PRIVACY NOTICE


PRIVACY POLICY ON PERSONAL DATA
Dear User, pursuant to Art. 19 of the Data Protection Act (hereinafter also referred to as the "nLPD"), Art. 13 of the Data Protection Ordinance (hereinafter also referred to as the "OPDa") and Art. 13 of EU Regulation 679/2016 (hereinafter also referred to as the "GDPR"), SOWRE SA, as better defined below, as the "Data Controller", provides you with some information about the use of personal data provided by users who consult and/or interact with the web services accessible electronically from the www.Sowre.com address, corresponding to the home page of the official website of SOWRE SA.
The information is provided only for the site in question and not for other websites that may be consulted by the user via links and is addressed to users of this site. The Site may contain links to sites, services and other Internet resources referable to third parties.
In this case, the Data Controller is in no way responsible for the contents, security and usability of such sites and resources; in particular, the Data Controller does not verify the policy, nor does it issue guarantees regarding the protection of privacy and personal data by such third parties.
In compliance with the obligations dictated by the protection of personal data, this site respects and protects the privacy of users.

1. Data Controller.
The Data Controller is: SOWRE SA, with registered office in CHIASSO, Switzerland, CORSO SAN GOTTARDO 54/A, represented by the persons with the right to sign in accordance with the entries in the Cantonal Commercial Register (CH-500.3.004-961-9), (e-mail address: amministrazione@sowre.com - telephone number: tel. + 41(0)916493778), hereinafter also referred to as the "Company" or "Data Controller".
The list of data processors and any authorised persons is kept at the data controller's registered office and made available at the request of the data subject.

2. Personal data subject to processing.
Personal data is information that directly or indirectly identifies a person, whether natural or legal. Personal data worthy of special protection include information on religious, philosophical or political opinions or activities, the personal sphere, mental or physical state, as well as information on offences committed, the penalties imposed and measures taken. The Data Controller may collect the following categories of common personal data for the purposes described in this policy:
- identification information such as name and surname, company name, e-mail, type of request and message (and any other personal data indicated in the message) provided voluntarily by the user in exchange for the optional, explicit and voluntary sending of e-mails through the contact form on the Data Controller's website or sent by the user through his/her CV;
- IP address of the user's device, user location, unique identifiers of the user's mobile device, duration of stay on the Site, services used, connections and messages activated, browser characteristics (type, language, plug-ins installed, cookies, etc.);
- browser, network, and device information;
- information relating to the professional and training profile, level of education and work experience contained in the CV, cover letter and any school notes (including school evaluations and certificates relating to training and/or school and professional experience) as well as relating to training, specialization and professional development courses attended both for training needs of a compulsory nature, complementary or motivational.
The Site does not request/collect/process personal data worthy of particular protection, given the merely informative nature of the same. We therefore recommend that you do not transmit unsolicited information of this kind through the Site and related resources.

3. Purpose.
Your personal data will be processed for the following purposes:
a) to obtain anonymous statistical information on the use of the site and to check its correct functioning;
b) ascertain responsibility in the event of hypothetical computer crimes against the site;
c) respond to requests for information received through the website, send information material or other communications, inform you of changes to the site or updates to the services, request feedback regarding the terms of the web service offered;
d) manage applications received on the Site for: recruitment, analysis, evaluation and selection of personnel; archiving of curricula for future personnel search needs;
e) for legal, administrative and audit purposes;
f) assert or defend a right in court, out of court or administrative proceedings.

4. Legal basis for processing.
In accordance with Art. 6 GDPR and Art. 6 nLPD, the Controller processes your personal data within the applicable legal framework. Where required, and depending on the purpose of the processing activity, the processing of your personal data may be based on one of the following grounds:
- for browsing this website, to ascertain liability in the event of hypothetical computer crimes against the site, to assert or defend a right in judicial, extrajudicial or administrative proceedings, for legal, administrative and audit purposes: legitimate interest of the data controller/overriding interest of the data controller (art. 6 letter f), GDPR and Art. 31 nLPD paragraph 2);
- for the fulfilment of the activity aimed at processing requests for information: consent of the website user (Art. 6, paragraph 1, letter a), GDPR 679/2016 - Art. 31 nLPD paragraph 1);
- for the processing of personal data contained in CVs: to comply with pre-contractual measures taken at the request of the data subject (Art. 6 para. 1 lit. b) GDPR and Art. 31 paragraph 2 nLPD).
The provision of such personal data is optional, but failure to provide them may make it impossible to obtain what has been requested.
It is understood that the legitimate interest of the controller will be taken into account provided that the latter is not overridden by your legitimate interests in privacy and data protection.

5. Processing methods and security measures.
In relation to the purposes described above, the processing of personal data is carried out using manual, computer and telematic tools and, in any case, in such a way as to guarantee the security and confidentiality of the data. Collection, recording, storage, organization, processing, profiling for organizational purposes, selection, extraction, comparison, interconnection, communication, blocking, cancellation and destruction are permitted.
Your data is processed lawfully and correctly, adopting the appropriate security measures aimed at preventing unauthorized access, disclosure, or unauthorized modification of data.

6. Data retention period.
In compliance with the provisions of art. 6 n.4 nLPD and the GDPR, the user's personal data will be processed as follows:
- with regard to browsing data on this website: they are kept until the end of the browsing session and are then deleted immediately;
- with regard to identification and contact data: for the period of time necessary to fulfil the request submitted and in any case no later than 1 month from the contact request or, if earlier, until the revocation of consent by the data subject;
- with regard to the personal data contained in the CV: for the period of time necessary to fulfil the request and in any case no later than 3 years from the sending of the CV or until the withdrawal of consent by the data subject.
In any case, the data may be processed for the entire duration of any out-of-court and/or judicial proceedings and until the exhaustion of the terms of availability of judicial protections and/or appeal actions.
The verification of the obsolescence of the data stored in relation to the purposes for which they were collected is carried out periodically and, after the expiry of the storage terms indicated above, the data are deleted.

7. Subjects to whom the data may be communicated.
The Data Controller will only use your data internally within the company without transferring or sharing it with third parties. The same may therefore only be communicated to persons authorised to process the data, data processors, service providers who offer services on behalf of the Data Controller:
- freelancers who provide services to the Data Controller;
- financial administrations, public bodies, judicial authorities, law enforcement agencies;
- third parties exclusively for accounting, fiscal, legal, insurance needs, or in the event of police checks or if required by law.
Where the Data Controller transfers your data to third-party service providers, the Data Controller ensures that they meet the same security standards.
Third-party service providers are therefore required to comply with a number of technical and organisational security measures, regardless of their location, including measures relating to:
(i) information security management;
(ii) information security risk assessment;
(iii) information security measures (e.g., physical access controls; logical access controls; malware and hacking protection; data encryption measures; backup management and recovery measures).
The third parties described above process the personal data shared under this provision in accordance with the purpose for which such data was originally collected and at least according to the same level of protection as in Switzerland.
The list of Data Processors is constantly updated and available at the headquarters of the Data Controller.

8. Disclosure of personal data outside the Confederation.
The Data Controller stores your personal data exclusively in Switzerland and the same will not be transferred to third countries that do not adopt the same data protection laws as the country in which the information was initially provided. For this reason, the Data Controller has made an express request that Microsoft's M365 servers be located in Zurich.
For the sake of completeness, it should be noted that, pursuant to art. 16 and 17 of the nLPD, personal data may only be communicated abroad if the Federal Council has established that the legislation of the recipient state or international body guarantees adequate data protection, or if:
- the data subject has given his or her consent;
- the communication is directly related to the conclusion or execution of the contract;
- the communication is necessary for the protection of an overriding public interest or to establish, exercise or enforce a right before a court or a competent foreign authority;
- communication is necessary to protect the life or physical integrity of the person concerned or of a third party;
- the data subject has made the personal data accessible to anyone;
- the data comes from a legally required register that is accessible to the public or to persons with a legitimate interest.
Your personal data will not be subject to dissemination or any fully automated decision-making process.

9. Rights of the data subject.
In accordance with the provisions of the nLPD and the GDPR, the Data Controller grants in particular the following rights (non-exhaustive list):
- be subjected to transparent processing (Art. 19-21 nLPD);
- obtain confirmation as to whether or not personal data is being processed and, if so, obtain access to the personal data - including a copy of the personal data - and the communication, among others, of the following information: purposes of the processing, categories of personal data processed, recipients to whom the personal data have been or will be disclosed, data retention period, (right of access - Art. 25 of the nLPD and Art. 15 GDPR);
- obtain the rectification of inaccurate personal data and/or the completion of incomplete personal data without undue delay (right to rectification - Art. 32 paras 1 and 3 of the nLPD and Art. 16 GDPR);
- obtain the erasure of personal data without undue delay (right to erasure – Art. 32 para. 2 lit. c of the nLPD and Art. 17 GDPR);
- receive personal data in a structured, commonly used and machine-readable format, if the processing is based on consent and is carried out by automated means (right to data portability - Art. 28 of the nLPD and Art. 20 GDPR);
- object to the processing at any time for reasons relating to your situation (right to object - Art. 30 2 lit. B and 3 of the nLPD and Art. 21 GDPR). In the event of exercising this right, the Company will refrain from further processing personal data, provided that there are no compelling legitimate reasons to proceed with the processing anyway;
- obtain the restriction of processing (right to restriction of processing) if the accuracy of the personal data is contested (for the period necessary for the controller to verify the accuracy of the personal data) or if the data subject has objected to the processing (pending verification of whether the legitimate reasons of the controller prevail over those of the data subject) (Art. 18 GDPR);
- assert one's point of view with regard to automated decisions and in particular demand a review of the decision by a human being (right not to be subject to an automated individual decision – Art. 21 of the nLPD and Art. 22 of the GDPR);
- lodge a complaint with the competent supervisory authority (Federal Data Protection and Information Commissioner in Switzerland – FDPIC and in Italy Data Protection Authority).
The data subject may exercise these rights in the following ways:
- by email: by sending a request to the Company at the following email address: privacy@sowre.com;
- by ordinary mail, to the Company's registered office (SOWRE SA), Corso San Gottardo 54/A Chiasso.
When contacting the Data Controller, please ensure that you include your name, email address, postal address and/or telephone number(s) to ensure that the Data Controller can properly handle your request.
To exercise these rights, the interested party may send the form called FORM FOR THE EXERCISE OF RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA to the following email address privacy@sowre.com.
When contacting the Data Controller, you must be sure to include your name, email address, postal address and/or telephone number(s) as well as a copy of a valid document for identification purposes, to ensure that the Data Controller can properly handle your request. The Company is required to provide a response within one month of the request; term extendable up to three months in case of particular complexity of the request.

10. Data Protection Officer and Data Protection Consultant.
The Data Protection Officer pursuant to Article 37 of the GDPR (appointed in Italy), as well as a Data Protection Consultant pursuant to Article 10 of the nLPD (appointed in Switzerland) is the lawyer Francesco Tagliabue, with an office in (22100) Como, Piazzale Gerbetto n. 6 – Italy. The details that allow you to quickly contact the Data Controller and communicate directly and effectively with the same, including the e-mail address, are as follows: email francesco.tagliabue@legaliassociati.it – certified email francesco.tagliabue@como.pecavvocati.it – tel. +39.031.262591 – fax. +39.031.279179.
Any reports on the protection of personal data can be made using the form called FORM FOR REPORTING ISSUES ON THE PROTECTION OF PERSONAL DATA and sent to the following email address: privacy@sowre.com.

11. Further information: amendment/entry into force.
The Owner reserves the right to modify, update, add or remove parts of this privacy policy at its discretion and at any time.
Before using the Site or related resources (e-mails, etc.), it is therefore the responsibility of the user to check the content of the current policy. In order to facilitate this verification, the information will contain the date of update.

Effective Date: September 15, 2025