Surveillance Information for Retail Locations in accordance with EU Regulation No. 679/2016 (GDPR)

In accordance with Article 13 of EU Regulation No. 2016/679, DB S.r.l., with its registered office at Corso della Repubblica, No. 19, Forlì – 47121 (FC), email: info@dorelan.it; PEC: dorelancertificata@pec.it, as the Data Controller, informs you that for the purposes of crime prevention and investigation, the protection and safety of employees and third parties, the protection of the company's assets, and for organizational and production needs of B&T S.P.A., closed-circuit surveillance equipment has been installed in some areas of the corporate headquarters and related areas. This equipment is specifically marked with appropriate signage placed before the surveillance range, as indicated by the Provision on Video Surveillance of the Data Protection Authority dated April 8, 2010, and in compliance with Article 4, paragraph 1, of Law No. 300/1970.

The legal basis for this processing is the pursuit of the Data Controller's legitimate interest in ensuring the security of the corporate headquarters, as specified above. Providing data is not mandatory, as it is possible to avoid entering the cameras' field of view by previously observing the informative signs; however, in this case, access to the Company and its premises may be denied.

For the stated purposes, the Data Controller may process, through automatic detection, images (common personal data) of individuals who access or pass through the premises and areas covered by the surveillance. The camera's field of view is fixed, and the cameras are positioned so as not to capture areas exclusively reserved for workers and to always respect the dignity of individuals (there are no devices capturing bathrooms, lockers, recreational areas). For the exact camera locations, we invite you to contact the Data Controller at the contact information provided below.

The installed system is based on digital technologies that allow data extraction via PC and transmission via the network, without comparing or linking the captured images to elements that would make it possible to identify the individuals.

The video images collected, as personal data under current legislation, are stored on electronic, magnetic, or computer media for a period of time consistent with the principles of the purpose and necessity of processing, up to 48 hours after detection. However, in accordance with the provisions of the Data Protection Authority, the retention period is extended: (i) in special circumstances, such as holidays or company closures on weekends, up to 72 hours after detection; and (ii) in the case of a specific request from the police or the judicial authority for investigative purposes. After the indicated period, the images will be deleted by overwriting and will no longer be recoverable.

The data will be processed by personnel specifically authorized and adequately trained by the Data Controller, within the scope of what is necessary to pursue the aforementioned purposes, always within the limits of their respective competencies and for the proper performance of their assigned tasks. The data may be communicated to parties expressly authorized by law, such as the judicial and public security authorities, supervisory and control authorities, and may be processed on behalf of the Data Controller by specifically designated entities as data processors pursuant to Article 28 of the GDPR for the execution of specific activities, including, in particular, the company responsible for the maintenance of the video surveillance system. As per the authorization received, access will be tracked and recorded to verify the treatments performed and detect any violations.

As data subjects, individuals who are recorded, and therefore identified or identifiable, may request access to the data held by the Data Controller at any time, as well as their rectification and deletion, data portability in a format readable with common applications, provided that these rights do not conflict with contractual or legal obligations regarding the retention of the data, which the Data Controller is obliged to observe. Data subjects also have the right to lodge a complaint with the supervisory authority (Data Protection Authority) in case of unlawful processing or delay or obstruction by the Data Controller in the exercise of data subject rights, and to address the judicial authority to protect their rights.

We remind you that at any time, you can request further information regarding the data processed, the exercise of rights, as well as request the updated list of subjects who have access to the data as part of this processing by contacting the Data Controller at the following contact details:

By mail: DB S.r.l. - Corso della Repubblica, No. 19, Forlì – 47121 (FC)

By email: privacy@dorelan.it

The Data Controller has appointed a Data Protection Officer (DPO) to whom data subjects can address for matters related to the exercise of their rights and to request information about personal data concerning them processed by the Data Controller. The DPO can be contacted at the registered office of B&T S.p.A., Via Due Ponti, No. 9, 47122, Forlì (FC), and at the following email address: dpo@dorelan.it.

Updated as of June 15, 2023.