General principles
The effectiveness of this section of the Handbook and/or the respective procedures, and the need to update them, are subject to continuous checks and periodic audits as indicated in the specific Policies and, in any case, on a semi-annual basis.
Unless otherwise indicated in the Policies, control is entrusted to the Compliance circle.
The Compliance Team is responsible for managing and updating the present section of the Handbook, and checks its status on a monthly basis.
The Compliance Team takes care of updating the Company's GDPR Registers, unless otherwise specified, on an ongoing or at least annual basis. The originals of the GDPR Registers are stored on the Compliance SharePoint.
It is understood that only the CEO or the Board of Directors, and the delegated representative(s) of the Company, may approve changes of any kind to these Policies and Procedures.
The provisions set out in this document, which also contain a description of the Company's work tools, are to be considered binding for every employee and collaborator of Agile.
The violation of the provisions of this document may constitute a disciplinary offense, even of a serious nature, relevant for the purposes of the employment relationship and / or serious breach of the existing consultancy relationships with the Company.
Introduction
This document summarizes the procedures and principles adopted by Agile regarding the protection of Privacy and in relation to the processing of personal data ("Data") communicated or obtained by Agile in the execution of its business activities.
This Policy applies to all Personal Data collected, processed, shared or used by Agile for which Agile is Controller or External Processor under the GDPR.
Definitions
In this document:
with the term "processing" (Art. 4, no. 2, of EU Regulation 2016/679) we refer to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
with the term "personal data" (Art. 4, no. 1, of EU Regulation 2016/679) we refer to any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
with the term "controller" (Art. 4, no. 7, of EU Regulation 2016/679) we refer to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
with the term "processor" (Art. 4, no. 8, of EU Regulation 2016/679) we refer to the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Controller and Processor
Controller
The Controller, in the person of the legal representative of the Company, making use where necessary of the Processors (Art. 28 of EU Regulation 2016/679), where appointed:
identifies and makes decisions regarding the purposes and methods of data processing, including the security profile;
carries out the census of processing activities, keeps the record of data processing activities up to date, and guarantees to the data subject all the rights set out in Articles 15-21 of EU Regulation 2016/679;
identifies, prepares, verifies, documents and makes known the security measures (minimum and more extensive) necessary for the protection of Data.
An internal compliance function within the Company has also been identified, supported by the DPO, in the figures of Internal Compliance and Internal Technical Compliance, to support the entire Company in matters concerning GDPR compliance.
The function reports to compliance@agilelab.it.
The Company updates its GDPR Records, unless otherwise specified, at least on a semi-annual basis.
Processors
The Processors manage the processing on the basis of the tasks entrusted to them and specified in detail in writing by the Controller. The Processors comply with the instructions given by the Controller who, also by means of periodic verifications, supervises compliance with the provisions on processing laid down by the Regulation, including the security profile. The Processors in turn supervise compliance with the instructions given to the persons authorised to carry out the processing.
Agile, because of the typical nature of the Company's activities, is frequently appointed as Processor by clients who use systems supplied by Agile and/or delegate to Agile certain data processing activities for which the client is the Controller.
In the event of a transfer of Data outside the EU, the transfer will be carried out in accordance with the provisions of the law, concluding, where necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided by the European Commission.
Privacy Principles
In order to prevent outsiders from gaining knowledge of the Data being processed, employees, collaborators and/or advisors must observe the following rules of ordinary diligence, as well as all other measures deemed necessary to ensure compliance with the provisions of the privacy regulations:
all processing operations must be carried out in compliance with the security measures and in a way that preserves the confidentiality of the information that comes into the person's possession; all Data are to be considered confidential and, as a rule, subject to secrecy;
all operations, whether digital or paper-based, concerning or relating to Data in relation to which Agile or Agile's clients are controllers, must be carried out exclusively using Company equipment and tools;
the individual phases of work and the conduct to be observed must make it possible to avoid the risk of loss or destruction of Data, the risk of access by unauthorized persons, and the risk of processing operations that are not permitted or do not conform to the purposes for which the Data were collected;
for the purposes referred to in the previous point, given the specific activity of Agile, a further procedure for managing access to certain specific infrastructures is being implemented, of which the interested parties will be informed in due course;
in the event of moving away from the workstation, even temporarily, all necessary measures must be taken (e.g. locking the PC) so that third parties, including other employees, cannot access the Data for which any type of processing was underway;
only those processing operations that are necessary for the purposes for which the Data were collected may be carried out;
with regard to Data for which client companies are controllers, only those processing operations necessary to fulfil the contractual commitments undertaken may be carried out;
the accuracy of the Data processed and their relevance to the purposes pursued in each case must be constantly verified. If a data subject withdraws his/her consent to the processing of Data pursuant to Art. 7, paragraph 3, of the Regulation, the employee and/or collaborator must promptly notify the Controller or, where present, the Processor so that any necessary measures can be adopted.
Processing of Special Personal Data (art. 9 GDPR)
All processing of special categories of personal data under Art. 9 of the GDPR (data revealing racial or ethnic origin, religious or philosophical beliefs, political opinions or trade union membership, genetic data, biometric data, health data and data concerning a person's sex life or sexual orientation) shall be carried out in a way that minimises security and confidentiality risks. Documents shall be stored in segregated folders, access to which is limited to selected workers and the head of the circle concerned, who is responsible for selecting any additional users allowed to access the data. Circle leaders shall monitor such access and report to the Compliance Team.
Accessing Data from Workstation/Tools
The workstation and Company tools must be:
used only for work-related purposes;
used exclusively by a single user;
protected, preventing third parties from accessing the Data being processed.
Each employee, collaborator and/or advisor must:
limit the downloading/saving of files locally to cases where this is unavoidable, and report any possible improvements to Internal Compliance;
in this case, provide for the immediate and definitive deletion of the files saved locally when the work is finished;
do not install any software and/or applications not previously authorized;
do not leave confidential information unattended in whatever medium it is stored;
lock the workstation using the operating system's lock function when leaving the PC, even momentarily, or, alternatively, set a password-protected screen saver that activates after at most 5 minutes of inactivity;
do not leave your laptop on and unattended;
do not leave smartphones unattended;
do not use faxes and/or telephones to transmit confidential and personal information if you are not absolutely certain of the identity of the person you are talking to or the recipient and if they are not authorized to receive it.
Personnel who have company equipment are responsible for activating all security measures necessary to ensure its protection.
The Company periodically conducts a census of the equipment used by Personnel for work activities.
The only devices authorized for access to Company systems (including, in particular, those serving the clients) are those resulting from the last census carried out by the Company for each individual employee.
Access to Company systems (including, in particular, those serving the clients) from equipment other than those registered, even on a one-off basis, may only take place in cases of particular necessity and urgency, or in the event of an explicit request by the Company. In such cases it is required to communicate the identification codes of the machine concerned to Internal Compliance.
The Company reserves the right to use anti-fraud computer tools, giving specific information.
Password management
Without prejudice to what is stated in additional policies, in order to manage passwords properly, Personnel must take care to:
change it at least every 90 days, or immediately in cases where it is compromised;
compose it using at least 8 characters or, if the electronic instrument does not allow it, with a number of characters equal to the maximum allowed;
use both letters and numbers and at least one uppercase character;
do not base your choice on easily deducible information such as your name, family members' names, dates of birth, fiscal code, etc;
keep it confidential and do not disclose it to third parties;
do not allow other users (e.g. colleagues) to operate with your user ID;
do not write it down on a piece of paper or a post-it note that is easily accessible to others, or leave it stored on your PC;
never communicate your user ID over the telephone unless you have a serious need to do so.
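The composition and rotation rules above can be enforced mechanically rather than left to each user's judgement. The following is an added example, not Agile's own tooling: the thresholds (8 characters, 90 days, letters plus digits plus one uppercase, no easily deducible personal information) come from the policy text, while the function names, the way a date of birth is expanded into the numeric forms people typically embed in passwords, and the sample employee data are assumptions made for illustration.

```python
"""Password policy checks implementing the rules listed in this section.

Added example; not part of the Company's own tooling. The thresholds are the
policy's; the helper names, the date-token expansion and the sample data are
assumptions for illustration.
"""
import re
from datetime import date, timedelta

MIN_LENGTH = 8       # "at least 8 characters"
MAX_AGE_DAYS = 90    # "change it at least every 90 days"


def date_tokens(iso_date):
    """Expand an ISO date (e.g. a date of birth) into forms commonly embedded in passwords."""
    d = date.fromisoformat(iso_date)
    return {d.strftime(f) for f in ("%Y", "%d%m%Y", "%d%m%y", "%Y%m%d", "%d%m")}


def personal_tokens(names=(), dates=(), fiscal_codes=()):
    """Build the set of "easily deducible" strings that must not appear in a password.

    Fragments shorter than four characters are dropped to avoid false positives.
    """
    tokens = {n.lower() for n in names} | {fc.lower() for fc in fiscal_codes}
    for iso in dates:
        tokens |= date_tokens(iso)
    return {t for t in tokens if len(t) >= 4}


def check_password(password, tokens=frozenset(), max_length=None):
    """Return the list of policy violations; an empty list means the password complies.

    max_length: the longest password the target system accepts, when it cannot take
    8 characters; the policy then requires the maximum that system allows.
    """
    required = MIN_LENGTH if max_length is None else min(MIN_LENGTH, max_length)
    problems = []
    if len(password) < required:
        problems.append("too short")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase")
    lowered = password.lower()
    for t in sorted(tokens):            # case-insensitive substring match
        if t in lowered:
            problems.append(f"contains personal information: {t}")
    return problems


def password_expired(last_changed, today=None, compromised=False):
    """True when the password must be changed: older than 90 days, or known compromised."""
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today) if today else date.today()
    return compromised or (now - changed) > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample employee data, not real personal data.
    toks = personal_tokens(names=["Mario", "Rossi"], dates=["1990-05-12"],
                           fiscal_codes=["RSSMRA90E12H501X"])
    for pw in ["Mario1990!", "w1nterXyz", "Tr4ffic-Lights"]:
        print(pw, "->", check_password(pw, toks) or "OK")
    print("expired:", password_expired("2024-01-01", today="2024-04-15"))
```

The check reports every violated rule rather than stopping at the first one, so a user (or an onboarding script) sees the whole list at once; the personal-information match is deliberately case-insensitive and substring-based, since "Mario1990!" satisfies the composition rules yet is exactly the kind of password the policy forbids.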
Device loss/theft/tampering
Subject to all of the provisions of the preceding paragraphs and to the provisions of the Data Breach Policy, it is recommended to:
always store the work tool in a secure location;
notify Internal Compliance immediately in the event of loss, theft or tampering with the equipment;
always operate in strict confidence when using the equipment in public.
Internet on Company equipment Wi-Fi / LAN networks
Communication tools must be used only and exclusively for work-related purposes. Behaviour that may cause damage to third parties is prohibited. In particular, internet browsing is only permitted on sites relevant to the performance of assigned duties.
Devices may be connected to the Company's Wi-Fi network while in the office.
Access to the networks is allowed only to employees, collaborators and advisors who have received the relevant access credentials.
it is forbidden to use electronic mail to communicate confidential information, files containing a large amount of Data or critical data, without ensuring appropriate protection; in such cases, the document and the data contained therein must be shared through the Company's system;
it is forbidden to access electronic mail from sources other than Company sources unless explicitly authorised;
it is forbidden to open e-mails and attached files of unknown origin or which present evidently anomalous aspects;
it is forbidden to answer or forward messages coming from an unknown sender or of doubtful content;
it is always necessary to ensure that the recipients of e-mail correspondence are authorised to receive the data you are about to send;
only the use of programs authorised by the IT Department is permitted;
it is forbidden to modify the characteristics set on the equipment, to install storage, communication or other devices, to connect any equipment to the Company network, or to make external connections of any kind using equipment that is simultaneously connected to the Company network (thus creating a link between the internal Company network and the external network).
Cloud Services
Corporate data is stored in cloud servers (Microsoft Azure, AWS). Access to the Drives is allowed only through authentication with corporate email. Access to individual folders in the corporate drive is governed by an access hierarchy. See Section B of this document for any additional information.
Physical security of work environments
Agile has adopted an almost paper-free approach to business documentation.
In any case, the cabinets and drawers in the offices where documents with confidential data are stored are locked; the keys are kept by Internal Compliance.
Access to the offices is possible after deactivating the alarm - by means of a special key - and opening the lock.
Roles and Responsibilities
Internal Compliance:
- Monitors all compliance activities, implementation of new standards and all relations with third parties and authorities.
Internal Technical Compliance:
- Manages the back-office activities related to GDPR compliance.
- Handles communications and inquiries.
GDPR & Cybersecurity Account:
- Assists the company in all compliance works.
- Supports Internal Compliance.
Each team leader of any Circle is automatically appointed as an internal responsible for the processing of Personal Data within his/her area of work.
Each person may receive special appointments by the Company (such as System Administrator, for example).