INFORMATION ON THE PROCESSING OF PERSONAL DATA
PURSUANT TO ART. 13 AND 14 OF REGULATION (EU) 2016/679 (“GDPR”)
This policy describes the processing of personal data in relation to the Sistema platform (hereinafter referred to as the "Sistema").
Registering with Sistema creates a user account that also allows you to access the La Marzocco App. The information on the processing of personal data carried out through the La Marzocco App can be consulted at the following link: https://lion.lamarzocco.io/api/customer-app/policies/AU/privacy
Data Controller
La Marzocco S.r.l.
Registered office: Via Luigi Salvatore Cherubini n. 14, Firenze.
Operational headquarters: Via La Torre n. 14/H, Scarperia (FI).
VAT No. 04040140487.
E-mail: privacy@lamarzocco.com
With regard exclusively to optional processing activities relating to marketing and profiling, the companies listed below (Companies of the La Marzocco Group and some premium resellers) act as joint controllers pursuant to Article 26 of the GDPR, having jointly determined the purposes and essential means of the processing:
DATA PROTECTION OFFICER (DPO)
La Marzocco S.r.l. has appointed its own Data Protection Officer (DPO), who can be contacted at the following e-mail address: dpo@lamarzocco.com
The Joint Controllers can be contacted through the following contact details for any request relating to the processing of personal data: privacy@lamarzocco.com
Categories of Personal Data Processed
The personal data that may be collected and processed by the Data Controller in the context of the registration and use of Sistema consist of common personal data relating to the Data Subjects, including, by way of example:
User registration data: first name, surname, e-mail address, country of residence and password. The telephone number and date of birth may optionally be provided.
Company registration data: company name, Tax ID, country, billing address, and information relating to the physical location where the La Marzocco machine is installed.
Support request management data: first name, surname, e-mail address, company information, and details related to the request.
Source of the data
The personal data are collected directly from the Data Subjects during the registration process for Sistema and, subsequently, in connection with the subscription to a service plan, as well as in the context of processing support and technical assistance requests.
Why are your personal data processed and what is the legal basis that makes the processing lawful:
For carrying out registration to Sistema: The legal basis for the processing is Article 6(1)(b) of the GDPR, as the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. The personal data are retained for the fulfilment of pre-contractual measures until the deletion of the user account.
For entering and managing a subscription agreement with the Data Subject: The legal basis for the processing is Article 6(1)(b) of the GDPR as the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. The personal data are retained for purposes related to the performance of the contract, for the entire duration of the contractual relationship and until its termination, whether due to cancellation, expiry or non-renewal of the subscription.
For providing support and technical assistance services related to Sistema’s functionalities: The legal basis for the processing is Article 6(1)(b) of the GDPR, as the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. The personal data are retained for the time necessary to manage and fulfil the support request and thereafter, until receipt of any request from the Data Subject to delete them.
For asserting, exercising, or defending a right in judicial proceedings: The lawful basis for processing is Article 6(1)(f) of the GDPR, as the processing is necessary for the purposes of the legitimate interest pursued by the Data Controller in defending its rights in judicial proceedings. The personal data shall be retained for a period of 10 years from the termination of the contractual relationship or from the resolution of any related dispute.
For compliance with legal obligations: The lawful basis for processing is Article 6(1)(c) of the GDPR, as the processing is necessary to comply with a legal obligation to which the Data Controller is subject. The personal data shall be retained for the period prescribed by applicable law.
For sending, via e-mail, informational and commercial communications regarding news, events, products, and promotional offers that may be relevant and of possible interest to the Data Subject: The lawful basis for processing is Article 6(1)(a) of the GDPR, as the processing is based on the data subject’s consent to the processing of their personal data. The processing of the personal data is valid until the data subject withdraws their consent. The personal data are retained for a period of 13 months from the user’s last activity.
For analysing the Data Subject’s interests, habits, and consumption choices, as well as their preferences and purchasing behaviours concerning the products and services offered by the Joint Controllers, in order to personalise the informational and promotional communications sent to the Data Subject: The lawful basis for processing is Article 6(1)(a) of the GDPR, as the processing is based on the data subject’s consent to the processing of their personal data. The processing of the personal data is valid until the data subject withdraws their consent. The personal data are retained for a period of 13 months from the user’s last activity.
Once the retention periods indicated above have expired, the personal data will be destroyed, deleted, or anonymised, in accordance with the technical procedures for deletion and backup.
Nature of the Data Provision
The provision of personal data is optional but necessary in order to access Sistema and use the service offered. Any refusal to provide the aforementioned personal data would therefore make it impossible to use Sistema and benefit from the service provided. The provision of personal data for marketing and profiling purposes is optional, and any refusal does not in any way affect the use of the service.
Persons authorised to process Personal Data
Your personal data may be processed by the personnel and representatives of the Companies assigned to pursue the purposes indicated above. Such persons have been expressly authorised by the Data Controller to process personal data, have received appropriate operational instructions and are subject to confidentiality obligations.
Recipients of the Data
Your personal data may be disclosed to:
companies within the La Marzocco Group and premium resellers acting as joint controllers for marketing and profiling purposes, or as independent controllers to provide local assistance services;
entities, bodies, or public authorities to whom the personal data must be disclosed in compliance with a legal obligation or order.
Your personal data may also be processed, on behalf of the Company, by parties external to the Data Controller’s organization, appointed as Data Processors pursuant to Article 28 of the GDPR, who are given appropriate operational instructions, including:
providers of cloud computing services and technological infrastructure;
providers of platforms for managing support requests and customer relationship management (CRM);
specialised technicians responsible for assistance and handling support requests;
providers of services for entering information about the physical location where the La Marzocco machine is installed;
providers of platforms for managing and sending marketing communications.
Transfer of Personal Data to Countries outside the European economic area
Certain personal data may be transferred to recipients located outside the European Economic Area. The Data Controller ensures that any such transfer complies with the GDPR. In particular, transfers may be based on an adequacy decision of the European Commission, the Standard Contractual Clauses approved by the European Commission, or another appropriate legal basis. Upon request, the Data Controller will provide the data subject with the list of recipients located outside the European Economic Area.
Rights of the Data Subject
The Data Controller has designated the following contact point, privacy@lamarzocco.com, to which Data Subjects may address requests at any time in order to exercise the following rights:
the right to access the personal data concerning them (Article 15 GDPR);
the right to obtain rectification or completion of inaccurate or incomplete data (Article 16 GDPR);
the right to erasure of personal data (Article 17 GDPR);
the right to restriction of processing (Article 18 GDPR);
the right to object to the processing where it is based on the Data Controller’s legitimate interest (Article 21 GDPR);
the right to receive their personal data in a structured, commonly used and machine-readable format and, where technically feasible, to transmit those data to another controller without hindrance (“right to data portability”, Article 20 GDPR);
the right to withdraw consent given for marketing and/or profiling purposes at any time, without affecting the lawfulness of the processing based on consent before its withdrawal.
Data Subjects also have the right to lodge a complaint with the competent supervisory authority pursuant to Article 77 of the GDPR if they believe that the processing of their personal data infringes the applicable data protection legislation.