INFORMATION NOTICE PURSUANT TO ARTICLE 13 OF THE GENERAL DATA PROTECTION REGULATION OF THE EUROPEAN UNION (EU REG. 2016/679)
Pursuant to Article 13 of the General Data Protection Regulation of the European Union No. 2016/679, PALACE SETTE s.r.l. (hereinafter referred to as “PALACE SETTE” or “Data Controller”) shall acquire and process the personal data received (hereinafter: Data) following a request for assistance, and therefore wishes to inform the Data Subjects of the following:

1. Data Controller
The Data Controller is PALACE SETTE s.r.l., VAT No. (05834140013), with registered office in Turin (TO), Via XX Settembre 5 – 10121.
The Data Controller may be contacted at the following addresses:
a. Telephone: 011 533688
b. Standard email: info@logerconfort.it
c. Certified email (PEC): palacesette@pec.it

2. Data Processors
The processing of Data may be carried out on behalf of and under the delegation of the Data Controller by the following subjects:
a. Administrators and employees of PALACE SETTE (Appointees);
b. External consultants responsible for accounting, assistance and maintenance of IT devices, software programs, and the website.
PALACE SETTE shall appoint for the performance of the activities referred to above only those subjects who, if not legally bound to confidentiality, have undertaken such obligation and in any case provide sufficient guarantees regarding the adoption of appropriate technical and organizational measures so that the data processing is equivalent to that carried out by the Data Controller. Furthermore, the Data Controller is continuously committed to training its collaborators in matters of personal data protection and cybersecurity awareness.

3. Categories of Data Processed
The following information shall be subject to processing:
a. Personal identification data;
b. Contact details;
c. Biometric data (photographs, audio, and video);
d. Tax and financial data.

4. Purposes of Data Processing
The Data shall be used for the following purposes:
a. Fulfilment of contractual obligations;
b. Consultancy;
c. Training;
d. General and financial management of the company;
e. Accounting and tax compliance;
f. Statistics;
g. Newsletter distribution;
h. Transmission of advertising messages.

5. Legal Basis for Data Processing
The processing of Data voluntarily provided is lawful and necessary for the achievement of the purposes indicated in Section 4 (Purposes of Data Processing). With regard to the activities indicated in Section 4, letters “g” and “h”, the legal basis for processing is the prior consent expressly given. With regard to the activities indicated in Section 4, letters “a” and “f”, the legal basis for processing is the performance of a contract.

6. Mandatory or Optional Nature of Data Provision
The provision of Data required for the purposes referred to in Section 4, letters a) to e), is necessary to enable the proper execution of the assignment entrusted by you and is mandatory for all that is required by the fulfilment of legal, contractual, and tax obligations directly or indirectly arising therefrom. Therefore, refusal to provide such Data or subsequent denial of processing (see Sections 12 and 14) shall prevent the Data Controller from fulfilling contractual obligations.

7. Methods of Data Processing
PALACE SETTE adopts a data minimization policy whereby Data is collected and used only to the extent strictly necessary for the execution of the assignment. Where necessary and to the extent possible, Data shall be pseudonymized in order to render it neutral and hinder its referability to Data Subjects. As regards the actual processing methods, the Data Controller adopts technical/organizational, digital, and analog measures aimed at the complete protection of all Data collected. It is further noted that PALACE SETTE’s employees have been adequately trained on current legislation and correct data processing procedures, and in any case, processing is carried out only by personnel formally authorized through a specific procedure. The Data Controller does not carry out any profiling, and its policy does not provide for automated decision-making processes.

8. Disclosure of Data
Data shall be disclosed to third parties only where necessary for the provision of the service or required by legal obligations.
Consequently, Data may be disclosed to:
a. External Data Processors and Appointees referred to in Section 2;
b. Public entities and third parties who are legally entitled to access the Data by virtue of laws or other regulatory provisions;
c. Subjects authorized by the Data Controller pursuant to Article 29 of the Regulation, necessary to carry out activities strictly related to the provision of the requested services, and who have undertaken confidentiality obligations or are subject to an adequate legal obligation of confidentiality.
Data shall not be disseminated, and any further disclosure shall be made only with your express consent.

9. Dissemination of Data
Data shall not be disclosed to subjects other than those indicated in the preceding sections.

10. Transfer of Data Abroad
Data shall not be transferred to countries outside the European Union.

11. Data Retention Period
Your Data, both analog and digital, shall be retained for a period of ten years from the termination of the assignment entrusted by you. Upon expiry of such period, paper-based Data shall be disposed of following a process aimed at rendering it unintelligible; digital files shall be deleted from the internal server and backup unit using “wiping” or “shredding” techniques, or anonymized and retained solely for statistical purposes.

12. Data Subject Rights
With regard to the Data, each Data Subject has the right to:
a. Obtain confirmation of the existence or non-existence of the Data, even if not yet recorded, and its communication in an intelligible form;
b. Access the Data;
c. Request its rectification, erasure, or restriction of processing;
d. Object to processing (see Section 14);
e. Request data portability, i.e., the delivery of the Data in a structured, commonly used, and machine-readable format;
f. Withdraw consent to processing at any time without affecting the lawfulness of processing based on consent given prior to withdrawal;
g. Lodge a complaint with a supervisory authority.

13. Exercise of Rights
Each Data Subject may exercise their rights at any time by submitting a request via registered mail or certified email to the addresses indicated in Section 1 of this notice.

14. RIGHT TO OBJECT
a. If processing is carried out based on the legitimate interest of the Data Controller, the Data Subject, where they must exercise rights that override such legitimate interest, has the right to object at any time to the processing of personal data concerning them.
b. The Data Subject also has the right to object at any time to the processing of personal data concerning them for direct marketing purposes.
c. The right to object may be exercised against the Data Controller in writing using the addresses described in Section 1.

In accordance with what is stated in Section 6 of this notice, objection to processing may render it impossible to continue the contractual relationship between the parties.

Turin, 3 September 2025
The Data Controller PALACE SETTE s.r.l.