PRIVACY POLICY

related to the products and services of L.B.V. S.r.l. - MAAM
pursuant to the articles 13 and 14 of 2016/679/EU Regulation and 2003/196/Legislative Decree as modified by 2018/101/Legislative Decree

1. Who is the Data Controller?

L.B.V. S.r.l., VAT number and fiscal Code: 09236350964, with registered office in via Cadore n. 2 - 20092 - Milan (MI), legally represented by Mrs. Riccarda Zezza (fiscal Code: ZZZ RCR 72C 58F 839Y) is the "Data Controller" (hereinafter, "Data Controller") of personal and special data provided by the user and any jointly-entitled person (jointly defined as the "Data Subject") as defined in paragraph 2.

Pursuant to and for the purposes of Art. 37 of 2016/679/EU Regulation, the Data Controller designates Avv. Savino Menna as data protection officer, who can be contacted at the e-mail address dpo@maam.life.

2. What Data are processed?

The Data Controller processes the personal data provided by the Data Subject during their registration, including name, surname, e-mail addresses and password. In order to fully carry out the offered services and products, the Data Controller may also need to process special data categories of the Data Subject pursuant to the Artt. 9 and 10 of 2016/679/EU Regulation, including country localization, date of birth, parenthood, postal code and managerial role in the Company: therefore, it may be necessary for the Data Subject to provide such data to the Data Controller (hereinafter jointly defined as "Data").

When the "customer" of L.B.V. S.r.l. – the employer of the user who participates in the MAAM program platform – needs to receive a report containing data of the Data Subject in a non-anonymous form, the Data Controller will communicate only the name, surname, date of use of the program, total duration of the program and certification related to the lessons undertaken and the exams passed. These Data will be communicated only to the "customer" company as described above and only if there is evidence of the latter's willingness to participate in the "formazione finanziata - FondoImpresa" and/or the "fondo banche assicurazioni". In any case, L.B.V. S.r.l. reserves the right to communicate to the "customer" company - employer of the user - the Data of the Data Subject concerning name, surname and date of registration to the MAAM program, in order to allow it to verify the real progress of the signed agreement.

3. For what purposes are the Data processed?

Data processing will be performed by the Data Controller for the following purposes:

a) to stipulate agreements for the Data Controller's services and products, to allow MAAM platform access, including the purpose of advocacy (aimed to influence public Institutions and the allocation of resources within political, economic and social systems), to report to companies and scientific research related to public institutions and aimed to ensure full respect for equal opportunities in professional and work development;

b) to fulfill the pre-agreement, agreement and fiscal obligations deriving from existing relationships with the Data Subject;

c) to fulfill the obligations provided by the law, by a regulation, by EU legislation or by an order of the Authority (such as anti-money laundering, formazione finanziata);

d) to exercise the rights of the Data Controller, such as, for example, the right of defense in a trial.

The purposes referred to in letters from (a) to (d) are jointly defined as the "Contractual Purposes".

e) to perform functional activities to any securitization, credit assignment and issue of securities, company and business unit sales, acquisitions, mergers, demergers or other transformations and to the execution of such operations;

f) for the execution of controls aimed at preventing possible fraud.

The purposes referred to in letters (e) and (f) are jointly defined as the "Legitimate Interest Purposes".

4. On what legal basis are the Data processed?

Data processing is carried out in compliance with the conditions of lawfulness pursuant to the Art. 6 of 2016/679/EU Regulation and in particular:

· is necessary for the Contractual Purposes in order to guarantee the correct execution of the existing agreement between the Data Controller and the Data Subject, as defined in letters from (a) to (c) of the previous paragraph 3 and to fulfill legal obligations as defined in letter (d) of the previous paragraph 3. The processing of these Data is mandatory: if the Data Subject does not provide such Data, the Data Controller does not stipulate any agreements with the Data Subject.

Referring to the particular purposes of advocacy, reporting and scientific research, Data processing is performed in compliance with the provisions of the Art. 9 § 2 lett. h) and j) of 2016/679/EU Regulation, the Art. 89 of 2016/679/EU Regulation and the Chapter III of 2018/101/Legislative Decree;

· for the Legitimate Interest Purposes set in paragraph 3, letter (e), Data processing is carried out for the pursuit of the Legitimate Interest of the Data Controller and its counterparties in the performance of the economic operations indicated therein pursuant to Article 6, letter f) of the 2016/679/EU Regulation, adequately balanced with the interests of the Data Subject as the processing takes place within the limits strictly necessary for the execution of such transactions, while the processing for the Legitimate Interest Purposes referred to in paragraph 3, letter (f) is functional to the pursuit of a legitimate interest of the Data Controller, adequately balanced with the interests of the Data Subject in light of the limits imposed on this processing and the specific circumstances in which the processing takes place illustrated in the same paragraph 3. Data processing for the Legitimate Interest Purposes is not mandatory and the Data Subject may object to such processing in the manner set out in paragraph 8 below, but if the Data Subject objects to such processing, his Data cannot be used for the Legitimate Interest Purposes, unless the Data Controller demonstrates the presence of a prevailing binding legitimate interest or the exercise or defense of a right pursuant to Art. 21 of the 2016/679/EU Regulation.

5. How are the Data processed?

The processing of Data is carried out in accordance with the operations indicated in Art. 4 n. 2) of the 2016/679/EU Regulation and, more precisely, through: collection, recording, organization, storage, consultation, processing, modification, extraction, use, communication, deletion and destruction of data.

The Data may be processed using manual or IT tools, suitable to guarantee security, confidentiality and to prevent unauthorized access and violation of the Data processed.

The Data processed are stored using cloud computing tools on servers located within the EU territory (Germany): for more information on safety standards and compliance with the requirements set by the 2016/679/EU Regulation adopted by the selected external providers, consult the web pages https://www.digitalocean.com/security/ and https://www.hetzner.com/rechtliches/datenschutz.

The Data necessary for the reporting, advocacy and research purposes will be anonymized before processing and processed solely in aggregate form.

6. To whom are the Data communicated?

The Data may be communicated for the Contractual Purposes to any person who performs services connected and functional to the management of existing contractual relationships or those to be stipulated and, in particular, to the following categories of subjects located within the European Union:

· providers related to the products and services of the Data Controller and public institutions;

· providers related to tax and legal advice services;

· IT, storage, and cloud providers.

The Data may be disclosed for the purposes of Legitimate Interest referred to in paragraph 3, letter (e) and (f), to suppliers of assistance services, technical consulting, tax and legal advice, assignees of receivables in connection with operations of securitization of credit or assignment of credit for purposes strictly connected to the management of the relationship with the Data Subject, as well as the issuance of securities, company or business branch assignees, potential buyers of the Data Controller and companies resulting from possible mergers, demergers or other transformations of the Data Controller, also in the context of the activities functional to these operations, and to competent Authorities.

7. Are the data transferred abroad?

The Data may be freely transferred outside the national territory to countries located in the European Union.

The Data Subject will have the right to obtain a copy of the data held abroad and to obtain information about the place where such data are stored, by sending a specific request to the Data Controller in the way indicated in paragraph 8 of this Privacy Policy.

8. What are the rights of the interested party?

The Data Subject, in addition to the right to lodge a complaint with a supervisory authority, also has the rights listed below:

· Art. 15 2016/679/EU – Right of access: “The data subject shall have the right to obtain from the Data controller confirmation as to whether or not personal data concerning him or her are being processed [...]; [...] The Data controller shall provide a copy of the Data undergoing processing”;

· Art. 16 2016/679/EU – Right to rectification: “The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement”;

· Art. 17 2016/679/EU – Right to be forgotten: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”;

· Art. 18 2016/679/EU – Right to restriction of processing: “The data subject shall have the right to obtain from the controller restriction of processing if:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject”;

· Art. 20 2016/679/EU – Right to Data portability: “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. [...] The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”;

· Art. 21 2016/679/EU – Right to object: “The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions”;

· Art. 22 2016/679/EU – Automated individual decision-making, including profiling: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”.

Requests to exercise the mentioned rights may be forwarded to the Data Controller by the Data Subject by sending an e-mail to dpo@maam.life or by following the other appropriate methods communicated by the Data Controller.

9. Who are the external data processors?

The complete list of data processors is available by sending a written request to the address indicated in paragraph 8 of this Privacy Policy. The Data Controller informs the Data Subject that, with the signature of the agreement for MAAM products and services, the Client/Company employer of the Data Subject is appointed as external Data Processor and will have access to data related to the Data Subject's participation in the MAAM program and, in particular, to the name, surname, work e-mail and month of registration of the Data Subject.

10. How long will the processed data be stored?

The Data processed by the Data Controller:

· for the Contractual Purposes and the Legitimate Interest Purpose set in paragraph 3, letters from (a) to (e), they will be kept for a period equal to the duration of the agreement or service/product offered (including possible renewals) and for 10 years from its expiration date, termination or withdrawal, except in cases where storage is required for any disputes, requests by the competent authorities or in accordance with the applicable law; with particular reference to advocacy, reporting and scientific research purposes, the Data will be stored in accordance with the terms set forth in this article and processed solely in anonymized and aggregate form;

· for the Legitimate Interest Purpose set in paragraph 3, letter (f), they will be kept for the duration strictly necessary to guarantee the reliability of the controls indicated therein.

11. Modifications and Updates:

This Privacy Policy is valid from the date indicated below. The Data Controller may also make changes and/or additions to this Privacy Policy, also as a consequence of any subsequent amendments and supplements of applicable laws/regulations. If substantial, the changes will be notified in advance and the Data Subject can find the constantly updated text on the website https://2.maam-u.com or by sending a specific request to the e-mail indicated in the previous paragraph 8.

COOKIE POLICY

This Cookie Policy refers to the use of cookies by L.B.V. S.r.l.

L.B.V. Srl uses cookies to make the use of https://2.maam-u.com easier and to better adapt the site and the products and services to the interests and needs of users. Cookies can also be used to speed up future experiences and activities on this website.

By using the https://2.maam-u.com website and registering with the platform, you consent to the use of cookies in accordance with this Cookie Policy: the consent given may be revoked at any time, through the instructions indicated in the section "how to deactivate cookies" of this Policy.

If you do not want to accept our use of cookies, you can refuse to give your consent: we also inform you that if you disable the cookies we use, this may affect your user experience on the L.B.V. S.r.l. website.

What is a Cookie?

Cookies are small strings of text downloaded to your device when you visit a website. At each subsequent visit, cookies are sent to the website that originated them (first-party cookies) or to another website that recognizes them (third-party cookies). Cookies are useful because they allow a website to recognize the user's device. They have different purposes such as, for example, allowing you to efficiently navigate between pages, remembering your favorite sites and, in general, improving the browsing experience. They also help ensure that the advertising content displayed online is more targeted to a user and his interests. Depending on the function and use, cookies can be divided into technical cookies, analysis and profiling cookies and third-party cookies.

Technical cookies

Technical cookies are those whose use does not require the user's consent. These cookies are essential to allow you to browse through a website and use all its functions. Without these cookies, which are absolutely necessary, a website cannot provide certain services or functions and browsing would not be as smooth and easy as it should be. A cookie of this type is also used to store a user's decision on the use of cookies on the website. Also the performance cookies belong to this category and are often called analytics cookies: these are cookies that collect information about the use of a website's user experience and improve its operation. For example, performance cookies show the most visited pages, allow you to check which are the recurring patterns of use of a website, help to understand all the difficulties encountered in using the website and to show the effectiveness of the advertising that is published on the website. Technical cookies are essential and cannot be deactivated using the functions of this website. In general, cookies can be completely disabled in your browser at any time.

Profiling cookies

These cookies make it possible to remember the choices users make on the website and the services specifically requested, in order to provide the most advanced and personalized services. The use of these cookies requires the acquisition of the user's consent in accordance with the data protection laws (Art. 6 § 1 letter A of the 2016/679/EU Regulation). Consent is acquired through a banner visible to users on the first visit to the website. This consent can be revoked at any time by following the instructions in the "how to disable cookies" section of this Cookie Policy. The refusal to consent to the use of profiling cookies does not interfere with the possibility of accessing the site, except that it will not be possible to access these functions or functions that use these cookies.

Third-party cookies

It is also possible to use cookies from different sites or servers: this is because the site could include elements, for example, images, maps, sounds, links to web pages in other domains that reside on different servers from the requested page. In other words, these cookies are managed by site operators or servers different from the website visited. Third-party cookies are used for advertising purposes depending on the user’s interest. This information could be shared with other parties, such as advertisers, that could use cookies to gather information about the activities performed by users on the website. Advertisers can use the information to measure the effectiveness of their advertising. The use of these cookies requires the prior acquisition of the user's informed consent. These cookies are not controlled directly by the website operator and are in line with the instructions in the "how to disable cookies" section of this cookie policy.

Duration of cookies

Some cookies (session cookies) are active only until the browser is closed or if there is a logout command. Other cookies "survive" when the browser is closed and are also available for subsequent visits by the user. These cookies are called persistent and their duration is set by the server at the time of their creation. In some cases a deadline is set, in other cases the duration is unlimited.

Which cookies we use

To ensure a more efficient operation of our platform we could use: i) technical and analytical first-party cookies and ii) third-party analytical cookies.

In particular, we may use cookies for the following services / platforms:

- Google;

- Intercom;

- Addthis.

How to disable cookies from your browser

You can manage cookies through your browser settings or follow the links below to disable cookies:

- Google: https://support.google.com/chrome/answer/95647;

- Intercom: https://www.intercom.com/terms-and-policies#privacy_choices;

- Addthis: https://www.oracle.com/legal/privacy/addthis-privacy-policy.html#section8.  

Most browsers automatically accept cookies but the user can accept or refuse cookies or decide to set a notice before accepting a cookie from the websites visited at any time. The procedures for managing cookies are different and depend on the browser: the "Help" section of the toolbar in most browsers illustrates how to avoid receiving cookies, web beacons and other tracking technologies, how to get notification from the browser or how to disable them completely.

Keep in mind that changing settings will only impact that particular browser and PC. The operation is repeated on each browser and device on which you want to change the settings. Please also note that, by disabling cookies, some websites will not be able to provide profiled services.

This Cookie Policy may be changed over time: the user/visitor is invited to consult this Cookie Policy periodically.

Milan, 10 October 2018