Privacy notice pursuant to Articles 13 and 14 of the General Data Protection Regulation No. 2016/679 (the “GDPR”)

In order to take the contractual steps or steps prior to entering into a contract that you have requested or to process certain data that you have provided us with for commercial and marketing purposes or to comply with obligations pursuant to law, we will be processing some of your personal data. In accordance with Articles 13 and 14 of the GDPR, we therefore set out the information to be given to data subjects in relation to the processing of your personal data that we will be carrying out.

Joint Controllers

The joint controllers pursuant to Article 4 (7) and Article 26 of the GDPR are:

• Rollon S.p.A., Via Trieste 26, 20871 Vimercate (MB), tax code 05999150963, as joint controller in accordance with Article 4 (7) and Article 26 of the GDPR. Contact details: Tel. +39 039 62591 E-mail: infocom@rollon.com.
• Rollon GmbH, Bonner Straße 317-319 D-40589 Düsseldorf, Germany - Ust-IdNr. DE 119 356 738, Handelsregistereintrag Amtsgericht Düsseldorf, HRB 43711, as joint controller in accordance with Article 4 (7) and Article 26 of the GDPR. Contact details: Tel. +49 (0)211957470 E-mail: info@rollon.de.
• Rollon CORP., 101 Bilby Road. Suite B Hackettstown, NJ 07840 U.S.A., as joint controller in accordance with Article 4 (7) and Article 26 of the GDPR. Contact details: Tel. +1 (973) 300-5492 E-mail: info@rolloncorp.com.
• Rollon S.a.r.l., Les Jardins d'Eole, 2 allée des Séquoias 69760 Limonest France as joint controller in accordance with Article 4 (7) and Article 26 of the GDPR. Contact details: Tel.+33 (0)474719330 E-mail: infocom@rollon.fr.
• Rollon B.V., Ringbaan Zuid 8 NL-6905 DB Zevenaar Netherlands, as joint controller in accordance with Article 4 (7) and Article 26 of the GDPR. Contact details: Tel. +31 (0) 316 58 19 99 E-mail: info@rollon.nl.
• Rollon Ltd. UK, The Works, 6 West Street, Olney, Buckinghamshire, United Kingdom, MK46 5HR, as joint controller in accordance with Article 4 (7) and Article 26 of the GDPR. Contact details: Tel. +44 (0) 1234 964024 E-mail: info@rollon.uk.com.
• Rollon S.p.A.,117105, Москва, Варшавское шоссе, д. 17, стр. 1, Russia, as joint controller in accordance with Article 4 (7) and Article 26 of the GDPR. Contact details: Tel. +7 (495) 508-10-70 E-mail: info@rollon.ru.
• Rollon India Pvt. Ltd., 1st floor Regus Gem Business Centre 26/1 Hosur Road, Bommanahalli Bangalore 560068, India, as joint controller in accordance with Article 4 (7) and Article 26 of the GDPR. Contact details: Tel. +91 80-67027066 E-mail: info@rollonindia.in.
• Rollon Ltd, No. 16 Jin Wen Road, China, Shanghai, 201323, as joint controller in accordance with Article 4 (7) and Article 26 of the GDPR. Contact details: Tel. +86 21-5811 8288 E-mail: info@rollon.cn.com.
• Rollon S.p.A., 〒105-0022 東京都港区海岸1-2-20 汐留ビルディング3F, as joint controller in accordance with Article 4 (7) and Article 26 of the GDPR. Contact details: Tel. 03 6721 8487 E-mail: info.japan@rollon.com.

(referred to below jointly as the "joint Controllers")

The Joint Controllers have entered into a joint controllers agreement regarding, in particular, the distribution of responsibilities as between the Joint Controllers in accordance with Article 26 of the GDPR, the content of which can be obtained at each individual Joint Controller's registered office. In accordance with the GDPR, we hereby inform you that the personal data provided will be processed in accordance with the regulatory provisions referred to above and with the duties of confidentiality upon the Joint Controller and in the manner and for the purposes as set out below.
Rollon S.p.A. Italian (as Joint Controller) is the contact point for any questions regarding the personal data processing by the Joint Controllers and can be contacted by data subjects at the following e-mail address: privacy@rollon.com.

Type of personal data processed and their source

The Joint Controllers will be processing generic personal data that are not in the special categories of personal data listed in Article 9 of the GDPR, such as name, surname, residence, home address, telephone number, e-mail address, bank and payment details (if any) role and/or classification within a business and tax details (referred to below as the "Personal Data").
The Personal Data are collected by the Joint Controllers:

• when contracts are entered into with one of the Joint Controllers or when steps prior to entering into a contract are requested;
• on the occasion of events or trade fairs;
• via on-line channels such as, for example, the Joint Controllers' website;
• from the Joint Controllers' commercial partners, or third-party companies' internet portals;
• on the occasion of any other type of commercial agreement with the Joint Controllers.

Purposes and legal basis of/for the processing

Commercial Purposes
The Personal Data collected will be processed by the Joint Controllers in order to pursue their activities, for the purposes and on the legal bases set out below.
The Personal Data will be processed primarily for the purposes connected with the discharge of obligations relating to the commercial arrangements that your employer, your client or you personally are party to, or to take steps prior to entering into a contract that the Joint Controllers are asked to take or to comply with an obligation pursuant to law (referred to below as the "Commercial Purposes"). The Personal Data will, in particular, be processed for the Commercial Purposes on paper or by computer in order to:

• enter into or perform contracts regarding the Joint Controllers' products or services, including the performance of any activities linked or ancillary to performance of the contracts, including, by way of example only, the provision of sales and post-sales services and handling returns and warranties;
• implement requested steps prior to entering into a contract relating to the Joint Controllers' products or services;
• carry out any request relating to the products or services purchased from the Joint Controllers;
• handle receipts and payments;
• comply with the statutory obligations imposed by law, by the GDPR, by national or EU legislation or by an order by the authorities that the Joint Controllers are subject to, such as civil, tax, accounting laws or regulations and national and international measures;
• take the steps involved to comply with administrative, tax and accounting requirements;
• exercise, where necessary, the Joint Controllers rights, such as the right to enforce a right in the courts.

Legal bases for use of the Personal Data for Commercial Purposes and legitimate interests pursued: the Personal Data for Commercial Purposes will be processed legitimately, without your express consent, in accordance with Article 6 (b), (c) and (f) of the GDPR, concurrently with one another, and, therefore, in order to comply with commercial or legal obligations and, in addition, on the basis of our legitimate interest given the need to establish proper commercial relationships with clients and with parties working for the same and to complete internal administrative steps relating to dealings between the Joint Controllers and their parent companies or companies in any way affiliated to the Joint Controllers (GDPR Recital 48).

Marketing Purposes
The Personal Data collected on the occasion of any type of commercial contact with the Joint Controllers may be processed (and, therefore, disclosed as well), with your consent, for marketing purposes (the "Marketing Purposes") on paper and in computerized or automated form, for the following purposes:

• to send, by e-mail, post, text message, fax or telephone, advertising material or communications for commercial, marketing, promotional or advertising purposes, relating to the Joint Controllers' products and services;
• the direct sale or placement of the Joint Controllers' products and services;
• to send, by e-mail, post, text message, fax or telephone, newsletters or invites to events, meetings or trade fairs organised by the Joint Controllers or which the Joint Controllers are involved in;
• to carry out sample-based marketing research.

You can say that you only want to receive communications for Marketing Purposes via traditional forms of contact (telephone or post) by e-mailing the Joint Controllers.
Legal bases for use of the Personal Data for Marketing Purposes and legitimate interests pursued: the Personal Data for Marketing Purposes will be processed in accordance with Article 6 (a) and Article 7 of the GDPR, i.e. on the basis of your consent, or, where the relevant grounds are met, in the absence of consent, in accordance with Article 6 (f) of the GDPR, i.e. on the basis of a legitimate interest on the part of the Joint Controllers in selling their products or services to parties they have had a commercial relationship with in the past and, therefore, where there is already a relevant and appropriate relationship in place. Where the processing is carried out without your consent, on the basis of the Joint Controllers' legitimate interest, the direct marketing in the form of despatch of commercial communications will be limited to the Joint Controllers' services or products that are equivalent or similar to those previously sold to you or to the party you work for, and will be carried out in a manner that does not prejudice your fundamental rights and freedoms.

Recipients of the Personal Data

Personal Data processed for Commercial Purposes may be disclosed to the following categories of recipients:

• public parties and parties that provide public services able to access the Personal Data pursuant to provisions of the law of the GDPR, to the extent permitted by the same (e.g. the judicial authorities, offices in the Department of Revenue or similar parties);
• other parties to whom disclosure is necessary in relation to the performance of contracts, such as banks, shipping agents, carriers and any other third party involved in the performance of contracts that the data subject or the organisation that the data subject works for is party to;
• the Joint Controllers' agents or distributors or third-party professionals working together with the Joint Controllers;
• the Joint Controllers' parent companies or companies in any way affiliated to the Joint Controllers with the Joint Controllers, and their staff.

Access to Personal Data processed for Commercial Purposes may also be provided to external processors or persons appointed to carry out the processing, such as:

• the Joint Controllers' employees or contract staff;
• external consultants providing legal, tax or commercial consultancy services or external parties carrying out work in connection with the Joint Controllers' business;
• website and cloud providers and IT technicians providing support;
• commercial agents;
• Joint Controllers, as listed above.

Personal Data processed for Marketing Purposes, only where you have provided your consent in writing, may also be disclosed to:

• the Joint Controllers' commercial partners for the purposes of the marketing of industrial products such as linear guides and linear movement systems;
• parties appointed by the Joint Controllers to carry out the commercial promotion and marketing on behalf of the Joint Controllers of industrial products such as linear guides and linear movement systems;
• the Joint Controllers' parent companies or companies in any way affiliated to the Joint Controllers, as well as their staff, involved in the marketing of industrial products such as rolling bearings, alloy steels and relative components;
• Joint Controllers, as per the annex referred to above.

Where Personal Data are disclosed to these parties, before carrying out the processing, in accordance with Article 14 of the GDPR they will independently provide their own privacy notice in relation to the processing of your Personal Data, specifically stating the source of the Personal Data disclosed.

Personal Data provided for Commercial Purposes and/or Marketing Purposes will not be disclosed.

In the event of transactions relating to assets or corporate transactions (e.g. mergers or acquisitions), the Personal Data will probably be transferred and may be shared with the legal successors to the extent permitted by the law and by the GDPR, pursuant to a legitimate interest on the part of the Joint Controllers.

Manner of processing

The processing of the Personal Data will involve its collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication to the parties listed above, restriction, erasure or destruction.
The Personal Data will be processed both on paper and using IT or automated tools via the use of hardware and software owned by the Joint Controllers or third parties.
The Personal Data may be inserted in the CRM system, the AX system and additional in-house databases for Commercial Purposes and for Marketing Purposes.
The logical and physical security of the Personal Data and, in general, the confidential nature of the Personal Data processed will in any event be guaranteed, with all necessary technical and organisation measures being put in place in order to ensure the security of the Personal Data.

Storage period

The Personal Data collected for Commercial Purposes will be processed and stored:

• for the entire duration of the contractual relationship between you and the Joint Controllers, or between the Joint Controllers and the party that you work for or work with on whatever basis;
• for the period thereafter (until the limitation periods expire) for contractual and non-contractual proceedings during the course of which information including your Personal Data has to be stored in order to demonstrate proper performance by the Joint Controllers of the contracts that they are party to.

The Personal Data collected for Marketing Purposes will be processed and stored for 24 months, save where your consent to processing for Marketing Purposes is renewed.

Provision of the Personal Data

Provision of the Personal Data for Commercial Purposes is optional. However, where the data are not provided, this may make it impossible to enter into or perform the contract or the commercial relationship or to take the steps prior to entering into a contract that are requested.
Provision of the Personal Data for Marketing Purposes is always optional. The only consequence of not doing so will be that you cannot be contacted to be told about commercial initiatives or products and services marketed by the Joint Controllers, unless you so request, save where marketing can be carried out on the basis of a legitimate interest in accordance with Article 6 (f) of the GDPR. Where you have had to provide Personal Data for Commercial Purposes, you can still withhold consent to the Personal Data being used for Marketing Purposes. In addition, consent for Marketing Purposes can be revoked at any time, simply by sending an e-mail to privacy@rollon.com.

Transfer of the Personal Data outside the EU

Personal Data collected for Commercial Purposes and for Marketing Purposes can be transferred to third countries outside the European Union in which certain Joint Controllers and certain Joint Controllers' parent companies or companies in any way affiliated to the Joint Controllers are based.
Where the Personal Data are transferred overseas to non-EU countries, this will be in the presence of adequate safeguards, i.e.:

• in accordance with Article 45 of the GDPR, and, therefore, to countries for which decisions in terms of adequacy have been made by the European Commission confirming that the non-EU country offers an adequate level of protection for Personal Data transferred out of the European Union; or, alternatively,
• in accordance with Article 46 of the GDPR via the adoption of model Personal Data protection clauses adopted by the European Commission on the basis of versions no. 2010/87/EU (cross-border transfers from controller to processor) and version no. 2004/915/EU (cross-border transfers from controller to controller), ensuring effective legal remedies and the data subjects' rights, including by entering into joint-controllers agreements.

Such agreements can be obtained from Rollon S.p.A.'s registered office (in Italy) and data subjects can ask for a copy of the same by e-mail using the address privacy@rollon.com.

Children

The Joint Controllers' products are not intended for those aged under 18. It follows that the Joint Controllers do not intentionally collect Personal Data or, in general, personal information relating to children. Where such information on children is unintentionally recorded, the Joint Controller will erase it promptly, as the users' request.

Rights of the data subject

In accordance with Chapter III, Section 1, of the GDPR, the data subject can exercise the rights referred to therein and, more specifically:

• Right of access - the right to obtain confirmation as to whether or not Personal Data are being processed, and, where that is the case, to receive information relating, in particular, to: the purposes of the processing, the categories of Personal Data processed and the storage period, the recipients to whom the Personal Data can be disclosed (Article 15 of the GDPR);
• Right to rectification - the right to obtain, without undue delay, the rectification of inaccurate Personal Data and the right to have incomplete Personal Data completed (Article 16 of the GDPR);
• Right to erasure - the right to obtain, without undue delay, the erasure of Personal Data, in the cases specified by the GDPR (Article 17 of the GDPR);
• Right to restriction - the right to obtain restriction of processing, in the cases specified by the GDPR (Article 18 of the GDPR);
• Right to data portability – the right to receive the Personal Data provided in a structured, commonly used and machine-readable format and the right to have those data transferred to another Joint Controller without hindrance, in the cases specified by the GDPR (Article 20 of the GDPR);
• Right to lodge a complaint with a supervisory authority - the right to lodge a complaint with a personal data protection supervisory authority in the Member State of the data subject's habitual residence or place of work or place of the infringement of the GDPR (Article 77 of the GDPR) and more specifically, in the case of Italy, to the 'Autorità Garante per la protezione dei Dati Personali', Piazza Venezia 11, 00186 Rome (RM).

Additional rights of the data subject: right to object and right to withdraw

In accordance with Chapter III, Section 1, of the GDPR, the data subject can, in particular, exercise the following additional rights:

• Right to object - the right to object to the processing of the Personal Data, save where there are legitimate grounds on which to continue the processing (Article 21 of the Regulation);
• Right to withdraw - where the data subject has provided his or her consent to the processing of the Personal Data for the purposes for which they were requested, he or she shall be at liberty to revoke that consent at any time by doing so in an e-mail sent to privacy@rollon.com, without having to comply with any specific formalities. Upon receipt of that request, the Personal Data will not longer be processed for the purposes for which consent was requested.

Exercise of the rights of the data subject

You can exercise all of the rights referred to in this privacy notice simply by e-mailing a request to privacy@rollon.com. This can be done free of charge, without having to follow any particular procedure and will take effect immediately vis-à-vis all of the Joint Controllers.

Absence of automated decision-making processes

The Joint Controllers will not carry out any profiling with your Personal Data, nor will they make decisions on the basis of automated processes.