Privacy and Data Protection Policy

In compliance with the provisions of Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, GDPR) and Article 11 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of digital rights, we inform you of the following:

The User must carefully read this Privacy Policy, drafted in clear and accessible language to facilitate its understanding, with the aim of allowing the User to freely, informedly and voluntarily determine whether they wish to provide their personal data or those of third parties to GRUPO ADLANTER, S.A. (hereinafter, the Entity).

 

Data Controller Information

• Data controller: GRUPO ADLANTER, S.A.
• Tax ID (NIF): A59053355
• Registered office: CARRER DE ROC BORONAT, 147, CP 08018, BARCELONA (BARCELONA).
• Data Protection Officer (hereinafter, DPO) email: dpdexterno@bonetconsulting.com
• Data Protection Channel: https://corporate-line.com/cnormativo-grupoadlanter

Purpose, legal basis and retention of your personal data

The Entity will process the personal data that the User provides to us for the following purposes and for the retention periods indicated below:

• To manage the provision and performance of the contracted services and/or products, as well as the preparation, monitoring and management of contracts, offers and service proposals, including the data of the persons whose involvement is necessary for this purpose. The legal basis for this processing is the performance of a contract or the application of pre-contractual measures at the request of the data subject. In this case, we will retain the personal data for as long as the contractual or pre-contractual relationship remains in force and, once it has ended, for the legally required periods in order to address any liabilities arising from it.
• To manage and handle communications, any type of request, suggestion, complaint or claim submitted by informants/users through the Internal Information System, in accordance with Law 2/2023 of 20 February regulating the protection of persons who report regulatory infringements and the fight against corruption. These communications may involve management and, where applicable, referral to the department responsible for due handling and compliance with the applicable regulatory framework. The legal basis for this processing is compliance with legal obligations applicable to the Entity. Data relating to the information received and internal investigations will be retained for the period necessary and proportionate for the purposes of complying with the Whistleblower Protection Law, in no case exceeding a period of ten years. After three months from receipt, the communications will be deleted, unless they must be retained to certify and provide evidence of the existence and operation of the System and/or based on other compliance requirements associated with the information, with the informant’s identity being anonymised in a separate area with appropriate security measures.
• To send informational communications about products or services similar to those already contracted by the Client. The legal basis for this processing is the Entity’s legitimate interest, within the framework of a prior contractual relationship and provided that such communications refer to the Entity’s own products or services similar to those initially contracted, always guaranteeing the possibility to object with each sending. In the case of electronic communications, this processing is supported by Article 21.2 of Law 34/2002 on information society services and electronic commerce (hereinafter, LSSICE). Personal data will be retained as long as the right to object is not exercised or unsubscribing from receiving such communications is not requested.
• To send commercial communications, newsletters or mailings, when such communications are not covered by a prior contractual relationship under the terms indicated above. The legal basis for this processing is the data subject’s consent, given freely, specifically, informedly and unambiguously. Personal data will be retained as long as the consent given is not withdrawn or unsubscribing from receiving such communications is not requested.
• To manage the receipt and assessment of applications, CVs and recruitment processes, including unsolicited applications submitted through the website or the contact email address, as well as their consideration for current or future vacancies that match the candidate’s profile. The legal basis for this processing is the data subject’s consent, expressed by submitting their application. Personal data will be retained until consent is withdrawn and, in any case, for a maximum period of one year from receipt of the curriculum vitae.
• To ensure the security of persons, property and facilities by means of video surveillance systems. The legal basis for this personal data processing is the Entity’s legitimate interest in preserving the security of its facilities, people and assets. Images will generally be retained for a maximum period of 30 days from capture, unless they must be retained for longer to evidence the commission of acts that threaten the integrity of persons, property or facilities, or to comply with a legal obligation.
• To manage the professional relationship with suppliers, collaborators and third parties, including maintaining the commercial, administrative, accounting and invoicing relationship arising from the services contracted by the Entity. The legal basis for this processing is the performance of the contract and compliance with the legal obligations applicable to the Entity. Personal data will be retained for as long as necessary to manage the contractual relationship and, subsequently, for the legally required periods.
• Within the framework of managing employment relationships, the Entity may process personal data of employees, candidates or associated personnel for the following purposes:
  • To manage the employment relationship, including the formalisation, development and termination of the employment contract, as well as administrative, accounting and payroll management.
  • To manage attendance control, time recording and compliance with working hours.
  • To organise and manage mandatory or necessary training actions for the performance of the job.
  • To comply with obligations regarding occupational risk prevention, health surveillance and psychosocial risk management.
  • To exercise employer control powers provided for in labour regulations, in accordance with Article 20.3 of the Workers’ Statute.
  • To manage internal communications necessary for the proper development of work activity, including operational notices, alerts or access to corporate tools and documentation. Such communications may be carried out through personal contact means provided by the data subject when necessary for the development of the employment relationship, preferably using corporate channels when these are available.
  • To verify the absence of conflicts of interest or situations that may compromise the integrity, security or regulatory compliance of the Entity.
  • To ensure the application of equality, non-discrimination, harassment prevention and protection of vulnerable groups policies in the workplace.
  • To process the image of employees for corporate or dissemination purposes, when prior express consent has been obtained.

The legal basis for these processing activities, depending on the specific nature of each processing operation, is the performance of the employment contract, compliance with legal obligations, the Entity’s legitimate interest or the data subject’s consent where necessary. Personal data will be retained for the duration of the employment relationship and, once it has ended, for the legally required periods to address potential liabilities.

• To manage and control internal regulatory compliance mechanisms, policies and procedures, including internal control actions, and the prevention, detection and investigation of regulatory non-compliance or breaches of internal policies. The legal basis for this processing is compliance with legal obligations and, where applicable, the public interest or the Entity’s legitimate interest in ensuring regulatory compliance and the integrity of its organisation. Personal data will be retained for the time strictly necessary for the processing, investigation and closure of the actions and, subsequently, for the legally required periods.
• To manage requests to exercise data protection rights received through the channel enabled by the Entity for that purpose. The legal basis for this processing is compliance with a legal obligation applicable to the data controller. Personal data will be retained for the time necessary to process and resolve the request and, subsequently, for the legally required periods to evidence its proper handling.
• To manage and handle information or communications regarding prevention of and action against harassment, violence or especially serious conduct, in particular those affecting groups requiring special protection, including, where applicable, trans persons, LGTBI persons and minors, as well as to process any internal actions that may be appropriate. The legal basis for this processing is compliance with legal obligations, an essential public interest and, where applicable, the establishment, exercise or defence of legal claims, depending on the specific nature of the communication and the data processed. Personal data will be retained for the time strictly necessary to process the communication, investigate and adopt the appropriate measures and, subsequently, for the legally required periods. If such communications are channelled through the Internal Information System, the retention periods provided for in Law 2/2023 of 20 February shall apply.

The personal data processed generally come from the data subject. However, in certain cases, data may come from third parties with whom the data subject has a relationship, such as client companies, collaborating entities or suppliers, as well as from publicly accessible sources, where legally appropriate. In such cases, the data subject will be informed under the terms set out in Article 14 of the GDPR.

Recipients of your personal data and international transfers

The Entity may disclose the data subject’s personal data to the following recipients, where necessary depending on the purpose of the processing and on the corresponding legal basis in each case:

• Competent Public Administrations, such as Social Security, the State Tax Administration Agency, subsidy management bodies or the Public Prosecutor’s Office, when disclosure of personal data is necessary to comply with legal obligations applicable to the Entity.
• Mutual insurance companies collaborating with Social Security, occupational risk prevention services or other similar entities, where necessary to comply with obligations in labour, safety and health matters or to protect employees.
• Legal representatives of employees, including works councils, unions and prevention delegates, in cases where labour regulations apply.
• Clients or entities linked to the provision of services, exclusively when it is essential to identify employees for the proper performance of the contracted service, limiting the disclosure in all cases to adequate, relevant and non-excessive data, in accordance with the data minimisation principle.
• Service providers acting as data processors, with whom the Entity has entered into the corresponding data processing agreement in accordance with Article 28 of the GDPR.
• Judicial authorities, the Public Prosecutor’s Office and Law Enforcement Agencies, when disclosure is necessary to comply with a legal obligation, for the establishment, exercise or defence of legal claims, or in compliance with requests or orders from such authorities.

As a general rule, international transfers of personal data are not envisaged. However, where technology service providers are used that may involve processing data outside the European Economic Area, such transfers will be carried out in full compliance with Articles 44 et seq. of the GDPR, by adopting appropriate safeguards, such as entering into Standard Contractual Clauses approved by the European Commission or other valid mechanisms in accordance with applicable regulations.

Personal Data Protection Rights

To ensure transparency in the processing of your personal data, we inform you of the rights granted to you under Data Protection regulations. Below we detail each of these rights and how you can exercise them in relation to the personal data we hold.

• Right of access: You have the right to know whether the entity is processing your personal data.
• Right to rectification: You have the right to request the correction of inaccurate data.
• Right to erasure: You have the right to request the deletion of your personal data when it is no longer necessary for the stated purpose.
• Right to restriction of processing: You have the right to request that the use of your data be restricted, being retained only for the defence of claims.
• Right to object: You have the right to object to the processing of your personal data, unless there are legitimate grounds or it is needed for the defence of claims.
• Right to data portability: You have the right to receive the data in a structured and readable format in order to transfer it to another controller, where possible.
• Right to withdraw consent: You have the right to withdraw consent at any time, except where processing is required by law or necessary for a contracted service, with no retroactive effect.
• Right not to be subject to automated decisions: You have the right not to be subject to automated decisions based on personal data that significantly affect you, such as profiling.

You may notify and process the exercise of your Rights and report any indication or knowledge you may have of possible security breaches, cyberattacks and/or possible non-compliance or irregularities regarding Data Protection regulations through the enabled Channel, which you can access directly at https://corporate-line.com/cnormativo-grupoadlanter, or by contacting the Entity’s Data Protection Officer via the following email address: dpdexterno@bonetconsulting.com

In the event of disagreements with the Entity in relation to the processing of your data, you have the right to lodge a complaint with the corresponding Data Protection Supervisory Authority. In Spain, this Authority is the Spanish Data Protection Agency (www.aepd.es).

The Entity may request additional information to confirm the identity of the applicant when there are reasonable doubts about it and will respond to the request within a maximum period of one month from receipt, which may be extended in cases of particular complexity.

Internal Information System

The Entity has implemented an Internal Information System (SIIF), which is configured as a fundamental pillar for supervision, control and prevention in the field of regulatory compliance, reflecting the highest commitment, rigour and professionalism in matters of security, confidentiality, data protection, experience, independence and expertise in handling the communications received.

The internal information channels integrated into the System have been implemented through technical tools that include all the necessary requirements to provide and guarantee our commitments above. Likewise, the SIIF guarantees the basic principles of anonymity, proper recording, retention and non-alteration, prevention of conflicts of interest, protection of the informant and prevention of retaliation.

Through this System, every informant must, in good faith, report any indication, suspicion or evidence of possible regulatory breaches, crimes, unethical behaviour and, in general, non-compliance with the Entity’s protocols, rules and codes of conduct.

Access to the SIIF has been enabled in a separate section of our website.

Processing of personal data in the Internal Information System

Within the framework of the Internal Information System (SIIF), the Entity will process personal data for the purpose of managing and processing the communications received, as well as analysing, verifying and investigating the reported facts, adopting, where appropriate, the corrective, disciplinary or legal measures that correspond.

This processing is carried out in compliance with the legal obligations established in Law 2/2023 of 20 February regulating the protection of persons who report regulatory infringements and the fight against corruption, and, where applicable, on the basis of the Entity’s legitimate interest in preventing and detecting unlawful conduct or conduct contrary to internal regulations.

Within the framework of these actions, the following categories of personal data may be processed:

• Identification and contact data of informants, affected persons and third parties involved.
• Professional and employment-related data linked to the relationship with the Entity.
• Information relating to the reported facts, including descriptions, assessments or associated documentation.
• Where applicable, special categories of data under Article 9 of the GDPR, when processing is strictly necessary for the investigation and there is a sufficient legal basis under applicable regulations.

Personal data may come from the informant (identified or anonymous), from affected persons or from third parties participating in the investigation.

Finally, the Entity guarantees the confidentiality of the informant’s identity, as well as of any third party mentioned in the communication and of the affected persons. Access to the data will be restricted exclusively to authorised personnel involved in the management and investigation of the communications.

Security and control measures

General

The Entity will process personal data by applying the appropriate technical, legal, organisational and security measures in order to guarantee the confidentiality and integrity of the information it manages in accordance with current regulations.

Cybersecurity

As a specific and complementary concept to the above, the Entity applies cybersecurity measures to prevent and manage possible attacks and fraud by cybercriminals that threaten the privacy and protection of the data that our Entity processes and accesses in the context of its activities and operations.

In this regard, we would like to warn that in possible risk situations involving communications whose content and/or format raises doubts about authenticity, we recommend disregarding them and contacting the Entity through the contact details indicated in this Privacy Policy.

Likewise, any request received purportedly from our Entity regarding changes to payment methods, requests for data or contact persons, or confidential (non-public) information, bank and/or credit card details and/or other official data, should not be acted upon without direct confirmation from our Entity through an alternative means.

We appreciate and require your collaboration in communicating and reporting any notification relating to this type of request and other possible cyberattack risk situations in which our Entity may be used, as well as any possible security risk you may become aware of.

Assistance and support

Interested persons may communicate to the Entity any doubts about the processing of their personal data or the interpretation of our Policy by contacting the Data Protection Officer via the email address indicated at the beginning of this Policy.

Updates and amendments

The Entity reserves the right to amend and/or update information on data protection when necessary for proper compliance with the applicable regulations in this area. If any changes are made, the new text will be published in this same section of the website.

Update date: May 2026.