Common use of PROCESSING WITH ELECTRONIC DEVICES Clause in Contracts

PROCESSING WITH ELECTRONIC DEVICES. 2.1 Management of authentication credentials The law envisages that access to electronic procedures that process personal data is permitted by Authorised Persons in possession of “authentication credentials” which allow them to bypass an identification procedure. Authentication credentials consist of a code for identifying the Authorised Person for processing personal data (user- ID) associated with a confidential password, or an authentication device (e.g.: smart card, token, one-time-pw), or a biometric characteristic. Authorised Persons must use and manage their authentication credentials in accordance with the following instructions. Individual user-IDs for accessing applications must never be shared amongst users (even if Authorised Persons for data processing). If other users must access data, they are required to request authorisation from their Manager. Authentication credentials (for example passwords or strong authentication devices like tokens, smart cards, etc.) that allow access to applications must be kept confidential. They must never be shared with other users (even if Authorised Persons for data processing). Passwords must be changed by the Authorised Person following the first use and subsequently, in observance of the specific corporate procedures, at least every three months in the case of sensitive and judicial data processing, or at least every six months for personal/shared data. Passwords must consist of at least eight characters or, if this is not permitted by the electronic device, by the maximum number of characters permitted. Passwords must not contain references that easily lead to the Authorised Person (e.g.: family names) and must be chosen in accordance with corporate regulations concerning the construction and use of passwords (see also point 3, below), unless more restrictive instructions are envisaged by corporate systems.

PROCESSING WITH ELECTRONIC DEVICES. 2.1 Management of authentication credentials The law envisages that access to electronic procedures that process personal data is permitted by Authorised Persons in possession of “authentication credentials” which allow them to bypass an identification procedure. Authentication credentials consist of a code for identifying the Authorised Person for processing personal data (user- user-ID) associated with a confidential password, or an authentication device (e.g.: smart card, token, one-time-pw), or a biometric characteristic. Authorised Persons must use and manage their authentication credentials in accordance with the following instructions. Individual user-IDs for accessing applications must never be shared amongst users (even if Authorised Persons for data processing). If other users must access data, they are required to request authorisation from their Manager. Authentication credentials (for example passwords or strong authentication devices like tokens, smart cards, etc.) that allow access to applications must be kept confidential. They must never be shared with other users (even if Authorised Persons for data processing). Passwords must be changed by the Authorised Person following the first use and subsequently, in observance of the specific corporate procedures, at least every three months in the case of sensitive and judicial data processing, or at least every six months for personal/shared data. Passwords must consist of at least eight characters or, if this is not permitted by the electronic device, by the maximum number of characters permitted. Passwords must not contain references that easily lead to the Authorised Person (e.g.: family names) and must be chosen in accordance with corporate regulations concerning the construction and use of passwords (see also point 3, below), unless more restrictive instructions are envisaged by corporate systems.

PROCESSING WITH ELECTRONIC DEVICES. 2.1 Management of authentication credentials The law envisages that access to electronic procedures that process personal data is permitted by Authorised Persons in possession of “authentication credentials” which allow them to bypass an identification procedure. Authentication credentials consist of a code for identifying the Authorised Person for processing personal data (user- user-ID) associated with a confidential password, or an authentication device (e.g.: smart card, token, one-one- time-pw), or a biometric characteristic. Authorised Persons must use and manage their authentication credentials in accordance with the following instructions. Individual user-IDs for accessing applications must never be shared amongst users (even if Authorised Persons for data processing). If other users must access data, they are required to request authorisation from their Manager. Authentication credentials (for example passwords or strong authentication devices like tokens, smart cards, etc.) that allow access to applications must be kept confidential. They must never be shared with other users (even if Authorised Persons for data processing). Passwords must be changed by the Authorised Person following the first use and subsequently, in observance of the specific corporate procedures, at least every three months in the case of sensitive and judicial data processing, or at least every six months for personal/shared data. Passwords must consist of at least eight characters or, if this is not permitted by the electronic device, by the maximum number of characters permitted. Passwords must not contain references that easily lead to the Authorised Person (e.g.: family names) and must be chosen in accordance with corporate regulations concerning the construction and use of passwords (see also point 3, below), unless more restrictive instructions are envisaged by corporate systems.