Supplier Privacy

With the present the writing company, as Data Controller, whereas:

  • the company considers the protection of confidentiality and protection of the personal identity of those with whom it interacts to be fundamental;
  • the company, by material and territorial scope (pursuant to Article 2.3 of the GDPR) is required to apply the compliance requirements established by the legislation in question;
  • his work is performed under the authority of the company itself, Data Controller (ex. Article 4, paragraph 7 of the GDPR)
  • his duties could involve access, even occasionally, to information qualified as personal data (ex.Art.4, paragraph 1)

Pursuant to art. 29 of Reg. (EU) 2016/679, authorizes access to / processing of personal data and provides you with adequate instructions to ensure an adequate level of security. 1. REFERENCES OF LAW, DEFINITIONS This document (required by law) concerns all employees / collaborators. This is because the legislation in question for “personal data” means any information relating to a natural person and for “processing” any operation performed on such data, including simple access or consultation. (Example: it is therefore sufficient that you temporarily consult a document that shows the name of a person, or you access a phone book -some-containing names, to be considered subjects who in the conduct of their business within the company treat personal data). The regulation defines “data subject” the natural person to whom the data refers (eg: a customer, a supplier, a visitor, a colleague, etc.). 2. AUTHORIZATION SCOPE In general, only the access to data and processing operations strictly necessary for the performance of work tasks (access profiles defined and monitored at company management level) are permitted. In the eventual use of electronic tools, the user profile is configured according to this logic, ie guaranteeing an adequate level of consistency between the work tasks and the assigned permissions. Staff is required to respect the assigned permissions, avoiding any attempt to access resources that are not relevant to their profile. At the level of paper documentation, it is requested not to arbitrarily access archives / files / documents that are not necessary for the tasks assigned. Within the general framework outlined in this document, it is necessary to comply with the rules / instructions / instructions relevant to working environment (present or future) and with the functions / tools made available by the Data Controller. For any doubt or request for changes regarding the default access permissions, please contact the privacy team, referred to in paragraph 5 of this. 3. PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA (GDPR – Art.5)

1. Personal data shall be: a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’); c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

4. INFORMATION, CONSENT AND RIGHTS OF DATA SUBJECT (GDPR – Art.12-22) The GDPR provides that the data subjects receive adequate informations regarding the processing of their data, expressing, if necessary, a specific, free and informed consent. In addition, the need to secure the rights referred to in Chapter III of the GDPR is acknowledged, including the right of access, rectification, forgetting / cancellation, limitation, portability and opposition. The company has implemented adequate internal procedures aimed at guaranteeing the aforementioned rights, therefore it is required, should it be addressed by any subject, a request in the field of privacy, to promptly report it to the privacy team, referred to in paragraph 5 of here I’m. 5. PRIVACY TEAM The company has defined a specific internal organization to guarantee an effective application of the privacy compliance requirements. For any information / clarification or to report any profiles referred to in these instructions (eg: safety incident, new treatment activity, requests of the data subjects, etc.) it is possible to contact, without particular formalities, to: • Data Protection Officer – Dr. Gregorio Galli – Mob. 329.0516409 – gregorio@gallidataservice.com 6. PRIVACY BY DEFAULT AND PRIVACY BY DESIGN (GDPR – Art.25)

The GDPR provides that any business activity / process, before being implemented, is subject to appropriate assessments on the number of data collected, the security measures, the storage time, etc. In order to correctly activate the persons responsible for carrying out these assessments, you are asked to report to the privacy team any initiative or project that intends to carry out (software purchase, website opening, video surveillance activation, etc.) that has implications with the processing of personal data.

7. SAFETY OF PROCESSING AND OPERATING INSTRUCTIONS (GDPR – Art.32)

The GDPR provides that adequate technical and organizational measures are put in place to guarantee the interested parties a suitable level of security in the processing of data. In addition to the logical, physical and IT security measures implemented by the company, the following instructions are therefore issued:

7.1 INSTRUCTION FOR DATA MANAGEMENT IN PAPER FORMAT

  • accedere ai soli documenti strettamente necessari in relazione e per l’adempimento delle mansioni e dei compiti assegnati;
  • utilizzare i dati di cui viene a conoscenza esclusivamente per le finalità legate all’espletamento dell’attività lavorativa;
  • limitare l’esposizione dei documenti durante le operazioni di trattamento;
  • riporre alla fine del trattamento i documenti nella posizione idonea;
  • non lasciare mai incustoditi i documenti;
  • non consentire l’accesso a persone non autorizzate e non divulgare i dati;
  • organizzare i propri spazi lavorativi (scrivanie, scaffalature, raccoglitori, ecc.) in modo ordinato ed idoneo a prevenire la perdita o l’accesso non autorizzato;
  • distruggere documenti contenenti dati personali prima dello smaltimento;
  • non utilizzare documenti con dati personali come “carta da riciclo” per ulteriori stampe;
  • non effettuare copie non autorizzate o non necessarie alle proprie mansioni;
  • prestare la dovuta attenzione al trasporto di documenti al di fuori della sede;
  • prestare la dovuta attenzione ad eventuali colloqui, anche telefonici, in presenza/prossimità di persone non autorizzate.

8.2. INSTRUCTION FOR DATA MANAGEMENT IN DIGITAL FORMAT The electronic devices and business applications, as well as the contents generated by the users, are work tools, to be used exclusively for professional purposes (on which the company can lawfully have management / verification activities). Users with electronic company tools are required to comply with the provisions contained in the specific Company Computer Regulations, which summarize the main concepts:

  • ensure the integrity, conservation and safety of the machines, avoiding behaviors that could compromise their functionality, settings and safety;
  • not make substantial changes to your IT environment, with particular reference to the installation or uninstallation of applications and the modification of system settings,
  • always use the system access credentials, guaranteeing their secrecy
  • lock the device in case of removal from the station • use removable memory devices and personal clouds (eg: dropbox) only after comparison with ICT contacts
  • use the internet and e-mail only for business purposes, strictly avoiding any obscene, pornographic, offensive, defamatory, violent, discriminatory and, in general, illegal (with particular reference to computer piracy and copyright).
 

General instructions In general it is forbidden to any subject, except for activities expressly connected to their duties, to disclose information concerning personal data, make copies of any kind (on paper, computer, etc.) and destroy, steal or manipulate the contents of the databases if not expressly authorized by the Data Controller. 9. DATA BREACH (GDPR – Art 33,34) The GDPR provides that the Controller manages any event that could pose a security risk for personal data (data breach, violation of personal data). There is a “violation of personal data” when accidentally (culpably) or unlawfully (maliciously) an event causes the destruction, loss, modification, unauthorized disclosure, access to personal data transmitted, stored or otherwise processed (eg: theft devices / documents, loss of devices / documents, attack / computer virus, deletion or unintentional sending of data, etc.). In order to correctly activate the persons responsible for handling such events, you are asked to report to the privacy team any circumstances that he believes can be considered a “data breach”. 10. INSTRUCTIONS UPDATE MODE These instructions may be subject to periodic updating / integration, according to the methods deemed most appropriate, also in relation to the provisions of article 7 of the Workers’ Statute (“posting in a place accessible to all “). In relation to the extent of updates, the Company will use further effective dissemination tools, such as: forwarding by email, publication on the company intranet and / or dedicated platforms, sending individual hard copy, organizing dedicated training events, etc. 11. INTEGRATION D.LGS. 196/2003, DURATION AND VIOLATION

This act integrates any eventual designation act previously carried out pursuant to Italian privacy law (Legislative Decree 196/2003), including the appointment as a processor. It is also an addition to any other regulation / code provided by management systems / internal organization models. The authorization and instructions assigned to be intended for an indefinite period and lapse due to interruption of the employment relationship or revocation by the Owner. The observance of the fundamental principles regarding privacy in relation to the information that has been made known to the writer, is considered indispensable even after the possible termination of the working relationship. The person in charge is personally responsible for any behavior that is clearly contrary to the indications provided herein. Any violation may be the source of disciplinary measures and / or legal liability.

FORNAROLI POLYMERS S.P.A.  Registered Office: Via Archimede, 57 – 20129 Milano (MI) – I LOCAL UNIT: Via Trebbia, 71 – 29121 Piacenza (PC) – ITALY Tel. +39/0523/484944 – Fax +39/0523/482660 VAT No. 09301380961 – Share capital Euro 2.000.000,00 fully paid-up Tax Registration No. and Registration number at the Milan Chamber of Commerce: 01338080334 Economic and Administrative Index of Milan no. 09301380961 Web Site: www.fornarolipolymers.com E-mail: info@fornarolipolymers.com PEC (certified email): fornarolipolymers@tmcert.it