Privacy PolicyMod. IREG – Last Update 02/2024 Information on the processing of personal data Pursuant to Article No. 13 of the EUROPEAN REGULATION No. 679/2016 Dear Interested Party, UBGEN SRL, as Data Controller, pursuant to Article No. 13 of the European Regulation No. 679/2016 "General Data Protection Regulation (GDPR)" (hereinafter EU Regulation), which sets out provisions on the processing of personal data, intends to inform you about the processing of your personal data. The regulation establishes that any entity processing personal data is required to inform the data subject regarding the data being processed and the key elements of such processing, which must always be carried out in a lawful, fair, and transparent manner, while also protecting confidentiality and ensuring the rights of the data subject. It is specified that "processing of data" refers to any operation or set of operations related to the collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, or destruction of the data. 1. Data Controller The Data Controller is UBGEN S.R.L., with registered office at Via Regia 71, 35010, Vigonza (PD) and operational office at Viale del Lavoro 14, 35010, Vigonza (PD), Tax Code and VAT number: 04750480289, and can be contacted at: Phone: +39 049 628630 Email: privacy@ubgen.it 2. Nature of the Data Processed, Purpose, and Legal Basis of Processing Nature of the data processed. In relation to the processing purposes listed below, we inform you that only "common personal data" will be processed, such as: Company identification data (company name, VAT number, tax code, type, address, telephone number, email, etc.); Personal data of the company representative and legal responsible person (name, surname, etc.); Etc. Purpose of processing. Your personal data will be processed for the following purposes: A. To fulfill your registration request on our website and, consequently, to create a personal account by completing the appropriate form available on this page; B. To manage pre-contractual and contractual relationships; C. To comply with legal obligations; D. Marketing: to send you advertising material, direct sales offers, market research, and commercial and promotional communications. Legal Basis of Processing Personal data, for the purposes referred to in points 2A-2B and 2C, will be processed respectively: for the pursuit of a legitimate interest of the Data Controller (Art. 6, para. 1, letter f of the EU Regulation); for the execution of a contract in which the data subject is a party or for the execution of pre-contractual measures adopted at their request (Art. 6, para. 1, letter b of the EU Regulation); to comply with a legal obligation to which the Data Controller is subject (Art. 6, para. 1, letter c of the EU Regulation). Your personal data, for the purposes referred to in point 2D of this notice, may be lawfully processed only with your prior consent (Art. 6, para. 1, letter a of the EU Regulation), which must be specific, separate, explicit, documented, prior, and entirely optional. The consent you provide may be revoked at any time, without affecting the lawfulness of processing based on consent given before the revocation (Art. 7, para. 3 of the EU Regulation). Furthermore, the data subject is informed that, pursuant to Art. 21 of the EU Regulation, they have the right to object at any time to the processing of their personal data for direct marketing purposes (including profiling). If the data subject objects to processing for direct marketing purposes, personal data can no longer be processed for such purposes. Clarification: Following the principle of maximum transparency towards the data subject, which is a distinctive feature of our company, we would like to inform you that if you decide to give consent for point 2D (marketing), you must be previously informed and aware that the purposes of the processing pursued are of a specific commercial, advertising, promotional, and marketing nature, such as: 1. Sending advertising and informational material (e.g., newsletters) with a promotional nature; 2. Sending commercial information through paper, automated, or electronic means, particularly via postal mail, email, telephone (e.g., calls, WhatsApp messages, SMS, MMS), fax, and any other digital channel (e.g., websites, mobile apps); 3. Sending invitations to events, exhibitions, and informational and promotional meetings; 4. Sending updates on promotional initiatives or technical news, related to services, training, assistance, or customer satisfaction surveys on quality. 3. Data Recipients and Processing Methods Existence of an Automated Decision-Making Process, Including Profiling The processing of your personal data will be conducted in accordance with the principles of fairness, lawfulness, and transparency and may be carried out using paper-based and electronic tools, both by the company's authorized personnel and by external entities assigned to perform specific tasks on behalf of the Data Controller, as Data Processors, pursuant to Art. 28 of the EU Regulation. These external entities will receive a letter of assignment, which imposes on them the duty of confidentiality and security in the processing of personal data, as well as the adoption of appropriate security measures to prevent data loss, unlawful or incorrect use, and unauthorized access, in compliance with current regulations on personal data protection. For brevity, a detailed list of these entities is available at the Data Controller's headquarters and is at your disposal. Your personal data will not be disseminated and will not be transferred to third countries or international organizations, nor will they be communicated to third parties, except where required by legal or contractual obligations. (It should be noted that contractual obligations also include the communication of data to the other two companies of the Group, namely DENTIST EDUCATION SRL and ESSEMME COMPONENTS S.R.L., as their activities are essential for the completion/execution of your request). 4. Data Retention Periods Your personal data will be retained for a period no longer than necessary to achieve the purposes for which they are processed, in compliance with the principle of storage limitation provided by the EU Regulation, and/or for the time required by legal and contractual obligations, or until the specific consent of the data subject is revoked. ◦ With reference to the purposes indicated in points 2A-2B-2C, the data will be retained for a period no longer than necessary to achieve the purposes for which they are processed and/or for the time strictly necessary to fulfill legal and contractual obligations. ◦ With reference to the purposes indicated in point 2D, data processed for marketing purposes will be retained for no longer than 24 months from the time of collection. To guarantee the declared retention periods, a periodic review will be conducted annually to assess whether the processed data can be deleted if they are no longer necessary for the intended purposes. 5. Access to Data (Categories of Recipients to Whom Data May Be Communicated) Additionally, we inform you that the collected data will never be disclosed and will not be communicated without your explicit consent, except for necessary communications that may require the transfer of data to public entities, consultants, or other subjects for the fulfillment of tax and legal obligations, or for the fulfillment of the intended purposes (where authorized). Such transfers will be made only after the issuance of a letter of assignment that obliges them to ensure confidentiality and security in the processing of personal data. In accordance with Article 13, paragraph 1, letter e) of the EU Regulation, the following is a list of entities or categories of entities (duly identified and instructed) that may have access to the user's personal data as Data Processors or Authorized Persons: • Partners, employees, collaborators, and suppliers of the Data Controller, both in Italy and abroad, in their capacity as authorized persons and/or data processors (e.g., commercial, technical, administrative, legal, and press offices; system administrators, external professionals, service providers, etc.). • Partner companies and/or directly affiliated companies, as their activities are essential for the completion/execution of what you have requested. Your personal data may also be communicated to external subjects involved in handling the related procedures and activities, as well as to external parties who interact with the company, but only for activities functional to the aforementioned purposes. These external subjects are designated as Data Processors, in accordance with Article 28 of the EU Regulation. For brevity, a detailed list of these entities is available at our headquarters and is at your disposal. 6 & 7. Communication and Transfer of Data Without the need for explicit consent (Article 6, paragraph 1, letters b), c), and f) of the EU Regulation), the Data Controller may communicate your data for the purposes specified in points 2A to 2F to: Supervisory bodies Judicial authorities Entities to whom data communication is required by law for the fulfillment of the purposes mentioned above. These subjects will process the data as independent data controllers. Personal data is stored on devices located at the Data Controller's headquarters or with service providers within the European Union. Your data will not be disclosed. To ensure the security of such transfers, we rely solely on entities that provide the necessary guarantees to implement appropriate technical and organizational measures, ensuring that the processing complies with the requirements of EU Regulation 679/2016. Both for data stored on internal devices and for any data hosted by third-party providers, the Data Controller has implemented appropriate technical and organizational measures to guarantee an adequate level of security, in full compliance with what is indicated in the EU Regulation. 8. Consequences of Failure to Provide Data The personal data referred to in points 2A-2B-2C of this notice are necessary. Without such data, it would be impossible to proceed with registration (creation of your personal account) and fulfill contractual and legal obligations. Conversely, the personal data referred to in point 2D are optional, and the refusal to provide them will not have any consequences, nor will it affect your registration request or the execution of contractual and legal obligations. You may, therefore, choose not to provide any data or to revoke your consent at any time regarding the processing of already provided data. 9. Rights of the Data Subject As a data subject, you have the rights set out in Articles 15 to 22 of the EU Regulation, which include the right to: • Obtain confirmation of the existence and processing of personal data concerning you and, in such cases, obtain access to your data (right of access); • Receive information on the purposes of processing, the categories of data processed, the recipients or categories of recipients to whom the data has been or will be communicated (particularly if they are recipients in third countries or international organizations), the data retention period, or the criteria used to determine that period. If the data has not been collected from the data subject, you also have the right to obtain all available information regarding its origin; • Request the correction of inaccurate data concerning you (right to rectification); • Request the deletion of your personal data (right to erasure or "right to be forgotten"); • Request the restriction of processing (right to restriction of processing); • Obtain data portability, meaning the right to receive the data from the Data Controller in a structured, commonly used, and machine-readable format, and to transmit those data to another Data Controller without hindrance (right to data portability); • Object to the processing at any time (right to object). Specifically, as required by Article 21 of the EU Regulation, if personal data is processed for direct marketing purposes (including profiling), the data subject has the right to object at any time to the processing of their personal data for these purposes. In such a case, the personal data can no longer be processed for direct marketing purposes; • Be informed (with the right to object) about the existence of automated decision-making processes, including profiling; • Withdraw consent at any time, without affecting the lawfulness of processing based on consent given before the withdrawal; • Lodge a complaint with a supervisory authority (Garante per la Protezione dei Dati Personali – Italian Data Protection Authority). It is important to note that there may be conditions or limitations to the rights of the data subject. For example, the right to data portability may not apply in all cases, as it depends on the specific circumstances of the data processing. Another example: if you choose to object to data processing, the Data Controller has the right to evaluate your request, which may be denied if there are compelling legitimate reasons for continuing the processing that override your interests, rights, and freedoms. 10. How to Exercise Your Rights You may exercise your rights at any time, without any formal requirements, by sending: - A registered letter with acknowledgment of receipt to the company (see the address indicated in the letterhead); - An email to privacy@ubgen.it; Or by contacting the Data Controller directly on: +39 049 628630. 11. Minors The services offered by the Data Controller and the nature of the relationship with you do not involve the intentional collection of personal data from minors. If any minor’s data is inadvertently recorded, the Data Controller will promptly delete it, upon request or notification from the data subject. 12. D.P.O. (Data Protection Officer) – Authorized Personnel – Data Processors Below, we provide some essential information that you need to be aware of, not only to comply with legal obligations, but also because transparency and fairness towards data subjects are fundamental principles of our business. D.P.O. (Data Protection Officer) – R.P.D. (Responsabile della Protezione dei Dati). You may contact the Data Protection Officer for any information or requests concerning your data, or to report any issues encountered. The Data Controller has appointed Nicola Ghinello as the Data Protection Officer, who can be reached at: Phone: +39 348 3165267 Email: nicola.ghinello@dpo-rpd.com Authorized Personnel. The updated list of authorized personnel for data processing is kept at the Data Controller’s headquarters. Data Processors. For brevity, a detailed list of these entities is available at our headquarters.

I have read understood and accept the privacy policy.