Privacy Policy

Dear User,

the protection of your Personal Data is very important to Crea.Re Group S.r.l. (the "Company" or the "Controller"), owner of the website www.crearegroup.it (the "Website").

This policy on the processing of your Personal Data (the "Policy") is provided pursuant to Article 13 of Regulation (EU) 2016/679 on the protection of personal data of natural persons ("GDPR"), as well as in accordance with the further provisions of national legislation, including Legislative Decree No 196/2003, as amended by Legislative Decree No 101/2018 (the "Privacy Code") and the individual measures issued by the Italian Supervisory Authority (Garante per la Protezione dei Dati Personali), where applicable, in order to provide you, as a user of the Website (the "User" or the "Data Subject"), with the information regarding how the Controller processes your Personal Data when browsing the Website.

For capitalized definitions not specified within this Policy, please refer to Article 4 GDPR.

1. Scope of Application

The purpose of this Policy is to provide with information on how the Controller processes your Personal Data (i) collected in the context of browsing the Website; (ii) communicated by you and/or transmitted in connection with requests pertaining to the services provided by the Company (the "Services") by either filling in the "Contact Us" form, to found on the Website at https://crearegroup.it/it/contatti/; or by sending an e-mail to info@crearegroup.it.

2. Identity and contact details of the Controller

The Controller is Crea.re Group S.r.l., with registered office in via Bertola 2, 10121 Turin (TO), Italy, P. IVA / C.F. / 11623940019, REA No: TO - 1228578, who can be contacted as follows:

• Phone: (+39) 011 0461440
• Email: privacy@crearegroup.it

3. Types of processed Personal Data

A. Web Server Data

The servers and computer systems used to operate the Website acquire, in the course of their normal operation, some Personal Data whose transmission is implicit in the use of Internet communication protocols.

These data, although not collected to be associated with identified Data Subjects, by its very nature could, through processing and association with data held by third parties, allow Users to be identified.

This category of Personal Data includes the IP addresses of the devices used by Users who connect to the Website, as well as the addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of the request, the method used for submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the User's operating system and computer environment.

These data, necessary for the proper functioning of the Website, are also processed for the purpose of:

• obtain statistical information on the use of the Services (most visited pages, number of visitors by time slot or daily, geographical areas of origin, etc.);
• to control the correct functioning of the Services themselves.

It is understood that no use is made of cookies while browsing the Website for the transmission of personal information.

B. Common Personal Data you provide

The optional, explicit and voluntary sending of your Personal Data through the methods indicated in paragraph 1 above, involves the acquisition of Personal Data, such as:

• identification and status data (by way of example, first and last name);
• contact data (by way of example, address of residence or domicile, e-mail address, telephone number).

4. Purpose and legal basis of processing

Web Server Personal Data - referred to in paragraph 3, letter A - are used for the sole purpose of monitoring the proper functioning of the Website. Such data could, in addition, be used by public security authorities to ascertain responsibility in the event of any computer crimes to the detriment of the Website. Without prejudice to the foregoing, the data themselves will be kept for the period of time provided for by applicable laws and, in any case, for the time strictly necessary to provide the User with the requested Service as well as to ensure the transmission of communication through the Website.

For this purpose, the data are processed on the basis of Article 6.1 letter f) of the GDPR, i.e. for the pursuit of the legitimate interest of the Controller.

The Controller will process the Personal Data voluntarily provided by you - referred to in paragraph 3, letter B - in order to follow up on the requests you have sent, as indicated in paragraph 1 (ii) above.

For these purposes, the legal basis for the processing is Article 6.1 letter b) of the GDPR, as the processing of your Personal Data is necessary for the fulfillment of a contract or in order to take steps at the request of the Data Subject prior to entering into a contract.

In addition, your Personal Data may also be processed in order to fulfil the obligations provided for by law, regulations and applicable national, European and international legislation, as well as provisions issued by authorities empowered to do so by law.

For these purposes, the legal basis for the processing is to be found within the scope of Article 6.1 letter c) of the GDPR, as the processing is necessary for the fulfilment of legal obligations.

5. Cookies

The pages of the Website use cookies. Cookies are text files that are stored in a computer system via an Internet browser.

Cookies, in particular, allow a website to (i) recognize the device with which the user has accessed the site; (ii) track navigation through the different web pages; (iii) identify users who return to visit the site. Cookies are used for various purposes including, by way of example, to ensure the efficient operation of the websites and to provide information to the owners of the website. The setting of analytics cookies, including Google Analytics, and third party targeting, whose purpose is to improve the User's experience on the Website and collect useful information, is optional. The Controller will not set these cookies unless the Data Subject enables them through the appropriate "Cookie Banner" that appears when accessing the Website. For more detailed information on the cookies used and on the ways in which navigation data is stored, the User is invited to consult and read the cookie policy.

6. Modality of processing and nature of the data provision

Your Personal Data will be processed by the Controller and its processors in accordance with the principles of fairness, loyalty and transparency as per Article 5 of the GDPR, as well as protecting your confidentiality and your rights through the adoption of appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Your Personal Data will also be processed with the aid of computerized and manual systems.

The provision of your Personal Data is necessary as it is strictly functional to the performance of contractual and/or pre-contractual activities consisting in replying to your communications sent according to the modalities set forth in paragraph 1 (ii) above, as well as to the performance of legal and regulatory obligations. Therefore, for the purposes of the Processing of such data, your Consent is not required. However, in case of failure to provide Personal Data, it will not be possible to perform such contractual and/or pre-contractual measures.

7. Place and duration of storage of Personal Data

Your Personal Data will be processed at the registered office of the Controller, as identified in paragraph 2 above.

Your Personal Data voluntarily provided by you will be processed and stored only for the time strictly necessary to perform the Services you have requested. At the end of the storage period, your Personal Data will be deleted.

The navigation data will be kept for a minimum period equal to six (6) months, in any case such data will not be kept for a period exceeding one calendar year.

8. Disclosure, communication and transfer of your Personal Data

Your Personal Data will be processed by employees and/or collaborators of the Controller, expressly and duly authorized to do so in accordance with Article 29 GDPR as well as Article 2 - quaterdecies of the Privacy Code, for the purposes indicated above.

Your Personal Data, depending on the Service requested to the Company, may be communicated to third party suppliers of the Controller, that will be duly appointed as Processors pursuant to Article 28 GDPR and whose names will be duly communicated to you should you make a request to the Controller.

Your Personal Data will not be transferred outside the territory of the European Union.

9. Rights of Data Subjects

The Data Subject has the right to exercise, towards the Company, i.e. the Controller, the rights set forth in Articles 15 to 21 of the GDPR. In particular, such rights consist in:

a) receiving confirmation of the existence of the Personal Data of the Data Subject and access to it, in order to consult its content (right of access);

b) updating, amending and/or correcting the Personal Data (right of rectification);

c) requesting the deletion or removal of Personal Data where there is no valid reason for continuing to process it or where there is a law that requires or legitimizes the Processing or where the Data Subject has successfully exercised the right to object to the Processing, explained below (right to erasure);

d) requesting the suspension of the Processing in the following cases: (a) the Data Subject wants the Controller to ascertain and possibly restore the accuracy of the Personal Data; (b) if the Processing is not legitimate but the Data Subject does not want the Company to delete the Personal Data; (c) the Data Subject needs the Controller to keep the Personal Data longer because it is necessary to exercise or defend a right in court; or (d) the Data Subject has objected to the Processing but the Controller needs to verify whether there are nonetheless overriding legitimate reasons for continuing it (right to restrict Processing);

e) objecting to the Processing based on a Legitimate Interest (or that of a third party) and where there is a specific situation that the Data Subject believes affects his/her fundamental rights and freedoms, or the Processing is for direct marketing purposes (right to object);

f) revoking the Consent, if given, without prejudice to the lawfulness of the Processing based on the Consent given before the revocation (right to revoke the Consent);

g) requiring the Controller to directly transfer the Personal Data to the Data Subject or to a third party, including another Controller (right of portability). This right applies only to the Personal Data provided by the Data Subject: (i) on the basis of the Consent, where actually constituting a valid legal basis for the Processing; or (ii) for the performance of a contract entered into with the Controller, as well as when the Personal Data are processed by automated means and there is therefore Profiling.

The above rights may be exercised by sending a request to the Company at: privacy@crearegroup.it. In this regard, the Company shall comply with the requests of the Data Subject, unless such requests are prohibited by law or there is a legitimate purpose for continuing to process the Personal Data of the Data Subject, in which case the Data Subject will be notified promptly and, in any event, within thirty (30) days of receipt of the request. In any case, the Company reserves the right to verify the identity of the Data Subject before fulfilling any request relating to the Personal Data processed.

10. Right to lodge a complaint

Should you believe that the processing of Personal Data relating to you is in breach of the GDPR, you have the right to lodge a complaint with the Garante per la Protezione dei Dati Personali, as provided for by Articles 13 and 77 of the GDPR, as well as by art. 140 bis of the Privacy Code, or to take legal action pursuant to Article 79 GDPR.

11. Links to other sites and social media

For your convenience, the Company may provide through the Website links to other websites, such as Google or social networks such as LinkedIn and Facebook. The Policy, however, is not applicable to such third party websites, in relation to which the User is invited to examine the specific privacy and security policies provided by the same, before providing any Personal Data. For your convenience, we provide below the links to the privacy policies of the aforementioned third party websites:

• Google: https://policies.google.com/privacy?hl=it&fg=1;
• LinkedIn: https://it.linkedin.com/legal/privacy-policy?trk=hb_ft_priv;
• Facebook: https://it-it.facebook.com/privacy/explanation/.

12. Amendments to the Policy

The Company may change the Policy at any time by posting it on the Website thirty days before it becomes applicable. If such changes are material, the Company will also inform the Data Subject by other means before they become effective, for instance by sending a notification by e-mail, where the Data Subject has previously provided such Personal Data. Should the Data Subject use the Website thirty days after the publication of the modified Policy, it will be assumed that the Data Subject has accepted and consented to the changes.

Last update: June 2022