pursuant to art. 13 of the EU General Data Protection Regulation 679/2016 hereinafter referred to as GDPR.

This Policy is general and concerns all the processings included in the web application or mobile device application (hereinafter ‘Application’): please, refer to the specific policies of each processing with the related consent request where needed.

Tecnostaf S.r.l. Cda Solagne, 2 66040 Roccascalegna (CH) VAT number: 02276110695as the Controller, informs you, under the EUGeneral Data Protection Regulation n. 2016/679 (hereinafter, “GDPR”), that your data will be processed in accordance with the procedures and for the following purposes according to the definitions listed below:

Processing: means any operation or set of operations which is performed on personal data, whether or not by automated means, suchas collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable naturalperson is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines thepurposes and means of the processing of personal data;

Data subject: the User, natural person, who uses the application

Application: hardware or software tool used to collect the User Personal Data, namely a website, an application for mobile devices or aweb based software.

Form: it is a word used to identify the interface of an application enabling the client User to enter and send to the web server one or moredata freely typed by him/her. It’s more commonly known as “form to be completed” in order to enter data.

1. IDENTITY OF THE CONTROLLER AND OF THE LEGAL REPRESENTATIVE PRO-TEMPORE (under art. 13, par. 1 lett. a)

Controller: Tecnostaf S.r.l. its legal representative Mr Giancarlo Di Lello, registered office: Cda Solagne, 2 66040 Roccascalegna (CH),

mail: info@tecnostafsrl.com PEC tecnostafsrl@pec.it

2. DATA PROTECTION OFFICER (UNDER art. 13, par. 1 lett. b) WHERE APPLICABLE

Not applicable

3. PROCESSINGS

PURPOSE: Contacting the user

The application includes specific forms that, once filled in with the contact details, allow the user to be contacted by the Controller in order to receive information.

Personal data collected: contact data and IP address.

Nature of the provision of data and consequences of failure to provide such data under art. 13 par. 2 lett. e) GDPR: the provisionof data for this purpose is mandatory. The failure to provide the required data shall not allow the service to be provided.

Consent: for the implementation of this purpose no explicit consent is required, which shall be considered to be given by entering thecontact data.

Period for which the personal data will be stored under Art. 13, par. 2 lett. a) GDPR: the data are processed for the time necessaryto provide the service requested by the user or required by the purposes described in this document and in any case no later than 12 months from collection.

Legal basis for the processing: the processing is necessary under Art.6 par.1 lett. b) of the EU General Data Protection Regulation679/2016 (GDPR).

Processing recipients: authorized staff of the company commercial area, company staff in charge of the application management andof the communication with the users via email.

PURPOSE: Marketing activity

By subscribing our mailing list or newsletter, the email address, the telephone number or the address of the User are automatically added to a list of contacts to which send emails, or printed materials – including commercial and promotional information – can be sent.

Personal data collected: contact data and IP address.

Nature of the provision of data and consequences of failure to provide such data under art. 13 par. 2 lett. e)GDPR: the provisionof data for this purpose is optional and it does not affect the fulfillment of your requests and the performance of the contracts, but it will

preclude the transmission of marketing communications by the Controller.

Consent: for the implementation of this purpose an explicit consent is required, which is given by filling in a specific form in theapplication.

Period for which the personal data will be stored under art. 13, par. 2 lett. a) GDPR: the data are processed for the time necessaryto provide the service requested by the user or required by the purposes described in this document and in any case no later than 12 months from collection.

Legal basis for the processing: EU General Data Protection Regulation 679/2016.

Processing recipients: Company staff in charge of the application management, of the marketing systems and the staff in charge of thecustomer service. The updated list of the abovementioned recipients is available at the Controller office and may be requested sending an email to the following address: info@tecnostafsrl.com or by registered letter to: Tecnostaf S.r.l., Cda Solagne, 2 66040 Roccascalegna (CH).

PURPOSE: Statistics and marketing

The services in this section allow the Controller to monitor and analyse the traffic data and to track the User’s behavior in order to send commercial communications about products and services, to carry out direct marketing activities using the analysis results or profiling. This makes it possible to process, in a partially or totally automated way, the personal data and the consumption habits in order to propose offers that meet the User’s personal needs.

Personal data collected: contact data, usage data, User preferences and IP address.

Nature of the provision of data and consequences of failure to provide such data under art. 13 par. 2 lett. e) GDPR: the provisionof data for this purpose is optional and it does not affect the fulfillment of your requests, the performance of the contracts or other services provided by the Controller.

Consent: for the implementation of this purpose an explicit consent is required, which is given by filling in a specific form in theapplication.

Period for which the personal data will be stored under art. 13, par. 2 lett. a) GDPR: the data are processed for the time necessaryto provide the service requested by the User or required by the purposes described in this document and in any case no later than 14 months from collection.

Legal basis for the processing: consent under art.6 par.1 lett. a) of the EU General Data Protection Regulation 679/2016 (GDPR).

Processing recipients: company staff in charge of the application management and of the management of direct marketing campaignsand promotional activities. Third-party companies of data analysis. The list of the recipients is available at the Controller office and may be requested sending an email to the following address: info@tecnostafsrl.com or by registered letter to: Tecnostaf S.r.l., Cda Solagne, 2 66040 Roccascalegna (CH).

4. COLLECTED DATA PROCESSING METHODS

The processing is performed through IT and/or telematic tools with methods of organization and rationale strictly connected to the specified purposes.

5. WITHDRAWAL OF CONSENT

You have the right to withdraw any previously expressed consent at any time and the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal in accordance with art. 7 par. 3 of the EU Regulation 679/2016.

6. EXERCISE OF THE RIGHTS OF THE DATA SUBJECT

With regard to the processings described in this Policy, as a data subject you may exercise, under the terms of the GDPR, the rights laid down in articles from 15 to 21 of the GDPR and, in particular, the following rights:

Right of access – article 15 of the GDPR: the right to obtain confirmation as to whether or not personal data concerning you are beingprocessed, and, where that is the case, access to the personal data and have a copy of them.

Right of rectification – article 16 of the GDPR: the right to obtain without undue delay the rectification of inaccurate personal dataconcerning you and to have incomplete personal data completed.

Right to erasure (‘right to be forgotten’) – article 17 of the GDPR: the right to obtain the erasure of personal data concerning you withoutundue delay.

Right of restriction of processing – article 18 of the GDPR: the right to obtain restriction of processing where:

the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;

the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

the personal data are required by the data subject for the establishment, exercise or defence of legal claims;

the data subject has objected to processing pursuant to Article 21 of the GDPR pending the verification whether the legitimate grounds of the Controller override those of the data subject.

Right to data portability – article 20 of the GDPR: the right to receive the personal data concerning you, which you have provided to aController, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance where the processing is based on consent and is carried out by automated means. Furthermore, you shall have the right to have your personal data transmitted directly from one Controller to another, where technically feasible.

Right to object – article 21 of the GDPR: the right to object, on grounds relating to your particular situation, at any time to processing ofpersonal data concerning you based on the conditions governing the lawfulness of the legitimate interest or of the performance of a task carried out in the public interest or in the exercise of official authority, including profiling, unless there are legitimate grounds for the Controller to go on with the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Moreover, the right to object at any time to processing of personal data concerning you where personal data are processed for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.

The rights referred to above may be exercised against the Controller through the aforesaid contact points.

The exercise of your right, as the data subject, is free of charge pursuant to art. 12 of the GDR. Nevertheless, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may charge a reasonable fee taking into account the administrative costs of providing the information requested or refuse to act on the request.

7. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY (under art.13 par. 2 lett. d) and art. 77 of the GDPR)

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. The supervisory authority shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to art. 78 of the GDPR.

8. MODALITIES FOR THE EXERCISE OF THE RIGHTS

In order to exercise the abovementioned rights, the data subject shall send written communication through registered letter or registered email or email to the Controller referred to in art. 1 of this Policy.

Notice is hereby given that, pursuant to art. 12 par. 5 of the GDPR, the information in this document and any communications and actions taken pursuant to art. from 15 to 22 and art. 34 of the GDPR, shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive or repetitive, the controller may either a): charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or b) refuse to act on the request. The Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

9. LEGAL INFORMATION

This Policy has been drawn up in fulfillment of the obligations under the EU Regulation n. 679/2016 and the legal basis of the processing consists in the consent under art. 6 par.1 lett.a) of this Regulation. This Privacy Policy concerns exclusively this Application.