Video Surveillance Privacy Policy

INFORMATION PURSUANT TO AND FOR THE PURPOSES OF ART. 13 OF EU REGULATION 2016/679 “GENERAL REGULATION ON DATA PROTECTION” ON THE PROCESSING OF PERSONAL DATA CARRIED OUT THROUGH THE VIDEO SURVEILLANCE SYSTEM INSTALLED BY BANCOMAT SPA.

Regulation (EU) 2016/679 (“GDPR”) and the related current Italian pro tempore reference legislation (together with the GDPR, “Privacy Policy”) - including the measures issued by the Guarantor Authority for the Protection of Personal Data (“Guarantor”) - dictate rules relating to the protection of individuals with regard to the processing of personal data, protecting their fundamental rights and freedoms.

Pursuant to art. 13 GDPR, we hereby wish to inform people who frequent our premises about the methods and purposes with which BANCOMAT S.p.A. (“ATM”, “Data Controller” or “Company”), with registered office in Piazzale Luigi Sturzo n. 15, 00144, Rome, as Data Controller, will process the personal data of these people as part of the recordings taken by the video surveillance system installed at the company headquarters.

In particular, the Company, in compliance with the most specific provisions on the subject - General Provision of the Guarantor of April 8, 2010 on video surveillance and Guidelines 3/2019 of the EDPB - has taken steps to post adequate permanent first-level signs in the areas specifically identified before the cameras reach them.

In addition to what has already been indicated in the above-mentioned signs indicating the presence of video recording tools, additional detailed information is hereby provided, in accordance with the provisions and principles of the Privacy Policy.

In the premises of the Company's headquarters, a video surveillance system of n. 5 fixed cameras has been installed - well identified by the appropriate signs and in compliance with the provisions of art. 4, paragraph 1, of Law 300/1970 (“Workers' Statute”) - with timer lighting for exclusive purposes of security, anti-intrusion and protection of people and company assets. The cameras will be active from 22:00 to 7:00 on working days while they will always remain active on holidays, weekends and periods of company closure.

The personal data referring to people who may be filmed (“Data”) and processed by the Company through the use of the System consist of images and videos that may possibly depict these people, if they fall within the range of the cameras.

As set out above, the Data are processed by the Company, in full compliance with the Privacy Legislation, exclusively for purposes related to organizational and productive needs, to the safety of work and premises and to the protection of corporate resources. The processing is carried out - pursuant to art. 6, paragraph 1, letter f), of the GDPR - based on the legitimate interest of the Data Controller in protecting the people who frequent their premises and their business assets. No other use of the Data that goes beyond the purposes indicated above is allowed.

Data processing is carried out through a video surveillance system (“System”), which allows the recording and recording of images and videos. The images will be kept on the servers for a maximum period of 72 hours, then they will be automatically deleted. It should be noted that, for security reasons and to ensure the protection of premises and company assets, the cameras will always be active during periods of company closure. The recordings collected during this period will be kept for the entire closing period and for a maximum time of 72 hours following the reopening, after which they will be automatically deleted.

Specific requirements for further storage of the images remain without prejudice to an investigative request from the judicial authority or judicial police or if it is necessary to protect the rights of BANCOMAT and pursue the purposes indicated above.

The System installed at the Company's headquarters is managed on its behalf by a supplier — ASG NETWORK S.r.l. — third company highly specialized in the business security sector. Furthermore, in the event of an alarm, the System is connected to the supplier's own Operations Center in order to ensure greater efficiency in cases of emergency intervention. This provider has been appointed as data controller pursuant to art. 28 of the GDPR.

They will be able to access the System and view the recordings, in cases where it is essential for the purposes pursued, only authorized and specially trained subjects in the field of protection of confidentiality. In particular, the supplier's employees and, only in strictly necessary cases, also the Company's internal employees employed in the IT security department, appropriately appointed and authorized.

The Data may be communicated to third parties who, if required by law, will be able to access the images within the limits established by the regulations themselves (e.g. Police Forces and competent authorities in the case of crimes), as well as to legal professionals and insurance companies for the protection of the rights of ATM and third parties. The Data will not be disseminated or, except as indicated above, of communication to other third parties.

The Data will be processed and stored on the servers located at the company headquarters and it is not intended to be processed outside the European Economic Area.

For the processing in question, the Company has carried out a privacy impact assessment pursuant to art. 35 of the GDPR.

With regard to the processing described above and in the terms set out in the GDPR, the interested party can exercise, free of charge and without formalities, the rights referred to in articles 15 et seq. of the GDPR, including the right to request access to the Data, cancellation, limitation of processing or, where the conditions exist, the right to object to the same.

Requests should be addressed to ATM, with headquarters in Piazzale Luigi Sturzo, 15 — 00144 Rome; e-mail: privacy@bancomat.it.

In response, the representative of Data Protection Officer (DPO), designated pursuant to articles 37 et seq. of the GDPR, which can be contacted at privacy@bancomat.it.

If you believe that the data processing is in violation of the GDPR, you can lodge a complaint with Guarantor for the Protection of Personal Data (www.garanteprivacy.it), or go to the appropriate courts (art. 79 GDPR).

This information is posted at the Company's headquarters, published on the corporate website and kept in company repositories accessible to employees. It may be supplemented in the event of regulatory changes or provisions of the Guarantor.

‍