The following information is provided in accordance with: • Article 13 of the Privacy Code, Legislative Decree no. 196 of June 30, 2003, • Article 13 of the General EU Regulation no. 679/2016 on the processing of personal data (GDPR), • Recommendation no. 2/2001, which the European authorities for the protection of personal data, gathered in the Group established by Article 29 of Directive no. 95/46/EC, adopted on May 17, 2001, to identify some minimum requirements for collecting personal data online, particularly the methods, timing, and nature of the information that data controllers must provide to users when they connect to web pages, regardless of the purposes of the connection. This information is valid for the website www.sudpesca.com (hereafter referred to as the "site") and not for any other websites that the user may access through links present on the site. This page describes how the site manages the personal data of users who consult, browse, or use it, according to the possibilities allowed and the services offered by the site itself. The processing is always based on principles of lawfulness and fairness, in compliance with all applicable regulations, and suitable security measures are adopted to protect the data. 1. DATA CONTROLLER, PROCESSORS, AND DATA PROCESSORS Following the consultation, browsing, or use of this site, data relating to identified or identifiable individuals or legal entities may be processed. The data controller is: SUD PESCA S.A.S. VIALE SPAGNA 12 – 847091 BATTIPAGLIA (SA) ITALY – PHONE: (+39) 08280 303196 contatti@sudpesca.com – sudpesca@pec.it Data processors are other parties or categories of subjects who, within the purposes outlined in this information, may become aware of the data or to whom the data may be communicated. They are involved in the organization of the site and the management of its activities and are appointed by the data controller or data processor, including external entities who may also be designated, if necessary, as Data Processors by the Data Controller. The data may also be communicated to Public Authorities, Law Enforcement Agencies, or other Public and Private entities, but only when necessary to comply with legal obligations, regulations, or community legislation. Users are invited to avoid providing sensitive data (i.e., data revealing racial or ethnic origin, religious, philosophical, or other beliefs, political opinions, membership in parties, trade unions, associations or organizations of a religious, philosophical, political, or trade union nature, as well as personal data revealing health and sex life) and unnecessary judicial information, as this could lead to the destruction of the message. 2. LOCATION AND METHODS OF DATA PROCESSING The processing related to the web service of this site takes place at the aforementioned address and is carried out by the Data Controller, Data Processors, and authorized personnel appointed by them, at their respective locations. If necessary for the maintenance of the site, an additional location for data processing, including the service provider's hosting location, may be chosen. The data will be treated confidentially, using automated tools, and will not be disclosed to unauthorized third parties. Furthermore, they will not be communicated, disseminated, or transferred abroad or to third countries (outside the EU). 3. PURPOSES AND LEGAL BASIS OF PROCESSING, RETENTION PERIOD OF PERSONAL DATA COLLECTED FROM THE DATA SUBJECT The collection of personal data from the data subject occurs explicitly, meaning that the data subject, after reading this information, must accept it by voluntarily checking the checkbox confirming the reading and acceptance before providing their personal data and consenting to its processing. Failure to check the checkbox may result in the impossibility for the Data Controller to receive and process the data, with the potential consequence of being unable to provide the services requested by the data subject during navigation, registration, or any other action on the site that may require the processing of personal data, which remain identifying data necessary for the proper functioning of the site and to avail of the services provided by the platform, as identified and listed below. The personal data, unless expressly specified, will be processed by the Data Controller, Data Processor, and duly authorized Data Processors if not otherwise specified. These data may be necessary for the data subject to avail of certain functionalities and services offered by the site for the following purposes: • Registration on the website and the use of addresses and/or company/business data. Purpose and legal basis of processing: The data subject is required to provide identifying data necessary for the creation of an account to use the option to purchase from the site, namely name, surname, complete address, email address, telephone number, and, if the customer is a company, the company name and VAT number. The submission of the request is subject to the specific, free, and informed consent (reference to Art. 6 GDPR) documented through a specific checkbox to be checked (reference to Art. 7 GDPR). After registration, the data subject may receive emails containing information about activities voluntarily completed by them (e.g., after purchasing a product, the status of an order, such as "in progress," "shipped," etc., may be notified). Retention period of data: The data is kept until a possible request for deletion from the data subject, except for specific legal and tax retention obligations. The password related to the account follows the same retention period but is encrypted. Scope of communication: The data is processed by the Data Controller, Data Processor, and duly authorized Data Processors. The name, surname, addresses, email address, and telephone number may be communicated to postal and/or courier services for the delivery of the data subject's purchase orders. These services may also send communications to the data subject regarding the status of the delivery. Provision: The provision of data related to mandatory fields is necessary to avail of the services offered by the site. - Sending messages via contact form Purpose and legal basis of processing: The collection of identifying and contact data is required to respond promptly to requests submitted by the data subject, such as email address and, if applicable, order reference. The submission of the request is subject to specific, free, and informed consent (GDPR-Art.6, paragraph 1, letter a) documented through a specific checkbox (GDPR-Art.7, paragraph 1). Retention period of data: The data is kept for a time compatible with the purpose of the collection and is not saved in databases but used solely to provide a response to the data subject's request. Provision: Providing data in the mandatory fields is necessary to obtain a response, while optional fields are intended to provide useful information to interpret the request. • Data provided voluntarily by the user: The optional, explicit, and voluntary sending of emails and/or regular mail to the addresses indicated on this site results in the subsequent acquisition of the sender's address, which is necessary to respond to the requests, as well as any other personal data included in the message. If the sender submits their curriculum vitae to apply for a professional position, they are solely responsible for the relevance and accuracy of the data sent. It is noted that any curriculum vitae submitted without authorization for data processing will be immediately deleted. 4. PURPOSES AND LEGAL BASIS OF PROCESSING, RETENTION PERIOD OF PERSONAL DATA NOT OBTAINED FROM THE DATA SUBJECT Personal identifying data will be processed exclusively by the Data Controller, Data Processor, and duly authorized Data Processors, if not otherwise specified. These data may be necessary for the data subject to avail of certain functionalities and services offered by the site, for the following purposes: • Access logs Purpose and legal basis of processing: Access logs are used to track entries on the site for control and security purposes. IP addresses and access times are saved. These data are not directly related to an identified or identifiable person, due to the widespread use of dynamic IP addresses. Retention period of data: The logs are kept for 10 years or until deletion upon request or necessity, which may occur before the established timeframe. Scope of communication: The data is processed by the Data Controller, Data Processor, and duly authorized Data Processors. Only in the case of an investigation, they may be made available to competent authorities. Provision: The data is not provided by the data subject but is automatically acquired by the technological systems of the site. • Abandoned Carts Purpose and legal basis of processing: Abandoned carts are used for monitoring the proper functioning of the site (to understand why a user adds products to the cart but does not complete the purchase). Retention period of data: The data is kept until the data subject's eventual request for deletion. Provision: The data is not provided by the data subject but is automatically acquired by the technological systems of the site. NOTE: In case abandoned carts are used for remarketing purposes, the data subject will be informed and must grant consent to receive notifications regarding abandoned carts. The data subject can unsubscribe at any time through a specific link or request deletion from the receipt of such remarketing notifications. • Navigation data The computer systems and software procedures used to operate this website acquire some personal data during their normal operation, the transmission of which is implicit in the use of Internet communication protocols. These are pieces of information that are not collected to be associated with identified data subjects but, by their very nature, could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of computers used by users who connect to the site, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters related to the user's operating system and computer environment. The following information is automatically collected when visiting the site: 1. User's hostname: The hostname or Internet Protocol address of the user requesting access to the site. 2. HTTP header and "user agent" string: This includes the type and version of the browser used and the operating system with which the browser functions. 3. System date: The date and time of the user's visit. 4. Full request: The exact request made by the user. 5. Content length: The size, in bytes, of each document sent to the user. 6. Method: The method of request used. 7. Universal Resource Identifier (URI): The location of resources on the server. 8. URI request string: Everything found after the question mark in the URI. 9. Type of device used to browse the site. 10. Protocol: The transmission protocol and version used. Purpose and legal basis of processing: This data is used solely for the purpose of obtaining anonymous statistical information about the use of the site and to monitor its proper functioning. The data may also be used to ascertain responsibility in the event of hypothetical computer crimes against the site (legitimate interests of the Data Controller). Retention period of data: The data is typically kept for short periods, i.e., from a single session up to 2 years from the visit to the page, with possible extensions related to investigative activities. Scope of communication: The data is processed by the Data Controller, Data Processor, and duly authorized Data Processors. Only in the case of an investigation, they may be made available to competent authorities. Provision: The data is not provided by the data subject but is automatically acquired by the technological systems of the site. 5. PRIVACY REGARDING COOKIES Cookies are small text strings that websites visited by the user send to their terminal (usually the browser), where they are stored to be retransmitted to the same sites on the next visit by the same user. For more detailed information, please refer to the dedicated page on this site regarding the extended Cookie Policy, accessible through a link located at the bottom of all pages of the site. Cookies that do not identify the user: For these technical nature cookies, consent is not required, but only a dedicated notification, as they do not identify the user and are necessary for the proper functioning of the website. • First-party navigation or session cookies: These cookies ensure the normal navigation and use of the website (e.g., allowing a purchase or authentication to access restricted areas). Our site uses non-persistent technical cookies solely to improve your browsing experience and enable faster access on subsequent visits. • Functionality cookies: These cookies allow users to navigate based on selected criteria (e.g., language, products selected for purchase) to improve the service provided to them. • Analytical cookies: These are similar to technical cookies when used directly by the site manager to collect aggregated information about the number of users and how they visit the site. Cookies that may identify the user: For these cookies, user consent is required, and the user can choose to disable them using the "Disable Cookies" button present in the short cookie notification or through the configuration of their browser (see the extended Cookie Policy on this site). These are mostly third-party cookies, created, installed, and readable by a site different from the one the user is visiting, and their data is stored by the third party, subject to the third party's cookies and data processing policy. The duration of these cookies ranges from a single session to two years from the page visit. Users can check which third-party cookies are used and, if necessary, disable them by visiting the link related to the extended Cookie Policy. It should be noted that disabling or blocking some or all cookies may affect the complete usability of the site or, more generally, its browsing experience. 6. DATA SECURITY MEASURES Specific security measures are observed to prevent data loss (through the use of backups), unlawful or incorrect uses, and unauthorized access (through the use of passwords). The website is also equipped with an Https/SSL security certificate. The physical server, on which personal data is stored, is located in Milan (Italy) and is protected by a double UPS system, a continuous power supply engine for prolonged blackouts, temperature and humidity monitoring, a distributed extinguishing system, 24/7 surveillance, registered and controlled accesses. Where the data subject has been provided or has chosen a password to access certain parts of our website, the data subject is directly responsible for keeping this password confidential and agrees not to share it with anyone. 7. NOTIFICATION OF PERSONAL DATA BREACHES (Reference to Articles 33 and 34 GDPR) According to Article 33 of the GDPR, the Data Controller or Data Processor shall notify the competent supervisory authority of any personal data breaches of which they become aware, and where such breach is likely to result in a risk to the rights and freedoms of individuals, within 72 hours and without undue delay. According to Article 34 of the GDPR, in the event that a data security breach presents a high risk to the rights and freedoms of individuals, the Data Controller shall notify the data subject of the breach without undue delay, except in cases covered by Article 34(3) of the GDPR. 8) RIGHTS OF DATA SUBJECTS Right to withdraw consent (Reference to Article 7 GDPR): The data subject has the right to withdraw any previously given consent. The withdrawal of consent shall not affect the lawfulness of the processing based on consent before its withdrawal. If a request for withdrawal is made, the data subject's data will be deleted, except in cases where processing is still necessary (e.g., for a different legal basis or tax obligations). Right of access to data (Reference to Article 15 GDPR): The data subject can independently view their personal data from the dedicated panel, if registered. Furthermore, the data subject has the right to obtain from the data controller confirmation of whether or not personal data concerning them is being processed and, if so, to access their data. If personal data is transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards regarding the transfer. Right to rectification (Reference to Article 16 GDPR): The data subject can modify their personal data from the dedicated panel, if registered. Additionally, the data subject has the right to obtain from the data controller the correction of inaccurate personal data without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement. Right to erasure or right to be forgotten (Reference to Article 17 GDPR): The data subject has the right to obtain from the data controller the erasure of their personal data without undue delay. The data controller will delete such personal data upon request without undue delay. If the data controller has made the personal data public, they shall take reasonable steps, taking into account available technology and the cost of implementation, to inform other data controllers processing the data that the data subject has requested the erasure of any links to, copies, or replication of their personal data. It is highlighted that the right to erasure may not apply in cases where processing is necessary for: • Exercising the right of freedom of expression and information, • Compliance with a legal obligation, • Reasons of public interest in the area of public health, • Archiving purposes in the public interest, scientific research, historical research, or statistical purposes, • The establishment, exercise, or defense of legal claims. • Right to restriction of processing (Reference to Article 18 GDPR): With the right to restriction of processing, the data subject can request the limitation of the use of their data, excluding their deletion. This restriction can be exercised not only in cases of unlawfulness of the processing, but also if the data subject contests the accuracy of their data (while waiting for the data to be rectified) or if they object to the processing of their data (while waiting for the data controller's evaluation of the objection). • Obligation to notify (Reference to Article 19 GDPR): The data controller will communicate to each recipient to whom the personal data have been disclosed any rectification, erasure, or restriction of processing requested by the data subject, unless this proves impossible or involves a disproportionate effort. The data controller, if requested by the data subject, will inform the data subject about the recipients to whom their personal data has been transmitted and to whom their requests to exercise their rights have been transmitted. • Right to data portability (Reference to Article 20 GDPR): The data subject has the right to receive the personal data concerning them and which they have provided to the data controller, in a structured, commonly used, and machine-readable format, without hindrance, provided that this does not adversely affect the rights and freedoms of others and if the data is processed by automated means (excluding paper archives). Data portability does not entail the erasure of the data. • Right to object (Reference to Article 21 GDPR): The data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of their personal data, including profiling. In such cases, the data controller will refrain from further processing the personal data of the data subject who has exercised the right to object, unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. • Means of Complaint and Appeal to Competent Administrative and Judicial Authorities: If the data subject believes that the processing of their data has not complied with the provisions prescribed by Legislative Decree no. 196/2003 and EU Regulation no. 679/2016 or if they believe that their rights under the aforementioned laws have been violated, they may lodge a complaint with the Supervisory Authority and/or file an appeal before the competent judicial authorities, pursuant to Articles 77, 78, and 79 (GDPR), as well as the right to obtain compensation for any damages under Article 82 (GDPR). • Exercise of Rights: The data subject who wishes to exercise their right of access to data and the right of rectification can freely and at any time access their user area to view and rectify the data they have provided and that are processed by the website. The data subject can also exercise these and all other rights by communicating it to the Data Controller SUD PESCA S.A.S. • Response Time: The deadline for the response to the data subject, for all rights (including the right of access), is 1 month, which can be extended up to 3 months in cases of particular complexity (pursuant to Article 12 GDPR). The Data Controller or Data Processor will provide a response to the data subject within 1 month of the request, even in case of refusal. • Cost of Exercise of Rights: The exercise of rights is generally free of charge for the data subject, but there may be exceptions. The Data Controller may evaluate the complexity of the response to the data subject and determine the amount of any contribution to be requested from the data subject, but only if the requests are manifestly unfounded or excessive, particularly due to their repetitive nature; if multiple "copies" of personal data are requested in the case of the right of access, the Data Controller may take into account the administrative costs incurred. The Data Controller has the right to request necessary information to identify the data subject, and the data subject has the duty to provide it in an appropriate manner. The response to the data subject, unless otherwise indicated by the data subject, will generally be provided in writing, in a commonly used electronic format. The response can be given orally if requested by the data subject. 10) MINORS: The consent of minors is valid from the age of 16; before that age, the consent of parents or legal guardians is required. Updating of the Privacy Policy: It is noted that this information may be subject to periodic review, also in relation to applicable regulations and jurisprudence. Therefore, the data subject is invited to consult this policy periodically. This page is visible through a link at the bottom of all pages of the website, in accordance with Article 122, second paragraph, of Legislative Decree no. 196/2003 and following the simplified procedures for information and obtaining consent for the use of cookies, published in the Official Gazette no. 126 of June 3, 2014, and related register of measures no. 229 of May 8, 2014. Last Update: May 2018.