Privacy Notice pursuant to Article 13 of EU Regulation 2016/679

Dear Customer,

pursuant to Article 13 of EU Regulation 2016/679 (GDPR), and in relation to the personal data that Bibione Terme S.p.A. will acquire, we wish to inform you of the following:

1. Purposes of Processing:

Your personal data, freely provided and acquired in the course of Bibione Terme S.p.A.'s activities, will be processed for the following purposes:

• Sending communications for promotional and marketing purposes;
• Marketing our products and/or services through our e-commerce platform (pool tickets, wellness packages, cosmetic products, etc.);
• Statistics and customer profiling.

Your data will also be processed for the purposes required by the current anti-money laundering regulations (D.LGS. 231/2007 and subsequent amendments).

The data processed (which may be common, identifying, sensitive, or judicial in nature) will be accurate, complete, and not excessive in relation to the purposes for which they were collected and subsequently processed.

Other purposes relate to ordinary administrative, commercial, and marketing activities.

1. Processing Methods:

The data will be processed, ensuring the necessary security and confidentiality, using the following methods:

• Collection of data from the data subject (e.g., filling out a paper questionnaire);
• Collection of data electronically (filling out an online form);
• Processing using electronic and automated tools.

1. Legal Basis for Processing:

The provision of common, sensitive, and judicial personal data is strictly necessary for carrying out the activities described in point 1.

1. Refusal to Provide Data:

You have the right to refuse to provide your personal data. However, such refusal will result in the inability to receive the requested service, making it impossible to complete the registration process, and the Data Controller will not be able to fulfill contractual obligations.

1. Disclosure of Data to Third Parties:

Your personal data will be processed by the Data Controller, by the Data Processors appointed by them, and by strictly authorized personnel.

Your data may be disclosed to:

• Companies/professional firms providing assistance, consultancy, or collaboration to the Data Controller in the areas of accounting, administration, tax, legal, and financial matters;
• Public administrations for the performance of institutional functions within the limits set by law or regulations;
• Third-party service providers to whom data disclosure is necessary to fulfill the contractual services;
• Supervisory bodies responsible for checks and controls related to compliance with legal obligations.

Your data may also be disclosed to:

• Google and other search engines;
• Social networks (Facebook, Instagram, etc.);
• Competent authorities;
• Ensoul S.r.l.;
• Shopify International Limited;
• Intuit Mailchimp;
• Zoho Corporation;
• Aleapro Snc.

1. Data Dissemination:

Sensitive data are not subject to dissemination except for purposes strictly related to fulfilling contractual obligations.

1. Transfer of Data Abroad:

The collected data are not expected to be transferred to countries outside the European Union or to third countries outside the European Union.

1. Data Retention Period:

The collected data will be retained for a period of not less than 10 years. This period may be extended in accordance with a specific legal obligation.

1. Rights of the Data Subject:

You have the right:

• To access your personal data;
• To obtain the rectification or deletion of the data or the limitation of processing;
• To object to processing (with the limitations mentioned in point 3);
• To data portability;
• To withdraw consent;
• To lodge a complaint with the supervisory authority (Data Protection Authority).

1. Data Controller and Data Protection Officer (DPO):

The Data Controller is Bibione Terme S.p.A., located at Via delle Colonie n. 3 - 30028 Bibione (VE), represented by the legal representative Alessandro Vardanega.

Contact details of the Data Controller:

• Email: segreteria@bibioneterme.it
• PEC: bibionetermespa@pec.it
• Tel: 0431-441111
• Fax: 0431-441199

The designated Data Protection Officer (DPO) is Mr. Nicola Occari, who can be contacted at:

• Email: dpo@bibioneterme.it

Privacy Notice pursuant to GDPR EU 2016/679 regarding the protection of personal data

Dear Customer,

As the “Data Controller” and “Data Subject” (i.e., the individual to whom the data subject to processing relates), we wish to inform you about the essential elements of the processing operations carried out.

1. Purpose of Processing

The collection and processing of personal data, both identifying and special, are carried out for the following purposes:

• Fulfillment of Regulatory Obligations: All operations required by regulatory, fiscal, and tax obligations arising from the operation of the thermal establishment.
• Provision of Healthcare Services: Establishing and executing relationships aimed at providing the requested healthcare services.
• Initiating Relationships: Operations strictly related and instrumental to initiating the aforementioned relationships, including the acquisition of preliminary information.
• Management of Customer Relationships: Activities related to administration, accounting, orders, shipments, invoicing, services, and handling of potential disputes.
• Customer Satisfaction and Statistics: Measuring customer satisfaction and processing internal statistics.

The data will be processed in accordance with the principles of fairness, legality, transparency, and respect for privacy and rights.

The contractual, service provision, commercial dispute, and promotional purposes pertain only to the processing of the Customer's personal data. The Customer’s personal data will be processed throughout the duration of the established relationships and subsequently for the fulfillment of all legal obligations, as well as for future commercial purposes.

1. Processing Methods

The processing of data is carried out both through automated methods (on electronic or magnetic support) and non-automated methods (on paper support), in compliance with the confidentiality and security rules required by law, regulations, and internal provisions.

1. Place of Processing

Data is processed and stored at the headquarters located at Via delle Colonie 3, 30028 Bibione (VE). Additionally, data is processed by professionals and/or companies responsible for technical, development, management, and administrative-accounting activities. Data will not be transferred outside the European Union (EU).

1. Mandatory or Optional Data Provision

Some data is essential for establishing the relationship aimed at providing the healthcare service, while other data is accessory. Provision of data is mandatory only for those required by regulatory or contractual obligations.

1. Consequences of Refusing to Provide Data

• Regulatory or Contractual Obligation: Refusal would prevent the execution or continuation of the Contract, constituting illegal processing.
• No Legal Obligation: Refusal would not have the same consequences but would prevent the execution of accessory operations.

1. Disclosure of Data

Data may be disclosed to:

• Public and Private Entities: Financial Administration, Tax Police, Judicial Authorities, Labor Inspectorate, Local Health Authority, Social Security Agencies, ENASARCO, Chamber of Commerce, etc.
• Authorized Entities: Entities that can access the data based on legal provisions.
• Professionals and Consultants: Consulting firms and other professionals.

Sensitive data will not be disseminated or transferred, except for achieving the specified purposes and with your prior written authorization.

1. Data Retention Period

Data will be retained for:

• Administrative and Accounting Activities: 10 years, as established by Article 2220 of the Civil Code, subject to any delayed payments justifying an extension.

1. Rights of the Data Subject

You have the right to:

• Access personal data
• Obtain rectification or deletion of data
• Restrict processing
• Object to processing
• Data portability
• Withdraw consent
• File a complaint with the supervisory authority

If you have consented to processing, you may withdraw it at any time, subject to the mandatory obligations provided by current regulations at the time of the withdrawal request. To exercise these rights, please contact the Data Controller using the contact details provided below.

1. Data Controller and Data Protection Officer (DPO)

The Data Controller is BIBIONE TERME S.P.A., headquartered at Via delle Colonie 3, San Michele al Tagliamento (VE), 30028 - Fraz. Bibione (VE). Rights can be exercised by sending communications to:

Email: info@bibioneterme.it
PEC: bibionetermespa@pec.it

The company has designated a Data Protection Officer (DPO) as the single contact point for privacy, who can be reached at: dpo@bibioneterme.it.

Privacy Notice pursuant to and for the purposes of EU GDPR 2016/679 regarding the protection of personal data

Dear Customer,

In your capacity as "Controller" and "Data Subject", i.e., the person to whom the data subject to processing pertains and/or is managed by you, we wish to inform you of the essential elements of the processing carried out.

1. Purposes of Processing

The collection and processing of personal data are carried out for the following purposes:

• Compliance with Legal Obligations: All operations imposed by legal, fiscal, and tax obligations arising from business activities and requirements in the field of anti-money laundering.
• Provision of Health Services: Establishment and execution of contracts aimed at providing the requested health services.
• Initiation of Relationships: Operations closely connected and instrumental to the initiation of the aforementioned relationships, including the acquisition of preliminary information prior to contract conclusion.
• Management of Relationships with the Supplier: Activities related to administration, accounting, orders, shipping, invoicing, services, and management of any disputes.
• Supplier Evaluation and Statistical Processing: Evaluation of suppliers and related statistical processing.

Data will be processed in accordance with the principles of fairness, lawfulness, transparency, and protection of your/our privacy and rights. Contractual, service provision, commercial dispute resolution, and promotional purposes pertain to the processing of personal data of the Supplier only. The Supplier’s personal data will be processed for the duration of the contractual relationships established and subsequently for the fulfillment of all legal obligations and for future commercial purposes.

1. Anti-Money Laundering and Anti-Terrorism

Providing data required by anti-money laundering and anti-terrorism legislation is mandatory, and any refusal to provide such data will preclude the provision of the requested professional service and may result in the reporting of the transaction to the relevant supervisory authority. In this regard, it is specified that the processing of personal data related to anti-money laundering obligations will take place with regard to the specific execution methods imposed on non-financial operators by the Regulation on identification and retention of information as set out in Article 3(2) of Legislative Decree No. 56/2004 and adopted by Ministerial Decree No. 143/2006. Other information may also be obtained from public sources to comply with the obligations of Legislative Decree 231/2007.

1. Processing Methods

Data processing for the stated purposes is carried out both through automated methods (on electronic or magnetic media) and non-automated methods (on paper media), in compliance with the rules of confidentiality and security required by law, subsequent regulations, and internal provisions.

1. Place of Processing

Data is currently processed and archived at the headquarters located at Via delle Colonie 3, San Michele al Tagliamento (VE), 30028 - Bibione (VE). Additionally, data is processed by professionals and/or companies appointed to carry out technical, development, administrative, and accounting tasks on behalf of the company. Data will not be transferred outside the European Union (EU).

1. Mandatory or Voluntary Data Provision

Some data is essential for the establishment or execution of the contractual relationship, while other data can be considered ancillary. Providing data to the company is mandatory only for those data for which there is a legal or contractual obligation.

1. Consequences of Potential Refusal to Provide Data

In cases where data provision is required by a legal or contractual obligation, refusal would result in the Supplier being unable to execute or continue the contract, as it would constitute unlawful processing. In cases where there is no legal obligation to provide data, refusal would not have the above consequences but would nonetheless prevent the execution of ancillary operations.

1. Data Communication

Without prejudice to communications and disclosures made in compliance with legal obligations, data related to your legal entity may be communicated in Italy and/or abroad to:

• Professionals and Consultants: Consulting firms, factoring companies, credit institutions, debt recovery companies, credit insurance companies, commercial information companies, transportation companies;
• Public and Private Entities: Including following inspections or audits such as: Financial Administration, Tax Police, Judicial Authorities, Italian Exchange Office, Labor Inspectorate, ASL, Social Security Institutions, ENASARCO, Chamber of Commerce, etc.;
• Other Companies in the BIBIONE TERME S.p.A. Group;
• Entities Authorized by Law: Entities that may access your data based on legal provisions.

Sensitive data, even if processed in an entirely anonymous form, will not be subject to any form of dissemination or transfer, except for the purposes specified in this notice and with your specific written authorization.

1. Data Transfer Abroad

Supplier data is not transferred outside the European Union.

1. Data Retention Periods

The provided data will be retained in our archives according to the following parameters:

• Administrative, Accounting, Order Management, Quotation, Production Flow, Support and Maintenance, Shipping, Invoicing, Services, and Dispute Management: 10 years as stipulated by Article 2220 of the Civil Code, subject to extension for delayed payments.
• Purposes as per Points 5 Above: Retention periods are until the expiry of the contract and/or the commercial supply relationship.

1. Rights of the Data Subject

Regarding personal data, the Supplier can exercise the rights provided under the European Regulation 2016/679 and current legislation, including:

• Access to personal data
• Correction or deletion of data
• Restriction of processing
• Objection to processing
• Data portability
• Withdrawal of consent
• Filing a complaint with the supervisory authority

In the case of consent to processing by BIBIONE TERME S.P.A., it may be withdrawn at any time, subject to mandatory obligations under current legislation at the time of withdrawal request. To exercise these rights, please contact the Data Controller at the contact details provided below.

1. Data Controller and Data Protection Officer (DPO)

The Data Controller, to whom you may address requests to exercise the above rights, is BIBIONE TERME S.P.A., located at Via delle Colonie 3, San Michele al Tagliamento (VE), 30028 - Bibione (VE). The Data Protection Officer (DPO) is the Legal Representative Pro Tempore. Rights may also be exercised by sending communications to the following email addresses: info@bibioneterme.it or bibionetermespa@pec.it. The company has appointed a Data Protection Officer (DPO) as the sole point of contact for privacy matters, who can be reached at the email address dpo@bibioneterme.it.