MEF S.r.l. with legal headquarters in Naples, Via F. Caracciolo, 17 80122 (hereinafter “Data Controller”), as data
controller, informs you in conformity with Article 13 D.Lgs. 30.6.2003 n. 196 (hereinafter, “Privacy Law”) and Article 13 EU Regulation n. 2016/679 (hereinafter, “GDPR”) that your data will be processed with the modalities and purposes as follows:

1. Data Subject

The Data Controller processes the personal and identification data (for example, name, surname, business name, address, telephone number, e-mail, bank and payment references) – hereinafter “personal data” or data”) communicated by you when concluding contracts/commercial agreements for services from the Data Controller.

2. Purpose of the data processing

Your personal data are processed:

A) without your express consent (Article 24 subsection a), b), c) Privacy Law and Article 6 subsection b), e) GDPR), for the following Service Purposes:
- closing contracts/commercial agreements for services by the Data Controller;
- fulfilling the pre-contract, contract, accounting and fiscal obligations deriving from ongoing relations with you;
- fulfilling obligations foreseen by law, by a regulation, by an EU regulation or by an order by the Authorities (as, for example, the law on money laundering);
- exercising the rights of the Data Controller, for example the right to defend himself in a lawsuit;

B) only after your specific and distinct consent (Articles 23 and 130 Privacy Law and Article 7 GDPR), for the following Marketing Purposes:
- sending by e-mail, post and/or text and/or telephone, newsletters, commercial communications and/or
advertising material on the products or services offered by the Data Controller and establishing the degree of
satisfaction on the quality of the services;
- sending you by e-mail, post and/or text and/or telephone contact commercial and/or promotional
communications of third parties.
We advise you that if you are already our customers, we can send you commercial communications relative to the
services and products of the Data Controller similar to those you have already received, except if you dissent (Article
130 subsection 4 Privacy Law).

3. Processing Modality

The processing of your personal data has been carried out as indicated by Article 4 Privacy Law and Article 4
subsection 2) GDPR and precisely : collecting, recording, organizing, storing, consulting, elaborating, modifying,
selecting, extracting, comparing, using, interconnecting, blocking, communicating, deleting and destroying the data.
Your personal data are subjected to hard and electronic and/or automated processing.
The Data Controller will hold the personal data for the time necessary to fulfil the above-mentioned purposes and in
any case for no longer than 10 years after the end of relations for Service Purposes and for no longer than 5 years
after collection for Marketing Purposes.

4. Access to Data

Your data may be made accessible for the purposes stated in Article 2.A) and 2.B):
- to employees and collaborators of the Data Controller in Italy and abroad, as internal delegate and/or responsible
for the processing and/or systems administrator;
- To third party companies or other subjects (for example, banks, professional offices, consultants, insurance
companies for insurance services, etc.) who carry out outsourcing activity on behalf of the Data Controller, in their
duties as external members responsible for data processing.

5. Data Communication

Without express consent (Article 24 a), b), d) Privacy Law and Article 6 b) and c) GDPR), the Data Controller can
communicate your data for the purposes as per Article 2.A) to Supervisory Bodies (such as IVASS, Agenzia delle
Entrate), Judicial Authorities, to insurance companies for insurance services, as well as to those to whom communication is compulsory by law and to carry out said purposes. These subjects will hold the data as independent processors of the data.

Your data will not be made public.

6. Transfer of Data

The Personal Data are stored on the server in NAPLES. It is understood in any case that the Data Controller, when
necessary, will have the right to move the server even outside the EU. In this case, the Data Controller ensures from
now that the transferral of data outside the EU will come about in conformity with the laws applicable, after stipulation of the standard contractual clauses foreseen by the European Commission.

7. Nature of the data conferral and consequences of refusal to reply

Data conferral for purposes relating to Article 2.A) is compulsory. In its absence, we cannot guarantee you the
services stipulated in Article 2.A).
Data conferral for the purposes relating to Article 2.B) is instead optional. You can therefore decide not to give any
data or to subsequently deny the right to process data already given: in this case, you cannot receive newsletters,
commercial communications and advertising material relating to the services offered by the Data Controller. You will
continue however to be entitled to the Services relating to Article 2.A).

8. The rights of the interested party

As the interested party, you will have the right regarding Article 7 Privacy Law and Article 15 GDPR and precisely the
right to:

i. obtain confirmation of the existence or not of personal data relating to you, even if not yet recorded and
their communication in an intelligible form;

ii. obtain the indication: a) of the origin of the personal data; b) of the purposes and modality of processing;
c) the logic applied in the case of processing carried out with the help of electronic tools; d) the identification of the
owner, of the people in charge and of the data processor as stated in Article 5, subsection 2 Privacy Law and Article
3, subsection 1, GDPR; e) of the subjects or categories of subjects to whom the personal data may have been
communicated or may have knowledge of in the role of designated representative in the territory of the State, of
people in charge of the data or employees;

iii. obtain: a) an update, rectification or, if interested, integration of the data; b) erasure, transformation to
an anonymous form or a blocking of all the data processed in violation of the law, including those for which
conservation is not necessary in relation to the purposes for which the data was collected or subsequently processed;
c) a declaration that the operations relating to subsections a) and b) have been notified, also concerning their
content, to those to whom the personal data was communicated or made public, except in the case that this proves
impossible or entails the employment of means manifestly disproportionate compared to the right protected;

iv. to oppose, in all or in part: a) for legitimate reasons to the processing of personal data that involve you, even if pertinent to the purpose of the collection; b) to the processing of personal data that involve you with the purpose of sending advertising material or direct sales material or to carry out market research or commercial communication, using automatic calling systems without the presence of an operator using e-mail and/or traditional marketing modalities using a telephone and/or the postal services. We state that the right to oppose by the interested party, shown in the preceding point b), for direct marketing purposes using an automated modality is extended to the traditional modality and that in any case the interested party can exercise the right to oppose also only in part. Therefore, the interested party can decide to receive only communications by traditional modality or only automated communications or neither of the 2 types of communication.

Where applicable, he also has the rights mentioned in Articles 16-21 GDPR (the right of rectification, the right to be
forgotten, the right to a limitation of processing, right to the portability of the data, right to oppose), besides the
right to apply to the Supervisory Authority.

9. Modality of exercising rights

You can at any time exercise your rights by sending:
- a registered letter to MEF S.r.l., Via F. Caracciolo,17 80122, Naples
- an e-mail to

10. Data Controller, Data processor, and employees

The Data Controller of the processing is MEF S.r.l., with legal headquarters and operating headquarters in Naples, Via F. Caracciolo, 17 80122.
An updated list of the people in charge of the data, of data protection and employees is kept in Naples, Via F. Caracciolo, 17 80122.