INFORMATION PROVIDED PURSUANT TO ARTICLES 13-14 OF THE GDPR (GENERAL DATA PROTECTION REGULATION) 2016/679

In accordance with the legislation indicated, this processing will be based on the principles of correctness, lawfulness, transparency and protection of your privacy and rights.

Pursuant to Article 13 of GDPR 2016/679, we therefore provide you with the following information:

 

A - Personal data (name, surname, identification document details and copy thereof, telephone number, email address, etc.) will be provided at the time of membership depending on the type of association requested.

Monticello spa SRL, as the controller of your personal data, informs you about their use and your rights, so that you can consciously express your consent, where required, and exercise your rights under the General Data Protection Regulation (European Regulation 679/2016, hereinafter: The Regulation). Your personal data (provided to us by you, by third parties or originating, within the limits of the law, from public lists) may be processed for the following expressly stated purposes: Fulfilling a contractual or non-contractual obligation, a legal or regulatory obligation, Proposing services or goods to the person concerned, Carrying out profiling, transferring data to third parties, sending periodic communications.

The legal basis for the processing is represented by: A Obligation by law or regulation, B Contract with data subject or execution of contract, C Legitimate interest of data controller or third party, D Vital and urgent interest of data subject, E Explicit consent of data subject, F Performance of public interest task

Below we specify the meaning of the types of purposes:

  1. by law: i.e. in order to comply with obligations laid down by law, by a regulation, by the legislation of the European Union as well as by provisions issued by Authorities empowered to do so by law or by competent supervisory or control bodies (in this case, your consent is not necessary as the processing of the data is related to compliance with such obligations/provisions). Among the data processed by law are those relating to tax regulations or for anti-money laundering registers.
  2. contractual and, more generally, administrative-accounting, i.e. to perform obligations arising from contracts to which you are a party or to fulfil, prior to the conclusion of the contract, your specific requests, also by means of distance communication techniques, including a dedicated telephone call centre (in which case your consent is not necessary, since the processing of the data is functional to the management of the relationship or the execution of the requests); such processing also includes the purpose arising from the protection of mutual interests in court and for tax purposes or for other legal obligations such as, for example, the keeping of anti-money laundering registers if applicable.
  3. direct commercial: data processing activities aimed at providing you with information and sending you informative, commercial and advertising material (including by means of distance communication techniques such as, but not limited to, postal mail, telephone calls, including through automated calling systems, telefaxes, electronic mail, SMS or MMS messages or other) on products, services or initiatives of the company, to promote the same, to carry out direct sales actions, to conduct market research, to verify the quality of products or services offered to you (including by telephone calls or the sending of questionnaires). The processing of such data may be carried out with your optional consent or on the basis of the legitimate interest of the company where it is deemed and evaluated not to be in conflict with your rights.
  4. profiling: data processing activities aimed at optimising the commercial offer (also by means of focused and selected analyses), to carry out targeted commercial communications, to carry out statistical research, to apply one or more profiles to you (in order to make appropriate commercial decisions or to analyse or predict, again for commercial purposes, your personal preferences, behaviour and attitudes). (In this case, your consent is optional and does not affect the maintenance of relations with the company).
  5. indirect commercial: i.e. by communicating your data to third parties for them to carry out their own autonomous commercial activities as indicated in number 3 above (in this case, your consent is optional and does not prejudice the maintenance of relations with the company).
  6. post-commercial: i.e. in order to investigate, after the termination or withdrawal of the relationship with the Company, the reasons for the interruption of the relationship. (In this case your consent is optional and does not prejudice the maintenance of relations with the company).

 

Special cases of data:

 

  1. 'Particular' also called 'sensitive' data, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data concerning the health or sex life or sexual orientation of the person (Art. 9 of the regulation) or concerning criminal convictions and offences or related security measures (Art. 10 of the regulation). Such data may only be processed with your express written consent if one of the reasons stated in Art. 9 para. 2 and Art. 10 of the regulation applies. Consent is free and optional but refusal to consent could jeopardise the performance of one or more activities requested by you from the company that specifically concern facts for which it is essential to process this type of data.
  2. Consent to the processing of your data may be binding for the purpose of concluding contracts with the Controller or third parties. Only data whose processing is indispensable for the conclusion of a contract may be binding for the conclusion of the contract, while you may freely give or withhold consent for data that is not indispensable, and in particular for the purposes of profiling, commercial communications, marketing.
  3. You are under the age of 18 and over the age of 14. Your data will therefore be processed with special care for confidentiality and within the limited time period necessary for the fulfilment of the services you have requested from the Controller, excluding purposes other than those underlying the existing relationship between you and the Controller.
  4. Your data may be subject to transfer to third parties for the purposes stated by the Controller. In particular, they may be transferred to third countries subject to an adequacy finding or, failing that, subject to your express consent.

 

The Data Controller has set up a special processing register to document the specific processing operations performed on the data of the persons concerned and the relevant legal bases. With a view to ensuring a high level of transparency, we inform you that this document may be viewed by you following an express request to the DPO Luca Rampazzo using the e-mail address given at the end of the information notice.



B - DATA PROCESSING METHODS.

The processing of your data is carried out by means of manual/paper filing instruments and by means of electronic and automated instruments, in a manner strictly related to the above-mentioned purposes. Where you have given your consent, processing may also take place by means of profiling or data comparison. The Company has adopted technical and organisational measures aimed at preventing and limiting the risk of loss, deterioration or misappropriation of your data, and at ensuring that they are restored within a reasonable timeframe in the event of a data breach.

 

Processing is carried out in such a way as to guarantee the security, protection and confidentiality of your data.

Within the company, your personal data may come to the knowledge of the data controller or processor:

  • employees, managers and directors or partners of the company who have or hold by law or company by-laws administrative, collaborative or commercial roles subject to self-employment contracts operating within the company structure. Such personnel have been provided with adequate training and instructions by the Company to protect the storage, maintenance, updating and security and confidentiality of your data. Consent to processing by such personnel is not required as it is inherent in the necessary modalities provided for by law.

Outside the company, your data may be processed by:

  • collaborators under non-employee employment contracts operating outside the company's facilities
  • commercial employees under a non-employee employment contract operating outside the company's facilities
  • consultants of any kind (lawyers, certified public accountants, engineers, architects, labour consultants or other professionals registered or not registered in professional registers), who perform technical, support (in particular: legal services, IT services, shipping) and business control tasks on behalf of the company.
    For the pursuit of the aforesaid purposes, the company may communicate or in any case transmit your data to certain subjects, including foreign ones, who will use the data received as autonomous co-controllers, unless they have been designated by the company as "persons in charge" of the processing for their specific purposes. It is your right to request and obtain the list of third parties to whom such data are transmitted.
  • Public bodies or administrations to fulfil legal obligations

The data controller uses computer systems in co-ownership with third parties, who therefore become co-owners of the processing, and relations with them are governed by a specific contractual agreement.

It is possible that the data controller delegates the processing of your data to other sub-processors, who are in turn instructed on how to process the data correctly.

 

Since the data you provide may consist of so-called 'special' data, also known as 'sensitive' data under Article 9 of the European Regulation, i.e. data relating to racial origin, health, sexual orientation or habits, political, trade union, religious or philosophical beliefs, or criminal convictions (Article 10 of the Regulation), the processing may take place with your prior written consent and for the purposes indicated in this processing form, except in cases of processing defined as lawful by the Regulation.

 

Since the data you provide us with may consist of so-called 'biometric' data, such as fingerprints, handprints, facial data or signatures collected by means of technological instruments, this data will be processed in accordance with the legal provisions in force subject to your consent where necessary and for the purposes indicated in this processing form.

The company may carry out video surveillance activities for the security of its property or persons.

 

Your data may be subject to profiling, i.e. the collection and aggregation of data about you in order to make appropriate business decisions or to analyse or predict your personal preferences, behaviour and attitudes. Profiling may take place a) with your consent b) on the basis of the legitimate interest of our company. Failure to give consent for profiling purposes does not normally affect the smooth development of the relationship under which your data is processed. The carrying out of profiling activities could jeopardise your rights and opportunities with regard to our company's offers.

 

For your protection, the Data Controller has appointed a Data Protection Officer in the person of Luca Rampazzo.

 

Your data may be transferred to a foreign country. If this happens within the European Union, your data will be processed in the same way as in Italy. If it is transferred to countries outside the European Union, it will be processed in accordance with your rights under the European Regulation. If your data is transferred to a country outside the EU, it may be processed by entities that guarantee the respect of the rights provided by the European Regulation through voluntary compliance by the same with general measures.

Data will be transferred in any case by means that guarantee the protection of such data from intrusion by third parties.

 

Your data has been collected directly from you and we therefore provide you with the following information in this form where applicable:

  • data of the holder and representative
  • data of the data protection officer
  • purpose and legal basis of processing
  • recipients of data
  • intention to transfer data abroad
  • duration of the retention period or criteria for determining the duration
  • right to access, rectification, cancellation, objection to processing, portability
  • right of withdrawal from processing if possible, except where required by law
  • possibility to lodge complaints with the authority (Garante)
  • whether the data are compulsory for the performance of a contract, or by law, and the consequences if consent is not given
  • whether the data are or will be subject to profiling and, if so, the logic of the profiling
  • the existence of automated decision-making processes and the data subject's right to have decisions made after human intervention.

 

Your data will be kept by the Data Controller, with respect to the intended purposes, for as long as is necessary for the performance of the existing relationship with you and to be able to guarantee the mutual protection of your rights in court as well as to comply with legal obligations, including tax obligations. Data that are not necessary for the latter purposes will be removed within the maximum period of time provided for by the right to be forgotten, as indicated further on in this information notice, or, at your request, even within a shorter period of time if this does not conflict with the rights of the Data Controller.

 

Data of the data subject that does not have to be retained due to a specific legal obligation will be deleted within 10 years, or 15 days of park opening for cameras.

 

With regard to profiling logics, the company states the following: type of household, geographical origin, specific profiles, age.

 

C - RIGHTS OF THE DATA SUBJECT

You may, at any time, exercise the following rights expressly recognised by the Regulation:

  • You have the right to lodge a complaint at any time with the national authority (Garante per la protezione dei dati personali) if you consider that your right has been violated
  • You have the right to ensure that your data is always accurate and up-to-date and you may therefore report or request that it be updated at any time
  • You have the right to revoke your consent to the processing of your data if this is not prevented by legal provisions or the need to protect the holder's rights, including in court. In any case, the request for revocation gives rise to the right to restriction of processing.
  • You have the right to access your data processed by the Controller by means of a written request, also in electronic form. It is indispensable for you to be able to provide us with proof of your identity, possibly also by means of access to our databases through credentials that can be uniquely referred to you. You are entitled to free access for one time only, whereas you may be charged a fee for subsequent requests. You are entitled to receive a reply within 30 days of your request. You are entitled to have your data in a printable format.
  • You have the right to have your data corrected and updated, and you may at any time ask us to update and correct it if you find that the data in our possession is out of date or incorrect. In order to ensure that the data is up-to-date, we would ask you to notify us of any useful changes.
  • You have the right to the deletion of data concerning you, provided that it is not data that the Data Controller must retain for specific legal obligations such as, for example, obligations arising from tax regulations, anti-money laundering or for the protection of the rights of the Data Controller in litigation.
  • If you dispute the accuracy of your data, or the lawfulness of the processing, or the right of the Controller to delete your data, or if you object to the processing of your data and the Controller disputes your objection, you have the right to have your data stored but not processed except to the extent necessary to resolve the dispute over the data.
  • Should the Controller change or delete all or part of your data, you have the right to be informed and to object to the change and deletion
  • You have the right to transfer your data - stored and processed electronically - to another operator, within the limits indicated by the Regulation, and provided that it is technically feasible, in such a way that it can be easily read and acquired by third parties. The data you are entitled to transfer (portability) also include data deriving from the automatic observation of your activity through the Controller's IT services, such as searches and history of activities performed
  • You have the right to object to the processing of your data, to profiling, to the use of your data for direct marketing, to profiling for public interest or for scientific or historical research or statistical purposes.
  • The company may, under certain circumstances, adopt automated procedures in order to make decisions concerning you and in particular in order to decide whether and under what conditions to conclude contracts directly or via third parties with you. In this case, you have the right to request that, before a binding decision is taken, your position is in any case examined by a human operator who carries out a substantive assessment. The use of automated decision-making procedures may result in your exclusion from certain proposals, offers or the right to conclude contracts or benefit from particular promotions.
  • Since your data may be processed for the purpose of carrying out e-commerce activities, you are entitled to have your data processed in accordance with the best state-of-the-art IT procedures. For this purpose, your data may be transferred to third parties in order to carry out, in whole or in part, technical and IT procedures for the conclusion of the contract and the execution of the contract, such as, for example, third-party servers, logistics and transport service providers. Your consent for this purpose is always necessary and, in the event that you do not consent to the processing of the data necessary for the conclusion of transactions, the Company may not be able to provide you with the services requested. Consent to the processing of indispensable data must be separate from consent to the acquisition of data that is not indispensable or for purposes other than those related to the conclusion of e-commerce contracts.
  • The company may, under certain circumstances, process your data in order to communicate with you about commercial or informational or educational initiatives (so-called newsletters). In this case, your consent, if necessary, must be explicit and separate from other forms of consent and you may revoke your consent for this purpose at any time.
  • You have the right to be consulted when assessing security procedures for the processing and protection of your data

 

D - INDICATION OF PERSONS INVOLVED IN PROCESSING

Your data may be processed by the following parties:

  1. [holder] Monticellospa SRL
  2. [joint owners] Pillerstone Italy SPW Bluwater SPA
  3. [representative] Not applicable
  4. [responsible] Bluwater S.p.A.
  5. [RDP/DPO] Luca Rampazzo

 

E - HOW TO EXERCISE YOUR RIGHTS

Your requests may be exercised by written communication to the address of the Company Via San Michele 16/D, Monticello Brianza (Lecco) or to the e-mail address alessandro.chiafala@alfapark.it, or, if applicable, autonomously within the personal area made available to you electronically by means of a unique identifier.

 

F - LIST OF PROCESSING OPERATIONS AND THEIR LEGAL BASES (EX ART. 30 GDPR)

In compliance with the transparency obligations provided for by the General Data Protection Regulation (GDPR) 2016/679, the following is an updated list of the personal data processing operations carried out by Terme di Chianciano S.p.A., indicating the relevant legal basis for each processing operation.



| Name of treatment (if identified) | Article 6 (legal basis for processing) | Article 9 (legal basis for the processing of special categories of data) |
|---|---|---|
| Payment of salaries | Execution of a contract | N/A |
| POC payment | Execution of a contract | N/A |
| POC accounting | Execution of a contract | N/A |
| Receiving Invoices Consultants | Execution of a contract | N/A |
| Consultant Invoice Management | Execution of a contract | N/A |
| Auditors | Legal Obligation | Execution of a contract |
| Customer invoices | Execution of a contract | Execution of a contract |
| Payment of salaries | Execution of a contract | N/A |
| POC payment | Execution of a contract | N/A |
| POC accounting | Execution of a contract | N/A |
| Receiving Invoices Consultants | Execution of a contract | N/A |
| Consultant Invoice Management | Execution of a contract | N/A |
| Auditors | Legal Obligation | N/A |
| Customer invoices | Execution of a contract | N/A |
| POC | Execution of a contract | N/A |
| Curriculum Vitae | Consent of the person concerned | N/A |
| Accident report | Consent of the person concerned | N/A |
| Slide presence register | Execution of a contract | N/A |
| Service Orders | Execution of a contract | N/A |
| Presence signature sheets | Execution of a contract | N/A |
| Attendance sheets swimming and aqua fitness courses customers | Legitimate interest of the Holder | N/A |
| Video surveillance | Public Safety | Judicial processing |
| Delegation/authorisation management | Performing general interest tasks | N/A |
| MONTICELLO video surveillance | Public Safety | Judicial processing |
| Direct Marketing | Consent of the person concerned | N/A |
| Direct Marketing | Consent of the person concerned | N/A |
| BluCard data analysis | Consent of the person concerned | N/A |
| Invoice data collection | Execution of a contract | N/A |
| Corporate Conventions | Execution of a contract | N/A |
| Curriculum Vitae | Consent of the person concerned | N/A |
| Image release | Execution of a contract | N/A |
| Voice mail message log | | |
| Birthday/bachelorette event quotations | | |
| Web master data/change credentials | | |
| Coupon Buyer Master | Execution of a contract | N/A |
| Coupon Buyer Master | Execution of a contract | N/A |
| Coupon Buyer Master | Execution of a contract | N/A |
| Coupon Buyer Master | Execution of a contract | N/A |
| Coupon Buyer Master | Execution of a contract | N/A |
| Ticket purchaser master data | Execution of a contract | N/A |
| Ticket purchaser master data | Execution of a contract | N/A |
| Ticket purchaser master data | Execution of a contract | N/A |
| Ticket purchaser master data | Execution of a contract | N/A |
| Ticket purchaser master data | Execution of a contract | N/A |
| Wi-fi portal user master data | Consent of the person concerned | N/A |
| Invoice data collection | Consent of the person concerned | N/A |
| Corporate Conventions | Execution of a contract | N/A |
| Curriculum Vitae | Consent of the person concerned | N/A |
| Image release | Execution of a contract | N/A |
| Voice mail message log | Consent of the person concerned | N/A |
| Loan register guest wristbands | Consent of the person concerned | N/A |
| Employee time log | Consent of the person concerned | N/A |
| POC contracts | Consent of the person concerned | N/A |
| Birthday/bachelorette event quotations | Consent of the person concerned | N/A |
| Web master data/change credentials | Consent of the person concerned | N/A |
| Welfare/conad/groupon coupon register | Consent of the person concerned | N/A |
| Booking Acquaworld entrances | Consent of the person concerned | N/A |
| Discharge of liability under 15 years of age | Consent of the person concerned | N/A |
| BluCard data collection | Consent of the person concerned | Consent of the person concerned |
| Booking massages/entries Monticello | Consent of the person concerned | N/A |
| Fitness contracts | Execution of a contract | N/A |
| Discharge of fitness liability | Consent of the person concerned | N/A |
| Medical check forms | Consent of the person concerned | N/A |
| Invoice data collection | Consent of the person concerned | N/A |
| Informed consent cryotherapy | Consent of the person concerned | N/A |
| Discharge of minor massage liability | Consent of the person concerned | N/A |
| Accident report | Consent of the person concerned | N/A |
| Corporate Conventions | Execution of a contract | N/A |
| Curriculum Vitae | Consent of the person concerned | N/A |
| Image release | Consent of the person concerned | N/A |
| Voice mail message log | Consent of the person concerned | N/A |
| Service register at Mon-Bistrot | Consent of the person concerned | N/A |
| Loan register fitness bracelets | Consent of the person concerned | N/A |
| Employee time log | Consent of the person concerned | N/A |
| POC contracts | Consent of the person concerned | N/A |
| Birthday/bachelorette event quotations | Consent of the person concerned | N/A |
| Web master data/change credentials | Consent of the person concerned | N/A |
| Welfare coupon register | Consent of the person concerned | N/A |
| Guest/external register | Consent of the person concerned | N/A |
| Video surveillance circuit | Consent of the person concerned | N/A |
| CUSTOMER RECEPTION | Consent of the person concerned | N/A |
| Corporate Conventions | Execution of a contract | N/A |
| Accident report | Consent of the person concerned | N/A |
| Entering fitness subscriptions | Execution of a contract | N/A |
| Discharge of fitness liability | Consent of the person concerned | N/A |
| Medical check | Consent of the person concerned | N/A |
| BluCard data collection | Consent of the person concerned | N/A |
| Image release | Execution of a contract | N/A |
| Massage/access booking | Consent of the person concerned | N/A |
| Informed consent Cryotherapy | Consent of the person concerned | N/A |
| Discharge of minor massage liability | Consent of the person concerned | N/A |
| Curriculum Vitae | Consent of the person concerned | N/A |
| Accident report | Consent of the person concerned | N/A |
| Payment of salaries | Legal Obligation | Exercise of labour law obligations |
| Attendance recording | Execution of a contract | Exercise of labour law obligations |
| Compilation of monthly attendance register | Legitimate interest of the Holder | N/A |
| Monthly payroll management | Execution of a contract | Exercise of labour law obligations |
| Accident management | Legal Obligation | Exercise of labour law obligations |
| Payment of salaries | Execution of a contract | Exercise of labour law obligations |
| Fifth payroll management | Execution of a contract | Consent of the person concerned |
| Job selections | Legitimate interest of the Holder | Consent of the person concerned |
| Stipulation of employment contract | Legal Obligation | Exercise of labour law obligations |
| Compulsory UNILAV communication | Legal Obligation | Exercise of labour law obligations |
| Severance funds | Consent of the person concerned | Consent of the person concerned |
| Payments of union dues | Consent of the person concerned | Consent of the person concerned |
| Personal access code management | Legitimate interest of the Holder | Exercise of labour law obligations |
| Management of inps practices | Legal Obligation | Exercise of labour law obligations |
| Management of protected categories files | Legal Obligation | Exercise of labour law obligations |
| Work grant management | Legitimate interest of the Holder | Exercise of labour law obligations |
| Management of traineeships | Legitimate interest of the Holder | Exercise of labour law obligations |
| Management of medical examinations and receipt of fitness | Legal Obligation | Exercise of labour law obligations |
| Communication of on-call contracts | Legal Obligation | Exercise of labour law obligations |
| Conciliation practices with employees | Legitimate interest of the Holder | Exercise of labour law obligations |
| Post-payroll reporting | Legitimate interest of the Holder | Exercise of labour law obligations |
| Aesthetic technical directors' practices | Legal Obligation | Exercise of labour law obligations |
| Document Management of Board Members | Legal Obligation | Exercise of labour law obligations |
| Management of FONTUR and FONDO EST funds | Legal Obligation | Exercise of labour law obligations |
| Compulsory training | Legal Obligation | Exercise of labour law obligations |
| Vocational Training | Legitimate interest of the Holder | Exercise of labour law obligations |
| Vocational training through regional contributions | Legitimate interest of the Holder | Exercise of labour law obligations |
| Periodic Safety at Work Meetings | Legal Obligation | Exercise of labour law obligations |
| POC management | Legitimate interest of the Holder | Exercise of labour law obligations |
| Management of VAT-registered consultants | Legitimate interest of the Holder | Exercise of labour law obligations |
| Sending Single Certificates | Legal Obligation | Exercise of labour law obligations |
| Tax practice management | Legal Obligation | Exercise of labour law obligations |
| PEC consultation | Legitimate interest of the Holder | N/A |
| Celiac Customer | Consent of the person concerned | N/A |
| poc contracts | Consent of the person concerned | N/A |
| Presence | Legitimate interest of the Holder | N/A |
| Management of Special Diets | Safeguarding the vital interests of the person concerned | Protecting the vital interest of the data subject |
| Birthday | Execution of a contract | N/A |
| POC | Execution of a contract | N/A |