1. Introduction

We are highly committed to the privacy of individuals, which is why the protection of personal data is important to us.

We treat data in accordance with the provisions of EU Regulation 2016/679 General Data Protection Regulation, Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights and other applicable regulations in this regard.

This Privacy Policy was revised in September 2023 to comply with the duties of the controller and of website information and transparency, as well as to provide the general terms of the subject-matter expert to any party interested and not only to the website users. There may be variations until the next revision.

2. Who is the data controller?

Party in charge: NEW GROWING SYSTEM S.L.

Spain’s Tax ID Number (NIF/CIF): B04272175

Address: CTRA. PULPÍ, PARAJE EL CANADILLAR Nº 10. 04640 PULPÍ (ALMERÍA)

Email: ngs@ngsystem.com

3. What is the origin and type of the data we process?

The origin of the information we process can be any of the following categories:

• • Paper, electronic or digital forms.
  • Communication and messaging systems: e-mail and messaging applications, telephone, etc.
  • Other lawful sources and origins of information.

The different categories of data that we may process depending on the type of data subject (user, customer, supplier, employee, etc.) and of the data controller activity nature, as well as depending on the different data processing methods, are as follows:

• • Identification data, for example: full name, image.
  • Identification codes or passwords, for example: user name, employee code.
  • Postal or electronic contact addresses, for example: telephone, email, social network profiles.
  • Data on personal and professional characteristics, such as age, date of birth, qualifications, professional experience, CV.
  • Economic, financial and insurance data, e.g.: bank details, credit card, etc.
  • Economic and non-economic payroll data and other employment-related information, for example job title, payroll document, etc.
  • Transactional data, for example: goods and services provided and received.
  • Special category data, for example: health, union membership, racial origin.
  • Other data and information necessary or implicit in the development of our activities, services and object.

MANDATORY OR OPTIONAL NATURE OF THE INFORMATION PROVIDED BY THE INTERESTED PARTY.

The interested party, by ticking the corresponding boxes and entering data in the fields marked as mandatory (for example with an asterisk) in the contact form or presented in download forms, expressly, freely and unequivocally accepts that their data is necessary for the controller to meet their request. The inclusion of data in the remaining fields is voluntary.

The interested party guarantees that the personal data provided to the officer is truthful and undertakes to communicate any changes to them. The data requested through the website, marked as mandatory, is necessary to provide an optimal service to the person concerned. If not all data is provided, there is no guarantee that the information and services provided will be completely tailored to your needs.

4. What is the aim of processing your personal data?

Generally speaking, data is processed to successfully carry out the actions inherent to normal activity development and management by the data controller. However, we can specify different processing purposes depending on the possible existing categories of interested parties:

• • Actual and potential customers: management and maintenance of commercial, pre-contractual and contractual relationships; in-house administration; economic management; advertising and marketing, customer service.
  • Collaborators, creditors and suppliers: management and maintenance of commercial relations, in-house administration and financial management.
  • Workers: management, development and maintenance of labor relationships, human resources management, communications, training activities, prevention of occupational hazards, workday registration and other purposes arising from legal obligations and development of labor relations.
  • Candidates: management of resumes received, management of job offers and personnel selection.
  • Website and social network users: user service and management of communications between the parties.
  • Visitors: visitor service and access control to the facilities.
  • Existing information of any other interested party category which is processed by the data controller, shall be done within the framework of their activity, in strict compliance with applicable norms and under the general criteria of this Privacy Policy.

Other general purposes that the data controller may implement are as follows:

• • Preparation of a commercial profile, with the aim to enhance your experience by personalizing offers and communications. No individualized decisions will be made based on this profile, and actions will always be driven by a legitimate interest.
  • Video surveillance, for the security of goods and people, as well as the corresponding labor control based on legitimate interest.
  • Telephone switchboard, in order to record communications for security, guarantee and quality of service, based on legitimate interest.
  • Financial risk analysis and control of monetary obligations. In case of debtors with certain, due and enforceable payments pending, the responsible party may communicate this circumstance to credit solvency files, debtors’ files, and debt management or collection services, among others, based on legitimate interest.
  • Communications: development and implementation of communications through the available data and means of contact (e-mail, instant messaging, etc.) with categories of internal stakeholders (workers) and external stakeholders (customers, prospects, collaborators, suppliers, etc.). The purposes of such communications may be informative, organizational, commercial and advertising, as appropriate based on informed consent and the data controller’s legitimate interest.
  • Other purposes derived from the nature of the data controller, rooted in the normal development and exercise of their activity, and based on a valid legitimate basis.

5. How long do we keep your data?

In general, personal data is kept at least as long as there is a relationship with the person concerned, as long as their deletion is not requested, as long as liabilities may arise or as long as there is a legal provision for their retention.

With regard to the data of candidates and job seekers, it is deleted immediately when they are no longer of interest to the data controller.

The data controller has a data protection plan with an inventory of retention periods which is observed in order to manage the different retention periods applicable.

In any case, data deletion is carried out ensuring the confidentiality of data.

6. What is the legitimacy of processing your data?

The controller observes and applies the following legitimating bases which apply to each purpose of processing: These actions are the following:

1. 1. Informed consent of the data subject.
   2. Pre-contractual or contractual commitments.
   3. Legitimate interest of the controller.
   4. Applicable legal obligations.
   5. Other legally prescribed legitimate bases.

7. To which recipients will your data be communicated?

The data of interested parties shall not be communicated to any third party by default, except: a) auxiliary services, authorized data processors or other implicit third parties necessary to correctly provide goods and services; b) authorities and public administrations competent in the exercise of their functions; c) other legitimate interested parties and legally foreseen third parties.

8. What are your rights when you provide us with and/or we process your data?

As an interested party, you may at any time request us to exercise any of the following data protection rights:

• • To access the interested party’s personal data with the aim of confirming whether or not data concerning you is being processed and to obtain more information about this processing.
  • To rectify or delete personal data concerning the interested party when, among other reasons, they are inaccurate or no longer necessary for the purposes for which they were collected.
  • To limit the processing of the interested party’s personal data in certain circumstances, in which case they will only be kept for the purpose of exercising or defending claims, for protecting the rights of another person or for reasons of public interest.
  • To receive personal data concerning you, which you have previously provided to us, and in a structured format where possible (data portability). To object to the processing of your data in certain circumstances and for reasons related to your particular situation.
  • To object to the processing of your data in certain circumstances and for reasons related to your particular situation. The company will stop processing your data, except for compelling legitimate reasons, or the exercise or defense of possible claims.
  • To revoke consent, which may entail the cancellation or termination of the existing business or contractual relationship, if any. Without prejudice to data processing carried out prior to the withdrawal of consent.

To do so, you only have to contact us by email or at the postal address indicated at the beginning.

Optionally you can also contact our designated data protection controller, or the Data Protection Agency to learn more about your rights or to that your rights be protected by the supervisory authority.

9. Data security.

Our information system is equipped with the necessary technical and organizational measures to ensure an adequate level of data confidentiality, integrity, availability and resilience in order to protect the rights and freedoms of data subjects.

The controller complies with the provisions and principles described in the RGPD to process the data in a lawful, fair and transparent manner in relation to the data subject, and adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

However, as far as the legal system allows, we do not assume any liability for damages from alterations that third parties may cause in our information system. Any breach of security will be conveniently and immediately communicated to the competent authority and / or State security forces and law-enforcement agencies.

10. Sending communications or information.

Our policy regarding the submittal of information through telematic means (e-mail, instant messaging, etc.), is limited to sending only communications that we consider of interest to our users and interested parties, in relation to the company functions and activity, or that you have consented to receive.

If you prefer not to receive these messages, we will offer you through such messages the possibility of exercising your right to cancel and waive the receipt of these messages, in accordance with the provisions of Title III, Article 22 of Law 34/2002 of Services for the Information Society and Electronic Commerce.

11. Social media.

The controller may have a presence in social networks through the corresponding profiles, being applicable this section and any legal and privacy terms present on the website for processing the data of users or interested parties who become followers or in any way linked to these profiles.

The purposes for the controller to use these profiles are: communication, business development, marketing and advertising, processing queries posed to the controller and user service, informing on actions, activities and events organized by the controller or in which the controller participates, and interacting through the official profiles.

The legitimate bases set out in section 6 above are complemented in this case because the user or interested party may have a profile on the same social network as the data controller, and decides to join or connect with the profile of the data controller, thus showing interest in the information published by the data controller. Therefore, at the time of following the data controller profiles, the user or interested party gives their consent to the processing of data available on their profile.

The user can access the privacy policies and terms of the corresponding social network at all times, as well as configure the privacy features to be set up in their profile. Publications made by the user will be known by other users, which means the user is primarily responsible for their privacy.

Users followers and / or participants in our profiles will refrain:

1. 1. From publishing content or information contrary to law, morality, and good faith. Any illegal, annoying, inappropriate use or behavior that may spark negative opinions in the profile or that violates the rights of individuals, is not allowed.
   2. To behave in a manner contrary to the principles of legality, honesty, responsibility, protection of human dignity, protection of minors, protection of public order, protection of privacy, consumer protection and intellectual and industrial property rights.

The controller reserves the right to remove without notice any content deemed inappropriate. The controller also disclaims any liability in connection to the security measures for each platform, which means users must know them along with the legal terms and conditions of use of each platform.

The controller shall be expressly exonerated from any liability that may arise from the use of social networks by minors or persons with special abilities. The social networks of the controller do not knowingly collect any personal information from minors, therefore, if the user is a minor, they should not register or use the social networks of the controller, nor should they provide any personal information. Particularly in Spain, processing the personal data of a minor may only be founded from the age of 14 years. On the other hand, if required by any rule or regulation, or if the user has special abilities, the parental authority or guardianship holder, or their legal representative, should produce a valid document proving the representation.

12. Employment and candidate management

Individuals interested in accessing job offers from the controller may provide their data and professional information to the controller via different channels, preferably through existing forms, email addresses, and existing means for this purpose, where appropriate.

Such data will be processed according to the privacy terms herein for the purpose of managing applications for possible job offers, internships and training of the entity in charge and any subsidiaries or companies belonging to the same business organization, when it exists and is applicable.

Data processing will be carried out on the basis of informed consent by the interested party or other valid legitimate basis.

If the data provided is of no professional interest to the entity or once it is no longer necessary for the purposes for which they were collected, such data will be deleted ensuring their confidentiality and anonymity.

Any interested party may revoke their consent and exercise their privacy rights under the terms set forth in this privacy policy.