Personal Data Processing Disclaimer to Article 13 of the UE Regulation 2016/679 (“Privacy Policy”)

If you are reading this document ("Privacy Policy"), it is because you are visiting this Website (“Website”).

This Privacy Policy was written under Article 13 of the EU Regulation 679/2016 (hereinafter "GDPR") and provides some examples of how we process your Personal Data. If you have any questions about this Privacy Policy or how we process your Personal Data, please send your request to: admin_ti@stellantis.com. The information and Data you provide or otherwise acquire will be processed following the provisions of the GDPR and the confidentiality obligations that inspire the Data Controller's business. From this Website, connecting to other third-party Websites through special links may be possible. We encourage you to consult their respective privacy policies for these processing activities. The Data Controller is not liable for the management of Personal Data, if any, by such third-party websites.

1. Who we are

STELLANTIS EUROPE S.p.A., headquartered at Corso Giovanni Agnelli 200, 10135 - Turin, Italy (hereinafter also "we" or "us") is the Data Controller of your Personal Data (hereinafter: “Data”).

2. What data we collect and process

We collect Data from our Website. The Data collected and the related processing purposes depend on the management of the settings of the Browser and the Device being used.
The purposes for collecting your Personal Data are stated in the section "Why we collect and process your Data".

a) Data provided by the user

You may provide us with Personal Data when you use this Website. This is the case, for example, when you register with our Website and use the related Services.
If you provide us with third-party data, you will be held responsible for sharing that information. You must be legally authorized to share it (i.e., authorized by a third party to share their information, or the sharing must be necessary and justified by a legitimate reason). You must hold us harmless from any liability in the event of any claims, demands, or damages that may arise from the processing of Personal Data of third parties in breach of the applicable data protection law.

b) Judicial Data referable to you

We may receive Judicial Data from you, only in cases required by laws and/or regulations during your registration to the Website.

c) Data collected by the Browser and Device

When you use our Website we collect information about the Browser and Device you are using. This information includes your IP Address, date, time and requested URL, Unique Identifiers, and other information, such as the type of Browser or Device. Information on the Browser or Device may include operating system, language, network settings, telephone or Internet provider, third-party applications installed, and plug-in lists.
Some of this information is collected using Cookies and Other Tracking Technologies present in your Browser or Device. More information about Cookies can be found in our Cookie Policy.

	3. Why we collect and process your Data and legal grounds	Your Data are used for the following purposes:
		a. Provide our Services and related support allow you to browse the Website and provide the Services you request from the Data Controller from time to time. This processing is based on the performance of a contractual obligation or pre-contractual measures taken at your request;
		b. Statistical purposes for statistical purposes without being able to be traced back to your identity (“Statistics”). It should be noted that such processing is not performed on Data and therefore can be freely carried out by the Data Controller. This processing is based on the legitimate interest of the Data Controller.
		c. Fulfilling legal obligations We may use your Data to fulfill legal obligations and orders to which we are subject, which is the legal basis for processing your Data. Some legislation may require us to share your Data with public authorities. If this sharing is not required by the law of your country, we may still send your Data, as explained in more detail in the next purpose "Protection of our interests and your interests".
		d. Protection of our interests and your interests To the extent permitted by applicable Data protection law, we may need to use your Data to detect, prevent, and respond to fraudulent and illegal behavior or activities that could compromise the safety of our Services and Website. This could occur when you use our Website in manners other than what is permitted or if you behave inappropriately at Our Events. These purposes include audits and evaluations of our business operations, safety checks, financial checks, records, and information management program, and otherwise in connection with the administration of our general business activities, accounting, record account, and legal functions. These purposes are based on our legitimate interest in protecting our interests and protecting our customers, including you.

4. How we use your Data (processing method)

The Data collected for the above purposes are processed both manually and in an automated manner, i.e., through programs or algorithms that analyze Data inferred from user activity and Data collected from the Browser and Device.

	5. How we can disclose your Data	We may disclose your Data to the following recipients and/or categories of recipients ("Recipients"):
		Persons authorized by us to carry out any of the Data-related activities described in this document: our employees and contractors who have assumed a duty of confidentiality and abide by specific rules for handling your Data; Our Data Processors: these are the external parties to whom we entrust some processing activity. For example, security system providers, accounting and other consultants, data hosting providers, etc. We have entered into agreements with each of our Data Processors to ensure that your Data are processed with appropriate safeguards and only following our instructions; System Administrators: these are our employees or our Data Processors whom we have delegated to manage our computer systems and who can access, modify, suspend, and limit the processing of your data. These people have been selected, and properly trained, and their activities are tracked by systems that they cannot change, as required by the regulations of our competent Control Authority; Police authority or any other authority whose provisions are binding on us: this is the case when we have to comply with a judicial order or the law or defend ourselves in legal proceedings.

6. Where are your Data

We are a global company and our services are available in various jurisdictions around the world. This means that your Data may be stored, accessed, used, processed, and disclosed outside your jurisdiction, including within the European Union, the United States of America, or any other country where the service providers, Data Processors and their sub-processors, or where their servers or cloud computing infrastructure may be located. We strive to ensure that our Recipients' processing of your Data complies with applicable data protection laws, including EU legislation to which we are subject. Where required by EU data protection law, transfers of your Data to recipients outside the EU will be subject to appropriate safeguards (such as EU standard contractual clauses for data transfers between EU countries and third countries), and/or other legal grounds following EU law. For more information about the safeguards, we implement to protect Data transferred to third countries outside the EU, you may write to us at: admin_ti@stellantis.com

	7. For how long do we retain your Data	Data processed for the purposes of providing the Services (see sect. 3.a) and Protecting our interests and your interests (see sect. 3.d) will be retained for as long as is strictly necessary to achieve those same purposes. However, your Data may be retained for a longer period in case of potential and/or actual claims and consequent liabilities and/or in case of other requirements and/or in case of other mandatory legal retention requirements and/or retention obligations.
		Data processed to fulfill a legal obligation (see sect. 3.c) will be retained as long as required by the specific obligation or rule of law or applicable regulation. More information regarding the data retention period and the criteria used to determine this period can be requested by writing to the Data Processor at admin_ti@stellantis.com.

	8. How to control your Data and manage your choices	At any time, you can ask for:
		Access to your Data (right of access): based on your use of our Services, we will provide you with your Data; Exercise your right to portability of your Personal Data (right to Data portability): based on your use of our Services, we will provide you with an interoperable file containing Data about you; Correct your Data (right to rectification): for example, you can ask us to change your e-mail address or phone number if they are incorrect; Limit the processing of your Data (right to restrict processing): for example, when you believe that the processing of your Data is unlawful or that processing based on our legitimate interest is not appropriate; Delete your Data (right to erasure): for example, when you do not want to use our Services and do not want your Data stored; Objections to processing activities (right to object); Withdraw your consent (right to withdraw consent). You may exercise the above rights or express any concerns or complaints about our use of your Data directly at: admin_ti@stellantis.com.
		At any time, you can also: contact our Data Protection Officer (DPO), here: dataprotectionofficer@stellantis.com;
		contact the Personal Data Protection Authority, a list of all Personal Data Protection Authority by country can be found here: https://edpb.europa.eu/about-edpb/board/members_en.

9. How we protect your Data

We take reasonable physical, technological, and organizational precautions to prevent the loss, misuse, or modification of the Data under our control. For example:

We ensure that your Data is only accessed and used by, transferred to, or disclosed to Recipients who need to have access to that Data.
We also limit the amount of Data accessed, transferred, or disclosed to Recipients to only what is necessary to fulfill the specific purposes or tasks performed by the Recipient.
The computers and servers where your Data is stored are kept in a secure environment, are password-controlled with limited access, and have industry-standard firewalls and anti-virus software installed.
Hard copies of documents containing your Data (if any) are also kept in a secure environment.
We destroy hard copies of documents containing your Data that are no longer needed.
When we destroy Data recorded and archived in the form of electronic files that are no longer needed, we ensure that a technical method (e.g., a low-level format) ensures that the records cannot be reproduced.
The laptops, USB flash drives, cell phones, and other wireless electronic devices used by our employees who have access to your Data are protected. We encourage employees not to store your Data on such devices unless reasonably necessary to perform a specific task as outlined in this Privacy Policy.
We train our employees in compliance with this Privacy Policy and conduct monitoring activities to ensure continued compliance and to determine the effectiveness of our privacy management practices.
Our Data Processors are contractually bound to retain and protect your Data using measures substantially similar to those outlined in this Privacy Policy or required by applicable data protection law.

Where required by applicable law, in the event of a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Data transmitted, stored or otherwise processed, notice will be given to you and the appropriate Data protection authority as required (e.g., unless the Data is unintelligible to any person or the breach is unlikely to result in a risk to the rights and freedoms of you and others).

10. What this Privacy Policy does not cover

This Privacy Policy explains and covers the processing we perform as the Data Controller on our Website.
This Privacy Policy does not cover processing by parties other than us.
In these cases, we are not responsible for any processing of your Data that is not covered by this Privacy Policy.

11. Use of Data for other purposes

Should we process your Data in a different way or for purposes other than those stated herein, you will receive specific notice before such processing begins.

12. Changes to this Privacy Policy

We reserve the right to adapt and/or modify this Privacy Policy at any time. We will inform you of any relevant adaptations/changes.

13. License

The icons shown in this Privacy Policy are "Data Protection Icons" by Maastricht University, European Centre on Privacy and Cybersecurity (ECPC) CC BY 4.0.

14. Definitions

Browser: refers to the programs used to access the Internet (e.g., Safari, Chrome, Firefox, etc.)

Cookie: this is a small text sent to your browser by our sites or our partners or resellers. It allows the site to store information, such as the fact that you visited the site, your language, and other information. Cookies are used for a variety of purposes, such as to record your preferences regarding the use of cookies (technical cookies), to analyze and improve our services, and to create new services and features or to personalize our services.

Data Controller: this means the legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and the means for processing your Personal Data.

Data Processor: refers to an entity engaged by us to process your Personal Data exclusively on behalf of the Data Controller and following its written instructions.

Device: refers to the electronic device (e.g., iPhone) through which you visit our Website and/or our Partners' websites and applications.

IP Address: is a unique number used by the browser or device to connect to the Internet. The Internet service provider provides this number to identify the provider and/or the approximate area where the user is located. Without this Data, you cannot connect to the Internet and use our Services.

Judicial Data: this means Personal Data related to criminal convictions and crimes and security measures.

Other Tracking Technologies: pixel tags (trackers used with Cookies and embedded in web page images to track certain activities) or Unique Identifiers embedded in links to commercial communications that send us information when clicked.

Our Events: these are events/showrooms organized by us or in collaboration with other brands with whom we have signed partnership agreements.

Partners: this means third-party entities that may only disclose your Personal Data to us after contractually assuring us that they have obtained your consent or have another legal basis that legitimizes their disclosure/sharing of such Data with us. This definition also includes selected partners with whom we may share your Data. Partners can belong to the following product sectors: manufacturing, wholesale and retail trade, financial services, banking, transportation and warehousing, information and communication services, professional, scientific and technical activities, travel agencies, business support services, arts, sports, entertainment and amusement activities, activities of membership organizations, physical wellness center services, electricity and gas suppliers, rental companies, electric mobility and insurance companies.

Personal Data: any information relating to an identified or identifiable natural person, directly or indirectly, as well as any information related or reasonably linkable to a particular individual or household. For example, an e-mail address (if it relates to one or more aspects of an individual), IP addresses, and Unique Identifiers are considered Personal Data. For convenience, we will collectively denote all Personal Data also referred to as "Data".

Services: collectively, this means all the Services available on our Website.

Unique Identifiers: information that can uniquely identify the user through the Browser, Device. In the browser, IP addresses and cookies are considered Unique Identifiers. On the Device, vendor-provided advertising identifiers, such as Apple's IDFA and Android's AAIG, that we use to analyze and improve our Services and to create new Services and features are considered Unique Identifiers. Please note that for these purposes and in line with the opinions of European supervisory authorities, we do not use other Unique Identifiers, such as MAC addresses and IMEIs as they are not user-resettable.

Website: this includes this Website and the pages of our social networks where this Privacy Policy is present.