PRIVACY NOTICE PURSUANT TO ARTICLE 13 OF REGULATION (EU) 679/2016

We process your personal data, where personal data means any information relating to you as a natural person, identified or identifiable even indirectly by reference to any other information in our possession ("Data Subject").

The processing will be performed for the purpose of sending you commercial and/or promotional communications regarding Deloitte’s innovative assets (e.g. products, services), presenting the characteristics of potential interest for you and your company. Such information will be accessible via a box endowed with a specific QR code which will be sent to you by ordinary mail.

The personal data processed by Deloitte will be those acquired in the context of the contractual/commercial relations maintained with the latter, such as your name and surname. Deloitte may also collect and process your home address in case you specifically request Deloitte to send the commercial and/or promotional communications regarding Deloitte’s innovative assets to your home address.

Deloitte will process your personal data, including your home address, only in case you express your specific and informed consent pursuant to Article 6(1)(a) of the Regulation.

The processing of your personal data will be carried out with electronic (IT or telematics) and manual means designed to store, manage and transmit the data, according to methods and procedures consistent with the aforementioned purpose and in compliance with the principles set out in article 5 of the Regulation, such as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality.

With reference to the point above, your personal data will be processed only for the period strictly necessary to send you promotional communications about Deloitte services which could be of your interest. Your home address will be retained for a maximum period of six months from the moment of receipt.

You may object to the processing for this purpose at any time, easily and free of charge by sending a request to Deloitte's DPO using the relevant e-mail address. Following your objection, Deloitte will not send you any commercial communication and will process your personal data only for purpose of performing the contractual relations with you or your company and/or to fulfil any legal obligation.

With reference to the above-mentioned purpose, Deloitte may communicate your personal data to the following categories of recipients:

- third parties, either internal or external to the Deloitte network, delegated to carry out the activities necessary in order to perform the processing;
- competent authorities (including courts) to which Deloitte is subject, for the performance of their institutional functions to the extent required by law or regulation;

Your data will be communicated to these third parties after appropriate designation in the role of Data Processors or as autonomous Controllers, and will be processed by collaborators and/or employees of Deloitte in the context of their respective functions and in accordance with the instructions given by Deloitte itself.

Personal data may also be transferred outside the European Economic Area. In this case, Deloitte ensures that the transmission of the data will be carried out on the basis of adequate guarantees, pursuant to artt. 45-47 of the Regulation.

In particular, in the event of transfers to third countries, Deloitte will adopt standard contractual clauses or standard data protection clauses and performs a transfer impact assessment to identify and put in place specific measures to protect the personal data transferred. If you have any questions about this, please contact Deloitte's Data Protection Officer using the relevant e-mail address.

Your data will not be disclosed.

In relation to the purpose of processing above, you have the following rights under the Regulation (articles 15-22):

• to obtain confirmation that Deloitte is processing your personal data and access such data (right to access);
• to update, modify and/or correct your personal data (right to rectification);
• to request the erasure or the limitation of the processing of data processed in violation of the law, including data that does not need to be retained for the purposes for which they were collected or otherwise processed (right to be forgotten and right to restriction of processing);
• to object to data processing activities (right to object);
• to withdraw the consent, where given, without prejudice to the lawfulness of the processing of the consent given before the withdrawal;
• to lodge a complaint with the competent supervisory authority or appeal to the judicial authority in the event of a breach of the law on the protection of personal data;
• to receive a copy of your personal data in an electronic format and request that such data will be transmitted to another Data Controller (right to data portability).

In order to exercise these rights, you can contact Deloitte’s Data Protection Officer by sending an e-mail to the address indicated above.