PRIVACY NOTICE

DATA PROCESSING THROUGH SOCIAL MEDIA

This notice provides the data subjects with information about the processing of personal data carried out through the Social Media platforms used by BKT Europe Srl (hereinafter also the “Company”), as a processing controller or joint controller, in accordance with the following specifications.

WHO IS THE CONTROLLER AND HOW TO CONTACT THEM

The data processed through social media platforms is processed by BKT Europe Srl, in the person of its pro tempore legal representative, with registered office at Viale Bianca Maria 25, 20122 Milan, and operational headquarters at Viale della Repubblica 133, 20831 Seregno (MB), VAT number 05404270968, email privacy@bkt-tires.com

The Company processes user data in its capacity as controller or joint controller with the operator of the social network indicated below, depending on the platform used.

1. FACEBOOK and INSTAGRAM pages

The information is processed by BKT Europe Srl jointly with Meta Platforms Ireland Ltd (Ireland/EU - "META"), the operator of Instagram and Facebook.

BKT Europe Srl has entered into a joint controller agreement with META that establishes the division of data protection obligations between BKT Europe Srl  and META. Details on the processing of personal data for the generation of statistics and the agreement between BKT Europe Srl  and META can be found at: https://www.facebook.com/legal/controller_addendum

The personal data processing not attributed to BKT Europe Srl  in this notice is independently controlled by Meta Platforms Ireland Ltd. Further information on the processing of personal data by META can be found at https://privacycenter.instagram.com with regard to Instagram, and at https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0

 with regard to Facebook.

The processing of personal data, unless otherwise specified in this notice, is controlled by META as specified in the policy https://www.facebook.com/privacy/policy

1. LinkedIn Profile

BKT Europe Srl has a LinkedIn profile where it presents the company and individual services.  The processing of personal data, unless otherwise specified in this notice, is controlled by LinkedIn Ireland Unlimited Company ("LinkedIn Ireland") Ireland/EU. Further information on the processing of personal data by LINKEDIN can be found at https://www.linkedin.com/legal/privacy-policy

LINKEDIN provides the Company with anonymized statistics and insights for the profile, to allow the Company to evaluate the types of actions people take on the profile. This data is created based on specific information about the users who have visited it. BKT Europe Srl is a joint data controller with respect to such data.

A joint controller agreement has been entered into with LINKEDIN that establishes the distribution of protection obligations between the Data Controller and LINKEDIN. Details on the processing of personal data and the agreement with LINKEDIN can be found at:

https://legal.linkedin.com/pages-joint-controller-addendum

1. YOUTUBE channel

BKT Europe Srl has a YouTube channel. The Service allows you to discover, watch and share videos and other content, and provides a platform for creators and advertisers, large and small, to distribute original content.

The provider of the YouTube service in the European Economic Area is Google Ireland Limited, a company incorporated and operating under the laws of Ireland (Registration number: 368047), located at Gordon House, Barrow Street, Dublin 4, Ireland, and is part of the Alphabet Inc. group.

Google processes the personal data of YouTube visitors and users as an independent controller. When a user logs in to YouTube, they agree to YouTube's terms of use, privacy standards and cookie policy as well as Google's processing of their personal data, over which the Company has no control. If the user is not registered with YouTube, Google may still perform statistical analyses of your personal data when you access the Company's YouTube channel and provide the Company with anonymous statistics about this. Therefore, only certain aggregated information (such as the number of profile or media clicks and the watch time of a specific video) is visible to the Company through its account. In addition, the Company does not have the ability to prevent or stop the use of such tools on your Google account. To find out more about the processing carried out by Google, please refer to the relevant notice: https://policies.google.com/privacy?hl=it

1. Company twitter profile

The company operates a Twitter profile. The service provider is: Twitter International Unlimited Company  One Cumberland Place, Fenian Street Dublin 2, D02 AX07 IRELAND

Twitter and the Company operate as independent controllers and have entered into a controller agreement

available at the following link https://gdpr.twitter.com/en/controller-to-controller-transfers.html

To find out more about the processing carried out by Twitter, you can consult the relevant policy: https://twitter.com/it/privacy/previous/version_14

1. TIKTOK Profile

The company operates a TIKTOK profile. The TIKTOK provider for the EU is TikTok Technology Limited, Irish company no. 635755, with registered office at 10 Earlsfort Terrace, Dublin, D02 T380, Ireland.

TIKTOK and the Data Controller operate as independent data controllers and for promotional profiles they have signed a Data Controllers agreement, which can be consulted at the following link https://ads.tiktok.com/i18n/official/article?aid=893639991572679936

To find out more about the processing carried out by TIK TOK, you can consult the relevant policy: https://www.tiktok.com/legal/page/eea/privacy-policy/it-IT

WHAT DATA IS PROCESSED

When data is processed under joint controllership:

1. Joint controller with META

When the data subject interacts on the Instagram page of BKT Europe Srl, the Company may process various data: those that the data subject makes public, those that he or she transmits with comments or messages, and those relating to the statistics processed by META.

META provides the Company with anonymized statistics (Insights) for the Instagram and Facebook pages to help the Company understand the type of actions that users take on the pages and allow it to offer content that is increasingly in line with public interests and that may be improved based on certain information about users who have visited the pages or who may be interested in them. This processing of personal data is carried out by the Company and META as joint controllers. The Company is not able to attribute the information obtained through statistics and sponsored emails to individual Instagram or Facebook profiles that interact with its Instagram or Facebook page.

Find out more about Instagram insights:

https://www.facebook.com/business/help/441651653251838?id=419087378825961

Learn more about Facebook insights:

https://www.facebook.com/business/help/144825579583746?id=939256796236247

1. Joint controllership with LINKEDIN

When a LinkedIn user visits, follows, or connects with the Company's Page, LinkedIn processes personal data to provide the Company with Page Insights. In specific, LinkedIn processes the data provided by the subject in their LinkedIn profile, such as job function, country, industry, seniority, company size and employment status. In addition, LinkedIn will process information about how a user interacts with the company page, such as whether a user is a follower.

The Page Insights provided to the Company consist of aggregated data and, despite its joint controller status, LinkedIn will not provide the Company with the users' personal data in connection with Page Insights or allow the Company to link Page Insights to individual users.

Further information on LinkedIn's processing can be found in the relevant policy: https://www.linkedin.com/legal/privacy-policy

When data is processed as an independent controller:

1. Comments and direct messages

The Company also processes the information that data subjects provide via the company page on the social media platform. This information may include the user name used, contact details or messages sent. The Company carries out these processing operations as the sole data controller.

1. Public profile data

The Company may access data that followers share publicly, such as username or name.

The categories of data that may be processed in the event of interactions on the Company's social pages or profiles, as followers or through comments or direct messages, are:

• Identification data (Examples of data types: First name, last name, username)
• Any other information the user wishes to share ("likes", contact details, content, Feedback, opinions, reviews, and any information provided voluntarily).

WHAT ARE THE PURPOSES AND LEGAL BASES OF THE PROCESSING?

The purposes for which the data is processed through social networks are as follows:

• Optimize pages, by evaluating user interactions and proposing content that is able to stimulate interactions and expand the audience of the company pages.
• Maintain contact with users and communicate with users.
• Provide feedback or assistance (at your request).
• Legal obligations: Disclose data and information to competent authorities and data protection supervisory authorities, in accordance with applicable legislation, comply with inspections and requests by governments or authorities, comply with procedural requests, such as witness obligations, for instance.
• Intra-group communications and reports on the effectiveness of the brand's presence on social media and communication strategies.
• Defense in court
• Safety and proper functioning of the systems

We rely on several legal bases in order to process your data lawfully:

The processing of page or profile statistics is based on the controller's legitimate interest in evaluating the types of actions taken on the page or profile and is aimed at improving the page or profile based on these indications. The legal basis for this processing, therefore, is Art. 6 (1) (f) GDPR.

The data relating to followers of the page or profile and the data relating to comments or messages sent spontaneously by users is processed on the basis of the Data Controller's legitimate interest in contacting the applicants. The legal basis for data processing is Art. 6 (1) (f) GDPR.

Further processing of data may take place with your consent (Art. 6 (1) (a) GDPR) or for compliance with a legal obligation (Art. 6 (1) (c) GDPR).

At the user's request, furthermore, the data sent voluntarily through direct messages may be used to initiate pre-contractual negotiations. 

Intra-group communications and the sharing of reports take place in response to the Data Controller's legitimate interest.

Should it be necessary, the data can also be used given a legitimate interest of the controller, which involves verifying the security and correct functioning of the IT systems used and carrying out defensive initiatives.

HOW IS THE DATA MANAGED?

The data collected is processed with IT instruments and only residually with print-based methods. Adequate security measures are adopted to prevent the loss of data, illegal or incorrect use and unauthorized access.

Transferring data abroad

Some processing operations may involve transfers outside the European Economic Area.

In cases of joint controllership:

• In accordance with Meta's privacy policy, user data is also processed in the USA or other third countries. META only transfers user data if appropriate safeguards are in place: https://privacycenter.instagram.com/policy/?subpage=9.subpage.3-HowDoWeSafeguard.

• LinkedIn's data centers, which store user information, are currently located in the United States. LinkedIn's services, therefore, require the transfer of data from the European Union (EU), the European Economic Area (EEA) and Switzerland to the United States (USA) and vice versa. To ensure the protection of EU personal data when it is transferred outside the EU, the General Data Protection Regulation requires that such transfers take place using certain legal mechanisms described on the EU Commission's website. LinkedIn relies on the Standard Contractual Clauses approved by the European Commission as a legal mechanism for data transfers from the EU. https://www.linkedin.com/help/linkedin/answer/a1343190?trk=microsites-frontend_legal_privacy-policy&lang=en

In cases when the Company is an independent controller:

• For processing carried out independently by the Company, the data will be transferred outside the European Union and the European Economic Area for intra-group communications. Transfers to Canada will take place in the presence of an adequacy decision by the EU Commission, or to other countries in the absence of an adequacy decision. In this case, the standard contractual clauses approved by the EU Commission on June 4, 2021, will serve as a safeguard to ensure compliance with the General Data Protection Regulation even in cases of transfers of personal data outside the EU.

In cases when the managers of Social Network platforms are the independent controllers:

• For transfers outside the EU carried out by Google, Twitter or TIKTOK, as well as for those made by META and LINKEDIN as independent controllers, please see the related notices.

Storage period

The data is stored for as long as users leave it available on the platforms.

Direct messages are deleted after 2 years.

This is done without prejudice to any defensive needs for which the data can be kept also beyond the indicated deadlines.

WHAT HAPPENS IF THE DATA IS NOT PROVIDED

The provision of data through messaging systems or comments is optional and voluntary. It will not be possible to interact directly on social media in this case, but there will be no consequences for failure to provide it.

As far as META is concerned, the user may avoid providing data for page statistics - given that the provision is optional and there are no consequences for failure to provide it - by objecting to the processing, as indicated in the appropriate section of this notice.

WHO CAN SEE THE DATA

The data will be processed by employees of the Controller who are authorized to process it.

The data can be seen by companies which provide IT supply services and by consultants to manage disputes and for legal assistance should there be any disputes due to which it is necessary to involve them.

Please note that some of the indicated subjects act as controllers and others as data processors and that communication to those who operate as independent controllers is carried out since prescribed by legal obligations or is necessary to fulfil the obligations arising from the pre-contractual relationship or the legitimate interest of the controller in maintaining the security of the IT systems and in adopting defensive initiatives through legal consultants.

In cases of processing carried out under joint controllership, the data will be shared with the joint controllers.

The data subject may request a detailed list of data recipients from the Data Controller, to the extent to which they can be identified specifically.

Please note that communication of the personal data is limited, in any event, to the data categories the transmission of which is necessary to undertake the activities and purposes being pursued.

WHAT ARE THE DATA SUBJECT'S RIGHTS?

The law recognizes for the data subject the right to ask the Data Controller for access to the personal data and its rectification or cancellation or limitation of the processing regarding them or to object to its processing, as well as the right to data portability.

In particular, it is noted that there is the possibility to object to the processing of data done for marketing purposes.

The data subject may assert their rights at any time, without formalities, by contacting the Controller through the email privacy@bkt-tires.com

Here below is a breakdown of the rights recognized by the law in force on the protection of personal data.

• The right of access, i.e. the right to obtain from the processing controller the confirmation that data processing is or is not taking place which regards them and, if so, to obtain access to personal data and to the following information: a) the purposes of the processing; b) the categories of personal data in question; c) the recipients or the categories of recipients to whom the personal data has been or will be communicated, in particular if recipients in other countries or international organizations; d) when possible, the retention period of the personal data envisaged or, if not possible, the criteria used to determine this period; e) the existence of the data subject's right to ask the Processing controller to rectify or cancel personal data or to limit the processing of the personal data regarding them or to oppose its processing; f) the right to lodge a complaint to a supervisory authority; g) should the data not be collected from the data subject, all the information available on its origin; h) the existence of an automatic decision-making process, including profiling and, at least in these cases, significant information on the approach used, as well as the importance and consequences envisaged of this processing for the data subject. Should the personal data be transferred to another country or international organization, the data subject then has the right to be informed of the existence of adequate guarantees relating to its transfer.
• The right of rectification, i.e. the right to obtain from the processing controller the rectification of inexact personal data regarding them without unjustified delay. Taking account of the purposes of processing, the data subject has the right to integrate incomplete personal data, also by providing an additional statement.
• The right of cancellation, i.e. the right to obtain from the processing controller the cancellation of inexact personal data regarding them without unjustified delay if: a) the personal data is no longer necessary in regard to the purposes for which it was collected or otherwise processed; b) the data subject withdraws their agreement on which the processing is based and if there is no other legal basis for the processing; c) the data subject opposes the processing undertaken because necessary to carry out a public service or connected to the exercise of public powers with which the Controller is invested or to pursue a legitimate interest and there is no prevailing legitimate reason to proceed with the processing, or opposes the processing for direct marketing purposes; d) the personal data was illegally processed; e) the personal data must be cancelled to fulfil a legal obligation envisaged by the law of the European Union or of the Member state to which the Processing controller is subject; f) the personal data was collected in relation to the company's offer of services for information to minors. The request for cancellation cannot, however, be accepted if the processing is necessary: a) to exercise the right to freedom of expression and information; b) to fulfil a legal obligation which requires processing as envisaged by the law of the European Union or of the Member state to which the Data Controller is subject or to execute a task undertaken in the public interest or in the exercise of public powers with which the Data Controller is invested; c) for reasons of public interest in the public health sector; d) for the purposes of archiving in the public interest, scientific or historic research or statistical purposes, to the extent to which cancellation risks making impossible or seriously compromising achieving the goals of such processing; or e) for verifying, exercising or defending a right in the courts.
• The right of limitation, i.e. the right to obtain that data is processed, except for its conservation, only with the agreement of the data subject or to verify, exercise or defend a right before the courts or to protect the rights of another natural person or corporation or for reasons of relevant public interest of the European Union or of a member State if: a) the data subject challenges the preciseness of the personal data, for the period necessary for the Data Controller to verify the exactness of this personal data; b) the processing is illegal and the data subject opposes the cancellation of the personal data and instead asks that its use is limited; c) although the Data Controller no longer needs it for processing purposes, the personal data is necessary for verifying, exercising or defending a right in the courts; d) the data subject has opposed the processing undertaken because necessary to carry out a public service or connected to the exercise of public powers with which the Controller is invested or to pursue a legitimate interest of the Data Controller or of third parties, pending verification of the possible prevalence of the legitimate reasons of the Data Controller over those of the data subject. 

• The right to portability, i.e. the right to receive the personal data regarding them provided to the Controller in a structured form, for shared use which can be read by an automatic device and has the right to transmit this data to another controller without impediment by the Controller to whom they have provided the data, as well as the right to obtain direct transmission of the personal data from one controller to another, if technically feasible, should the processing be based on agreement or on a contract and the processing is carried out with automated means. This right will not affect the right to cancellation.

Please note the il right to object, in particular, i.e., the right of the data subject to object at any time, on grounds relating to their particular situation, to the processing of their personal data as required for the performance of a task carried out in the public interest or in connection with the exercise of the official authority vested in the controller or for the furtherance of the legitimate interests of the Data Controller or of a third party. Should the personal data be processed for direct marketing purposes, the data subject has the right to oppose at any time the processing of the personal data regarding them undertaken for these purposes, including profiling to the extent this is connected to such direct marketing.

META also offers the possibility to object to certain data processing, including data processing relating to page sites; information and the options for exercising the right to object can be found at https://www.facebook.com/help/contact/367438723733209

Users may exercise their rights as data subjects through their account settings or by contacting LinkedIn directly.

The data subject is then informed that if they believe that the processing of their personal data is violating the provisions of the GDPR, they have the right to file a complaint with a Supervisory Authority (Art. 77 of the Regulation) or to take appropriate legal action (Art. 79 of the Regulation).