MyGold SpA

PRIVACY RISK MANAGEMENT POLICY

pursuant to Articles 24, 25, and 32 of EU Regulation 2016/679 (GDPR)

and Legislative Decree 196/2003, as amended by Legislative Decree 101/2018 · Law 7/2000 · Legislative Decree 231/2007

Version: March 2026

OPO License: Bank of Italy No. 5008800

Privacy Contact: info@mygold.world

Transparency, proportionality, and accountability in the management of our customers’ personal data

Key principles at a glance:

  • GDPR (EU Regulation 2016/679): accountability and risk-based approach;
  • Privacy by Design (Art. 25 GDPR);
  • Data breach: notification to the Italian Data Protection Authority (Garante) within 72 hours;
  • DPIA: impact assessment for high-risk processing.

1. INTRODUCTION

MyGold SpA (hereinafter MyGold or the Company), as Data Controller pursuant to Article 4, paragraph 7 of EU Regulation 2016/679 (GDPR), is committed to ensuring the protection of the personal data of its customers and all individuals whose data is processed as part of its brokerage and custody services for physical gold and precious metals.

This Privacy Risk Management Policy describes, in a transparent and understandable manner, the approach adopted by MyGold SpA to identify, assess, and manage risks to the rights and freedoms of natural persons arising from the processing of personal data, in accordance with the accountability principle established by Article 5, paragraph 2, of the GDPR.

This document is published on the website www.mygold.world in the “Privacy” section, together with the Information on the Processing of Personal Data and the Cookie Policy, in order to ensure maximum transparency for interested parties.

2. REGULATORY REFERENCES

This Policy is drafted in accordance with the following regulatory framework:

  • EU Regulation 2016/679 (GDPR): protection of personal data;
  • Law 17 January 2000, n. 7: gold trading regulations, including identification and data retention requirements for OPO operators and their customers;
  • Legislative Decree 231/2007 (AML): anti-money laundering obligations to collect, retain, and report personal data related to KYC/KYB procedures, with a retention period of 10 years;
  • ISO/IEC 27001:2022: international standard for information security management systems, used as the reference for the technical and organizational measures adopted.

3. OUR APPROACH TO PRIVACY RISK MANAGEMENT

MyGold SpA adopts a systematic and documented approach to privacy risk management, based on the principles of proportionality and accountability established by the GDPR. This means that:

  • We assess the risks to the rights and freedoms of individuals before starting any new processing of personal data;
  • We adopt technical and organizational security measures proportionate to the level of risk identified (art. 32 GDPR);
  • For processing that presents a high risk, we conduct a Data Protection Impact Assessment (DPIA) pursuant to art. 35 GDPR;
  • The DPO supervises the risk assessment process.

4. HIGH-RISK PROCESSING AND DATA PROTECTION IMPACT ASSESSMENT (DPIA)

Given the nature of the services offered (brokerage and custody of physical gold, management of savings plans, and AML compliance), some of the processing performed by MyGold has characteristics that qualify it as high-risk for the rights and freedoms of data subjects and therefore requires a DPIA pursuant to Article 35 of the GDPR.

DPIAs are drafted and periodically updated with the involvement of the Compliance Officer. If a DPIA identifies a high residual risk despite the measures adopted, MyGold consults the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) pursuant to Article 36 of the GDPR before initiating or continuing the processing.

5. SECURITY MEASURES ADOPTED

Pursuant to Article 32 of the GDPR, MyGold adopts appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing.

5.1 Technical measures

Without disclosing confidential operational details, MyGold SpA has adopted the following technical security measures:

  • encryption of personal data in transit and at rest;
  • secure authentication systems for access to the platform;
  • data access control;
  • continuous monitoring of the security of information systems;
  • backup and disaster recovery procedures;
  • periodic security testing of IT infrastructures.

5.2 Organizational measures

  • Appointment of the Data Controller with formal responsibility for privacy compliance;
  • Designation of the Compliance Officer as internal contact for operational privacy issues;
  • Record of Processing Activities kept up to date pursuant to art. 30 GDPR;
  • Periodic training of staff on personal data protection and AML procedures;
  • Documented procedures for managing personal data breaches (see Section 6);
  • Data Processing Agreements (DPA, art. 28 GDPR) with all suppliers who process data on behalf of MyGold;
  • Application of the principles of Privacy by Design and Privacy by Default (art. 25 GDPR) to each new service or significant change to processing;
  • ISO/IEC 27001:2022 certified Information Security Management System (ISMS), used as the reference for all information security measures.

6. DATA BREACH MANAGEMENT

In the event of a personal data breach, the Company undertakes to:

  • promptly assess the nature and extent of the breach and the risk to the rights and freedoms of data subjects;
  • notify the breach to the Italian Data Protection Authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33 GDPR);
  • communicate the breach to the data subjects without undue delay if the risk to their rights and freedoms is high (Article 34 GDPR), describing the nature of the breach and the measures taken or proposed;
  • document all breaches in the Incident Log, including those that do not require notification to the Garante (Article 33, paragraph 5 GDPR).

7. PRIVACY BY DESIGN AND PRIVACY BY DEFAULT

MyGold integrates personal data protection into the design of every new service or significant change to existing processing (Privacy by Design), pursuant to Art. 25 GDPR. By default, we process only the personal data strictly necessary for each specific purpose, limiting collection, access, retention, and dissemination of data to what that purpose requires (Privacy by Default).

Before launching new processing operations that are likely to pose a high risk to the rights and freedoms of data subjects, MyGold conducts a Data Protection Impact Assessment (DPIA) with the involvement of the Data Protection Officer.

8. POLICY UPDATES

This Policy is reviewed annually by the Data Controller and the Compliance Officer, and additionally whenever significant regulatory changes occur or new processing operations require a new risk assessment.

The updated version is always available on www.mygold.world in the “Privacy” section.