PRIVACY POLICY

Pursuant to articles 13 and 14 of Regulation (EU) 2016/679 - General Data Protection Regulation (“GDPR”),
we inform you that the personal data provided by the data subject (“you”), for yourself or for the
organisation to which you belong, to the company Cesena Fiera S.p.A. (“hereinafter referred to as “we”), on
the occasion of or in connection with trade fairs, exhibitions, events, conferences/congresses,
championships/competitions and/or workshops (the ““Events”) organised, hosted or attended by us, also in
collaboration with third-party partners, are processed in compliance with the principles of lawfulness,
fairness, transparency, proportionality, necessity, accuracy, completeness and security and with the other
regulatory obligations in force.

Categories of data subjects. Processing operations and collection procedures

The data processed concern customers (i.e. exhibitors, visitors, buyers, conference/congress participants,
speakers at Events, participants in championships/competitions and/or workshops, concessionaires of
exhibition and/or advertising spaces, third-party organisers and sponsors who have held their respective role
during the last 10 years) and prospects (individuals who have expressed an interest in Events, over the last 10
years – for example, also by providing their business card or requesting information or quotes –journalists),
understood as natural persons over 14 years of age acting on their own account and/or as internal contact
persons of legal persons, entities or other organisations. The individual categories of data collected are listed
in our collection forms, which supplement this privacy policy.

Data is processed electronically or on paper and in a manner that is compatible with the purposes specified
below.

We collect data i) through online forms or paper forms or via pre-registration or participation apps filled out
by you and/or acquired by third-party operators authorised by us or ii) via mobile devices such as tablets and
smartphones present at the venue of the Events or iii) through a business card provided by you.

The collected data will be recorded and retained on the servers managed by Cesena Fiera S.p.A. and on those
managed by Italian Exhibition Group S.p.A.

The data collected may be processed by authorised personnel for the activities for which they are responsible,
within the limits strictly necessary for the performance of the respective activities assigned to them (e.g. legal,
commercial, marketing, administrative, logistics, IT and management control departments, etc.).

Purposes of processing

Data processing has the following purposes:

1. Fulfilment of contractual and legal obligations arising out of or in connection with the participation –
already contractually agreed upon or potential – of the data subject in the Events.

2. Planning and organisational management of the Events, for example issuing and paying for tickets,
accreditation and entrance passes (including checking whether payment has been made successfully via third-
party services), management of personal identification tags (with passport photo) for security reasons,
planning and managing specific services requested by you (e.g. set-up services, hotel booking and hospitality
services, ticketing, translations, hostesses, catering, escorting), managing the contracts we enter into with
third-party suppliers of goods and/or services used by you during or on the occasion of the Events; publishing
your name and surname or business/company name, phone number, fax number, e-mail, website, in the
public online and printed catalogue of the Event in which you are participating; communication, at your
request, of pre-contractual information (e.g. programmes, proposals, etc.) related to the Events, drafting
invitation letters for consular visa applications.
3. Sending (via email, ordinary mail, SMS, MMS, push-up messages, instant messaging functions such as
whatsapp, telefax, telephone calls with operator, social networks and other automated tools) of commercial
messages, advertising and sale offers for products/services that are similar to those of your interest or relating
to trade fair/congress products/services, i.e. relating to the fresh fruit and vegetable supply chain, agricultural
sector and/or related to them (e.g. sector publishing, championships/competitions, etc.) - activities collectively
defined as “soft spam”.

4. Profiling. Profiling is only relevant for privacy purposes if it concerns natural persons, that is, sole
proprietorships or partnerships and their partners/directors, or internal contacts of corporations, institutions
or organisations.

Profiling uses some of the data you provide us with and, in some cases, combines it with company data from
public databases (e.g. Business Register, CCIAA - Chamber of Commerce, Industry, Agriculture and Crafts).
For example, we process the following data:

i) in the case of exhibitors: name and surname, business name of the organization to which they belong,
contact details, residence or location, country of origin, website, sector of activity, types of product or service
offered, annual promotional / advertising budget, type of distribution - store, department store, concept
store, markets of interest, brand;

ii) in the case of buyers/visitors: name and surname, business name of the organization to which they belong,
job attachment, level of professional responsability, contact details, residence or location, country of origin,
website, year of foundation of the company, turnover, employees number, sector of activity, percentage of
business connected to Italy and to the foreign, Italian and foreign regions of interest, main categories of
products or services of interest to the buyer and / or marketed by the same also as a percentage of sales by
geographical area, categories of customers of the company, purpose of the visit;

iii) in the case of journalists: name and surname, contact details, sector and newspaper to which they belong,
country of origin, language,

iv) in the case of speakers at the Events/congresses/conferences: name and surname, contact details,
sector, skills/topics covered.

In some cases, if you are a customer or prospect, we will associate the data provided by you with additional
personal data acquired while you are visiting our websites or when using the services provided by these sites
(e.g. cookies relating to the pages of our website that you have visited, the country you are browsing from)
or through other communication channels (e.g. social media) or through services for sending bulk commercial
e-mails (e.g. what messages you have received, which e-mails you have opened, what proposals you have
accepted by performing specific actions such as opening an attachment or following our request to click on a
link to landing pages or attachments to the e-mail message, etc.).

In particular, profiling allows us to minimise the number of promotional messages that are sent to you, which
are not relevant to your likely expectations and needs, or that are sent to you through unwanted channels.

The limited nature of profiling does not exclude you from specific advantages or from the possibility of freely
exercising your privacy rights, nor does it have any specific legal effects; in particular, it does not in any way
affect your ability to participate in the Events and/or to use our services (e.g. online pre-registration,
purchase of services).
5. Only with your separate consent: communication of data to our third-party partners (e.g., Italian Exhibition
Group S.p.A., Cesena Fiera S.p.A., exhibitors or other operators active in the Events), for independent direct
marketing activities relating to goods/services concerning such third-party partners.

Legal basis for processing. Compulsory or optional provision of data and consequences of failure to provide
data
Data processing for the purposes set out in sub 1 has its legal basis in our need to fulfil the obligations arising
from the contract stipulated or to be stipulated with you (and to carry out all the activities necessary to ensure
that the commitments undertaken therein are correctly and completely fulfilled) and/or the legal obligations
connected therewith. Therefore, such processing does not require your prior consent and you are also free
not to provide your data. However, in this case, we will not be able to conclude the requested contract and/or
regularly provide the service requested by you or by the organisation to which you belong (e.g. allowing you
to participate in the Event of interest and providing you with related services) and/or we will not be able to
fulfil our legal obligations arising from the contract.

The legal basis for processing for the purposes set out in sub 2 is our legitimate interest to organise the
Events, plan and manage all organisational activities that will allow you to participate efficiently and effectively
in the Events and to handle relationships with third-party suppliers of goods and services that are functional
and/or connected to the Events.

In particular, the request for personal data and documents, especially for foreign guests, will make it possible
to understand such data correctly and, above all, to verify that the company applying for a travel visa is
reliable.
Therefore, such processing does not require your prior consent.

You are not obliged to provide data, but in this case, you will not be able to participate in the Event.

During the Events, videos (including voice) are shot and/or photographs are taken by us and/or
photographers and/or videographers authorised by us. Such generic images concern trade fair Events that
can be considered public events and are therefore processed, without requiring your consent, so that we
can publish them on our websites/landing pages and social profiles (e.g. Twitter, Facebook, WhatsApp,
YouTube, Vimeo, etc.) as well as on brochures, catalogues, flyers and other printed material promoting the
Events.
If, however, the above-mentioned images portray you in a recognisable way, Cesena Fiera S.p.A. may
publish them for the same promotional purposes on our printed materials, as mentioned above, or
electronic/digital channels intended for the public (e.g. catalogues, brochures, flyers, websites/landing pages,
blogs, social networks), only after having received your specific consent (which is the legal basis for
processing), given on site to our official photographer and/or videographer.

In the latter case, you may withhold your consent and thus prevent us from processing your image; however,
by giving us your consent, you expressly waive any financial compensation for the use of your image. You may
subsequently request, at any time, that the face shown in the images published online be blacked out, without
prejudice to the lawfulness of the processing carried out up to the date on which the images were blacked
out. Cesena Fiera S.p.A. does not guarantee that images will be blacked out on the online channels of third-
party independent data controllers.

The legal basis for processing for the purposes set out in sub 3 (soft spam) is our legitimate interest to freely
contact our customers, as well as prospects, in order to be able to offer them – through
electronic/phone/paper channels – new opportunities relating to services or products similar to those
previously purchased/contracted (in the case of customers) or to those for which interest has been expressed
(in the case of prospects), or relating to trade fair/congress products/services and/or those related to them
(e.g. sector publishing, championships/competitions, etc.). Consequently, the so-called “soft spam” described
above may lawfully take place even without your prior consent, which is therefore not necessary.

The legal basis for processing for the purposes set out in sub 4 (profiling) is our legitimate interest in
maintaining and analysing a limited set of information about you so that we can contact you more effectively
if you are one of our customers or prospects. Given the limited scope of data used in profiling, it also takes
place without your prior consent, which is therefore not necessary.
Processing for the purposes set out in sub 5 (transfer of data to third parties) takes place only with your
explicit consent (thus constituting the legal basis for the lawfulness of processing).

You are free to refuse to give your consent, but this will not affect your right to participate in the Events
and/or to receive the services you requested from us.

Communication and disclosure of data

For the purposes set out in sub 1 and 2, we disclose such data to: service providers in charge of managing
and maintaining our computer systems, websites and databases, photographers and/or videographers who
produce video and audio material or related post-production, journalists and newspapers, companies
providing services necessary for the organisation and management of the Events (e.g. installation of fittings
and equipment, publishers of printed and online catalogues, logistics, security, private surveillance, first aid,
hostesses, etc.), diplomatic representatives, consultants, banks (for making or receiving payments related to
the Events), personnel authorised by Cesena Fiera S.p.A. to process such data (Communication, Travel, Sales,
Marketing departments, etc).

For purposes under 3 and 4, the data are communicated to: companies appointed to carry out marketing
analysis, advertising, communication and/or public relations agencies, digital and print publishing companies
that produce our advertising or promotional materials, companies producing websites or blogs, web
marketing companies, persons in charge of designing and/or maintaining promotional materials, companies
managing and maintaining the computer systems, websites and databases used to organise and manage the
Events, image agencies.

Such third parties will process the data as External Data Processors in accordance with our written guidelines
and under our supervision.

As for all the purposes mentioned above, we also communicate data to third-party business partners
(including, for example, Italian Exhibition Group S.p.A. and Cesena Fiera S.p.A.), which are involved in the
implementation and/or promotion of the Events, who will process the data as independent data controllers,
joint data controllers or data processors.
You may request that we provide you with a list of our joint data controllers, independent data controllers
and data processors (see the “rights of the data subject” section of this privacy policy).

Transferring data abroad

In case of communication of data to third party recipients based outside the EU, the data transfer will take
place against adequate guarantees, consisting of the prior stipulation by the third importer of a contractual
agreement with us through which he, for the processing of its competence, undertakes to comply with
privacy obligations substantially equivalent to those provided for by EU legislation at our charge (through the
use of standard contractual clauses - or "CCS" - compliant at least with the text adopted by the EU
Commission, except for any additions and / or changes more favorable to the interested party).

In some cases of data transfer to cloud suppliers based outside the EU, these suppliers are subject to the
regulatory powers of local public authorities and in some situations, based on foreign legislation, (in the USA:
the Federal Trade Commission, 'Article 702 of the FISA and the Executive Order EO 12333) the importer may
be obliged to communicate the personal data transferred, in response to requests received from public
authorities, to meet the national security requirements (e.g. anti-terrorism) or application of local law (with
consequent possible access to data, of which the importer, based on local legislation, may not have to give
notice to the exporter and the interested party, who will therefore not be able to exercise the relative rights
normally recognized by the GDPR).

Therefore, in the abstract, the risk cannot be excluded that in certain and exceptional situations linked to the
aforementioned specific requirements, the foreign public authority may process such data without applying
substantially equivalent safeguards to those provided for by the GDPR to the data subject. However, the risk
that the American public authority actually has an interest in applying local legislation to the data transferred
appears to be reasonably negligible on the basis of the following circumstances:

i) the performance of the exporter (Cesena Fiera Spa) in favor of the interested parties whose
data the importer processes and the consequent data processing, have a limited object (the
provision of exhibition services) and a limited purpose (the management of processes technical-
organizational functional to the aforementioned services and the fulfilment of legal obligations);
the performance does not involve the publication of personal opinions, comments or similar
information, nor the making available of services or products that can be used in activities against
national security;
ii) the types of personal data transferred are limited (eg personal, contact, contractual,
administrative data); no particular categories of data are transferred (e.g. on political and
religious opinions, biometrics); the categories of interested parties to which the data refer are
limited (exhibitors, visitors, participants in Events, buyers, journalists, speakers) and they
concern operators belonging to product or economic categories that are not reasonably relevant
with regard to national security purposes ( eg tourism, wellness, machine handling, sporting
activities, and so on).

Therefore, Cesena Fiera Spa believes that the CCS applied in the relationship with importers (in particular the
USA) effectively guarantee a protection of the rights of the interested parties substantially similar to that
provided for by the GDPR, regardless of the application of any additional measures to the treatment in
question.

The adoption of additional contractual measures by Cesena Fiera Spa towards importers (e.g. obligations to
communicate public access, the right to suspend or cease the transfer and to terminate the contract with the
importer, and the like), may be introduced at any time by the exporter upon the outcome of any information
provided to operators by the EDPB - European Data Protection Board following the judgment of the Court of
Justice of the European Communities (ECJ of 17 July 2020 which declared invalid in EU relations the bilateral
agreement called "Privacy Shield") .

The transfer of data to the non-EU country takes place in any case also because it is necessary for the
execution of i) a contract concluded between the interested party and Cesena Fiera Spa and / or pre-
contractual measures adopted at the request of the interested party, or ii) a contract stipulated between
Cesena Fiera Spa and another natural or legal person (e.g. our subsidiary, supplier, based outside the EU,
etc.) in favor of the interested party.

Duration of processing

In the case of purposes sub 1 and/or 2, we process the data for 10 years from the date on which the contract
is concluded (in the case of customers) or from the date on which the data subject’s data is collected (in the
case of prospects).

In the case of purposes sub 3 and 4, we process the data for 10 years from the collection of the data subject’s
data (in the case of customers and prospects).
We process the data for a period of 60 days, after each Event has ended, in the case of data made available
at collection points for requests of assistance that visitors and exhibitors have made to us (including any
insurance desk, Info points and First Aid).

We process the data contained in the promotional catalogue (printed and/or digital) of the individual Events
for a maximum of 2 editions of the catalogue.

We process certification data concerning the Exhibitions/Events until the end of the certification process,
and then until certification is complete.
We treat the data necessary for the purposes of computer security (eg log-in registrations, failed logs and
log-outs, when accessing restricted areas on the Cesena Fiera Spa websites related to the Events) for 1 year
from collection. The recordings of the logs related to the reading of Cesena Fiera Spa online privacy
information and the on-line actions (eg clicks, flags and the like) through which Cesena Fiera Spa is informed
of the data subject's consent are kept for 10 years from collection.

Should a dispute arise between you and us, or between you and our third-party suppliers, we will only
process the data for as long as it is necessary to safeguard our rights or those of the third-party suppliers,
that is, until a final judgement has been issued and fully executed or an agreement has been made between
the parties.

Data related to the drafting of invitation letters for consular visa applications (e.g. copy of passport, etc.) are
processed for 3 months from the end of the individual Event to which they relate.

At the end of this maximum period, the personal data will either be destroyed or rendered completely
anonymous.

Rights of the data subject

You have the right to:

- ask us to confirm whether or not personal data concerning the data subject is being processed and, in this
case, to obtain access to such personal data and the following information: a) the purposes of processing; b)
the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal
data have been or will be communicated, especially if they are recipients based in non-EU countries or
international organisations; d) where possible, the retention period of the personal data or, if that is not
possible, the criteria used to determine that period; e) the existence of the right of the data subject to request
that the data controller rectify or erase the personal data concerning the data subject or restrict their
processing, or to object to their processing; f) the right to lodge a complaint with a supervisory authority; g) if
the data are not collected from the data subject, all available information as to their source; h) whether any
automated decision-making, including profiling, takes place and, at least in such cases, meaningful information
about the logic used as well as on the importance and expected consequences of such processing for the data
subject.

- if personal data are transferred to a non-EU country or to an international organisation, the data subject has
the right to be informed as to whether adequate safeguards are in place for the transfer of such data;

- request, and obtain without undue delay, to rectify inaccurate data; taking into account the purposes of
processing, the integration of incomplete personal data, also by providing a supplementary statement;

- request the erasure of data if a) the personal data are no longer necessary with regard to the purposes for
which they were collected or otherwise processed; b) the data subject withdraws the consent on which the
processing is based and there is no other legal basis for processing the data; c) the data subject objects to the
processing, and there is no overriding legitimate ground to proceed with the processing, or objects to
processing carried out for direct marketing purposes (including profiling for the purpose of such direct
marketing); d) the personal data have been unlawfully processed; e) the personal data must be erased in order
to comply with a legal obligation under EU or Member State law to which the data controller is subject; f) the
personal data have been collected in connection with the offer of the IT company to provide services.

- request that limitation of processing concerning you be applied in any of the following cases: a) the data
subject questions the accuracy of the personal data, for the period necessary for the data controller to check
whether the personal data are accurate; b) the processing is unlawful and the data subject objects to the
erasure of such personal data and, instead, requests that their use be restricted; c) although the data
controller no longer needs the personal data for processing purposes, they are necessary for the data subject
to verify, exercise or defend a right in court; d) the data subject has objected to data processing carried out
for direct marketing purposes, while awaiting verification as to whether the legitimate reasons of the data
controller prevail over those of the data subject:

- obtain from the data controller, upon request, information on third-party recipients to whom the personal
data have been transmitted;

- at any time, withdraw consent to the processing of personal data, if previously given for one or more
specific purposes; it is also understood that this will not affect the lawfulness of the processing based on the
consent given before it was withdrawn.

- receive the personal data concerning you, which you have provided to us, in a structured, commonly used
and machine-readable format and, if technically feasible, to have such data transmitted directly to another
data controller without hindrance on our part, if the following (cumulative) conditions are met: a) data
processing is based on the consent of the data subject for one or more specific purposes, or on a contract to
which the data subject is a party and for the performance of which processing is necessary; and b) data is
processed automatically (through software) – the overall right to so-called “portability”. The exercise of the
so-called right to data portability will not affect the above-mentioned right to erasure;

- not be subject to a decision that is based solely on automated processing, including profiling, which
produces legal effects that concern the data subject or significantly affect the latter in a similar way.

- lodge a complaint with the competent supervisory authority under the GDPR (that of its place of residence
or domicile); in Italy, it is the Garante della protezione dei dati personali (Italian Personal Data Protection
Authority).

You can exercise your rights by writing to the Data Controller, which is Cesena Fiera S.p.A., with registered
office in Via Dismano, 3845 — 47522 Pievesestina di Cesena (Italy), e-mail address: [email protected].

The company’s Legal Representative or the organisation’s Representative undertakes to make this Privacy
Policy available also to other data subjects belonging to the company or the organisation itself and whose
data he/she declares to provide legitimately. Likewise, the consent given for the purposes set out in point 5
by the company’s Legal Representative or by the organisation’s Representative, is understood to be extended
also to other data subjects belonging to the company or the organisation itself for whom the Representative
declares to legitimately provide the relevant data.

Macfrut Customer-Prospect privacy policy - Rev.2 – 23.08.22