Privacy notice in accordance with Articles 13 and 14 of the General Data Protection Regulation no. 2016/679 (hereafter “GDPR”)

Since, in order to implement contractual or pre-contractual measures requested by you, or to execute a legal obligation, or to process some personal data that you have voluntarily provided to us for commercial, marketing and profiling purposes, we will process some of your personal data, in respect of the provisions of Art. 13 and Art. 14 of the GDPR, we wish to provide you with the due information for data subjects in relation to the processing of your personal data.

Joint Controllers

The Joint Controllers in accordance with Art. 4, no. 7 and 26 of the GDPR are:

• Rollon S.p.A., 20871 Vimercate (MB), Via Trieste no. 26, Tax Code 05999150963, as Joint Controller in accordance with Art. 4, no. 7 and 26 of the GDPR. The contact details are the following: Tel. +39 039 62591 E-mail infocom@rollon.com.
• Rollon GmbH, Bonner Straße 317-319 D-40589 Düsseldorf, Germany - Ust-IdNr. DE 119 356 738, Handelsregistereintrag Amtsgericht Düsseldorf, HRB 43711, as Joint Controller in accordance with Art. 4, no. 7 and 26 of the GDPR. The contact details are the following: Tel. +49 (0)211957470 E-mail: info@rollon.de.
• Rollon CORP., 101 Bilby Road. Suite B Hackettstown, NJ 07840 USA, as Joint Controller in accordance with Art. 4, no. 7 and 26 of the GDPR. The contact details are the following: Tel. +1 (973) 300-5492 E-mail: info@rolloncorp.com.
• Rollon S.a.r.l., Les Jardins d'Eole, 2 allée des Séquoias 69760 Limonest France as Joint Controller in accordance with Art. 4, no. 7 and 26 of the GDPR. The contact details are the following: Tel.+33 (0)474719330 E-mail: infocom@rollon.fr.
• Rollon B.V., Ringbaan Zuid 8 NL-6905 DB Zevenaar Netherlands, as Joint Controller in accordance with Art. 4, no. 7 and 26 of the GDPR. The contact details are the following: Tel.: +31 (0) 316 58 19 99 E-mail: info@rollon.nl.
• Rollon Ltd. UK, The Works, 6 West Street, Olney, Buckinghamshire, United Kingdom, MK46 5HR, as Joint Controller in accordance with Art. 4, no. 7 and 26 of the GDPR. The contact details are the following: Tel. +44 (0) 1234 964024 E-mail: info@rollon.uk.com.
• Rollon S.p.A.,117105, Москва, Варшавское шоссе, д. 17, стр. 1, Russia, as Joint Controller in accordance with Art. 4, no. 7 and 26 of the GDPR. The contact details are the following: Tel. +7 (495) 508-10-70 E-mail: info@rollon.ru.
• Rollon India Pvt. Ltd., 1st floor Regus Gem Business Centre 26/1 Hosur Road, Bommanahalli Bangalore 560068, India, as Joint Controller in accordance with Art. 4, no. 7 and 26 of the GDPR. The contact details are the following: Tel.: +91 80-67027066 E-mail: info@rollonindia.in.
• Rollon (Shanghai) Commerce & Trading Co. Ltd., No. 16 Jin Wen Road, China, Shanghai, 201323, as Joint Controller in accordance with Art. 4, no. 7 and 26 of the GDPR. The contact details are the following: Tel. +86 21-5811 8288 E-mail: info@rollon.cn.com.
• Rollon S.p.A., 〒105-0022 東京都港区海岸1-2-20 汐留ビルディング3F, as Joint Controller in accordance with Art. 4, no. 7 and 26 of the GDPR. The contact details are the following: Tel. 03 6721 8487 E-mail: info.japan@rollon.com.

(hereafter, jointly, the "joint Controllers")

The Joint Controllers have entered into a joint controller agreement concerning, inter alia, the distribution of responsibilities between the Joint Controllers in accordance with Art. 26 of the GDPR, the content of which is available from the offices of the individual Joint Controllers. In accordance with the GDPR, we hereby inform you that the personal data provided will be processed in accordance with the regulatory provisions referred to above and with the duties of confidentiality upon the Joint Controller and in the manner and for the purposes as set out below.
Rollon S.p.A. Italy (as Joint Controller) is the contact point for any questions regarding the personal data processing by the Joint Controllers and it can be contacted by the data subjects at the following e-mail address: privacy@rollon.com.

Contact details of Data Protection Officer (“DPO”)

Rollon S.p.A. Italy (hereafter, the “Company”) has appointed a DPO who can be contacted for any information and requests at the following details: dpo@rollon.com

Type of Personal Data processed and their source

The Joint Controllers will process generic Personal Data, not belonging to the special categories of personal data listed by Art. 9 of the GDPR, such as name, surname, residence and domicile, telephone number, email address, any bank and payment details, role and/or company position, tax data (hereafter, the "Personal Data").
The Personal Data are collected by the Joint Controllers:

• when contracts are entered into with one of the Joint Controllers or when steps prior to entering into a contract are requested;
• on the occasion of events or trade fairs;
• via online channels such as, for example, the Joint Controllers' websites;
• from the Joint Controllers' commercial partners, or third-party companies' internet portals;
• on the occasion of any other type of commercial agreement with the Joint Controllers.

Purposes and legal basis of/for the processing

Commercial Purposes
The Personal Data collected will be processed by the Joint Controllers in order to pursue their activities, for the purposes and on the legal bases set out below.
The Personal Data will be processed primarily for the purposes connected with the discharge of obligations relating to the commercial arrangements that your employer, your client or you personally are party to, or to take steps prior to entering into a contract that the Joint Controllers are asked to take or to comply with an obligation pursuant to law (hereafter "Commercial Purposes"). The Personal Data will, in particular, be processed for the Commercial Purposes on paper or by computer:

• to enter into or execute contracts regarding the Joint Controllers' products or services, including the performance of any activities linked or ancillary to the execution of the contracts, including, by way of example only, the provision of sales and after-sales services and handling of returns and warranties;
• to follow up requested measures prior to entering into a contract, relating to products or services of the Joint Controllers, including participation at promotional events or webinars or online events in general;
• to carry out any request relating to products or services purchased from the Joint Controllers;
• to handle receipts and payments;
• to comply with the statutory obligations imposed by law, by the GDPR, by national or EU legislation or by an order by the authorities to which the Joint Controllers are subject, such as civil, tax, accounting laws or regulations and national and international measures;
• to take the steps involved to comply with administrative, tax and accounting requirements;
• to exercise, where necessary, the Joint Controllers’ rights, such as the entitlement to enforce a right in the courts.

Legal bases of use of the Personal Data for Commercial Purposes and legitimate interests pursued: the Personal Data for the Commercial Purposes will be processed legitimately, without your express consent, in accordance with Art. 6. letter b), letter c) and letter f) of the GDPR, in conjunction between them; therefore, to fulfil commercial or legal obligations and also based upon our legitimate interest based upon the need to be able to implement correct commercial relationships with our customers and with persons who work for them and to implement internal administrative activities relating to relationships between the Joint Controllers and the parent companies or those associated in various guises (recital 48 GDPR).

Profiling purposes
The Personal Data collected on the occasion of any type of commercial contact with the Joint Controllers, or upon registering on the website of the same, may be processed (and therefore also disclosed) by the Joint Controllers, subject to your consent, for profiling purposes (hereafter “Profiling Purposes”), in electronic or automated form, for the following purposes:

• for profiling purposes, activity that involves analyzing Personal Data provided by you directly or indirectly, and the chosen products or services, for their cataloguing and the creation of an individual commercial profile, also using third party platforms
• for purposes of studying and analyzing your habits, purchasing preferences and interests, with reference to products of the Joint Controllers, also using third party platforms
• for purposes of predicting your future commercial preferences with reference to the products of the Joint Controllers, also using third party platforms;
• for purposes of predicting your preferences with reference to the qualities or types of services expected from the Joint Controllers, also using third party platforms;
• for the processing of purchasing statistics of the products of the Joint Controllers.

Legal basis for use of Personal Data for Profiling Purposes: the Personal Data for Profiling Purposes will be processed in accordance with Art. 6. letter a) and with Art. 7 of the GDPR, thus exclusively based upon your consent.

Marketing Purposes
Personal Data collected on the occasion of any type of commercial contact with the Joint Controllers or upon registering to their website may be processed (and, therefore, also disclosed), subject to your consent, for marketing purposes (hereafter “Marketing Purposes”) on paper and in electronic or automated form, for the following purposes:

• for sending, by email, post, SMS, fax or telephone contacts, advertising material, communications for commercial, marketing, promotional or advertising purposes relating to products and services of the Joint Controllers, not based on the results of the profiling activity if you have not provided consent for the Profiling Purposes;
• if, on the other hand, you have provided consent for the Profiling Purposes, for the execution of profiled marketing activities, and thus for the sending, by email, post, SMS, fax or telephone contacts of advertising material, communications for commercial purposes and direct marketing, promotional or advertising purposes relating to the products and services of the Company, following the performance of monitoring activity of some behaviors and profiling, through an IT platform in Cloud able to select the most suitable commercial offers for your profile;
• if you have provided your consent for the Profiling Purposes for the execution of marketing and selective advertising campaigns, based upon your interests and your preferences as obtained from the profiling activity;
• for the direct sale or placement of the Joint Controllers' products and services;
• for sending, by e-mail, post, text message, fax or telephone, of newsletters or invites to events, meetings or trade fairs organized by the Joint Controllers or in which the Joint Controllers are involved;
• for carrying out sample-based marketing research.
• for sending invitations to participate in webinars and online events in general aimed at presenting the products of the Joint Controllers, also using third party platforms.

Legal bases for use of Personal Data for Marketing Purposes and legitimate interests pursued: the Personal Data for Marketing Purposes are processed, in accordance with Art. 6. letter a) and with Art. 7 of the GDPR, thus based upon your consent or, where the presuppositions are in place, in the absence of consent, in accordance with Art. 6. letter f) of the GDPR, thus based upon a legitimate interest pursued by the Joint Controllers in promoting the sale of their products or services with entities with which the Joint Controllers have had a previous commercial relationship and, therefore, with a pertinent and appropriate relationship being in place. If the processing is carried out without your consent, on the basis of the Joint Controllers' legitimate interest, the direct marketing in order to send commercial communications will be limited to the Joint Controllers' services or products that are equivalent or similar to those previously sold to you or to the party you work for, and will be carried out in a manner that does not prejudice your fundamental rights and freedoms.

Recipients of the Personal Data

Personal Data processed for Commercial Purposes may be disclosed to the following categories of recipients:

• to public entities or to those that carry out services of public utility, which may access the Personal Data by virtue of legal provisions or the GDPR, within the limits envisaged by those rules (for example: Judicial authorities, offices of the Tax Authority or similar third parties);
• other parties to whom disclosure is necessary in relation to the performance of contracts, such as banks, shipping agents, carriers and any other third party involved in the performance of contracts to which the data subject or the organization for which the data subject works is party;
• the Joint Controllers' agents or distributors or third-party professionals working together with the Joint Controllers;
• the Joint Controllers' parent companies or companies in any way affiliated to them and their staff.

Access to Personal Data processed for Commercial Purposes may also be provided to external processors or persons appointed to carry out the processing, such as:

• the Joint Controllers' employees or collaborators;
• external consultants providing legal, tax or commercial consultancy services or external parties carrying out work in connection with the Joint Controllers' business;
• website and cloud providers and IT technicians providing support;
• commercial agents.

The Personal Data for Profiling Purposes may be made accessible to persons who have assumed the capacity of external processors, such as:

• entities instructed by the Company to perform profiling activities on behalf of the Joint Controllers as they manage cloud platforms that facilitate the analysis and prediction of preferences;
• entities instructed by the Company to permit the obtaining of catalogues of the Company and the CAD models of the respective products;
• entities instructed by the Company to support the participation in webinars or online events via online platforms.

Access to Personal Data processed for Marketing Purposes may also be provided to external processors or persons appointed to carry out the processing, such as:

• persons instructed by the Company to perform commercial promotion activity on behalf of the Joint Controllers of industrial products such as linear guides and linear motion systems and, in particular, for the provision of catalogues of the Company and CAD models of the respective product;
• persons instructed by the Company to perform commercial promotion activity on behalf of the Joint Controllers of industrial products such as linear guides and linear motion systems, even by way of cloud platforms;
• entities instructed by the Company to support the participation in webinars or online events via online platforms.

The Personal Data processed for Marketing Purposes, only subject to your express consent in writing, may also be disclosed to:

• the Joint Controllers' parent companies or companies in any way affiliated to the Joint Controllers, as well as their staff, involved in the marketing of industrial products such as rolling bearings, alloy steels and relative components.

If the Personal Data is disclosed to those entities, the latter, before carrying out the processing, will autonomously issue a privacy notice in relation to the processing of your Personal Data, in accordance with Art. 14 of the GDPR, with the specific indication of the origin of the Personal Data disclosed.

The Personal Data provided for Commercial Purposes, for Marketing Purposes or for Profiling Purposes will not be disseminated.

For transactions relating to assets or corporate transactions (e.g. mergers or acquisitions), the Personal Data will probably be transferred and may be shared with the legal successors to the extent permitted by the law and by the GDPR, by virtue of a legitimate interest on the part of the Joint Controllers.

Processing methods

The processing of the Personal Data will involve its collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication to the parties listed above, restriction, erasure or destruction.
The Personal Data will be processed both on paper and using IT or automated tools via the use of hardware and software owned by the Joint Controllers or third parties.
The Personal Data may be entered in the CRM, AX system and other company databases or in platforms made available by external processors, for the Commercial Purposes, for the Marketing Purposes and for the Profiling Purposes.
The logical and physical security of the Personal Data and, in general, the confidential nature of the Personal Data processed will in any event be guaranteed, with all necessary technical and organizational measures being put in place in order to ensure the security of the Personal Data.

Personal Data storage period

The Personal Data collected for the Commercial Purposes will be processed and stored:

• for the entire duration of the contractual relationship between you and the Joint Controllers, or between the Joint Controllers and the party for which you work or work with on whatever basis;
• for the period thereafter (until the limitation periods expire) for contractual and non-contractual proceedings during the course of which information including your Personal Data must be stored in order to demonstrate proper performance by the Joint Controllers of the contracts to which they are party.

The Personal Data collected for the Marketing Purposes and for the Profiling Purposes, given the processing purposes and the peculiarities of the sector in which the Joint Controllers operate, will be processed and stored for a period of 24 months, except if your consent to processing for Marketing Purposes and/or Profiling Purposes is renewed.

Provision of the Personal Data

Provision of the Personal Data for Commercial Purposes is optional. However, if the data are not provided, this may make it impossible to enter into or perform the contract or the commercial relationship or to take the steps prior to entering into a contract that are requested.
The provision of Personal Data for Marketing Purposes is always optional. The only consequence of not doing so will be that you cannot be contacted to be told about commercial initiatives or products and services marketed by the Joint Controllers, unless you so request, except where marketing activity can be carried out on the basis of a legitimate interest in accordance with Art. 6 letter f) of the GDPR. You may deny consent to the use of the Personal Data for Marketing Purposes even if you have had to provide the Personal Data for Commercial Purposes or you intend to give your consent to Profiling Purposes. The consent for Marketing Purposes can be withdrawn at any time, simply by sending an e-mail to privacy@rollon.com.
The provision of Personal Data for Profiling Purposes is always optional. Any failure to provide the data will have as the only consequence the fact that the Joint Controllers may not process data involving the profiling of your purchasing habits by analyzing your Personal Data and, consequently, submitting to you offers, commercial communications or invitations to events based upon your preferences. You may deny consent to the use of the Personal Data for Profiling Purposes even if you have had to provide the Personal Data for Commercial Purposes or you intend to give your consent to Marketing Purposes. The consent for Profiling Purposes can be withdrawn at any time, simply by sending an e-mail to privacy@rollon.com.

Transfer of the Personal Data outside the EU

Personal Data collected for the Commercial Purposes, for the Marketing Purposes and for the Profiling Purposes can be transferred to third countries outside the European Union in which certain Joint Controllers and certain Joint Controllers' parent companies or companies in any way affiliated to the Joint Controllers or some external processors are based.
If the Personal Data are transferred overseas to non-EU countries, this will be in the presence of adequate safeguards, i.e.:

• In conformity with the provisions of Art. 45 of the GDPR, and, therefore, to countries for which adequacy decisions have been made by the European Commission confirming that the non-EU country offers an adequate level of protection for Personal Data transferred out of the European Union; or, alternatively,
• in conformity with the provisions of Art. 46 of the GDPR via the adoption of standard contractual clauses for the protection of Personal Data adopted by the European Commission on the basis of versions no. 2010/87/EU (cross-border transfers from controller to processor) and version no. 2004/915/EU (cross-border transfers from controller to controller), ensuring effective legal remedies and the data subjects' rights, including by entering into joint-controllers agreements.

Those agreements are available from the registered office of Rollon S.p.A. (Italy) and the data subjects may request a copy by e-mail at the following address privacy@rollon.com.

Children

The Joint Controllers' products are not intended for those aged under 18. It follows that the Joint Controllers do not intentionally collect Personal Data or, in general, personal information relating to children. Where such information on children is unintentionally recorded, the Joint Controller will erase it promptly, at the users' request.

Data subject rights

In accordance with Chapter III, Section I, of the GDPR, the data subject can exercise the rights referred to therein and, more specifically:

• Right of access - the right to obtain confirmation as to whether or not Personal Data are being processed, and, where that is the case, to receive information relating, in particular, to: the purposes of the processing, the categories of Personal Data processed and the storage period, the recipients to whom the Personal Data can be disclosed (Art. 15 of the GDPR);
• Right to rectification - the right to obtain, without undue delay, the rectification of inaccurate Personal Data and the right to have incomplete Personal Data completed (Art. 16 of the GDPR);
• Right to erasure - the right to obtain, without undue delay, the erasure of Personal Data, in the cases specified by the GDPR (Art. 17 of the GDPR);
• Right to restriction - the right to obtain restriction of processing, in the cases specified by the GDPR (Art. 18 of the GDPR);
• Right to data portability – the right to receive the Personal Data provided in a structured, commonly used and machine-readable format and the right to have those data transferred to another Joint Controller without hindrance, in the cases specified by the GDPR (Art. 20 of the GDPR);
• Right to lodge a complaint with a supervisory authority - the right to lodge a complaint with a personal data protection supervisory authority in the Member State of the data subject's habitual residence or place of work or place of infringement of the GDPR (Art. 77 of the GDPR). More specifically, in the case of Italy, to the Autorità Garante per la protezione dei Dati Personali, Piazza Venezia no. 11, 00186 Rome (RM).

Additional rights of the data subject: right to object and right to withdraw

In accordance with Chapter III, Section I, of the GDPR, the data subject can, in particular, exercise the following additional rights:

• Right to object - the right to object to the processing of the Personal Data, save where there are legitimate grounds on which to continue the processing (Art. 21 of the Regulation);
• Right to withdraw - where the data subject has provided his or her consent to the processing of the Personal Data for the purposes for which they were requested, he or she shall be at liberty to revoke that consent at any time by doing so in an e-mail sent to privacy@rollon.com, without having to comply with any specific formalities. Upon receipt of that request, the Personal Data will no longer be processed for the purposes for which consent was requested.

Exercise of the rights of the data subject

You may exercise all of the rights referred to in this privacy notice simply by e-mailing a request to privacy@rollon.com. This can be done free of charge, without having to follow any particular procedure and will take effect immediately in relation to all of the Joint Controllers.

Absence of automated decision-making processes in accordance with Art. 22 GDPR

The Company and the Joint Controllers will not make any decision based solely on automated processing that may produce legal effects relating to you or that may similarly significantly affect your person.