PRIVACY NOTICE FOR THE PROCESSING OF PERSONAL DATA OF TRAINING COURSE PARTICIPANTS
ARTICLES 13 AND 14 OF REGULATION (EU) 2016/679 (“GDPR”)

Metal Work S.p.A., with registered office at Via Segni 5/7/9, Concesio (BS), ZIP Code 25062, VAT No. 03472820178, Tel. +39 030 218711, e-mail: metalwork@metalwork.it, certified e-mail (PEC): metalworkspa-bs@legalmail.it (hereinafter the “Data Controller” or the “Controller”), processes personal data in compliance with Regulation (EU) 2016/679 (“GDPR”).

Data Protection Officer (DPO)
For any request relating to the processing of personal data or to exercise the rights provided for by the GDPR, you may contact the Data Protection Officer (DPO) at:

• E-mail: info@ambroservizi.it
• Certified e-mail (PEC): ambrostudioservizi@pec.it

Categories of Personal Data Processed
Within the scope of the organisation and management of training courses, the Controller may collect and process the following categories of personal data.

Common Personal Data

• identification data (first name and surname);
• personal details (place and date of birth, residence or domicile);
• contact details (e-mail address, telephone number, certified e-mail/PEC);
• data relating to the company, organisation or professional firm to which the participant belongs.

Photographs and Audio/Video Recordings
During training activities, photographs, video footage and/or audio recordings may be taken by the Controller or by specifically authorised persons.

Such content may be used:

• for organisational and documentation purposes related to the training course;
• for the Controller’s institutional and promotional communication activities, including publication on websites, social media channels, newsletters and promotional or informational material;
• for the promotion of future training initiatives and events.

Where required under applicable law, the legal basis for such processing is the data subject’s consent.
The data subject may at any time object to the use of their image or withdraw any consent previously given by contacting the Controller using the contact details provided in this notice.
Images and recordings will be processed in accordance with the principles of lawfulness, fairness, transparency and data minimisation set out in Regulation (EU) 2016/679 (GDPR).

Methods of Processing
Personal data will be processed both electronically and in paper format through suitable tools designed to ensure the security and confidentiality of the data, in compliance with the GDPR.
Processing may also be carried out through automated tools intended to store, manage or transmit the data.
Personal data will be stored in paper, IT and telematic archives located in countries where the GDPR applies (EU Member States).

Purposes of Processing
Personal data are processed for the following purposes:

1. to allow the data subject to participate in training courses;
2. to manage any disputes or litigation, whether judicial or extrajudicial;
3. to respond to requests for the exercise of privacy rights pursuant to Article 12 GDPR.

Legal Basis for Processing
The legal basis for the processing is:

• for purposes under points 1 and 2: the legitimate interest of the Controller;
• for the purpose under point 3: compliance with legal obligations relating to data protection pursuant to Article 12 GDPR.

Data Retention Period
The personal data provided will be retained until participants request cancellation of their registration.
In the event of withdrawal of consent, the data may still be retained for administrative purposes for a period not exceeding six months, without prejudice to any specific legal obligations requiring longer retention periods.

Provision of Data
The provision of personal data is mandatory in order to participate in the training courses. Failure to provide such data will make participation impossible.

Data Transfers
Personal data will not be transferred outside the European Union.

Recipients of Personal Data
Personal data may be communicated to:

• employees and collaborators of the Controller authorised to process personal data and adequately instructed;
• system administrators;
• third-party companies or other entities carrying out outsourced activities on behalf of the Controller, appointed as data processors where required;
• public security authorities upon request and judicial authorities where necessary.

The list of external data processors and authorised persons is available at the Controller’s registered office.
Personal data will not be disclosed.

Rights of Data Subjects
Participants may exercise the rights provided for under Articles 15–22 GDPR, including the right:

• o obtain confirmation as to whether or not personal data concerning them are being processed;
• to obtain information regarding the origin of the personal data, the purposes and methods of processing, the logic applied in the event of processing carried out with electronic tools, the identification details of the Controller and processors, and the subjects or categories of subjects to whom the personal data may be communicated;
• to obtain the updating, rectification or integration of personal data;
• to obtain the erasure, anonymisation or restriction of processing of personal data processed in violation of the law, including data whose retention is unnecessary for the purposes for which they were collected or subsequently processed;
• to object, in whole or in part, on legitimate grounds, to the processing of personal data concerning them.

Where applicable, participants also have the right to data portability, to withdraw consent at any time and, without prejudice to any other administrative or judicial remedy, to lodge a complaint with the competent supervisory authority, namely the Italian Data Protection Authority (“Garante per la protezione dei dati personali”), according to the procedures available on the Authority’s website: www.garanteprivacy.it.

How to Exercise Rights
If participants wish to receive further information regarding the processing of their personal data or exercise their rights, they may contact the Controller by e-mail, certified e-mail (PEC) or registered mail with return receipt.
Before providing any information or modifying any personal data, the Controller may need to verify the identity of the requester and ask certain questions.
Requests will be handled as quickly as possible depending on their nature and, in any case, within 30 days, extendable by an additional 60 days in particularly complex cases.