INFORMATION SHEET ABOUT DATA PROTECTION AND PRIVACY POLICY according to the UE Regulation 679/2016

FIDEA SRL, having registered office in Servigliano (FM), Via Circonvallazione Clementina n ° 4 (hereinafter "Data Controller"), in its role of data controller, informs you, pursuant to art. 13 D.Lgs. 30.6.2003 n. 196 (hereinafter, "Privacy Code") and art. 13 EU Regulation n. 2016/679 (hereinafter, "GDPR"), that your data will be processed in the following manner and for the following purposes:

1. Data subject to processing For the purpose of the required services, the Data Controller processes personal data (such as name, surname, company name, address, telephone number, e-mail address, bank and payment details, income data — hereinafter "data"), that you delivered us via electronic means, ordinary mail or personally to our employees or to our offices. Health and judicial data may also be processed in case you provide them spontaneously, or they are necessarily for the purpose of the processing.

2. Purpose of the processing Your personal data are processed:
A) without your express consent (Article 24 letters a), b), c) Privacy Code and art. 6 letters. b), e) GDPR), for the following Service Purposes:
- to perform the services you have requested from the Data Controller for the disbursement of loans, mortgages and any other credit type, also through requests for various certifications, submission of requests to public offices or companies providing services; to provide services of banks, financial brokers and insurance products directly offered through the web portal as well as through web campaigns linked to the aforementioned portal; to offer telephone consultancy, even prolonged, about the offered products / services ; to provide banks, financial brokers and insurance companies with the data and information resulting necessary for the provision of the requested services; to advise the customers about products and/or services belonging to the categories of the requested ones, except for the faculty referred to in point 8 below:
- to fulfil the obligations established by law (administrative, accounting, fiscal and tax and for purposes related to anti-money laundering obligations), by regulations, by the Community legislation or by any other Authority order.
- to exercise the Data Controller's rights, such as the right to defence in a court;

B) with your specific and distinct consent (articles 23 and 130 of the Privacy Code and article 7 of the GDPR), for the following Marketing Purposes:
- the sending of newsletters, commercial communications and/or advertising material, services and special offers, as well as assistance and "customer care" services, via e-mail, ordinary mail and/or SMS and/or telephone.

3. Processing methods The processing of your personal data is carried out though the steps indicated in art. 4 of the Privacy Code and art. 4 n. 2) GDPR, and more precisely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Your personal data are subjected to both paper and electronic processing. The Data Controller may, in compliance with the specific legislation about this matter, use cookies on its customers or WEB alerters browsers, to the purpose of information gathering. The data will not be transferred to elsewhere and will only be stored in our computer systems. The Data Controller will process personal data along the necessary time to fulfil the aforementioned purposes and for no more than 10 years from the end of the relationship for administrative purposes and for no more than 3 years from the collection of data for Marketing Purposes, in any case. The Data collected and processed may be made available to:
Data Controller Collaborators, like Managers or Appointed Persons; companies operating in the credit or insurance field with which FIDEA already has stipulated or is going to stipulate a commercial collaboration or some co-brokerage agreements so that they will be able to offer financing or insurance products; to the Banks or Financial brokers, even in absence of assignment of a professional entrustment, for the sole purpose of reporting the name/identity of the client, in connection with the financing requests; to third parties, physical or legal, to companies that offer anti-fraud services or services which are necessary for the credit evaluation through databases; to real estate companies and to professionals providing notary activities and translation and interpreting services; the data will be shared with them only if they are involved and functional to the fulfilment of the requested services; to the Data Controller's Consultants (as autonomous Data Controllers), for the aspects that may concern them and according to the methods established by law; The data will not be disseminated and will be destroyed when we have no longer necessity or obligation to keep them

4. Access to data Your data may be made available for the purposes referred to in art. 2.A) and 2.B):
- to employees and collaborators of the Data Controller, as persons in charge and/or internal managers of the processing and/or system administrators.
- to third parties or other subjects (credit institutions, professional offices, insurance consultants, interpreters, notaries etc.) who carry out outsourced activities on behalf of the Data Controller, as external data processors.

5. Communication of data With no need for express consent (pursuant to Article 24 letters a), b), d) Privacy Code and art. 6 letters b) and c) GDPR), the Data Controller may communicate your data for the purposes referred to in art. 2.A) to: judicial authorities if they do an explicit request, as well as with those subjects to whom the communication is mandatory by law for the accomplishment of the said purposes. These subjects will process the data as independent data controllers. Your information will not be disseminated.

6. Data transfer Personal data are stored in our computer system and will not be transferred abroad. The Data Controller has in any case the right to move the servers to server farms residing in the EU territory only and only if necessary. In this case, the Data Controller hereby ensures that the data will be transferred in accordance with the applicable legal provisions, under the standard contractual clauses provided by the European Commission.

7. Provision of data and consequences of refusal to reply The provision of data for the purposes referred to in art. 2.A) is mandatory. In case of their absence, we can not guarantee the related Services

8. Rights of the involved party As an involved party, you own the rights described in art. 7 of the Privacy Code and art. 15 GDPR and precisely the rights to:
I. obtain confirmation of the existence or absence of personal data about you, even if they are not yet registered, and the communication of this data in an intelligible form;
II. obtain info about: a) the source of personal data; b) the purposes and methods of the processing; c) the method applied in case of processing of data through electronic instruments; d) the ID details of the Data Controller, the managers and the designated representative pursuant to art. 5, paragraph 2 of the Privacy Code and art. 3, paragraph 1, GDPR; e) subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them, in their role of designated representative in the State territory, managers or agents;
III. Obtain: a) updating, rectification or, in case of necessity, additions of data; b) the cancellation, transformation into anonymous form or blocking of data unlawfully processed, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed; c) the official confirm that the operations referred to in letters a) and b) have been communicated, also about their content, to those to whom the data have been made available, except in the case in which this fulfilment results as impossible or involves a use of means which are manifestly disproportionate to the assured right;
IV. to object, partially or completely a) to the processing of personal data concerning you, even if pertinent to the purpose of the collection, for legitimate reasons; b) to the processing of personal data concerning you for the purpose of sending advertising material. It should be noted that the right of opposition of the interested party, set out in point b) above, for direct marketing purposes through automated methods, extends to traditional ones. The possibility to object to these marketing communications remains, even partially, in charge of the involved party. Therefore, the involved party can decide to only receive communications using traditional methods or automated communications only, or none of the two types of communication. You also have the rights referred to in Articles 16-21 GDPR (Right of rectification, right to be forgotten, right to limitation of processing, right to data portability, right of opposition) if applicable, as well as the right to complain to Guarantor Authority. It is also your duty to promptly communicate the updating of your data by e-mail and/or registered letter A/R.

9. How to exercise rights You can exercise your rights at any time by sending:
- a registered letter A/R. to Fidea SRL, Via Circonvallazione Clementina 4, 63839 Servigliano (FM)
- an e-mail to amministrazione@fideacredito.it. Please note that Fidea srl appointed a Data Protection Manager to protect your data. His name is Mr. Sauro Antonelli, who can be reached at +39.348.8293536 or e-mail address: s.antonelli@fideacredito.it.

10. Data Controller, responsible and agents The Data Controller is Fidea srl, with registered office in Servigliano (FM), Via Circonvallazione Clementina N. 4. The updated list of data processors and persons allowed to process data is located in the registered office of the Data Controller

Consent for personal data processing
After carefully reviewing this Information Sheet, I hereby express my free and informed consent for the processing of personal data, including sensitive data, within the scope of the purposes described above, by ticking the designated box.