Last update
February 5, 2023
Privacy Policy
EXTENDED INFORMATION PURSUANT TO ARTICLES 12, 13 AND, IF NECESSARY, 14 OF GDPR – REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS REGARDING THE PROCESSING OF PERSONAL DATA (HEREINAFTER THE GDPR)
The data controller provides below the Information pursuant to Articles 12, 13 and, if necessary, 14 of the GDPR related to the processing of personal data provided by the Client/data subject through the completion and signing of the Contract to purchase the goods/services offered for sale by the data controller itself, voluntarily uploading personal data to this website (the "Site") (in particular through the completion of forms) or simply navigating it.
1. Data controller and contact details
Data controller: WASISCO S.r.l. (C.F. and VAT 07210700485, with office at Via Modigliani, 73).
2. Principles applicable to processing.
In accordance with the provisions of the GDPR, the data controller constantly strives to ensure that personal data are: processed lawfully, fairly and transparently; collected for specified, legitimate, and determined purposes, and subsequently processed in a manner that is not incompatible with those purposes; relevant, appropriate, and limited to what is necessary for the purposes for which they are processed; accurate and, if necessary, kept up to date; retained for no longer than necessary for the purposes for which they are processed; processed, using appropriate technical and organizational measures, in a manner that ensures security; processed, when based on consent, upon freely given decision by the Client/data subject, based on a request presented in a way clearly distinguishable from the rest, in an understandable and easily accessible form, using simple and clear language.
The data controller adopts appropriate technical and organizational measures to ensure the protection of personal data from the design stage and to ensure that only the data necessary for each specific purpose of processing are processed by default.
The data controller collects and gives due consideration to feedback, observations, and comments from the Client/data subject sent to the contact details mentioned above, in order to implement a dynamic privacy management system that ensures effective protection of individuals regarding the processing of their data. This Information may be modified, in accordance with the evolution of the relevant legislation and the technical and organizational measures adopted from time to time by the data controller; the Client/data subject is therefore invited to periodically visit this section of the Site to review updates and the Information in the text in effect from time to time.
3. Methods of processing personal data.
The processing of personal data is carried out manually and using electronic tools, with logic strictly related to the purposes indicated below and, in any case, in a way that ensures the security and confidentiality of the data itself.
4. Purposes of processing personal data.
(4a) Purposes for which data processing is necessary.
The personal data provided by the Client/data subject are mainly processed for the execution of the Contract and for credit management and, more generally, for the relationship arising from the Contract itself. The provision of data in the Contract or later, during the contractual relationship, for the aforementioned processing purposes is mandatory; therefore, failure to provide such data, or providing them partially or inaccurately, makes it impossible to conclude and/or execute the Contract and, for the Client/data subject, to use the products/services offered by the data controller, potentially exposing the Client/data subject to liabilities for breach of contract.
The personal data provided by the Client/data subject may also be processed if necessary to fulfill a legal obligation to which the data controller is subject, to safeguard the vital interests of the Client/data subject or another individual, for the performance of a task carried out in the public interest or in the exercise of public authority vested in the data controller, or for the pursuit of the legitimate interest of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the Client/data subject do not override them; in these cases, the provision of data is mandatory, and therefore, the failure to communicate these data may expose the Client/data subject to potential liabilities and sanctions provided for by the Legal System.
(4b) Further purposes of processing following specific and explicit consent from the Client/data subject.
In addition to the processing purposes mentioned above, the personal data provided/acquired may be processed, with the consent of the Client/data subject, given by selecting the "Give consent" box in the Contract or by using other social applications or web services of the data controller, also for conducting market surveys and for making commercial and promotional communications via telephone (including using the provided cell phone number) and automated contact systems (email, sms, mms, fax, etc.), on products/services of the data controller or companies of the Group to which the data controller may belong. Consent for the processing purposes referred to in this point (4b) is optional; therefore, following a possible refusal, the data will be processed only for the purposes indicated in the previous point (4a), except as specified below with reference to the legitimate interests of the data controller or third parties.
5. Categories of personal data processed.
The data controller mainly processes identifying/contact data (name, surname, addresses, type and number of identification documents, phone numbers, email addresses, tax/billing nature, except for other data) and, if commercial transactions are provided, financial data (of a banking nature, particularly identifiers of current accounts, credit card numbers, except for others connected to the aforesaid commercial transactions). The processing carried out by the data controller, whether for the execution of the Contract or based on the explicit consent of the Client/data subject, generally does not concern special categories of personal data, known as sensitive (those revealing racial or ethnic origin, political opinions, religious beliefs, health status or sexual orientation, etc.), nor genetic and biometric data or so-called judicial data (related to criminal convictions and offenses). However, it cannot be ruled out that the data controller, in order to fulfill obligations arising from the Contract, may need to retain and/or process sensitive, genetic and biometric data or judicial data of the Client/data subject or of third parties, for which the Client/data subject is the data controller; in this case, the processing by the data controller is conducted under the terms, conditions and limits on which the appointment of the data controller as data processor by the Client/data subject is made.
The data controller also processes, as data controller regarding the Site and, potentially, as data processor appointed for this purpose (under the aforementioned terms) by the Client/data subject, so-called navigation data. The information systems and software procedures used to operate the websites acquire, during their normal operation, some personal data, whose transmission is implicit in the use of internet communication protocols.
This is information that is not collected to be associated with identified individuals, but which, by its nature, could allow the identification of the data subject. This category of information includes geolocation data, IP addresses, browser type, operating system, domain names, and addresses of websites from which access or exit was made, information on the pages visited by users within the Site, access time, time spent on each page, internal path analysis, and other parameters related to the user's operating system and computing environment. This is, therefore, information that, by its nature, allows users to be identified through processing and association, including with data held by third parties. Cookies may also be used on the Site, both session cookies (which are not stored on the data subject's computer and disappear when the browser is closed) and persistent cookies, for transmitting personal information, or systems for tracking the data subjects.
6. Source of personal data.
The personal data that the data controller processes are collected directly by the data controller from the Client/data subject at the time of, and during, the latter's navigation of the Site (or use of other social applications or web services of the data controller), or, also through its salespeople, on the occasion of, or after, signing the Contract, during its execution, or from public sources. As mentioned above, the data controller, as data processor appointed for this purpose, in order to fulfill obligations arising from the Contract, may retain and/or process data, particularly navigation data, potentially including sensitive, genetic and biometric data or judicial data of third parties, which the Client/data subject holds as data controller, acquired, with the prior consent of said third parties, at the time of, and during, the navigation of said third parties on the Site (or their use of other social applications or web services attributable to the data controller).
7. Legitimate interests.
The legitimate interests of the data controller or third parties may constitute a valid legal basis for processing, provided that they do not override the interests or fundamental rights and freedoms of the data subject. Generally, there may be such legitimate interests when there is a relevant and appropriate relationship between the data controller and the data subject, for example, when the data subject is a customer of the data controller. In particular, it is a legitimate interest of the data controller to process the personal data of the Client/data subject: for fraud prevention purposes, for direct marketing purposes, to ensure the free flow of such data within the business group to which the data controller may belong, or related to traffic, in order to ensure the security of networks and information, meaning the ability of a network or a system to withstand unforeseen events or illegal acts that could compromise the availability, authenticity, integrity, and confidentiality of data.
8. Circulation of personal data.
(8a) Communication of personal data – categories of recipients.
In addition to the employees and collaborators of the data controller (who are authorized by the data controller to process under appropriate written operational instructions, in order to ensure the confidentiality and security of the data), some processing operations may also be performed by third parties, to whom the data controller entrusts certain activities, or part of them, functional to the purposes referred to in point (4a), and thus in execution of both contractual and legal obligations, including, by way of non-exhaustive example, commercial and/or technical partners; companies providing banking and financial services; companies providing document storage services; debt collection agencies; auditing and financial statement certification firms; rating companies; entities providing, on behalf of the data controller, assistance and professional consulting services; companies offering customer care services; factoring companies, credit securitization companies or other assignees of credits; companies of the Group to which the data controller may belong; entities providing commercial information; IT service companies. The subjects belonging to the aforementioned categories process the personal data in their capacity as autonomous data controllers, or as data processors, regarding specific processing operations that fall within the contractual performance that those subjects execute on behalf/in the interest of the data controller; to the data processors, the data controller provides appropriate written operational instructions, particularly with respect to adopting minimum security measures, in order to ensure the confidentiality and security of the data.
Some processing operations may be performed by third parties to whom the data controller entrusts certain activities, or part of them, also functionally to the purposes to which point (4b) refers, which include, by way of non-exhaustive example, commercial and/or technical partners; companies that institutionally provide marketing services; advertising agencies; subjects providing assistance and consulting activities regarding competitions and prize operations. The subjects belonging to the aforementioned categories process personal data either as autonomous data controllers or as data processors, concerning specific data processing operations that fall within the contractual performances that those subjects execute for/on behalf of the data controller; to the data processors, the data controller provides appropriate written operational instructions, particularly with respect to adopting minimum security measures, in order to ensure the confidentiality and security of the data.
An up-to-date list of the data processors with whom the data controller maintains relations is available upon written request to be sent to the headquarters of the data controller. Personal data may also be communicated, upon request, to the competent authorities, in compliance with obligations arising from mandatory legal provisions.
(8b) Transfer of personal data to third countries.
The personal data of the Client/data subject may also be transferred abroad, both to countries of the European Union and to countries outside the European Union and, in the latter case, on the basis of an adequacy decision, or with the adequate safeguards provided by the GDPR (therefore, in particular, in the presence of model contractual clauses for the protection of data approved by the European Commission), or, outside the above-mentioned hypotheses, upon one or more of the derogations provided by the GDPR (in particular, based on the explicit consent of the Client/data subject, or for the execution of the Contract concluded by the Client/data subject, or for the execution of a contract concluded between the data controller and another natural or legal person in favor of the Client/data subject, namely for the execution of activities assigned to it by the same data controller for the execution of the Contract concluded with the Client/data subject). In the case of data transfers to countries outside the European Union, the Client/data subject may, upon written request sent to the headquarters of the data controller, learn of the adequate safeguards, or the derogations, that legitimize cross-border processing. It is understood that, in the case of data transfer to countries outside the European Union, for any request concerning data, including for the exercise of the rights recognized by the GDPR to the Client/data subject, the latter may always validly contact the data controller.
9. Criteria for determining the period of retention of personal data.
For the purposes referred to in point (4a) above, the period of retention of personal data provided by the Client/data subject and the consequent potential processing thereof corresponds to the period of limitation of rights/duties (legal, tax, etc.) arising from the Contract: typically, therefore, 10 years, unless events interrupting the limitation period occur that could effectively extend it. For the purposes referred to in point (4b) above, the period of retention of the data released by the Client/data subject, and the consequent potential processing thereof, ends with the revocation of the consent previously granted by the Client/data subject itself, or, in the absence of such revocation, in any case one year after the cessation of any relationship between the data controller and the Client/data subject.
10. Rights of the Client/data subject.
The data controller recognizes – and facilitates the exercise by the Client/data subject of – all rights provided for by the GDPR, in particular the right to request access to one's personal data and to obtain copies (art. 15 GDPR), to the rectification (art. 16 GDPR) and deletion of the same (art. 17 GDPR), to restriction of processing concerning him/her (art. 18 GDPR), to data portability (art. 20 GDPR, where the requirements are met), and to object to processing concerning him/her (arts. 21 and 22 GDPR, for the cases mentioned therein and, in particular, to the processing for marketing purposes or that results in automated decision-making, including profiling that produces legal effects concerning her/him, where the requirements are met). The data controller also recognizes the right of the Client/data subject, if processing is based on consent, to revoke that consent at any time, without affecting the lawfulness of the processing based on the consent given before the revocation. To do so, the Client/data subject can unsubscribe at any time on the Site (or on other social applications or web services of the data controller) or by using the dedicated link present at the bottom of each commercial communication received, or by contacting the data controller at the contact details mentioned above.
The data controller also informs the Client/data subject of the right to lodge a complaint with the Personal Data Protection Authority, as the supervisory authority operating in Italy, and to bring a legal action, both against a decision of the Authority and against the data controller itself and/or a data processor.
11. Security of systems and personal data.
Taking into account the state of the art and the costs of implementation, as well as the nature, object, context, and purposes of processing, as well as the risk, in terms of likelihood and severity, to the rights and freedoms of natural persons, the data controller adopts technical and organizational measures deemed appropriate to guarantee a level of security adequate to the risk, particularly ensuring, on a permanent basis, the confidentiality, integrity, availability, and resilience of the processing systems and services (also through the encryption of personal data, where necessary) and the ability to promptly restore the availability of data in case of physical or technical incident, and adopting internal procedures aimed at testing, verifying, and regularly evaluating the adequacy of the technical and organizational measures employed. In evaluating the appropriate level of security, account is taken of the risks presented by processing that arise, in particular, from destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful. The data controller endeavors to ensure that anyone who acts under its authority and has access to personal data does not process such data unless instructed to do so by the same data controller.
That said, the Client/data subject acknowledges and accepts that no security system guarantees, in terms of certainty, absolute protection; therefore, the data controller does not bear responsibility for acts or facts of third parties who, despite adequate precautions taken, should access the systems without due authorization.
12. Automated decision-making processes, including profiling.
The data controller may perform automated processing, including profiling, in relation to the purposes referred to in point (4b) above, to optimize the navigability of the Site (or user experience of other social applications or web services of the data controller) and to improve the purchasing experience, unless otherwise specified with regard to the rights of opposition and revocation of consent by the Client/data subject. Profiling refers to any form of automated processing of personal data aimed at evaluating certain aspects concerning a natural person, in particular to analyze or predict aspects related, for example, to personal preferences, interests, or location of that person, including for the purpose of creating profiles or homogeneous groups of subjects by characteristics, interests, or behaviors. The data controller does not carry out any automated processing that produces legal effects concerning the Client/data subject or that significantly affects her/him, unless this is necessary for the conclusion or execution of the Contract, is authorized by law, or is based on the explicit consent of the Client/data subject, in any case always recognizing to the latter the right to obtain human intervention, to express his/her opinion, and to contest the decision.
arising from the Contract: therefore typically 10 years, unless events interrupting the limitation period occur that could effectively extend it. For the purposes referred to in point (4b) above, the period of retention of the data released by the Client/data subject, and the consequent potential processing thereof, ends with the revocation of the consent previously granted by the Client/data subject itself, or, in the absence of such, in any case one year after the cessation of any relationship between the data controller and the Client/data subject. 10. Rights of the Client/data subject. The data controller recognizes – and facilitates the exercise by the Client/data subject of – all rights provided for by the GDPR, in particular the right to request access to one's personal data and to extract copies (art. 15 GDPR), to the rectification (art. 16 GDPR) and deletion of the same (art. 17 GDPR), to restriction of processing concerning him/her (art. 18 GDPR), to data portability (art. 20 GDPR, where the requirements are met), and to object to processing concerning him/her (arts. 21 and 22 GDPR, for the cases mentioned therein and, in particular, to the processing for marketing purposes or that results in automated decision-making, including profiling that produces legal effects concerning her/him, where the requirements are met). If processing is based on consent, the data controller also recognizes the right of the Client/data subject to revoke that consent at any time, without affecting the lawfulness of the processing based on the consent given before the revocation. To do so, the Client/data subject can unsubscribe at any time on the Site (or on other social applications or web services of the data controller) or by using the dedicated link present at the bottom of each commercial communication received, or by contacting the data controller at the contact details mentioned above. 
The data controller also informs the Client/data subject of the right to lodge a complaint with the Personal Data Protection Authority, as the supervisory authority operating in Italy, and to bring a legal action, both against a decision of the Authority and against the data controller itself and/or a data processor. 11. Security of systems and personal data. Taking into account the state of the art and the costs of implementation, as well as the nature, object, context, and purposes of processing, as well as the risk, in terms of likelihood and severity, to the rights and freedoms of natural persons, the data controller adopts technical and organizational measures deemed appropriate to guarantee a level of security adequate to the risk, particularly ensuring, on a permanent basis, the confidentiality, integrity, availability, and resilience of the processing systems and services (also through the encryption of personal data, where necessary) and the ability to promptly restore the availability of data in case of physical or technical incident, and adopting internal procedures aimed at testing, verifying, and regularly evaluating the adequacy of the technical and organizational measures employed. In evaluating the appropriate level of security, account is taken of the risks presented by processing that arise, in particular, from the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. The data controller endeavors to ensure that anyone who acts under its authority and has access to personal data does not process such data unless instructed to do so by the same data controller. 
That said, the Client/data subject acknowledges and accepts that no security system guarantees, in terms of certainty, absolute protection; therefore, the data controller does not bear responsibility for acts or facts of third parties who, despite adequate precautions taken, should access the systems without due authorization. 12. Automated decision-making processes, including profiling. The data controller may perform automated processing, including profiling, in relation to the purposes referred to in point (4b) above, to optimize the navigability of the Site (or user experience of other social applications or web services of the data controller) and to improve the purchasing experience, unless otherwise specified with regard to the rights of opposition and revocation of consent by the Client/data subject. Profiling refers to any form of automated processing of personal data aimed at evaluating certain aspects concerning a natural person, in particular to analyze or predict aspects related, for example, to personal preferences, interests, or location of that person, including for the purpose of creating profiles or homogeneous groups of subjects by characteristics, interests, or behaviors. The data controller does not carry out any automated processing that produces legal effects concerning the Client/data subject or that significantly affects her/him, unless this is necessary for the conclusion or execution of the Contract, is authorized by law, or is based on the explicit consent of the Client/data subject, in any case always recognizing to the latter the right to obtain human intervention, to express his/her opinion, and to contest the decision.

We Transform Brands.
The next one could be Yours.
Start your project by booking a consultation


