“Gentle Messenger” general usage rules and limitations

1. Any misuse or inappropriate use of the Gentle Messages platform, or any part of it, is prohibited. As mere example, the User agrees not to use the platform in a way that:

- is defamatory, abusive, obscene, profane, scandalous, inflammatory, pornographic, indecent, or offensive;
- infringes or violates another party’s intellectual property rights (such as music, videos, photos, or other materials for which you do not have written authority from the owner of such materials to post on a site);
- violates any party’s right of publicity or right to privacy;
- constitute personal data processing without the prior consent of the person to whom said data refer
- is threatening, harassing, or that promotes bullying, racism, bigotry, hatred, or physical harm of any kind against any group or individual;
- promotes discrimination (based on race, sex, religion, nationality, disability, sexual orientation or age);
- is inaccurate, false, or misleading in any way;
- is illegal or promotes any illegal activities;
- constitutes and/or promotes illegal or unauthorized copying, alteration, modification or diffusion of another person’s copyrighted work or links to said work, or provides information to circumvent any security measure;
- contains “masked” profanity (i.e., F@&#);
- contains software viruses or any other computer code, files, or programs designed to interrupt, destroy, or limit the functionality of any computer software or hardware or telecommunications equipment; or
- contains any advertising, promotional materials, “junk mail,” “spam,” “chain letters,” “pyramid schemes,” or any other form of solicitation.

2. Ferrero is entitled, at its sole discretion, to block and / or restrict the access to (and the use of) the Gentle Messages platforms to any user who violates these rules.

3. The User is solely liable for his/her behavior, for any content, materials, accuracy and appropriateness that occurs within the usage of the tool and for all data, texts, files, information, usernames, images, graphics, photos, profiles, audios and video clips, sounds, musical compositions, works of intellectual property, applications, links and other contents or materials published or displayed participating in usage of the tool.

4. Content and Intellectual Property Right

The content and all other materials on the Website, including, without limitation, copyrights and other intellectual property rights in the artwork, graphics, photographs, texts, videos and audio clips, trademarks and logos available (collectively the "Content") are under license or owned by the Ferrero Group and/or its affiliates and licensors. You are not permitted to copy, reproduce, reuse, retransmit, adapt, publish, frame, post, upload, distribute, modify, broadcast or make derivative works of any Content in any way, including for any public or commercial purpose whatsoever, without the prior written consent of the Ferrero Group. All rights not granted under these Terms and Conditions are expressly reserved by the Ferrero Group. All trademarks, trade names and logos and all related product names, design marks and slogans which appear on the Website are either the trademarks or any other marks (registered or unregistered) of the Ferrero Group, its affiliates and/or its licensors, unless otherwise stated herein. The Ferrero Group, its affiliates and its licensors expressly reserve all intellectual property rights in all content on the Website. No license is granted to any User in connection with any Content contained on the Website. In its sole discretion, the Ferrero Group, its affiliates or its licensors may seek to enforce their intellectual property rights to the fullest extent of the law, including the seeking of criminal prosecution.

GM3 music content presented on tictac.com was selected by tic tac global agency, thank to tic tac music channel presence and on a basis of Spotify T&C and presented in-line with Spotify requirements through Spotify widget. The artists whose music is presented do not have contracts with the Ferrero Group.

SOREMARTEC S.A., with registered seat at 16, route de Trèves, 2633 Senningerberg, Luxembourg and/or its affiliates and any other Ferrero Group company as may be applicable (collectively the "Company"), in its position as the data controller, pursuant to article 13 and article 14 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and/or any other applicable domestic laws and regulations concerning the protection of personal data (collectively the "Regulation"), wishes to provide you with the following information:

1. Types of personal data

The data provided by you at our Consumer Contact Center, including your name and surname, birth date, telephone number, e-mail address, physical address (if required), and data (if required) provided to describe the issue you are reporting to us (potentially including special categories of personal data, such as data related to your health), shall be processed, collected, used and/or disclosed (“Processed”) by the Company in accordance with the Regulation, including decisions (if any) of the relevant supervisory authority.

Any data of third parties may be provided by you only if you are entitled under the Regulation to do so, such as due to your position of legal guardian regarding the third party, or because you have the express consent of the third party. You will be the sole person responsible for such a provision and you acknowledge this.

2. Purposes and legal grounds of the processing

The Company will Process the data provided by you while carrying out its business and for the main purposes of 1) providing an answer to your general questions and/or 2) managing the issues that you are reporting to the Company and/or 3) defending the Company itself.

Moreover, the data shall be Processed in order to comply with the obligations established by the law (including, without limitation, obligations arising from the regulations of health and safety, for handling litigations (if existing), for the purposes of internal group reporting, for internal audit purposes (safety, productivity, quality of the services), for management control purposes, for certification purposes.

Your data may also be Processed for recurring valuations concerning whether the ethical and legal requirements established by the Company in its Code of Ethics have been complied with.When you ask generic questions to the Company, we will Process your data as strictly necessary to allow us to provide you an answer, as per your request (Article 6(1)(b) of GDPR) and consent which shall be deemed to have been given by you providing the data to the Company.

Where this is strictly necessary to appropriately address any questions or issues you report to the Company, the Company may also Process special categories of personal data (in particular, data related to health, such as details on allergic or other adverse reactions to products, etc.) which you decide to provide to the Company. These special categories of personal data will only be Processed by the Company based on your prior and explicit consent.

To the extent that the Regulation applies, the Processing of data for all the other listed purposes does not require your consent since the Company is authorized to avail itself of the reliefs available under letter c) and f) of article 6.1, of the GDPR and/or the Regulation.

3. Nature of collection and Processing methods

In most cases, with the exception of basic questions put during a telephone call to our Consumer Contact Center operators, the collection of personal data concerning Data Subjects is a requirement to provide a response to your query: failing this, it becomes impossible to provide a response to any inquiry on your part.

The data shall be Processed by the Company, and by those entrusted by the Company with Processing, mainly by means of electronic or manual systems and according to the principles of fairness, integrity and transparency that are required by the Regulation, while preserving the privacy of the concerned persons through the implementation of technical and organizational measures ensuring an adequate security level (including, without limitation, by preventing access from unauthorized persons - unless such access is required by the Regulation - or by ensuring restoration of access to data after material or technical accidents).

4. Data storage and retention

The data shall be stored in compliance with the Regulation for the time that is necessary to comply with the above mentioned purposes, this being a period of:

• 12 months in case of inquiries not related to the quality of our products (e.g. availability of a certain product in a certain country);
• 24 months in case of inquiries related to the quality of our product (e.g. complaints about the freshness of a certain product purchased in certain supermarket); or
• 10 years in case of incident reporting (e.g. allergy or any other adverse reaction after the consumption of a certain product).

5. Disclosure, dissemination and transfer of data

Without prejudice to the duty of disclosure in order to fulfil the Regulation and any other legal or contractual obligations, the data may be disclosed to tax or legal consultants, to collaborators of the Company, to government or other public entities if required in the framework of tenders, as well as to those persons that are authorized by the laws to receive such data, to Luxembourgish or foreign judicial or other public authorities for the fulfilment of legal obligations, or for the performance of the obligations arising from an agreement, including for the purposes of defending before the Courts, unless otherwise prohibited by the Regulation. Contact details may also be disclosed on occasional and for single reasons to suppliers of the Company, including - without limitation - if it becomes necessary to collaborate with any of these persons for the performance of services.

Furthermore, data may also be Processed by the personnel entrusted with the contract and service management within the Company. In order to perform certain services implying the need of personal data processing, the Company may also avail itself of third parties. Data may also be disclosed to other companies belonging to the “Ferrero Group” - meaning SOREMARTEC S.A. and any other company directly or indirectly owned and/or controlled at any time by or under common ownership and/or control with SOREMARTEC S.A. - if necessary for the coordination and control of the Ferrero Group and in accordance with the Regulation. These companies shall operate as data processors and/or data intermediaries in compliance with specific and adequate instructions by SOREMARTEC S.A. concerning the Processing methods and safety measures as specified in specific agreements. Both the personnel mentioned above and the data processors and data intermediaries have undertaken an obligation of confidentiality or are subject to an appropriate legal obligation of confidentiality.The full and updated list of the companies acting as data processors and data intermediaries is available on request from our privacy department by writing to privacy.apac@ferrero.com.

Personal data shall not be disseminated. As a general rule, the data collected shall not be transferred outside the territory of the European Union and/or the country from which the data was collected. However, should the need arise to transfer the data to countries outside the European Economic Area and/or the country from which the data was collected, including countries not offering adequate data protection or data protection comparable to the protection provided under the Regulation, this shall be done with your consent, which shall be deemed to have been given by you providing the data to the Company, and the Company undertakes to ensure a level of protection and preservation, also by means of entering into specific agreements, that is adequate to the applicable laws, including by means of entering into standard contractual clauses.

A copy of the commitments undertaken by third parties by means of any such clause, as well as the list of the countries outside the European Economic Area and/or the country from which the data was collected where personal data has been transferred (if applicable) are available on request from our Privacy Department by writing to privacy.apac@ferrero.com.

6. Data Subjects’ rights

Data Subjects shall have the rights contemplated in GDPR (articles 15-21) and/or the Regulation in respect of the Processing of data contemplated thereto, including but not limited to the right to:

• Obtain confirmation of the existence of personal data concerning him/her and to gain access to them (right of access);
• Request the updating, modification and/or rectification of their personal data that is in the possession or under the control of the Company (right of rectification);
• Obtain erasure, or to set limits to processing, of personal data whose processing is unlawful, including that which is no longer necessary in relation to the purposes for which it was collected or otherwise processed (right to be forgotten and right to the restriction of processing);
• Object to Processing (right to object);
• Withdraw previously given consent, if any, in respect of the Processing by the Company of the Data Subject’s personal data for any purpose, without prejudice to the lawfulness of Processing based on that consent and/or any legal consequences arising from such withdrawal;
• Lodge a complaint with their local EU Data Protection Authority or to the data protection authority of Luxembourg (CNPD at https://cnpd.public.lu/en/support/contact.html), or any equivalent domestic authority, or the Company itself, if they believe that the Company has handled their information in an unlawful manner;
• Receive a copy in electronic form of their data which has been provided to the Company in the framework of an agreement and to have such data transmitted to another controller (right to data portability).

The above rights are subject to any exceptions available under the Regulation.The Company has appointed a Data Protection Officer. To exercise the rights above, and to request any further information regarding how Ferrero Processes your data, please send an e-mail to our Privacy Department at the following address: privacy.apac@ferrero.com.

Address: 89 Science Park Drive, #04-13/20, The Rutherford (Lobby C), 118261

7. Amendments

This Notice entered into force on November 1st, 2021.The Company reserves the right to partly or fully amend this Notice, or simply to update its content, e.g., as a result of changes in applicable law. The Company will inform you of such changes as soon as they are introduced, and to the maximum extent that the Regulations and applicable laws apply, they will be binding once they are communicated to you.