Privacy Policy ex Law 21/12/2018, n. 171 of the Republic of San Marino

Dear Customers, Suppliers, Job Applicants and Web Site Users.

1. Who is the Data Controller

The Data Controller is Dr. Antonio Valentini, with registered office in 47891 Dogana (RSM), Via Tre Settembre, 99 – SM04249 (hereinafter referred to, for the sake of simplicity, as “The Office”), who may be contacted at T. (+378) 0549 909674, F. (+378) 0549 905614, e-mail avalentini@studiovalentini.sm

2. What are a Personal Data and a Processing of a Personal Data

A Personal Data refers to any information by means of which it is possible to identify, or to render identifiable with reasonable ease, a physical person. Indeed, are called Processing of Personal Data those procedures under Article 1, sub. 1, lett. b) Law n. 171/2018 of the Republic of San Marino, and specifically: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure and destruction of Data.

3. What kind of Personal Data The Office processes

The Office processes Personal Data of its clients, suppliers, physical person (as common Data), or those of the employees of its clients as legal entities, with whom communicates (name, surname and e-mail), and Personal Data of the users of its website: www.hlbssanmarino.com. The Personal Data of the employees of its clients are also processed by The Office for the payroll services. The Office performs this last process as an external Data processor appointed by the client employer (common and particular Data).

4. How your personal Data are processed

Your personal Data shall be processed by The Office according to the principles of fairness and transparency, lawfulness, purpose limitation, Data minimization, accuracy, storage limitation, integrity and confidentiality. The Office processes Data in both printed and electronic form. In such context, the logistic and physical security of the Data and, in general, the confidentiality of the Data processed will be guaranteed, by taking all necessary technical and organizational measures, so as to reduce the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized access to Personal Data transmitted, stored or otherwise processed. The Office does NOT carry out profiling activities with Personal Data, except in case o use of cookies, and anyway Personal Data will NOT be disclosed without previous and explicit consent.

5. Why do we process Personal Data

The Office collects and processes Personal Data, without a specific consent, for the following purposes: a) To complete necessary pre-contractual activities (e.g. sending of quotations, pre-contractual agreement) (lawfulness of processing: execution of pre-contractual activities); b) To carry out contractual and taxation obligations towards yourself (lawfulness of processing: performance of contractual obligation); c) To protect our assets and/or defend our rights on the basis of our legitimate interests (lawfulness of processing: defense of rights / legitimate interest); d) To fulfill legal obligations and Authorities’ requests and to respect legislation in matter of fraud prevention, money laundry etc. (lawfulness of processing: legal obligation); e) To evaluate the curricula of candidates and manage the selection process, if provided at their own free choice (lawfulness of processing: execution of pre-contractual activities); f) To send e-mail regarding the users requests on the web site (lawfulness of processing: execution of pre-contractual activities).

6. Obligation to provide Personal Data

The provision of Personal Data for the purposes set out in previous clause letters a), b), e), f) is NOT obligatory. Should it NOT be provided then contract execution cannot be guaranteed. The provision of Personal Data for the purposes set out in previous clause letters c), d) is instead obligatory.

7. Who is Personal Data communicated to

Without having to obtain express consent, The Office may communicate Personal Data, for the above referred purposes, to judicial authorities, insurance companies (for the provision of insurance-related services), to members of HLB Global Network of which The Office belongs, as well as to parties to which such communication is required by law for the fulfillment of the afore-mentioned purposes. Said parties will process the Data as autonomous controllers. (I.E., finance and budgent departement)

8. Who can access Personal Data

Personal Data may be made accessible for the above- mentioned purposes: – To employees and collaborators of the Controller, in their role as persons responsible for processing and/or internal processors and/or system administrators; – To third parties or other parties (such as, for example, credit institutes, professional offices, consultants, insurance companies for the provision of insurance services, etc.) that carry out activities which have been outsourced by The Office, in their role as external processors.

9. Where are Personal Data stored and where are they transferred to

The Personal Data are processed at the operative premises of the Controller, in 47891 Dogana (RSM), Via Tre Settembre, 99, as well as in any other place where the parties involved in the processing are located, according to the preceding paragraphs. Personal Data are held in electronic form on servers located within the Republic of San Marino or within the European Union. The Office guarantees that the transfer of Data abroad will take place in accordance with applicable legal provisions following on from the stipulation of standard contractual clauses according to the Data security.

10. How long we hold Personal Data for

Your Data will be held in accordance with the principles of proportionality and necessity, and until the purposes for which it was collected have been fulfilled. In any case, the storing time differs according to the purpose of the processing, as described in the table below. – Sending of quotations: 6 years; – Supply of services, purchase of products and services: During the execution of the contract; – Supply of services, purchase of products and services (from the conclusion of the business relationship): 6 years after the business relationship conclusion; – Assets protection – defense of rights: 6 years after the business relationship conclusion; – Sending of information to public authorities: 6 years after the business relationship conclusion; – Candidates profiles evaluation: 6 months from their receipt; – Reply to requests sent via e-mail: 6 years.

11. What are Data Subjects right

Each Data Subject has the right to: a) Know if the Controller holds and/or processes his Personal Data, obtaining information relative to: the origin, category, purposes and method of processing, the recipients to whom such Data can be communicated, the logic applied in the case of processing carried out by electronic means, the period for which Data are held; as well as the right to access the same in its entirety and obtain a copy (art. 15 Right of access); b) Have rectified his Data and to complete Data which are incomplete (Art. 16 Right to rectification); c) Obtain the cancellation of Data in possession of the Controller where such cancellation is provided for by the New Law (art. 17 Right to erasure – Right “to be forgotten”) d) Request the Controller to limit the processing to only certain Data, where this is provided for by the New Law (Art. 18 Right to restrict processing); e) Be informed as to who the recipients to whom any rectifications, cancellations or processing restrictions have been communicated are (art. 19 Obligation of notification); f) Request and receive all his Data, in a format that is structured, commonly used and readable on an automatic device or to request its transmission to another controller without impediment (Art. 20 Right to portability); g) Oppose entirely or in part, the processing of Data for the purposes of marketing (sending of advertising material, direct sales, market research and commercial communications) and for the purposes of profiling connected to such marketing (art. 21 Right of opposition). Finally, each Data Subject has the right to present a claim/petition directly to the Personal Data Protection Authority, located at 47890 – San Marino, Scala Bonetti n. 2.

12. How can each Data Subject exercise his rights

At any time, each Data Subject may exercise his rights by sending: – A registered letter with return receipt addressed to: Dr. Antonio Valentini, with office in 47891 Dogana (RSM), Via Tre Settembre, 99; – An e-mail to: avalentini@studiovalentini.sm