PRIVACY POLICY

The Directorate/Governing Body of CORPORACION HMS HERMASAN S.L. (hereinafter, the controller), assumes the maximum responsibility and commitment to the establishment, implementation and maintenance of this Data Protection Policy, guaranteeing the continuous improvement of the controller with the objective of achieving excellence in relation to compliance with (EU) Regulation 2016/679 of the European Parliament and Council, of April 27, 2016, relative to the protection of natural persons with respect to the processing of person data and the free circulation of this data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJEU L 119/1, 04-05-2016), and the Spanish law on the protection of personal data (Organic Law, specific sectoral legislation and its implementing rules).

The Data Protection Policy of CORPORACION HMS HERMASAN S.L. relies on the principle of proactive responsibility, according to which the controller is responsible for compliance with the legal and regulatory framework governing the said Policy and is able to demonstrate this to the competent control authorities.

In this sense, the controller will be governed by the following principles which should serve all its personnel as a guide and framework of reference in the processing of personal data:

u the controller will apply, both at the time of determining the means of processing and at the time of processing itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively apply the principles of data protection, like data minimization, and integrate the necessary guarantees in the processing.

1. Date protection by design: the controller will apply, both at the time of determining the means of processing and at the time of processing itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively apply the principles of data protection, like data minimization, and integrate the necessary guarantees in the processing.

2. Data protection by default: the controller will apply the appropriate technical and organisational measure so as to guarantee that, by default, only the personal data necessary for each of the specific purposes of the processing will be processed.

3. Data protection in the information life cycle: the measures that guarantee the protection of personal data will be applicable during the complete life cycle of the information.

4. Lawfulness, loyalty and transparency: personal data will be processed in a lawful, fair and transparent manner in relation to the interested party.

5. Limitation of the purpose: personal data will be collected for specific, explicit and legitimate ends, and will not be further processed in a manner incompatible with said ends.

6. Minimization of data: personal data will be adequate, relevant and limited to what is necessary in relation to the ends for which it is processed.

7. Accuracy: personal data will be accurate and if necessary updated; all reasonable measures will be taken so that personal data which is inaccurate with respect to the purpose for which it is processed will be deleted or rectified without delay.

8. Limitation of the conservation period: personal data will be maintained in a way which allows the identification of the interested parties during no more time that is necessary for the purposes of processing personal data.

9. Integrity and confidentiality: personal data will be processed in such a way as to guarantee the adequate security of that data, including protection against unauthorised or illicit processing and against loss, destruction or accidental damage, through the application of appropriate technical or organizational measures.

10. Information and training: one of the keys to guaranteeing the protection of personal data is the training and information which is provided to the personnel involved in its processing. During the information life cycle, all the personnel with access to the data will be properly trained and informed about their obligation in relation to compliance with data protection regulations.

The Data Protection Policy of CORPORACION HMS HERMASAN S.L. is communicated to all the controller’s personnel and made available to all interested parties.

Hence this Data Protection Policy involves all the controller’s personnel who must be familiar with it and take it on, considering it as their own, with each member responsible for applying it and verifying the standards of data protection applicable to their activity, as well as identifying and contributing the opportunities for improvement they consider appropriate with the aim of achieving excellence with regard to compliance.

This Policy will be revised by the Directorate/Governing Body of CORPORACION HMS HERMASAN S.L., as many times as deemed necessary, to adapt, at all times, to the current provisions on the protection of personal data.