Shareholder Privacy Policy

1. Data Controller

Elica S.p.A.

Via Ermanno Casoli, n.2, 60044 Fabriano (AN)

P.I. AN 00096570429

Certified email address: elicaspa@sicurezzapostale.it

Telephone: +39-07326101

("Company" or "Controller").

2. Data Protection Officer (DPO)

The Data Protection Officer (pursuant to Article 37 of the Privacy Regulation) can be contacted at the following email address: dpo@elica.com (hereinafter "DPO").

3. Personal data processed and data source

The personal data collected essentially relates to:

• Identification, personal details, and contact information (name and surname, address, telephone number, email address, tax information, etc.);

• Audio recordings of meetings involving the interested party;

• Other non-specific data relating to existing legal relationships, limited to share ownership.

4. Purpose and legal basis of processing

a) Data will be processed for the proper management of existing contractual and/or business relationships. Specifically, Elica must, in accordance with applicable law, enter the names of Shareholders in the Shareholder Register.

b) The data is also processed to fulfill legal obligations to which the Company is subject, such as administrative and accounting obligations, in accordance with the requirements of applicable legislation.

c) The data may also be processed, if necessary, to ascertain, exercise, and/or defend the Company's rights.

d) Audio recordings may be made to fulfill the obligations to record minutes of meetings.

For each of the purposes identified above, the following legal bases are identified:

- For purpose a):

  - For data relating to natural persons, the legal basis is the performance of a contract to which the data subject is a party, pursuant to Article 6.1, letter b) of the GDPR;

  - For data relating to contact persons of legal entities, the legal basis is the legitimate interest of the Data Controller pursuant to Article 6.1(f) of the GDPR.

- For purposes b) and d), the legal basis is to fulfill legal obligations to which the Company is subject pursuant to Article 6.1(c) of the GDPR;

- For purpose c), the legal basis is the legitimate interest of the Data Controller pursuant to Article 6.1(f) of the GDPR.

5. Data retention period

For the entire duration of the contract and for 10 years after the termination of the contractual relationship, as per the ordinary limitation period or specific statutory period.

In the event of legal disputes, for the entire duration of the dispute, until the time limit for appeals has expired.

For audio recordings of meetings, the retention period is one year.

6. Data provision

The provision of Data is necessary for the conclusion and/or execution of the contractual relationship. Refusal to provide the Data will therefore prevent the contractual relationship from being established and/or the resulting obligations from being fulfilled.

7. Data recipients

The Data may be disclosed to entities acting as independent data controllers, such as public authorities, the Board of Statutory Auditors, independent auditors, or professional firms, or processed on behalf of the Company by entities providing services essential to the pursuit of the aforementioned purposes, designated as data processors pursuant to Art. 28 of the GDPR. Among these entities, Computershare S.p.A. processes data as the Data Processor.

Furthermore, the Data is processed by Company employees belonging to the corporate functions responsible for pursuing the aforementioned purposes, who have been expressly authorized to process the data and have received adequate operating instructions.

The data may be processed in particular by employees of the following departments: Information Technology, Investor Relations, and Legal, who will have access as data processors.

The processed data will not be disseminated.

8. Transfer of personal data to countries outside the European Union

Where data is transferred to countries outside the European Union (EU) or the European Economic Area (EEA) that have not been deemed adequate by the European Commission, the transfer mechanisms referred to in Article 46 of the GDPR (such as standard contractual clauses) will be used, considering the possible inclusion of "additional measures" to ensure a level of protection substantially equivalent to that required by European Union law.

9. Rights of the Data Subject - Complaint to the Supervisory Authority

By contacting the Data Controller via email at privacy@elica.com, the data subject may exercise the rights recognized by Articles 15-22 of the GDPR, and in particular, may request access to, rectification, integration, or erasure of, their Data, as well as restriction of processing in the cases provided for by Article 18 of the GDPR.

Furthermore, if processing is based on consent or a contract and is carried out by automated means, the data subject has the right to receive the Data in a structured, commonly used, and machine-readable format, and, if technically feasible, to transmit it to another controller without hindrance.

The data subject has the right to object at any time, easily and free of charge, for reasons related to their particular situation, to the processing of their Data where that processing is based on the Data Controller's legitimate interest.

Data subjects have the right to lodge a complaint with the competent supervisory authority in the Member State in which they habitually reside or work or in the State in which the alleged infringement occurred.