Information pursuant to Article 13 of the EU Regulation 2016/679 (GDPR)

a) The data controller is Sestrieres S.p.A. a s.u. with headquarters in Piazza Agnelli 4 - 10058 Sestriere (TO), fiscal code and VAT number 00941880015. Sestrieres has appointed as Data Protection Officer (DPO): Spaziottantotto Srl and as contact person Ing. Bonsignori Massimiliano. Requests should be addressed through privacy@vialattea.it or at the following addresses: Tel. +39 0122.799.411, Fax. +39 0122.799.460.

b) The personal data subject to processing are as follows: master data, special data (e.g., related to health status for issuance of special ski passes, in case of an accident also for insurance reimbursement), contact data, bank data (if any), image data (video surveillance, ski pass photo, if any), data related to access and movement within the ski area (geolocation using "RFID" technology), data possibly required by regulations to combat and prevent infection from SARS-CoV2.

c) The processing is carried out for the following purposes:
• The issuance and execution of the Contract of Sale of the Skipass and use of the facilities. The legal basis for processing is the execution of obligations arising from the existing contract.
• Compliance by the Data Controller with legal, administrative, accounting and fiscal obligations as well as for public health figures. The legal basis for the processing is the fulfillment of legal obligations to which the Data Controller is subject.
• To ensure emergency relief, including subsequent insurance reimbursement activities, and any other accident-related activities. The legal basis for the processing is the need to protect a vital interest of the rescued person and to pursue a public interest relevant to the preservation of life and physical safety.
• Send commercial information, miscellaneous documentation from Sestrieres and/or its business partners, carry out marketing activities or market surveys.
The legal basis for the processing is consent; the provision of contact data is to be considered optional.
• To collect data on the use of the facilities (passages at the turnstiles and security cameras) both to verify that access to the facilities is carried out by those entitled to it (possibly by comparing the image of the ski pass card), and for reasons related to security and the smooth operation of the facilities themselves; in fact, RFID technology and video surveillance detection systems are installed on the facilities. The legal basis for the processing is the legitimate interest of the Data Controller.

d) The provision of data is an essential condition for the conclusion and execution of this contract and is therefore to be considered necessary; in the absence of the provision of the requested data, the contract cannot be finalized.

e) Processing may be carried out with or without the aid of electronic or, in any case, automated tools in compliance with the provisions of the Code and the GDPR, guaranteeing the security and confidentiality of personal data.

f) The processing is carried out by the persons authorized to process under the direct authority of the Data Controller and/or by the designated and appointed data processors, such as professionals, consultants or external companies operating on behalf of the Data Controller (e.g., for management of computer systems, rescue service, etc.) for the purpose of contract execution. The updated list of data processors is available to the data subject upon simple request addressed to the Controller at the email address indicated in this policy.
Furthermore, without prejudice to the communications to third parties that are obligatory by law for administrative, accounting and fiscal compliance, the personal data acquired, with the exclusion of those that are not necessary, may be communicated to: (I) Other companies that manage part of the district in non-Italian territory, (II) Subjects that deal with rescue, (III) Banks (for the payment methods adopted), (IV) Insurance companies (to insure the user and for reasons related to possible claims), (V) Freelancers (e.g., for lawsuits, litigation, claims, etc.) held to professional secrecy, (VI) Competent authorities in the exercise of their functions or for public interest.

g) No data will be released.

h) No personal data will be used for profiling activities.

i) Personal Data is stored by the Controller within the
European Union ("EU"). The Data Controller may need to transfer data to suppliers based in countries outside the EU. In this case, the Controller will ensure that the information is properly and adequately protected, in accordance with the principles set forth in Articles 45 and 46 of the GDPR, where appropriate by entering into legal agreements governing the transfer of information and providing adequate safeguards.

j) Personal data will be retained for the period strictly necessary for the provision of the requested services and the pursuit of the specific purposes of the processing, and finally until the expiration of the legal statute of limitations, including for the protection of one's interests in and out of court. In addition, the Data Controller may be obliged to retain personal data for a longer period in compliance with a legal obligation or by order of an Authority. At the end of the retention period, personal data will be deleted. Therefore, after this period, the right of access, deletion, rectification and the right to data portability can no longer be exercised.

k) At any time, the Data Subject may: exercise his/her rights (access, rectification, cancellation, restriction, portability, opposition, absence of automated decision-making processes), where provided, against the Data Controller, in accordance with Articles 15 to 22 of the GDPR; lodge a complaint with the Guarantor (www.garanteprivacy.it); if the processing is based on consent, revoke such consent, taking into account that the revocation of consent does not affect the lawfulness of the processing based on the consent before revocation. The aforementioned rights may be exercised by sending an appropriate request to the Data Controller through the contact channels indicated in this notice.
Requests regarding the exercise of the user's rights will be processed without undue delay and, in any case, within one month of the request; only where justified by the particular complexity and the number of requests may this term be extended by an additional 2 (two) months.

l) In particular, in addition to all of the above, the following clarifications apply:
• The detection of passages at the turnstiles will be carried out automatically by the system present inside the ski pass (RFID label) and on the turnstile itself (RFID antenna); this detection will make it possible to indicate the geographic location of the persons by means of an electronic communication network; this information may be combined with a personal identification exclusively for named cards, and may be made available to the ski pass holder and/or to the competent Authorities in the exercise of their functions or for public interest following requests that comply with the current regulations on data processing and dissemination. Access to the system may also be restricted to authorized Sestrieres appointees for the sole purpose of verification of the quality and technical operation of the service.
• Please note that the card is personal and non-transferable and should be kept personally to prevent others from using it; it is assumed that the person using the identification number is the holder or another person legitimized by the holder. Sestrieres will not be held responsible for differing or fraudulent uses.
• For ski passes issued to minors, it is the responsibility of the person exercising parental responsibility to give authorization for the processing of data, also taking into account in particular what is highlighted in the aforementioned conditions of sale.

In case of discrepancies between the language versions of these general terms and conditions, the Italian version of these terms and conditions shall apply.