This Privacy Policy aims to illustrate the means and purposes of the processing of personal data carried out by Orthofix Srl, in its quality of data controller (hereinafter the "Controller" or the "Company"), in connection and through the website http://web.orthofix.com/sites/Country/uk/Pages/Home.aspx (hereinafter the "Website").

Please note that this Policy shall apply to anyone who navigates and/or uses the Website, or otherwise interacts with the contents and services accessible through the Website (hereinafter the "User").

The processing of personal data of the Users will take place full compliance with the applicable data protection legislation, including the Regulation (EU) 2016/679 (the "GDPR").

1. REDIRECT TO OTHER WEBSITES

The Website incorporates links which allow you to connect to other websites run both by other companies of Orthofix Group and by third parties. The Company assumes no responsibility regarding the processing of personal data which may take place through and/or in connection with third-parties' websites.

Therefore, each User who accesses such web pages and/or social platforms through the Website must carefully read the relevant privacy policies in order to better understand how their personal data will be processed by the third parties which, as autonomous controllers, will provide and manage such websites.

2. CATEGORIES OF PERSONAL DATA COLLECTED

A) Traffic data

The computer systems and software procedures used to operate this Website need to acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.

This category of data includes: IP addresses, browser type, operating system, the domain name and website addresses from which you are logged in or out, the information on pages visited by User within the Website, the time of access, time period of User's staying on a single page, the internal path analysis and other parameters regarding the User's operating system and computer environment.

This technical / IT data is collected and used only in an aggregated and not immediately identifiable manner and can be used to ascertain liabilities in case of hypothetical crimes committed within or against the Website or upon competent authorities' request.

B) Personal data provided directly from User

There are few sections of the Website (e.g. "Request for information", "Customer Service" and "Newsletter") which allow the collection only of those personal data which the User will decide to share with the Company. It remains understood that, in this case, the Controller must collect the data provided by the User in order to fulfil the requests received. Accordingly, if the User prefers that the Controller does not collect his/her personal data, he or she is invited not to send any request.

In any event, the Users will always be free, after having read this Policy in order to understand in detail how and for which purposes their personal data will be processed by the Company, to share his/her own data by filling out the specific forms available on the Website.

3. PURPOSES OF THE PROCESSING

The Website has been designed with the main goal of providing information – and therefore as an interactive window – regarding the activities, products and services offered by the companies belonging to Orthofix Group. This is the reason why, in most cases, the collection of the User's personal data is not required.

In any case, according to the principles set forth by the GDPR, the Website is also set to minimize the collection of personal data, as well as to exclude the processing of such data in all cases when the purposes described hereunder can be achieved with different means and/or by anonymous data.

Your personal data will be processed by the Company for the sole purposes of:

a) allowing an appropriate navigation on the Website;

b) allowing the Users to better explore and get more information regarding the activities, services and products offered by the Company and other legal entities of Orthofix Group;

c) answering and fulfilling the Users' requests;

d) to run the recruitment process and collect the CVs delivered through the Website;

e) to comply with obligations provided for by applicable laws and/or requests or orders made by competent authorities;

f) delivering promotional newsletter regarding the products and services of the Company.

Should the data be collected in the future also for purposes other than those described above, it will be duty of the Company, on one hand, to provide adequate information to the User relating to such new purposes in order to enable transparency and user awareness and, on the other hand, ensure that a valid legal basis (such as the User's consent) exists, where needed, to undertake the relevant processing.

4. LEGAL BASIS OF THE PROCESSING

The provision of personal data by the User - unless otherwise noted - is optional, but it must be highlighted that in case of refusal to make some data available to the Company, it could be impossible to fulfill the User's request or provide certain specific services (such as the newsletter).

The processing activities listed from a) to e) above do not require the acquisition of the User's consent, as they are based on different legal bases, i.e. the need to perform and provide the services which have been directly requested by the User and the need to ensure compliance with a legal obligation applicable to the Controller.

On the contrary, the although sending promotional newsletters requires the User's registration, the Company will not be able to deliver this kind of communication in absence of the User's prior specific consent.

5. METHODS OF THE PROCESSING AND DATA SECURITY

The personal data are collected and processed lawfully and fairly, for the above purposes and in accordance with the fundamental principles established by the applicable legislation.

Processing operations may take place both manually and electronically, or by information technology tools, always under technical and organisational measures that ensure the security and confidentiality of the data, especially in view of reducing the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to the personal data or, more generally, processing that is not compliant with the purposes of the collection.

The processing will be carried out under the authority of the Controller only by those subjects who have been duly authorized to access and process the data in accordance with the instructions provided for by the Company and the applicable data protection laws and regulations.

On the contrary, the although sending promotional newsletters requires the User's registration, the Company will not be able to deliver this kind of communication in absence of the User's prior specific consent.

6. COMMUNICATIONS TO THIRD PARTIES

The personal data collected through the Website will not be shared or communicated to third parties, unless upon specific consent of the User.

Should the data be made available by the Company to third-party suppliers or partners (such as service providers, mail carriers, hosting providers, IT companies, communication agencies) in order to enable them to perform specific services connected to or necessary for the fulfilment of the purposes listed above, it will be responsibility of the Controller to appoint such third parties as data processor by virtue of their capacity, experience and reliability and to provide them with specific instructions regarding the security of the data. The updated list of appointed data processors can be accessed at any time by sending a written request to the Company, as specified below.

It remains understood the Users' personal data must be communicated to third parties, such as public or judicial authorities, to comply with binding orders and request, as well as with applicable legal provisions.

7. DATA RETENTION

Personal data collected by the Website will be kept in a format that allows User's identification for no longer than necessary to fulfill the purposes for which the data have been originally collected and, in any case, within the time limits set forth by applicable laws and regulations, as well as to enforce or protect the rights of the Controller (consistent with the retention periods and statutes of limitations provided for by the law), where necessary.

When no longer necessary in accordance with the above, the data will be cancelled or anonymized.

It remains understood the Users' personal data must be communicated to third parties, such as public or judicial authorities, to comply with binding orders and request, as well as with applicable legal provisions.

8. COOKIES (CROSS-REFERENCE)

To get more detailed information regarding the installation and use of cookies by this Website, please refer to the applicable Cookie Policy.

9. TRANSFER OF DATA ABROAD

Given the international nature of the Controller's business activities, the data will be transferred and so processed abroad, still for the sole purposes described above, by the companies belonging to Orthofix Group which are established both inside and outside the territory of the European Union (mainly in the U.S.).

In all cases when the data will be transferred to non-EU countries, the relevant transmission will be subject to specific data protection guarantees, as required by the law, e.g. through the adoption of Standard Model Clauses as approved by the European Commission, or other equivalent safeguards.

10. DATA SUBJECTS' RIGHTS

The User can at any time exercise his/her rights, including:

a) accessing his/her personal data, obtaining evidence of the purposes pursued by the Controller, the categories of data involved, the recipients to whom they may be disclosed, the applicable storage period, the existence of automated decision-making processes;

b) having incorrect personal data referred to him/her rectified without delay;

c) having his data erased in the cases provided for by the law;

d) obtaining restrictions to processing, where possible;

e) requesting portability of the data provided to the Controller, i.e. receiving them in a structured, commonly used and machine-readable format, also for transmitting such data to another controller, without any hindrance by the Company, in all situations where it is required by the law in force;

f) lodge a complaint to the competent Supervisory Authority.

To exercise these rights, or for any further information and/or clarifications, please write to privacy@orthofix.it

11. DATA CONTROLLER

The Data controller is Orthofix Srl, a company duly incorporated under the Italian law, with registered office at Via Vittor Pisani 16, Milan (Italy).

The Data controller may be contacted by writing to privacy@orthofix.it

12. POLICY UPDATING

The Controller shall have the right to amend and/or integrate this Privacy Policy over time in order to comply with new legal provision and/or include new services. For this reason, each User is invited to periodically visit this page.

Below is highlighted the date when the last version of this policy has been uploaded.

Last Update: May 25, 2018