PRIVACY NOTICE

1. INTRODUCTION

Collina delle Fate SRL (“Collina delle Fate”), with its registered office at Via Giganti 66 – 61034 – Fossombrone (PS), VAT No. 02417480411, which can be contacted by email at the address “customer@collinadellefate.com”, will process the personal data provided by the purchasers of its marketed products and/or the users of its services (“Customers” or “Data Subjects”) in connection with a contract for the sale of goods and/or the provision of services, as well as data provided otherwise within the context of a contractual and/or pre-contractual relationship (“Contract”), unless a different notice regarding the processing of personal data is provided within the same context.

2. TO WHOM AND TO WHAT DOES THIS PRIVACY NOTICE APPLY?

Collina delle Fate is the data controller with respect to the personal data obtained from the Customer, which are processed in accordance with the terms of this notice (“Privacy Notice”) and the applicable legislation. Consequently, this Notice applies to all Customers.

3. WHAT TYPE OF PERSONAL DATA OF CUSTOMERS IS COLLECTED?

Collina delle Fate collects the following categories of personal data:

1. a) first name, last name, gender, contact details (email, telephone number, residential address, billing address);
2. b) place and date of birth;
3. c) tax code;
4. d) identification document (ID card, passport, or driver’s license);
5. e) bank data (credit card details or bank account details).
6. HOW ARE THE CUSTOMERS’ PERSONAL DATA USED?

Collina delle Fate processes the Customers’ personal data for the following purposes:

1. a) for the sale of products and/or the provision of other services arising from the Contract;
2. b) for compliance with applicable national and European legislation, including anti-money laundering and anti-fraud laws;
3. c) for the management of complaints and disputes;
4. d) to assert and defend its rights, including in the context of debt recovery procedures and the assignment of receivables to authorized companies, also through third parties;
5. e) to complete a potential acquisition, merger, transfer of assets, sale of a business or business unit by disclosing and transferring the Customer’s personal data to the involved third party/parties;
6. f) with the prior consent of the Customer, for the sending of marketing communications regarding the products and services offered by Collina delle Fate (for example, by sending promotional material or conducting market research). Marketing communications may be sent both through traditional communication means and digital channels;

The purposes set out in letters a), b) and c) are collectively defined as “Contractual Purposes”.

The purposes set out in letters d) and e) are collectively defined as “Legitimate Interest Purposes”.

The purpose set out in letter f) is also defined as “Marketing Purpose”.

5. WHAT ARE THE LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA?

The processing of the Customers’ personal data is based on Legislative Decree no. 196/2003 (“Privacy Code”) and on EU Regulation no. 2016/679 (“GDPR”).

Data processing is necessary for the Contractual Purposes as it is essential for the performance of the Contract and for complying with the applicable legal obligations. Should the Customer fail to provide the personal data necessary for the Contractual Purposes, Collina delle Fate will not be able to conclude the Contract with the Customer.

The processing of the Customer’s personal data for Legitimate Interest Purposes is carried out in order to pursue Collina delle Fate’s legitimate interest, which is fairly balanced against the Customer’s interest, as the processing is limited to what is strictly necessary for the performance of the required economic operations. Processing for Legitimate Interest Purposes is not mandatory. The Customer may revoke any consent given at any time, in accordance with the procedures indicated in Section 9 of this Privacy Notice. It is noted, however, that personal data may be processed without the Data Subject’s consent if the processing is necessary to pursue a legitimate interest of the Data Controller, in compliance with the Data Subject’s rights and fundamental freedoms. Processing is carried out in compliance with the principle of proportionality, and the Data Subject’s rights or fundamental freedoms do not override this interest. The Data Subject maintains the right to object at any time to the processing for reasons related to their particular situation.

Providing data for Marketing Purposes is optional. In the absence of consent, the Customer will not receive commercial communications. The Customer may revoke any consent given at any time, in accordance with the procedures indicated in Section 9 of this Privacy Notice.

6. HOW ARE THE CUSTOMERS’ PERSONAL DATA PROCESSED?

Customers’ personal data may be processed using manual or automated tools that are suitable to ensure their security and confidentiality, and to prevent unauthorized access, dissemination, modification, or removal of data through the adoption of appropriate technical, physical, and organizational security measures. Under no circumstances will the Customers’ personal data be subject to any fully automated decision-making process, including profiling.

7. WHO CAN ACCESS THE CUSTOMERS’ PERSONAL DATA?

For the Contractual Purposes mentioned above, Customers’ personal data may be transferred to the following categories of recipients, located within and, subject to the limits set forth in Section 8 of this Privacy Notice, outside the European Union:

1. a) third-party service providers offering assistance and consultancy services to Collina delle Fate in the accounting, administrative, legal, insurance, and IT sectors;
2. b) banks and credit card issuers;
3. c) entities and authorities whose right to access Customers’ personal data is expressly recognized by law, by regulations, or by provisions issued by the competent authorities. Depending on the circumstances, such recipients will process the personal data as controllers, processors, or data agents.

For the Legitimate Interest Purposes mentioned above, Customers’ personal data may be transferred to the following categories of recipients, located within and, subject to the limits set forth in Section 8 of this Privacy Notice, outside the European Union:

1. a) third-party service providers offering assistance and consultancy services to Collina delle Fate regarding debt recovery and the assignment of receivables;
2. b) potential buyers of Collina delle Fate and entities resulting from a merger, demerger, or any other form of transformation involving Collina delle Fate;
3. c) competent authorities.

For the Marketing Purposes mentioned above, Customers’ personal data may be transferred to the following category of recipients, located within and, subject to the limits set forth in Section 8 of this Privacy Notice, outside the European Union:

1. a) third-party service providers offering assistance and consultancy services to Collina delle Fate regarding the sending of commercial communications;

The external data processors appointed by Collina delle Fate can be obtained, upon request, by the methods indicated in Section 9 of this Privacy Notice.

8. ARE CUSTOMERS’ PERSONAL DATA TRANSFERRED ABROAD?

Customers’ personal data may be freely transferred outside the national territory to countries within the European Union. With regard to transfers outside the European Union to countries not deemed adequate by the European Commission, Collina delle Fate adopts appropriate security measures to protect the Customers’ personal data. Consequently, any transfer of Customers’ data to countries outside the European Union will, in any case, be carried out in compliance with the appropriate guarantees necessary for such transfer, such as the standard data protection contractual clauses, pursuant to the applicable legislation and in particular the GDPR.

9. WHAT ARE THE RIGHTS OF CUSTOMERS REGARDING THEIR PERSONAL DATA?

The Customer may contact Collina delle Fate at any time and free of charge by sending an email to “customer@collinadellefate.com”, in order to exercise the following rights:

– Right of Access

The Data Subject has the right to know:

1. a) whether processing of his/her data is taking place,
2. b) which data are processed,
3. c) for what purposes,
4. d) to whom they are disclosed,
5. e) and for how long they will be retained.

– Right to Rectification

The Data Subject may request correction of inaccurate data or completion of incomplete data.

– Right to Erasure (“Right to be Forgotten”)

The Data Subject may request the deletion of personal data when:

1. a) they are no longer necessary for the purposes for which they were collected,
2. b) consent has been withdrawn,
3. c) he/she objects to the processing and there are no overriding legitimate grounds,
4. d) the data have been processed unlawfully.

– Right to Restrict Processing

The Data Subject may request that the data be stored only, without being processed for other purposes, if:

1. a) the Data Subject contests the accuracy of the personal data, for the period necessary for the Controller to verify their accuracy;
2. b) the processing is unlawful and the Data Subject objects to the deletion of the personal data, instead requesting that its use be restricted;
3. c) although the Controller no longer requires the data for processing purposes, the personal data are necessary for the Data Subject to establish, exercise, or defend a legal claim;
4. d) the Data Subject has objected to the processing, pending verification as to whether the Controller’s legitimate interests prevail over those of the Data Subject.

During the restriction period, the personal data will only be stored and will not be processed for other purposes, except for judicial protection or for the protection of the rights of another natural or legal person.

– Right to Data Portability

The Data Subject can receive the personal data provided to the Controller in a structured, commonly used and machine-readable format and transfer them to another Controller.

– Right to Object

The Data Subject may object, at any time, to the processing of his/her data for reasons related to his/her particular situation, if the processing is based on:

1. a) the Controller’s legitimate interest;
2. b) direct marketing purposes (in which case the objection is absolute and no justification is required).

– Right not to be Subject to Automated Decision-Making

The Data Subject has the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.

– Right to Lodge a Complaint

The Data Subject may always lodge a complaint with the Data Protection Authority (www.garanteprivacy.it) if he/she believes that his/her rights have been violated.

Collina delle Fate has not appointed a Data Protection Officer, as such an appointment is not mandatory under current legislation.

10. DATA RETENTION TERMS APPLICABLE TO CUSTOMERS

Customers’ personal data will be retained for the period necessary to pursue the purposes for which such data were collected, as stated in this Notice. In any case, the following retention periods will apply with respect to the processing of Customers’ personal data for the purposes specified below:

1. a) For Contractual and Legitimate Interest Purposes, Customers’ personal data are retained for a period equal to the duration of the Contract (including any renewals) and for ten years following its termination, resolution, or withdrawal, except where a longer retention period is required for potential litigation, requests from competent authorities, or pursuant to applicable legislation;
2. b) For Marketing Purposes, Customers’ personal data are retained for the duration of the Contract and for twenty-four months after its cessation.
3. CHANGES AND UPDATES

This Privacy Notice is updated as of 10 April 2025 and may be subject to modifications and additions.

Customers may view the constantly updated text of the Privacy Notice on the Collina delle Fate website (www.collinadellefate.com).