PRIVACY NOTICE REGARDING THE PROCESSING OF PERSONAL DATA
(Articles 13 and 14 of EU Regulation 2016/679)
Dear User, please find below some information that we are required to provide to you, not only to comply with legal obligations, but also because transparency and fairness toward you and all data subjects are fundamental to our business.
DATA CONTROLLER
The Data Controller is part of a “business group” as defined in Article 4.19 of the GDPR and manages personal data protection obligations through shared policies and compliance measures under the control of the parent company Sweden & Martina S.p.A. (VAT No. 00401550280) with headquarters in Italy, a country belonging to the European Union, in accordance with the agreements signed between the group companies.
The data controller is the group company that determines the processing of your personal data. In practice, the data controller is usually the company with which you have a professional relationship.
You may contact your data controller by writing to privacy@sweden-martina.com, in addition to the contact details provided in the “Data Controller Contact Information” section of this policy.
DATA PROTECTION OFFICER
The Data Controller has appointed a Data Protection Officer (DPO), who can be contacted at the following addresses: email: dpo@sweden-martina.com – Certified email (PEC): dataprotectionofficer@pec.it
CATEGORIES AND SOURCES OF DATA
For the purposes of data processing, the Data Controller will process general data, such as: personal details, contact information, address details, data related to identification/recognition documents, payment information, data regarding purchases or use of services, profiling data, product quality certificates, access and identification data, video surveillance recordings, data related to accommodation services (including specific details), photographs, video recordings, and other multimedia content.
The data processed is provided by you and/or by third parties, such as public authorities and entities (e.g., the Chamber of Commerce) and/or collected from publicly accessible sources.
PROVISION OF DATA
Failure to provide the required data may result in legal and contractual consequences, while failure to provide optional data may make it impossible to process the data or result in only partial processing. Therefore, if the data is not provided, the data subject may not obtain the expected result or may obtain it only partially.
DATA PROCESSING
Your personal data is collected and processed using automated, semi-automated, and non-automated methods, as specified below. The retention period indicated in each case must, however, be extended by the time required for the statute of limitations to expire with respect to mutual rights and the retention period for backups.
We process your data in order to take pre-contractual steps at your request or to perform a contract to which you are a party, specifically:
- customer management, responding to requests from customers or potential customers, and handling pre-contractual or contractual obligations; providing technical assistance to customers (we will retain the data for 10 years from the year of contact or the termination of the last contract);
- business activities involving the provision of goods and services (we will retain the data for 10 years from the relevant year);
- receipt and shipment of documents and goods (we will retain the data for 10 years from the relevant year or from the termination of the last contract);
- accommodation and related services in connection with commercial negotiations (we will retain data for 10 years following the termination of the last contract for data related to accommodation);
- organization and delivery of courses and events (we will retain the data for 10 years from the year the course was held).
We process your data in order to comply with a legal obligation to which the Data Controller is subject, specifically:
- maintenance of accounting records and compliance with tax obligations (we will retain the data for 10 years from the relevant year);
- management and maintenance of the network and IT systems (we will retain the data for 18 months after the termination of the contractual relationship with regard to obligations pertaining to system administrators);
- ensure corporate compliance, e.g., manage obligations related to personal data protection (we will retain the data for the time strictly necessary to fulfill the purpose).
We process your data to pursue a legitimate interest of the Data Controller, specifically:
- internal corporate management control (we will retain the data for 10 years from the relevant fiscal year);
- quality checks on goods and services (we will retain the data for 10 years from the year the last contract ends);
- activity scheduling (we will retain the data for 10 years from the year the data was collected);
- monitoring of people entering the company and call routing (we will retain the data for one year from the date it was collected);
- customer satisfaction survey (we will retain the data for 10 years from the year of contact or the termination of the last contract);
- business activities involving the provision of goods and services (we will retain the data for 10 years from the relevant year);
- ensure corporate compliance, e.g., prevent the commission of criminal offenses for the benefit or in the interest of the organization (we will retain the data for the time strictly necessary to fulfill this purpose);
- video surveillance activities to protect company assets, ensure personal safety, and provide perimeter security against intrusions and property damage (we will retain the data for 24 hours, except in cases where the footage must be retained—e.g., theft);
- management and maintenance of the network and IT systems (we will retain data for 10 years from the year the contractual relationship ends for accounts, passwords, and usernames);
- to prevent and/or detect any misuse and to defend our rights and interests in court or during the preliminary stages leading up to any legal proceedings (we retain the data until the purpose of the processing no longer applies).
We process your data based on your consent for certain purposes, specifically:
- sending informational and/or promotional materials, market analyses, and surveys (we will retain the data for up to 10 years after consent is withdrawn);
- management of reviews to promote the Data Controller’s activities and services (we will retain the data for up to 10 years from the year in which consent is withdrawn or the review is published);
- promotion of the Data Controller’s activities and recording via video or photography, with possible subsequent publication (except for data subject to disclosure, we will retain the data until consent is withdrawn; thereafter, processing will be limited to mere storage for 10 years from the year in which consent was withdrawn);
- manage community and networking activities (we will retain the data until consent is withdrawn).
Any special categories of personal data are also processed for the purposes described above based on your consent.
If you do not wish to provide your consent, we will not be able to process your personal data. Furthermore, you may withdraw your consent at any time by contacting the Data Controller using the contact information provided above.
DATA DISCLOSURE
Your data may be disclosed exclusively for technical and operational purposes strictly related to the aforementioned purposes, to parties that process data on behalf of the data controller, appointed as data processors pursuant to Article 28 of EU Regulation 2016/679, banks and financial institutions, public bodies and administrations, or public authorities to which there is a legal obligation to disclose data.
Subject to your consent, for the stated purposes, some of your data may be published on the internet, on the Sweden & Martina corporate website, on social media accounts associated with Sweden & Martina, or on video platforms (e.g., YouTube, Vimeo).
TRANSFER OF DATA OUTSIDE THE EU
The processing of personal data (e.g., storage, archiving, and retention of data on our servers or in the cloud) will be limited to the circulation and processing of personal data within the countries of the European Union, with an express prohibition on transferring such data to non-EU countries that do not guarantee an adequate level of protection, that is, in the absence of the safeguards provided for by EU Regulation 2016/679 (third countries deemed adequate by the European Commission, group BCRs, standard contractual clauses, consent of the data subjects, etc.).
YOUR RIGHTS
As a data subject, you have the right, in accordance with Articles 15 et seq. of EU Regulation 2016/679, to request from the Data Controller access to your personal data, as well as their rectification and erasure or the right to be forgotten. You also have the right to request data portability, restriction of processing, or to object to such processing.
For processing based on consent, the data subject has the right at any time to withdraw their consent, without affecting the lawfulness of processing based on consent given prior to withdrawal. To exercise your rights or to request additional information, you may contact the Data Controller using the contact information provided above.
Finally, you may lodge a complaint with the competent supervisory authority.
CHANGES
We reserve the right to update our Privacy Policy. Changes will be communicated in the manner deemed most appropriate and we will update the date in this Privacy Policy. Therefore, we recommend that you periodically consult our Privacy Policy, including by requesting a copy from the Data Controller.
Last updated M.210 Revision 7 – October 28, 2025