Dear User, please find below some information that we are required to provide to you, not only to comply with legal obligations, but also because transparency and fairness toward you and all data subjects are fundamental to our business.

DATA CONTROLLER
The Data Controller is part of a “business group” as defined in Article 4(19) of the GDPR and manages personal data protection obligations through shared policies and compliance measures under the control of the parent company Sweden & Martina S.p.A. (VAT No. 00401550280) with headquarters in Italy, a country belonging to the European Union, in accordance with the agreements signed between the group companies. The data controller is the group company that determines the processing of your personal data. In practice, the data controller is typically the company with which you have a professional relationship. You may contact your data controller by writing to privacy@sweden-martina.com, in addition to the contact details provided in the “Data Controller Contact Information” section of this policy.

DATA PROTECTION OFFICER
The Data Controller has appointed a Data Protection Officer (DPO), who can be contacted at the following addresses: email: dpo@sweden-martina.com – Certified email (PEC): dataprotectionofficer@pec.it

DATA CATEGORIES AND SOURCES
For the purposes of data processing, the Data Controller will process common data, such as: personal details, contact information, address information, data related to identification documents, login and identification data, employment-related data, professional qualifications, training-related data, and video surveillance recordings.

The data processed is provided by you or by third parties, such as recruitment or staffing agencies, and/or collected from publicly available sources.

PROVISION OF DATA
Failure to provide the required data may result in legal and contractual consequences, while failure to provide optional data may make it impossible to process the data or result in only partial processing. Therefore, if the data is not provided, the data subject may not obtain the expected result or may obtain it only partially.

DATA PROCESSING Your personal data is collected and processed using automated, semi-automated, and non-automated methods, as specified below. The retention period indicated in each case must, however, be extended by the time required for the statute of limitations to expire with respect to mutual rights and the retention period for backups.

We process your data in order to take pre-contractual steps at your request or to perform a contract to which you are a party, specifically:

• Recruitment of new employees (we will retain this data for five years from the year of recruitment).

We process your data in order to comply with a legal obligation to which the Data Controller is subject, specifically:

• management and maintenance of the network and IT systems (we will retain the data for 18 months after the termination of the contractual relationship with regard to obligations pertaining to system administrators);
• ensure corporate compliance, e.g., manage obligations related to personal data protection (we will retain the data for the time strictly necessary to fulfill the purpose).

We process your data to pursue a legitimate interest of the Data Controller, specifically:

• monitoring of people entering the company and call routing (we will retain the data for one year from the date it was collected);
• ensure corporate compliance, e.g., prevent the commission of criminal offenses for the benefit or in the interest of the organization (we will retain the data for the time strictly necessary to fulfill this purpose)
• video surveillance activities to protect company assets, ensure personal safety, and provide perimeter security against intrusions and property damage (we will retain the data for 24 hours, except in cases where the footage must be retained—e.g., theft);
• management and maintenance of the network and IT systems (we will retain data for 10 years from the year the contractual relationship ends for accounts, passwords, and usernames)
• to prevent and/or detect any misuse and to defend our rights and interests in court or during the preliminary stages leading up to any legal proceedings (we retain the data until the purpose of the processing no longer applies).

DISCLOSURE OF DATA
Your data may be disclosed exclusively for technical and operational purposes strictly related to the aforementioned purposes, to parties that process data on behalf of the data controller, appointed as data processors pursuant to Article 28 of EU Regulation 2016/679, as well as to public authorities to which there is a legal obligation to disclose such data.

TRANSFER OF DATA OUTSIDE THE EU
The processing of personal data (e.g., storage, archiving, and retention of data on our servers or in the cloud) will be limited to the scope of circulation and processing of personal data within the countries of the European Union, with an express prohibition on transferring such data to non-EU countries that do not guarantee (or in the absence of) an adequate level of protection, that is, in the absence of safeguards provided for by EU Regulation 2016/679 (third countries deemed adequate by the European Commission, group BCRs, standard contractual clauses, consent of the data subjects, etc.).

YOUR RIGHTS
As a data subject, you have the right, in accordance with Articles 15 et seq. of EU Regulation 2016/679, to request from the Data Controller access to your personal data, as well as their rectification and erasure or the right to be forgotten. You also have the right to request data portability, to restrict processing, or to object to such processing.

For processing based on consent, the data subject has the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent given prior to withdrawal. To exercise your rights or request additional information, you may contact the Data Controller using the contact information provided above. Finally, you may lodge a complaint with the competent supervisory authority.

CHANGES We reserve the right to update our Privacy Policy. Changes will be communicated in the manner deemed most appropriate and we will update the date in this Privacy Policy. Therefore, we recommend that you periodically consult our Privacy Policy, including by requesting a copy from the Data Controller.

Last updated M.231 rev.6 – October 28, 2025