INFORMATION NOTICE GIVEN IN ACCORDANCE WITH ARTICLES 13-14 OF GDPR 2016/679 In accordance with the aforementioned legislation, this processing will be based on the principles of fairness, lawfulness, transparency and protection of your privacy and rights. Pursuant to Article 13 of GDPR 2016/679, we therefore provide you with the following information:

A - Your personal data (name, surname, identification document details and copy thereof, telephone number, email address, etc.), will be provided at the time of membership depending on the type of association requested Terme di Chianciano SpA, as the owner of the processing of your personal data, informs you of their use and your rights, so that you can knowingly express your consent, where required, and exercise the rights provided by the General Regulation for the protection of personal data (European Regulation 679/2016, hereinafter: The Regulation). Your personal data (provided to us by you, by third parties or originating, within the limits of the law, from public lists) may be processed for the following expressly stated purposes: Fulfilling a contractual or extra-contractual obligation, a legal or regulatory obligation, Proposing services or goods to the data subject, Performing profiling, transferring data to third parties, sending periodic communications. The legal basis of the processing is represented by: A Legal obligation or regulation,

B Contract with interested party or execution of contract,

C Legitimate interest of the data controller or a third party,

D Vital and urgent interest of the person concerned,

E Explicit consent of the person concerned,

F Performing a task in the public interest

In particular, below we specify the meaning of the types of purposes: legal purposes: i.e. to comply with obligations laid down by law, by a regulation, by the European Union legislation as well as by provisions issued by Authorities legitimated to do so by law or by competent supervisory or control bodies (in this case your consent is not necessary as the processing of the data is related to compliance with such obligations/provisions). Data processed by law include those relating to tax regulations or for anti-money laundering registers. contractual and, more generally, administrative-accounting, i.e. to perform obligations arising from contracts to which you are a party or to fulfil, prior to the conclusion of the contract, your specific requests, also by means of distance communication techniques, including a dedicated telephone call centre (in this case your consent is not required, since the processing of the data is functional to the management of the relationship or the execution of the requests) such processing also includes purposes arising from the protection of mutual interests in court and for tax purposes or for other legal obligations such as, for example, the keeping of anti-money laundering registers if applicable. direct commercial: data processing activities aimed at providing you with information and sending you informative, commercial and advertising material (including by means of distance communication techniques such as, but not limited to, postal mail, telephone calls, including through automated calling systems, telefaxes, electronic mail, SMS or MMS messages or other) on products, services or initiatives of the company, to promote the same, to carry out direct sales actions, to conduct market research, to verify the quality of products or services offered to you (including by telephone calls or the sending of questionnaires). The processing of such data may take place with your optional consent or on the basis of the legitimate interest of the company where deemed and evaluated not to be in conflict with your rights. Profiling: data processing activities aimed at optimising the commercial offer (also by means of focused and selected analyses), to carry out targeted commercial communications, to perform statistical research, to apply one or more profiles to you (for the purpose of making appropriate commercial decisions or to analyse or predict, again for commercial purposes, your personal preferences, behaviour and attitudes).

(In this case, your consent is optional and does not prejudice the maintenance of relations with the company). indirect commercial: i.e. by communicating your data to third parties so that they can carry out their own autonomous commercial activities as indicated in number 3 above.

(In this case, your consent is optional and does not prejudice the maintenance of relations with the company)

post-commercial: i.e. in order to investigate, after the termination or withdrawal of the relationship with the Company, the reasons for the interruption of the relationship. (In this case your consent is optional and does not prejudice the maintenance of relations with the company) Special cases of data: ‘Particular’ data also known as ‘sensitive’ data, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data relating to a person's health or sex life or sexual orientation (Art. 9 of the Regulation) or relating to criminal convictions and offences or related security measures (Art. 10 of the Regulation). Such data may only be processed with your express written consent if one of the reasons stated in Art. 9 para. 2 and Art. 10 of the regulation applies. Consent is free and optional, but refusal to consent could jeopardise the performance of one or more activities requested by you from the company that specifically concern facts for which it is essential to process this type of data. Consent to the processing of your data may be binding for the purpose of concluding contracts with the owner company or third parties. Only data whose processing is indispensable for the conclusion of a contract may be binding for the conclusion of the contract, while you may freely give or withhold consent for data that is not indispensable, and in particular for the purposes of profiling, commercial communications, marketing. Ella is under the age of 18 and over the age of 14. Your data will therefore be processed with particular care to confidentiality and within the limited timeframe necessary for the fulfilment of the services you have requested from the Controller, excluding purposes other than those underlying the relationship between you and the Controller. your data may be subject to transfer to third parties for the purposes stated by the Controller. In particular, they may be transferred to third countries subject to an adequacy finding or, failing that, subject to your express consent.

B - DATA PROCESSING METHODS.

The processing of your data is carried out by means of manual/paper filing instruments and by means of electronic and automated instruments, in a manner strictly related to the above-mentioned purposes. Where you have given your consent, processing may also take place by means of profiling or data comparison. The Company has adopted technical and organisational measures to prevent and limit the risk of loss, deterioration, and theft of your data, and to ensure their recovery within a reasonable time in the event of a data breach. Processing is carried out in such a way as to guarantee the security, protection and confidentiality of your data. Within the company, the following may become aware of your personal data, as data processors or persons in charge of the processing: employees, managers and directors or partners of the company who have or hold by law or by company statute administrative, collaborative or commercial roles subject to self-employment contracts operating within the company structure. Such personnel have been provided with adequate training and instructions by the Company to protect the storage, maintenance, updating and security and confidentiality of your data. Consent to processing by such personnel is not required as it is inherent in the necessary modalities provided for by law. Outside the company, your data may be processed by: collaborators subject to a non-employee employment contract operating outside the company's structures commercial collaborators subject to a non-employee employment contract operating outside the company's structures consultants of any kind (lawyers, chartered accountants, engineers, architects, labour consultants or other professionals registered or not registered with professional bodies), who perform technical, support (in particular: legal services, IT services, shipping) and company control tasks on behalf of the company. For the pursuit of the aforesaid purposes, the company may communicate or in any case transmit your data to certain subjects, including foreign ones, who will use the data received as autonomous co-controllers, unless they have been designated by the company as ‘data controllers’ for the processing operations for which they are specifically responsible.

It is your right to request and obtain the list of third parties to whom such data are transmitted. Public bodies or public administrations for the fulfilment of legal obligations The data controller uses IT systems in co-ownership with third parties, who therefore become co-owners of the processing and the relationship with them is regulated by a specific contractual agreement It is possible that the data controller delegates the processing of your data to other sub-processors, Since the data you provide may consist of so-called ’special‘ data, already called ’sensitive‘ data under Article 9 of the European Regulation, i.e. data relating to racial origin, health, sexual orientation or habits, political, trade union, religious or philosophical beliefs, or criminal convictions (Article 10 of the Regulation), the processing may take place with your prior written consent and for the purposes indicated in this processing form, except in cases of processing defined as lawful by the Regulation Since the data you provide may consist of so-called ’biometric‘ data, such as fingerprints, handprints, facial data or signatures collected by means of technological instruments Your data may be subject to profiling, i.e. the collection and aggregation of data concerning you for the purpose of making appropriate business decisions or for analysing or predicting your personal preferences, behaviour and attitudes for business purposes. Profiling may take place a) with your consent b) on the basis of the legitimate interest of our company. Failure to give consent for profiling purposes does not normally affect the smooth development of the relationship under which your data is processed. The performance of profiling activities could compromise your rights and opportunities with respect to the offers of our company. For your protection, the Data Controller has appointed a Data Protection Officer in the person of Luca Rampazzo Your data may be transferred to a foreign country. In this case, if this takes place within the European Union, your data will be processed in the same way as in Italy. If it is transferred to countries outside the European Union, it will be processed in accordance with your rights under the European Regulation. If your data is transferred to a country outside the EU, it may be processed by entities that guarantee the respect of the rights provided by the European Regulation through voluntary compliance by the same with general measures. The transfer of the data will take place in any case by means that guarantee the protection of the data from intrusion by third parties. Your data has been collected directly from you and we therefore provide you with the following information in this form where applicable: data of the data controller and representative data of the data protection officer purpose and legal basis of the processing recipients of the data intention to transfer data abroad duration of the storage period or criteria for determining the duration right of access, rectification, cancellation, objection to processing portability right to revoke the processing if possible unless required by law possibility to complain to the authority (Garante) if the data are required for the performance of a contract, or by law and the consequences if consent is not given if the data are or will be subject to profiling and, if so, the logic of the profiling the existence of automatic decision-making processes and the data subject's right to have decisions made after human intervention. Your data will be kept by the Data Controller, with respect to the purposes envisaged, for as long as is necessary for the performance of the existing relationship with you and in order to be able to guarantee the reciprocal protection of your rights in court, as well as to comply with legal obligations, including tax obligations. Data that are not necessary for the latter purposes will be removed within the maximum period provided for by the right to be forgotten, as indicated further on in this notice, or, at your request, even within a shorter period if this does not conflict with the rights of the Data Controller. The data of the data subject that do not have to be retained for specific legal obligations will be deleted within 10 years or 15 days of the opening of the camera park With regard to profiling logics, the company declares the following: type of household, geographical origin, specific profiles, age

C - RIGHTS OF THE DATA SUBJECT You may, at any time, exercise the following rights expressly recognised by the Regulation: You have the right to lodge a complaint at any time with the national authority (Data Protection Authority) if you consider that one of your rights has been violated You have the right to ensure that your data is always accurate and up-to-date and therefore you may at any time report or request that it be updated You have the right to revoke your consent to the processing of your data where this is not prevented by legal provision or the need to protect the holder's rights, including in court. In any case, the request for revocation gives rise to the right to restriction of processing. You have the right to access your data processed by the Controller by means of a written request, also in electronic form. It is indispensable for you to be able to provide us with proof of your identity, possibly also by means of access to our databases through credentials that can be uniquely referred to you. You are entitled to free access for one time only, whereas you may be charged a fee for subsequent requests. You are entitled to receive a reply within 30 days of your request. You have the right to have your data in a printable format. You have the right to have your data corrected and updated, and you may at any time request that your data be updated and corrected if you find that the data in our possession is out of date or incorrect. In order to ensure that your data is up-to-date, please inform us of any useful changes. You have the right to the deletion of data concerning you, provided that it is not data that the Data Controller must retain for specific legal obligations such as, for example, obligations arising from tax regulations, anti-money laundering or for the protection of the rights of the data controller in litigation. If you dispute the accuracy of your data, or the lawfulness of the processing, or the right of the Controller to delete your data, or if you object to the processing of your data and the Controller disputes your objection, you have the right to have your data stored but not processed except to the extent necessary to settle the dispute over the data. Should the Controller modify or delete all or part of your data, you have the right to be informed of this and to object to the modification and deletion. You have the right to transfer your data - stored and processed electronically - to another operator, within the limits indicated by the Regulations, and provided that it is technically feasible, in such a way that it can be easily read and acquired by third parties. The data you are entitled to transfer (portability) also include data deriving from the automatic observation of your activity through the Controller's IT services, such as searches and history of the activities performed You are entitled to object to the processing of your data, profiling, the use of data for direct marketing, profiling for public interest or for scientific or historical or statistical research purposes. The company may, under certain circumstances, adopt automated procedures in order to make decisions concerning you and in particular in order to decide whether and under what conditions to conclude contracts directly or through third parties with you. In this case, you have the right to request that, before a binding decision is taken, your position is in any case examined by a human operator who carries out a substantive assessment. The use of automated decision-making procedures may result in your exclusion from certain proposals, offers or the right to conclude contracts or benefit from particular promotions. Since your data may be processed for the purpose of conducting e-commerce activities, you are entitled to have your data processed in accordance with state-of-the-art IT procedures. For this purpose, your data may be transferred to third parties in order to carry out, in whole or in part, technical and IT procedures for the conclusion of the contract and the execution of the contract, such as, for example, third-party servers, logistics and transport service providers. Your consent for this purpose is always necessary and, in the event that you do not consent to the processing of the data necessary for the conclusion of transactions, the Company may not be able to provide you with the services requested. Consent to the processing of indispensable data must be separate from consent to the acquisition of data that is not indispensable or for purposes other than those related to the conclusion of e-commerce contracts. The company may, under certain circumstances, process your data in order to communicate with you regarding commercial or informational or educational initiatives (so-called newsletters). In this case, your consent, if necessary, must be explicit and separate from other forms of consent and you may revoke your consent for this purpose at any time. You have the right to be consulted when assessing the security procedures for the processing and protection of your data.

D - INDICATION OF PERSONS INVOLVED IN PROCESSING

Your data may be processed by the following parties:

[owner] Terme di Chianciano SpA [co-owner] Terme Italia SRL [representative] Not applicable [internal responsibility] appointed and registered [RDP/DPO] Luca Rampazzo

E - METHODS FOR EXERCISING YOUR RIGHTS Your requests may be exercised by means of written communications to the Company's address or to the e-mail address dott.lucarampazzo@gmail.com, or, if provided, autonomously within the personal area made available to you electronically by means of a unique identifier.