Information on the processing of personal data

This information is provided in accordance with Article 13 of Regulation 2016/679 (GDPR) to users accessing the website www.sirfinpa.it and relates to all personal data processed as indicated below. This information is provided solely for the Sirfin-PA S.r.l. website and not for any other websites that may be accessed through links.

1. DATA CONTROLLER. The data controller for the collected personal data is Sirfin-PA S.r.l. (hereinafter referred to as the “Controller”) with registered office in Rome, Via Angelo Bargoni 78 – Telephone 0687462513, VAT number 03120390780, represented by its Legal Representative.

2. COLLECTED DATA. The personal data processed is either provided directly by the data subject or collected automatically. The data provided directly by the data subject includes all personal data provided to the Controller in any manner, directly by the data subject. In particular, the optional, explicit, and voluntary sending of emails to the addresses indicated on this website results in the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data included in the communication. The data subject is free to provide personal data, both common and sensitive, contained in the curriculum vitae or in the submitted application. The optional, explicit, and voluntary submission of documents and resumes via email or on the website results in their subsequent acquisition, as well as the addresses necessary to respond to requests, and any other personal data included in the communications for the same purposes. The data collected automatically includes browsing data. Although these data are not collected to be associated with the user’s identity, they may indirectly, through processing and association with data held by the Controller, allow for their identification. In particular:
• IP address
• browser and navigation device
The collection of this data is essential for the functioning of the implicit renewal systems of the processing (see the section on Processing Methods and Technologies Used) and is an integral part of the platform’s operation.

3. LEGAL BASIS AND PURPOSE OF PROCESSING. The data is processed exclusively for the purposes for which it is collected, as described below. The provided data may be processed for evaluation and recruitment purposes by Sirfin-PA S.r.l., for the time necessary for the indicated and accepted purposes, including through electronic and internet-based tools. Data obtained from social networks, recruitment websites, or other sources on the internet may also be used, for example, for the purpose of verifying specific risks related to the candidate in relation to the specific position to be filled. The legal basis for processing is based on the law, the legitimate interest of the Controller (consisting of a thorough evaluation of its candidates), or the consent of the data subject. The data will be processed for the time necessary to evaluate the profile for possible employment. The provision of data is for the purpose of responding to your request and does not require consent, in accordance with Article 6 of EU Regulation 2016/679. Sirfin-PA S.r.l. does not provide any user information to third parties without their consent, except as required by law. However, the dissemination and transfer of data outside the EU are excluded.

4. PROCESSING METHODS AND TECHNOLOGIES USED. The processing of your personal data is carried out through the operations indicated in Article 4 n. 2) of the GDPR, namely: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion, and destruction of data. Your personal data is subject to both paper-based and electronic and/or automated processing. The data processing is carried out using suitable tools and procedures to ensure security and confidentiality. The computer systems and software programs used for the functioning of the website collect certain personal data, the transmission of which is implicit in the use of Internet communication protocols (e.g., IP addresses or domain names of the computers used by users who connect to the site, addresses and times of requests, method of connection to the server, numeric code indicating the status of the response, and other parameters related to the user’s operating system). Although this information is not collected to be associated with identified data subjects, it could, by its nature, through processing and association with data held by third parties, allow for the identification of users. This data is used solely for the purpose of obtaining statistical information (not associated with any identifying data) on the use of the site and to ensure its proper functioning. The data may be used to ascertain responsibility in case of hypothetical computer crimes against the website. Sirfin-PA S.r.l. does not use automated decision-making processes, does not engage in profiling activities, and does not record, store, or process data related to the choices, habits, and purchasing preferences of its customers, nor does it create profiles (individual or aggregated) for the purpose of targeted offers. 
Accessing the website www.sirfinpa.it activates methods of automatic information collection (technical cookies) necessary for proper navigation on the aforementioned sites, which are automatically deleted upon expiration or session closure. The cookies used by this site do not allow for the collection of your personal information, do not attempt to link your IP address to your identity, and are not used in any way for marketing purposes. This site does not use profiling cookies to send targeted advertising messages based on user preferences expressed during internet browsing.

5. COMMUNICATION AND DISCLOSURE. The collected data will not be “disclosed,” meaning it will not be made known to unspecified individuals in any way. However, the data may be “communicated” to one or more specified and identified subjects as follows:
• to individuals authorized within Sirfin-PA S.r.l. as data processors and processors and/or system administrators;
• to subjects who can access the data by virtue of a legal provision, regulation, or community legislation, within the limits provided by such laws;
• to consultants of Sirfin-PA S.r.l., limited to the assigned task, subject to the signing of obligations and confidentiality and security constraints in data processing, such as the company listed below: IT Hosting Provider (current provider: Aruba S.P.A.).
The complete list of data controllers and data processors can be requested by sending a specific request to the following email address: segreteria@sirfinpa.it. Specific security measures are observed to prevent data loss, unlawful or incorrect use, and unauthorized access.

6. DATA TRANSFER. Personal data is stored on remote servers located in Italy.

7. DATA SUBJECT’S RIGHTS. According to Article 7 of the Privacy Code and Article 13 of the GDPR, each user has the right to obtain confirmation of the existence or non-existence of their personal data, even if not yet recorded, and their communication in an intelligible form. In particular, the data subject has the right to obtain from Sirfin-PA S.r.l. information regarding:
• the origin of personal data;
• the purposes and methods of processing;
• the logic applied in case of processing carried out with the aid of electronic/IT tools;
• the identifying details of the data controller, data processors, and the designated representative;
• the subjects or categories of subjects to whom the data may be communicated or who may become aware of it as designated representatives in the territory of the State, data processors, or data processors.
Furthermore, the data subject has the right to obtain from Sirfin-PA S.r.l.:
• the updating, rectification, or integration of their data;
• the erasure, anonymization, or blocking of data processed unlawfully;
• access to their data, namely confirmation of whether or not personal data concerning them is being processed;
• the limitation of processing;
• data portability, namely the right to receive structured personal data concerning them in a commonly used and machine-readable format;
• the right to lodge a complaint with the supervisory authority.
Finally, the data subject has the right to object, in whole or in part, on legitimate grounds, to the processing of personal data concerning them, even if pertinent to the purpose of collection. In particular, the data subject has the right to object to the processing of personal data concerning them for the purpose of sending commercial advertising materials, direct selling, or conducting market research or commercial communication.

8. EXERCISE OF RIGHTS. The data subject may exercise their rights at any time by sending:
• a registered letter with return receipt to: Sirfin-PA S.r.l., Via A. Bargoni n. 78 (00153) Roma, Italy
• an email to the following address: privacy@sirfinpa.it.
Contact details of the Data Protection Officer: dpo@sirfinpa.it.

9. DATA CONTROLLER AND DATA PROCESSORS. The updated list of data controllers and data processors is kept at the registered office of the Data Controller. Sirfin-PA S.r.l. reserves the right to modify, supplement, or periodically update this information in compliance with applicable regulations or measures adopted by the Italian Data Protection Authority. Such modifications or additions will be made known to the data subjects through a link to the Privacy Policy page on the website.

Last modified: October 1, 2018.