USER PRIVACY NOTICE PURSUANT TO ART. 13 OF ARTICLE 13 AND 14 OF THE EU REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016 N. 679 (THE “GDPR”)

DeA Capital Real Estate SGR S.P.A., with registered office in Rome, Via Saverio Mercadante n. 18, telephone number (+39) 06.681631, fax (+39) 06.68192090, e-mail privacy-RE@deacapital.com, as the Data Controller (hereinafter, the "Company” or the “Controller”), provides this notice about the processing of the personal data collected by the users who browse the website, accessible online at the following address https://www.palazzobuonaparte.it (the “Website”) and/or who make a request to the Controller to the agent/outsourcer about the lease or purchase of properties of the Italian alternative real estate investment fund reserved in closed form, named Palazzo Buonaparte managed by the Company (hereinafter, the “Fund”).

The personal data of the Website user (hereinafter, the “User”) are collected directly from the site, or acquired from independent third-party controllers and/or processors appointed for that purpose and are processed in compliance with the provisions of the GDPR, with applicable regulations, and with the present notice according to principles of correctness, lawfulness, transparency and the protection of confidentiality.

 

  1. WHAT TYPES OF PERSONAL DATA ARE PROCESSED BY THE COMPANY?
    1. Browsing data, technical and analytics cookies

The procedures and IT systems set up for the Website acquire, during their normal operation, some personal data the transmission of which is implicit in the use of internet communication protocols, to allow the User to browse the Website or provide a service requested by said User.

 

The Company uses:

  1. technical cookies, without which the viewing of the Website or some operations could not be performed or would be more complex and/or less secure;
  2. analytics cookies, to collect browsing data in aggregate and anonymous form for solely statistical purposes.

 

For detailed information about cookies and about the third parties who become aware of the data collected through the use of cookies, see the cookie policy notice available at the following link. For User data collected by third parties through the use of technical and analytics cookies, see the relevant privacy and cookie notices available as indicated in the cookie notice.

 

    1. Data processed following a request for contact or for information made by the User

The User can, through the Website, request to be contacted by the Company in order to receive information about the lease and/or purchase of the of the properties of the Fund promoted through the Website. In this case, the personal data voluntarily provided by the User (including by filling out the specific form on the Website) and transmitted to the Controller concern: name and surname, telephone number, and e-mail address.  

The personal data indicated in sections 1.1 to 1.2 above are collectively defined as "Personal Data.

 

  1. FOR WHAT PURPOSES ARE PERSONAL DATA PROCESSED? WHAT IS THE LEGAL BASIS FOR THE PROCESSING?

Personal data are processed for the following purposes.

  1. Browsing data (section 1.1): to carry out the activities necessary to (i) to ensure that the services offered are working properly and to allow the User to view the Website safely and efficiently; (ii) collect information of a statistical nature in aggregate form to evaluate the effectiveness of the web services; for these purposes, the consent of the User is not required;
  2. Personal Data (section 1.2): to meet specific User requests regarding the lease and/or purchase of properties owned by the Fund, promoted by the Website; the legal basis for the processing is the implementation of pre-contractual and contractual measures adopted at the request of the interested party (Article 6, letter (b) of the GDPR);
  3. all categories of Personal Data (section 1): (i) fulfilment of obligations mandated by applicable law; (ii) the ascertainment of any crimes by the judicial authority; the legal basis for the processing is the fulfillment of a legal obligation to which the Controller is subject (Article 6, letter c) of the GDPR);
  4. all categories of Personal Data (section 1): (i) the exercise, where necessary, of the Controller’s rights, for example the right to defense in court; the legal basis for the processing is the pursuit of the Controller’s legitimate interest to protect their rights or their right to defense (Article 6, letter (f) of the GDPR).

 

  1. WHO HAS ACCESS TO THE PERSONAL DATA? RECIPIENTS OF THE DATA

In carrying out its activity and for the purposes set out in section 2 above, the User's Personal Data may be disclosed to:

  • third parties who are involved with the management and administration of the properties promoted through the Website (for example, agents, property managers, facility managers, etc.);
  • judicial and/or supervisory authorities, supervisory authorities, if they so request;
  • providers of cloud or IT services for the Company;
  • companies which are part of the Controller’s group;
  • [●] (e.g. website managers; providers of development services, etc.);

The personal data are processed by:

  • the Controller’s employees and/or collaborators, who operate on the basis of the instructions provided by the Controller. The system administrator may also have access to the Personal Data during the performance of their duties. The name of the aforementioned subjects may be requested from the Controller, by contacting: privacy-RE@deacapital.com;
  • the processors appointed for this purpose by the Controller. The list of processors appointed by the Company can be requested at the following e-mail address: privacy-RE@deacapital.com.

 

  1. WHERE DOES THE DATA PROCESSING TAKE PLACE? ARE PERSONAL DATA TRANSMITTED ABROAD?

The processing of Personal Data is carried out by the Controller mainly in Italy on the Controller’s servers and/or on those of the appointed third-party companies. With regards to the purposes set out in section 2 above, Personal Data may be transferred to third parties in Europe [and outside the EU. The list of the latter countries is available from the Controller and can be requested in the manner indicated in section 9 below

 

  1. HOW LONG WILL THE DATA BE STORED?

Personal data will be stored according to the following criteria:

  1. for the purposes referred to in letter a) of section 2 above, for a period of time not exceeding 365 days from the viewing of the Website by the User, unless a different period of time is required for regulatory compliance;
  2. for the purposes referred to in letter b) of section 2 above, for a period of time not exceeding 365 days from the last request for information sent by the User to the Company regarding the properties promoted through the Website, unless a different period of time is required for regulatory compliance;
  3. for the purposes referred to in letter c) of section 2 above, for a period of time not exceeding that required for the fulfillment of a regulatory obligation and/or the ascertainment of an alleged crime;
  4. for the purposes of legitimate interests as per letter d) of section 2 above, for the period of time necessary for the pursuit of the Controller’s legitimate interests to protect their rights or their right to defense by the collection of Personal Data.

 

  1. HOW WILL THE DATA PROCESSING BE CARRIED OUT?

The processing of personal data will be carried out using electronic and/or telecommunications tools, with a logic strictly related to the purposes referred to in section 2 above, and in any case in such a way as to guarantee the security and confidentiality of said data.

 

  1. WHAT RIGHTS DOES THE USER HAVE WITH REGARDS TO THEIR PERSONAL DATA?

With regards to their Personal Data, the User may, at any time, exercise the rights provided for in Articles 15 to 22 of the GDPR, in the manner and terms established therein.

In particular, the User has the right to:

  1. ask the Controller for access to, correction of, and erasure of browsing data (“right to be forgotten”) which pertain to said User or the limitation of the processing of such data;
  2. oppose the processing of browsing data;
  3. obtain the portability of the browsing data;
  4. withdraw the consent requested by the Controller and potentially given by the user, at any time, and without compromising the lawfulness of the processing based on the consent given before its withdrawal.

 

  1. LODGING COMPLAINTS

In regards to any type of data processed by the Controller, the User has the right — if they believe that the processing of their browsing data has occurred or is occurring in violation of the GDPR and of the applicable regulations at the time, and with no prejudice to their right to file an appeal to any other court — to lodge a complaint with the Supervisory Authority for personal data protection, in the manner indicated on the site www.garanteprivacy.it.

 

  1. HOW TO EXERCISE THE RIGHTS. HOW TO CONTACT THE CONTROLLER

The user can exercise their rights at any time, as per section 7 above, by sending a communication to the following address: privacy-RE@deacapital.com or to the Company’s registered office, Via Mercadante n. 18 – 00198, Rome.

 

  1. THE NATURE OF THE PROVISION

With regards to the purposes set out in section 2 above:

  1. in letter a), the provision of Personal Data is necessary in order to allow the User to view the Website effectively;
  2. in letter b), the provision of Personal Data is optional; the absence of data prevents the User from receiving information on properties for lease and/or sale;
  3. in letter c), the provision of Personal Data is mandatory for the fulfillment of legal obligations by the Controller;
  4. in letter d), the provision of Personal Data is mandatory and the User may oppose it in the manner referred to in section 9 above, without prejudice to the right of the Company to assert any overriding interest or to defend their rights in legal proceedings.

                                                                                                                                                              

The Data Controller

DeA Capital Real Estate SGR S.P.A.