INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA ON THE BROOKS BROTHERS WEBSITE

Welcome to the Brooks Brothers website. Pursuant to art. 13 of the Regulations (EU) 2016/679 (hereinafter the "GDPR"), this page provides information on how we process your personal data that we collect when you visit the Site and interact with its services.

The information is provided only for the Website and possible sub-domains and not for the other websites that can be visited via hypertextual connections or links.

Please read this information carefully before providing your personal details.

1. DATA CONTROLLER

Progetto 17 S.r.l., with registered office in Piazza Arcole 4, 20143, Milan (MI), privacy@thelevelgroup.com and The Level S.r.l., with registered office in Piazza Arcole 4, 20124, Milan (MI), privacy@thelevelgroup.com ("TLG") are joint controllers of data processing for activities related to the sale of products offered on the Site. You can find out more about the essential content of the agreement pursuant to art. 26 GDPR between TLG and Progetto 17 S.r.l. by sending an email to privacy@thelevelgroup.com

Progetto 17 S.r.l is also the autonomous controller for the purposes of managing the Site and your registration on the Site (personal account), and for the marketing and profiling activities described in greater detail below.

TLG is also an autonomous controller for administrative and accounting purposes relating to the sale, as well as for any assistance relating to your purchase.

Hereinafter, when we use the expression "Joint Controllers", we will be referring jointly to Progetto 17 S.r.l and TLG. Conversely, you will find the reference to Progetto 17 S.r.l or TLG in the event that the information refers to only one of the two data controllers.

2. DATA PROTECTION OFFICER (DPO)

TLG has appointed a Data Protection Officer (DPO) whom you can contact by sending an email to: dpo@thelevelgroup.com

3. CATEGORIES OF PERSONAL DATA COLLECTED

a) Browsing data

Browsing the Site and accessing the related services involve the acquisition of some personal data relating to your browsing, such as, for example, the IP addresses or domain names of the devices you use to connect to the Site, the uniform resource identifier (URI) of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the IT environment you use.

b) Personal data you voluntarily provide

The personal data that you voluntarily provide to us when you register on the Website, access its services, purchase a product or interact with the customer support service, such as, for example, personal data, contact details, data relating to purchases and banking data.

c) Cookies

The Site uses cookies. For more information on cookies and their use on the Site, consult the cookie policy.

I. Processing carried out by the Joint Controllers

The Joint Controllers process your personal data for the following purposes:

A. Site registration (personal account)

Your personal data are processed to allow you to create a personal account on the Website and to access and use the related services.

The legal basis for this processing is the performance of a contract or pre-contractual measures requested by you.

The data are retained until you request the cancellation of your account or until the service is terminated.

B. Assistance and general information

Your data are processed to provide assistance in relation to purchases made in brick-and-mortar stores or on other online stores, as well as to respond to requests for general information about products or the brand.

The legal basis for this processing is the performance of a contract or pre-contractual measures requested by you, specifically responding to requests from the data subject.

The data are retained for the time necessary to respond to your request.

C. Marketing activities

With your consent, your personal data are processed to send you information and commercial communications, including promotional content, relating to the products and services of the Joint Controllers.

The legal basis for this processing is your consent.

The data are retained for 24 months following the last communication sent.

D. Profiling activities

With your consent, your personal data are processed to analyse your tastes, preferences, habits and behaviours in order to send personalised commercial communications based on your commercial and behavioural profile.

The legal basis for this processing is your consent.

The data are retained for a period of 12 months from the date of collection.

4. PURPOSE, LEGAL BASIS AND RETENTION PERIOD

I. Processing carried out by the Joint Controllers

The Joint Controllers process your personal data for the following purposes:

A. Site registration (personal account)

Your personal data are processed to allow you to create a personal account on the Website and to access and use the related services.

The legal basis for this processing is the performance of a contract or pre-contractual measures requested by you.

The data are retained until you request the cancellation of your account or until the service is terminated.

B. Assistance and general information

Your data are processed to provide assistance in relation to purchases made in brick-and-mortar stores or on other online stores, as well as to respond to requests for general information about products or the brand.

The legal basis for this processing is the performance of a contract or pre-contractual measures requested by you, specifically responding to requests from the data subject.

The data are retained for the time necessary to respond to your request.

C. Marketing activities

With your consent, your personal data are processed to send you information and commercial communications, including promotional content, relating to the products and services of the Joint Controllers.

The legal basis for this processing is your consent.

The data are retained for 24 months following the last communication sent.

D. Profiling activities

With your consent, your personal data are processed to analyse your tastes, preferences, habits and behaviours in order to send personalised commercial communications based on your commercial and behavioural profile.

The legal basis for this processing is your consent.

The data are retained for a period of 12 months from the date of collection.

II. Processing carried out by the Joint Controllers for sales purposes

E. Sale of products

Your personal data are processed in order to enter into and perform the sales contract for the products offered on the Site. This includes the management and fulfilment of purchase orders, delivery of products, communications relating to orders, management of payments and the performance of anti-fraud checks.

The legal basis for this processing is the performance of a contract or pre-contractual measures requested by you.

The data are retained for the period necessary to process the purchase order, without prejudice to any further retention required for subsequent purposes provided by law.

III. Processing carried out by TLG as autonomous Data Controller

F. After-sales assistance

Your personal data are processed to manage and respond to requests relating to products purchased on the Site, such as returns, refunds or complaints.

The legal basis for this processing is the performance of a contract or pre-contractual measures requested by you.

The data are retained for the period necessary to respond to your request, without prejudice to any further retention required for subsequent purposes.

G. Compliance with legal obligations

Your personal data are processed to comply with legal obligations, including civil, tax, public security, banking and personal data protection obligations.

The legal basis for this processing is compliance with legal obligations.

The data are retained for the period provided for by applicable legislation. In particular, billing data are retained for 10 years from the date of issue of the invoice.

H. Disputes and prevention of criminal acts

Your personal data are processed to assert or defend a right, as well as to detect and prevent fraud and other crimes or offences.

The legal basis for this processing is the legitimate interest of the Data Controller.

The data are retained for the period necessary to achieve the purposes for which they were collected, in accordance with applicable legislation, including provisions relating to limitation periods.

5. NATURE OF DATA PROVISION

The provision of data in the fields marked with an asterisk (*) for the purposes referred to in section 4(I) (A) and (B) and 4(II) and (III) above, is necessary to register on the Site, use the related services and purchase products on the Site. Failure to provide these data will make it impossible to obtain the products and services requested. The provision of data in the fields not marked with an asterisk, although useful in facilitating relations with the Joint Controllers, is optional and the failure to provide them will not affect your ability to obtain the requested products and services. Regarding the marketing and profiling purposes referred to in section 4(I)(C) and (D), the provision of data is optional and your refusal means the Joint Controllers will not be able to process the data you provide for marketing and profiling purposes. You may still register on the Site, purchase products and use the related services in accordance with the provisions of section 4(I)(A) and (B), (II) and (III).

6. EXISTENCE OF AN AUTOMATED DECISION-MAKING PROCESS (PROFILING)

The Joint Controllers intend to pursue the purposes referred to in section 4(I)(D) (profiling) by analysing information about the data subject (derived, for example, from the purchases made), so as to send personalised commercial communications and carry out targeted promotional and business intelligence actions. The processing will be carried out with data and/or information processing tools and, once the data are cross-checked, a commercial profile will be created of the data subject on the web. For the same purpose, such data and/or information will be associated with data and/or information subsequently provided by the data subject or already held by the Joint Controllers, including following the acceptance, if any, of the services offered by the latter.

7. METHODS OF PROCESSING DATA

Your data will be processed by the Joint Controllers using mainly information technology and telematics. Specific security measures have been implemented to prevent data loss, unlawful or improper use of and unauthorised access to data. The Joint Controllers have adopted all appropriate security measures required by law. Your data will be processed by the Joint Controllers as autonomous Controllers using mainly information technology and telematics in compliance with the technical and organisational rules aimed at preventing the unlawful, improper or unauthorised use of data.

8. CATEGORIES OF RECIPIENTS OF PERSONAL DATA AND DISCLOSURE OF DATA

To pursue the purposes for which the data are collected, the Joint Controllers as autonomous Controllers may communicate the data to the following categories of recipients or data processors:

• information technology service providers, including internet service providers and cloud service providers;

• persons who perform logistics, warehousing, promotional and delivery services for the Joint Controllers;

• entities that perform customer service activities;

• firms and other persons that provide assistance and consultancy services and services such as legal, fiscal, accounting, economic-financial, technical-organisational, data processing, communications;

• entities that provide banking, financial, insurance and debt recovery services;

• entities that perform fraud control activities with respect to payments;

• subsidiaries, parent companies, associated and affiliated companies;

• public authorities and supervisory and control bodies.

The updated list of data processors is available upon specific request made via the methods indicated in section 12. For the sole purposes specified above, your personal data may also be communicated to the Joint Controllers'/autonomous Controllers' authorised in-house personnel to process the data by reason of their respective duties. No data collected on the Site are disclosed.

9. TRANSFER OF DATA TO A THIRD COUNTRY AND/OR AN INTERNATIONAL ORGANISATION

Your personal data may be transferred, for the purposes for which they are collected, to the United States of America (USA), a country not belonging to the European Union. The transfer of personal data to entities located in the USA will take place exclusively after the signing, by the Joint Controllers and the non-EU recipient, of the standard contractual clauses adopted or approved by the European Commission (Article 46(2)(c) and (d) of the GDPR). To obtain a copy of such data, contact the Joint Controllers using the methods indicated in section 12

10. SOCIAL BUTTONS AND WIDGETS

The Site also includes social buttons/widgets. These social network icons (such as Facebook, Twitter, YouTube, and Instagram) allow you to access the social network by clicking on the relevant icon. Through these tools, you can share content and recommend products from the Site on social networks. By clicking on the social buttons/widgets, the social network may collect data relating to your visit to the Site. As stated above, this privacy policy does not concern the processing of your data by the social network and, as such, you should consult the privacy policy provided by such social network for more information.

Aside from the data you voluntarily share with the selected social network by clicking on the social buttons/widgets, the Joint Controllers do not disclose or share any personal data with the social network.

11. MINORS

The Site and services are intended for the sale of products and services to persons of legal age. As such, the Joint Controllers do not intentionally collect the personal data of persons under the age of 18. By accessing the services of the Site, you declare that you are of legal age.

12. RIGHTS OF DATA SUBJECTS

With respect to the personal data you provide, you have the right, at any time:

• to obtain confirmation as to whether or not personal data concerning you are being processed, and, if so, to access the personal data and obtain a copy (Article 15 of the GDPR);

• to obtain the rectification of inaccurate personal data concerning you or to have incomplete personal data completed, taking into account the purposes of the processing (Article 16 of the GDPR);

• to obtain the erasure of personal data concerning you in the cases referred to in Article 17 of the GDPR;

• to obtain restriction of processing in the cases referred to in Article 18 of the GDPR;

• to object to the processing of personal data concerning you in the cases referred to in Article 21 of the GDPR;

• to data portability if the processing is based on your consent or on a contract and it is carried out with automated means (see Article 20 of the GDPR);

• if you have expressly authorised the processing of your personal data for one or more specific purposes (Article 6(1)(a) of the GDPR), to withdraw your consent without affecting the legality of the processing based on the authorisation given before such withdrawal.

To exercise these rights, please send a message to: privacy@thelevelgroup.com You may also exercise your rights by sending a letter to each Joint Controller at the address indicated in section 1, if the processing is carried out by them under a Joint Controller Agreement. Finally, you also have the right to lodge a complaint with the control body—the Personal Data Protection Authority—in accordance with the established procedures.