BARONE FLORENCE - BARONE S.R.L.

Privacy policy customers and suppliers pursuant to and for the purposes of art. 13 of Reg. (EU) 2016/679

This notice contains the information required under Article 13 of Regulation (EU) 2016/679 (hereinafter "GDPR")
on the protection of natural persons with regard to the processing of personal data, as well as legislative interventions
European or national and/or measures of the supervisory authorities subsequent to the publication of this notice.

1. DATACONTROLLER
The Data Controller is BARONE S.R.L. with registered office at Via dei Confini 236 - 50013 Campi Bisenzio (FI), tel. 0558826045,
VAT number and registration number with the Register of Companies of Florence 06056000489, in the person of its legal
representative pro tempore.

2. PERSONAL DATA PROTECTION RESPONSIBLE (DPO / DPO)
Pursuant to Article 37 of the GDPR. The Data Controller has appointed the Data Protection Officer
personal also known as DPO whose contact details are released (E-mail: dpo@baronefirenze.it) which have also been
published on the institutional website baronefirenze.it.

3. PURPOSE AND LEGAL BASIS OF THE PROCESSING
BARONE S.R.L. will process your personal data such as personal and identification data (first name, last name, tax code, VAT number);
contact data (telephone, e-mail); bank and payment data and other data necessary for the execution of the contract, exclusively for the
performance of the company's activities and in particular for the following purposes:

3.1. CUSTOMERS:
a) For the conclusion and execution of the contract having as its object our products and/or services, that is, for purposes strictly
connected with and instrumental to the performance of the necessary pre-contractual activities, the management of the
contractual relationship (fiscal and administrative fulfilments, customer assistance, claims management, credit recovery),
to the provision of the products and/or services, from time to time, requested.
b) For the proper fulfillment of legal obligations and rights provided by law (e.g. for the purpose of keeping
accounts, tax and administrative fulfilments, banking management, business relations or to enforce
or defend a right in court), as well as to comply with the provisions of the regulations for the
prevention of fraud, anti-money laundering and terrorism financing regulations, where applicable.
c) For the evaluation and monitoring of the quality of our products and/or services, including through the processing of internal statistical analysis
for which data disclosure to third parties is not envisaged, subject to the disclosure of statistics
in aggregate and anonymous form.
The provision of your data for the above-mentioned purposes is necessary for the purposes pursued in accordance with Article 6,
para. 1(b) of the GDPR (performance of a contract); para. c) (legal obligations); para. f) (legitimate interest). The
failure to provide the data would therefore result in the impossibility of fulfilling these purposes.
3.2. SUPPLIERS:
a) For the conclusion and execution of the contract concerning your products and/or services, i.e. for purposes strictly
related and instrumental to the performance of the necessary pre-contractual activities, the management of the relationship
contract.
b) For the proper fulfillment of legal obligations and rights provided by law (e.g. for the purpose of keeping
accounts, tax and administrative fulfilments, banking management, business relations or to enforce
or defend a right in court), as well as to comply with the provisions of the regulations for the
prevention of fraud, anti-money laundering and financing of terrorism regulations, where applicable.
c) For the evaluation and monitoring of the quality of the products and/or services provided by you, including by means of analysis
internal statistics not disclosed to third parties, except in aggregate and anonymous form.
The provision of your data for the above purposes is necessary for the purposes pursued in compliance with Article 6,
para. 1(b) of the GDPR (execution of a contract); sub-paragraph (c) (legal obligations); sub-paragraph (f) (legitimate interest). The
failure to provide the data would therefore result in the impossibility of fulfilling these purposes.

4. METHODS OF PROCESSING
The processing of your data will be based on the principles of lawfulness, fairness and transparency and may also be carried out
through automated methods designed to store, manage and transmit them accurately and will take place using technical
and organizational measures appropriate to ensure their security and protection from unauthorized or unlawful processing, loss,
destruction or accidental damage. Members' data will be used by the appointed data processors and by
authorized and properly trained individuals. There are no automated decision-making processes including profiling.

5. COMMUNICATION
For the pursuit of the purposes described in point 3 above, the personal data processed will be known to the employees,
assimilated personnel and associates of the Data Controller, who will act as authorized data subjects
personal data. In addition, your personal data will be processed by third parties belonging to the following categories:
- subjects that take care of administrative and fiscal fulfilments for the Controller;
- companies and consultants that provide legal advice;
- insurance companies and credit institutions;
- external companies that offer services inherent to the verification of creditworthiness, asset soundness,
risk profile and regulatory compliance (e.g. anti-money laundering);
- third-party companies that provide the logistics services;
- companies that perform on our behalf the activities of technical coordination, assistance and maintenance of computer systems
;
- in general, third-party companies that provide assistance on matters related to the existing contract.
The subjects belonging to the above categories operate, in some hypotheses, in total autonomy as separate Data Controllers of the
processing, in other hypotheses, as Data Processors specifically appointed by the Data Controller in compliance
with Article 28 GDPR. The complete and updated list of the subjects to whom your personal data may be communicated can be
requested at the registered office of the Data Controller. Your personal data will not be transferred to third parties outside the
European Union and are not subject to dissemination.

6. PERIOD OF DATA STORAGE
Your personal data will be retained for the period of time strictly necessary for the pursuit of the specific purposes
of the processing referred to in point 3 of this information notice and, specifically:
- For the purposes indicated in point 3, your personal data will be retained for the time necessary to carry out the
relationships subsisting between the parties and thereafter for the period of time determined by the regulations in force the data related
to billing will be retained for ten years from the date of billing, after which they will be
deleted or pseudonymized.

7. RIGHTS OF THE DATA SUBJECT UNDER ARTICLES. 15, 16, 17, 18, 20, 21 AND 22 REG. (EU) 2016/679
- Art. 15 - Right of access: the data subject has the right to obtain from the data controller confirmation as to whether or not
processing of personal data concerning him or her is taking place and, if so, to obtain access to the personal data.
- Art. 16 - Right to rectification: the data subject has the right to obtain from the data controller the rectification of
inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject has the right
to obtain the integration of incomplete personal data, including by providing a supplementary declaration.
- Art. 17 - Right to erasure (right to be forgotten): the data subject has the right to obtain from the data controller the
erasure of personal data concerning him/her without undue delay, and the data controller has the obligation to
erase without undue delay the personal data.
- Art. 18 - Right to limitation of processing: the data subject shall have the right to obtain from the data controller the
limitation of processing when one of the following occurs:
o a) the data subject disputes the accuracy of the personal data, for the period necessary for the data controller to
verify the accuracy of such personal data;
o b) the processing is unlawful and the data subject objects to the erasure of the personal data and instead requests that
its use be restricted;
or c) although the data controller no longer needs them for the purposes of processing, the personal data are
necessary for the establishment, exercise or defence of a legal claim by the data subject;
or d) the data subject has objected to the processing pursuant to Article 21(1), pending verification on
whether the data controller's legitimate grounds prevail over those of the data subject.
- Article 20 - Right to data portability: the data subject has the right to receive in a structured, commonly used and
machine-readable format personal data concerning him or her that have been provided to a data controller and has the right to
transmit such data to another data controller without hindrance from the data controller to whom he or she has
provided them.
When exercising his or her rights with regard to data portability under paragraph 1, the data subject has the right to
obtain the direct transmission of personal data from one controller to another, if technically feasible.
- Art. 21 - Right to object: the data subject has the right to object at any time, on grounds relating to his/her
particular situation, to the processing of personal data concerning him/her pursuant to Article 6(1)(e) or
f), including profiling on the basis of these provisions.
- Art. 22 - Right not to be subjected to automated decision-making, including profiling: the data subject
has the right not to be subjected to a decision based solely on automated processing, including
profiling, which produces legal effects concerning him or which affects his
person in a similar significant way.
The above rights may be exercised against us by writing to the e-mail address
amministrazione@baronefirenze.it. The exercise of your rights as a data subject is free of charge in accordance with Article 12, GDPR.