1. Subject matter

This information notice is provided pursuant to and for the purposes of art. 13 of Regulation (EU) 2016/679 ("GDPR") in order to inform you that, in order to allow your registration to the portal "Cyber Security and Digital Competence Center" (the "Portal") and to provide you with its services, the company Leonardo S.p.A. collects and processes personal data referable to you, in compliance with applicable law and your rights.

2. Data Controller

The data controller of your personal data is the company Leonardo S.p.A., with registered office in Rome, Piazza Monte Grappa n. 4 (the "Controller"). The Controller, in compliance with art. 37 of GDPR, has appointed a Data Protection Officer (DPO) who can be contacted at the following email address: DPO@leonardocompany.com.

3. Type of personal data processed, purpose and legal basis of processing

Your personal data and contact details (i.e. name, surname, email address, hereinafter referred to as "Personal Data") necessary for the purposes of your registration on the Portal are processed. Special categories of data, as per art. 9 of the GDPR, suitable to reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data aimed at uniquely identifying a natural person, data relating to health or sexual life or sexual orientation of the person, will not be processed.

Your Personal Data will be processed for: (i) allow you to access the Portal and the services provided through it, as well as (ii) allow the Controller to send you commercial communications in relation to its products and/or services. Your Personal Data may also be processed in order to (iii) profile your preferences, in compliance with the principles set out in the GDPR and the applicable privacy regulations. Your Personal Data will be processed only with your specific consent according to the different purposes pursued by the Controller (pursuant to art. 6 letter a) and art. 7 of GDPR). The consent to the processing of your Personal Data is optional, but without it for the purpose under no. (i) above, the Controller could not guarantee your access to the Portal.

4. Personal Data recipients and other subjects authorized to process them

In the performance of its activity and for the purposes referred to in paragraph 3 above, your Personal Data may be communicated to public and/or private organizations, authorized to receive them by law, as well as to natural and/or legal persons, associations or professional firms that provide services or activities of assistance and advice to the Controller (including cloud services and marketing services), with particular but not exclusive reference to accounting, administrative, tax, IT, legal, financial matters and/or legal advisors.

Your Personal Data will be processed by the Controller through its own personnel duly authorized to do so and instructed to confidentiality, only as necessary and on the basis of specific instructions from the Controller. Your Personal Data will not be subject to disclosure or transfer to third countries (with respect to the European Union) or to international organizations.

5. Methods of processing and Personal Data retention

The processing of your Personal Data will be carried out in compliance with GDPR and applicable privacy law and regulations, with computer and/or manuals systems, in any case suitable to guarantee the security of the processing itself. The processing of your Personal Data is in any case based on the principles of proportionality and necessity (for which no unnecessary personal data will be processed or collected), the principle of loyalty and transparency and will take place in compliance with the requirement of adequacy of security measures.

Without prejudice to the exercise of your rights, your Personal Data will be kept for as long as necessary for the purposes for which they are collected.

6. Data subjects’ rights

With respect to your Personal Data you can exercise all rights set forth by articles 15 et seq. of the GDPR. In particular, you may:

a) request the Controller to confirm the existence of your Personal Data, the origin of such data, the reason and purpose of their processing, the categories of subjects to whom the data may be transmitted, as well as the identification details of the Controller and of its data processors;

b) request access to Personal Data, transformation into anonymous form, blocking, rectification, updating, integration, erasure of such data or limitation of their processing;

c) object to the processing of Personal Data, for any reason connected to its particular situation, within the limits set forth by the GDPR and, in particular, object, at any time, to the delivery of communications and/or informative material by the Controller (opt-out right) pursuant to Article 17 of the GDPR, through the "Unsubscribe" function contained at the bottom of each electronic communication received from the Controller or by sending an express request to the email addres: soc@leonardocompany.com.

d) exercise the right to portability, within the limits provided for by Article 20 of the GDPR;

e) withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

f) lodge a complaint with the Italian Data Protection Authority, following the procedures and the instructions published on its official website (www.garanteprivacy.it).

Any amendment or erasure or limitation on processing carried out upon your request - unless this proves impossible or involves a disproportionate effort - will be communicated by the Controller to each of the recipients to whom the relevant Personal Data have been transmitted. The Controller may inform you of these recipients upon request. For the purpose of exercising the rights listed in this paragraph, as well as for any clarification, you can directly contact the Controller by sending an email to the following email address: DPO@leonardocompany.com.