1. INFORMATION ON THE PROCESSING OF PERSONAL DATA OF USERS

pursuant to Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and further national and European legislation as applicable

I. Data Controller and DPO
NSA SpA, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 02229510983;
NSA Srl, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 09280900961;
NSA SOLUZIONI ASSICURATIVE SpA, con sede legale in Milano, Via Conservatorio n. 30, P.Iva 08632480961;
ALA Srl, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 11050980967; PLANET FINANCE Srl, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 11792670967;
SOLUZIONI PER IMPRESE Srl, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 13219480962 in the person of its legal representative pro tempore, as joint controllers (hereinafter each respectively referred to as “Data Controller”), inform you that your personal data will be processed for the purposes and in the manner specified below.

The processing of personal data will be carried out in accordance with the law, according to the principles of necessity, correctness, lawfulness and transparency, protection of your privacy and your rights, limitation of the purpose of processing and storage, data minimization, accuracy and quality of data, data integrity and security.
The Data Protection Officer (DPO) appointed by the Data Controller can be reached by writing to the following e-mail address: legale@grupponsa.it.

II. Personal data processed
Browsing data. The computer systems and software procedures used to operate the site www.grupponsa.it (“Website”) acquire, in the course of their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. These data are not collected to be associated with identified data subjects, but by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of the computers used by users connecting to the Website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the Website and to check its correct functioning and is deleted immediately after processing. The data could be

used to ascertain responsibility in the event of hypothetical computer crimes to the detriment of the Website: except for this possibility, at present the data on web contacts do not persist for more than seven days and in any case not beyond the time necessary to process the requests made.
Data voluntarily provided by the user. Subscription to the newsletter and the optional, explicit and voluntary sending of e-mail messages to the addresses indicated on the Website entails the subsequent acquisition of the sender's address, which is necessary in order to reply to the requests made, as well as any other personal data included in the message. The personal data collected through this method will be processed by the Data Controller for the sole purpose of responding to the request for information received and for any subsequent related communications.

III. Purpose of the processing
On the basis of your free, explicit and informed consent – or in the other cases of lawfulness of processing strictly provided for by law, including art. 6 of Reg. (UE) 2016/679 – the Data Controller informs you that your personal data will be collected for the following purposes:
a) Managing contact requests via the form on the "contact us" page.
Legal basis: art. 6, lett. b), of Reg. (UE) 2016/679, processing is necessary for the performance of a contract to which you are party or for in order to take steps at your request prior to entering into a contract.
b) Statistical research/analysis on aggregated or anonymous data, without therefore the possibility of identifying the user, aimed at measuring the functioning of the Website, measuring traffic and assessing usability and interest.
Legal basis: art. 6, lett. f), of Reg. (UE) 2016/679, processing is necessary for the purposes of the legitimate interest pursued to the Data Controller.

IV. Data processing methods
Your personal data are processed for the most part through the use of electronic instruments by the Data Controller – by means of persons authorized to process them, with regard to the data necessary to perform the work tasks assigned to them - and/or by other persons appointed by the Data Controller as data processors pursuant to art. 28 GDPR. Personal data will be processed by implementing specific technical and organisational security measures that are appropriate and designed to prevent the loss of data, unlawful or incorrect use and unauthorized access.
Your data may be transmitted to the police and to judicial and administrative authorities, in accordance with the law, for the detection and prosecution of criminal offences, the prevention and protection against threats to public safety, to enable the Data Controller to ascertain, exercise or defend a right in court, and for other reasons related to the protection of the rights and freedoms of others.
The Data Controller hereby informs you that personal data may also be transferred to Countries not belonging to the European Union or to the European Economic Area (so-called Third Countries) recognized by the European Commission as having an adequate level of protection of personal data

or, if this is not the case, only if an adequate level of protection of personal data with respect to that of the European Union is contractually guaranteed by the suppliers of the Data Controller located in the Third Country (e.g. by signing the standard contractual clauses provided for by the European Commission) and that the exercise of the rights of the data subjects is always ensured.
The personal data provided will not be disseminated.

V. Data retention period
We retain your personal data for a limited period of time, which varies according to the type of activity for which the data is processed. Once this period has expired, your data will be permanently deleted or in any case irreversibly anonymized, unless their further processing is necessary for one or more of the following purposes: i) resolution of pre-litigation and/or litigation initiated before the expiry of the storage period; ii) to follow up investigations/inspections by internal control functions and/or external authorities initiated before the expiry of the retention period; iii) to follow up on requests from Italian and/or foreign public authorities received/notified to the Data Controller before the expiry of the retention period.
In particular, the data you provide for the purposes referred to in this privacy policy will be retained for two years after they are provided.

VI. Rights of the data subject
As a data subject, you may at any time exercise your rights under Articles 15 et seq. of Reg. (EU) 2016/679. In particular, you may ask the Data Controller for confirmation of the existence or otherwise of personal data concerning you, access to the personal data and the rectification or erasure of the same or the limitation of the processing concerning you or to object to their processing, in addition to the right to data portability and the right to lodge a complaint with a supervisory authority. You may obtain information about the source from which the personal data originates and, where applicable, whether the data comes from publicly accessible sources. In addition, where the processing is based on explicit consent, the data subject will have the right to withdraw consent at any time without affecting the lawfulness of the processing based on the consent given before the withdrawal. In order to ensure that your data is not violated or used unlawfully by third parties, we will ask you for certain information to ensure your identity before granting your request to exercise one of these rights.

2. INFORMATION ON THE PROCESSING OF PERSONAL DATA OF PROSPECTIVE CLIENTS

pursuant to Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and further national and European legislation as applicable

I. Data Controller and DPO
NSA SpA, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 02229510983;
NSA Srl, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 09280900961;
NSA SOLUZIONI ASSICURATIVE SpA, con sede legale in Milano, Via Conservatorio n. 30, P.Iva 08632480961;
ALA Srl, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 11050980967; PLANET FINANCE Srl, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 11792670967;
SOLUZIONI PER IMPRESE Srl, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 13219480962 in the person of its legal representative pro tempore, as joint controllers (hereinafter each respectively referred to as “Data Controller”), inform you that your personal data will be processed for the purposes and in the manner specified below.

The processing of personal data will be carried out in accordance with the law, according to the principles of necessity, correctness, lawfulness and transparency, protection of your privacy and your rights, limitation of the purpose of processing and storage, data minimization, accuracy and quality of data, data integrity and security.
The Data Protection Officer (DPO) appointed by the Data Controller can be reached by writing to the following e-mail address: legale@grupponsa.it.

II. Type and origin of personal data processed
The personal data processed by the Data Controller are either communicated by you or are collected from other data controllers, such as public sources or publicly accessible databases, in compliance with the relevant regulations (e.g. Chambers of Commerce, Central Credit Bureau, etc.).
The personal data processed include, but are not limited to, personal data, contact data, tax data, banking and financial information, and information on marital status.
Except in the cases strictly provided for by law, the Data Controller does not collect personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and does not process genetic data, biometric data intended to uniquely identify a natural person, data concerning the health or sex life or sexual orientation of the person. The Data Controller invites you not to provide such data.

The Data Controller collects personal data relating to criminal convictions and offences or related security measures, only to the extent strictly necessary for the fulfilment of legal or contractual obligations and in accordance with the relevant legislation.

III. Purpose of the processing
On the basis of your free, explicit and informed consent – or in the other cases of lawfulness of processing strictly provided for by law, including art. 6 of Reg. (UE) 2016/679 – the Data Controller informs you that your personal data will be collected for the following purposes:
a) to promote the offer of products or services provided by the Data Controller and/or products or services provided by third party companies with which the Data Controller has entered into agreements for the promotion of such products or services;
b) to enable the proper establishment of the contractual relationship and the proper performance of all activities related thereto;
Legal basis: processing is necessary for compliance with a legal obligation and for the performance of a contract to which you are party or for in order to take steps at your request prior to entering into a contract;
c) to assert or defend a right in court, as well as in administrative proceedings or arbitration and conciliation procedures in the cases provided for by law;
Legal basis: processing is necessary for compliance with a legal obligation and for the purposes of the legitimate interest pursued to the Data Controller;
d) the Data Controller informs you that it may record and store extracts of telephone conversations between you and the Data Controller concerning the scheduling of appointments you have requested with the Data Controller's consultants in order to monitor the quality of the service;
Legal basis: processing is necessary for the performance of a contract to which you are party or for in order to take steps at your request prior to entering into a contract and for the purposes of the legitimate interest pursued to the Data Controller.
The Data Controller informs you that in the event of failure to provide the personal data requested for the purposes referred to in lett. a), b), c) and d) of the present paragraph III, it will be impossible to take steps at your request prior to entering into a contract and to establish a contractual relationship.

IV. Data processing methods
Your personal data are processed for the most part through the use of electronic instruments by the Data Controller – by means of persons authorized to process them, with regard to the data necessary to perform the work tasks assigned to them - and/or by other persons appointed by the Data Controller as data processors pursuant to art. 28 GDPR. Personal data will be processed by implementing specific technical and organisational security measures that are appropriate and designed to prevent the loss of data, unlawful or incorrect use and unauthorized access.
Your data may be transmitted to the police and to judicial and administrative authorities, in accordance with the law, for the detection and prosecution of criminal offences, the prevention and protection against threats to public safety, to enable the Data Controller to ascertain, exercise or

defend a right in court, and for other reasons related to the protection of the rights and freedoms of others.
The Data Controller hereby informs you that personal data may also be transferred to Countries not belonging to the European Union or to the European Economic Area (so-called Third Countries) recognized by the European Commission as having an adequate level of protection of personal data or, if this is not the case, only if an adequate level of protection of personal data with respect to that of the European Union is contractually guaranteed by the suppliers of the Data Controller located in the Third Country (e.g. by signing the standard contractual clauses provided for by the European Commission) and that the exercise of the rights of the data subjects is always ensured.
The personal data provided will not be disseminated.

VI. Data retention period
We retain your personal data for a limited period of time, which varies according to the type of activity for which the data is processed. Once this period has expired, your data will be permanently deleted or in any case irreversibly anonymized, unless their further processing is necessary for one or more of the following purposes: i) resolution of pre-litigation and/or litigation initiated before the expiry of the storage period; ii) to follow up investigations/inspections by internal control functions and/or external authorities initiated before the expiry of the retention period; iii) to follow up on requests from Italian and/or foreign public authorities received/notified to the Data Controller before the expiry of the retention period.
The data you provide for the purposes referred to in this privacy policy will be retained for the time necessary to achieve the purposes for which they are collected or for any other legitimate related purpose and in any case for a period not exceeding 2 years from collection and/or your provision.

VII. Rights of the data subject
As a data subject, you may at any time exercise your rights under Articles 15 et seq. of Reg. (EU) 2016/679. In particular, you may ask the Data Controller for confirmation of the existence or otherwise of personal data concerning you, access to the personal data and the rectification or erasure of the same or the limitation of the processing concerning you or to object to their processing, in addition to the right to data portability and the right to lodge a complaint with a supervisory authority. You may obtain information about the source from which the personal data originates and, where applicable, whether the data comes from publicly accessible sources. In addition, where the processing is based on explicit consent, the data subject will have the right to withdraw consent at any time without affecting the lawfulness of the processing based on the consent given before the withdrawal.

3. INFORMATION ON THE PROCESSING OF PERSONAL DATA OF CANDIDATES

pursuant to Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and further national and European legislation as applicable

I. Data Controller and DPO
NSA SpA, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 02229510983;
NSA Srl, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 09280900961;
NSA SOLUZIONI ASSICURATIVE SpA, con sede legale in Milano, Via Conservatorio n. 30, P.Iva 08632480961;
ALA Srl, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 11050980967; PLANET FINANCE Srl, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 11792670967;
SOLUZIONI PER IMPRESE Srl, with registered office in Milano, Via Pietro Mascagni n. 15, P.Iva 13219480962 in the person of its legal representative pro tempore, as joint controllers (hereinafter each respectively referred to as “Data Controller”), inform you that your personal data will be processed for the purposes and in the manner specified below.

The processing of personal data will be carried out in accordance with the law, according to the principles of necessity, correctness, lawfulness and transparency, protection of your privacy and your rights, limitation of the purpose of processing and storage, data minimization, accuracy and quality of data, data integrity and security.
The Data Protection Officer (DPO) appointed by the Data Controller can be reached by writing to the following e-mail address: legale@grupponsa.it.

II. Purpose of the processing
The Data Controller processes personal data collected directly from you or from third parties, which include, but are not limited to:
- personal data (e.g. name, surname, address, date and place of birth)
- contact data (e.g. e-mail, landline and mobile phone)
- your image (as part of selection activities carried out through online platforms)
- data contained in your curriculum vitae and in the aptitude tests administered by the Data Controller as part of the selection procedure.
The Data Controller may process special categories of personal data (e.g. data relating to health, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership) for purposes strictly connected with and instrumental to the establishment of a work or collaboration relationship (e.g. the establishment management and termination of the employment or collaboration relationship), or to fulfil specific legal obligations (e.g. with regard to social security and assistance, including supplementary assistance, health and safety at work, taxation, trade unions, protection of health, public order and safety).

In such cases, the processing is necessary to fulfil legal obligations arising from the need to establish a working relationship or collaboration. This necessity represents the legal basis that legitimizes the relevant processing; without your personal data, the Data Controller would be unable to fulfil the provisions of the law or to establish a working relationship or collaboration with you.
The personal data you voluntarily provide will be processed exclusively for the recruitment, selection and assessment of personnel to be hired or with whom any professional collaboration relationships of any kind will be established. The provision of your data is necessary for the management of personnel selection procedures and failure to provide them will preclude the possibility of assessing your application.
The legal basis legitimizing the relevant processing is that referred to in art. 6, lett. b), of GDPR, as the processing is necessary to take steps at your request prior to entering into a contract.

III. Data processing methods and data protection
Your personal data are processed through the use of electronic and analogic instruments by means of persons appointed by the Data Controller as data processors pursuant to art. 28 of Reg. (UE) 2016/679 or persons authorized to process them, for as long as necessary to achieve the purposes for which they are collected or for any other legitimate related purpose, and in any case no longer than two years after they are provided.
The Data Controller hereby informs you that personal data may also be transferred to Countries not belonging to the European Union or to the European Economic Area (so-called Third Countries) recognized by the European Commission as having an adequate level of protection of personal data or, if this is not the case, only if an adequate level of protection of personal data with respect to that of the European Union is contractually guaranteed by the suppliers of the Data Controller located in the Third Country (e.g. by signing the standard contractual clauses provided for by the European Commission) and that the exercise of the rights of the data subjects is always ensured.

IV. Rights of the data subject
As a data subject, you may at any time exercise your rights under Articles 15 et seq. of Reg. (EU) 2016/679. In particular, you may ask the Data Controller for confirmation of the existence or otherwise of personal data concerning you, access to the personal data and the rectification or erasure of the same or the limitation of the processing concerning you or to object to their processing, in addition to the right to data portability and the right to lodge a complaint with a supervisory authority. You may obtain information about the source from which the personal data originates and, where applicable, whether the data comes from publicly accessible sources. In addition, where the processing is based on explicit consent, the data subject will have the right to withdraw consent at any time without affecting the lawfulness of the processing based on the consent given before the withdrawal.