Dear CUSTOMER, In accordance with Article 13 of the GDPR (EU Regulation 2016/679), the following information is provided, in line with the principle of transparency, to make the customer (data subject) aware of the characteristics and methods of data processing. Identity and Contact Information The “Controller” of the processing is Samotrace Roberto. Purpose of the Processing, Legal Basis, and Legitimate Interest The processing of personal data requested from the data subject is carried out for the following purposes: a) Establishment and management of the contractual relationship; b) Execution of contractual and legal obligations; c) Handling requests for commercial information about products and services. Recipients and Categories of Data Recipients Data is processed internally by subjects authorized for data processing under the responsibility of the Controller for the purposes outlined above. Data may also be communicated to external Data Processors who have entered into specific agreements, contracts, or protocols with the Controller (an updated list of Data Processors may be requested from the Controller at any time by submitting a written request to the contact details indicated in section 1). Data may also be communicated to other subjects acting as independent Controllers (e.g., external professionals, as well as banks, public and private institutions, for reasons related to or connected to the contract). Data Transfer to Third Countries The Controller will not transfer data to a third country or an international organization. Data Retention Period Personal data will be retained for the period necessary to achieve the purposes for which it was collected, and therefore for the time required to execute the contract, or for the longer period mandated by law. Data Subject Rights Regarding personal data, the data subject may exercise the following rights: – Right of access; – Right to obtain rectification or deletion; – Right to restriction of processing; – Right to object to processing; – Right to data portability. The above rights may be exercised by the data subject using the contact details indicated in sections 1 and 2 of this privacy notice. Complaint The data subject is informed of their right to lodge a complaint with the supervisory authority (Data Protection Authority). For further details, please consult the official website of the Data Protection Authority: www.garanteprivacy.it. Data Communication The communication of personal data is a legal or contractual obligation, or a necessary requirement for the conclusion of a contract. Provision of Data The provision of data is mandatory since the communication of data is a contractual obligation or a necessary requirement for the conclusion of the contract. Failure to provide the data will prevent the data subject from proceeding with the finalization of the contract. Profiling The Controller does not use automated processes for profiling. Different Purpose for Processing If the Controller intends to process personal data for a purpose different from that for which it was collected, prior to such further processing, the data subject will be provided with information regarding the new purpose and any other relevant information. 2. PERSONAL DATA PROCESSING 2.1. By entering into this Agreement, the Customer entrusts the Provider with the task of processing Personal Data for the provision of Services, as detailed in this Agreement and in the Software Usage Conditions. 2.2. The Provider undertakes to comply with the Customer’s instructions; however, should the Customer request variations from the initial instructions, the Provider will assess the feasibility and agree on those variations and the associated costs. 2.3. In cases under Article 2.2 and in the event of Customer requests that involve the processing of Personal Data which, in the Provider's opinion, violate Data Protection Legislation, the Provider is authorized to refrain from following such Instructions and will promptly inform the Customer. In such cases, the Customer may either revise the Instructions given or contact the Supervisory Authority to verify the legality of the requests. 3. RESTRICTIONS ON THE USE OF PERSONAL DATA 3.1. In performing the processing of Personal Data for the provision of Services, the Provider undertakes to process Personal Data: 3.1.1. Only to the extent, and in the manner necessary, to deliver the Services or to properly fulfill its obligations under the Contract and this Agreement or as required by law or a competent regulatory body. In such circumstances, the Provider will notify the Customer (unless prohibited by law for reasons of public interest) via communication to the Notification Email; 3.1.2. In accordance with the Customer’s Instructions. 3.2. The Provider’s personnel who access or otherwise process Personal Data are authorized to do so based on appropriate authorizations, and have received the necessary training, including regarding the processing of personal data. Such personnel are also bound by confidentiality obligations and the company’s Code of Ethics, and must comply with the confidentiality and data protection policies adopted by the Provider. 5. SECURITY MEASURES 5.1. Provider’s Security Measures – In performing the processing of Personal Data for the provision of Services, the Provider commits to adopting adequate technical and organizational measures to prevent unlawful or unauthorized processing, accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure, or access to Personal Data.