Privacy Policy concerning the processing of personal data

HIVE S.r.l.

via Ermete Conti 7

42020 San Polo D'Enza (RE)

P.IVA 02893710356

PEC: hive@pec-mail.it

Cod. Doc. 20824.51.487210.2957896

Privacy notice on the processing of personal data pursuant to Articles 13-14 of EU Regulation 2016/679

Data subjects: users who visit/use the online booking services platform for access to St. Peter's Basilica with audio guide or to the areas pertaining to St. Peter's Basilica.

HIVE S.r.l., as the Controller of your personal data, pursuant to and for the purposes of EU Regulation 2016/679, hereinafter "GDPR", hereby informs you that the above-mentioned legislation provides for the protection of data subjects with regard to the processing of personal data and that such processing will be based on the principles of fairness, lawfulness, transparency, and protection of your confidentiality and rights.

Your personal data will be processed in accordance with the legislative provisions of the above-mentioned regulation and the confidentiality obligations set out therein.

Purposes and legal basis of processing: in particular, your data will be processed for the following purposes connected with fulfilling legal obligations:

• mandatory legal obligations in tax and accounting matters.

Your data will also be used for the following purposes relating to the performance of measures connected with contractual or pre-contractual obligations:

• after-sales assistance;

• customer management;

• quality management;

• activity planning;

• requests aimed at measuring the level of user satisfaction and improving the quality of the services offered by sending automatic communications containing questionnaires, surveys, or feedback requests relating to the visit experience and the services used

• electronic payment instruments.

Processing methods. Your personal data may be processed in the following ways:

• processing by means of electronic computers.

All processing is carried out in compliance with the methods referred to in Articles 6 and 32 of the GDPR and through the adoption of appropriate security measures.

Your data will be processed only by personnel expressly authorized by the Controller and, in particular, by the following categories of authorized personnel:

• programmers and analysts;

• Administration office.

Disclosure: your data may be disclosed to external parties for the proper management of the relationship and, in particular, to the following categories of Recipients, including all duly appointed Data Processors:

• within public and/or private entities to which disclosure of the data is mandatory or necessary in fulfillment of legal obligations, or is in any case functional to the administration of the relationship;

• Fabbrica di San Pietro (hereinafter "FSP"), Palazzo della Canonica, 00120 Vatican City, for the organization of entrance activities.

Dissemination: your personal data will not be disseminated in any way.

Retention period. Please note that, in compliance with the principles of lawfulness, purpose limitation, and data minimization pursuant to Art. 5 of the GDPR, the retention period for your personal data is:

• set for a period not exceeding the achievement of the purposes for which they are collected and processed for the performance and fulfillment of contractual purposes;

• set for a period not exceeding the achievement of the purposes for which they are collected and processed, and in compliance with the mandatory time limits prescribed by law;

• set for a period not exceeding the fulfillment of legal obligations and for protection in litigation.

Controller: the Data Controller, pursuant to the Law, is HIVE S.r.l. (via Ermete Conti 7, 42020 San Polo D'Enza (RE), VAT No. 02893710356, contactable at the following address: e-mail info@hivenetwork.it), represented by Maurizio Rota.

The data protection officer (DPO) designated by the controller pursuant to Art. 37 of the GDPR is:

• Alessandro Simonassi, contactable by e-mail: dpo@hivenetwork.it.

You have the right to obtain from the controller erasure (right to be forgotten), restriction, updating, rectification, portability, and objection to the processing of personal data concerning you; more generally, you may exercise all rights provided for by Articles 15, 16, 17, 18, 19, 20, 21, and 22 of the GDPR.

You may also view the updated version of this notice at any time by visiting the website https://www.privacylab.it/informativa.php?20824487210.

EU Regulation 2016/679: Articles 15, 16, 17, 18, 19, 20, 21, 22 - Rights of the Data Subject

1. The data subject has the right to obtain confirmation as to whether or not personal data concerning him or her exist, even if not yet recorded, to have them communicated in intelligible form, and to lodge a complaint with the Supervisory Authority.

2. The data subject has the right to obtain information on:

• the origin of the personal data;

• the purposes and methods of processing;

• the logic applied in the event of processing carried out with the aid of electronic instruments;

• the identification details of the controller, processors, and the representative designated pursuant to Article 5, paragraph 2;

• the persons or categories of persons to whom the personal data may be communicated or who may become aware of them in the capacity of designated representative in the territory of the State, processors, or persons in charge of processing.

3. The data subject has the right to obtain:

• the updating, rectification, or, where interested, integration of the data;

• the erasure, anonymization, or blocking of data processed in breach of the law, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;

• certification that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, unless this requirement proves impossible or involves the use of means manifestly disproportionate to the right protected;

• data portability.

4. The data subject has the right to object, in whole or in part:

• on legitimate grounds, to the processing of personal data concerning him or her, even if relevant to the purpose of collection;

• to the processing of personal data concerning him or her for the purposes of sending advertising material or direct sales, or for carrying out market research or commercial communications.