PRIVACY POLICY - BARONE FIDELITY APP
Pursuant to and in accordance with Art. 13 of Reg. (EU) 2016/679

This notice contains the information required under Article 13 of Reg. (EU) 2016/679 on the protection of individuals with regard to the processing of personal data, as well as European or national legislative interventions and/or measures of the supervisory authorities subsequent to the publication of this notice. We therefore invite you to take note of the information notice and express your consent to the processing of your data by signing and returning the attached form.

1. DATACONTROLLER
The Data Controller is BARONE S.R.L. with registered office in Campi Bisenzio (FI), Via dei Confini n. 236 - 50013, tel. 0558826045, e-mail: amministrazione@baronefirenze.it, tax code, VAT number and registration number with the Register of Companies of Florence 06056000489, in the person of its pro-tempore legal representative.

2. DATA PROTECTION RESPONSIBLE (DPO / DPO)
Pursuant to Article 37 of the GDPR. The Data Controller has appointed the Data Protection Officer also known as DPO whose contact details are released (e-mail: dpo@baronefirenze.it) which have also been published in the appropriate section of the company website.

3. LEGAL BASIS AND PURPOSE OF THE PROCESSING
BARONE S.R.L. processes your personal data exclusively for the performance of the company's business and in particular for the following purposes:
a) For the conclusion and execution of the contract concerning our products and/or services, i.e. for purposes strictly related and instrumental to the performance of the necessary pre-contractual activities, the management of the contractual relationship (administrative and accounting activities, customer assistance, complaint management, credit recovery).
b) To comply with legal obligations and requests of the Authorities, as well as to comply with the provisions of current legislation on the prevention and combating of money laundering and financing of terrorism, where applicable.
c) For the processing of statistical analysis and internal market research for which there is no provision for the disclosure of data except for the disclosure of statistics in aggregate and anonymous form.
d) For enrollment in our loyalty program, mandatory personal data will be requested: first name, last name, date of birth, email and cell phone, for the conduct of direct marketing activities through the sending of promotional and advertising material for the purpose of offering our products and services similar to those you have already purchased, sending advertising communications via email, sms, push notifications (on App), WhatsApp Business, including our newsletter.
e) As part of our loyalty program, the data in point d) above will be processed for the prize operation called "Barone Fidelity" to accumulate reward points on both physical and virtual fidelity cards (issued by the App of the same name) and for any instant win or sweepstakes dedicated only to Fidelity Card holders.
f) As part of our loyalty program, the data in point d) above will be processed for profiling purposes in order to improve the commercial offer and services proposed through analysis of consumption habits and choices.

The provision of your data for the purposes referred to in letters a) b) and c) is mandatory as it is necessary for the purposes pursued, failure to provide the data would therefore result in the impossibility of fulfilling these purposes, while the treatments referred to in letters d) e) and f) require your free and specific consent. Regarding the request for personal data for the prize operations referred to in point d) above, the first and last name are used to identify the holder of the fidelity card, the date of birth to settle cases of homonymy, the email as user id for access to the App and the telephone for direct communications with the user in case of winnings.
If we have previously acquired your consent, the same may be revoked at any time by writing to the e-mail address: privacy@baronefirenze.it or by contacting the Data Protection Officer at the e-mail address: dpo@baronefirenze.it or within the Barone Fidelity App by revoking the respective consents independently.

4. METHODS OF THE PROCESSING
The processing of your data will be based on the principles of lawfulness, fairness and transparency and may also be carried out through automated methods designed to store, manage and transmit them accurately and will take place through technical and organizational measures adequate to guarantee their security and protection from unauthorized or unlawful processing, loss, destruction or accidental damage. Your data will be used by appointed data processors and by authorized and properly trained individuals. There will be no automated decision-making processes.

5. COMMUNICATION
For the pursuit of the purposes described in point 3 above, the personal data processed will be known to employees, assimilated personnel and collaborators of the Data Controller, who will act as authorized subjects for the processing of personal data. In addition, your personal data will be processed by third parties belonging to the following categories:
- subjects that take care of administrative and fiscal fulfilments for the Controller;
- companies and consultants that provide legal advice;
- insurance companies and credit institutions;
- external companies that offer services inherent to the verification of creditworthiness, asset soundness, risk profile and regulatory compliance (e.g. anti-money laundering);
- third-party companies that provide logistics services;
- companies that perform technical coordination, support and maintenance of IT systems on our behalf;
- in general, third-party companies that provide assistance on matters related to the existing contract.

PRIVACY POLICY - BARONE FIDELITY APP
Pursuant to and in accordance with Art. 13 of Reg. (EU) 2016/679

The subjects belonging to the above categories operate, in some cases, in total autonomy as distinct Data Controllers, in other cases, as Data Processors specifically appointed by the Data Controller in compliance with Article 28 of Reg. (EU) 2016/679. The complete and updated list of the subjects to whom your personal data may be communicated can be requested at the registered office of the Data Controller. Your personal data will not be transferred to third parties outside the European Union and will not be disseminated.

6. PERIOD OF DATA STORAGE
Your personal data will be retained for as long as you are a member of the loyalty program. Thereafter, your personal data will be retained for a period not exceeding the period of limitation prescribed by law for the purpose of possibly asserting or defending a legal claim against you or third parties, and for the period of time strictly necessary for the pursuit of the specific purposes of the processing referred to in section 3 of this policy and, specifically:

- For the purposes indicated in letter a) b) and c) of par. 3, your personal data will be kept for the time necessary for the completion of the relations subsisting between the parties and thereafter for the period of time determined by the regulations in force; data related to billing will be kept for ten years from the date of billing, after which they will be deleted or pseudonymized.
- For marketing purposes referred to in letter d) of par. 3, your personal data will be transformed into anonymous form 24 months after their registration; data collected and processed for profiling purposes referred to in letter e) will be transformed into anonymous form 12 months after their registration. At any time each user can revoke his or her consent for each of the different contact methods by acting on the appropriate options in the loyalty program App;
- Personal data collected for the prize operation called "Barone Fidelity" referred to in letter e) of point 3, will be kept for the entire duration of the prize operation "Barone Fidelity" and in any case no longer than 24 months.

7. RIGHTS OF THE DATA SUBJECT REFERRED TO IN ART. 15, 16, 17, 18, 20, 21 AND 22 REG. (EU) 2016/679
- Art. 15 - Right of access: the data subject has the right to obtain from the data controller confirmation as to whether or not personal data relating to him or her are being processed and, if so, to obtain access to the personal data.
- Art. 16 - Right to rectification: the data subject has the right to obtain from the data controller the rectification of inaccurate personal data relating to him or her without undue delay. Taking into account the purposes of the processing, the data subject shall have the right to obtain the integration of incomplete personal data, including by providing a supplementary declaration.
- Art. 17 - Right to erasure (right to be forgotten): the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall be obliged to erase the personal data without undue delay.
- Art. 18 - Right to restriction of processing: the data subject has the right to obtain from the data controller the restriction of processing when one of the following occurs:
o a) the data subject disputes the accuracy of the personal data, for the period necessary for the data controller to verify the accuracy of such personal data;
o b) the processing is unlawful and the data subject objects to the erasure of the personal data and instead requests that its use be restricted;
or c) although the data controller no longer needs them for the purposes of the processing, the personal data are necessary for the data subject to establish, exercise or defend a legal claim;
or d) the data subject has objected to the processing pursuant to Article 21(1), pending verification as to whether the data controller's legitimate grounds prevail over those of the data subject.
- Article 20 - Right to data portability: the data subject has the right to receive in a structured, commonly used and machine-readable format personal data concerning him or her that has been provided to a data controller and has the right to transmit such data to another data controller without hindrance from the data controller to whom he or she has provided it. When exercising his or her rights with regard to data portability pursuant to paragraph 1, the data subject has the right to obtain direct transmission of personal data from one controller to another, if technically feasible.
- Art. 21 - Right to object: the data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her pursuant to Article 6(1)(e) or (f), including profiling on the basis of those provisions.
- Art. 22 - Right not to be subjected to automated decision-making, including profiling: the data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or affects him or her in a similar significant way.
The above rights may be exercised against us by writing to privacy@baronefirenze.it or by contacting the Data Protection Officer at: dpo@baronefirenze.it.