PRIVACY POLICY

GR 100 PLASENCIA S.L. (the “Company”) is an Organization in which personal data processing activities take place, which means it has an important responsibility to design and organize procedures so that they are aligned with legal compliance in this matter.
In the exercise of these responsibilities and in order to establish the general principles that should govern the processing of personal data in the Company, it approves this Personal Data Protection Policy, informing its Employees hereof and making it available to all its interest groups.

1. Purpose

The Personal Data Protection Policy is a proactive Responsibility measure that is intended to ensure compliance with the applicable legislation on this matter and in relation thereto, respect for the right to honor and privacy in the processing of personal data of all people who relate to the Company.
In development of the provisions of this Personal Data Protection Policy, the Principles that govern the processing of data in the organization and consequently, the procedures, and the organizational and security measures that the people affected by this Policy undertake to implement in their area of responsibility.
To this end, Management will assign responsibilities to the staff involved in data processing operations.

2. Scope of application

This Personal Data Protection Policy will apply to the Company, its administrators, directors and employees, as well as to all people related hereto, with the express inclusion of service providers with access to data (“Data Processor”)

3. Principles for the processing of personal data

As a general principle, the Company will scrupulously comply with legislation on the protection of personal data and must be able to demonstrate it (principle of “proactive responsibility”), paying special attention to any processing that may pose a greater risk to the rights of those affected (the “risk approach” principle).
Concerning the above, GR 100 PLASENCIA S.L. shall ensure compliance with the following Principles:

• Legality, loyalty, transparency and limitation of purpose. The affected party must always be informed of the data processing through clauses and other procedures; and it will only be considered legitimate if there is consent for the processing of data (with special attention to that given by minors), or it has another valid legal basis and the purpose thereof is in accordance with the Regulations.
• Data minimization. The data processed must be adequate, relevant and limited to what is necessary in relation to the purposes of the processing.
• Accuracy. The data must be accurate and, if necessary, updated. In this regard, the necessary measures will be taken to promptly delete or rectify personal data that is inaccurate with respect to the purposes of the processing.
• Limitation of the conservation period. The data shall be maintained in a way that the persons concerned can be identified for no longer than necessary for the purposes of the processing.
• Integrity and Confidentiality. The data will be processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures.
• Data transfers. The purchase or obtaining of personal data from illegitimate sources is prohibited or in those cases in which the said data has been collected or transferred in contravention of the law or its legitimate origin is not sufficiently guaranteed.
• Hiring suppliers with access to data. Only suppliers who offer sufficient guarantees to apply appropriate technical and security measures in data processing will be hired. The proper Agreement in this regard will be documented with these third parties.
• International data transfers. All processing of personal data subject to European Union regulations that involves a transfer of data outside the European Economic Area must be carried out in strict compliance with the requirements established in the applicable law.
• Rights of those affected. The Company will ensure that those affected can exercise their rights of access, rectification, deletion, limitation of processing, opposition and portability, establishing for this purpose the internal procedures, and in particular the models for their exercise that are necessary and appropriate, which must at least satisfy the legal requirements applicable in each case.

The Company will ensure that the principles included in this Personal Data Protection Policy are taken into account. (i) in the design and implementation of all work procedures, (ii) in the products and services offered (iii) in all contracts and obligations that they formalize or assume and (iv) in the implementation of any systems and platforms that allow access by employees or third parties and/or the collection or processing of personal data.

4. Commitment of workers

Workers are informed of this Policy and declare themselves aware that personal information is an asset of the Company, and in this regard they adhere to it, committing to the following:

• Carrying out the data protection awareness training that the Company makes available to them.
• Applying security measures at the user level that apply to their workplace, without prejudice to the responsibilities in their design and implementation that may be attributed to them based on their role within GR 100 PLASENCIA S.L.
• Use the established formats for the exercise of Rights by those affected and inform the Company immediately so that the response can be effective.
• Inform the Company, as soon as it becomes aware, of deviations from what is established in this Policy, in particular of “Violations of the security of personal data”, using the format established for this purpose.

5. Monitoring and evaluation

An annual verification, evaluation and assessment will be carried out, or whenever there are significant changes in data processing, of the effectiveness of the technical and organizational measures to guarantee the security of the processing.

GR 100 PLASENCIA S.L.