DeACapital Real Estate SGR S.P.A., with registered office in Rome, Via Saverio Mercadante n. 18, telephone number (+39) 06.681631, fax (+39) 06.68192090, e-mail privacy-RE@deacapital.com, as the Data Controller (hereinafter, the "Company” or the “Controller”), provides this notice about the processing of the personal data collected by theusers who browse the website, accessible online at the following address https://milano3puntozero.it (the “Website”) and/or who make a request to the Controller DeA Capital RE SGR about the lease or purchase of properties of the Italian alternative real estate investment fund reserved in closed form, named “Leone – Fondo di investimentoAlternativo Immobiliare di Tipo Chiuso Riservato” managed by the Company(hereinafter, the “Fund”).

The personal data of the Website user (hereinafter, the “User”) are collected directly from the site and are processed in compliance with the provisions of the GDPR, with applicable regulations, and with the present notice according to principles of correctness, lawfulness, transparency and the protection of confidentiality.

The procedures and IT systems set up for the Website acquire, during their normal operation, some personal data the transmission of which is implicit in the use of internet communication protocols, to allow the User to browse the Website or provide a service requested by said User.

The Company uses:

• technical cookies, without which the viewing of the Website or some operations could not be performed or would be more complex and/or less secure;
• analytics cookies, to collect browsing data in aggregate and anonymous form for solely statistical purposes;
• profiling cookies, which can be processed by the Company only with the prior consent of the User (cfr. section 1.3).

For detailed information about cookies and about the third parties who become aware of the data collected through the use of cookies, also see the cookie policy notice available at the following link: https://milano3puntozero.it/out-milano/en/cookie-policy.html. For User data collected by third parties through the use of technical and analytics cookies, see the relevant privacy and cookie notices available as indicated in the cookie notice.

The User can, through the Website, request to be contacted by the Company in order to receive information about the lease and/or purchase of the of the properties of the Fund promoted through the Website. In this case, the personal data provided voluntarily by the User (also by filling in the specific form on the Website) and transmitted to the Data Controller concern: name and surname, telephone number, e-mail address (“Personal Identifiable Data”).

PersonalIdentifiable Data and/or the data collected through the use of the profiling cookies indicated in the specific cookie notice may alsobe processed by the Company, provided that the User’s consent is obtained, for promotional and/or commercial ends, for the purposes described in section 2, letter c) below. For more detailed information about profiling cookies and about the third parties who carry out marketing services through the use of profiling cookies, please see to the cokie notice.

The personal data indicated in sections 1.1 to 1.3 above are collectively defined as "Personal Data”.

Personal data are processed for the following purposes.

• Browsing data (section 1.1): to carry out the activities necessary to (i) to ensure that the services offered are working properly and to allow the User to view the Website safely and efficiently; (ii) collect information of a statistical nature in aggregate form to evaluate the effectiveness of the web services; for these purposes, the consent of the User is not required; (iii) profiling cookies for the purposes set out in letter c) below, of this section; for these purposes, the User's consent is required.
• Personal Identifiable Data (section 1.2): (i) to meet specific User requests regarding the lease and/or purchase of properties owned by the Fund, promoted by the Website; the legal basis for the processing is the implementation of pre-contractual and contractual measures adopted at the request of the interested party (Article 6, letter b) of the GDPR);
• Personal Data (section 1.3): with regards to Personal Identifiable Data, the sending of messages of a promotional and marketing nature, with regards to (i) commercial offers for the lease and/or purchase of properties owned by the Fund and promoted through the Website; (ii) newsletters and e-mails regarding commercial offers for the lease and/or purchase of properties, other than those referred to in point (i) above, also those promoted on other websites of the company; with regards to User data collected through the use of profiling cookies, the delivery of advertising content on a site or application, and the tracking of data related to the User's browsing traffic through other tracking tools for commercial and advertising purposes; the legal basis for the processing is the express consent given by the User (article 6, letter a) of the GDPR);
• Personal Data (section 1): the transfer of data to third parties [for the performance of communication and marketing services also related to the use of profiling cookies as per letter c) above, for statistics services, as per letter a) above, and/or services of managing or administrating the properties promoted on the Website. Third party recipients of the User's Personal Data are indicated in section 3 below; the legal basis for the processing is the express consent given by the User (article 6, letter a) of the GDPR);
• Personal Data (section 1): (i) fulfilment of obligations mandated by applicable law; (ii) the ascertainment of any crimes by the judicial authority; the legal basis for the processing is the fulfillment of a legal obligation to which the Controller is subject (article 6, letter c) of the GDPR);
• Personal Data (section 1): (i) the exercise, where necessary, of the Controller’s rights, for example the right to defense in court; the legal basis for the processing is the pursuit of the Controller’s legitimate interest to protect their rights or their right to defense (article 6, letter (f) of the GDPR).

In carrying out its activity and for the purposes set out in section 2 above, the User's Personal Data may be disclosed to:

• third parties for carrying out marketing activities, also related to the use of profiling cookies;
• third parties who are involved with the management and administration of the properties promoted through the Website (for example, agents, property managers, facility managers, etc.);
• third parties who carry out statistical activities aimed at evaluating the effectiveness of web services;
• judicia land/or supervisory authorities, supervisory authorities, if they so request;
• companies which are part of the Controller’s group.

Personal data are processed by:

• the Controller’s employees and/or collaborators, who operate on the basis of the instructions provided by the Controller. The system administrator may also have access to the Personal Data during the performance of their duties. The name of the aforementioned subjects may be requested from the Controller, by contacting: privacy-RE@deacapital.com;
• the processors appointed for this purpose by the Controller. The list of processors appointed by the Company can be requested at the following e-mail address: privacy-RE@deacapital.com.

The processing of Personal Data is carried out by the Controller mainly in Italy on the Controller’s servers and/or on those of the appointed third-party companies and/or those appointed as processors. With regards to the purposes set out in section 2 above, Personal Data may be transferred to third parties in Europe.

Personal data will be stored according to the following criteria:

• for the purposes referred to in letter a) of section 2 above, for a period of time not exceeding 365 days from the viewing of the Website by the User, unless a different period of time is required for regulatory compliance;
• for the purposes referred to in letter b) of section 2 above, for a period of time not exceeding 365 days from the last request for information sent by the User to the Company regarding the properties promoted through the Website, unless a different period of time is required for regulatory compliance;
• for the purposes referred to in letter c) of section 2, points (i) and (ii) above, for a period of time not exceeding 365 days, from the collection of the Personal Data and related acquisition of the User’s consent, unless a different period of time is required for regulatory compliance, without prejudice to the possibility of the User to exercise the rights referred to in paragraph 7 below in the manner referred to in paragraph 9 of this policy; the User in particular has the right to withdraw their consent at any time without prejudice to the lawfulness of the processing based on their consent prior to the     withdrawal;
• for the purposes referred to in letter c) of section 2 above with regards to the use of profiling cookies for marketing purposes, for a period of time of 365 days, unless a different period of time is required for regulatory compliance, without prejudice to the possibility of the User to exercise the rights referred     to in paragraph 7 below in the manner referred to in paragraph 9 of this policy; the User in particular has the right to withdraw their consent at any time without prejudice to the lawfulness of the processing based on their consent prior to the withdrawal;
• for the purposes referred to in letter d) of section 2 above, for a period of time not exceeding 365 days, from the collection of the Personal Data and the related acquiring of the User’s consent, unless a different period of time is required for regulatory compliance, without prejudice to the possibility of the User to exercise the rights referred to in paragraph 7 below in the manner referred to in paragraph 9 of this policy; the User in particular has the right to     withdraw their consent at any time without prejudice to the lawfulness of the processing based on their consent prior to the withdrawal;
• for the purposes referred to in letter e) of section 2 above, for a period of time not exceeding that required for the fulfillment of regulatory obligation and/or the ascertainment of an alleged crime;
• for the purposes of legitimate interests as per letter f) of section 2 above, for the period of time necessary for the pursuit of the Controller’s legitimate interests to protect their rights or their right to defense by the collection of Personal Data.

The processing of personal data will be carried out using electronic and/or telecommunications tools, with a logic strictly related to the purposes referred to in section 2 above, and in any case in such a way as to guarantee the security and confidentiality of said data.

With regards to their Personal Data, the User may, at any time, exercise the rights provided for in Articles 15 to 22 of the GDPR, in the manner and terms established therein. In particular, the User has the right to:

• Ask the Controller for access to, correction of, and erasure of browsing data (“right to be forgotten”) which pertain to said User or the limitation of the processing of such data;
• oppose the processing of browsing data;
• obtain the portability of the browsing data;
• withdraw the consent requested by the Controller and potentially given by the user, at any time, and without compromising the lawfulness of the processing based on the consent given before its withdrawal.

In regards to any type of data processed by the Controller, the User has the right— if they believe that the processing of their browsing data has occurred or is occurring in violation of the GDPR and of the applicable regulations at the time, and with no prejudice to their right to file an appeal to any other court— to lodge a complaint with the Supervisory Authority for personal data protection, in the manner indicated on the site www.garanteprivacy.it.

The user can exercise their rights at any time, as per section 7 above, by sending a message to the following address: privacy- RE@deacapital.com or to the Company’s registered office, Via Mercadante n. 18 – 00198, Rome.

With regards to the processing of Personal Data by party that manages the platform, the User can exercise the rights referred to in section 7 by sending a message in compliance with the provisions of the privacy notice available on the website of at the following link: https://milano3puntozero.it/out-milano/en/cookie-policy.html.

With regards to the purposes set out in section 2 above:

• for letter a), the provision of Personal Data is necessary in order to allow the User to view the Website effectively;
• for letter b), the provision of Personal Data is optional; the absence of data prevents the User from receiving information on properties for lease and/or sale;
• for  letters c) and d), the provision of Personal Data is optional and the User’s refusal will prevent them from receiving promotional messages and/or information also related to profiling cookies, and from receiving the services from third parties appointed by the Company;
• for letter e), the provision of Personal Data is mandatory for the fulfillment of legal obligations by the Controller;
• for letter f), the provision of Personal Data is mandatory and the User may oppose it in the manner referred to in section 9 above, without prejudice to the right of the Company to assert any overriding interest or to defend their rights in legal proceedings.

The Data Controller
‍Dea Capital Real Estate SGR S.P.A.