Please read carefully this information notice (hereinafter, “Privacy Policy”), which is intended to be rendered to the users of the website www.Extrotto.com (hereinafter, the “Site”), prepared in accordance with Article 13 of the General Data Protection Regulation No. 2016/679 (hereinafter, also “GDPR”), in which we provide you with all the details regarding the processing of your data and its use.

1. DATA CONTROLLER

The data controller HINES ITALY RE S.R.L., with registered office and operational headquarters in Milan(MI): VIA BROLETTO 35 – 20121,P.Iva 09484180964 (hereinafter, “Data Controller”) reachable at:Italy.marketing@hines.com

2. OBJECT OF PROCESSING

The Controller will process the following personal data: a) Identifying data (e.g.: first name, last name, company name, tax code, address, telephone number, e-mail) – hereinafter “personal data” or also “data” – directly provided by you at the time of your request for information transmitted to persons in charge of the Controller. b) Data collected using cookies or similar technologies. For more information, please refer to the Cookie Policy (https://www.Extrotto.com/cookie-policy). c) Technical data: This category of data includes the IP addresses or domain names of the computers used by the users who connect to the site, the addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s Operating system and computer environment. These data are used only for statistical information (so they are anonymous), to check the proper functioning of the site and are deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the site: except for this eventuality, data on web contacts do not persist for more than 7 days.

3. PURPOSE AND LEGAL BASIS FOR PROCESSING

Your personal data will be processed for the following purposes: a) to follow up on your requests and/or arrange appointments and put in place any activity preparatory to sending the information of your interest. With reference to this purpose, the legal basis for the processing of your personal data is represented by Article 6, paragraph 1, letter b) of the GDPR “The processing is necessary for the performance of a contract to which the data subject is party or the execution of pre-contractual measures taken at the request of the data subject.” The provision of personal data for this purpose is optional, but without it, it will not be possible for the Data Controller to comply with your requests. b) to comply with legal obligations to which the Controller is subject. The Data Controller may use your personal data to (i) fulfill any obligations under applicable laws, regulations or EU legislation, comply with requests from authorities (ii) follow up on requests from data subjects to exercise their rights, involving, where appropriate, third parties appointed as data processors. With reference to this purpose, the legal basis for the processing of your personal data is represented by Article 6(1)(c) of the GDPR, “The processing is necessary to comply with a legal obligation to which the data controller is subject.” c) for the pursuit of the legitimate interests of the Controller: the Controller may use your personal data for purposes of preventing fraud committed through the use of the Site and to enable the Controller to protect itself in court. With regard to this purpose, the legal basis for the processing of your personal data is Article 6(1)(f) of the GDPR “Processing is necessary for the purposes of pursuing the legitimate interests of the data controller or a third party, provided that the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data do not prevail, in particular if the data subject is a child.” Should a contractual relationship be established with the Controller, your data will be processed in the manner and for the purposes indicated in the information notice prepared for customers. The processing of your personal data will be carried out by means of the operations indicated in Art. 4 No. 2 GDPR, namely: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of data. Your personal data will be subject to both paper and electronic and/or automated processing, in compliance with the rules of confidentiality and security provided by laws, regulations and internal provisions.

4. RECIPIENTS OF THE DATA

Your personal data may be made accessible for the purposes referred to in Article 3 to: persons authorized by the Data Controller to process personal data who have committed themselves to confidentiality or have an appropriate legal obligation of confidentiality; b) persons delegated and/or appointed by the Data Controller to carry out activities strictly related to the pursuit of the purposes set out in Article 3, rightly appointed, where necessary, as data processors; c) persons, companies or professional firms that provide assistance and consulting activities to the Data Controller, rightly appointed as data processors; d) Other companies of the Hines Group. The Data Controller may also communicate your data for the purposes referred to in Article 3 to those subjects to whom the communication is mandatory by law.

5. TRANSFER OF DATA

Your data will not be transferred outside the European Economic Area. In any case, if the Data Controller intends to transfer your data outside the EEA, such data transfer can only take place if the requirements of Art. 44 et seq. GDPR are met.

DATA RETENTION PERIOD

The Data Controller will process personal data for the time strictly necessary to fulfill the purposes set out in Article 3 above.

7. DATA PROTECTION

Your personal data are processed by the Data Controller in full compliance with applicable regulations. In particular, to ensure the security of your personal data, taking into account the state of the art and implementation costs, as well as the nature, object, context and purposes of the processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, the Controller has taken appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

8. RIGHTS OF THE DATA SUBJECT

In your capacity as a data subject, you may at any time exercise your rights: a) to access your personal data; b) to obtain the rectification or erasure of your personal data or the restriction of the processing that concerns you; c) to object to the processing; d) to the portability of your data; e) to withdraw your consent, where applicable, without the withdrawal of the same affecting the lawfulness of the processing based on the consent given before the withdrawal; f) to lodge a complaint with the Supervisory Authority (Privacy Guarantor). You may exercise your rights at any time by sending: a registered letter to HINES ITALY RE S.R.L., with registered and operational office in Milan(MI): VIA BROLETTO 35 – 20121 or an e-mail to: Italy.marketing@hines.com Date of last update: September 2023.