Legislative Decree 196 of 2003, generally known as the Privacy Code, lays down the rules to be observed by all subjects involved in personal data processing, with particular reference to the Data Controllers (those who make decisions on the purposes and means of the processing) and the Data Processors (those who are appointed, by the Data Controller, to process the data).
For personal data protection, Sogei is the Data Controller for the processing of data falling within its corporate scope (data on employees, suppliers, visitors, etc.), and it is the Data Processor for the data of the Tax Administration and of the other entities from which it has received a specific appointment.
In accordance with the aforesaid law and, above all, having always given appropriate importance to the confidentiality, integrity and availability of information, Sogei has developed a valid Privacy Management System.
All corporate activities are performed according to this System which, among other things, defines the roles and responsibilities of all subjects involved in data processing and the organizational procedures that must be followed.
The subjects are individually appointed for the processing and, at the same time, informed of the skills, responsibilities and limitations that this appointment entails. In particular, all are reminded of the obligation to process pertinent data only, in a legal and correct manner, observing the need for legitimacy, accuracy and updating, and in accordance with the provisions of Art. 11 of the Privacy Code.
The organizational procedures that all parties must follow, in particular to guarantee data confidentiality, range from rules on the use of credentials for data access to the obligatory use of encryption systems, methods for the secure disposal of any media containing personal data, and the tracking and recording of all operations carried out.
To guarantee maximum data protection, the Privacy Management System is closely integrated with the Information Security Management System.
Indeed, both systems envisage constant monitoring, both of compliance with the organisational regulations and of the efficiency of the security measures, according to an annually planned audit programme. The audits are carried out by the Governance Security and Privacy Department, which checks all the company's structures involved in personal data processing, and by the Internal Auditing department which, although operating in synergy with the Governance Security and Privacy Department, also subjects its work to audit.