Privacy Notice

INFORMATION ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLES 13 AND 14 OF REGULATION (EU) NO. 2016/679

– INVESTORS –

Pursuant to Articles 13 and 14 of Regulation (EU) No. 2016/679 (hereinafter the “GDPR”), Dolcetto HoldCo S.p.A. (hereinafter “Dolcetto” or the “Controller“) provides the following information on the processing of your personal data (hereinafter the “Data“) when you interact with the Investor Relations website or contact us as a current or potential investor, analyst, shareholder, or other financial stakeholders.

1. DATA CONTROLLER, DATA PROCESSORS, DATA PROTECTION OFFICER

The Data Controller is Dolcetto Holdco S.p.A., with registered office in Milan, Via Paleocapa 1. Dolcetto HoldCo S.p.A. is a holding company owing the entire capital of DOC Generici S.r.l. that entrusted the same DOC Generici S.r.l., as the operating company, of the technical operation and management of the website dedicated to Investors relations (“Website”). In this regard, Dolcetto HoldCo S.p.A. appointed DOC Generici S.r.l. as Data Processor by way of a dedicated Data Protection Agreement.

The Data Protection Officer (DPO), can be contacted via:

• Mail: via email privacy@docpharma.com, or at the registered office address mentioned above, for the attention of the Data Protection Officer; or
• Email: at DPO@docpharma.com.

1. CATEGORIES OF DATA PROCESSED

The Controller may process the following categories of Data, with the methods indicated below.

1. a) Data provided directly by You

Data voluntarily provided by you, either verbally, in writing, or electronically (via web forms, email or other means), such as:

• contact information (e.g., name, surname, email address, phone number);
• professional information (e.g., company name, professional role, type of investor);
• communication preferences or requests related to investor materials or events.

1. b) Data collected from public or third-party sources

We may also acquire Data from other sources, including other data controllers (in the latter case, after verifying compliance with legality conditions by third parties), or from public sources (e.g., publicly accessible databases registers, or official publications, press releases), but always in compliance with relevant regulations.

1. c) Data collected automatically via website usage

Your access to our Websites, directly or through third-party sites, portals, or platforms, and the will allow us to automatically acquire the following categories of Data or information.

Navigation Data

The computer systems and software procedures used to operate our websites acquire, during their normal operation, some personal data whose transmission is implicit in the use of the Internet, which is based on the TCP/IP protocol. This information is not collected to be associated with identified individuals, but by its very nature could, through processing and association with data held by third parties, allow your identification.

This category of data includes “IP addresses” or domain names of the computers used by users connecting to the site, URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the web server (successful, error, etc.), and other parameters relating to the user’s operating system and IT environment.

First-Party Cookies

A cookie is a small “text file” that some websites, while being visited, can send to the user’s address in order to track expressed preferences and collect data. Each user, if preferred, can still set their browser to receive a warning of the presence of a cookie and decide whether to accept or reject it. It is also possible to automatically refuse the reception of cookies by activating the specific browser option: however, not using cookies could lead to difficulties in interacting with our websites.

Our Websites use the following types of cookies:

• Technical cookies: which ensure the possibility of Browse and using the website, and also to collect information, in aggregate form, on the number of users and how they visit the site; technical cookies will, in particular, also be used to remember that you have already given your consent and avoid asking you to express it again.
• Profiling cookies: used to attribute to specific, identified or identifiable subjects, specific actions or recurring behavioural patterns in the use of the offered functionalities (patterns) for the purpose of grouping different profiles within homogeneous clusters.
• The complete list of cookies used by of our Websites can be consulted at this link: https://www.docpharma.com/cookie-policy/ where you will also find instructions on how to change your browser settings and accept or reject cookies.

Third-Party Cookies

During navigation, you may also receive cookies from other sites or web servers on your terminal: this happens because our sites may contain elements such as images, maps, sounds, specific links to web pages of other domains.

1. PURPOSES AND LEGAL BASIS OF PROCESSING

Your Personal Data will be processed by Dolcetto within its activities for the following purposes and with the following legal bases for processing:

1. a) Legal Obligations

Comply with obligations under tax, corporate, administrative and financial regulations, including investor transparency requirements .

This processing is necessary for the performance of the above-mentioned activities. Failure to provide the data will prevent us from fulfil such obligations towards you .

1. b) Access to Services

Allow you to use the services and made available in our Website or including downloading reports, receiving requested documents, or contacting the IR team. Such processing is necessary for the provision of the services requested and does not require consent.

This processing is necessary for the performance of the above-mentioned services. Failure to provide the data will prevent us from fulfilling your requests or providing the services you are interested in.

1. c) Invitations to Events

Contact you to invite you to participate in event, meeting or similar initiative concerning Dolcetto’s investors’ relations activities, through email, phone, or other communication tools.

In the absence of your consent, Dolcetto will not be able to contact you for the indicated purposes.

1. e) Sending Materials and Newsletters

To send you financial updates and information, corporate announcement, and other investor-related communications via email or other remote communication channels. press releases, by e-mail or other communication tools. , through mail, telephone, email, Internet, SMS, MMS, and other remote communication systems, including video calls or multi-participant video conferencing systems, requires your consent.

This processing is carried out only with your prior consent. Lacking  your consent, Dolcetto will not be able to contact you for the indicated purposes.

1. f) Profiling

With your consent, some Data (including Data transmitted by third parties and Data collected automatically following access and navigation in our Website) may be used to identify, evaluate, or predict aspects concerning, among other things, your interests, preferences, consumption choices, and habits, and, among these, in particular, to identify the investment topics, financial instruments, market segments, for which you have greater interest or the IT functionalities you most appreciate, so as to be able to primarily suggest products, services, and Events that meet your preferences and inclinations.

If you wish to give us your consent, we also remind you to disable the refusal to receive profiling cookies possibly set in your browser, by clicking on the link: https://www.dolcettoholdcospa.com/cookie-policy/

1. g) Legitimate Interest of the Controller

To pursue a legitimate interest of Dolcetto, identified from time to time (including, where necessary, asserting or defending a right in court and preventing crimes or illegal acts). Such processing, to the extent that it does not jeopardize your fundamental rights and freedoms, does not require your consent.

1. RECIPIENTS OR CATEGORIES OF RECIPIENTS

The Data may be disclosed to the following subjects, some of whom have been appointed by the Controller, as the case may be, as processors or authorized persons:

• Companies belonging to the Controller’s group (parent companies, subsidiaries, affiliates), employees and/or collaborators of any kind of the Controller or of companies belonging to the Controller’s group.
• Public or private subjects, natural or legal persons, of whom the Controller makes use for the performance of activities instrumental to achieving the aforementioned purposes or to whom the Controller is obliged to communicate the Data (e.g. financial market authorities) by virtue of legal or contractual obligations or within the scope of negotiations and procedures aimed at corporate operations or reorganizations.

1. TRANSFER OF DATA TO THIRD COUNTRIES

As a Rule, the Controller does not transfer the Data outside the European Economic Area (“EEA”). Should such a transfer become necessary or occur for technical or organizational reasons, even subsequent ones, the Controller will ensure that the Data is transferred in compliance with the provisions of the GDPR, and, in particular, its Articles 45, 46, and 49.

1. PROCESSING METHODS

Your Data is processed using manual, IT, and telematic tools, with methods designed to ensure the security and confidentiality of the data itself.

1. RETENTION PERIOD

Without prejudice to the retention period required by any legal provisions, your Personal Data will be retained for a period not exceeding what is necessary to achieve the purposes for which they were acquired and processed. In particular:

• Data collected following your interactions with the website (e.g., contact requests, subscription to financial communications, participation in investor-related events) will be retained for up to 5 years from the date of your last interaction, unless shorter or longer retention periods apply based on the nature of the Data or applicable regulations.
• Consent-based will be deleted 4 years after the last contact or your last interaction.

The above limits do not apply to Data:

• that the Controller may from time to time obtain from public sources or publicly accessible databases;
• Data processed for the Controller’s legitimate interests (e.g. to assert or defend a right in court or to prevent fraud) will be retained as long as necessary for such purposes.

1. RIGHTS OF ACCESS, ERASURE, RESTRICTION, AND DATA PORTABILITY

Data subjects are granted the rights referred to in Articles 15 to 20 of the GDPR. By way of example, each data subject may:

• obtain confirmation as to whether or not their personal data is being processed.
• where processing is ongoing, obtain access to the personal data and information relating to the processing, as well as request a copy of the personal data.
• obtain the rectification of inaccurate personal data and the integration of incomplete personal data.
• obtain, where one of the conditions provided for by Article 17 of the GDPR applies, the erase of their personal data.
• obtain, in the cases provided for by Article 18 of the GDPR, the restriction of processing.
• receive the personal data concerning them in a structured, commonly used, and machine-readable format and request their transmission to another controller, if technically feasible.

1. RIGHT TO OBJECT. RIGHT TO WITHDRAW CONSENT

Each data subject has the right:

• to object at any time to the processing of their personal data. In case of objection, the personal data will no longer be processed, unless there are legitimate grounds for processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
• to withdraw consent already given at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

1. RIGHT TO LODGE A COMPLAINT WITH THE GARANTE

Each data subject may lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) in the event that they believe their rights under the GDPR have been violated, according to the procedures indicated on the Garante’s website, accessible at: www.garanteprivacy.it.

1. UPDATES TO THIS PRIVACY NOTICE

The contents of this Privacy Notice may be subject to updates due to changes in the type of Data processed or in the methods and purposes of processing. Such changes will be communicated to you via email before the date on which they are expected to become operative and, if necessary, you may be asked via email to confirm the consent already given.