Subject: Information on the processing of personal data, pursuant to art. 13 of EU Regulation no. 2016/679 – “GENERAL DATA PROTECTION REGULATION” (hereinafter “GDPR”) and Legislative Decree 196/2003, as amended by Legislative Decree 101/2018.

With this notice, we wish to inform you of how TOSO SpA processes your personal data, collected while you browse our website: www.gamondi.it. Unless otherwise specified, all articles cited refer to the legislation indicated in the title.

1. Data controller

The data controller is TOSO SpA (hereinafter also referred to as the Controller or Company), with registered office in Via Statale, 3 in Cossano Belbo (12054 – Cn) – VAT number: 02462360047, in the person of Gianfranco Toso, legal representative.

1. Appointment of RDP – DPO

The Data Controller, not falling within the cases indicated in Article 37 of the GDPR, nor those indicated in the various interpretations of the Guarantor Authority, has not deemed it necessary to appoint a Data Protection Officer.

1. Object of the treatment

1 Browsing data

The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.

This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified.

This category of data includes the IP addresses or domain names of the computers used by users connecting to the site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user's IT environment.

2 Data provided voluntarily by the user

The optional, explicit, and voluntary sending of emails to the addresses indicated on this site entails the subsequent acquisition of the sender's address, necessary to respond to requests, as well as any other personal data included in the message.

Specific summary information will be progressively reported or displayed on the site pages set up for particular services on request.

The processing of your information will be based on the principles of correctness, lawfulness, transparency, and protection of confidentiality. Your information will be processed and stored using computerized and paper-based tools for the time strictly necessary to achieve the purposes for which it was collected.

Specific security measures are observed to prevent data loss, illicit or incorrect use, and unauthorized access.

3 Cookies

Cookies are small text files that visited sites send to the user's terminal, where they are stored before being retransmitted to the same sites on the next visit.

The Site uses:

• Session cookies whose use is not instrumental in collecting personal data identifying the user, being limited to the sole transmission of session identification data in the form of numbers automatically generated by the server, without any possibility of customization.

  Session cookies are not stored permanently on the user's device and are automatically deleted when the browser is closed.

• Third-party cookies for displaying Google Maps

  Toso SpA does not have access to the data collected and processed independently by third parties. For more information on the logic and methods of processing data collected by Google Maps, users are encouraged to read the privacy policies of the entities providing the relevant services.

Technical cookies are not used for User profiling activities.

Users can choose to enable or disable cookies by changing their browser settings according to the instructions provided by the relevant providers at the links below:

• Chrome
• Firefox
• Safari
• Internet Explorer
• Opera

1. Purpose of the processing, legal basis, nature of the provision.

The purpose of the processing referred to in point 3.1 is to obtain anonymous statistical information on the use of the site and to monitor its proper functioning. The data may be used to ascertain liability in the event of hypothetical computer crimes against the site. The processing is lawful pursuant to Art. 6, paragraph 1, letters b) and f) of the GDPR. Providing the data is mandatory, otherwise it will be impossible to properly manage the contractual aspects.

The purpose of the processing referred to in point 3.2 is always related and/or instrumental to browsing the website (therefore, any use other than and/or conflicting with the data subject's purposes is excluded). Specifically, the processing in question is limited to responding to inquiries submitted by the data subject. This processing is legitimate pursuant to Art. 6, paragraph 1, letter a) of the GDPR and requires the data subject's explicit consent. Providing data is optional; however, refusal to provide personal data relevant to the purpose of collection will prevent us from fulfilling your request.

The purpose of the processing referred to in point 3.3 is to improve the user's browsing experience and collect aggregate information for statistical purposes. Providing data is optional.

1. Treatment methods, duration of treatment

The processing of your personal data in relation to point 3.1 is carried out using the operations indicated in Art. 4, no. 2) GDPR, namely: collection, recording, organization, use, and deletion. Your personal data is subject to electronic and/or automated processing and is deleted immediately after processing.

The processing of your personal data in relation to point 3.2 is carried out using the operations indicated in Art. 4, no. 2) GDPR, namely: collection, recording, organization, use, and deletion. Your personal data is subject to electronic and/or automated processing.

In any case, your personal data will not be disclosed.

The processing of your personal data in relation to point 3.3 takes place in accordance with the rules and methods of the provider of the various services, and is indicated in the dedicated information, indicated in point 3.3.

1. Data Access

Your data may be made accessible for the purposes referred to in point 4) to employees and collaborators of the Data Controller, in their capacity as persons in charge and/or internal data processors and/or system administrators, or to third-party companies or other entities (for example, credit institutions, professional firms, consultants, insurance companies for the provision of insurance services, etc.) who carry out outsourcing activities on behalf of the Data Controller, in their capacity as external data processors.

1. Data communication

Without the need for express consent (pursuant to Article 6, letters b), c) of the GDPR), the Data Controller may disclose your data for the purposes referred to in point 4) to supervisory bodies, public bodies (particularly healthcare bodies), judicial authorities, insurance companies for the provision of insurance services, as well as to those entities to whom disclosure is required by law for the fulfillment of the aforementioned purposes. These entities will process the data in their capacity as independent data controllers. Your data will not be disclosed.

1. Transfer of data to non-EU countries

The personal data provided, referred to in point 3), are stored in electronic and/or paper format on servers and/or in physical archives located at the Data Controller's headquarters within the European Union. In any case, it is understood that the Data Controller, if necessary, will have the right to move archives and servers to other EU or non-EU countries, for example, when using Cloud services. In this case, the Data Controller hereby ensures that the transfer of data outside the EU will be carried out in accordance with applicable laws, subject to the stipulation of the standard contractual clauses provided by the European Commission.

1. Rights of the interested party

As a data subject, you enjoy the rights set forth in Articles 15, 16, 17, 18, 19, 20, 21, and 22 of the GDPR. In detail:

• Right of access
• Right to rectification
• Right to erasure ('right to be forgotten')
• Right to restriction of processing
• Right to notification obligation in case of rectification or erasure of personal data or restriction of processing
• Right to data portability
• Right to object
• Rights relating to automated individual decision-making, including profiling

1. How to exercise the rights of the interested party

You may exercise your rights at any time by sending:

– a registered letter addressed to the Data Controller, referred to in point 1)

– an email to info@toso.it

TOSO SpA.