PRIVACY POLICY

Our purpose is to be as transparent as possible with our users and customers about the personal data we collect. Your privacy is important to us.

Through the reading of this Privacy Policy, the user is informed about the way in which GIROPES collects, treats and protects the personal data provided to it through the website - https://giropes.com (hereinafter, the website) and any other data that it may provide in the future to GIROPES by other means.

The User should carefully read this Privacy Policy, which has been written in a clear and simple manner to facilitate its understanding, and freely and voluntarily determine whether the user wishes to provide his or her personal data to GIROPES.

By filling out any form on the corporate website and clicking on the box "I have read the privacy policy" or similar, the user expressly states that has read this privacy policy which indicates the data processing carried out and the purposes, among other information, thus complying with the duty to inform imposed by the Data Protection regulations.

In those cases where the corporate website requests consent for a specific purpose, by clicking on the "I accept" or similar box, or by clicking in the selection box (check box), the user gives unequivocal and explicit consent to the data processing in issue.

Who is responsible for the processing of your data?

• • Identity: GIROPES, S.L. –TAX ID: B17485319
  • Address: Pol. Ind. Empordà Internacional, Carrer Molló, 3, 17469 Vilamalla (GIRONA)
  • Phone: 972527212
  • E-mail: giropes@giropes.com

- Processing of DATA collected through the WEBSITE

For what purposes do we process your personal data?

GIROPES processes the information provided by interested parties in order to respond to your request and, where appropriate, to send you information about our products or services, as well as our newsletters.

No automated decisions will be made based on the data provided.

How long will we keep your data?

The data will be kept as long as the interested party does not request their deletion or for the duration of the business relationship, always respecting the statute of limitations of responsibilities.

What is the legal basis for the processing of your data?

Consent of the person concerned (by clicking on the selection box or check box): To respond to your request and, where appropriate, to send you commercial communications, as well as our newsletters.

To which recipients will your data be communicated?

No data will be transferred to third parties, unless legally required.

Data transfers to third countries?

No transfer of data to third countries is foreseen.

How did we obtain your data?

The personal data that we process at GIROPES comes from the interested party.

- DATA processing for STAFF SELECTION

For what purposes do we process your personal data?

At GIROPES we process the information provided by interested parties in order to carry out staff selection processes.

No automated decisions will be made based on the data provided.

How long will we keep your data?

They will be kept for two years, unless the data subject withdraws his or her consent before the maximum storage period expires.

What is the legal basis for the processing of your data?

Consent of the interested party: Participate in staff selection processes.

To which recipients will your data be communicated?

No data will be transferred to third parties, unless legally required.

Data transfers to third countries?

No transfer of data to third countries is foreseen.

How did we obtain your data?

The personal data we process at GIROPES comes from the interested party or his/her legal representative.

The categories of data being processed are:

• Identification data
• Mailing and e-mail addresses
• Professional and academic data

Special categories of personal data are not processed (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or organization membership, genetic data, biometric data intended to uniquely identify a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person).

- Processing of the USE of the IMAGE

For what purposes do we process your personal data?

GIROPES processes the data obtained (image and, where appropriate, voice) in order to publish these images on websites or social networks, as well as in other media, such as magazines, publications, etc., for advertising or broadcasting our activities.

No automated decisions will be made based on the data provided.

How long will we keep your data?

The data will be kept from the time the user gives his/her consent until the withdrawal of such consent.

What is the legal basis for the processing of your data?

Explicit consent of the interested party: Use of photographs and, where appropriate, videos where the image of interested parties appears.

It is also reported that by granting consent the images may be published on the company's website, social networks and any support that the company deems appropriate to publicize its activities, events and services.

To which recipients will your data be communicated?

They will be published on the company's website and/or social networks or other media.

Data transfers to third countries?

The use of images in social networks can involve international transfers of data.

- Processing of CUSTOMER DATA

For what purposes do we process your personal data?

In GIROPES we process the information provided by the interested parties with the main purpose of providing the requested services, as well as to perform the administrative, accounting and tax management derived from such services or product sales, and, where appropriate, to send commercial communications about our products and services.

No automated decisions will be made based on the data provided.

How long will we keep your data?

The data will be kept for as long as the interested party does not request its deletion, and if applicable, for the years necessary to comply with legal liabilities.

What is the legal basis for the processing of your data?

• Execution of a contract: Provide the requested services
• Legal liability: Perform the administrative, accounting and tax management of the services requested
• Legitimate interest of the responsible: Send commercial communications about our products and services

To which recipients will your data be communicated?

The data will be communicated to the following recipients:

• Tax Agency, in order to comply with legal liabilities. (Legal requirement).
• Financial institutions, with the purpose of issuing the corresponding receipts, if applicable. (Contract requirement)

Data transfers to third countries

No transfer of data to third countries is foreseen.

How did we obtain your data?

The categories of data being processed are:

• Identification data
• Mailing and e-mail addresses
• Business information
• Banking information, if applicable

- Data processing for ADVERTISING

For what purposes do we process your personal data?

In GIROPES we process the information provided by the interested parties in order to manage the sending of commercial communications about our products and/or services by electronic means (e-mail, WhatsApp, SMS...).

No automated decisions will be made based on the data provided.

How long will we keep your data?

The data will be kept from the time the user gives his/her consent until the withdrawal of such consent.

What is the legal basis for the processing of your data?

Consent of the interested party (by signing the document to obtain consent, clicking or ticking the selection box or check box or any other valid means of obtaining consent): For sending commercial communications.

To which recipients will your data be communicated?

Platforms for sending advertising by electronic means, in order to send it with guarantees and obtain statistical data.

Data transfers to third countries?

No transfer of data to third countries is foreseen.

How did we obtain your data?

The personal data that we process at GIROPES comes from the interested party.

The categories of data being processed are:

• Identification data and mailing and e-mail addresses

• Business information.

Special categories of personal data are not processed (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or organization membership, genetic data, biometric data intended to uniquely identify a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person).

- Processing of VIDEO SURVEILLANCE data

Basic Information about Data Protection

Responsible: GIROPES; Purpose: Guarantee the safety of people, goods and facilities; Legal basis: Mission in the Public Interest; Recipients: It is foreseen that data will be transferred to: If applicable, the State security forces and corps, as well as Courts and Tribunals; Rights: You have the right to access, rectify and delete the data, as well as other rights, indicated in the additional information, which can be exercised by contacting the address of the data processor

Complete information about Data Protection

For what purposes do we process your personal data?

In GIROPES we process the images captured by the cameras in order to guarantee the security of people, goods and facilities.

No automated decisions will be made based on the data provided.

How long will we keep your data?

The data will be kept for a maximum of 30 days, except for communication to Security Forces and Bodies, and/or Courts and Tribunals.

What is the legal basis for the processing of your data?

Mission in the Public Interest: Guarantee the safety of people, goods and facilities.

To which recipients will your data be communicated?

Where applicable, to the State Security Forces and Corps, as well as Courts and Tribunals, in order to provide the images if a crime or infraction has been perpetrated.

Data transfers to third countries

No transfer of data to third countries is foreseen.

What category of personal data do we process?

Image.

- Processing of VISITOR DATA to FACILITIES

For what purposes do we process your personal data?

GIROPES processes the information provided by interested parties for the purpose of registration and management of visits to the facilities of the responsible. If you do not provide your personal data, we will not be able to fulfill the purposes described above.

No automated decisions will be made based on the data provided.

How long will we keep your data?

For four years or until the interested party requests its deletion.

What is the legal basis for the processing of your data?

We provide you with the legal basis for the processing of your data:

Legitimate interest of the responsible: Control of entrances and exits to the facilities of the responsible for security reasons and traceability of visits. (GDPR art. 6.1.f).

To which recipients will your data be communicated?

No data will be transferred to third parties, unless legally required.

Data transfers to third countries

No transfer of data to third countries is foreseen.

How did we obtain your data?

The personal data we process in GIROPES comes from: The interested party.

The categories of data being processed are:

• Identification data.

- Data processing of the parties involved in the INTERNAL COMPLAINTS CHANNEL

For what purposes do we process your personal data?

In GIROPES we process the information provided by the persons concerned in order to manage the internal complaint channel and the protection of persons who report regulatory violations and anti-corruption, in order to inform the responsible of the acts or behaviors, occurred in the entity or caused by third parties who contract with it, and that may be contrary to the general or sectorial regulations applicable to it. If you do not provide your personal data, we will not be able to fulfill the purposes described above.

No automated decisions will be made based on the data provided.

How long will we keep your data?

The data will be kept for the necessary time to decide whether to initiate the investigation of the reported facts. The maximum period will be three months from its entry into the system, unless the purpose of its storing is to serve as evidence of the functioning of the prevention model, in which case the data will be kept anonymized. (OLPPDGDR art. 24.4)

What is the legal basis for the processing of your data?

We provide you with the legal basis for the processing of your data:

Mission in the Public Interest: Control of risks of non-compliance within the organization; (Organic Law 3/2018, of December 5^th, on the Protection of Personal Data and Guarantee of Digital Rights [Preamble V]). Processing of special categories of data contained in the information on the infringement (Law 2/2023, February 20th, regulating the protection of persons who report regulatory infringements and the fight against corruption, art. 30 and GDPR art. 9.2.g).

Fulfillment of a legal liability: (EU) Directive 2019/1937 of the European Parliament and of the Council dated October the 23^rd, 2019 on the protection of persons who report breaches of Union law (Art. 8; liability of the establishment of internal complaint channels). Law 2/2023, of February 20^th, regulating the protection of persons who report regulatory violations and the fight against corruption.

Consent of the interested party: For the storing and recording of complaints made through telephone lines and voice messaging systems with recording. As well as for the recording of the personal meeting requested with the entity for the purpose of denouncing. ((EU) Directive 2019/1937; art. 18.2 and 4)

To which recipients will your data be communicated?

The data will be communicated to the following recipients:

State Security Forces and Corps; Jurisdictional Bodies; Public Prosecutor's Office, in order to report the commission of a possible crime (legal requirement).

Data transfers to third countries

No transfer of data to third countries is foreseen.

How did we obtain your data?

The personal data processed by GIROPES comes from the complaint filed by the interested parties who have an employment, commercial or service relationship with the company.

The categories of data being processed are:

• Identification data.
• Business information.
• Financial data.

The following special categories of data are processed: health-related data.

RIGHTS OF THE INTERESTED PARTY

What are your rights when you provide us with your data?

Any person has the right to obtain confirmation as to whether or not GIROPES is processing personal data concerning them.

The interested parties have the right to access (art. 15 GDPR) to their personal data, as well as to request the rectification (art. 16 GDPR) of inaccurate data or, where appropriate, to request its deletion (art. 17 GDPR) when, among other reasons, the data is no longer necessary for the purposes for which it was collected.

In certain circumstances, data subjects may request the limitation (Art. 18 GDPR) of the processing of their data, in which case we will only keep them for the exercise or defense of claims.

In certain circumstances and for reasons related to their particular situation, the interested parties may object to the processing (art. 21 GDPR) of their data. In such case, GIROPES will stop processing the data, except for compelling legitimate reasons or the exercise or defense of possible claims.

You also have the right to request the portability (art. 20 GDPR) of your personal data. This means that you have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format, so that it can be transmitted to another entity directly, where technically feasible.

If you have given your consent for any specific purpose, you have the right to withdraw your consent (art. 7 GDPR) at any time, without affecting the lawfulness of the processing based on the consent prior to its withdrawal.

Rights may be exercised by contacting the responsible in person, by mail or by e-mail to the e-mail address of the responsible, sending the instance / request. The forms for the exercise/request of rights can be found on the website of the Spanish Data Protection Agency:

https://www.aepd.es/reglamento/derechos/index.html#section1

In case you feel that your rights concerning the protection of your personal data have been violated, especially when you have not obtained satisfaction in the exercise of your rights, you may submit a complaint to the competent Data Protection Supervisory Authority, by accessing the electronic headquarters of the Spanish Data Protection Agency:

https://sedeagpd.gob.es/sede-electronica-web/vistas/infoSede/queSede.jsf

OBLIGATION TO PROVIDE THE DATA

The data requested in the accessible forms from the GIROPES Website and, in general, those requested by the company for providing the service/sale of the product, are, in general, obligatory (unless otherwise specified in the required field) in order to comply with the established purposes. Therefore, if they are not provided or are not provided accurately, requests may not be fulfilled correctly.

In case the interested party provides data of third parties, he/she declares to have the consent of these and undertakes to transfer to the interested party, owner of such data, the information contained in this Privacy Policy, exempting GIROPES from any responsibility in this regard.

SECURITY MEASURES

Personal data will be processed in a lawful, fair and transparent way in relation to the interested party («lawfulness, fairness and transparency»); collected for specified, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, kept in a form which allows the identification of the interested parties for no longer than is necessary for the purposes of the processing of the personal data (respecting the statute of limitations for responsibilities); processed in such a way as to ensure appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or accidental damage, through the implementation of appropriate technical or organizational measures ("integrity and confidentiality").

We follow strict criteria for the selection of service providers with access to personal data, in order to comply with their data protection liabilities, as well as to formalize with them the corresponding data processor contract (art. 28 GDPR), whereby they will be required, among others, the following liabilities: implement appropriate technical and organizational measures; process the data according to our instructions; and delete or return the data to us upon the completion of the provision of services.