INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA pursuant to Article 13 of EU Regulation no. 679/2016
ALBALUNA SRL

Premises 

This notice is provided by the company ALBALUNA SRL (Tax Code LRCCGLBR64E03A944P, VAT Number 04098211206), with its registered office in DOZZA (BOLOGNA), at Via GIORGIO DEI CHIRICO 2, (ALBALUNA SRL) (hereinafter “Controller”), taking into account Legislative Decree 196/2003 (Italian Privacy Code) as amended by Legislative Decree of August 10, 2018, no. 101, for the adaptation of national legislation to the provisions of European Regulation EU 2016/679 (GDPR). This notice is provided to Clients, in their capacity as data subjects, (singularly “User”) concerning the processing of personal data carried out by the Controller through the platform called “PIENISSIMO” for the management of its activities, bookings, services offered, and commercial contacts with its clientele. The notice is provided through paper forms and/or telematic tools, including any links accessible/consulted by the User on the Controller’s website where the services offered are requested, namely:

Provisions

1. Data Controller The Data Controller is the company ALBALUNA SRL (Tax Code LRCCGLBR64E03A944P, VAT Number 04098211206), reachable at the following contacts:

• Postal address: VIA GIORGIO DE CHIRICO 2

• Email address: tlc.electronics2017@gmail.com

2. Data Collection Personal data processed are acquired by the Controller for managing bookings and/or enabling the User to take advantage of other services offered, such as the free Wi-Fi service inside the premises, the fila-fast option, customer experience questionnaires, or participation in the loyalty program to benefit from rewards and discounts.

3. Data Subject to Processing Personal data subject to processing includes common identification and contact details of the User and other data instrumental to the requested service. In relation to specific needs expressed by the User at the time of booking, the Controller may collect and process sensitive / particular data such as health-related information (e.g., allergies or food intolerances). Such data will be processed only with the User’s written or equivalent consent (“equivalent consent” includes online expressions of will through procedures such as clicking on “Accept,” “Send,” etc., or checking boxes next to “I consent to the processing,” etc.) and in compliance with current regulations on personal data processing.

4. Browsing Data When data collection occurs digitally through computer devices (PC or smartphone), the Controller will also collect and process the User’s browsing data, which is implicitly transmitted when using Internet communication protocols. The use of cookies and other digital tools with similar functionality is detailed in the dedicated cookie policy available online on the Controller’s website in the appropriate section.

5. Primary Purposes of Processing The primary purpose of processing is to enable the User to book a table or access other services offered by the Controller, such as the free Wi-Fi service within the premises, the fila-fast option, or the loyalty program. Additional purposes for data collection include:

5.1 Mandatory or Optional Consent for Primary Processing Purposes Providing data, while not mandatory, is necessary and essential for managing and finalizing the booking and for enjoying the described services. The Controller is not obligated to acquire specific consent from the User as it responds to specific requests from the data subject. Failure to provide the requested and necessary personal data will result in the inability to fulfill the User’s order.

6. Secondary Purposes of Data Processing for Promotional, Advertising, and Marketing Purposes

The collected personal data may also be processed, both in paper form (e.g., filling out forms, coupons, and similar paper documents at the Controller’s premises and subsequently used electronically) and in automated/electronic form, for the following purposes:

a) Compliance with legal, accounting, fiscal, administrative, and contractual obligations related to ongoing or future relationships or the provision of requested services;

b) Implementing measures to protect personnel from illegal or fraudulent acts by Users, including identifying the responsible person and preserving related information for judicial or other protective actions;

c) Collecting, storing, and processing data provided by the User for performing statistical analyses in anonymous and/or aggregated form to verify the quality of offered services; d) Communicating with Users via email or phone regarding the completed booking.

For marketing purposes, it is mandatory to acquire specific, separate, expressed, documented, prior, informed, free, and entirely optional consent. If the User decides to give specific consent, they must be informed and aware that the processing purposes pursued are commercial, advertising, promotional, and broad marketing in nature. The User will always be free to revoke the consent at any time by sending a clear communication to the Controller’s contact details. The Controller will promptly remove and delete the data from databases used for marketing purposes and inform any third parties to whom the data was communicated for the same cancellation purposes.

7. Data Recipients

Collected personal data will be processed within the Controller’s business by authorized and appropriately instructed employees. Externally, the data may be communicated and processed by individuals and/or legal entities engaged in activities

necessary and/or instrumental to guarantee the operation of the Controller’s business. The updated list of appointed Data Processors is kept at the Controller’s office and is viewable upon request. Personal data will not be disseminated but may be communicated to inspection bodies for checks and controls concerning legal compliance.

8. Processing of Personal Data for Commercial Profiling Purposes

The Controller may process data for marketing and service improvement purposes through profiling activities. Profiling involves structuring data according to predefined parameters to derive additional information, which provides an added value by establishing multiple correlations between collected data.

8.1 Mandatory or Optional Consent for Profiling Purposes

Providing personal data and living consent to profiling processing is entirely optional and can be revoked without formality at any time. Failure to provide data will only result in the inability for the Controller to proceed with profiling activities.

9. Potential Indication by the User of Personal Data of Third Parties (Other Interested Users)

The User acknowledges that any indication (e.g., when filling out the reservation form using the Platform via the website or the Owner’s devices – tablets) of personal and contact data of any third party other than the User constitutes a processing of personal data for which the User acts as an autonomous Data Controller, assuming all obligations and responsibilities provided by the applicable laws. In this regard, the User guarantees the Owner that any data of third parties thus indicated by the User (and consequently treated as if the third party had provided their informed consent to the processing) has been acquired by the User in full compliance with the applicable laws. The User fully indemnifies the Owner from any dispute, claim, damage compensation request,

etc., that may be received by the Owner from any interested third party due to the provision of data indicated by the User in violation of the applicable personal data protection laws.

10. Transfer of Data to a Third Country

The User’s data will be transferred outside the European Union in accordance with applicable legal provisions. Specifically, the data will be transferred to the Republic of San Marino (RSM) and processed by the provider of the platform used for managing reservations and customer contacts, acting as the Data Processor. This role has been formalized using the Standard Contractual Clauses (SCC) as required by law to ensure the security and integrity of customers’ personal data. Last modified: 22.03.2024

• Number and type of reservations made within a predetermined time frame;

• Frequency of service usage;

• Other indicators highlighting purchasing preferences and habits.

11. Data Retention and Security Measures

Data will be retained for the periods defined by the relevant regulations, on servers located in countries within the European Union or in countries outside the European Union that guarantee adequate security measures. In any case, the data retention period for the User will be strictly limited to the time necessary to achieve the primary purposes indicated in paragraph 5, unless there is express and specific consent also regarding the operations referred to in paragraphs 6 and 8 (marketing, profiling), in which case the data will be processed until consent is subsequently revoked and in any case in compliance with legal terms. Once the aforementioned obligations have been fulfilled, the User’s data will in any case be deleted, except for retention based on different legal terms of the act and/or document containing the data.

12. Exercise of Rights by the User/Data Subject

At any time, the User may – without any formalities – exercise their rights as provided by the applicable regulations, as listed below. The exercise of rights is not subject to any form constraint.

It will be sufficient to make a request to the contact details of the Owner indicated in paragraph 1.

Rights of the Data Subject The Data Subject/User may exercise the right to:

a) Request confirmation of the existence or non-existence of their personal data and, if so, obtain access to such data and all information relating to the processing itself;

b) Obtain the rectification and deletion of data;

c) Obtain the restriction of processing;

d) Obtain data portability, i.e., receive them from a Data Controller, in a structured, commonly used, and machine-readable format, and transumi them to another Data Controller without impediments; e) Object to processing at any time, including for direct marketing purposes; f) Withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal; g) Lodge a complaint with a supervisory authority.

13. Changes

In compliance with applicable personal data protection regulations, the Owner reserves the right to make changes to this privacy policy at any time, providing appropriate communication to Users and ensuring in any case adequate and similar protection of personal data. To view any changes, the User is invited to regularly consult this privacy policy, which in any case indicates the date of the last modification.