This Privacy Policy has been developed by taking into account the provisions of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and the movement of such data (the "GDPR"); Spanish Organic Law 3/2018 of 5 December, on Protection of Data and Digital Rights (_Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos y derechos digitales_) (the "LOPDGDD"); and other applicable laws and regulations.

The purpose of this Privacy Policy is to inform natural persons who provide their own personal data and/or the data of persons they represent, about how those data are being collected, and about specific aspects relating to processing of their data, the purposes of that processing, the contact details to use for exercising their rights, the data storage periods, and the security measures implemented, among other subjects.

WHO IS THE DATA CONTROLLER?

In relation to data protection, GRUPO INDUSTRIAL CRIMIDESA SL is the data controller for the personal data processing being performed by that company.

The contact details for the data controller are as follows:

• Identity of the data controller: GRUPO INDUSTRIAL CRIMIDESA SL
• Address: María de Molina, 37, 6ª planta. 28006 Madrid - Spain
• Telephone: +34914113045

WHAT PERSONAL DATA DO WE PROCESS?

All data collected by GRUPO INDUSTRIAL CRIMIDESA SL will be processed lawfully, fairly, and in a transparent manner.

In addition, the data requested during each of the procedures performed will only include information that is strictly essential for the intended, informed purpose in each case.

This means that the data collected from you will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed in each case. It also means that your personal data will be collected for specified, explicit, legitimate purposes, and will not be further processed in any way that is incompatible with those purposes. In addition, the data will be kept up to date where necessary.

In general, the following types of data will be collected as part of the various processing steps for activities performed at the organisation:

• Identification data.
• Data relating to academic, professional, and training profiles.

WHAT ARE THE SOURCES OF THE PERSONAL DATA?

As a general rule, the personal data are always collected directly from the data subject. However, there are some specific exceptions to this rule, where the data may be collected via sources other than the data subject, such as third-party persons, entities, or services.

The data subjects will be informed about this in the informational texts that appear on the different means of information collection, either as part of the first communication with the data subject, or within a reasonable period of time.

WHAT IS THE PURPOSE OF OUR PERSONAL DATA PROCESSING, AND WHAT ARE THE SPECIFIC CASES?

In general terms, the personal data are processed for the following purposes:

• Contact: to respond to requests for information we receive about the products and services offered, and to respond to any other types of questions we receive from the users. If you are using social networks to send queries to us, you should avoid entering personal data there. Remember that we have no control over the information you provide to those platforms, so we recommend that you should carefully read the privacy policy of each social network you are using.
• Candidates: to perform our internal staff selection processes, both current and future.
• Delivery notes: to process and manage the product or service requested through the quotation, and to perform subsequent follow‑up to maintain contact with the data subject. For more information about how we use your personal data, please use the following link: (LINK)
• Contractual relationships: to process and manage the service and its subject matter, for financial, administrative, taxation, and accounting purposes, or to perform verifications regarding compliance or non‑compliance with monetary obligations, or to perform verifications with official regulatory bodies if necessary because of the nature of the contracted service. In addition, the data will be used to review and ensure the quality of the product and/or service contracted (customer service, satisfaction surveys, follow‑up or advising regarding your product), and to communicate with you or send you necessary or mandatory notices relating to control and performance of the subject matter of the service. For more information about how we use your personal data, please use the following link: (LINK)
• Invoices: to process and manage customer documentation, the sale of goods and services, invoicing, accounting, collections activities, situations of non‑payment, offers, quotations, contracts, customer service, contact with customers, and commercial relationships, and to keep you informed regarding our own products and services that may be of interest to you. The personal data will also be processed for the purpose of complying with the data controller's legal obligations. You can find more information about data protection by using the following link: (LINK)
• Quotations: to process and manage the product or service requested via the quotation, or the request for information we have received, and to perform subsequent follow-up to maintain contact with the data subject. You can find more information about data protection at the following link: (LINK)

The personal data we collect are not used for purposes of profiling or for automated decision-making.

However, all the specific purposes for which we perform each type of processing are explained in the informational texts incorporated into each of our means of data collection (online forms, printed forms, audio or visual advertising, informational notes, invoices, contracts, and other documents that may contain personal data).

WHAT IS THE LEGAL BASIS FOR THE DATA PROCESSING?

As a general rule, before processing any personal data, GRUPO INDUSTRIAL CRIMIDESA SL will inform you about the legal basis for the specific type of processing performed.

However, the organisation may process personal data for the purpose of:

• Compliance with legal and regulatory obligations: these include, but are not limited to, those set forth in the following Spanish statutes: the General Consumer and User Defence Act (_Ley General para la Defensa de los Consumidores y Usuarios_), General Taxation Act (_Ley General Tributaria_), Corporation Tax Act (_Ley de Impuestos de Sociedades_), Account Auditing Act (_Ley de Auditoría de Cuentas_), Value-Added Tax Act (_Ley del Impuesto sobre el Valor Añadido_), Civil Code (_Código Civil_), and Commercial Code (_Código de Comercio_). There may also be specific laws or regulations that authorise or require processing of the data subject's data, which will be listed in the corresponding informational text. In addition, compliance with legal obligations will be the legal basis for compliance with the data controller's applicable legal obligations.
• Performance of a contract or pre-contractual relationship: for management in advance of a contracted service or product, to develop performance of a contract, or for subsequent management derived from such operations.
• Consent: some types of processing are based on obtaining the data subject's express, unambiguous consent. This is done by incorporating informed consent texts into the various information collection systems; by obtaining consent via a statement made by the data subject; by requiring a clear, affirmative act such as ticking a box made available for this purpose; by requiring a signature on the appropriate document; or by collecting data sent via the means of contact indicated. In addition, we inform you that we will only use the personal data in compliance with this Privacy Policy and, in general, we will ask for your consent before using the data for any purposes other than those for which you initially provided them.
• Legitimate interest: some types of data processing are performed based on the data controller's legitimate interest, primarily those that involve sending commercial communications about products or services similar to those contracted. According to article 21(2) of the Spanish Information Society Services Act (_Ley de Servicios de la Sociedad de la Información_), this type of processing will only be valid if the customer has not expressly opted out of receiving these communications, either at the time when the data are collected, or by using the option found in any of the communications we send.

FOR HOW LONG WILL WE PROCESS THE PERSONAL DATA?

The personal data are processed for as long as necessary to comply with the purpose for which they were collected; for as long as the service continues to be provided or the employment or contractual relationship continues to exist; for as long as a mutual interest exists; and/or during the time period set forth in the corresponding laws and regulations.

Once those time periods have elapsed, the data will be removed from our systems. However, the data may still be retained, with access to it blocked, so that it can be made available only to governmental bodies and courts for the purpose of addressing any potential liabilities arising from the processing, for the limitation periods corresponding to those liabilities. Once those limitation periods have elapsed, the data will be destroyed.

WHO DO WE SHARE THE PERSONAL DATA WITH?

In order to comply with the purposes described above, personal data may be shared with:

• Other companies belonging to our group of undertakings. Other than this, no other data transfers to third parties are anticipated, except to the competent authorities in the case of specific legal obligations.

ARE INTERNATIONAL DATA TRANSFERS PERFORMED?

As a general rule, no data transfers are performed to any countries outside of the European Economic Area (EEA). However, if any data transfers to countries outside of the EEA are to occur, the ORGANISATION will apply adequate safeguards in order to perform that transfer, based on the requirements set forth in the European Union's General Data Protection Regulation.

WILL PROFILING OR AUTOMATED DECISION-MAKING OCCUR?

In general, no profiles are created for the purpose of automated decision-making.

WHAT RIGHTS CAN YOU EXERCISE?

According to the European legislation, data subjects can exercise the following rights:

• Right of Access: this is the right to ask the data controller for information from a filing system, regarding whether your personal data are being processed.
• Right of Rectification: this is the right to request changes to any data that are inaccurate or incomplete.
• Right to Object to Processing: this is the data subject's right to object to processing of their personal data, or to have such processing stopped.
• Right Not to be Subject to Individual Automated Decision-Making: this is the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects the data subject.
• Right to Limit the Purpose of the Processing: this is the data subject's right to halt processing of their personal data under certain circumstances.
• Right to Erasure or "Right to be Forgotten": this is the data subject's right to request erasure of their personal data.
• Right to Data Portability: this is the data subject's right to ask the data controller to send their personal data to another data controller in a clear, structured format.
• Right to Lodge a Complaint: the data subject may lodge a complaint with a competent supervisory authority if they believe that the processing does not comply with the legislation in force.

HOW CAN YOU EXERCISE YOUR RIGHTS?

Data subjects can exercise their rights in the following ways:

• By sending an email to protecciondatos@crimidesa.es and including a document to verify their identity (a copy of the front side of their national identity document or an equivalent document). In all cases, you can request assistance from the Spanish Data Protection Agency (_Agencia Española de Protección de Datos_) via its website. In relation to this, GRUPO INDUSTRIAL CRIMIDESA SL will respond to your request as soon as possible, and taking into account the time periods established in the data protection legislation.

WHAT COULD HAPPEN IF THE PERSONAL DATA ARE NOT PROVIDED?

The data requested in fields marked with an asterisk (*), or provided in the documents or other media used to collect the data, are strictly necessary in relation to the purpose for which they are being collected or for providing optimal service to the data subject; or they must be collected because the data controller has a legal obligation to collect them; or they are required in order to enter into a contract. Provision of the data requested in all other fields is optional.

However, if you do not provide all of the data, we cannot guarantee that the information and services provided will be fully adapted to your needs.

This means that if you do not provide the required data, or if you provide inaccurate or incomplete data, it may not be possible to respond to your request, or it may be impossible to provide the information requested or proceed with contracting of the services.

In addition, the user must ensure that the data provided via any of the forms is truthful and accurate, and corresponds with the data subject's own personal data.

WHAT SECURITY MEASURES HAVE WE IMPLEMENTED?

GRUPO INDUSTRIAL CRIMIDESA SL has implemented the security measures required under section 32 of the GDPR.

In relation to this, GRUPO INDUSTRIAL CRIMIDESA SL, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the existing risk.

In all cases, GRUPO INDUSTRIAL CRIMIDESA SL has implemented measures that are sufficient to:

• Ensure the ongoing confidentiality, integrity, availability, and resilience of the processing systems and services
• Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
• Regularly test, assess, and evaluate the effectiveness of the technical and organisational measures implemented for ensuring the security of the processing.

CHANGES TO THIS PRIVACY POLICY

This Privacy Policy may be modified from time to time, in order to update it based on changes to the legislation in force; or to update the procedures applied for collecting and using personal data; or based on the addition of new services or elimination of others. Any such changes will enter into force from their time of publication at the website, so it is important to regularly review this Privacy Policy to remain informed about any changes made to it.