PRIVACY NOTICE pursuant to Article 13 of the General Data Protection

Regulation EU no. 2016/679

A.Who are we and why are we giving you this document?

The Mondadori Group, corporate group consisting of the parent company Arnoldo Mondadori Editore S.p.A. and its subsidiaries, pursuant to article 2359 of the Civil Code (hereinafter “Mondadori Group”), has considered for many years the protection of its customers and users’ personal data of utmost importance, by ensuring that such personal data are processed, whether automatically or manually, in full compliance with the rights and safeguards provided by the General Data Protection Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “Regulation”) and any other laws and regulations concerning the protection of personal data.

For the purposes of this Notice “personal data” is defined in Article 4 (1) of the Regulation as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (hereinafter “Personal Data”).

The Regulation requires that before carrying out a “processing” of Personal Data - meaning, as defined in Article 4 (2) of the Regulation, “any operation or set of operations performed on personal data or sets of personal data whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (hereinafter the “Processing”) – the person to whom those Personal Data belong must be informed on the purposes for which those data are requested and how they are going to be used.

The purpose of this Notice is accordingly to provide you, straightforwardly and intuitively, with all the information you may need before providing your Personal Data so that you can understand and be informed on how your Personal Data will be processed as well as request and obtain clarifications and/or rectifications at any time.

This Notice (hereinafter the “Notice”) has accordingly been drawn up on the basis of the Principle of Transparency and all the requirements set forth by Article 13 of the Regulation; it is arranged into different sections (“Sections” or individually “Section”) each of which deals with one specific topic, in order to make it simple, intuitive and easy to understand.

B.Who will process your Personal Data?

The company which will be processing your Personal Data for the purposes provided by Section E of this Notice (and which will accordingly be the Data Controller as defined in Article 4(7) of the Regulation, “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and the means of the processing of personal data”) is:

Mondadori Media S.p.A. with registered office at Via Gian Battista Vico 42, 20123 – Milan, administrative and operative office at Via Mondadori 1, 20054 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code no. and VAT no. 08009080964

C.Whom can you contact?

To facilitate dealings between the Data Controller and the data subjects, individually defined in Article 4 (1) of the Regulation as “ the identified or identifiable natural person” to whom the Personal Data refer (hereinafter the “Data Subject”), the Regulation requires, in some specific cases, the designation of a person responsible for control and support; one of that person’s tasks is to act as the point of contact for the Data Subject.

The Mondadori Group has instituted the position of Data Protection Officer (the “DPO”) in accordance with Article 37 of the Regulation.

The DPO’s duties, under Article 39 of the Regulation, include the following:

As provided for in Article 38 of the Regulation, you may contact the DPO if you have any questions about the processing of your Personal Data and/or want to exercise your rights as described in Section H of this Notice. You can do this by e-mailing or by writing to the Data Protection Officer of the Mondadori Group at the address of Arnoldo Mondadori Editore S.p.A., 1 via Mondadori, 20054 Segrate (MI), Italy.

You can find all the information about how your Personal Data are processed, together with the contact details made available to all Data Subjects by the Mondadori Group, in the “Privacy” section of the Websites at any time.

D.For which purpose will be processed your Personal Data?

The Data Controller needs to process your Personal Data in order to allow you to register to one or more of its websites, ask information by using the contact form and/or subscribe to the newsletter service. The websites for which the Data Controller will collect your Personal Data are listed in the Mondadori Media S.p.A. section of the Mondadori Group Privacy Policy at the following link (hereinafter “Websites”). The Personal Data will be processed by the Data Controller for the following purposes: to allow you to register to the Websites, join in the events organized by the Data Controller, receive newsletters and use the services provided by each of Websites to which you are registered. Such Processing will be legally based on the contractual relationship between you and Data Controller further to your acceptance of Websites General Terms and Conditions.

Moreover, the Data Controller may process your Personal Data to comply with legal obligations and respond to requests from the competent authorities. In such cases, the Processing will be legally performed on the basis of the compliance with legal obligations to which the Data Controller is subject.

The Data Controller may also disclose o otherwise process your Personal Data in the context of transactions, contract assignments, transfers of business, transfers of business units and/or restructuring to carry out such transactions and comply with the contractual obligations arising therefrom. In such cases, the Processing will be legally performed on the basis of the legitimate interest of the Data Controller to carry out such transactions.

Furthermore, the Data Controller may process your Personal Data to establish, exercise or defend legal claims. Such Processing will be legally performed on the basis of the legitimate interest of the Data Controller to protect its rights.

The provision of the Personal Data marked with * is necessary to carry out the Processing for the purposes above. In case of failure to provide such Personal Data, the Data Controller will not be able to process your Personal Data and, as a consequence, to allow you to register to the Websites and use any other services provided by the Websites which require the provision of your Personal Data. The Personal Data that will be collected for the purposes above include but are not limited to: first name, last name, home address, date and place of birth, e-mail address and telephone numbers.

Where you decide to access to the Websites by using a social login (e.g. Facebook, Google, Twitter profile), where allowed, the collection ofyour Personal Data will be done by the provider of the relevant social network that you use to access to our Websites.

You can read this Privacy Notice in the Privacy Section of every Websites.

E. To whom may your Personal Data be disclosed?

Your Personal Data may be disclosed to specific persons regarded as “Recipients” of such Personal Data; Article 4 (9) of the Regulation defines a “recipient” as “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

In order to correctly carry out all the Processing activities for the purposes mentioned in this Notice, your Personal Data may be processed by the following Recipients:

F. For how long will your Personal Data be processed?

One of the principles that applies to the Processing of your Personal Data is the storage limitation. Such principle is provided for by Article 5 (1)(e) of the Regulation, which reads “personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.” In the light of this principle, your Personal Data will be processed by the Data Controller for no longer than is needed for the purposes set out in Section E of this Notice. Specifically, your Personal Data will be stored for the shortest time necessary, as indicated in Recital 39 of the Regulation; that is, up to ten years after the termination of the contractual relationship between you and the Data Controller, without prejudice to a further period of time that may be required or allowed in accordance with statutory or regulatory provisions, as provided for in Recital 65 of the Regulation.

G.Which are your rights?

In accordance with the Regulation, you can exercise at any time towards the Data Controller the following rights:

To exercise any of the above rights you may contact the Data Controller using the channels provided in Section D of this Notice.

You are reminded that you can also contact the Mondadori Group’s DPO at any time, as explained in Section D of this Notice.

You also have the right to lodge a complaint with a supervisory authority: without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the Garante per la Protezione dei Dati Personali or other competent supervisory authority if you believe that the Processing of your personal data by the Data Controller is in violation of the Regulation and/or other applicable laws.

To make it easier for you to unsubscribe from one of the following Mondadori Group web sites, please click on the links below or follow the steps below:

We remind you that you can also contact the DPO of the Mondadori Group in the manner provided by Section D of this Notice.

H.Where will your Personal Data be processed?

Your Personal Data will be processed by the Data Controller within the European Union.

In case for technical and/or operational issues, it is necessary to engage persons outside the European Union, those persons, where they process Personal Data on behalf on the Data Controller, will be appointed as Data Processors in accordance with Article 28 of the Regulation; the transfer of your Personal Data to those persons, which will be limited to the performance of specific Processing activities, will be carried out in accordance with the provisions of Chapter V of the Regulation. All the necessary safeguards will accordingly be taken to guarantee the protection of your Personal Data; to such extent the transfer in question will be based on: (a) decisions of the European Commission as to the adequacy of the recipient non-EU country in question; (b) standard contractual clauses provided for by the European Commission; (c) binding corporate rules.

You may get further details from the Data Controller whenever your Personal Data have been processed outside the European Union, by asking for the indication of the specific safeguards in place.