The purpose of this privacy policy is to provide full information on the processing of personal data carried out by Next 14 S.p.A. when the User accesses and navigates this website (as indicated in greater detail below)

Version n. 1 of 15 February 2023

1. INTRODUCTION – ABOUT US

Next 14 S.p.A., with registered office in Via Tortona 37, 20144 – Milan, VAT number 02701840346 (hereinafter, the “Data Controller”), owner of the internet website https://next14.com/privacy (hereinafter, the “Website”), in its capacity as data controller in relation to the personal data of the users who navigate the Website (hereinafter, the “Users”) hereby provides the privacy policy pursuant to Article 13 of EU Regulation 2016/679 of 27 April 2016 (hereinafter, the “Regulation” or “Applicable Law”).

2. HOW TO CONTACT US

The Data Controller takes its Users’ right to privacy and the protection of their personal data very seriously. For any information on this privacy policy, Users can contact the Data Controller at any time, using any of the following methods:

• By sending a registered letter with return receipt to the Company’s registered office (Via Tortona 37, 20144 – Milan);

• By sending an e-mail to the address info@next14.com

Users can also contact the Data Protection Officer (DPO) of Next14 Group at the following e-mail address: dpo@next14.com

2. WHAT WE DO – PURPOSE OF THE PROCESSING

By browsing the Website, the User can stay up to date regarding the services and activities developed and/or promoted by the Data Controller, request information from the Data Controller or send job applications to the Data Controller.

In relation to the activities that may be carried out through the Website, the Data Controller collects personal data relating to the Users.

This Website and any services offered through the Website are reserved for persons over the age of 18. The Data Controller therefore does not collect personal data relating to persons under the age of 18. At the request of Users, the Data Controller will promptly delete all personal data involuntarily collected and relating to persons under the age of 18.

Specifically, the personal data of Users will be lawfully processed for the following purposes:

1. contractual obligations and provision of the requested service, namely to allow the navigation of the Website and the execution of specific User requests, including those of a general or commercial nature, press-related requests, or job /collaboration applications sent to the Data Controller.

The User’s data collected by the Data Controller to this end includes:

• navigation of the Website: all personal data whose transmission is implicit in the use of Internet communication protocols, which the computer systems and software procedures used to operate the Website acquire during their normal functioning: the IP addresses or domain names of the computers used by the Users, the addresses in URI notation (Uniform Resource Identifier) of the requested resources, the time of the request, the method used in submitting the request to the server, the file size obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.) and other parameters relating to the operating system and the User’s IT environment. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the Website and to allow its correct operation;

• Contacts section of the Website: the name, surname, e-mail address, and all the information and personal data voluntarily entered by the User in any field present in the form or all the information provided through the e-mail address given on the Website. The User’s personal data will be processed by the data Controller for the sole purpose of ascertaining the User’s identity (also through e-mail address validation), thus avoiding possible fraud or abuse, and for contacting the User for service reasons following up the User’s request;

• Career section on the Website: the name, surname, e-mail address, telephone number, skills indicated in the job application, and all the information and personal data voluntarily entered by the User in the curriculum vitae and the cover letter attached to the request. The data provided by the User will be processed to ascertain the User’s identity (also through e-mail address validation), thus avoiding possible fraud or abuse, and to process the User’s request regarding the possibility of establishing a working relationship/ collaboration with the Data Controller and, in particular, to i) send the User any information relating to the Data Controller’s are of business (target market, logistical information such as the location of the interview, interview procedures, etc.), which is necessary or even only useful for the User with a view to any interview to which the User may be invited by the Data Controller; and ii) to communicate with the User solely for reasons related to the selection process (communication of the dates of any interviews, communication of the outcome of the selection, etc.).

2. administrative and accounting purposes, namely, to carry out activities of an organisational, administrative, financial and accounting nature, such as internal organisational activities and functional activities for the fulfilment of contractual and pre-contractual obligations;

3. legal obligations, namely, to comply with obligations imposed by law, by an authority, by a regulation or European legislation.

The provision of personal data for the processing purposes indicated above is optional but necessary, since failure to provide such data will make it impossible for the User to contact the Data Controller for the purposes indicated on the Website through the appropriate sections provided by the Data Controller on the Website.

The personal data necessary for the pursuit of the processing purposes described in this section 3 are indicated with an asterisk in the various forms provided by the Data Controller on the Website.

2. LEGAL BASIS

Contractual obligations and provision of the service (as described in section 3(a) above): the legal basis consists of Article 6, paragraph 1(b) of the Regulation, i.e. the processing is necessary for the performance of a contract to which the User is a party, or for the performance of pre-contractual measures taken at the User’s request.

Administrative and accounting purposes (as described in section 3(b) above): the legal basis consists of Article 6, paragraph 1(b) of the Regulation, as the processing is necessary for the performance of a contract and/or the implementation of pre-contractual measures taken at the User’s request.

Legal obligations (as described in section 3(c) above): the legal basis consists of Article 6, paragraph 1(c) of the Regulation, as the processing is necessary to comply with a legal obligation to which the Data Controller is subject.

5. PROCESSING METHODS AND DATA RETENTION PERIOD

The Data Controller will process the User’s personal data using manual and computerised tools, following criteria strictly related to the purposes stated above and, in any case, in such a way as to guarantee the security and confidentiality of the data.

Navigation data is not stored for more than 30 days (except when required by a judicial authority investigating possible criminal offences). The personal data of the Website’s Users collected through forms present on the Website will be stored for the time strictly necessary to fulfil the primary purposes indicated in section 3 above, or in any case for as long as is necessary to protect the interests of both the Users and the Data Controller under civil law, and in any case:

• no more than 24 months for data collected through the Contacts section on the Website;

• no more than 24 months for data collected through the Career section on the Website.

5. TRANSMISSION AND DISSEMINATION OF DATA

The User’s personal data may be transferred outside the European Union and, in this case, the Data Controller will ensure that the transfer takes place in accordance with the Applicable Law and, in particular, in accordance with Articles 45 (Transfer on the basis of an adequacy decision) and 46 (Transfer subject to adequate safeguards) of the Regulation.

The personal data of the Users may be disclosed to the employees and/or collaborators of the Data Controller in charge of managing the Website and Users’ requests. These subjects, who have been instructed in this matter by the Data Controller pursuant to Article 29 of the Regulation, will process Users’ data exclusively for the purposes indicated in this policy and in compliance with the provisions of the Applicable Law.

The personal data of Users may also be disclosed to third parties who may process personal data on behalf of the Data Controller in their capacity as Data Processors, such as, for example, IT and logistic service providers functional to the operation of the Website, suppliers of outsourcing or cloud computing services, professionals and consultants.

Users have the right to obtain a list of any data processor appointed by the Data Controller, making a request to the Data Controller in the manner indicated in section 7 below.

5. RIGHTS OF DATA SUBJECTS

Users may exercise their rights granted by the Applicable Law by contacting the Data Controller using any of the following methods:

• By sending a registered letter with return receipt to the Company’s registered office (Via Tortona 37, 20144 – Milan);

• By sending an e-mail to the address info@next14.com

Users can also contact the Data Protection Officer (DPO) of Next14 Group at the following e-mail address: dpo@next14.com

Pursuant to the Applicable Law, Users have:

1. 1. the right to withdraw consent at any time, if the processing is based on their consent;

   2. the right of access to their personal data;

   3. (where applicable) the right to data portability (the right to receive all personal data concerning them in a structured, commonly used and machine-readable format), the right to restriction of processing of personal data, the right to rectification and the right to erasure (“right to be forgotten”);

   4. the right to object:

      1. in whole or in part, for legitimate reasons, to the processing of personal data concerning them, even if relevant to the purpose of collection;

      2. in whole or in part, to the processing of personal data concerning them for the purpose of sending advertising material or direct sales material or for carrying out market research or commercial communication;

   5. if they consider the processing of their personal data to be in breach of the Regulation, the right to lodge a complaint with the supervisory authority (in the Member State where they habitually reside, where they work or where the alleged breach occurred). The Italian supervisory authority is the “Garante per la protezione dei dati personali”, with headquarters in Piazza Venezia, n. 11, 00186 – Rome (RM) (www.garanteprivacy.it).

***

The Data Controller is not responsible for updating all the links that can be viewed in this privacy policy; therefore, whenever a link is not functional and/or updated, the User acknowledges and accepts that they must always refer to the document and/or section of the websites accessed by this link.