ICONT Form – Updated Date 08/2025

Information on the processing of personal data

Pursuant to Article 13 of European Regulation No. 679/2016

Dear Interested Party,

EDG Srl – a single-member company , acting as Data Controller pursuant to Article 13 of European Regulation No. 679/2016 (General Data Protection Regulation (GDPR)) (hereinafter EU Regulation), which contains provisions regarding the processing of personal data, wishes to inform you of the processing of your personal data.

The law requires that anyone processing personal data is required to inform the data subject of the data being processed and the elements qualifying the processing, which must in any case be carried out lawfully, fairly, and transparently, as well as protecting the confidentiality and guaranteeing the data subject's rights.

Please note that data processing means any operation or set of operations concerning the collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, or destruction of data.

1. Data controller

The Data Controller is EDG Srl – a single-member company with registered office in Via Gaffarello, 75 – 35010 Borgoricco (PD) and operational headquarters in Via Grandi n. 12, 30036 Santa Maria di Sala (VE) , Fiscal Code and VAT number: 05252830285, contactable at the following numbers: telephone +39 041 5739911, e-mail: info@edg.it .

2. Nature of the data processed, purpose and legal basis of the processing

Nature of the data processed. In relation to the processing purposes listed below, we inform you that only "common personal data" will be processed, such as, for example:

• identification data (company name, VAT number, tax code, type, address, telephone number,
  email, etc.);
• personal details of the company contact and legal representative (name, surname, etc.);
• etc.

Purpose of processing. Your personal data will be processed for the following purposes:

1. respond to your requests: by voluntarily completing the appropriate form found in this contact area ;
2. comply with legal obligations;

Legal basis for processing. Personal data, for the purposes referred to in points 2A and 2B, will be lawfully processed to fulfill pre-contractual and contractual obligations between us and the user (Article 6, paragraph 1, letter b), and to fulfill our legal obligations (Article 6, paragraph 1, letter c).

3. Data recipients and processing methods Existence of an automated decision-making process, including profiling

The processing of your personal data will be based on the principles of fairness, lawfulness, and transparency and may be carried out using paper and electronic means both by Company personnel authorized/appointed to process personal data, and by external parties appointed to perform specific tasks on behalf of the Data Controller, acting as Data Processors pursuant to Art. 28 of the EU Regulation, subject to our letter of appointment requiring them to maintain confidentiality and security of the processing of personal data and to adopt appropriate security measures to prevent data loss, unlawful or improper use, and unauthorized access, in compliance with applicable data protection regulations.

For the sake of brevity, a detailed list of these figures is available at the Data Controller's office and is at your disposal.

Your personal data will not be disclosed or transferred to third countries or international organizations, nor will they be communicated to third parties except for legal or contractual obligations.

With reference to the provisions of Article 13 of the EU Regulation, paragraph 2, letter f) and Article 14 of the EU Regulation, paragraph 2, letter g), we hereby inform you that the Data Controller does not currently use any automated decision-making systems or processes.

4. Data retention periods

Your personal data will be stored for a period of time not exceeding the achievement of the purposes for which they are processed, in compliance with the principle of limitation of storage provided for by the EU Regulation and/or for the time necessary for legal and contractual obligations or until the revocation of the specific consent by the interested party and, therefore

• with reference to the purposes indicated in points 2A-2B, the data will be retained for a period no longer than is necessary to achieve the purposes for which they are processed and/or for the time strictly necessary to fulfill legal and contractual obligations;

To ensure the stated retention periods, a periodic annual review of the processed data is required, as well as the possibility of deleting it if it is no longer necessary for the intended purposes.

5. Access to data (categories of recipients to whom the data may be communicated)

We also inform you that the data collected will never be disclosed or shared without your explicit consent, except for necessary communications that may involve the transfer of data to public bodies, consultants, or other parties for compliance with tax and legal obligations or for the purposes (where authorized), subject to our prior letter of engagement imposing a duty of confidentiality and security on the processing of personal data.

With reference to Article 13, paragraph 1, letter e) of the EU Regulation, we indicate the subjects or categories of subjects (duly identified and trained) who may become aware of the user's personal data in their capacity as data controllers or persons in charge of processing. A specific list by category is provided below:

• Members, employees, collaborators, and suppliers of the Data Controller in Italy and abroad, in their capacity as persons in charge/authorized and/or responsible for data processing (e.g., sales, technical, administrative, legal, and press offices; system administrators, external professionals, various service providers, etc.)

Your personal data may also be disclosed to external parties who are recipients of the practices concerning you, in the performance of the activities and to external parties who interact with the undersigned, always and exclusively for activities functional to the purposes described above, external parties called upon to perform specific tasks, on behalf of the Data Controller, as Data Processors , pursuant to Art. 28 of the EU Regulation.

For the sake of brevity, a detailed list of these figures is available at our office and is at your disposal.

6. and 7. Communication and transfer of data

Without the need for express consent (Article 6, paragraph 1, letters b), c), and f) of the EU Regulation), the Data Controller may communicate your data for the purposes referred to in points 2A to 2B to supervisory bodies, judicial authorities, as well as to those entities to whom communication is mandatory by law for the fulfillment of the purposes indicated above.

These entities will process the data in their capacity as independent data controllers.

Personal data is stored on devices located at the Data Controller's headquarters or at providers within the European Union.

Your data will not be disclosed.

To ensure the security of such transfers, we only use entities that offer the necessary guarantees to implement appropriate technical and organizational measures so that the processing performed complies with the provisions of EU Regulation 679/2016.

The Data Controller has implemented appropriate technical and organizational measures to ensure an adequate level of security for both the data stored on its devices and any data stored at providers, in full compliance with the provisions of the EU Regulation.

8. Consequences of failure to communicate data

The personal data referred to in points 2A-2B of this notice are necessary. Without such data, we would be unable to process your contact/information request or fulfill our contractual and legal obligations.

9. Rights of the interested party

In your capacity as an interested party, you have the rights set forth in Articles 15 to 22 of the EU Regulation listed below, and specifically, you have the right to:

• obtain confirmation of the existence and processing of personal data concerning him or her and, where that is the case, obtain access to his or her data (so-called right of access);
• obtain information on the purposes of the processing, the categories of data in question, the recipients or categories of recipients to whom the data have been or will be disclosed, in particular if recipients are in third countries or international organizations, the envisaged period for which the data will be stored, or the criteria used to determine that period; and, where the data are not collected from the data subject, obtain all available information on their source;
• obtain the rectification of data concerning him/her (so-called right of rectification)
• obtain the erasure of data concerning him or her (so-called right to be forgotten);
• obtain limitations on processing (so-called right to limitation of processing);
• obtain data portability, i.e., receive data from a data controller in a structured, commonly used and machine-readable format and transmit it to another data controller without hindrance (so-called right to data portability);
• Object to processing at any time (so-called right to object). We specifically inform you, as required by Article 21 of the EU Regulation, that if personal data are processed for direct marketing purposes (including profiling), the data subject has the right to object at any time to processing of personal data concerning him or her for such purposes, and that if the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes;
• be informed (with the possibility to object) of the existence of an automated decision-making process concerning natural persons, including profiling;
• withdraw consent at any time without affecting the lawfulness of processing based on consent given before its withdrawal;
• lodge a complaint with a supervisory authority (Data Protection Authority).

Please note that there may be conditions or limitations to the rights of the data subject. Therefore, it is not certain that, for example, the right to data portability will be available in all cases; this depends on the specific circumstances of the processing activity.

Another example: if you decide to object to the processing of your data, the Data Controller has the right to evaluate your request, which may not be accepted if there are compelling legitimate grounds for the processing that override your interests, rights, and freedoms.

10. How to exercise your rights

Without any formality, you can exercise your rights clearly and explicitly at any time by sending:

- a registered letter with acknowledgement of receipt to the undersigned;

- an email to info@edg.it

Or by contacting the Data Controller directly at: +39 041 5739911.

11. Minors

The Data Controller's services and the basis of the existing relationship with you do not involve the intentional acquisition of personal information relating to minors. If information on minors is inadvertently recorded, the Data Controller will delete it promptly, upon request or notification from the interested party.

12. DPO (RPD) – Persons in charge/Authorized – Data Controllers

Below, we provide you with some information that is essential to your knowledge, not only to comply with legal obligations, but also because transparency and fairness towards interested parties are a fundamental part of our business.

DPO (Data Protection Officer) – RPD (Data Protection Officer) . You may also contact the Data Protection Officer for information and requests regarding your data or to report any service disruptions or problems you may encounter.

The Data Controller has appointed Mr. Nicola Ghinello as Data Protection Officer, who can be contacted at the following numbers: telephone +39 348 3165267, email: nicola.ghinello@dpo-rpd.com.

Authorized Persons. The updated list of authorized persons is kept at the Data Controller's headquarters.

Data controllers.

For the sake of brevity, a detailed list of these figures is available at our office.