PRIVACY & COOKIES POLICY

Informative report and consent on personal data processing

Concerned persons: Users and visitors of this company’s web site

CANTALUPI LIGHTING S.R.L., having its registered office in Via Fosso Legnami n. 217, Massarosa, fraz. Piano di Mommio (LU), VAT Number/Tax ID number 01793930460, in person of its legal representative pro tempore acting as Data Controller of your Personal Data, in compliance with and to the effect of the Legislative Decree 30 June 2003 n. 196 (‘Code on personal data protection), and Regulation (EU) 2016/679 (also called GDPR), hereby informs you that the above said rules provide for the protection of persons as to the processing their personal data and that such processing will be based on correctness, lawfulness, transparency and protection of your privacy and rights.

1. Safety measures: Specific safety measures have been put in place to guarantee the secure access of the user and the protection of the information contained in the web site from the risk of voluntary or accidentally loss or destruction.

To access to the reserved part of the site, an identification code and a password are assigned to the companies that request them. Passwords are generated in such a way that they do not contain any references to the partner, in order to avoid possible abuses. Password must be kept safe by the user.

2. Amendments to this Privacy Policy: Data Controller reserves the right to amend this Privacy Policy at any time, informing the users through this web page and guaranteeing in any case identical Personal Data protection. You are kindly requested to visit this page frequently, taking into consideration the date of the last modification at the end of the document.

3. Legal references: this information report on privacy is drafted in compliance with the rules provided for by EU Regulation 2016/679, Art. 10 of the Directive n. 95/46/CE, and Directive 2002/58/CE, updated by the Directive 2009/136/CE, concerning Cookies.

4. Object and Purpose of processing: your data will be processed for the purposes described in the following paragraphs; if they are related to legislative or contractual obligations it will be sufficient to read this policy, if related to other purposes, the provision of data will be optional for you, and your refusal to the processing does not affect the continuation of the relationship or the adequacy of the data processing.

In general, User’s data are collected to allow the Data Controller to provide its services, as well as for the following purposes: contacting the user, sending email messages, interacting with social networks, for Statistics purposes and visualization of external platforms content.

The type of personal data used for each purpose are listed in the specific sections of this document.

Personal data collected through this web site refer to:

1. Navigation and utilization data, cookies

2. Data voluntarily provided by the user

Collected personal data refer both to the User and thirds whose data are provided by the User.

User is responsible of the personal Data of thirds that are disseminated or shared through the web site, and guarantees to have the right to disseminate them, holding the Data Controller harmless from any responsibility towards third parties.

For the purposes of the following data processing, the Data Controller may become aware of the following categories of data, when necessary for the purposes specified below, and in particular:

• email address

• Telephone number,

• Photos and videos concerning the user,

• Other data voluntarily provided (for example by means of delivery of curriculum vitae).

Some data may belong to the category of data defined as specific data, namely sensitive data, such as that related to judicial or health matters. Processing of sensitive data will concern only data strictly pertinent to the obligations, tasks or purposes described above; such data will be processed in compliance with the indications contained in the relevant General Authorizations of the Guarantor.

1. Navigation data.

Computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with identified interested parties, but which by their very nature could, through processing and association with data held by third parties, allow the identification of the users. This category of data includes IP addresses or domain names of the computers used by users connecting to the site, the addresses in the Uniform Resource Identifier (URI) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response

given by the server (success, error, etc.) and other parameters relating to user’s operating system and computer environment.

These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning. Data could be used to ascertain responsibility in case of hypothetical computer crimes to the detriment of the site.

All companies that use the navigation data are to be considered as independent data controllers and, therefore, for the processing carried out by these subjects, please refer to the specific privacy policies indicated below.

Cookie

Like practically all the websites, our website also uses some cookies. Cookies are small text files that the sites visited by the user (but also other sites or webserver) send and record on user’s computer (or mobile device), to be then retransmitted to the same sites (or webserver), when the user visit the site again, thus sending information.

Cookies are now essential tools as they allow modern sites to work as best as possible, allowing maximum customization, interaction and fluency in navigation. But they can also be used to monitor user browsing and then send advertising messages in line with user’s navigation habit.

Cookies can be:

limited to navigation session (if they expire when closing browser) or permanent (if they expire after a long-term period – years).

• generated by the concerned party or by third parties (in the second case they are installed by a website or web server other than the one visited by the user at that moment);

• technical cookies (necessary, sometimes indispensable, for a complete – or better – use of the site) or aimed at profiling (designed to create a user profile, and then send advertising messages in line with the preferences expressed by the same during the previous navigation) .

The Data Protection Authority considers as technical cookies session cookies, functional cookies and – only under certain conditions – analytics cookies; in particular the Data Protection Authority, in the provision dated 8 May 2014, specified that the latter can be assimilated to technical cookies only if used for the purpose of optimizing the site directly by the owner of the site, which will collect information in aggregate form on the number of users and how they visit the site.

For more information on the types of cookies, their features and how they work please consult the websites http://www.allaboutcookies.org, www.youronlinechoices.com, http://cookiepedia.co.uk and the specific Provision of the aforementioned Data Protection Authority.

Our web site includes the following cookies:

Technical operational cookies

They are essential to navigate the site using all its features, such as access to restricted areas and language selection. Without these cookies it would not be possible to provide the requested services. These cookies collect information anonymously and are not used for commercial purposes.

Analytics cookies

These cookies are used to allow the anonymous and aggregate analysis of user’s access data. These cookies relate to the web analytics platform of Google Analytics. They do not collect any information that can identify the user. For details on the functionality of these cookies and how to block them, see the privacy section of the service: https://www.google.com/analytics/learn/privacy.html?hl=it

The user can choose to delete, or block, some (or all) cookies by appropriately configuring the browser. Normally these programs also allow, through a special option, to specifically block third-party cookies. Each browser has different procedures for the management of cookies; the following links refer to the specific instructions of the most popular browsers:

Internet Explorer:

http://windows.microsoft.com/it-it/internet-explorer/delete-manage-cookies#ie=ie-11

Google Chrome:

https://support.google.com/accounts/answer/61416?hl=it

Apple Safari:

http://support.apple.com/kb/HT1677?viewlocale=it_IT

Mozilla Firefox:

https://support.mozilla.org/it/kb/Attivare%20e%20disattivare%20i%20cookie

Statistic Purposes

The services contained in this section allow the Data Controller to monitor and analyze traffic data and are used to keep track of User behavior.

Google Analytics

This Site uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files that are stored on users’ computers in order to analyze how users use the Site. The information generated by the cookie about the use of the Site by users (including their IP address) will be transmitted to and stored by Google servers in the United States. Google will use this information for the purpose of tracking and reviewing the use of the Site by users, compiling reports for website operators and providing other services relating to the activities of the Site and the use of the Internet. Google may also transfer this information to third parties where required to do so by law or where such third parties process the information on Google’s behalf. Google will not associate users’ IP address with any other data held by Google.

Users may refuse to use cookies by selecting the appropriate settings on their browser, but this may prevent them from using all the features of the Website. Alternatively, if the user does not want Google Analytics to use login information, the user can follow the steps

described hereunder. By using the Website, the user gives consent to the processing of his own data by Google in the manner and for the purposes set out above.

The privacy policy of Google company, relating to Google Analytics service, is available in http://www.google.com/intl/en/analytics/privacyoverview.html

Google’s privacy policy rules are available in:

http://www.google.com/intl/it/privacy/privacy-policy.html

Further information on Google Analytics privacy is available in

https://support.google.com/analytics/answer/6004245?hl=it

Buttons/Social Widgets

The web site contains services allowing users to share Site information with the social networks for which they are registered, specifically:

• Facebook

• Instagram

• Pinterest

• YouTube

Such services are provided and managed by the respective companies and the data are processed directly by them. Users are kindly requested to read privacy policies of said companies.

2. Data voluntarily provided by the user.

Sending of email to the addresses contained in the web site

The discretionary, explicit and voluntary sending of e-mails to the addresses indicated on this site entails the subsequent acquisition of sender’s address, necessary to respond to requests, and of any other personal data included in the message.

Compilation of the data collection form (for information request) and subscription to the newsletter

The website www.cantalupilighting.it on its “Catalogs” page allows interested parties to request information through the insertion of some personal data (such as name and surname, company name of the reference company, e-mail address, country of reference). These data will be processed manually and also through the use of IT tools by the specifically appointed employees of the companies CANTALUPI LIGHTING SRL , exclusively to respond to user’s request. The personal data contained in the Form are divided into two categories: mandatory and discretionary, as shown in the procedure for information request. The provision of mandatory data and the relevant processing for the purposes indicated above are strictly functional to the execution of the request. The other data collected are used to help CANTALUPI LIGHTING SRL to offer better services, also through manual and/or automated profiling of the optionally provided data (for example: profession and nationality).

Subscription to the newsletter service will involve the sending of addiotional advertising material for marketing purposes.

The data will not be disseminated and will be processed exclusively for the aforementioned purposes by specially appointed personnel. The data owner is required, after evaluation of the above, to provide us with confirmation of the acknowledgment of this information and with consent to the processing (through confirmation by email and the affixing of a flag in the appropriate space situated below the form for data collection).

The data owner may at any time contact the Data Controller in order to exercise his/her rights concerning personal data protection, as provided for by the law in force.

5. Processing Methods Data processing is carried out by adopting the appropriate security measures to prevent unauthorized access, disclosure, modification or destruction of Personal Data. In particular, data processing is carried out by:

• IT tools, with organizational methods strictly related to the purposes indicated above;

• Entrusting of processing operations to third parties.

Each data processing takes place in compliance with the procedures set forth in Chapter II of the Regulation (EU) 2016/679 and the articles. 11, 31 and following of Legislative Decree 196/03.

6. Duration of processing and Storage of Personal Data Processing operations connected to the web services of this site take place at the company headquarters indicated at the beginning of this document, and are handled by technical staff in charge of the processing. Your personal data will be stored in the manner indicated above, for the minimum time required by their legislative and contractual nature or until data owner requests for cancellation thereof. At the time of collection, data will be stored in the reference folders existing on electronic and / or paper archives. At the time of cancellation, it is possible that data keep on being stored as anonymous data.

7. Access to Data: your data will be stored at our office and will be made accessible only to those responsible for the performance of the services necessary for proper

management of the relationship. Protection of data owner’s rights is guaranteed.

Your data will be processed only by personnel expressly authorized by the Data Controller and, in particular, by the following categories of persons in charge, who are part of the group companies:

• Managers and administrative staff (reading, writing, communication);

• Managers and IT staff (reading, writing, modification, cancellation);

In addition to the data controller and internal employees of the companies of the business group, in some cases, data may also be accessed by third parties (such as third party acting as technical service providers, postal carriers, hosting providers, IT companies, communication agencies). Your data may be disclosed to third parties, in particular to:

• Constitutional bodies or similar;

• Consultants and freelancers, also in associated form;

• Anyone who is legitimate recipient of communications required by law or regulation.

8. Communication and dissemination of data: with no need for express consent, the Data Controller may communicate your data to Supervisory Bodies, Judicial Authorities, insurance companies for the provision of insurance services, as well as to those persons to whom communication is mandatory under the law, for the accomplishment of said purposes.

Said persons shall process data in their capacity as autonomous Data Controllers.

9. Transfer of Personal Data Personal data processed by us as Data Controller are stored on servers located in the premises of a company pertaining to Cantalupi Lighting srl, within the territory of the European Union.

Some of the above mentioned persons may not be in Italy because of the multinational nature of our company, so your personal data may be transferred abroad, even outside the European Union in countries that do not guarantee an adequate level of personal data protection according to the standards established by Italian and European legislation on personal data

protection. Personal Data may be transferred abroad only in relation to professional information and only for purposes that are instrumental to your work at the Company or related to company activity. Data controller is responsible for verifying the compliance of the aforementioned subjects with national and European legislation regarding the processing of personal data.

In particular, Data Controller has agreed with the companies of the group operating outside the European Union specific standard contractual clauses.

10. Rights of the Data Owner: in his capacity as data owner, you may exercise the rights pursuant to art. 15 of the Regulations and precisely the following rights:

1. ask the Data Controller if your personal data have been processed, and if so you have the right to access your Personal Data and the following information:

a) processing purposes and methods;

b) type of processed personal data;

c) subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them in their capacity as designated representative in the territory of the State, managers or agents;

d) where possible, the storage period of personal data or, where this is not possible, the criteria adopted to establish storage time;

e) the right to request the Data Controller that your personal data are modified or deleted or that the processing of your personal data is limited, and the right to revoke your consent to the processing of your personal data;

f) the right to lodge a complaint with the supervisory authorities (for example the “Guarantor”, the Italian data protection authority);

g) if your personal data have not been provided directly by you, you have the right to receive information on the origin of the data collected;

h) if an automated decision-making process takes place, including profiling pursuant to Article 22, paragraphs 1 and 4 of the EU Regulation, you have the right to receive significant information on the logic applied to the processing of your Personal Data, as well as on the importance and consequences of such processing;

2 If your personal data are transferred abroad or to an international organization, you have the right to know whether adequate guarantees are applied to the transfer pursuant to Article 46 of the EU Regulation.

3. Upon request, the Data Controller will send you a copy of your personal data that have been processed.

If you wish to receive additional copies, the Data Controller may charge reasonable management fees. If you send the request electronically, any information will be sent to you in a commonly used electronic format, unless otherwise specified.

4. The right to receive a copy of your personal data processed in accordance with paragraph 3 above may not infringe the rights or freedom of third parties.

Furthermore, if possible, you have the following rights under Articles 16 to 22 of the EU regulation:

– the right to update, correct and supplement your personal data;

– the right to cancel your personal data;

– the right to limit the processing of your personal data;

– the right of portability of your personal data;

– the right to object;

f) the right to lodge a complaint with the data protection Supervisory Authority.

Finally, you have the right to revoke your consent without prejudice to the lawfulness of the data processing carried out prior to the revocation.

11. How to exercise your rights: you may exercise the above rights at any time by sending:

– a registered letter with acknowledgment of receipt to CANTALUPI LIGHTING S.R.L., having its registered office in Via Fosso Legnami n. 217, Massarosa, fraz. Piano di Mommio (LU)

– an email to info@cantalupilighting.it

12. Minors: the supply of any product and the provision of any service by the Data Controller under any contract / relationship between the user and the Data Controller does not include the intentional collection of Personal Data regarding minors. In the event that the Personal Data of minors are stored unintentionally, the Data Controller will delete them immediately upon request.

13. Further information on processing: Below, we give you additional information, not only to fulfill legislative obligations, but also because transparency and fairness towards our customers are an important part of our business.

Data controller: The Data Controller is CANTALUPI LIGHTING S.R.L., having its registered office in Via Fosso Legnami n. 217, Massarosa, fraz. Piano di Mommio (LU), VAT number 01793930460, responsible for the lawful and compliant use of your Personal Data, which can be contacted at the e-mail address info@cantalupilighting.it;

Data Processor: As internal Data Processor was appointed Ms Azzurra Cantalupi. She is also responsible for the lawful and compliant use of your Personal Data, and she can be contacted at the e-mail address a.cantalupi@cantalupi.it.

Persons authorised to process data: The updated list of all the external data processors and of the persons entitled to the data processing is available at the registered office of the Data Controller.

Defense in court: the User’s Personal Data may be used for the defense by the Owner of the website both in court and in the stages leading to possible legal action, in case of abuse by the User in the use of the web site or services related thereto.

Specific informative reports: specific informative reports could be shown on the pages of the Website in relation to particular services or processing of data provided by the User or by the

Data Owner, if such services or processing have different purposes than those indicated in this statement.

Maintenance: User’s Personal Data may be processed with additional methods and purposes depending on site maintenance.

System Log: for needs related to its operation and maintenance, this web site and any third-party services used by it may collect system logs, which are files that record the interactions – including navigation – and that may also contain Personal Data, such as IP address.

Link to third parties’ websites: CANTALUPI LIGHTING SRL is not responsible for the processing of personal data that may be carried out by and through sites to which this site is linked.

For further information, please contact us.