The Data Controller will process your personal data to perform contractual and pre-contractual activities and to fulfill tax or legal obligations. Your personal data will be processed exclusively for purposes strictly related and instrumental to fulfilling the obligations pertaining to the aforementioned points. Your consent is the legal basis for the processing pursuant to Art. 13, paragraph 1), letter c) of the GDPR.

Providing your data for the purposes referred to in points 1) and 2) of Article 3 does not require any formal consent as it is preliminary and essential to any contractual or pre-contractual relationship.

The personal data provided for the purposes described above may be disclosed to the Data Controller's employees and/or collaborators and communicated to the following parties:

1. third-party companies possibly appointed by the Data Controller to perform the obligations assumed by the latter for the implementation of the processing envisaged for the purposes referred to in points 1) and 2) of Article 3;

2. all subjects (including Public Authorities) who have the right to access the data pursuant to regulatory or administrative provisions;

3. Third-party companies that provide essential support services for processing and have direct or indirect access to your data; All collaborators or suppliers used by the Data Controller to process your personal data have been appropriately and legally authorized and held accountable for the methods and purposes of the processing assigned to them and will act in compliance with this policy.

The personal data you provide and subsequently processed in connection with the management of the service will not be disclosed. For the subjects indicated in points a) and c), only the category of recipients is indicated, as this is subject to frequent updates and revisions. Therefore, interested parties may request an updated list of recipients by contacting the Data Controller through the channels indicated in Article 1 of this policy.

Your personal data will be retained for the periods established by the relevant legislation, which are specified below pursuant to art. 13, paragraph 2, letter a) of the GDPR:

1. for the purposes indicated in points 1), 2) of art.3 for the periods prescribed by the laws in force and in any case for a period of no less than 10 (ten) years

Pursuant to Articles 13, paragraph 2, letters b) and d), 15, 18, 19 and 21 GDPR, the interested party is informed that he or she has the right to:

1. Access to personal data: obtain confirmation as to whether or not personal data concerning you is being processed and, where that is the case, access to the following information: the purposes, categories of data, recipients, retention period, the right to lodge a complaint with a supervisory authority, the right to request rectification or erasure, or restriction of processing, or to object to processing, as well as the existence of an automated decision-making process;

2. Request for rectification or erasure of your personal data, or restriction of processing concerning you; "restriction" means marking stored data with the aim of limiting its processing in the future;

3. Objection to processing: to object, for reasons related to your particular situation, to the processing of data for the performance of a task carried out in the public interest or for the pursuit of a legitimate interest of the Data Controller;

4. Data portability: in the case of automated processing carried out on the basis of consent or in performance of a contract, to receive the data concerning you in a structured, commonly used and machine-readable format; in particular, the data will be provided to you by the Data Controller in .xml format;

5. Revoke consent to processing for marketing purposes, both direct and indirect, market research, and profiling; exercising this right does not in any way affect the lawfulness of processing carried out prior to the revocation;

6. File a complaint pursuant to Art. 77 GDPR with the supervisory authority competent for your habitual residence, place of work, or the place where your rights were infringed. In Italy, the competent authority is the Italian Data Protection Authority (Garante per la protezione dei dati personali), which can be contacted using the contact details provided on the website https://www.garanteprivacy.it .

The aforementioned rights may be exercised by sending a specific request to the Data Controller using the contact channels indicated in Article 1 of this policy.

Requests relating to the exercise of your rights will be processed without undue delay and, in any case, within one month of the request; only in cases of particular complexity and the number of requests may this deadline be extended by an additional 2 (two) months.

We specifically and separately inform you, as required by Article 21 of the GDPR, that if personal data is processed for marketing purposes, the data subject has the right to object at any time and that if the data subject objects to the processing, the personal data can no longer be processed for such purposes.

The exercise of these rights is not subject to any formal constraints and is free of charge. The email address for exercising these rights is amministrazione@slc.it