PRIVACY NOTICE FOR THE PROCESSING OF PERSONAL DATA OF PROSPECTS OF FIERA MILANO CONGRESSI

NOTICE FOR THE PROCESSING OF PERSONAL DATA PURSUANT TO ART. 13 OF THE GDPR

In accordance with Article 13 of Regulation (EU) 2016/679 (“GDPR”), Fiera Milano Congressi S.p.A. (“FMC”), in its capacity as Data Controller, informs you that the personal data you voluntarily provided (for example, via business card or e-mail) and relating to you as the contact person of the client company with which FMC may establish contractual relationships for the organization of congress, will be used solely for the purpose of enabling the establishment and execution of the contractual relationship and will be processed in compliance with applicable laws, including the GDPR, as well as other applicable regulations on personal data protection, according to the methods and for the purposes described in this notice (the “Notice”).

1. Data Controller’s contact details

The Data Controller of personal data is Fiera Milano Congressi S.p.A. (“Controller” or “FMC” or the “Company”), with registered office in Milan, Piazzale Carlo Magno no. 1, 20149. You may contact the Data Controller via email at gdpr@fieramilanocongressi.it, or by regular mail at the address provided above.

2. Categories of personal data

The Company primarily processes the following categories of personal data:

·       identification and contact data (such as name, surname, email address, phone numbers);

·       data related to your job position;

·       data related to your preferences concerning the products and/or services offered by the Company.

3. Purpose and legal basis for processing

Your personal data is collected and processed for the following purposes:

a) to respond to your request for contact and information, received via email or through the delivery of a business card, and to respond to your interest in the Company and our congress services for the purpose of initiating a commercial negotiation as well as to handle any subsequent requests for information;

b) to retain your identification and contact data to propose future collaborations and send you offers regarding congress services similar to those for which you initially expressed interest.

For the purposes referred to in point a), FMC processes such data based on the execution of pre-contractual measures taken at your request, pursuant to Article 6, paragraph 1, letter b) of the GDPR.

For the purposes referred to in point b), FMC processes such data based on your consent, pursuant to Article 6, paragraph 1, letter a) of the GDPR.

4. Modalities of processing

The processing of personal data is carried out for the purposes mentioned above, in accordance with Article 5 of the GDPR, either in paper form or electronically, as well as through automated tools.

The processing is performed directly by FMC, in its capacity as data controller, by its employees and collaborators who have been authorized to carry out data processing operations related to the contractual relationship and instructed accordingly, as well as by external entities that, on behalf of the same Company, provide various services as specified in paragraph 7 below.

Your personal data will not be transferred outside the European Union and/or the European Economic Area (“EEA”).

5. Nature of data provision and consequences of refusal

For the purposes mentioned in paragraph 3, providing your data is optional and voluntary but necessary for the correct establishment and execution of the contractual relationship. Failure to provide data may result in the impossibility of establishing the contractual relationship or being contacted for future collaborations.

6. Retention period of personal data

Your personal data will be stored for the time strictly necessary to respond to your request for contact and information. If, following the initial contact due to your interest in our Company, commercial negotiations are initiated but no contractual relationship is established, the Company, solely with your consent, may retain your identification and contact data for an additional two years to propose future collaborations and send you offers related to congressservices similar to those for which you initially expressed interest.

Once this period has expired, your data will be deleted or removed from the Controller's active systems.

It is understood that if you do not respond to our consent request sent via email or any subsequent reminder, your data will be automatically deleted from the Controller’s systems within 28 days from the first request.

Additionally, your data will be deleted or removed from the Controller's active systems if you notify us that you are no longer the contact person of the client company with which FMC may establish contractual relationships for the organization of events.

7. Recipients of personal data

In the context of the purposes mentioned in paragraph 3, your personal data may be communicated to the following categories of recipients. The complete list of such entities or categories of entities is available at the Controller's registered office:

-  data processors, pursuant to Article 28 of the GDPR, appointed as necessary;

-  companies and professionals that the Controller uses to fulfill contractual or legal obligations or to protect its rights (for example, accountants, lawyers, tax consultants, auditors, consultants in the context of auditing or due diligence operations, etc.);

-  companies managing technical networks and IT systems;

- public entities;

- judges and courts, in response to any request or as part of a legal proceeding;

- public authorities authorized by law, in case of inspections, audits, and/or checks.

Your personal data will not be disclosed.

8. Data subject’s rights

You have the right to exercise, at any time, the rights recognized by Articles 15-21 of the GDPR, briefly summarized below:

- Right of access: you can request information about how we process your data or confirm that the Controller is processing your personal data. In this case, you can request a copy of your data and verify what information we hold about you.

- Right of rectification: You have the right to request the correction of your personal data if they are inaccurate, including the right to request the completion of incomplete personal data.

- Right to erasure: You have the right to request the deletion of your data (or part of it) that you have provided to us, including those that are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

- Right to restriction of processing: You can request that we restrict the processing of your personal data under the circumstances provided by law.

- Right to object: You can object to the processing of your personal data unless there is a legitimate reason for the continuation of such processing.

- Right to data portability: You can obtain from the Company, in a structured, commonly used, and machine-readable format, the personal data you have provided us, for the purpose of transmitting them to another entity. This right applies if the Company processes such data through automated tools based on consent or for the provision of services.

- Withdrawal of consent: If the processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of the processing carried out prior to such withdrawal.

- Right to lodge a complaint with the Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent Supervisory Authority if you believe that the processing operations violate the current legislation on personal data protection.

Any requests for the exercise of your rights may be submitted to the Data Controller by writing to the email address provided in paragraph 1 of this Notice.