INFORMATION ON THE PROCESSING OF PERSONAL DATA

Following the full application of the European Regulation on the protection of personal data (EU Regulation 2016/679), Mosaic Srl, a company based in Udine in via Marangoni 60, tax code and VAT number IT02626100305, transmits the following document pursuant to art. 13 D.Lgs. N. 196/2003 (hereinafter the Privacy Code) and the EU Regulation 2016/679 (hereinafter GDPR).

DATA PROCESSED

The personal data we collect mainly includes

• Name and surname
• Company position
• Email address
• Professional address

These data are collected directly from the current or potential customer following contact or conclusion of the contract.

USE OF THE DATA PROCESSED

1. To allow the provision of consulting activities (obligations arising from the contract)
   These treatments are essential for providing Mosaic consulting services to customers who have requested it. These treatments are based on the contractual relationship between the data subject and the data controller..
2. Purposes related to accounting and legislative and tax obligations
   The collected data are used for administrative activities such as:
   • Issuing invoices and sending them to Mosaic customers
   • Receipt of invoices from Mosaic suppliers
3. To send informative and / or commercial material (commercial purpose)
   These treatments are essential for sending information and / or documents requested by current or potential customers via online channels (website, e-mail) or ordinary mail.
4. With prior consent, to send updates on the activities and services provided by Mosaic after the initial contact phase (marketing purposes)
   The data collected, if the data subject has explicitly given his consent to the processing, are processed for the purpose of sending updates and promotions of potential interest related to services, initiatives or events.

The provision of data for purposes 1. and 2. is mandatory to initiate contractual relations between Mosaic and its Customers and Suppliers.
The treatments 3. and 4. are based on the legitimate interests of the Data Controller and the interested party can oppose at any time.

METHOD OF TREATMENT AND STORAGE

In relation to the aforementioned purposes, the processing of data is done by manual, computerized and telematic tools with logic strictly related to the purposes themselves and, in any case, so as to guarantee, with the support of appropriate technical tools, the security and confidentiality of the data .
The data are accessible only by employees who have been properly trained and informed about their duties and the activities allowed on the data collected.
The personal data of the interested party will be kept for the time necessary for the purposes stated.

COMMUNICATION AND DIFFUSION OF DATA

The data collected as part of the provision of Mosaic Srl services may be communicated to:

• companies that perform functions that are strictly connected and instrumental to the operation – even technical – of Mosaic’s services, such as – but not limited to – suppliers and partners who provide services in IT, management consultancy and in the development of projects Business Intelligence and Corporate Performance Management, companies that provide archiving services, digital preservation of fiscal, administrative, payment and invoicing documents
• bodies and administrative and judicial authorities by virtue of legal obligations.

The collected data will not be transferred to outside the European Union. In any case it is understood that the Data Controller, if it becomes necessary for the execution of the contract with the Client and / or for the conclusion or execution of a contract stipulated by the Holder with a third party in his favor, shall have the right, prior to his explicit consent expressed at the bottom, to communicate data to Third Countries even in the absence of an adequacy decision by the European Commission due to the lack of an adequate level of data protection in said Third Country. In this case, the transfer of non-EU data will take place in compliance with the applicable legal provisions, stipulating, if necessary, agreements guaranteeing an adequate level of protection and / or adopting the standard contractual clauses envisaged by the European Commission.

The data are not subject to dissemination.

In no case will personal data be transferred or sold to third parties.

PROTECTION OF PERSONAL DATA

Mosaic takes all possible measures to protect Personal Information acquired against misuse, interference and loss, as well as unauthorized access, modification or disclosure.

These measures include:

• limiting physical access to our offices
• limitation of access to information collected on customers, suppliers and employees
• where required by law, destruction or de-identification of personal information.

RIGHTS OF THE INTERESTED PARTY

The interested party has the rights set forth in art. 7 Privacy Code and art. 15 GDPR (right of access) or the rights of:

1. obtain confirmation of the existence or not of personal data concerning him, even if not yet registered, and their communication in an intelligible form.
2. get the indication:
   • the origin of personal data;
   • of the purposes and methods of processing;
   • of the logic applied in case of treatment carried out with the aid of electronic instruments;
   • of the identification details of the owner, of the managers and of the designated representative pursuant to art. 5, paragraph 2 of the Privacy Code and art. 3, paragraph I, GDPR;
   • of the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as appointed representative in the territory of the State, managers or agents.
3. get:
   • updating, rectification or, when interested, integration of data;
   • the cancellation, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed;
   • the attestation that the operations referred to in letters a) and b) have been made known, also as regards their content, to those to whom the data have been communicated or disseminated, except in the case in which this fulfillment proves impossible o involves a use of means manifestly disproportionate to the protected right.
4. to object, in whole or in part:
   • for legitimate reasons, the processing of personal data concerning him, even if pertinent to the purpose of the collection;
   • to the processing of personal data that IO concern for the purpose of sending advertising or direct sales material or for the performance of market research or commercial communications;
5. to propose a complaint to the Supervisory Authority for any matter relating to the aforementioned processing of the data.

Pursuant to articles from 16a 22 GDPR the interested party can exercise:

1. the right to rectification (Article 16),
2. the right to be forgotten (cancellation of Article 17),
3. the right limitation of processing (Article 18),
4. the right to obtain from the Owner the notification to the recipients to whom the data have been transmitted of any corrections or cancellations or limitations of the processing (Article 19),
5. the right to portability (Article 20),
6. the right to object (Article 21),
7. the right to refuse the automated process (Article 22). This allows you to access your data for:
   • Verify its veracity;
   • Change them if they become inaccurate;
   • Integrate them also with a supplementary declaration;
   • Request cancellation;
   • Limit the treatment;
   • Oppose treatment.

The interested party may revoke at any time the consent expressed in relation to the different purposes indicated above, except for the impossibility of continuation of business relationships as indicated and without prejudice to the processing of previously acquired data for the fulfillment of tax and tax obligations dependent on contracts concluded.

CANCELLATION OF DATA

The Data Controller in compliance with the corresponding right of access to the interested party has set up procedures for which the interested parties can request the cancellation without unjustified delay of personal data or the limitation of the processing of personal data concerning them for the following reasons:

• because the data are no longer necessary for the purposes for which they were collected;
• because the interested party has revoked the consent; Because the interested party opposes the treatment;
• because the data are treated illegally.

RULES OF EXERCISE OF RIGHTS

Requests regarding personal data can be sent by the interested party:

• via email to privacy@mosaicnet.it
• by paper mail to the address specified above.

REFERENCE FIGURES

The Controller appointed Francesco Bortolin, Chairman of the Board of Directors, as Data Processing Manager.

The data controller uses data processors to achieve the specified purposes, adequately instructed on the protection of their personal data.