Lumos

Pursuant to Article 13 of EU Regulation 2016/679 ("General Data Protection Regulation", hereinafter also GDPR) and the still applicable provisions of Legislative Decree no. 196 of June 30, 2003 ("Code regarding the protection of personal data"), subsequently amended by Legislative Decree no. 101 of August 10, 2018, USB S.p.A. - Società Benefit, with registered office in Milan (CAP 20159), at via Piave 21, Tax Code: 11905750961, VAT: 11905750961, with commercial brand "Lumos" (hereinafter also referred to as Lumos), hereinafter the Data Controller, provides you with the following information regarding the processing of your personal data; processing based on the principles of lawfulness, fairness, transparency, integrity and confidentiality for the protection of your rights.

1. Identity and contact details of the data controller

The data controller is USB S.p.A. - Società Benefit, with registered office in Milan (CAP 20159), at via Piave 21, Tax Code: 11905750961, VAT: 11905750961, with commercial brand "Lumos" (hereinafter referred to as Lumos), email [email protected], phone 02 5003 0462.

Your personal data will be processed by the Controller's employees, who have been appointed to process personal data and have received adequate operational instructions in this regard.

Your data may also be processed, on behalf of the Controller, by other specifically appointed subjects as Data Processors. The updated list of Data Processors is available upon request.

2. Object of processing

The Controller processes the following personal data:

* Personal data: name, surname, address, date of birth, tax code, etc.

* For registration:

Personal data (as above)

* Email address

* Phone number

* For registration via Google or Social: unique identifier provided by the external platform (Google or Social Network). The Controller does not directly collect other personal data through these platforms, except those strictly necessary and permitted by the user's privacy settings on such platforms.

3. Purpose of processing

Your personal data is processed for the following purposes and based on the following legal bases (Article 6 GDPR):

* Registration on the platform:

- Purpose: To allow registration and management of the Service User's account on the "Platform", allowing the publication and consultation of advertisements.

- Legal basis: Performance of a contract to which the data subject is party (Article 6, paragraph 1, letter b) GDPR).

* Compliance with legal obligations, regulations or community legislation:

- Purpose: To comply with obligations provided by laws, regulations or legislation, such as administrative, accounting or tax obligations.

- Legal basis: Compliance with a legal obligation to which the controller is subject (Article 6, paragraph 1, letter c) GDPR).

4. Methods of processing and data retention

The processing of your personal data will be carried out using computerized and/or paper methods, with logic strictly related to the purposes indicated above and, in any case, in such a way as to guarantee the security and confidentiality of the data itself. Specific security measures are adopted to prevent data loss, unlawful or incorrect use and unauthorized access.

Your personal data will be retained for a period of time not exceeding that necessary for the purposes for which it was collected and processed, in compliance with legal obligations. In particular:

- Data relating to portal registration will be retained for the entire duration of the registration and, subsequently, for a period not exceeding 10 years from its termination, without prejudice to any legal obligations that provide for longer retention periods.

5. Communication and access to data

Without prejudice to communications made in execution of legal obligations, your data may be communicated to external parties who perform specific tasks on behalf of the Controller (Data Processors) strictly functional to the purposes indicated above, such as, by way of example and not exhaustive:

* IT service providers for portal and information systems management;

* Email and SMS sending service providers;

* Professionals (e.g. accountants, legal consultants) for legal compliance;

* Competent authorities for legal compliance.

Your data will be communicated only in Italy and made accessible for the purposes indicated in point 3 of this policy. Data subject to online publication (for example following your advertisement) may also be accessible by parties located outside the European Union territory.

Outside of this case, your data will not be transmitted abroad.

6. Nature of data provision

The provision of data for the purposes described in point 3 (portal registration and coupon collection) of this policy is necessary to provide you with the requested services. In the absence of such data, it will not be possible to complete portal registration and/or provide coupons.

7. Rights of the data subject

The data subject, pursuant to Articles 15 and following of the GDPR, has the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed and, in such case, has the right to:

a) obtain access to personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients in third countries or international organizations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning him or her or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; where personal data are transferred to a third country or to an international organization, the existence of appropriate safeguards pursuant to Article 46;

b) obtain rectification of inaccurate personal data concerning him or her and have incomplete personal data completed;

c) obtain erasure of personal data concerning him or her without undue delay if one of the grounds referred to in Article 17 of the GDPR exists;

d) obtain restriction of processing when one of the cases referred to in Article 18 of the GDPR occurs;

e) receive in a structured, commonly used and machine-readable format the personal data concerning him or her which he or she has provided to a controller and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (right to data portability), where the processing is based on consent or on a contract and is carried out by automated means;

f) object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1); object to processing of personal data concerning him or her for direct marketing purposes through the use of automated calling systems without the intervention of an operator by email and/or through traditional marketing methods by telephone and/or postal mail;

g) not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller, is authorized by Union or Member State law to which the controller is subject, or is based on the data subject's explicit consent;

h) withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing based on consent before its withdrawal;

i) lodge a complaint with a supervisory authority (Italian Data Protection Authority – www.garanteprivacy.it).

8. Methods of exercising rights

The data subject may at any time exercise the rights described in point 7 of this policy by sending a communication:

* by registered mail with return receipt to the Controller's address indicated in point 1;

* by certified email (PEC) to the Controller's PEC address [[email protected]];

* by email to the Controller's email address indicated in point 1.

Please specify in the request the right you intend to exercise and, except in the case of PEC addressed to the data subject, provide an identity document for your identification.