PERSONAL DATA PROTECTION CODE

Italian Legislative Decree n. 196 dated 30 June 2003

Everyone has the right to protection of the personal data concerning them. The information on performance of the tasks applying to any entity that is in charge of public functions including the respective evaluation data shall not be the subject of privacy safeguards.

This consolidated statute, here inafter referred to as “Code”, shall ensure that personal data are processed by respecting data subjects’ rights, fundamental freedoms and dignity, particularly with regard to confidentiality, personal identity and the right to personal data protection.

This Code shall apply to the processing of personal data, including data held abroad, where the processing is performed by any entity established either in the State’s territory or in a place that is under the State’s sovereignty.

This Code shall also apply to the processing of personal data that is performed by an entity established in the territory of a country outside the European Union, where said entity makes use in connection with the processing of equipment, whether electronic or otherwise, situated in the State’s territory, unless such equipment is used only for purposes of transit through the territory of the European Union. If this Code applies, the data controller shall designate a representative established in the State’s territory with a view to implementing the provisions concerning processing of personal data.

This Code shall only apply to the processing of personal data carried out by natural persons for exclusively personal purposes if the data are intended for systematic communication or dissemination. The provisions concerning liability and security referred to in Sections 15 and 31 shall apply in any case.

A data subject shall have the right to obtain confirmation as to whether or not personal data concerning him exist, regardless of their being already recorded, and communication of such data in intelligible form.

A data subject shall have the right to be informed

a) of the source of the personal data;

b) of the purposes and methods of the processing;

c) of the logic applied to the processing, if the latter is carried out with the help of electronic means;

d) of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing.

The data processor may be designated by the data controller on an optional basis.

Where designated, the data processor shall be selected among entities that can appropriately ensure, on account of their experience, capabilities and reliability, thorough compliance with the provisions in force applying to processing as also related to security matters.

If necessary on account of organizational requirements, several entities may be designated as data processors also by subdividing the relevant tasks.

The tasks committed to the data processor shall be detailed in writing by the data controller.

The data processor shall abide by the instructions given by the data controller in carrying out the processing. The data controller shall supervise over thorough compliance with both said instructions and the provisions referred to in paragraph 2, also by means of regular controls.

Personal data undergoing processing shall be kept and controlled, also in consideration of technological innovations, of their nature and the specific features of the processing, in such a way as to minimise, by means of suitable preventative security measures, the risk of their destruction or loss, whether by accident or not, of unauthorized access to the data or of processing operations that are either unlawful or inconsistent with the purposes for which the data have been collected.

The provider of a publicly available electronic communications service shall take suitable technical and organisational measures under Section 31 that are adequate in the light of the existing risk, in order to safeguard security of its services and integrity of traffic data, location data and electronic communications against any form of unauthorised utilisation or access.

If the contrary isn’t be revealed by a writing, we consider this letter as accepted.