Information on the processing of customers' personal data

POLICY FOR THE PROCESSING OF PERSONAL DATA OF CUSTOMERS Pursuant to Articles 13 and 14 of EU Regulation 2016/679 - GDPR Labware SpA with headquarters in Via Enzo Ferrari, 3 - Zona Ind.le A, 62012 Civitanova Marche (MC), C.F and P.IVA 01424730438, as the Data Controller hereby renders the information pursuant to Articles 13 - 14 of the EU Regulation 2016/679 - General Data Protection Regulation (GDPR), hereinafter also just “GDPR”.

1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER Labware SpA informs you that for the establishment and management of the relationship, it is the Holder of your data qualified as personal data under Regulation 2016/679 EU. For any information inherent to the processing of personal data, including the list of Data Processors who process data, please contact the Data Controller by: Mail: Via Enzo Ferrari, 3 - Zona Ind.le A, 62012 Civitanova Marche (MC), Italy E-mail: privacy@labware.it

2. CATEGORIES OF PERSONAL DATA The Personal Data that are processed by the Data Controller include, but are not limited to: first name, last name, social security number, VAT number, residential address, place of work location, telephone number, mailing address, bank details, etc.

3. PURPOSE OF PROCESSING Personal data, are processed by the Data Controller as part of its business: I) Without your express consent for the following purposes: I.a) Provision of services and execution of contracts The provision of Personal Data is necessary to provide the requested services and fulfill contractual and pre-contractual obligations. I.b) Administrative and management purposes and for compliance with national and EU regulatory requirements Processing of Personal Data to comply with regulatory requirements is mandatory and consent is not required. Processing is obligatory, for example, when it is prescribed by anti-money laundering, tax, accounting, anti-corruption regulations or by orders and requests of the Supervisory and Control Authority, to which the Controller is subject; I.c) Holder's defense The processing of Personal Data is necessary to pursue a legitimate interest of the Data Controller, i.e.: to establish, exercise or defend a right in court or whenever judicial authorities exercise their jurisdictional functions; II) I Personal Data will be processed with your express consent for the following purposes: II.a) Marketing To carry out functional activities for the promotion and sale of products and services through letters, telephone, Internet, SMS, MMS and other communication systems;

4. LEGAL BASIS. The legal basis of the processing of personal data for the purposes referred to in point 3. section I.a) above is the performance of a contract to which you are a party or the performance of pre-contractual measures taken at your request, therefore the performance of pre-contractual and contractual obligations with respect to legal relationships established and/or constituted with you (Art.6 paragraph 1, lett. b), GDPR). The legal basis for the processing of personal data for the purposes referred to in 3. section I.b) above is the fulfillment of a legal obligation to which the Data Controller is subject (Art.6 paragraph 1, lett. c), GDPR), while for the purposes referred to in 3. section I.c) above is the pursuit of the legitimate interest of the Data Controller (Art.6 paragraph 1, lett. f), GDPR). The legal basis for the processing of personal data for the purpose referred to in 3. section II.a) above is the data subject's express consent to the processing of his or her personal data for one or more specific purposes (Art.6 paragraph 1(a), GDPR). 5. RECIPIENTS Without prejudice to communications made in fulfillment of legal and contractual obligations, all data collected and processed may be shared, exclusively for the purposes specified above, with the following categories of authorized persons and/or internal and external data processors identified in writing and to whom specific written instructions about data processing have been provided: - Authorized internal staff - employees and collaborators of the Controller, in their capacity as persons authorized to process personal data, who have committed themselves to confidentiality or have an appropriate legal obligation of confidentiality; - Data Processors - persons, companies, professional firms or other third parties with whom the Data Controller has relationships necessary to carry out its activities for the purposes indicated above or by legal obligation, to whom specific mandate has been entrusted and for the time necessary to achieve the purposes for which the data were collected, who typically act as Data Processors of Labware SpA. By way of example, the Data Controller may need to communicate the data to the following categories: subjects who provide professional consulting services and fiscal, legal and judicial assistance; subjects who provide services for the management of the computer system; - Third party recipients - Jurisdictional or supervisory authorities, administrations, public bodies and entities (by way of example but not limited to: Inland Revenue Agency, Police Forces, Judicial Authorities, Territorial Authorities, Ministries and their collaborators/auxiliaries), insurance and banking companies. 6. STORAGE AND TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY Your personal data are stored on servers within the European Union. It remains in any case Page 3 to 5 understood that the Data Controller, should it become necessary, for technical or operational reasons, will have the right to transfer Personal Data to countries outside the European Union for which there are “adequacy” decisions of the European Commission, i.e. on the basis of appropriate safeguards or specific derogations provided for in the Regulations. 7. PROCESSING METHODS AND STORAGE TIME OF PERSONAL DATA The processing of Personal Data will take place, in compliance with the provisions of the GDPR, by means of paper, computer and telematic tools, with logics strictly related to the purposes for which the personal data have been collected and, in any case, in such a way as to ensure their security and confidentiality in accordance with the provisions of Article 32 GDPR. Personal Data are kept, for a period of time not exceeding that necessary to achieve the purposes for which they are processed, subject to the retention periods provided for by law. In particular, Personal Data are generally retained for a time period of 10 years from the termination of the contractual relationship to which you are a party. Personal Data may, also, be processed for a longer term if an act interrupting and/or suspending the statute of limitations occurs that justifies the extension of data retention. Personal Data for Marketing purposes will be processed until the data subject makes a request to deactivate the service. More information regarding the period of retention of Personal Data and the criteria used to determine this period may be requested by writing to the Data Controller. 8. RIGHTS OF THE DATA SUBJECT In relation to the processing operations described in this notice, as a data subject you may, under the conditions set forth in the GDPR, exercise the rights enshrined in Articles 15 to 21 of the GDPR and in particular the following rights: - Right of access - right to obtain confirmation as to whether or not personal data concerning you are being processed and, if so, to obtain access to your personal data, including a copy thereof (Article 15, GDPR); - Right to rectification - right to obtain, without undue delay, rectification of inaccurate personal data concerning you and/or supplementation of incomplete personal data (Art. 16, GDPR); - Right to erasure - right to obtain, without undue delay, the erasure of personal data concerning you (Art.17, GDPR); - Right to restriction of processing - right to obtain from the Controller the restriction of processing, in the cases provided for in the GDPR (art. 18, GDPR); - Right to data portability - right to receive, in a structured, commonly used and machine-readable format, personal data concerning you provided to the Data Controller and the right to transmit them to another data controller without hindrance, in the cases provided for in the GDPR (Art. 20, GDPR); - Right to object - right to object, at any time on grounds relating to your particular situation, to the processing of personal data concerning you, unless there are legitimate grounds for the Controller to continue the processing (Art. 21, GDPR); - Right to revoke consent - right to revoke consent to the processing of your data at any time, without prejudice to the lawfulness of the processing based on the consent before revocation; - Right to lodge a complaint with the Data Protection Authority, Square of Page 4 to 5 Montecitorio n.121, 00186, Rome (RM). The above rights may be exercised, vis-à-vis the Data Controller, by contacting the references indicated in point 1 above. 9. PROVISION OF DATA The provision of your personal data for the purposes referred to in point 3. section I) is mandatory. Any failure to provide, partial or inaccurate provision of your data and/or any express refusal to process it will make it impossible for the Data Controller to follow up on your requests, fulfill contractual obligations or a legal obligation to which the Data Controller is subject or requests by the competent Authorities. The provision of data for the purposes referred to in point 3. section II) is optional, with the consequence that you may decide not to provide your consent, or to revoke it at any time.