INFORMATION PROVIDED PURSUANT TO ARTICLES 13-14 OF THE GDPR (GENERAL DATA PROTECTION REGULATION) 2016/679

According to the aforementioned regulations, such processing will be based on the principles of fairness, lawfulness, transparency, and the protection of your privacy and rights.

Pursuant to Article 13 of GDPR 2016/679, we therefore provide you with the following information:

A – Personal data (name, surname, identification document details and a copy of the same, phone number, email address, etc.) will be provided at the time of membership depending on the type of association requested.

Terme Italia SRL, as the data controller of your personal data, informs you about their use and your rights so that you can consciously express your consent, where required, and exercise the rights provided by the General Data Protection Regulation (European Regulation 679/2016, hereinafter: the Regulation). Your personal data (provided by you, by third parties, or obtained, within legal limits, from public lists) may be processed for the following expressly stated purposes: To fulfil a contractual or non-contractual obligation, to comply with a legal or regulatory requirement, to propose services or goods to the data subject, to conduct profiling, to transfer data to third parties, to send periodic communications.

The legal basis for processing is represented by: A Legal obligation or regulation, B Contract with the data subject or execution of a contract, C Legitimate interest of the data controller or third parties, D Vital and urgent interest of the data subject, E Explicit consent of the data subject, F Execution of a task in the public interest.

Below we specifically clarify the meaning of the types of purposes:

Legal: i.e., to fulfil obligations provided by law, by a regulation, by European Union regulations as well as by provisions issued by authorities authorised by law or competent supervisory or control bodies (in this case, your consent is not required as the processing of data is related to compliance with such obligations/provisions). Among the data processed for legal reasons are those related to tax regulations or anti-money laundering registers.

Contractual and more generally administrative-accounting: i.e., to fulfil obligations arising from contracts of which you are a part or to comply, before concluding the contract, with your specific requests, including through distance communication techniques, including a dedicated telephone call centre (in this case your consent is not necessary as the processing of data is functional to managing the relationship or fulfilling requests); these treatments also include purposes stemming from protecting mutual interests in judicial proceedings and for tax purposes or other legal obligations such as, for example,

the maintenance of an anti-money laundering register if applicable.

Direct marketing: data processing activities aimed at providing you with information and sending you informative, commercial and advertising material (also through distance communication techniques such as postal correspondence, phone calls including through automated calling systems, fax, email, SMS or MMS messages or others) on products, services or initiatives of the company to promote them, to carry out direct sales actions, to conduct market research, to verify the quality of products or services offered to you (also through phone calls or sending questionnaires). The processing of such data may occur based on your optional consent or on the legitimate interest of the company when deemed and assessed not conflicting with your rights.

Profiling: data processing activities aimed at optimising commercial offerings (also through targeted and selected analyses), to carry out targeted commercial communications, to conduct statistical research, to apply one or more profiles (for the purpose of making appropriate commercial decisions or analysing or predicting your personal preferences, behaviours and attitudes for commercial purposes). (In this case your consent is optional and does not affect the maintenance of relationships with the company).

Indirect marketing: i.e., by communicating your data to third parties so they can carry out their autonomous commercial activities as indicated in point 3 above. (In this case your consent is optional and does not affect the maintenance of relationships with the company).

Post-marketing: i.e., for further investigation after termination or revocation of relationships with the company regarding the reasons for discontinuation. (In this case your consent is optional and does not affect the maintenance of relationships with the company).

Special cases of data:

‘Particular’ data also known as ‘sensitive’, i.e., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data related to health or sexual life or sexual orientation of a person (Art. 9 of the Regulation) or relating to criminal convictions and offences or related security measures (Art. 10 of the Regulation). Such data may only be processed with your explicit written consent if one of the reasons indicated in Article 9 paragraph 2 and Article 10 of the Regulation exists. Consent is free and optional but refusal of consent could impair the performance of one or more activities requested by you from the company specifically concerning facts for which it is essential to process such type of data.

Consent to process your data may be binding for concluding contracts with the Data Controller or with third parties. Only those data whose processing is essential for concluding the contract may be binding for concluding contracts; while you may freely grant or deny consent for non-essential data, particularly for profiling purposes, commercial communications, marketing.

You are under 18 years old and over 14 years old. Your data will therefore be processed with particular care regarding confidentiality and in the limited time necessary for fulfilling the services you have requested from the Data Controller, excluding purposes other than those underlying the existing relationship between you and the Data Controller. Your data may be subject to transfer to third parties for the purposes declared by the Data Controller. In particular, they may be transferred to third countries subject to an adequacy judgement or, failing that, upon your explicit consent.

B – METHODS OF DATA PROCESSING.

The processing of your data takes place through manual tools and via manual/paper storage as well as through electronic and automated tools, with methods strictly related to the aforementioned purposes. Where you have given consent, processing may also occur through profiling or comparison of data. The Company has adopted technical and organisational measures aimed at preventing and limiting the risk of loss, deterioration, theft of your data and ensuring their reasonable restoration in case of ‘data breach’.

Processing takes place in a manner that ensures the security, protection and confidentiality of your data.

Within the company, your personal data may be accessed by employees, managers and administrators or partners who have legal administrative roles or collaborators subject to self-employment contracts working within the company’s structure. This personnel has been provided adequate training and instructions suitable for safeguarding the preservation, maintenance, updating and security and confidentiality of your data. Consent for processing by such personnel is not required as it is inherent in the necessary procedures provided by law.

Outside the company, your data may be processed by:

collaborators subject to non-dependent employment contracts operating outside company structures commercial agents subject to non-dependent employment contracts operating outside company structures consultants of any kind (lawyers, doctors or chartered accountants, engineers, architects, labour consultants or other professionals registered or not in professional registers) who carry out technical support tasks on behalf of the company (particularly: legal services, IT services, shipping) and company control.

To pursue these purposes, the company may communicate or otherwise transmit your data to specific subjects, including foreign ones, who will use the received data as independent co-controllers unless designated by the company as “responsible” for their specific processing. You have the right to request and obtain a list of third parties to whom such data is transmitted.

Public bodies or public administrations for compliance with legal obligations.

The Data Controller uses IT systems in co-operation with third parties who thus become co-controllers of processing and relations with them are governed by a specific contractual agreement.

Those offering hosting services on their servers typically become external processors unless they have specific powers to decide on purposes or methods of processing; in that case they become controllers and thus it is necessary to regulate data processing with those using hosting services.

It is possible that the processor delegates processing of your data to other sub-processors who are also trained on how to correctly process such data.

Since the data you provide may consist of so-called ‘particular’ data also known as ‘sensitive’ under Art 9 of European Regulation, i.e., pertaining to racial origin, health, sexual orientations or habits, political thought orientations, trade union membership or philosophical beliefs or criminal conviction sentences (Art 10 of Regulation), processing may occur only with your written consent for the purposes indicated in this processing form unless defined as lawful under Regulation.

Since the data you provide may consist of so-called ‘biometric’ data such as fingerprints from hands, faces or signatures collected using technological tools, these will be processed in accordance with current legal provisions upon your consent where necessary and for the purposes indicated in this processing form.

The company may carry out video surveillance activities for security regarding its assets or individuals.

Your data may be subject to profiling activities which involve collecting and aggregating data concerning you for making appropriate commercial decisions or analysing or predicting your personal preferences, behaviours and attitudes for commercial purposes. Profiling may occur a) upon your consent b) based on our company’s legitimate interest. Failure to grant consent for profiling does not normally compromise regular development of relationships under which your data are processed. Conducting profiling activities could affect your rights and opportunities regarding offers from our company.

For your protection, the Data Controller has appointed a Data Protection Officer in person of Luca Rampazzo.

Your data may be transferred to a foreign country. In this case if it occurs within the European Union your data will be treated similarly to how they are treated in Italy. In case of transfer to countries outside the European Union they will be processed respecting rights provided in your favour by European Regulation. If your data are transferred outside an EU country they may be processed by subjects ensuring compliance with rights provided by European Regulation through voluntary adherence by them with general provisions.

Data transfer will occur in any case through tools that guarantee protection against third-party intrusions.

Your data have been collected directly from you and therefore we provide you in this form with the following information where applicable:

data controller and representative details data protection officer details

purposes and legal basis for processing recipients of data intention to transfer data abroad duration of storage period or criteria for determining duration right to access, rectification, erasure, objection to processing, portability right to withdraw consent if possible except for legal obligations possibility to lodge complaints with authority (Guarantor) if data are mandatory for contract execution or by law and consequences if consent is not granted if data are or will be subject to profiling and if so logic behind profiling existence of automated decision-making processes and right for individual concerned that decisions occur with human intervention.

Our company has obtained from third parties data concerning you. Therefore we provide you in this form with the following information where applicable:

data controller and representative details Data Protection Officer (RDP/DPO) details if applicable purposes and legal basis for processing categories of collected data recipients of data intention to transfer data abroad storage period or criteria for determining period rights related to access, withdrawal, rectification, erasure, portability, withdrawal of consent for processing limitation possibility for complaint to guarantor the source from which your data originated is as follows: the existence of automated decision-making processes and right for individual concerned that decisions occur with human intervention.

Your data will be retained by the Data Controller in respect of intended purposes for as long as necessary for fulfilling its relationship with you and ensuring mutual protection in judicial proceedings concerning rights as well as complying with legal obligations including those of a tax nature. Data not necessary for those latter purposes will be removed within maximum time limits provided by right to erasure as indicated further in this notice or at your request even within a shorter time frame if not conflicting with rights held by Data Controller.

Data concerning individuals that are not required to be retained due to specific legal obligations will be deleted within 10 years or 15 days after park opening for cameras.

Regarding profiling logics, the company declares as follows: gender, email address, phone number, postal code.

C – RIGHTS OF THE DATA SUBJECT

You can exercise at any time the following rights expressly recognised by Regulation:

You have the right to lodge a complaint at any time with national authority (Guarantor for personal data protection) if you believe that any right has been violated. You have the right that your data are always accurate and updated; therefore you can report or request updates at any time. You have the right to withdraw consent for processing unless prevented by law provisions or need for protecting rights held by controller even in judicial proceedings. In any case requesting withdrawal leads to a right to limit processing. You have the right to access your processed data held by Controller via written request even electronically. It is essential that you provide proof of identity which may also involve accessing our databases through credentials uniquely referable to you. You have a right to free access once; however you may be charged a fee for requests following first one. You have a right to receive a reply within thirty days from request. You have a right to receive your data in printable formats. You have a right to rectification and updating of your data; you can at any time request updating and correction if you find that our records are outdated or incorrect. In order to guarantee correct updating we invite you to notify us about any useful changes. You have a right to erasure concerning your personal data unless they are those that Controller must retain due specific legal obligation such as tax obligations anti-money laundering obligations or protection rights held by controller in litigation. If you contest accuracy concerning your personal data or lawfulness of processing or controller’s right to erase personal information then you have a right that your personal information remains stored but not processed except within limits necessary for resolving disputes over those records.

If Controller modifies or deletes wholly or partially your information you have a right to be informed about it and oppose modifications and deletions. You have a right that enables transferring your electronically stored processed information elsewhere within limits specified by Regulation providing it technically feasible allowing easy readability and acquisition by third parties. Data which you have a right transferring (portability) includes also automatic observation derived from activities conducted through Controller’s IT services such as searches performed and activity logs. You have a right opposing processing concerning your records profiling use thereof for direct marketing purposes profiling based on public interest research scientific historical statistical purposes. The company may under certain circumstances adopt automated procedures aimed at making decisions concerning you particularly deciding whether and under what conditions concluding contracts directly or through third parties with you. In this case you have a right requesting that before making binding decisions your position undergoes assessment by human operator who performs merit evaluation. The use of automated decision-making procedures could exclude you from certain proposals offers rights concluding contracts benefiting particular promotions. Since your information may be processed for carrying out e-commerce activities you have a right ensuring that they are processed according best IT practices available. Your information could therefore be transferred third parties completing in whole parts technical procedures related concluding executing contracts such as third-party servers logistics service providers transport managers. Your consent is always required; if consent is refused concerning processing necessary concluding transactions then Company might not provide requested services. Consent regarding essential processing must be separate from non-essential information collection purposes unrelated e-commerce contract conclusions. The company may under certain circumstances process your information communicating regarding commercial informative educational initiatives (so-called newsletters). In this case if necessary consent must be explicit distinct from other forms consent; you can withdraw granted consent regarding such purpose at any time.

You have a right consult during evaluations concerning security procedures related processing protecting your information.

D – INDICATION OF PARTIES INVOLVED IN PROCESSING

Your information may be processed by following parties:

[data controller] Terme Italia SRL [co-controllers] Feidos SpA [representative] Not applicable [data processors] See supplier list [RDP/DPO] Luca Rampazzo

E – MODALITIES FOR EXERCISING YOUR RIGHTS

Your requests can be exercised via written communication addressed to Company at Via Nibby 11 Roma (Rome) or email address dott.lucarampazzo@gmail.com ,or if provided independently within personal area made available electronically through unique identification.