PRIVACY POLICY

Welcome to ACS Data Systems Spa.

The purpose of this Privacy Policy (hereinafter referred as “Policy”) is to explain to you in a simple and transparent way what personal data we collect and how we use and manage it during our business activities in order to provide you with the best possible service. We act in your best interest and are committed to protect and securely store any personal data you provide to us. We will also provide you with our contact details for any queries you may have in relation to personal data. If you do not agree with the contents of this Policy, please suspend your use of ACS services.

This Privacy Policy complies with the provisions of the General Data Protection No. 2016/679 and with the Italian Privacy regulations pursuant to Legislative Decree No. 196/2003, as amended. For ease of understanding and overview, it is divided into thematic sections.

Fundamental principles and security in processing

One of our primary goals is to ensure the protection of your personal data.

Therefore, in accordance with Article 5 of the European General Data Protection Regulation No. 2016/679, we ensure that the data: a) are processed lawfully, fairly and in a manner comprehensible to the data subject by ACS, b) are adequate, relevant and limited to what is necessary for the purposes of the processing, c) are accurate and, where necessary, kept up to date, d) are collected only for specified, explicit and legitimate purposes.

ACS Data Systems Spa uses separate procedures and systems to protect the stored personal data. Access to personal data is only permitted to authorized employees within the scope of their work activities.

Specific security measures have been taken to prevent the loss, unlawful or incorrect use of and unauthorized access to personal data and to ensure its security and confidentiality. In addition, security procedures and physical restrictions have been implemented at the technical level to prevent access to and use of personal data stored on our servers.

Data Controller and Data Protection Officer

The Data Controller is ACS Data Systems Spa with registered office in 39100 - Bolzano (BZ), Via Luigi Negrelli 6 (hereinafter "ACS" or "Controller").

To exercise your rights listed in the “Data Subjects Rights” section of this Privacy Policy and for any other requests, you may contact the Controller in the following ways:

• by mail to: ACS Data Systems Spa, Via Luigi Negrelli. 6, 39100 - Bolzano
• by e-mail to: privacy@acs.it
• by certified e-mail to: info@pec.acs.it

The Controller has appointed a Data Protection Officer ("DPO") whom you may contact to exercise your rights or to obtain further information on these rights and on this Privacy Policy as follows:

• by mail to: ACS Data Systems Spa, Via Luigi Negrelli 6, 39100 - Bolzano - to the attention of the Data Protection Officer
• by e-mail to: privacy@acs.it
• by certified e-mail to: info@pec.acs.it

Persons with authority to process data

Personal data may be processed by employees and collaborators of the various business functions of the Controller, including Sales and Purchasing, Administration and Accounting, IT, Marketing, and Human Resources. The employees and collaborators in question have been explicitly authorized to process the data, have received appropriate instructions on how to do so, and have been sensitized and trained in this regard.

Area of application

This Policy describes our arrangements for processing data and information relating to individuals who belong to or may be associated with one or more of the following categories: customers or potential customers, suppliers, business partners, users of ACS websites, platforms and other online ACS-applications that contain a reference or link to this Privacy Policy (hereinafter referred to as "Data Subject" for short).

Purpose of the data processing and legal basis for the processing

Personal data may be processed for the following purposes:

• to enter into and execute contracts, or to execute pre-contractual measures taken at the request of the Data Subject, as well as to fulfill contractual and legal obligations related to the following purposes (e.g. managing orders, requesting contact details of customers and suppliers, carrying out agreed payment methods, ensuring regular invoicing and keeping customer and supplier accounts, customer care and management of any complaints, etc.)

Legal basis: performance of a contract ex art. 6 letter b) of the GDPR, and legal obligation ex art. 6 letter c) of the GDPR

• internal needs of operational, organizational and managerial type, (e.g. compilation of master data and archiving, asset management, compilation of statistics and internal reports, insurance needs, etc.)

Legal basis: legitimate interest ex art. 6 letter f) of the GDPR aimed at carrying out our economic activity

• to carry out personnel selection processes and correctly evaluate the application of the interested party to a specific job offer, or sent spontaneously to the Controller, through the examination of the curriculum vitae and other documents (e.g. application form, cover letter etc.) containing personal data of the interested party.

Legal basis: pre-contractual ex Article 6 letter b) of the GDPR

• to detect the degree of customer satisfaction on the quality of services and products provided by ACS, through surveys, questionnaires, studies, and market surveys.

Legal basis: consent of the Data Subject ex art. 6 letter a) of the GDPR, optional and revocable at any time; legitimate interest ex art. 6 letter f) of the GDPR for products or services like the object of the contract by e-mail, with the right to object from the first communication or at the time of subsequent communications (so-called soft spam, art. 130, paragraph 4, Privacy Code and s.m.i.)

• “direct” marketing: advertising campaigns (e.g. on initiatives and events, new products and services as well as new offers) through traditional or automated methods of contact (e.g. letters and advertising material, newsletters, e-mails etc.)

Legal basis: consent of the Data Subject pursuant to art. 6 letter a) of the GDPR, optional and revocable at any time; legitimate interest pursuant to art. 6 letter f) of the GDPR for products or services similar to the object of the contract by e-mail, with the right to object from the first communication or on the occasion of subsequent communications (so-called soft spam, art. 130, paragraph 4, Privacy Code and s.m.i.)

• documentation and promotion of events organized by ACS through recordings and publication of content and multimedia material (e.g. audio, video, photographs and statements made by the Data Subject).

Legal basis: consent of the Data Subject ex art. 6 letter a) of the GDPR, optional and revocable at any time

• protect credits and manage any debts, and in general defend the rights and interests of the Controller during any extrajudicial and judicial disputes, including in the context of disputes arising in relation to the services offered.

Legal basis: legitimate interest ex art. 6 letter f) of the GDPR aimed at protecting its rights and preventing unlawful

• fulfillment of legal obligations of any nature (civil, fiscal, tax etc.), arising both from national legislation, and from EU and international legislation.

Legal basis: legal obligations ex art. 6 letter c) of the GDPR

Personal data collected

The Controller may collect and process the following types of data for the purposes indicated above:

• so-called "common" personal data, by way of example only personal data (name, surname, language, e-mail address and telephone numbers, etc.), data relating to the type of work, salary, company role and personal interests, user data when registering on the Controller's portals or platforms, data relating to the type of use of services, audio, photos, videos and images or statements and information voluntarily released by the Data Subject.

Origin of data collection

The Controller usually collects data directly from the Data Subject (e.g. through web pages or social profiles of the Controller, registration to its own platforms or portals, compilation of contractual documentation, etc.). The Controller may also process data that have been collected from third parties (e.g. through the acquisition of data from external databases for commercial information, public lists, subsidiaries, etc.). In the latter case, the Controller will provide this privacy policy at the first useful contact with the Data Subject.

Method and place of processing

In relation to the purposes previously indicated, personal data may be processed on paper, or by means of computer and telematic tools (e.g. e-mail, newsletters, use of management software, registration on our websites or on our platforms, etc.), ensuring in any case the security and confidentiality of data processed, in full compliance with current regulations.

The personal data processed are usually subject to decision-making based on human intervention, but they could also be subject to partially automated decision-making. In the latter case, human involvement is in any case ensured through effective control by persons who have the authority and competence to intervene in the final decision. Specific security measures are observed to prevent data loss, illegal or incorrect use and unauthorized access.

The personal data collected or voluntarily communicated by the Data Subject are processed by the Controller within the European Economic Area (EEA).

Period of data retention

Personal data will be processed by the Controller for a period strictly necessary to achieve the purposes set forth in this Policy. This means that the data collected will be destroyed or deleted from the systems or archives of the Controller, should their retention no longer be necessary, and in any case not beyond the terms provided for by law.

Area of communication and diffusion

In relation to the above purposes, personal data will be communicated, if necessary, to third parties such as, by way of example:

• companies related to, controlled by and controlling of ACS; Information on these companies is indicated here;
• Public Administrations and/or Judicial or Police Authorities, where required by law or to prevent or repress the commission of a crime;
• Credit institutions with which the Controller has relationships for the management of credits/debts and financial intermediation;
• suppliers/manufacturers in order to register products or to provide you with our services;
• third parties who perform complementary activities for the provision of ACS services;
• to business partners who support ACS in the creation of events, for organizational purposes and in any case auxiliary to the management of the event, or to allow ACS to have feedback on the outcome of the event itself;
• to all those natural person and/or private and/or public legal entity (e.g. legal, administrative and fiscal consulting firms, judicial offices, Chambers of Commerce, etc.), when the communication is necessary or functional to the carrying out of our activity.

The personal data processed by our company are not subject to disclosure. ACS does not sell or give away your personal data.

Data Subjects Rights

At any time, as a Data Subject, you may exercise your rights vis-à-vis the Controller, provided for in Articles 15 to 22 of the GDPR, where applicable, namely:

• obtain access to personal data concerning you (art. 15 GDPR);
• rectification of inaccurate personal data and completion of incomplete personal data (art. 16 GDPR);
• erasure of personal data concerning you (art. 17 GDPR);
• restriction or block of the processing of personal data concerning you (art. 18 GDPR);
• requesting a copy of the personal data concerning you, and, if technically feasible, the transmission of the same to another data controller, in a structured, commonly used and readable format [so-called data portability] (art. 20 GDPR);
• object to processing, in whole or in part, for a legitimate reason, of personal data concerning you (art. 21 GDPR).

With regards to the methods of exercising the rights provided for, you may send a request with the subject: "exercise privacy rights" to the Controller or the Data Protection Officer, at the addresses provided in the above Information Notice.

Please note that you have the right to lodge a complaint to the Italian Data Protection Authority through the website www.garanteprivacy.it., or with the supervisory authority in the Member State in which you normally reside or work or in which the alleged violation occurred (art. 77 GDPR).

Accessibility of the Policy

The complete Policy is accessible at https://infinitys.it/en/privacy-policy/, as well as in paper or digital format at the registered office of the Controller. If expressly requested by the Data Subject, the information may also be provided orally, provided that the identity of the applicant is proven.

Amendments to this Policy

This Policy may be subject to amendments and additions, also to incorporate changes in national and/or European Union legislation. To stay up to date, please visit this page regularly. If substantial changes are made to this Policy, for example changing the purposes of processing and / or categories of data processed, the Controller will inform you, requesting, if necessary, consent to treatment.

Use of the Controller’s website

In addition to the provisions set out in the preceding paragraphs, the following provisions apply to the processing of personal data relating to users and visitors (hereinafter also only "User" or "Users") of the INFINITYS website (hereinafter also only "Website").

When you visit one of our websites, fill in the registration forms to use certain services or receive information, or access restricted areas Personal data is collected and processed in full compliance with the fundamental principles and security policies set out above.

Typology of data processed electronically

Internet browsing data

The information systems and software procedures used to operate the Website gather, during their normal operation, some personal data, the transmission of which is involved in the use of Internet communication protocols. This information is not collected in order to be linked to identified data subject, but by its very nature could, through processing and association with data held by third parties, allow Users to be identified. This category of data includes, for example, IP addresses or the domain names of the computers used by Users who connect to the Website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, and other parameters relating to the User's operating system and computer environment.

These data are used solely for the purpose of obtaining statistical information on the use of the Website, to check its correct functionality and to allow you to take advantage of certain services on the Website itself. Furthermore, the data is used in an anonymous form, without automatic association with any other information provided by the User. The legal basis of the processing is the legitimate interest of the Controller ex art. 6 letter f) of the GDPR. Their storage will take place for the time strictly necessary to pursue the above-mentioned purposes, and in any case not beyond the terms of the law.

The data in question could be used to verify responsibility in the event of any computer crimes that create damage to our Website and its Users.

Cookies

In addition to the technical cookies necessary for navigation and functional to the provision of the service requested by the User, the Website may use analytical, profiling and third party cookies. For the full information on the cookies used on our Websites, please refer to the ACS Cookie Policy in this section.

Links to Third-Party Websites

The Website may provide additional information with links to third party applications, products, services, or web pages that are not specifically covered by this Privacy Policy (hereinafter "Third Party Website" or "Third Party Websites"). By clicking on these links, you leave the Website; on Third Party Websites the Controller does not exercise any control about the application of the rules on the protection of personal data. Therefore, in order to obtain more details about the purposes and methods of processing, the rights that can be exercised and the storage of personal data, please consult the privacy policy of the relevant Third-Party Website. In the event that the Owner becomes aware, directly or through a report, of a link with illicit content, it will be removed from the Website, if technically possible.

Interaction with social networks and third-party platforms

The Website may use so-called "social plug-ins", namely special tools that allow you to embed the functions of social networks directly on a website (e.g. the Facebook "like" button, YouTube widgets, Twitter, LinkedIn). Each of the social plug-ins on the Website is identifiable by the proprietary logo of the social platform. If you interact with the social plug-in, the information referring to you is directly communicated to the social platform which processes your data as autonomous owner. Therefore, in order to obtain more details about the purposes and methods of processing, the rights that can be exercised and the storage of personal data, please refer to the privacy policy of the respective social network.

Data voluntarily provided by the User

The voluntary, explicit, and optional sending of e-mails to the addresses indicated on the Website implies the subsequent acquisition of the e-mail address and of the User's data necessary to reply to the requests, as well as any other personal data included in the communication.

Contact Form, Newsletter and commercial communications

The User's data - by way of example, e-mail address, company name, telephone number, etc.. - will be processed by the Controller:

a) for the handling of requests related to the performance of the contract of which you are a part, including the pre-contractual stages (e.g. response to your request for contact, technical support), as well as

b) for sending, through various communication media (e.g. e-mail, SMS and MMS, fax etc.), information about our products, services, events and other initiatives that we believe to be of interest to you. If you subscribe to our newsletter by filling out the form on the Website, you will consent to the sending of periodic electronic communications of an informative or commercial nature related to our business, including advertising and informative material, commercial and marketing communications, invitations to internal or external events and for participation in market research.

The legal Basis of the treatment is, with reference to point a), pre-contractual ex art. 6 letter b) of GDPR, whereas, with reference to point b) is the consent of the interested party ex art. 6 letter a) of GDPR, optional and revocable at any time, as well as the legitimate interest of the Controller ex art. 6 letter f) of GDPR to promote directly to its customers products or services, similar to those sold or provided, through e-mail communications (so-called “soft spam”). In case of commercial communications or subscription to the newsletter, you can always refuse the sending of communications, or unsubscribe from the newsletter (including through the use of the “opt-out” function present within each e-mail received). In this way, you will declare that you no longer wish to receive messages and to delete your personal data from the contact list held by the Controller. The memorization of the collected data will take place until the express withdrawal of consent by the Data Subject, and in any case not beyond the terms of the law.

Minor visitors

Our Website and applications provide content of a commercial nature and are specifically intended and designed for use by adults. We recognize the need to protect data relating to children, particularly in the online environment, and, therefore, we would like to inform you that consent to process is only applicable if you are an adult or a child 16 years of age or older.

Last update: 26/10/2021