INFORMATION ON THE PROCESSING OF
PERSONAL NAVIGATION DATA AND COOKIES

Who is the Data Controller?

The Data Controller is Gruppo Toscano S.p.A., Via Nomentana 90/92 00161 Roma. The information describes the features of processing carried out by the Data Controller in relation to the website's browsing data http:// guidobaldi.it/

What personal data do we collect?

The Data Controller collects the following data:

• user identification data, such as, for example, IP addresses and computer domain names;
• data related to the use of the website by the user;
• data voluntarily provided by the user – identifying information - access to certain services offered through the website, which is referred to specific information in the relevant reference sections (for example, the section "Contact the agency for this property").

As for the use of cookies, these consist of text files that are automatically generated in the user's computer after the visit to any of the website's pages. Some of these files (session cookies) are automatically removed when the browser is closed. Instead, another type of cookie is recorded and stored on the User's computer (for example, to automate the access procedure to the private area, the User can choose for his User-id and password identification data to be stored in one of these files). Gruppo Toscano uses the following technical cookies: - - AntiXsrfToken: it is a security cookie used to prevent cross-scripting attacks - this cookie is anonymous; - ai_user / ai_session: these cookies allow information collection on the user and the device used; - ARRAffinity: these cookies are set by our hosting provider for performance purposes. They contain unique but random values and are destroyed as soon as you close the browser; - cookiesDirective: these cookies memorise if the cookie law has been shown or not. Further types of cookies consist of analytical cookies, used to collect information, in aggregate form, on the number of users and on the methods by which the latter visit the website. The aforementioned cookies can be installed directly from the site manager or from a different site that installs them through the first terminal (what are known as "third-party" analytical cookies). The Gruppo Toscano website uses analytical cookies from third parties, meaning by the latter, in particular: - Google Analytics cookies in collecting aggregate and anomalous information on the users' browsing carried out on websites. You can disable Google Analytics cookies by downloading a specific plug-in browser available at the following url: https://tools.google.com/dlpage/gaoptout - https://www.google.com/intl/it/policies/privacy/; - Facebook cookies in collecting information on user preferences for behavioural advertising purposes. You can disable Facebook cookies, if you have a Facebook profile using your Facebook account settings or using the Do Not Track setting on your browser. For more information, please see the page available at the following url: https://www.facebook.com/help/Cookies/ - https://www.facebook.com/privacy/explanation; - Sharethis cookies in sharing web pages on social networks. For further information, please consult the page available at the following URL: http://www.sharethis.com/pri.html Finally, the last type of cookies consists of profiling cookies, for the purpose of sending advertisement messages; for example through custom banners, in line with the preferences shown by the user while surfing the internet. Should the User prefer not to receive cookies, he/she can prevent their transmission by the website by appropriately configuring his/her web browser. In some cases, however, the use of some parts of the website may be affected by the storage of cookies on the User's computer.

For what purposes are personal data used?

The Data Controller processes personal data for the following purposes:

• to manage the correct use of the website;
• to evaluate the use of the website by users in statistical format;
• to ascertain any wrongdoing committed by users to the detriment of third parties or to the detriment of the Data Controller;
• to comply with the European and national legislation, as well as with the provisions of the Privacy Authority;
• to profile the user based on his/her browsing within the website.

Why is the process that we do legitimate?

The processing of personal data carried out by the Data Controller is legitimate because it is based on the consent of the interested party expressed during the act of browsing.

How will the Data Controller process your personal data and how long are they stored?

Your personal data are processed both in paper and electronic format. The Data Controller stores the user's personal information by following certain fundamental criteria highlighted below: in particular, referring to the purposes of collection and the statute of limitations prescribed by law.

To whom do we disclose your personal data?

Within the Data Controller's organisation

Personal data may be accessed by the Data Controller's collaborators who need it to offer the services requested, limited only to information that is instrumental and related to this, with particular reference to employees and non-employees.

Service providers

The Data Controller shares personal information with some suppliers who support Gruppo Toscano in the website's management. If third parties access the data, they will do so in compliance with the current legislation for the protection of personal data and instructions given by the Data Controller.

Legislative requirements

We do not disclose personal information to other third parties without permission, except when required by the law or by an Authority.

Are the data transferred abroad?

User data are not transferred abroad.

What are your rights as a data subject and how can you exercise them?

The European General Data Protection Regulation (2016/679) guarantees you, as a data subject in processing, specific rights.

For each process, you may exercise the following rights:

• Right of access: you have the right to obtain a copy of the personal data we hold and which are subject to processing;
• Right to rectify: you have the right to rectify your personal data stored by the Data Controller if they are not updated or correct;
• Right to object the processing of personal data for commercial purposes: you may request the Data Controller cease sending commercial communications any time;
• Right to oppose decisions based on solely automated processes: you may request to not be the recipient of decisions on the basis of exclusively automated processes, including profiling activity;
• Right to revoke consent already granted: you have the right to revoke consent already granted for a given process at any time;
• Right to contact the Privacy Authority for the protection of personal data: you have the right to contact the Privacy Authority for the protection of personal data in the case of doubts regarding the processing of personal data made by the Data Controller.

You may also exercise the following rights in the event of certain situations:

• Right to cancel: you may request the Data Controller delete your personal data if the purposes of processing have ceased and there are no legitimate interests or legal provisions required for the continuation of data;
• Right to object to processing: you may request the Data Controller cease performing a specific process on your personal data;
• Right to restrict processing: you have the right to request the Data Controller limit the processing operations on your personal data;
• Right to data transferability: you have the right to obtain a copy of your data in a structured and computerised format transferable to another Data Controller.

If you wish to exercise your rights, please send an email or write to the following address specifying your request and providing us with the necessary information for identification (including a copy of your identity document): [email protected] The Data Privacy Officer (DPO) will reply within one month. If for some reason we fail to respond to you, you will be provided with a detailed explanation as to why your request cannot be fulfilled. This information is intended to inform you about how your personal data are collected by the Data Controller and how they are processed. If you need any kind of clarification, please contact us using the following contact details: [email protected]