INFORMATION NOTICE REGARDING THE PROCESSING OF CUSTOMERS’ PERSONAL DATA IN ACCORDANCE WITH EU REGULATION 2016/679 (“GDPR”) DATA CONTROLLER Ariston Thermo S.p.A., Viale Aristide Merloni, 45 60044 Fabriano (AN) Italy T. +39 0732 6011 Fax: +39 0732 602331 Tax Number e VAT Number: IT01026940427 (“Company”). DATA PROCESSING PURPOSES Purchase of goods or services including all related activities (such as email, communications related to the offer,delivery of products, withdrawal of purchases, delivery of the product, installation, first start-up, warranty ...) Participation in any loyalty programs and/or recording of data in the Company's CRM Remote control of ATG products, prevention and resolution of malfunctions, further after-sales services. Monthly product consumption report (only if the product is connected to the Internet) LEGAL BASIS FOR PROCESSING DATA Execution of the contract involving the data subject. DATA RETENTION PERIOD Contractual term and, following expiry, for the ordinary limitation period of 10 years. DATA PROCESSING PURPOSES Analysis and clustering of customer types for business development purposes LEGAL BASIS FOR PROCESSING DATA Legitimate interest (best business management) DATA RETENTION PERIOD Contractual term and, following expiry, for the ordinary limitation period of 10 years. DATA PROCESSING PURPOSES Fulfilling obligations provided for by regulations and by applicable national and supranational legislation. LEGAL BASIS FOR PROCESSING DATA Need to fulfil legal obligations DATA RETENTION PERIOD Term provided for by law (10 years for administrative-accounting obligations) DATA PROCESSING PURPOSES Management of security and IT resources (backup, restore, logical access to any online account) LEGAL BASIS FOR PROCESSING DATA Execution of the contract involving the data subject. DATA RETENTION PERIOD Contractual term and, following expiry, for the ordinary limitation period of 10 years. DATA PROCESSING PURPOSES If necessary, in order to establish, exercise or defend the rights of the Data Controller in judicial proceedings Out-of-court debt recovery LEGAL BASIS FOR PROCESSING DATA Legitimate interest (judicial protection) DATA RETENTION PERIOD In case of litigation, for the entire duration of the same, until the time limit for appeal has expired. DATA PROCESSING PURPOSES Purposes of direct marketing: for example, sending - by automated means of contact (such as SMS, mms, e-mail, social networks, instant messaging apps) and traditional (such as operator calls and traditional mail) - promotional and commercial communications relating to services / products offered by the Company or reporting corporate events, as well as measuring the degree of customer satisfaction, conducting market surveys and statistical analysis. Purpose of profiling: analysis of customer preferences, habits, behaviors, interests (...) in order to send personalized commercial communications / targeted promotional actions / offers and services adapted to customer needs / preferences. (CRM metrics, Business Intelligence, warranty extension...) LEGAL BASIS FOR PROCESSING DATA Consent (optional and it can be withdrawn at any time). DATA RETENTION PERIOD Personal data and contact data: until revocation of consent Detail of purchases: 24 months after collection of each data Once the aforementioned retention period has lapsed the data will be destroyed or made anonymous. DATA PROVISION Data marked with an asterisk (*) in the data collection form must be provided to be able to provide the information requested, therefore if this information is absent the Company will not be able to process the request DATA RECIPIENTS The data may be processed by external parties operating as autonomous data controllers such as, by way of example, supervisory and control authorities and, in general, public or private parties entitled to request the data. The data may be communicated to public notaries and law firms as well as to accountants. The data may also be processed, on behalf of the Company, by external parties designated as Processor, who are given adequate operating instructions. These subjects are essentially included in the following categories: a. companies offering email services; b. companies offering website maintenance services; c. companies offering support in carrying out market research. d. companies and agencies in the field of event management and trade fairs e. companies that offer services instrumental to the pursuit of the purposes set out in this information notice (media agencies, IT suppliers, freight forwarders, softwarehouse & system integrators, e-commerce companies, consulting companies, etc.); f. companies offering call center and customer care services; information provider companies; SUBJECTS AUTHORIZED TO PROCESSING DATA Data may be processed by employees in company departments who are responsible for carrying out the activities outlined above and have been authorized to process the data and have received suitable operating instructions. PERSONAL DATA TRANSFERS OUTSIDE THE EU The data may be transferred abroad to non-European countries, and in particular in the USA, a country whose level of data protection has been deemed appropriate by the European Commission pursuant to art. 45 of the GDPR (Privacy Shield) The decision of adequacy of the European Commission can be consulted at the following link: http://eur-lex.europa.eu/legal-content/IT/TXT/PDF/?uri=CELEX:32016D1250&from=IT DATA SUBJECTS’ RIGHTS- COMPLAINT TO THE SUPERVISORY BODY By contacting Ariston Thermo S.p.A., by mail address 60044 Fabriano (AN) Italy, via e-mail sent to firstname.lastname@example.org, data subjects can ask the Company for access to personal data, or the correction or deletion of personal data, and also have the right to restrict processing of the data in the cases set out in article 18 of the GDPR, and object to processing in the case of legitimate interests of the controller. Furthermore, in the case where processing is based on consent or a contract and carried out with automated tools, data subjects have the right to receive the personal data in a structured, commonly used and machine-readable format, and to transmit the data to another data controller without obstruction. Data subjects have the right to withdraw consent at any time in relation to data processed for marketing purposes, and object to data being processed for these purposes. Data subjects have the possibility of stating a preference for being contacted for the aforementioned purposes through conventional methods and objecting to receiving communication through automatic methods only. Data subjects have the right to lodge a complaint to the competent Supervisory Authority in the member state where they are resident or where they work, or the member state where the alleged breach took place.