Privacy

DATA PROTECTION POLICY
in force since 21 May 2018

This Data Protection Policy is issued by IDM Südtirol - Alto Adige, with registered office in Piazza della Parrocchia n.
11 – 39100, Bolzano (hereinafter also referred to as “IDM”) pursuant to Articles 4 et seq. of the General Data Protection Regulation (EU) 2016/679 (“Regulation”). Under this Data Protection Policy, IDM is the Data Controller.

Introduction

IDM is committed to protecting the privacy of every Data Subject. The purpose of this Data Protection Policy is to
inform you about the types of data and information that IDM collects about the users, how such information is used,
and how IDM discloses it to third parties.

This Data Protection Policy does not apply to information that is directly provided to, or collected by, third parties,
that is controlled by those third parties and whose use may be governed by other Data Protection Policys and/or terms
of use. In the latter case, it is your responsibility to review the applicable Data Protection Policy and/or terms of use.

1. IMPORTANT DEFINITIONS

“Appropriate Jurisdiction” means a jurisdiction that has been formally designated by the European Commission as
having an adequate level of protection for Personal Data.

“Data Controller” means the party who decides how and why Personal Data should be processed.

“Personal Data Protection Supervisory Authority” means an independent public authority formally entrusted with
supervising and ensuring compliance with the applicable data protection regulations in force.

“EEA” means the European Economic Area.

“Materials” means jointly each and every piece of Content, Subscribed Content (where applicable and as further
defined below), messaging, blogging, chatting, social networking, information, advertising and/or Internet links, etc.,
accessible or delivered through the Website.

“Personal Data” means information relating to a natural person or information from which a natural person is directly
or indirectly identified or identifiable, in particular through reference to an identifying element such as a name, an
identification number, geographic locations, online identifiers or through reference to one or more physical, psychological, genetic, mental, economic, cultural or social elements that identify a specific natural person.

“Processing” means any operation carried out on Personal Data including without the aid of electronic means, such
as collection, recording, organisation, storage, processing, modification, retrieval, consultation, use, communication,
dissemination, or the making available in another way, interconnection, reduction, deletion and destruction of Personal Data.

“Sensitive Data” means any Personal Data relating to race or ethnicity, political opinions, religious or philosophical
beliefs, membership of a party or trade union, physical or mental health, sexual habits, judicial information relating to pending or adjudicated criminal proceedings, national identification number or any other information that could be
regarded as sensitive under the Regulations and any other applicable laws and regulations regarding the protection of
Personal Data.

“Website(s)” means each and every website operated or maintained by or on behalf of IDM.

“Application(s)” means a software application that can be integrated, downloaded and/or executed under IDM or
third-party ownership and made available on the Website(s).

“Content” means any audio or video element and any idea offered by IDM or any third party, including but not limited
to data, films, videos, photographs, software, games, graphics and design, portraits and images, artwork, music, sound,
information and other Materials, tangible and intangible, including derivative works, on and in any and all existing or
future media and formats.

2. PERSONAL DATA COLLECTION

Personal Data Collection: IDM may collect Personal Data about you from the following sources:

Data provided by the user: IDM may obtain Personal Data when you provide it to us (e.g. when you contact IDM
including by email).
Data collected in the course of the business relationship: IDM may collect or obtain Personal Data about you in
the normal course of business (e.g. in the course of IDM’s institutional activities, such as innovation, export, territorial development and marketing activities).
Data that you disclose: IDM may collect or obtain Personal Data that you choose to disclose, including through
social media (e.g. IDM may collect information from your social profile(s) if you write a public “post” about IDM).
Data in relation to the Website: IDM may collect or obtain Personal Data about you when you visit the Website
or use any of the functionalities or resources available on or through the Website(s).
Registration information: IDM may collect or obtain Personal Information when you use or register to use any of
our functionalities or resources available on or through the Website(s).
Information in relation to Content: in the event that you decide to interact with any third-party content as part of
your use of the Website(s), IDM may receive Personal Information that relates to you either directly or from a
third party that provides the Content.
Information from third parties: IDM may collect or obtain Personal Data about you from third parties who provide it to us, including third parties who provide Content or advertisements.

3. CATEGORIES OF PERSONAL DATA THAT IDM MAY PROCESS

IDM may process the following categories of Personal Data about you to the extent that such Processing is strictly
necessary for the purposes of the Processing set out in this Data Protection Policy:

Personal information: birth name(s); name currently used; online handles and nick names; photograph.
Demographic information: gender; date of birth/age; nationality; title; and language preferences.
Contact information: address; phone number; email address; and information from your public profile(s) on social
media.
Payment information: invoice registration; payment registration; billing address; payment method; bank account
number or credit card number; card holder’s or account holder’s name; card or account security information; card
validity period and due date; payment amount; payment date; cheque registration.
Data relating to the Website(s): information about IDM services and activities; settings; IP address; language settings; date and time; statistics on use of the Website(s) and/or Application(s); Website(s) and/or Application(s)
settings; date and time of connection to the Website(s) and/or Application(s); location data, and other information related to technical communications; username; password; login security information; usage data; aggregate information for statistical purposes.
Data on Content and advertising: recording of your interactions with the online advertising services and Content;
recording of advertisements and Content displayed on pages or Applications visible to you, and any interaction
you may have had with such Content or advertising.
Visualisations and opinions: any visualisation or opinion you decide to send IDM (e.g. through surveys or voting,
filling in feedback forms, or assessment made on Applications on digital purchasing platforms of third-party applications) or “posted” publicly on social media.
Non-Personal Data: when you use IDM services, IDM may also collect information that, alone or in combination
with other similar information, cannot be used for your personal identification or to contact you personally
(“Non-Personal Data”). Non-Personal Data includes information about your use of the Website(s) and Application(s).
Personal data of children under sixteen (16) years of age
IDM undertakes to protect Personal Data of children and IDM will not knowingly collect any Personal Data about
such minors for any reason, nor will IDM accept registrations from such minors.
In some cases, particularly when information is collected electronically, IDM may not be able to determine
whether the information was collected from children under the age of sixteen (16) and IDM will process that information as if it had been provided by an adult.
If IDM have been informed that a child under the age of sixteen (16) has provided Personal Data, IDM will make
every commercially reasonable effort to remove such information.
IDM encourage parents and guardians to participate in all of their children’s online activities and to prevent their
children from providing IDM with Personal Data through Smart Services.
IDM EXPRESSLY DISCLAIM ANY LIABILTY OR CLAIM IN CONNECTION WITH THE USE OR MISUSE OF
SUCH FUNCTIONALITIES BY CHILDREN IN VIOLATION OF THIS DATA PROTECTION POLICY.
Cookies and other tracking technologies. From time to time, the Website(s) and/or other Contents or Applications may use “cookies” or other technologies (such as browser cookies, flash cookies, and web beacons). A
“cookie” is a small data file placed within the Website(s) and/or within the Contents/Applications stored locally
within the same. These technologies helps IDM to better understand users’ behaviour, provide IDM with information about the sections, the Content you have viewed or accessed and helps IDM make your experience with
the Website(s) more useful and personalised. In addition, “cookies” and other technologies may be used to collect information about your online activities over time and on third-party websites and services. Further information on how to disable these tracking technologies is available at the following link: www.idm-suedtirol.com/en/privacy

4. LEGAL BASIS FOR PROCESSING SENSITIVE DATA PURSUANT TO ART. 6, Regulation (EU) 2016/679

When processing your Personal Data for the purposes set out in this Data Protection Policy, IDM may use one or
more of the following legal bases, depending on the circumstances:

Consent: IDM may process your Personal Data when IDM obtain your prior, express consent to the Processing
(this legal basis is used exclusively with reference to Processing that is entirely voluntary – it is not used for Processing that is necessary or mandatory);
Contractual requirements: IDM may process your Personal Data when the Processing is necessary in connection
with a contract that you may enter into with IDM;
Compliance with applicable law: IDM may process your Personal Data when the Processing is required by applicable law;
Fundamental interests: IDM may process your Personal Data when it is necessary to process it in order to protect
the fundamental interests of a natural person; or
Legitimate interests: IDM may process your Personal Data when IDM has a legitimate interest in Processing it for
management, operational or promotional purposes and when such a legitimate interest is not outweighed by
your interests, fundamental rights or freedoms.

5. SENSITIVE DATA

IDM does not intend to collect or otherwise process your Sensitive Data in the normal course of business. If, for
any reason, it becomes necessary to process your Sensitive Data, IDM refers to one or more of the following legal
bases:

Compliance with applicable law: IDM may process your Sensitive Data when the Processing is required or permitted by applicable law;
Identification and prevention of an offence: IDM may process your Sensitive Data where Processing is necessary
for the identification and prevention of an offence (including the prevention of fraud);
Establishment, exercise or defence of a right: IDM may process your Sensitive Data when it is necessary for the
establishment, exercise or defence of a right; or
Consent: IDM may process your Sensitive Data if IDM have obtained, in accordance with applicable law, your
prior, express consent to the Processing of your Sensitive Data (this legal basis is used exclusively with reference
to Processing that is entirely voluntary – it is not used for Processing that is necessary or mandatory).

6. HOW IDM USES THE INFORMATION COLLECTED

IDM may process your Personal Data for the following purposes:

Providing the Website(s) and Application(s): providing the Website(s), Application(s) and Content; registering
your account; providing services you requested; providing you with promotional Materials that you have requested; communicating with you in connection with such services; operating and maintaining the Website(s)
and Application(s); providing Content; showing you advertising or other information; communicating with and
interacting with you through the Website(s) and Applications;
Communications with you: communications with you by any means (including email, telephone, text messages,
social media, post or in person) relating to new items and other information that you may be interested in, on
condition that such communications are provided to you in accordance with applicable law; maintaining or updating your contact information where appropriate; and obtaining your prior consent to an opt-in decision where
required;
IT communications and operations: management of the communication systems; IT systems security operations;
IT security audits;
Health and safety: health and safety assessments and record-keeping; compliance with relevant legal obligations;
Financial management: sales, finances; company checks;
Surveys and votes: consulting with you in order to obtain your opinion about IDM’s services;
Investigatory activities: detection, investigation and prevention of violations of rules and offences under applicable law;
Legal proceedings: establishment, exercise and defence of rights;
Adaptation to the law: adjustment to legal regulatory obligations in accordance with the applicable law;
Improving the Website(s) and Applications: identifying problems with the Website(s) and Applications; planning
improvements to the Website(s) and Applications; creating new Website(s) and Applications;
Non-Personal Data: IDM may use Non-Personal Data for internal purposes, such as for statistical analysis. IDM
reserves the right to use or disclose aggregates and/or Non-Personal Data in any manner IDM deems appropriate for institutional purposes and you acknowledge and consent to this. IDM may also use diagnostic data (which
does not identify you or contain Personal Data) in order to improve the operation of the Website(s) and Applications;
Combination of information. IDM may combines the Personal Data and Non-Personal Data collected in order to
provide and improve the services offered. From time to time, IDM may also transfer or merge Personal Data collected offline with the online databases or electronically store information collected offline. IDM may also combines Personal Data collected online with information made available from other sources. If IDM combines NonPersonal Data with Personal Data, the combined information will be processed as Personal Data in accordance
with this Data Protection Policy for as long as this data remains combined.

7. HOW IDM SHARES AND DISCLOSES INFORMATION

It may be the case that IDM shares information under this Data Protection Policy and the following section describes how IDM shares that information. IDM will disclose your Personal Data only if and to the extent that it is
necessary: (i) to provide the services you have requested; (ii) to adapt to applicable law; (iii) to establish, exercise
or defend rights of IDM; (iv) to the extent necessary in connection with the sale or reorganisation of a substantial
part of IDM’s business.

Personal Data and Non-Personal Data. IDM may share Personal Information and Non-Personal Information as
follows:
With employees and contractual partners, in order to help provide or improve services.
With professional consultants from IDM.
With third parties and their respective consultants in connection with mergers, acquisitions, bankruptcy,
dissolution, reorganisation, total or partial sale of IDM‘s assets, financial business, the total or partial assignment IDM’s business, or similar transactions or processes, as well as their preliminary activities (e.g. due
diligence).
When required or permitted by applicable laws and regulations.
With any relevant party for prevention, investigation, detection or prosecution of criminal offences or the
execution of criminal sentences, including protection against and prevention of threats to public safety.
With any relevant party, supervisory authority or court, to the extent necessary for the establishment, exercise and defence of rights.
With public or private authorities, on request, or for the purpose for reporting any present or potential violation to applicable laws and regulations.
With carefully selected third parties, including suppliers, as necessary to provide a service to IDM or to perform a function or service in connection with the IDM Website(s). Each time IDM discloses your Personal
Data to a carefully selected third party or to any third party mentioned in this Data Protection Policy, IDM
will comply with the data protection regulations, ensure that the third party has put in place all measures to
keep your data secure, does not use your Personal Data for purposes other than those specified and that
this takes place in accordance with the purposes set out in this Data Protection Policy.
With other third parties at your sole discretion and with your express consent and for the purposes requested by you.

8. MATERIALS OF THIRD PARTIES

Third parties offering Applications or Materials may collect Personal Data or Non-Personal Data when you access their
Applications and Materials made available through their services. IDM is not responsible for the data collection and
Data Protection Policys that apply to such third parties or for their services, and they may collect data about you and
may share it with IDM and/or others. These third parties and their services may also track you over time and in space,
submit their own advertisements (including interest-based advertisements) and may or may not have published their
own Data Protection Policys.

In addition, when you use the Website(s) you may be directed to other services that are provided and controlled by
third parties and that IDM does not control. For example, if you browse the Internet and click on a link on a website,
the link may take you to a different website. When you access a new website or application IDM advises you to review
the Data Protection Policys of all third parties involved and to pay attention to them. IDM is not responsible for the
availability, completeness and accuracy of such third-party Data Protection Policys.

9. YOUR CHOICE CONCERNING THE COLLECTION OF DATA AND THE MODIFICATION OF THE PREFERENCES COMMUNICATED: YOUR RIGHTS AND CHOICES

Accuracy of data
IDM is committed to making every reasonable effort to ensure that:

your Personal Data processed by IDM is accurate and, where necessary, kept up to date; and
any and all of your Personal Data that IDM has processed that is found to be inaccurate (having regard to the
purposes for which it is processed) is deleted or changed without delay.
From time to time IDM may ask you to confirm the accuracy of your Personal Data.
No data surplus
IDM is committed to making every reasonable effort to ensure that your Personal Data processed by IDM is
limited to that strictly necessary for the purposes set out in this Data Protection Policy.
Data retention
IDM is committed to making every reasonable effort to ensure that your Personal Data processed by IDm is processed only for the minimum period necessary for the purposes set out in this Data Protection Policy.
The criteria for determining the retention period for your Personal Data are as follows: IDM will keep copies of
your Personal Data in a form that permits identification only for the time necessary for the purposes set forth in
this Data Protection Policy, unless applicable law requires a longer retention period. In particular, IDM may retain
your Personal Data for the time necessary to establish, exercise or defend a right of IDM.
Your rights
In relation to the Regulations and applicable law, you may have a number of rights with respect to the Processing
of your Personal Data of which IDM is Data Controllers, including:
the right not to provide your Personal Data to IDM (however, please note that in such a case IDM may not be
able to provide you with all the benefits of the Website(s) and the Applications you request);
the right to request access to, or a copy of, your Personal Data, together with information relating to the nature,
Processing and disclosure of such Personal Data;
the right to request corrections of any inaccuracies in your Personal Data;
the right to request, on legitimate grounds:
the deletion of your Personal Data;
the limitation of the Processing of your Personal Data;
the right to object to, on legitimate grounds, the Processing of your Personal Data by IDM or on behalf of IDM;
the right to obtain certain transfers of Personal Data to other Data Controllers, in a structured format, used in
practice and digitally readable, within the applicable purposes;
when IDM processes your Personal Data based on your consent, the right to withdraw your consent (provided
that such withdrawal does not affect any lawful Processing being carried out prior to the date on which IDM receives notice of such withdrawal or prevent the Processing of your Personal Data on any other legal basis); and
the right to lodge complaints with a Data Protection Authority in relation to the Processing of your Personal
Data by IDM or on behalf of IDM.
All the above is without prejudice to your mandatory rights.
Should you wish to exercise any of these rights, please contact IDM at the following address: privacy@idm-suedtirol.com. Please note that:
IDM may require proof of your identity before IDM can grant effect to the aforementioned rights invoked; and
should your request involve the ascertaining of further facts (e.g. determination of the non-conformity of certain
Processing with applicable law), IDM will evaluate your request in a reasonably short space of time, before deciding on the action to be taken.
If IDM receives a valid request to grant effect to any of the aforementioned rights invoked, IDM will use reasonable efforts within one (1) month or, to the extent permitted by applicable law, as soon as reasonably permitted.
If you request the removal of any Personal Data, you acknowledge that your Personal Data may continue to exist
in a non-deletable form that would be difficult or impossible for IDM to locate. For reasons of file storage, IDM reserves the right to maintain any information deleted from or changed in the databases for non-commercial
purposes including dispute resolution, Website(s) improvement, troubleshooting and application of this Data Protection Policy:
The above-mentioned rights do not apply to the collecting of Non-Personal Data.
IDM reserves the right to deny the Processing of requests for data removal that are not feasible or that affect the
privacy of others. Refusal to process requests for data deletion must be justified by applicable law.
All users of the Website(s) are required to provide, when requested, true, correct, complete and accurate Personal
Data and IDM will reject and delete any data that IDM in good faith believe to be incorrect, false, falsified or
fraudulent, or inconsistent with, or in violation of the Data Protection Policy

10. SECURITY OF THE INFORMATION THAT IDM COLLECTS

IDM takes the security of your Personal Data seriously. IDM implements physical, administrative and organisational
protective measures to preserve the confidentiality and security of your Personal Data. Unfortunately, the transmission of information over the Internet is not completely secure. Although IDM does his best to protect your Personal
Data, IDM cannot guarantee the security of your Personal Data transmitted through use of the Website(s) and Applications. Any transmission of Personal Data is at your own risk. IDM is not responsible for circumventing any and all
privacy settings or security measures for the Website(s) and Applications.

11. WALLS/MESSAGE BOARDS AND OTHER PUBLIC SPACES

IDM may offer walls/message boards or other public functions on the Website(s), and any of your posts in such public
spaces are considered public information that is available to other users.
IDM does not control and is not responsible for the actions of other users with respect to any information you post in
such spaces. In addition, the information you disclose into public spaces may be collected and used by other users to
send you unsolicited messages and for additional purposes. Each post on the message boards and in the public spaces
on the Website(s) is also governed by the terms and conditions of the applicable third-party websites.
Parts of your user profile may also be available to other users and you should take care not to use Personal Data in
your user name or in other information that may be publicly available to other users.

12. TRANSNATIONAL TRANSFER OF INFORMATION

IDM may transfer and retain Personal Data that you provide to IDM in connection with your use of the Website(s)
to/on servers located in countries outside your jurisdiction. IDM may also transfer Personal Data collected by you in
other countries outside your jurisdiction to third parties mentioned in this Data Protection Policy, to the extent that
such transfer is necessary in order to comply with our obligations under this Data Protection Policy.

13. DATA PROTECTION POLICY VERSIONS AND AMENDMENTS

IDM reserves the right to amend this Data Protection Policy at any time and for any reason, and will publish any
changes to this Data Protection Policy within a reasonable time after they enter into force. This Data Protection Policy
will remain in full force and effect as long as you remain a user of the Website(s) and/or Application(s), even if your
use of, or participation in, any particular service, feature, function or promotional activity ends, expires, terminates, is
suspended or disabled for any reason.

CONTACT
Please send any further questions you may have with respect to this Data Protection Policy to privacy@idm-suedtirol.com.

What are cookies?

A "cookie" is a small text that is sent to the computer to identify the visitor's browser or to store information and settings in the browser. You can also refuse browser cookies by disabling the corresponding setting on your browser. However, if you choose this setting, you may not be able to access certain parts of the web page or they may no longer function completely.

The following cookies are used on this website as well as on the subdomains:

Navigation cookies are required for normal navigation and use of the website; without these cookies, the website may not be able to access certain features or work properly.

Functionality cookies: by saving your settings, these cookies extend the functionality of the website. They capture settings you have made (such as username or language) and allow the site to be improved.

Performance cookies may originate from us or from a third party. The information collected by these cookies is anonymous data that is neither used to collect personal information nor for promotional purposes.

Cookies for marketing and retargeting purposes are applied by third parties and are used to display advertising. No personal information is processed, but a connection will be established to your computer or other device by tracking the information stored in it.

Instructions for disabling cookies

Internet Explorer
Block or allow all cookies

1. Open Internet Explorer
2. Navigate to "Tools" and "Internet Options"
3. Select the "Privacy" tab and move the slider to the top to block all cookies
4. Click OK to confirm

Further information https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies

Firefox
To block the cookies of all websites:

1. Click the menu button and select Settings.
2. Navigate to the Privacy section.
3. Go to the settings for the "History" and select "Create custom settings". Select "Accept cookies from websites" and save the settings.

Further information https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

Google Chrome

1. Select the Chrome menu icon Chrome Menu.
2. Select Settings.
3. At the bottom of the page, select Show advanced settings.
4. In the Privacy section, select Content Settings.
5. Select Block storage of data for all websites.
6. Select Done.

Further information https://support.google.com/chrome/answer/95647?hl=en&hlrm=en

Safari

1. Open Safari
2. Select "Settings" in the system bar and in the "Privacy" dialog box that opens
3. In the section "Accept cookies" you can specify if and when Safari should store the cookies of the websites. For more information, click the Help button (marked with a question mark)
4. For more information about the cookies that are stored on your computer, click on "show cookies"

Further information https://support.apple.com/en-gb/guide/safari/manage-cookies-and-website-data-sfri11471/mac

The following table contains a list of cookies that are used on the website and explains their purpose and lifetime:

Cookie Name	Use	Duration
ASP.NET_SessionId	System cookie, used to keep the user session up	until you close the Browser
CookieBanner	Hides the cookie banner	active for 1 year
PageHistory	Contains the session of the visitor	active for 11 months
_ga	Used to identify users	active for 2 years
_gat_ga0	Used to create tracker objects	active for 10 minutes
_gat_ga1	Used to create tracker objects	active for 10 minutes

Web push notifications from PushPanda.io

We use web push notifications from PushPanda.io. Web push notifications are notifications that can be displayed on your terminal device without opening the website or the relevant app.
No distinctive user data, such as IP addresses or similar, that could allow the user in question to be identified, are saved. If somebody registers for the notification distributor (opt-in process), only an identification code and the geographical IP information (country and state) of the user are sent to PushPanda.io and stored in its database. This code is issued by the respective browser provider (Google, Mozilla, etc.) and enables the notifications to be sent to the relevant browser later. Notifications are sent by the browser provider itself.
If the opt-in for push notifications is withdrawn (opt-out), all data saved with PushPanda.io is deleted and the identification code will be invalid.
You can find information about opting out of push notifications at https://www.pushpanda.io/de/links/abmeldung/.
PushPanda.io is a service of Project K GmbH, with headquarters in Innsbruck, Austria.

As of: 19/12/2019