PRIVACY POLICY - INFORMATION FOR CUSTOMERS, SUPPLIERS, PARTNERS AND OTHER SUBJECTS REFERRED TO IN ART. 13 OF THE REGULATION

EUROPEAN N. 679/2016

The General Management, as Data Controller of personal data, of Caspian Strategies & IT Management (VAT number: 11275050968) based in Via Bagutta 13, Milan, 20121 (MI), hereby wishes to provide adequate information to individuals who operate in the name and on behalf of suppliers, of the client company, involved in contractual or pre-contractual activities of the company Caspian Strategies & IT Management VAT number 11275050968 pursuant to art. 13 GDPR 679/16 - "European regulation on the protection of personal data".

1. Data subject to processing

The personal data processed are personal and contact data provided or received by the interested party on the occasion of:

- visits or phone calls or emails;

- direct contacts obtained following participation in events, etc .;

- requests for commercial information, proposition of offers also in the tender procedure;

- requests through our website or through the website of suppliers, customers, partners, other subjects;

- transmissions and transactions subsequent to the order for the supply of the service or good (supplied / purchased);

2. Purpose of the treatment

The personal data of individuals who operate in the name and on behalf of the supplier / client company, and other subjects are processed for:

- forward communications with different means of communication (telephone, mobile phone, sms, email, fax, paper mail, etc.);

- formulate requests or process requests received;

- exchange information aimed at the execution of the contractual relationship, including pre and post contractual activities, including assistance;

- execution of obligations provided for by laws, regulations or community legislation, as well as to comply with provisions issued by public authorities entitled to do so or by supervisory and control bodies to which the company is subject (think for example of investigations of a tax law, etc.).

The interested party may refuse to provide the Data Controller with personal data. However, the provision of personal data is necessary for a correct and e ffi cient management of the contractual relationship with the supplier, client company, and other subjects involved in the activities of the Data Controller. Therefore, any refusal to provide the data may compromise in whole or in part the contractual relationship itself or the pre and post contractual activities.

3. Legal basis

The processing is necessary for the execution of a contract of which each subject is a party or for the execution of pre-contractual or post-contractual measures adopted at the request of the supplier / client company, or of the company pursuant to art. 6.1, lett. b) of the GDPR)., or for the fulfillment of a legal obligation pursuant to art. 6.1, lett. c) of the GDPR).

4. Processing methods

The data of the interested parties will be processed in compliance with the principles of lawfulness, correctness and transparency, using manual or automated tools also by inserting them into databases, lists and lists suitable for storing, managing and transmitting data, in the ways and within the limits necessary for pursuit of the aforementioned purposes. The company has established adequate security measures in order to protect the data of individuals who work in the name and on behalf of suppliers and client companies. The data will be processed exclusively by persons authorized to process in relation to the purpose of the processing. The company does not carry out automated decision-making processes for the purposes indicated.

5. Recipients of the data

The personal data processed by the Data Controller will not be usable, that is, it will not be disclosed to indeterminate subjects, in any possible form, including that of making them available or simple consultation. Instead, they may be communicated to the Owner's workers and to some external subjects who collaborate with them, always in compliance with the purposes indicated. In particular, these are employees / collaborators who, on the basis of the roles and work duties performed, have been entitled to process personal data, trained to do so within the limits of their competences and in accordance with the instructions given to them by the Data Controller. They may also be communicated, within the strictly necessary limits, to subjects who, for the purpose of issuing our orders or requests for information and quotes or formulations of o ff erts, our services, must supply / deliver goods and / or perform / receive on our / your performance or services assignment. The data could be accessed (for assistance purposes on SW applications, on the computer network and for connectivity) our appointed technicians or external consultants or agents of companies that provide these services and appointed as data processors. Finally, they may be communicated to the subjects entitled to access them by virtue of the provisions of the law, regulations, community regulations.

6. Data transfer

The Data Controller does not transfer personal data to third countries or to international organizations. Although at the moment all the subjects who process the data on behalf of the Company as external data processors are established within the European Union, in the future it may be necessary to provide such data also to subjects who may be established outside the European Union. , in countries that do not guarantee personal data an adequate level of protection pursuant to the European Data Protection Regulation 679/2016. The company will eventually transfer the data outside the European Union only after adopting the precautions established by the European Regulation and after having obtained the necessary guarantees from the indicated subjects and with the consent of the interested parties.

7. Data retention

The Data Controller retains and processes personal data for the time necessary to fulfill the purposes indicated and in any case for a period not exceeding 15 years, unless otherwise required by law or the need to exercise rights, even in court by of society. When it is no longer necessary to keep personal data, they will be deleted or destroyed

8. Rights of the interested party

Pursuant to articles 15 to 21 of the Regulations, you may exercise the following rights:

- the right of access, i.e. the possibility of obtaining confirmation as to whether or not a processing is in progress and to acquire information regarding: purpose of it, categories of personal data in question, recipients of the data in particular if third countries, the period storage where possible and the methods of their treatment,

- the right to rectification and integration of data,

the right to their cancellation, whenever the data is not necessary with respect to the purposes or if it decides to revoke the consent or opposes the processing or even if the data were processed unlawfully;

- the right to limit the processing in the event that you contest the accuracy of the personal data for the period necessary to carry out the related checks, or the processing is unlawful, or if the data controller no longer needs your data, you requires conservation for judicial purposes;

- the right to data portability to another owner, if the processing takes place by automated means or is based on consent;

- the right to object to the processing.

The same, where exercisable by you, can be asserted by writing to a.vismara@caspian-strategies.com specifying the subject of the request, the right that the interested party intends to exercise and attaching a photocopy of an identity document certifying the legitimacy of the request.

9. Proposition of a complaint

The interested party has the right to lodge a complaint with the supervisory authority of the State of residence.

10. Data Controller

The data controller of Caspian Strategies & IT Management (VAT number 11275050968) with registered office in Via Bagutta 13, Milan, 20121 (MI) who may

contact for any issue concerning personal data at the above address or at the following email address commerciale@caspian-strategies.com

You are therefore invited to give ample dissemination and knowledge of this information to all subjects (employees, collaborators, subcontractors and how many others) whose names and / or personal data, for various reasons, will be provided to the writer as part of the regular execution existing contractual or pre-contractual relationships with Caspian Strategies & IT Management.

Place and date Milan

Signature of the data controller: Caspian Strategies & IT Management

ATTACHMENT 15E INFORMATION NOTICE TO CUSTOMERS, SUPPLIERS, PARTNERS AND OTHER DATA SUBJECTS, PURSUANT TO ART. 13 OF EU REGULATION NO. 679/2016

In his position as Data Controller, the management, from Caspian Strategies & IT Management (P.IVA 11275050968), a company located at Via Bagutta 13, Milano, 20121 (MI) would hereby like to provide the following information to all individuals operating on behalf of suppliers and customer companies, involved in contract and pre-contract activities with the company Caspian Strategies & IT Management tax ID code no. VSMLRT65S11A940N, pursuant to Art. 13 of GDPR no. 679/16 - the European "General Data Protection Regulation".

1. Processed Data

The personal data being processed refer to personal or contact details provided or received by the Data Subject in the following occurrences:

- visits, telephone calls or e-mails;

- direct contacts through attendance in events etc .;

- business inquiries and proposals, quotations and tender bids;

- queries submitted via our Website or our suppliers ', customers', partners 'and other Data Subjects' Websites;

- communications and transactions following a purchase order for the supply of goods or services (whether supplied or procured).

2. Purposes of Data Processing

The personal data of any individuals operating on behalf of suppliers or customer companies as well as other Data Subjects are processed for the following purposes:

- forwarding communication via various media (landline, mobile, text, e-mail, fax, regular mail etc.);

- placing inquiries or responding to inquiries being received;

- exchanging information aiming at contract performance, including pre- and post-contract activities as well as support services;

- ful fi lment of legal and regulatory obligations and compliance with EC standards, or abiding by orders issued by duly authorized public authorities or supervisory and governance bodies that the Company is subject to (such as tax assessments and the like).

Data Subjects may refuse to submit their personal data to the Data Controller. However, providing personal data is required for the proper and e ff ective management of contracts with suppliers, customer companies as well as other Data Subjects involved in the Data Controller's business activities. Therefore, failure to provide personal data may fully or partly prevent the proper performance of contracts or pre- and post-contract activities.

3. Legal Grounds for Data Processing

The personal data submitted to the Company shall be processed in the performance of the pre- and post-contract activities arising from the execution of the existing contracts and agreed upon with suppliers and customer companies, or requested by the company pursuant to Art. 6.1, para. b) of GDPR, or the ful fi lment of legal obligations pursuant to Art. 6.1, para. c) of GDPR.

4. Data Processing Method

The personal data submitted by Data Subjects shall be processed fully abiding by lawfulness, fairness and transparency principles, by means of manual or automated systems, including recording said data in suitable databases, lists and fi les with a view to data retention, management and transfer, with the methods and restrictions required to achieve the aforesaid purposes. The Company has the proper data security measures in place to protect the personal data of any individuals operating on behalf of suppliers and customer companies. Data shall exclusively be processed by authorized personnel with a view to the purposes of data processing. The Company does not perform automated decision-making processes for said purposes.

5. Data Recipients

The personal data processed by the Data Controller shall not be transferred or disclosed to undetermined individuals in any form whatsoever, including their availability or simple reference. However, said data can be communicated to the Data Controller's personnel as well as their contractors, still in full compliance with the stated purposes.

Namely, data can be processed by those employees / contractors whose positions and tasks involve their being authorized to process personal data, trained to do so within the scope of their capacity and in compliance with the instructions provided by the Data Controller. Furthermore, as strictly required, said data may be communicated to any individuals or entities that must supply / deliver goods and or perform / be provided services upon our / your request, for purposes connected to order issuing or business inquiries and quotations or proposals as well as our services. For purposes connected to IT network, SW application and connection support services, said data might be accessed by our duly authorized engineers or consultants or operators from companies provided the aforesaid services and appointed as Data Processors. Finally, said data may be

communicated to any individuals or entities whose access is authorized by virtue of law provision, regulations or EC standards.

6. Data Transfer

The Data Controller does not transfer any personal data to foreign countries or international organizations. Even though all entities processing data on behalf of the Company as third-party Data Processors are located within the European Union, in the future said data may be required to be transferred to extra-European entities located in countries where ad adequate personal data protection level is not guaranteed to comply with the European Data Protection Regulation 679/2016. If necessary, the company will only transfer data to extra-European countries after adopting all the applicable measures required by the European Regulation and obtaining the required guarantees by data processors as well as the consent of Data Subjects.

7. Data Retention

Personal data shall be processed and retained by the Data Controller for as long as required for the aforesaid purposes, and in any case no longer than 15 years, unless otherwise required for the Company to abide by legal obligations or exercise its rights, including in legal proceedings.

Personal data shall be destroyed or deleted when their retention is no longer required.

8. Rights of the Data Subject

In your position as data subject, you can exercise the following rights, as provided for by Articles 15 through 21 of the GDPR:

- right to access, that is, to obtain con fi rmation as to whether or not personal data concerning you exist and are processed, and be provided information as to processing purposes, personal data categories being involved, Data Recipients, especially if located in foreign countries, data retention period, where possible, and data processing method;

- right to amendment or integration of the data;

- right to data erasure, should data processing not be required for the relevant purposes or if the Data Subjects should decide to withdraw their consent or oppose data processing, or should data be processed unlawfully;

- right to request the restriction of data processing in the event that the correctness of personal data is challenged, for as long as required to perform the relevant assessment or if said data are processed unlawfully, or if you request the retention of your personal data for judicial purposes though the Data Controller no longer needs them;

- right to request Data portability to another Controller, should data processing be performed by automated means or is based on the Data Subject's consent;

- right to oppose data processing.

Where applicable, you can exercise the aforesaid rights by writing to a.vismara@caspian-strategies.com, specifying the reason for your request, the right that the Data Subject intends to exercise and attaching a copy of your proof of ID to prove the lawfulness of your request.

9. Right to Claim

Data Subjects have the right to put forward a complaint to the Data Protection Authority in their country of residence.

10. Data Controller The Data Controller shall be Caspian Strategies & IT Management (P.IVA 11275050968), a company located at Via Bagutta 13, Milano, 20121 (MI), that you may contact for any queries on your personal data processing, to be sent to the aforesaid address or the following e-mail address: commerciale@caspian-strategies.com As a consequence, would you please disseminate and communicate this information notice to any and all individuals (whether employees, contractors, sub-suppliers and the like) whose names and / or personal data are submitted to our Company for various reasons, within the scope of the proper performance of contract or pre-contract activities with

Caspian Strategies & IT Management

Place and Date Milan

Signature of Data Controller Caspian Strategies & IT Management