November 2025

This information notice has been drafted to supplement previous versions and does not replace them.

Pursuant to Art. 13 of Regulation (EU) 2016/679 (GDPR), this notice concerns your personal data, i.e., information referring to you, processed by GPI S.p.A. within the scope of the website https://www.gpigroup.com/.

1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER

1.1.The Data Controller is GPI S.p.A., with registered office at Via Ragazzi del ’99 no. 13 – 38123 Trento (TN), VAT No.: 01944260221.

1.2. Contact information: a) telephone: +39 0461381515; b) e-mail: info@gpi.it.

2. PROCESSED DATA, PURPOSES AND LEGAL BASIS OF PROCESSING, NATURE OF PROVISION, RETENTION PERIOD

2.1. In this paragraph, regarding each purpose, you will also be informed of: the personal data processed, the legal basis for processing, the nature of the provision, and the retention period.

A. Website browsing Personal data processed:personal data transmitted implicitly during the use of internet communication protocols (IP addresses, domain names of computers used to connect to the site, URI – Uniform Resource Identifier – addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server and other parameters relating to the user’s operating system and IT environment). Purpose:to allow browsing and consultation of the website. Legal basis:Art. 6.1 lett. f) GDPR as the processing is necessary for the pursuit of the legitimate interest of the controller Nature of provision:necessary to browse the website. Retention period:the entire duration of the browsing session regarding data collected during the same and for a period not exceeding that strictly necessary to achieve the purposes for which they are collected, and in any case for a timeframe consistent with the provisions of current legislation on network and information system security, including national provisions implementing Directive (EU) 2022/2555 (NIS2 Directive) and the Directive on Electronic Communications (Directive 2002/58/EC, also known as the “ePrivacy Directive”), without prejudice to a further period if necessary for the ascertainment of responsibility in the event of computer crimes.

B. Request for information.
Personal data processed: name, surname, e-mail address, as well as optional data such as profession, reference organization, telephone number, country of origin, and other information you voluntarily provide.

Purpose: to respond to requests for information.

Legal basis: Art. 6.1 lett. b) GDPR as processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Nature of provision: necessary to make requests for information.

Retention period: for the entire duration necessary to respond to your requests for information.

C. Fraud prevention.

Personal data processed: behavior on the website, including IP addresses. Purpose: security and prevention of fraudulent conduct, for which the controller uses an automatic control system involving the detection and analysis of user behavior on the site associated with the processing of personal data, including the IP address.

Legal basis: Art. 6.1 lett. f) GDPR as processing is necessary for the pursuit of the legitimate interest of the controller.

Nature of provision: necessary to browse the website.

Retention period: for a period not exceeding that strictly necessary to achieve the purposes for which they are collected, and in any case for a timeframe consistent with current legislation on network and information system security, including national provisions implementing Directive (EU) 2022/2555 (NIS2 Directive) and the Electronic Communications Directive (Directive 2002/58/EC, also known as the “ePrivacy Directive”), unless an anomaly occurs. In such a case, data will be retained until the behaviors are ascertained and, in the event of legal action, until the conclusion thereof.

2.2. Regarding the “Work with us” section, please refer to the specific privacy notice contained in that section.

2.3. Regarding cookies, please refer to the cookie policy available in the specific section on this website.

2.4. Regarding browsing on the Data Controller’s social network profiles, please refer to the specific privacy section of the relevant websites.

2.5. Your personal data may be processed, if necessary and subsequent to its provision for the purposes above, to ascertain, exercise, or defend a right in court, based on the legitimate interest of the Data Controller (Art. 6.1 lett. f) GDPR).

3. POSSIBLE RECIPIENTS OF DATA

3.1. To provide the requested services, the Data Controller may entrust your personal data to various service providers, with whom a specific contract has been drawn up aimed at protecting your personal data and complying with personal data protection legislation. These are subjects identified as Data Processors, who may process your personal data based on a specific assignment pursuant to Art. 28 GDPR, following the instructions and directives provided by the Controller. In particular, this may involve: a) persons, companies, or professional firms providing assistance and consultancy activities to the Controller; b) subjects with whom it is necessary to interact to allow browsing of the website, for example, the hosting service provider; c) subjects delegated to carry out technical maintenance activities on network equipment and electronic communication networks. The complete list of data processors is available by sending a request to the Controller at one of the contact points indicated in this notice.

3.2. The Controller may communicate your personal data to subjects, bodies, or authorities to whom communication is mandatory by virtue of legal provisions or orders from authorities. Such subjects will operate as independent data controllers.

3.3. Your personal data may be communicated to and processed by persons authorized by the Controller for processing pursuant to Art. 29 GDPR, who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, such as Company employees.

4. DATA TRANSFER TO NON-EU COUNTRIES AND/OR INTERNATIONAL ORGANIZATIONS

4.1. Your personal data may be transferred to non-EU countries based on the standard contractual clauses referred to in Art. 46 GDPR.

4.2. Regarding cookies, please refer to the cookie policy available on this website.

5. RIGHTS OF THE DATA SUBJECT AND COMPLAINTS

5.1. Regarding the data itself, the data subject, or a person delegated in writing, may exercise the following rights, including by writing to the Controller’s contact points indicated in this notice: a) the right of access pursuant to Art. 15 GDPR; b) the right to rectification pursuant to Art. 16 GDPR; c) the right to erasure (‘right to be forgotten’) pursuant to Art. 17 GDPR; d) the right to restriction of processing when one of the hypotheses provided for by Art. 18 GDPR applies; e) the right to receive attestation that the operations carried out pursuant to Arts. 16, 17 and 18 GDPR have been brought to the attention of those to whom the data have been communicated, unless this proves impossible or involves a disproportionate effort (Art. 19 GDPR); f) the right to data portability pursuant to Art. 20 GDPR; f) [sic] the right to object to the processing of personal data pursuant to Art. 21 GDPR; g) the right not to be subject to a decision based solely on automated processing pursuant to Art. 22 GDPR; g) [sic] the right to withdraw consent at any time pursuant to Art. 7 GDPR; h) the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR.

6. FURTHER INFORMATION

6.1. The Data Controller remains available for any need for clarification and, should the processing be modified compared to that described in this document, the Controller will provide a specific updated notice.

6.2. The protection of data concerning you and compliance with the principles provided for by the legislation, with particular reference to the principle of transparency, are values of primary importance to us; we would be grateful if you could help us by reporting any misunderstandings of this document or suggesting improvements to the Controller’s references as indicated above.

7. DATA PROTECTION OFFICER

7.1. GPI S.p.A. has appointed a Data Protection Officer (DPO), who can be contacted at the following details for all matters relating to the processing of personal data and the exercise of rights deriving from the GDPR: a) telephone: +39 055750808; b) e-mail: dpo@gpi.it.