Shareholder privacy policy

1. Data Controller

Elica S.p.A.

Via Ermanno Casoli, n.2, 60044 Fabriano (AN)

P.I. AN 00096570429

Certified email address: elicaspa@sicurezzapostale.it

Telephone: +39-07326101

("Company" or "Controller").

2. Data Protection Officer (DPO)

The Data Protection Officer (pursuant to Article 37 of the Privacy Regulation) can be contacted at the following email address: dpo@elica.com (hereinafter "DPO”).

3. Personal data processed and data source

The personal data collected essentially relates to:

• Identification, personal details, and contact information (name and surname, address, telephone number, email address, tax information, etc.);

• Audio recordings of meetings involving the interested party;

• Other non-specific data relating to existing legal relationships, limited to share ownership.

4. Purpose and legal basis of processing

Data processing will be carried out for the proper management of existing contractual and/or business relationships. Specifically, Elica must, in accordance with applicable law, enter the names of Shareholders in the Shareholder Register.

The data is also processed to fulfill legal obligations to which the Company is subject, such as administrative and accounting obligations, in accordance with the requirements of applicable law.

The data may also be processed, if necessary, to ascertain, exercise, and/or defend the Company's rights.

For each of the purposes identified above, the following legal bases are identified:

- for data relating to natural persons, the legal basis is the performance of a contract to which the data subject is a party, pursuant to Article 6.1, letter b) of the GDPR;

- for data relating to legal persons, the legal basis is the legitimate interest of the Data Controller pursuant to Article 6.1, letter f) of the GDPR;

- for data processed to fulfill legal obligations to which the Company is subject, the legal basis is Article 6.1(c) of the GDPR;

- for data that may be processed, if necessary, to ascertain, exercise, and/or defend the Company's rights, the legal basis is the Data Controller's legitimate interest pursuant to Article 6.1(f) of the GDPR.

5. Data retention period

For the entire duration of the contract and for 10 years after termination of the contractual relationship, as per the ordinary limitation period or specific statutory period.

In the event of legal disputes, for the entire duration of the same, until the time limit for appeals has expired.

6. Data provision

The provision of Data is necessary for the conclusion and/or execution of the contractual relationship. Refusal to provide the Data therefore prevents the contractual relationship from being established.

7. Data recipients

The Data may be disclosed to entities acting as independent data controllers, such as public authorities, the Board of Statutory Auditors, independent auditors, or professional firms, or processed on behalf of the Company by entities providing services essential to the pursuit of the aforementioned purposes, designated as data processors pursuant to Art. 28 of the GDPR. Furthermore, the Data is processed by Company employees belonging to the corporate functions responsible for pursuing the aforementioned purposes, who have been expressly authorized to process the data and have received adequate operating instructions.

The data may be processed in particular by employees of the following departments: Information Technology, Investor Relations, and Legal, who will have access as data processors.

The data will be processed by Computershare S.p.A., with registered office at Via Lorenzo Mascheroni 20145 Milan, tax code, VAT number 06722790018.

The processed data will not be disseminated.

8. Transfer of personal data to countries outside the European Union

Where data is transferred to countries outside the European Union (EU) or the European Economic Area (EEA) that have not been deemed adequate by the European Commission, the transfer mechanisms referred to in Article 46 of the GDPR (such as standard contractual clauses) will be used, considering the possible inclusion of "additional measures" to ensure a level of protection substantially equivalent to that required by European Union law.

9. Rights of the Data Subject - Complaint to the Supervisory Authority

By contacting the Data Controller via email at privacy@elica.com, the data subject may exercise the rights recognized by Articles 15-22 of the GDPR, and in particular, may request access to, rectification, integration, or erasure of, their Data, as well as restriction of processing in the cases provided for by Article 18 of the GDPR.

Furthermore, if processing is based on consent or a contract and is carried out by automated means, the data subject has the right to receive the Data in a structured, commonly used, and machine-readable format, and, if technically feasible, to transmit it to another controller without hindrance.

The data subject has the right to object at any time, easily and free of charge, for reasons related to their particular situation, to the processing of their Data in the event of the Data Controller's legitimate interest.

Data subjects have the right to lodge a complaint with the competent supervisory authority in the Member State in which they habitually reside or work or in the State in which the alleged infringement occurred.

 

Il Titolare

ELICA S.p.A.