Macchi di Cellere Gangemi LLP is an international law firm (the “law firm”). Pursuant to applicable data protection laws (Data Protection Law) - namely EU Regulation No. 2016/679 of the European Parliament and of the Council, dated 27 April 2016 (GDPR), any other existing or future legislative acts or provisions implementing and adopting the GDPR in Italy and France and the Data Protection Act 2018 enacted by the United Kingdom Parliament and subsequent amendments - and in relation to Personal Data, as defined in Article 4 of the GDPR and in Section 3(2) of the Data Protection Act 2018, Personal Data are data that can identify you, or that can otherwise be linked to you, which will become available to this law firm, the law firm informs you (the Data Subject) of the following:

1. Purpose of Data Processing. The purpose of data processing consists solely in:

(i) the correct and complete performance of the legal professional mandate for which the law firm has been engaged, both on judicial and extrajudicial matters;

(ii) the compliance with legal obligations to which the law firm is subject, in particular with the identification and recording obligations provided for by the applicable anti-money laundering laws and relevant implementing provisions; and,

(iii) in the unlikely case such a rare situation may occur, the protection of legitimate interests of the law firm, of the Data Subject or of a third party, when there are not fundamental rights that override such interests; Personal Data may also be processed whenever it is necessary in the public interest.

With reference to Article 6 GDPR, the legal lawful basis for the processing of Personal Data by the law firm is both in the execution of its professional engagement and contractual commitment, and the compliance with mandatory legal obligations.

2. Data Processing. The data processing (Data Processing) is carried out legitimately through any operation or set of operations such as: collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilisation, interconnection, blocking, communication, erasure and destruction of data. The Data Processing procedures are structured to ensure that Personal Data are kept up to date and accurate, therefore the law firm is entitled to collet additional information in the course of its contractual relationship with the Data Subject.

The above operations can be carried out with or without the use of electronic or automated means. Specifically, Personal Data will be entered in databases and the relevant processing shall take place through manual, electronic and IT tools suitable to ensure their safekeeping.

The Data Processing shall be carried out directly by the Data Controller(s) (as identified in Paragraph 11 below) and the person(s) authorised by the Data Controller(s) to undertake any material Data Processing of Personal Data and/or the entities which process personal data on behalf of the Controller(s), if any (Data Processors) (e.g. where necessary, companies which provides IT support and maintenance services).

Data Processing shall be always carried out in a lawful, fair and transparent manner in compliance with and limited only to the above mentioned purposes, in accordance with applicable law and the law-bar deontology regulations. Whenever it could be necessary that Personal Data are processed for another reason than the ones listed above, the Data Controller is entitled to do so, as long as such purpose is compatible with the original one. The Data Controller has to notify the Data Subject of such decision and it has to explain the legal basis that allows to do so. The Data Controller can also process Personal Data without the Data Subject's consent, in compliance with the above rules, where this is required or permitted by law.

3. Security Measures. The law firm implements all adequate security measures to prevent the destruction, accidental loss, unauthorised access, alteration or disclosure, unlawful or incorrect use of Personal Data. In particular, Personal Data will be safely kept, backed-up in digital devices and protected by passwords to allow access only on a strictly as needed basis. The Personal Data will not be used for automated decision making.

The law firm has made arrangements to have in place procedures to deal with any suspected data security breach, so the Data Controller will notify the Data Subject and any Regulator of a suspected breach, whenever legally required to do so.

4. Data Providing. The providing of any personal or judicial data is mandatory for the carrying out of the activities provided for in Paragraph 1 (i),(ii) and (iii).

5. Refusal. Failure by Data Subjects (defined in Article 4 of the GDPR and in Section 3(5) of the Data Protection Act 2018) to provide the personal and judicial data required for the purposes under Paragraph 1 (i),(ii) may prevent the firm group from being able to duly carry out its professional engagement with the Data Subject and comply with its legal obligations.

6. Data Communication. For the purposes described in Paragraph 1, Personal Data - depending on their categories/type - may be made available to Data Processors and may be communicated, where required, to Authorities and to Supervisory Bodies, to external consultants of the law firm, its accountants and entities that operate in the judicial field, or to the counterparts and relevant solicitors, barristers, attorneys, panels of arbitrators and, in general, to any other entity to which the data communication is necessary for the correct achievement of the purposes indicated in Paragraph 1 and/or in order to comply with relevant laws, regulations or the EU legislation. The law firm requires Data Processors to respect the security of the Personal Data collected about the Data Subject and requests that they take appropriate safety measures in line with its policies to protect data communicated. Third parties are not allowed to use Personal Data collected by the law firm for their own purposes, they can access them only for specific reasons and solely on instructions by the law firm. The list of the Data Processors to which data will be communicated together with the relevant details may be requested to the law firm. Within the law firm, Personal Data collected on the Data Subject may be communicated only to those solicitors, lawyers, barristers, attorneys, members, contractors, consultants, trainees, agents, employees and authorised persons in charge of the processing (e.g. people working in the administration department), and any other third parties who have a business need to know. The processing of such data will be in compliance with the law firm's guidance and it is subjected to a duty of confidentiality. The law firm prescribes that all its entities must employ adequate safeguarding procedures.

7. Data Dissemination. Personal Data may not be disclosed publicly or diffused to an undetermined set of recipients.

8. Sharing of Personal Data and Transfer Abroad. Personal Data may be shared between the offices of the law firm in the UK, France and Italy for the performance of the professional mandate. Personal data will not be transferred by the law firm outside the territory of the UK and the European Union.

9. Rights Granted to Data Subjects. Under certain circumstances, any Data Subject has specific rights pursuant to the Data Protection Law, including the right to:

(i) request to access Personal Data collected (commonly known as "data subject access request"), which enables to receive a copy of the data held and lawfully processed by the Data Controller and to obtain confirmation whether or not such data exist;

(ii) be made aware of the origin, of the details and the purposes for which the processing is carried out;

(iii) request to correct, update, rectify inaccurate or incomplete Personal Data processed by the law firm;

(iv) request erasure of Personal Data retained by the law firm, that will delete or remove such data unless there is a specific reason to continue to hold and process them;

(v) obtain the cancellation, the transformation into anonymous form or the blocking of Personal Data processed unlawfully, the update, amendment and integration of the same data and the restriction of processing;

(vi) oppose, for lawful reasons, to the processing of the Personal Data;

(vii) obtain portability, to transfer Personal Data to another party, where applicable;

(viii) withdraw consent at any time, where applicable. Subsequently the law firm will cease to process Personal Data of the Data Subject, unless there is a legitimate and lawful basis for not doing so;

(ix) file a complaint with the competent Data Protection Authority responsible for data protection issues, such as, as the case may be, the Information Commissioner's Office (ICO) (for UK) (https://ico.org.uk).

Any requests made to exercise the rights provided by the Data Protection Law shall be forwarded to the following email address: london@macchi-gangemi.com or in writing to the Managing Partner, COLP or COFA of the Data Controller at the address indicated below. The payment of a fee is not required when a Data Subject is exercising its rights in regard to its Personal Data. However, such fee could be charged whenever the Data Controller believes that the request for access is clearly unfounded or excessive. Alternatively, it may be refused to comply with the request in such circumstances.

10. Data retention. Personal Data will be retained for the period of time necessary for the purposes for which the data have been collected or for which they are further processed to satisfy any legal, accounting, or reporting requirements, in compliance with data retention policies adopted by the law firm. In general, Personal Data provided for the purpose of the performance of the legal professional mandate will be kept as long as it is necessary to execute such mandate, or, as the case may be, after the termination of the professional mandate, save where there is no legal requirement or professional needs to retain it for a further period of time. Once the contractual relationship with the Data Subject is concluded, the Data Controller will retain and securely destroy Personal Data in accordance with the law firm's data retention policy.

11. Data Controller. The different law firm entities are the Data Controllers of all the Personal Data of their respective clients, which is used in the exercise of the professional mandate. In brief, this means that law firm entities are responsible for how your Personal Data is collected and used. Under the Engagement Letter you entered into with Macchi di Cellere Gangemi LLP, the Data Controller is:

Macchi di Cellere Gangemi LLP, with registered office at 33 St. James's Square, London SW1Y 4JS, United Kingdom (ICO Registration No. ZA286545), e-mail: london@macchi-gangemi.com.

The law firm reserves the right to update this Privacy Notice at any time and the Data Controller will provide the Data Subject with a new version whenever substantial updates are made. Notifications could be given in other ways from time to time about the processing of Personal Data.