* * *

Acciai Speciali Terni S.p.A., with registered office in Terni, Viale Benedetto Brin no. 218, Tax Code 11222300151, VAT No. 00715760559, as controller of the processing of personal data of its customers (hereinafter “Data Controller”), informs you, pursuant to art. 13 of Leg. Decree no. 196 of June 30, 2003, (hereinafter, “Privacy Code”) and art. 13 of EU Regulation no. 2016/679 (hereinafter, “Regulation” that your personal data concerning, connected to and/or instrumental to the execution of the sale contract, may be processed with the following methods and for the following purposes:

  1. Purpose and legal basis of the processing

Your personal data, including personal details, fiscal data, as well as the details of your bank account, will be processed (for the definition of ‘processing’, see art. 4, par. 1, letter a) of the Privacy Code, as well as art. 4, par. 1, no. 2 of the Regulation) for purposes related to the compliance with the laws and regulations in force concerning civil, fiscal and tax matters, as well as the provisions issued by the competent authorities, the verification of the requisites established by the anti-mafia legislation, the activities relating to the management of the contractual relationship in compliance with current legislation, the need for defending a right in court or in the appropriate forums provided for by current laws and regulations.

The legal basis of the processing is identified (by mere way of example) in the constitution, execution and possible termination of the sale contract between you and the Company, and in the obligations related to the same contract and/or directly and/or indirectly arising from the same.

  1. Processing methods

The processing will take place with appropriate tools to ensure the security and confidentiality of the data, in compliance with the provisions of articles 31 et seq. of the Privacy Code and Annex B to the Privacy Code (“Technical specifications regarding minimum security measures”), as well as in compliance with the provision of Chapter II (Principles) and Chapter IV (Data Controller and Data Processor) of the Regulation.

The processing may also be performed through automated tools to store, manage or transmit the data. In addition, personal data may be processed to disclose the existence of criminal convictions as well as criminal proceedings in progress pursuant to Presidential Decree no. 313 of 14/11/2002, as amended. (“Consolidated text of the laws and regulations on criminal records, the register of administrative penalties following offenses and related pending charges (Text A)”); this data will be processed – in addition to what has already been specified in general for all data – in compliance with the provisions of art. 27 of the Privacy Code and the principles of art. 10 of the Regulation.

The processing of your personal data is carried out by means of the operations indicated in art. 4 of the Privacy Code and art. 4, no. 2) of the Regulation, to which reference should be made for any purpose.

The data provided will be kept at our Company for the entire duration of the contract and, thereafter, for all the time necessary for purposes related to the fulfilment of regulatory obligations regarding administrative, accounting, fiscal and civil legal provisions.

The Data Controller, upon written request of the party concerned Data Subject, will provide a copy of the personal data being processed. In case of further copies requested by the Data Subject, the Data Controller will charge a fee commensurate with the administrative costs. The right to obtain a copy by the Data Subject must not affect the rights and freedoms of others.

  1. Access to data

Your data may be made accessible, for the purposes set out in articles 1 and 2, to the following subjects:

  1. Employees and collaborators of the Data Controller, in their capacity as internal managers and/or data processors and/or system administrators.
  2. third parties who carry out activities outsourced by the Data Controller, in their capacity (by way of mere example: credit institutions, professional firms, consultants, insurance companies for the provision of insurance services, external data controllers and/or external system administrators, for the time strictly necessary for the optimal execution of this service).
  3. Subjects who are entrusted with the maintenance and development of our information system, for the time strictly necessary for the optimal execution of this service.
  1. Data communication

Without your express consent (pursuant to art. 24, letters a), b), d) of the Privacy Code and art. 6, letters b) and c) of the Regulation), the Data Controller may communicate your data, for the purposes referred to in art. 1, to supervisory bodies, judicial authorities and all other parties to whom the communication is mandatory by law for the accomplishment of the aforementioned purposes.

  1. Data transfers

The processing and storage of personal data will take place on servers, located within the European Union, of the Data Controller and/or third-party companies duly appointed as Data Processors. Currently the servers are located in Italy. The data will not be transferred outside the European Union. In any case, it is understood that the Data Controller, where necessary, will have the right to move the location of the servers, currently in Italy, within the European Union and/or to non-EU countries. In this case, the Data Controller guarantees as of now that the transfer data outside the EU will take place in accordance with articles 44 et seq. of the Regulation and the applicable legal provisions by stipulating, if necessary, agreements that guarantee an adequate level of protection.

  1. Nature of the data provision and consequences of refusing to answer

The provision of data for the purposes referred to in art. 1 is mandatory. The acquired data, object of this information, are essential for the finalisation of the contractual relationship and for the subsequent execution of the contractual relationship deriving from the same. Any refusal to provide the requested data and/or their inaccuracy could make it impossible to:

  1. Be compliant with laws and regulations in force concerning civil, fiscal and tax matters as well as with the provisions issued by the competent authorities.
  2. Verify the requisites envisioned by anti-mafia legislation.
  3. Guarantee the correct regulatory, technical and economic management of the contractual relationship.
  4. Act in defence of a right in court or in the appropriate forums provided for by current legal and regulatory provisions.
  1. Rights of the Data Subject

In your capacity as a Data Subject, we inform you that you have the possibility to exercise all the rights set out by art. 7 of the Privacy Code and by art. 15 of the Regulation, namely:

  1. The right to obtain confirmation as to the existence or not of personal data concerning yourself, even if not yet recorded, and its communication in such a way as to be readily understood
  2. The right to obtain the indication of i) the origin of the personal data ii) the processing purposes and methods iii) the logic applied in case of processing carried out with electronic instruments, iv) the identity of the data controller, data processors and the representative appointed pursuant to art. 5, paragraph 2 of the Privacy Code and by art. 3, paragraph 1 of the Regulation, v) the entities or categories of recipients to whom the data may be communicated or who can learn about them, such as appointed representatives in the National territory, officials or processing officers.
  3. The right to obtain: i) the updating, rectification or, where interested, the integration of data; ii) the cancellation, anonymization or blocking of data processed unlawfully, including data the retention of which is unnecessary for the purposes for which the data were collected or subsequently processed; iii) the certification that the operations described under letters i) and ii) have been notified, also as regards their content, to those to whom the data were disclosed, except where such obligation proves to be impossible or involves a manifestly disproportionate effort with respect to the protected right.
  4. The right to oppose, partially or totally i) for legitimate reasons concerning the processing of personal data, even if pertinent to the purpose of the collection.
  5. The right to obtain, also, pursuant to art. 15 of the Regulation, the confirmation of the ongoing processing of personal data concerning him or her and, in this case, to obtain access to the personal data and the following information: i) the categories of personal data in question; ii) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organisations; iii) when possible, the planned retention period of the personal data or, if not possible, the criteria used to determine that period; iv) the existence of the right of the data subject to request the Data Controller to rectify or delete personal data or limit the processing of personal data concerning him or her or to oppose their treatment; v) the right to lodge a complaint with a supervisory authority, pursuant to art. 77 et seq. of the Regulation; vi) if the data are not collected from the data subject, all available information regarding their origin; (vii) the existence of an automated decision-making process, including the profiling referred to in art. 22, paragraphs 1 and 4 of the Regulation, and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such treatment for the data subject; viii) the right to be informed of the existence of adequate safeguards pursuant to art. 46 of the Regulation regarding the transfer, if the personal data are transferred to a third country or to an international organisation.
  6. The Data Subject will also (where applicable) have the rights referred to in articles 16-21 of the Regulations (Right of rectification, right to be forgotten, right of limitation to the treatment, right to data portability, right of opposition).

We inform you that the Company undertakes to respond to your requests no later than one month after receipt of the same; this deadline could be extended depending on the complexity or the number of requests. The Company will explain the reason for such extension within one month of your request.

The outcome of your request may be provided in writing or in electronic format.

  1. How to exercise your rights

The Data Subject may at any time exercise the rights referred to in art. 7 of the Privacy Code and art. 15 of the Regulation in the following ways:

  1. Sending a registered letter with return receipt to: Acciai Speciali Terni S.p.A., c.o. the Head of Human Resources, Viale Benedetto Brin 218, 05100 Terni.
  2. Sending an email to the address: [email protected]
  1. Data Controller, Data Processor and persons authorised to process personal data

The Data Controller is Acciai Speciali Terni S.p.A.. The updated list of data processors and persons authorised to process the data is kept at the Data Controller’s headquarters.

  1. Changes to this Information

This information may change. It is therefore advisable to regularly check this information and refer to the latest version.