The flow of personal data

is subject to specific rules to ensure that the protection granted to personal data under European law is not affected by transferring the same data to a country without a system of safeguards considered similar to that guaranteed in the EU.

The external flow of personal data between

is considered legitimate and free if the European Commission has previously recognized with its own formal decision that there is a data protection system at the receiving country which offers personal data a protection similar to what they enjoy under EU law.

In the event that the receiving country is not included in the list of data protection adequate countries, a legal ground must be identified that makes such transfer legitimate. One of these legitimacy conditions that can be used effectively in transactions concerning the Company's relationship with Third Parties is the use of contractual terms binding the Company and the receiving Third Party to the same guarantees as provided by EU law for the protection of personal data. In this way, the obstacle to the non-applicability of EU law to the non-EU third-party is overcome, binding the Third Party to contractual requirements comparable with the rules set forth by the law.

For this legitimacy requirement to go beyond the ban on the transfer of personal data to countries without adequate protection, the contractual clauses used must be exactly the same as those officially approved by the EU Commission without any modifications.

In this respect, the Commission has, over the years, approved several sets of standard contractual clauses dealing with the following cases: