PRIVACY POLICY
updated to EU Reg 2016/679

1) Introduction

Erba s.r.l. takes the user’s privacy seriously and is committed to respecting it. This privacy policy (“Privacy Policy”) describes the personal data processing activities carried out by Erba s.r.l. through the website https://www.erbasrl.it (Site) and the relevant commitments undertaken by the Company in this respect.

Erba s.r.l. may process the personal data of users when they visit the Site and when they use the services and functionalities offered by the Site. In the sections of the Site where the user’s personal data are collected, a specific information notice pursuant to art. 13 /15 of the EU Reg. 2016/679 is normally published.

Where required by EU Reg. 2016/679, the user’s consent will be requested before proceeding to process his/her personal data. If the user provides personal data of third parties, he/she must ensure that the communication of the data toErba s.r.l.and the subsequent processing for the purposes specified in the applicable privacy policy complies with EU Reg. 2016/679 and the applicable legislation.

2) Identification details of the data controller, data processor

Data Controller :

Erba s.r.l.

Via Bologna, 1

20060 Bussero (MI) Italy

erba@erbasrl.it

It is possible to obtain information on the data stored with us at any time and free of charge, and to exercise the right to correct, block or cancel the data by communicating via email or telephone to the contact data indicated above.

3) Type of data processed

Visiting and consulting the Site does not generally involve the collection and processing of the user’s personal data except for navigation data and cookies as specified below. In addition to the so-called “surfing data” (see below), personal data voluntarily provided by the user when interacting with the functions of the Site or requesting to use the services offered on the Site may be processed. In compliance with the Privacy Code, Erba s.r.l. may also collect the user’s personal data from third parties in the course of its business.

4) Cookies and navigation data

The Site uses “cookies”. By using the Site, the user consents to the use of cookies in accordance with this Privacy Policy. Cookies are small files stored on the hard disk of the user’s computer. There are two macro-categories of cookies: technical cookies and profiling cookies.

Technical cookies are necessary for the correct functioning of a website and to allow the user to navigate; without them the user may not be able to view the pages correctly or use certain services.

Profiling cookies have the task of creating user profiles in order to send advertising messages in line with the preferences expressed by the user during navigation.

Cookies can also be classified as:

session” cookies, which are deleted immediately when the browser is closed;

persistent” cookies, which remain in the browser for a certain period of time. They are used, for example, to recognise the device that connects to a site, facilitating authentication operations for the user;

_ “own” cookies, generated and managed directly by the manager of the website on which the user is browsing;

third-party” cookies, generated and managed by parties other than the operator of the website on which the user is browsing.

5) Cookies used on the site

The Site uses the following types of cookies

1) its own, session and persistent cookies, necessary to allow navigation on the Site, for internal security and system administration purposes;

2) third party cookies, session and persistent, necessary to allow the user to use multimedia elements on the Site, such as images and videos;

3) persistent third-party cookies used by the Site to send statistical information to the Google Analytics system, through which Erba s.r.l. can perform statistical analyses of access/visits to the Site. The cookies used are for statistical purposes only and collect information in aggregate form.

By means of a pair of cookies, one of which is persistent and the other a session cookie (expiring when the browser is closed), Google Analytics also saves a log with the times of the beginning of the visit to the Site and of the exit from it. You can prevent Google from collecting and processing data by downloading and installing the browser plug-in at the following address:

http://tools.google.com/dlpage/gaoptout?hl=it

4) persistent third-party cookies used by the Site to include buttons from certain social networks (Facebook, Twitter and Google+) on its pages. By selecting one of these buttons, the user can publish the contents of the web page of the Site he is visiting on his personal page of the relevant social network.

The Site may contain links to other sites (so-called third party sites). Erba s.r.l. does not have any access to or control over cookies, web beacons and other user-tracking technologies that might be used by third-party sites that the user might access from the Site; Erba s.r.l. does not have any control on the contents and material published by or obtained through third-party sites, nor on the methods of processing the user’s personal data, and it expressly declines any responsibility in the matter. The user is required to check the privacy policy of third party sites accessed through the Site and to inform himself of the conditions applicable to the processing of his personal data. This Privacy Policy applies only to the Site as defined above.

6) How to disable cookies in browsers

**We suggest reading the guide for each browser for the procedure to disable cookies.

7) Storage of personal data

Personal data are stored and processed by means of IT systems owned and operated by Erba s.r.l. or by third-party technical service providers; for further details, please refer to the section “Scope of accessibility of personal data” below. The data are processed exclusively by specifically authorised personnel, including personnel appointed to carry out extraordinary maintenance operations.

8) Purposes and methods of data processing

Erba s.r.l. may process users’ common and sensitive personal data for the following purposes: use of services and functions on the Site by users, management of requests and notifications by users, sending of newsletters, management of applications received through the Site, etc. Furthermore, with the user’s further specific and optional consent, Erba s.r.l. may process personal data for marketing purposes, i.e. to send the user promotional material and/or commercial communications regarding the company’s services at the addresses indicated, both through traditional methods and/or means of contact (such as paper mail, telephone calls with operator, etc.) and automated means (such as Internet communication, fax, e-mail, SMS, applications for mobile devices such as smartphones and tablets – APPS -, social network accounts, etc.). APPS-, social network accounts -e.g. via Facebook or Twitter-, telephone calls with automatic operator, etc.).

Personal data are processed both in paper and electronic form and entered into the company’s information system in full compliance with EU Reg 2016/679, including security and confidentiality profiles and inspired by the principles of fairness and lawfulness of processing. In accordance with EU Reg 2016/679 the data are kept and stored for the period of time necessary for processing.

9) Security and quality of personal data

Erba s.r.l. undertakes to protect the security of the user’s personal data and complies with the security measures provided for by the applicable legislation in order to prevent loss of data, illegitimate or unlawful use of data and unauthorised access to the same, with particular reference to the Technical Regulations concerning minimum security measures. Moreover, the information systems and software used by Erba s.r.l. are designed to reduce the use of personal and identification data to a minimum; such data are processed only for the achievement of the specific purposes from time to time pursued. Erba s.r.l. uses a number of advanced security technologies and procedures in order to ensure the protection of the user’s personal data; for example, personal data are stored on secure servers located in secure, controlled-access areas. The user can help Erba s.r.l. to update and keep his personal data correct by communicating any change in his address, job title or contact details.

10) Scope of data communication and access

Your personal data may be communicated to:

all subjects whose right of access to such data is recognised by virtue of regulatory provisions;

to our collaborators, employees, within the scope of their duties;

to all those physical and/or juridical, public and/or private persons when the communication is necessary or functional to the carrying out of our activity and in the ways and for the purposes illustrated above;

11) Nature of the provision of personal data

The provision of certain personal data by the user is compulsory in order to allow the Company to manage communications, requests received from the user or to contact the user to follow up his request. This type of data is marked with an asterisk symbol [*] and in this case the provision of such data is obligatory in order to allow the Company to process the request, which, if not provided, cannot be fulfilled. On the contrary, the collection of other data not marked with an asterisk is optional: failure to provide such data will not entail any consequences for the user.

The provision of personal data by the user for marketing purposes, as specified in the section “Purposes and methods of processing” is optional and refusal to provide such data will have no consequences. The consent given for marketing purposes is understood to extend to the sending of communications by both automated and traditional methods and/or means of contact, as exemplified above.

12) Rights of the interested party

12.1 Art. 15 (right of access) , 16 (right of rectification) of EU Reg. 2016/679

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, if so, to obtain access to the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular to recipients in third countries or international organisations

(d) the proposed period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period

(e) the existence of the right of the data subject to request from the controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning him or her or to object to the processing of personal data concerning him or her

(f) the right to lodge a complaint with a supervisory authority;

(h) the existence of an automated decision-making process, including profiling and, at least in such cases, meaningful information about the logic used, as well as the importance and the envisaged consequences of such processing for the data subject.

12.2 Right under Article 17 of EU Reg. 2016/679 – right to erasure (“right to be forgotten”)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall be obliged to erase the personal data without undue delay if any of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws the consent on which the processing is based in accordance with point (a) of Article 6(1) or point (a) of Article 9(2) and if there is no other legal basis for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there is no overriding legitimate ground for processing, or objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data must be erased in order to comply with a legal obligation laid down by Union or Member State law to which the controller is subject;

(f) the personal data have been collected in connection with the provision of information society services as referred to in Article 8(1) of EU Reg. 2016/679.

12.3 Right referred to in Art. 18 Right to restriction of processing

The data subject shall have the right to obtain from the data controller the restriction of processing when one of the following applies:

(a) the data subject disputes the accuracy of the personal data, for the period necessary for the controller to verify the accuracy of such personal data;

(b) the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead that their use be restricted

(c) although the controller no longer needs the personal data for processing purposes, the personal data are necessary for the establishment, exercise or defence of legal claims by the data subject;

(d) the data subject has objected to the processing pursuant to Article 21(1) of EU Reg 2016/679 pending verification as to whether the legitimate reasons of the data controller override those of the data subject.

12.4 Right referred to in Article 20 Right to data portability

The data subject has the right to receive in a structured, commonly used and machine-readable format personal data concerning him or her that has been provided to a data controller and has the right to transmit such data to another data controller without hindrance by the controller

13. Withdrawal of consent to processing

The interested party may revoke consent to the processing of his/her personal data by sending a communication to the following address: Erba s.r.l. – Via Bologna, 1 – 20060 Bussero (MI) – Italy or to the following e-mail address erba@erbasrl.it, accompanied by a photocopy of your identity document, with the following text: <>. At the end of this operation your personal data will be removed from the archives as soon as possible.