she was filmed, by showing eligible identity documents to the request. The response to a request for access cannot include any data referring to third parties, unless the extraction of the processed data or the deletion of certain elements makes the personal data relating to the data subject incomprehensible. After the expiry of the retention period set forth above, it will be impossible to satisfy the request to access the data.