( ATTACHMENT AB.04 REV. 7.0 OF 04/13/2026 )

CARTES S.R.L. operates in full compliance with European Regulation No. 679/2016 (hereinafter referred to as the GDPR) and, in accordance with the provisions contained therein, this notice provides full details regarding the processing of your personal data and your rights.
Before giving your consent to the processing of your data, we therefore invite you to read this policy carefully.

1. Data Controller and Data Processor
The Data Controller (i.e. the person responsible for decisions regarding the purposes and methods of processing personal data, security and the tools used) is CARTES S.R.L., with registered office at VIA MICHELANGELO, 2 – 46024 – MOGLIA (MN), VAT number 02234310361, in the person of its legal representative Mr LODI MARIO, domiciled for this purpose at the Company’s registered office.

2. Purposes of processing and legal bases
The data subject’s personal data (i.e. the data provided to the company, including via registration on the website) are provided to CARTES S.R.L. and processed by the latter, including through disclosure to third parties where necessary and instrumental, for the following purposes:
a) for purposes strictly connected with and necessary for the fulfilment of obligations arising from relationships, including contractual ones, established with CARTES S.R.L., to enable and manage your registration on the website, to use the services offered, and for administrative and accounting purposes and to fulfil obligations under current legislation pursuant to Article 6(b) of the GDPR
b) to fulfil obligations of any nature provided for by laws, regulations, EU legislation or otherwise connected to obligations arising from orders issued by judicial authorities, administrative officials or police bodies, authorised to do so by law, or by supervisory and control bodies pursuant to Article 6(c) of the GDPR;
c) for purposes related to the assertion or defence of a legal claim by CARTES S.R.L. pursuant to Article 6(c) of the GDPR.
Consent for the purposes referred to in points (a), (b) and (c) above is mandatory; refusal may result in CARTES S.R.L. being unable to provide the services and/or fulfil the obligations arising from the established relationships. The legal basis for this processing is the data subject’s consent, expressed by ticking the box during registration or by sending an email to info@cartes.it stating: ‘I give my consent’. Furthermore, the processing serves the legitimate interests of the Data Controller, such as: the performance of the contract, invoicing, and debt collection.
Consent to the processing of personal data for the following different purposes, which are functional to the activities of CARTES S.R.L. pursuant to Article 6(a) of the GDPR, is, however, to be considered purely optional, and therefore any refusal does not prevent the provision of services by CARTES S.R.L.
The processing of such data requires the consent of the data subjects:
d) for marketing and/or promotional purposes, whether automated (SMS, MMS, email, fax) or traditional (post, telephone contact);
e) for disclosure to third-party companies, with consequent processing by them, which may use such data for marketing and/or promotional purposes;
f) for profiling and/or analysis activities related to market research and/or statistical surveys.
The legal basis for such processing is the data subject’s consent, expressed by ticking the relevant box during registration

3. Special categories of data
Special categories of data, within the meaning and for the purposes of Article 9 of the GDPR, are all data “…capable of revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of political parties, trade unions, associations or organisations of a religious, philosophical, political or trade union nature, as well as genetic data, biometric data intended to uniquely identify a natural person, data concerning the health or sex life or sexual orientation of the data subject”.
Such data is never collected by CARTES S.R.L., but should this occur, the company will process it exclusively following the specific and explicit consent of the Data Subject, given in writing, in accordance with and for the purposes of Article 9(2)(a) of the GDPR.

4. Methods of processing
The personal data of data subjects collected for purposes directly related to the provision of the services supplied will be processed by employees and collaborators, both internal and external, of CARTES S.R.L., who have been formally appointed for this purpose in accordance with Article 4 of the GDPR as persons formally authorised to carry out the processing of personal data.
The processing of such data may take place using manual, IT and/or telematic systems, including automated ones, in compliance with the rules and principles of lawfulness and fairness, using the methods best suited to ensuring security and confidentiality; such data will be disclosed to third parties only where strictly necessary.

5. Disclosure to third parties
CARTES S.R.L., in accordance with all the provisions set out in the preceding points, discloses the data of data subjects to:
– designers, to enable them to fulfil the obligations they have undertaken towards data subjects/supporters;
– external consultancy service providers, such as, by way of example only, legal, fiscal, tax and similar services, and/or IT service providers whose support CARTES S.R.L. may utilise in the course of its business;
– third parties for the purposes of measuring satisfaction with the quality of services provided, and/or conducting market research and customer profiling.
Your personal data will be processed within Italy and will not be transferred abroad. Should this occur, the transfer will take place in such a way as to provide appropriate and adequate safeguards in accordance with Articles 46, 47 or 49 of Regulation 679/2016.

6. Retention period for personal data and criteria used
The personal data you provide and that which we collect will be retained for 10 years from the date of the last use, unless such data is necessary to comply with legal obligations or obligations arising from the exercise of rights in court proceedings, or at the request of the authorities.
Any data processed, with your specific consent, for marketing and/or profiling purposes, will be processed for a maximum period of 24 months.

7. Rights of the data subject
European Regulation 679/2016 grants you the rights listed below, which you may exercise vis-à-vis the Data Controller. Below you will find a complete extract of the relevant articles of the Regulation.
Requests regarding your rights and/or any information or clarification you may require may be submitted in writing to the Data Controller/Data Processor, by post to the address CARTES S.R.L. – VIA MICHELANGELO, 2 – 46024 – MOGLIA (MN), or by email to info@cartes.it

7.1. RIGHT OF ACCESS
Article 15 of the General Data Protection Regulation entitles you to obtain confirmation from the data controller as to whether or not personal data concerning you is being processed and, if so, to obtain access to such data.

7.2. RIGHT TO RECTIFICATION
Article 16 of the European Regulation entitles you to obtain from the data controller the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

7.3. RIGHT TO ERASURE
Article 17 of the European Regulation entitles you to obtain from the data controller the erasure of personal data concerning you without undue delay if one of the grounds provided for by the Regulation applies.

7.4. RIGHT TO RESTRICTION
Article 18 of the European Regulation entitles you to obtain from the data controller the restriction of processing where one of the grounds provided for by the Regulation applies.

7.5 RIGHT TO DATA PORTABILITY
Article 20 of the European Regulation entitles you to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another data controller without hindrance from the data controller to whom you have provided them.
Furthermore, it entitles you to have your personal data transmitted directly from one data controller to another, where technically feasible

7.6 RIGHT TO OBJECT
Article 21 of the European Regulation entitles you to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you pursuant to Article 6(1)(e) or (f), including profiling based on those provisions.

7.7 RIGHT TO WITHDRAW CONSENT
Article 7 of the European Regulation allows you to withdraw the consent you have given at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to withdrawal.

7.8. RIGHT TO LODGE A COMPLAINT
Article 77 of the European Regulation grants you the right to lodge a complaint with a supervisory authority (Data Protection Authority), in particular in the Member State where you habitually reside, work or where the alleged infringement occurred, if you consider that the processing concerning you infringes the Regulation.

The Data Controller
LODI MARIO
CARTES S.R.L.