Customers' Policy

Information Notice Pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR) for Customers
Dear Data Subject (customer)
With this document, GEDA S.R.L. provides you with information regarding the characteristics and methods of processing your personal data, pursuant to the GDPR and the applicable privacy legislation currently in force.
Any processing of your personal data will be carried out in accordance with the principles of lawfulness, fairness and transparency.

Identity and Contact Details of the Controller.
The Data Controller (hereinafter also the “Controller” or the “Company”) is GEDA S.R.L., represented by the Sole Director, Mr. Stefano Macchion, VAT No. 01018780930, with registered office at Via Maestri del Lavoro 16/18 - 33080 Porcia (PN). The Controller may be contacted at the above address or at the following contact details: Tel. +39 0434 923077, email: info@gedanextage.com, certified email (PEC): geda1@legalmail.it.

Categories of Personal Data Processed. Purposes and Legal Basis of Processing.
The Controller collects and processes personal data that may directly or indirectly identify you, such as identification data, contact details, economic and banking information. The Controller processes such data for the following purposes:
• Establishment and performance of a contract to which the data subject is a party, or performance of pre-contractual measures adopted at the request of the data subject (“contractual purposes”);
• Compliance with obligations arising from laws, regulations, or orders issued by authorised bodies or supervisory authorities (“legal purposes”).
The legal bases legitimising the processing are:
• For pre-contractual and contractual purposes, the necessity to ensure proper management and performance of contractual and pre-contractual obligations (Art. 6(1)(b) GDPR), which does not require your explicit consent;
• For legal purposes, the necessity to comply with obligations established by national and EU legislation (Art. 6(1)(c) GDPR), which does not require your consent.

Methods of Data Processing.
Data will be processed using manual and electronic tools (including company IT devices, internet and intranet networks, management software, corporate email, access control systems, etc.) with procedures ensuring the highest level of security.
Processing will be carried out according to the principles of fairness, lawfulness, transparency, necessity, and confidentiality.
Data will not be subject to automated decision-making.

Data Retention Period.
The retention period begins when the personal data are collected, simultaneously with the start of the service; data will be stored for as long as necessary to fulfil the purposes for which they were collected, or for the time required by applicable national and EU laws and regulations.
In particular:
• Identification data and payment data will be retained for ten years in accordance with applicable legislation and limitation periods (ten years from completion of the service).
• Where rights arising from the contract must be exercised or defended in legal proceedings, the personal data strictly necessary for such purposes will be processed for the time required to pursue them.

Purpose: Management of the contractual relationship
Categories of data: Identification and contact data, contractual data, service-related data
Retention period: For the entire duration of the contractual relationship and until its full completion
Legal basis: Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR)

Purpose: Compliance with legal obligations (administrative, accounting, tax)
Categories of data: Identification and contact data, invoicing data, payment data, and any other data contained in accounting records
Retention period: 10 years from the date of the last accounting entry, as required by Art. 2220 of the Italian Civil Code
Legal basis: Legal obligation (Art. 6(1)(c) GDPR)

Purpose: Protection of rights in legal proceedings
Categories of data: Data strictly necessary to establish, exercise or defend legal claims
Retention period: 10 years from termination of the contractual relationship (ordinary limitation period under Art. 2946 of the Italian Civil Code). In case of litigation, data will be retained until all remedies have been exhausted
Legal basis: Legitimate interest of the Controller (Art. 6(1)(f) GDPR) and necessity of defence in legal proceedings, constituting an exception to the right to erasure (Art. 17(3)(e) GDPR).

Entities Processing Data. Categories of Recipients.
Processing is carried out by authorised personnel and by Data Processors appointed in writing, acting in accordance with the Controller’s instructions and adopting appropriate security measures. The list of Data Processors is available upon request.
Data may also be communicated to:
a) Trade associations to which the Controller adheres;
b) Banks, financial institutions, credit insurance companies and other credit intermediaries providing services necessary for the purposes described above;
c) Software assistance companies, cloud service providers and IT providers;
d) Supervisory bodies or certification entities, where necessary;
f) Companies or professionals for judicial or out-of-court protection of the Controller’s rights.

Transfer of Data Outside the EU.
Data will not be transferred by the Controller to countries outside the European Economic Area (EEA) or to international organisations.
Some data may, however, be shared with recipients located outside the EEA. If such transfer becomes necessary, the Controller ensures compliance with applicable legislation by implementing appropriate safeguards such as adequacy decisions, Standard Contractual Clauses approved by the European Commission, or other lawful instruments.

Nature of Data Provision.
Providing personal data is necessary to comply with contractual and legal obligations. Refusal to provide such data, in whole or in part, may make it impossible for the Controller to perform the contract and fulfil legal obligations.

Rights of the Data Subject.
The data subject may exercise the rights listed in Articles 15–22 GDPR, including the right to access personal data, rectify or erase them, restrict or object to processing on legitimate grounds, withdraw consent at any time (where applicable), request data portability, and obtain data updates.
The data subject also has the right to obtain information on the origin of data, the purposes and methods of processing, the logic applied, the identity of the Controller, and the entities to whom data may be communicated.
The data subject may request anonymisation, restriction or blocking of unlawfully processed data and may lodge a complaint with the Italian Data Protection Authority according to the procedures indicated on its website (www.garanteprivacy.it).
Requests may be made without formalities using the contact details above or using the forms provided by the Authority.
Contact details of the Italian Data Protection Authority: Piazza Venezia 11, 00187 Rome; Fax +39 06.69677.3785; Tel. +39 06.696771; email: garante@gpdp.it; certified email: protocollo@pec.gpdp.it.

Right to Lodge a Complaint.
If you believe your personal data have been processed in violation of the Regulation, you may lodge a complaint with the Italian Data Protection Authority (via email to garante@gpdp.it or by post to Piazza Venezia 11, 00187 Rome) pursuant to Art. 77 GDPR, or seek judicial remedy pursuant to Art. 79 GDPR.

Changes to This Privacy Notice.
This notice may be amended over time due to regulatory updates, new services or technological developments.

Porcia, Italy - 13/11/2025