Privacy Policy

1. PURPOSE

The purpose of this document is to describe the general principles of security and confidentiality
obligations of the information and personal data defined by the Data Controller and ensures that all
parties involved in the data processing, in order to develop an efficient and secure management
system of procedures and processes for the security of personal data in compliance with the
fundamental rights and freedoms of individuals, in compliance with the 2016/679 European
Regulation, from now on GDPR

2. DESCRIPTION

Revolution Gaming intends to pursue objectives of information security, personal data,
technological, physical, logical and organizational structure and their management. This means
achieving and maintaining a secure information management system through compliance with the
principles set out in articles 5 and 6 of the GDPR;

Lawfulness, fairness, transparency;
Guarantee with respect to the management and collection of data for the sole contractual purposes,
determined, explicit and legitimate, and subsequently treated in a way that is not incompatible with
these purposes.
Adequate, relevant and limited to what is necessary with respect to the purposes for which they are
processed ("data minimization" principle);
Exact and, if necessary, updated; all reasonable measures must be taken to cancel or correct
inaccurate data in relation to the purposes for which they are processed ("accuracy");
Keep in a form that allows identification of data subjects for a period of time not exceeding the
achievement of the purposes for which they are processed;

Treated in such a way as to guarantee adequate security of personal data, including protection, by
means of appropriate technical and organizational measures, by unauthorized or unlawful
processing and by the accidental loss, destruction or damage "principle of integrity and
confidentiality";
Safeguard the consistency of information from unauthorized changes
Ensure the reliability of the information source channels;
Ensure the protection and control of personal data.

3. SCOPE OF APPLICATION

The policy for the protection of personal data applies to all processes and resources involved in the
design, implementation, start-up and continuous delivery in the context of services.

The products and services provided are described below and the methods of delivery are illustrated.

Products and services provided:

Web platform for the promotion of the territory and offer of tourist services for booking and
assistance to tourists. Advertisements for accommodation and companies.

4. INFORMATION SECURITY POLICY

The verification of data that will be processed with identification of the various types of data and
categories of membership. The verification of the purpose of each processing and of the legal basis
on which each of them is based, also in order to provide adequate information to the parties
concerned, as required by art. 13 and 14 of the GDPR;

The preparation of the information (or its update) that must be provided to the interested parties in
compliance with all the elements indicated in art. 13 and 14 of the GDPR. In particular, interested
parties must be made aware of the rights that the Regulation recognizes them (right of access, right
to be forgotten, right of rectification, right of limitation and objection to treatment, right to data
portability); the information for the subjects involved in the data processing of which the customer is
the data controller is provided by the client if data collection is planned in the software or services
used;

The establishment of a procedure to be adopted in the event of any data breaches (so-called Data
Breach referred to in articles 33 and 34 of the GDPR), for example at the occurrence of disclosure
(intentional or otherwise), destruction, loss, modification or unauthorized access to the personal
data being processed. In fact, the GDPR provides specific requirements in the event of a violation of
this kind, due to an IT attack, abusive access or an accident. In these cases the GDPR imposes, as
foreseen by the art. 33, for the Data Controller the obligation to notify the supervisory authority of
the violation within 72 hours (or in any case without delay). In the event that the violation has

occurred to assume that there is also a high and current danger for the rights and freedoms of those
concerned, the latter must also be directly informed without delay of what happened;

In Article. 35 of the GDPR, it is the responsibility of the Data Controller (and with the possibility of
consulting the Data Protection Manager if appointed) to carry out an impact assessment on data
protection in the event that a type of treatment, also in consideration of the nature, object, context
and purpose of the treatment itself, present a high risk for the rights and freedoms of natural
persons. It should be noted that the GDPR does not establish a real obligation to carry out the
impact assessment, but it is recalled that the Regulation provides for a general obligation on the
Data Controller to implement the appropriate measures in order to adequately manage the risks for
the rights and freedoms of data subjects that may derive from the processing of their data. It will
therefore be advisable to carry out the impact assessment even when the legal obligation to do so is
not incumbent on the Data Controller.

Articles 37 – 38 and 39 introduce another fulfillment required by the Data Controller which consists
in the designation of the Data Protection Officer also referred to as Data Protection Officer. This
appointment, as required by art. 37 of the GDPR, is mandatory only in a series of hypotheses, in
particular, in the event that the processing of data is carried out by a public authority or a public
body (with the exception of the jurisdictional authorities when they perform their duties); where the
principal activities performed by the controller or processor consist of operations which, due to their
nature, scope or purpose, require regular and systematic monitoring of data subjects on a large
scale; and finally, in the case in which the main activities carried out consist in the treatment, on a
large scale, of sensitive data or data relating to criminal convictions and crimes consisting in the
unlawful processing of personal data. As also suggested by the Group of 29, the advisory and
independent body, composed of a representative of the personal data protection authorities
appointed by each Member State that has prepared the Guidelines and dictating regular
appointment of the person responsible for the protection of personal data, when the Regulation
does not specifically require the appointment of a DPO, this figure may in any case be designated by
the holder or by the person in charge of the processing on a voluntary basis.

5. LIABILITY OF THE INFORMATION SECURITY POLICY

The "data controller" and the "responsible" are responsible for the information management
system, in line with the evolution of the company and market context, evaluating possible actions to
be taken in relation to events such as:

Significant changes in the business;

· New threats compared to those considered in the risk analysis activity;
· Significant safety incidents;
· Evolution of the regulatory or legislative framework on the safe processing of information.

Updates regarding the use of cookies and the regulations on the processing of personal data can be
found on the Cookie and Privacy pages of the revolutiongaming.tech website.