ESTAMPADOS GISBERT S.L. (the ‘Company’) is an organisation in which personal data processing activities take place, which gives it an important responsibility in the design and organisation of procedures so that they are in line with legal compliance in this area.

In the exercise of these responsibilities and with the aim of establishing the general principles that must govern the processing of personal data in the Company, it approves this Personal Data Protection Policy, which it notifies to its Employees and makes available to all its Stakeholders.

Purpose

The personal data protection policy is a measure of proactive responsibility that aims to ensure compliance with applicable legislation in this area and in relation to this, respect for the right to honour and privacy in the processing of personal data of all persons who are related to the Company.

In development of the provisions of this Personal Data Protection Policy, the Principles governing the processing of data in the organisation are established, and consequently, the procedures, and the organisational and security measures that the persons affected by this Policy undertake to implement in their area of responsibility.

To this end, management shall assign responsibilities to staff involved in data processing operations.

Scope of application

This Personal Data Protection Policy shall apply to the Company, its directors, officers and employees, as well as to all persons who deal with the Company, including expressly service providers with access to data (‘Data Processors’).

3. Principles for the processing of personal data

As a general principle, The Company shall scrupulously comply with the legislation on the protection of personal data and must be able to demonstrate this (Principle of ‘proactive responsibility’), paying special attention to those processing operations that may entail a greater risk to the rights of those affected (Principle of ‘risk approach’).

In relation to the foregoing, ESTAMPADOS GISBERT S.L. shall ensure compliance with the following principles

following Principles:

– Lawfulness, loyalty, transparency and purpose limitation. The processing of data must always be informed to the data subject, by means of clauses and other procedures; and shall only be considered legitimate if there is consent for the processing of data (with special attention to that given by minors), or if there is other valid legitimation and the purpose of the processing is in accordance with Normatia.

– Data minimisation. The data processed must be adequate, relevant and limited to what is

limited to what is necessary in relation to the purposes of the processing.

– Accuracy. The data must be accurate and, if necessary, updated. In this respect, the necessary measures shall be taken to ensure that personal data which are inaccurate in relation to the purposes of the processing are erased or rectified without delay.

– Limitation of the period of retention. Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing.

– Integrity and Confidentiality. Data shall be processed in such a way as to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organisational measures.

– Transfer of data. It is forbidden to purchase or obtain personal data from illegal sources or in those cases in which such data have been collected or transferred in contravention of the law or where their legitimate origin is not sufficiently guaranteed.

– Hiring of suppliers with access to data. Only those suppliers who offer sufficient guarantees for the application of appropriate technical and security measures in the processing of data shall be selected for contracting. An appropriate agreement shall be documented with such third parties.

– International data transfers. Any processing of personal data subject to European Union regulations that involves a transfer of data outside the European Economic Area shall be carried out in strict compliance with the requirements of the applicable law.

– Rights of data subjects. The Company shall facilitate to data subjects the exercise of the rights of access, rectification, erasure, limitation of processing, objection and portability, establishing for this purpose the internal procedures, and in particular the models for their exercise that are necessary and appropriate, which should

comply, at least, with the legal requirements applicable in each case.

The Company shall promote that the principles set out in this Personal Data Protection Policy are taken into account (i) in the design and implementation of all work procedures, (ii) in the products and services offered, (iii) in all contracts and obligations formalised or assumed and (ii) in the implementation of all systems and platforms that allow access by employees or third parties and/or the collection or processing of personal data.

4. Commitment of employees

Employees are informed of this Policy and declare that they are aware that personal information is an asset of the Company, and in this respect they adhere to it, undertaking to the following:

– Undertake the data protection awareness training that the Company makes available to them.

To carry out the data protection awareness training that the Company makes available to them.

– To apply the user-level security measures applicable to their job, without prejudice to the responsibilities in their design and implementation that may be attributed to them depending on their role within ESTAMPADOS GISBERT S.L..

– Use the formats established for the exercise of Rights by those affected and inform the Company immediately so that the response can be made effective.

– To inform the Company, as soon as they become aware of any breach of the provisions of this Policy, in particular ‘Violations of personal data security’, using the format established for this purpose.

5. Monitoring and evaluation
   

The effectiveness of the technical and organisational measures to guarantee the security of data processing shall be checked, evaluated and assessed annually, or whenever there are significant changes in data processing.

ESTAMPADOS GISBERT S.L.