Corporate Name: IBIZA MOBILITY EXPERTS S.L.U.

VAT ID: B70991674

Registered Office: Carretera Aeropuerto km. 5,5 (Pol. Ind. Can Frigoles nº 6) Sant Jordi de Ses Salines 07817 Ibiza.

Personal Data Protection Policy

Applicable Regulations:

Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, “GDPR”).

Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, “LOPDGDD”).

National regulations on data protection in the countries where IBIZA MOBILITY EXPERTS S.L.U. has a presence.

The GDPR is mandatory for all EU companies that process personal data of European citizens. Additionally, it applies to companies established outside the European Union that process data of European citizens in relation to an offer of products or services offered to them, or the analysis of their behavior within the EU.

Scope:

This policy applies to Spain without prejudice to possible adaptations at the international level, in accordance with the legislation and regulations of the reference country.

Additionally, the policy will apply to all professionals in all areas and departments of contracting, rental, maintenance, management, office, and sales integrated into IBIZA MOBILITY EXPERTS S.L.U.

Definitions:

Personal data: any information about an identified or identifiable natural person (“the data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Data controller or controller: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor or processor: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Data protection officer: a natural person who: (1) informs and advises the controller or processor and the employees who are involved in processing of their obligations under data protection law, (2) monitors compliance with data protection law, other data protection provisions, and the policies of the controller, (3) provides advice on data protection impact assessments and monitors their performance, (4) cooperates with the supervisory authority.

Sensitive data or special categories of data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

Transfer of personal data to third countries or international organizations: processing of data that involves a transfer of such data outside the territory of the European Economic Area (EEA), whether it constitutes a disclosure or transfer of data, or is intended for the performance of data processing on behalf of the controller.

Data breaches or Personal Data Security Violations: any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Basic Principles:

IBIZA MOBILITY EXPERTS S.L.U. and all its personnel must comply with the following principles in the processing of personal data:

Principle of lawfulness and transparency: The processing of personal data must be lawful, and the data subject should be informed of the circumstances concerning the processing of their data in an accessible and understandable manner, in clear and plain language.

Principle of legality: The processing of personal data may only be carried out if there is a legal basis for it, such as the data subject’s consent or another legal basis such as the performance of a contract with the data subject, compliance with the legal obligations of IBIZA MOBILITY EXPERTS S.L.U., or the satisfaction of legitimate interests of IBIZA MOBILITY EXPERTS S.L.U.

Principle of purpose limitation: Personal data shall only be processed for specified, explicit, and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes.

Principle of data minimization: Only the personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed should be collected and processed.

Principle of accuracy: It shall be ensured that the data available are accurate and up to date.

Principle of exercising data protection rights: Proper attention shall be given to the data protection rights (access, rectification, erasure, objection, restriction of processing, and data portability) of the data subjects.

Principle of limitation on storage period: Personal data shall be kept in a format that allows the identification of data subjects for no longer than is necessary for the purposes for which the personal data was collected, avoiding abuses that could infringe the other principles relating to processing.

Principle of data security: Appropriate security measures shall be established to protect the personal data being processed, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Principle of proactive responsibility: IBIZA MOBILITY EXPERTS S.L.U. shall ensure compliance with these principles by its personnel and shall comply with other requirements provided for by current data protection regulations. To this end, a record of processing activities shall be kept.

IBIZA MOBILITY EXPERTS S.L.U. shall guarantee a level of security in data protection from the moment of determining the means and purposes of processing, as well as during the actual processing of the data.

Strategic Lines and Commitments Roles and Responsibilities:

This section includes the planned allocation of roles and responsibilities within the organization, which, when necessary, will be complemented by a more detailed one within each local organization of IBIZA MOBILITY EXPERTS S.L.U.

IBIZA MOBILITY EXPERTS S.L.U. employees shall:

Know their obligations and responsibilities regarding the processing of personal data that they need to perform in the course of their work.

Process personal data in accordance with the principles set out in the GDPR.

Ensure that third parties who need to access personal data comply with the technical and organizational measures established in the contract.

Report any personal data security incidents of which they become aware.

IBIZA MOBILITY EXPERTS S.L.U. shall:

Ensure that employees fulfill their roles and responsibilities regarding the protection of personal data.

Ensure compliance with the provisions of this policy.

Implement those necessary local procedures to guarantee the rights and obligations established in the GDPR, such as the management of data subject rights, the management and reporting of security incidents, or the implementation of information clauses for obtaining consent.

Security Measures:

IBIZA MOBILITY EXPERTS S.L.U. guarantees the security, secrecy, and confidentiality of personal data under its responsibility by adopting the most demanding and robust security measures and technical means to prevent its loss, misuse, or unauthorized access. Thus, personal data that IBIZA MOBILITY EXPERTS S.L.U. may collect through different channels will be treated with absolute confidentiality, committing to keep them secret and guaranteeing the duty of keeping them by adopting all necessary and reasonable measures to prevent their alteration, loss, or unauthorized access, in accordance with applicable law.