Dear Customer/Supplier,

In accordance with Art. 13 of EU Regulation 679/2016 (hereinafter the “GDPR”), we would hereby inform you that the data you supply will be processed using methods and procedures able to guarantee that such personal data processing takes place in compliance with rights and fundamental freedoms and assures the dignity of the data subject, with specific reference to confidentiality, personal identity and the right to the protection of personal data.

We would remind you that the term “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 GDPR).

1. Object of processing and legal basis

The data is processed by MARGHERITI PIANTE DI MARGHERITI ENZO E DAVID S.S. SOC.AGR, in accordance with Art. 6 GDPR to fulfil contractual obligations and/or execute pre-contractual measures and refers to:

- Personal and identifying data, such as, for example, business name, VAT no., addresses, contact details;

- Data necessary for invoicing and payments, such as

IBAN;

- Contact details of reference persons interacting

with MARGHERITI PIANTE S.S.;

- Data relating to customer solvency;

2. Origin of data

The data is collected from the data subject, through the filling in of paper forms. It may also be collected at a later time through request forms on websites, telematic instruments and/or corporate applications;

3. Purposes of the processing

The personal data and any changes you may notify MARGHERITI PIANTE SS. of in the future is collected and processed for the following, exclusive purposes:

- WITHOUT EXPRESS CONSENT for purposes connected with the execution of the contract, based on the legal obligation to which the Data Controller is subject (to fulfil obligations deriving from the contract)

A) Fulfilment of pre-contractual, contractual and tax obligations deriving from the relationship in place;

B) Fulfilment of obligations deriving from the Law, Regulations, European Community rules or an Authority order;

C) Fulfilment of any requirements envisaged by Italian Legislative Decree no. 81/08 regarding health and safety at work;

D) Management of correspondence and communication;

E) Exercise of the controller's rights;

4. Processing methods

Processing is carried out by means of the operations specified by Art. 4 GDPR:

- collection of data from the data subject, by means of the compilation of paper forms using telematic instruments and/or corporate applications;

- recording and processing on computer storage devices and paper;

- organisation of archives in a prevalently automated manner, through corporate applications and computerised databases;

Data will be processed using tools able to guarantee its confidentiality, integrity and availability. Processing is carried out on paper and thereafter may take place by means of computer and/or automated systems and shall include all operations or sets of operations envisaged by Art. 4 of the GDPR and as necessary to the processing in question, including communication in regard to the subjects appointed to perform such processing.

5. Data retention time

The controller will retain the personal data for the time necessary to fulfil the above purposes and in any case for no more than 10 years from termination of contract. Once this deadline has passed, the data will be destroyed or made anonymous.

6. Access to processing

The data will be made accessible, for the purposes pursuant to point 3:

- to employees/collaborators in their capacity as authorised data processors, following suitable appointment;

- to third parties performing activities outsourced to them by the controller (by way of example: Banks for the economic treatment of customers and suppliers) - the list of external processors is available from the Controller.

- Welfare institutions for the fulfilment of all welfare, social security and insurance obligations;

- Companies or Entities that, on behalf of MARGHERITI PIANTE S.S., supply specific instrumental or supporting services, including debt collection services;

- Subjects whose faculty to access your personal data is acknowledged by provisions of law or secondary or Community regulations;

7. Disclosure of data

In any case, data will not be disclosed to any unauthorised third parties nor disseminated in any way. To this end, processing is carried out using security measures able to prevent the unauthorised access of data by third parties and guarantee due confidentiality.

Without the need for express consent, the Data Controller may disclose your data for the purposes pursuant to point 3, to the following parties:

- the Italian National Agency for the Safe Transport;

- Supervisory bodies, Legal authorities, Control entities;

- Other subjects whose faculty to access your personal data is acknowledged by provisions of Law or by secondary or Community regulations;

Such subjects will process the data as autonomous data controllers.

8. Transfer of data

The management and storage of personal data will take place on servers located within the European Union of the Controller and/or third party companies appointed and duly named as data processors. At present, the servers are located at the company’s registered office. The data will not be transferred outside the European Union.

9. Nature of the conferral of data and consequences of refusal to respond

The conferral of data for the purposes pursuant to point 3 is mandatory. Failure to do so will make it impossible to stipulate the contract and supply the relevant service.

10. Rights of the data subject

According to the GDPR, the data subject has the following rights in regard to the Data Controller:

- to obtain confirmation as to whether or not personal data concerning you is being processed and, if so, to obtain access to such personal data (Right of Withdrawal Art. 15)

- to obtain the rectification of inaccurate personal data concerning you without undue delay (Right to rectification Art. 16)

- to obtain the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where certain conditions are met (Right to be forgotten Art. 17)

- to obtain the restriction of processing in certain situations (Right to the restriction of processing Art. 18)

- to receive the personal data concerning you in a structured, commonly used and machine-readable format and to transmit such data to another controller without hindrance from the controller to which the personal data have been provided, in certain cases (Right to data portability Art. 20)

- to object at any time, for reasons linked to a specific situation, to the processing of personal data regarding you (Right to object Art. 21)

- to receive notification of any personal data breach suffered by the Data Controller, without undue delay (Art. 34)

- to revoke express consent at any time (Conditions for consent Art. 7)

The data subject also has the right to submit a complaint to the Data Protection Authority.

11. Data Controller

The Data Controller is the company MARGHERITI PIANTE DI MARGHERITI ENZO E DAVID S.S. SOC.AGRICOLA, Località Torri Chiusine snc, 53043 Chiusi (Siena) – telephone (0039) 0578/227686 – Fax (0039) 0578/21411 – e-mail: info@margheriti.it – certified e-mail: margheritipiante@legalmail.it.

A list of data supervisors and processors is kept at the Controller’s registered office.

12. How to exercise rights

Letter sent recorded delivery with advice of receipt to: MARGHERITI PIANTE DI MARGHERITI ENZO E DAVID S.S. SOC. AGR.

Località Torri Chiusine snc – 53043 Chiusi (Siena)

PEC (certified e-mail): margheritipiante@legalmail.it