25-04-2022

1. Purpose

The Personal Data Protection Policy is a measure of proactive responsibility that aims to ensure compliance with applicable legislation in this area and in relation to this, respect for the right to honor and privacy in the processing of personal data of all persons who are related to the Company. In development of the provisions of this Personal Data Protection Policy, the Principles governing the processing of data in the organization are established, and consequently, the procedures, and the organizational and security measures that the persons affected by this Policy undertake to implement in their area of responsibility. To this end, the Management shall assign responsibilities to the personnel involved in data processing operations.

2. Scope of application

This Personal Data Protection Policy shall apply to the Company, its directors, officers, and employees, as well as to all persons who deal with it, expressly including service providers with access to data (“Data Processors”).

3. Principles of personal data processing

As a general principle, The Company will scrupulously comply with the legislation on personal data protection and must be able to prove it (Principle of “proactive responsibility”), paying special attention to those processing operations that may entail a higher risk for the rights of the affected parties (Principle of “risk approach”). In relation to the above CYTES BIOTECHNOLOGIES S.L. will ensure compliance with the following Principles:

•  Lawfulness, loyalty, transparency, and purpose limitation. The data processing must always be informed to the affected party, through clauses and other procedures; and will only be considered legitimate if there is consent for the processing of data (with special attention to that provided by minors), or has other valid legitimacy and the purpose of the same is in accordance with regulations.

• Data minimization. The data processed must be adequate, relevant and limited to what is necessary in relation to the purposes of the processing.
• Accuracy. The data shall be accurate and, if necessary, updated. In this regard, the necessary measures shall be taken to ensure that personal data that are inaccurate with respect to the purposes of the processing are deleted or rectified without delay.
• Limitation of the retention period. The data will be kept in a form that allows the identification of the data subjects for no longer than is necessary for the purposes of the processing.
• Integrity and Confidentiality. Data shall be processed in such a way as to ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by implementing appropriate technical or organizational measures.
• Transfer of data. It is forbidden to purchase or obtain personal data from illegitimate sources or in those cases where such data have been collected or transferred in contravention of the law or where their legitimate origin is not sufficiently guaranteed.
• Hiring of suppliers with access to data. Only suppliers that offer sufficient guarantees to apply appropriate technical and security measures in the processing of data will be chosen for contracting. With these third parties, the appropriate agreement in this regard shall be documented.
• International data transfers. Any processing of personal data subject to European Union regulations that involve a transfer of data outside the European Economic Area must be carried out in strict compliance with the requirements established in the applicable law.
• Rights of data subjects. The Company will facilitate the exercise of the rights of access, rectification, deletion, limitation of processing, opposition and portability to the affected parties, establishing for this purpose the internal procedures, and in particular the models for its exercise that are necessary and appropriate, which must satisfy, at least, the legal requirements applicable in each case.