At Safinea, we are committed to safeguarding the personal data of our clients, employees, partners, and all individuals whose information we handle. This Data Protection Policy outlines our dedication to processing personal data responsibly, ethically, and in compliance with applicable laws and regulations.

This policy applies to all employees, contractors, consultants, and any other third parties who have access to personal data processed by Safinea Ltd.

- Personal Data: Any information relating to an identified or identifiable natural person.

- Processing: Any operation performed on personal data, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

We adhere to the following principles in our processing of personal data:

4.1 Lawfulness, Fairness and Transparency

-  Lawfulness:Personal data shall be processed only on lawful grounds.

-  Fairness: We shall process personal data fairly and not use it in ways that have unjustified adverse effects on the individuals concerned.

- Transparency: We shall be clear, open, and honest with individuals about how their personal data will be used.

4.2 Purpose Limitation

Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

4.3 Data Minimisation

Personal data will be processed in a manner that is adequate, relevant, and limited to what is necessary in relation to the purposes.

4.4 Accuracy

We shall take all reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.

4.5 Storage Limitation

Personal data shall be kept in a form that permits identification of individuals for no longer than is necessary for the purposes for which the personal data is processed.

4.6 Integrity and Confidentiality

We shall process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

4.7 Accountability

We shall be responsible for, and be able to demonstrate, compliance with these data protection principles.

We process personal data based on one or more of the following lawful bases:

- Consent: Where the individual has given clear consent for us to process their personal data for a specific purpose.

- Contract: Where the processing is necessary for the performance of a contract with the individual or to take steps at their request before entering into a contract.

- Legal Obligation: Where the processing is necessary for compliance with a legal obligation.

- Vital Interests: Where the processing is necessary to protect someone’s life.

- Public Task: Where the processing is necessary to perform a task in the public interest or in the exercise of official authority.

- Legitimate Interests: Where the processing is necessary for our legitimate interests or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual.

We respect and uphold the rights of individuals regarding their personal data, including:

- Right to be Informed: Individuals have the right to be informed about the collection and use of their personal data.

- Right of Access: Individuals have the right to access their personal data and supplementary information.

- Right to Rectification: Individuals have the right to have inaccurate personal data corrected or completed if it is incomplete.

- Right to Erasure: Individuals have the right to have personal data erased under certain conditions.

- Right to Restrict Processing: Individuals have the right to request the restriction or suppression of their personal data under certain circumstances.

- Right to Data Portability: Individuals have the right to obtain and reuse their personal data for their own purposes across different services.

- Right to Object: Individuals have the right to object to the processing of their personal data in certain situations.

Individuals can exercise their rights by submitting a request to our Data Protection Officer. We will respond to such requests within one month, in accordance with applicable laws.

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:

- Encryption of personal data where appropriate.

- Regular testing, assessment, and evaluation of the effectiveness of security measures.

- Access controls to prevent unauthorized access to personal data.

Where processing may result in a high risk to the rights and freedoms of individuals, we shall conduct a Data Protection Impact Assessment (DPIA) to identify and mitigate such risks.

We maintain a record of our processing activities in accordance with GDPR Article 30. This record includes details such as the purposes of processing, categories of data subjects and personal data, recipients of personal data, and any transfers to third countries.

In the event of a personal data breach, we shall promptly assess the risk to individuals and, if necessary, report the breach to the relevant supervisory authority and affected individuals in accordance with applicable laws.

When engaging third-party processors, we shall:

- Conduct due diligence to ensure they are capable of providing the level of protection required.

- Enter into a written agreement requiring them to process personal data in compliance with our policies and applicable laws.

Personal data shall only be transferred to another country or territory if that country or territory ensures an adequate level of data protection, or if appropriate safeguards are in place.

We provide regular training and updates to our employees and contractors on data protection responsibilities to ensure ongoing compliance with this policy.

This policy shall be reviewed annually or when significant changes occur to ensure its effectiveness and compliance with legal and regulatory requirements.

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contract, and possible legal action.

For questions, concerns, or requests regarding this Data Protection Policy or personal data processing, please contact:

Data Protection Officer

Helen C. Johnson

Helen.johnson@safinea.eu

+44 7484 676513

By adhering to this Data Protection Policy, Safinea Ltd. demonstrates our commitment to protecting personal data and respecting the privacy rights of individuals.