DATA CONTROLLER

The Data Controller is DOBLEMENTE SL, Avda Alameda, N 74, interior local 8, 03803, Alcoy (ALICANTE).

Privacy principles

At DOBLEMENTE SL we are committed to working continuously to guarantee privacy in the processing of your personal data, and to offer you the most complete and clear information we can at all times. We encourage you to read this section carefully before providing us with your personal data. If you are under fourteen years of age, we ask that you do not provide us with your data without your parents’ consent. In this section we inform you of how we process the data of people who have a relationship with our organization. Starting with our principles: – We do not request personal information, unless it is necessary to provide you with the services you require from us. – We never share personal information with anyone, except to comply with the law, or with your express authorization. – We will never use your personal data for purposes other than those stated in this privacy policy. – Your data will always be treated with a level of protection appropriate to data protection legislation, and we will not subject them to automated decisions. We have drafted this privacy policy taking into account the requirements of current data protection legislation: – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons (RGPD). – Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPD). – Royal Decree 1720/2007, of December 21 (RLOPD). This privacy policy was drafted on December 6, 2018. Due to the modification of treatment criteria, in order to facilitate its understanding or to adapt it to current legislation, we may modify this privacy policy. We will update the date of the same, so that you can check its validity.

Treatments we carry out

TREATMENT OF EMPLOYEES Legal Basis: GDPR: 6.1.b) Treatment necessary for the execution of a contract in which the interested party is a party or for the application at the request of the latter of pre-contractual measures. GDPR: 6.1.c) Treatment necessary for compliance with a legal obligation applicable to the data controller. Royal Legislative Decree 2/2015, of October 23, approving the revised text of the Workers’ Statute Law. Purposes of the Treatment: – Management of contracted personnel. – Personal file. Time control. Training. Pension plans. Prevention of occupational risks. – Issuing staff payroll. – Management of union activity. Group: Employees Data Categories: Name and surname, DNI/CIF/Identification document, staff registration number, Social Security/Mutual Society number, address, signature and telephone number. Special data categories: health data (sick leave, occupational accidents and degree of disability, without including diagnoses), union membership, for the exclusive purposes of paying union dues (where applicable), union representative (where applicable), attendance certificates for own and third parties. Personal characteristics data: Sex, marital status, nationality, age, date and place of birth and family data. Family circumstances data: Date of registration and deregistration, licenses, permits and authorizations. Academic and professional data: Qualifications, training and professional experience. Employment and administrative career details. Incompatibilities. Attendance control data: date/time of entry and exit, reason for absence. Financial and economic data: Financial and economic data: Payroll data, credits, loans, guarantees, tax deductions, salary reduction corresponding to the previous job (if applicable), judicial withholdings (if applicable), other withholdings (if applicable). Banking data. Categories of Recipients: – Entity entrusted with management of occupational risks. – General Treasury of Social Security. – Trade union organizations. – Financial entities. – State Tax Administration Agency. – Main contractors to whom we provide services as subcontractors. International Transfers: International transfers of the data are not planned. Deletion Period: They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and the processing of the data. The economic data of this processing activity will be kept in accordance with the provisions of Law 58/2003, of December 17, General Tax Law. Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Regulation

Data Protection. PROCESSING OF CONTACTSLegal Basis: Consent of the interested partyPurposes of the Treatment: Attend to your request, send you information and follow up on the request. Group: Contact persons, clients, suppliersData Categories: Name and surname, telephone number, email addressCategories of Recipients: Data transfers to third parties are not contemplated.International Transfers:No international transfers of the data are planned.Deletion Period: Contact data will be kept for an indefinite period, or until the interested party requests its deletion.Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation. PROCESSING OF ATTENTION TO THE RIGHTS OF PERSONS (ARCO)Legal Basis: GDPR: 6.1.c) Treatment necessary for compliance with a legal obligation applicable to the data controller. General Data Protection Regulation. Purposes of Processing: To respond to requests for information on the exercise of rights established in the General Data Protection Regulation. Group: Individuals who make the request (employees, customers, suppliers, contact persons). Categories of Data: First and last name, address, signature and telephone number. Categories of Recipients: Data may be disclosed to the Data Protection Authority (Spanish Data Protection Agency) as part of an investigation into the protection of rights initiated by the data subject. International Transfers: No international transfers of the data are planned. Deletion Period: Data will be kept for a period of five years from the time of the request. Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation. PROCESSING OF CANDIDATES FOR SELECTION PROCESSES (HR)Legal Basis: GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party or for the implementation, at the request of the latter, of pre-contractual measures. Purposes of Processing: Staff selection and provision of jobs. Group: Candidates submitted to job provision procedures. Data Categories: Name and surname, ID/CIF/Identification document, staff registration number, address, signature and telephone number. Special categories of data: health data (disabilities). Personal characteristics data: Sex, marital status, nationality, age, date and place of birth and family data. Academic and professional data: Qualifications, training and professional experience. Employment detail data. Categories of Recipients: No transfers of data to third parties are planned. International Transfers: No international transfers of the data are planned. Deletion Period: Data will be kept for the time necessary to fulfil the purpose for which it was collected and to determine any potential liabilities that may arise from said purpose and the processing of the data. Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation. SUPPLIER PROCESSINGLegal Basis: GDPR: 6.1.b) Processing necessary for the execution of a contract to which the data subject is a party or for the application, at the request of the latter, of pre-contractual measures. GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the data controller. Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers’ Statute Law. Law 58/2003, of 17 December, General Tax. Purposes of the Treatment: – Acquisition of products and/or services that we need for the development of our activity. – Control of subcontractors, if applicable. Collective: – Suppliers. – Workers of our suppliers. Data Categories: – Name and surname, DNI/NIF/Identification document, address, signature and telephone number. – Employment detail data: job position. Training in occupational safety. – Economic, financial and insurance data: Banking data Recipient Categories: – Financial institutions. (Payment of invoices) – State Tax Administration Agency. International Transfers: No international transfers of the data are planned. Deletion Period: They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and the processing of the data, in accordance with Law 58/2003, of December 17, General Tax, Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation. CUSTOMER PROCESSINGLegal Basis: GDPR: 6.1.a) The interested party gave their consent for the processing of their personal data for one or more

specific purposes. GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party or in order to implement pre-contractual measures at the request of the latter. GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the data controller. Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers’ Statute Law. Law 58/2003, of 17 December, General Tax Law. Purposes of Processing: Supply of our services (Booking engine and similar) Group: Clients Data Categories: – Name and surname, ID/NIF/Identification document, address, signature and telephone number. – Economic, financial and insurance data: Bank details Recipient Categories: – Financial institutions. – State Tax Administration Agency. International Transfers: No international transfers of the data are planned. Deletion Period: They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and the processing of the data, in accordance with Law 58/2003, of December 17, General Tax Law. Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation. BOOKING ENGINE PROCESSING Legal Basis: GDPR: 6.1.a) The interested party gave their consent for their personal data to be processed for one or more specific purposes. GDPR: 6.1.b) Processing necessary for the execution of a contract to which the interested party is a party or for the application, at the request of the latter, of pre-contractual measures. GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the data controller. Royal Legislative Decree 2/2015, of October 23, approving the revised text of the Workers’ Statute Law. Law 58/2003, of December 17, General Tax. Purposes of the Treatment: The purpose is to manage reservations by internet users, of tourist establishments within the websites of clients who use our booking engine. Collective: Clients Data Categories: – Name and surname, DNI/NIF/Identification document, address, signature and telephone number. – Economic, financial and insurance data: Banking details Recipient Categories: Data is not communicated to third parties. International Transfers: International transfers of the data are not planned. Deletion Period: They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and the processing of the data. Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

YOUR RIGHTS

You have the right to request a copy of your personal data, to rectify inaccurate data or complete it if it is incomplete, or, where appropriate, to delete it, when it is no longer necessary for the purposes for which it was collected. You also have the right to limit the processing of your personal data and to obtain your personal data in a structured and legible format. You can object to the processing of your personal data in some circumstances (in particular, when we do not have to process it to comply with a contractual requirement or other legal requirement, or when the purpose of the processing is direct marketing). When you have given us your consent, you can withdraw it at any time. At that time, we will stop processing your data or, where appropriate, we will stop doing so for that specific purpose. If you decide to withdraw your consent, this will not affect any processing that has taken place while your consent was in force. These rights may be limited; For example, if in order to comply with your request we had to reveal data about another person, or if you ask us to delete some records that we are obliged to keep due to a legal obligation or a legitimate interest, such as the exercise of defence against claims. Or even in those cases where the right to freedom of expression and information must prevail. You can contact us by any of the means indicated in the Data Controller section of this privacy policy, providing a copy of a document that proves your identity (normally your ID). Another of your rights is not to be the subject of a decision based solely on automated processing, including the creation of profiles that produces legal effects or affects you. In the event of any violation of your rights, such as, for example, if we have not responded to your request, you have the right to file a claim with the Control Authority in

Data protection matters. This may be the data protection authority of your country (if you live outside of Spain) or the Spanish Data Protection Agency (if you live in Spain).

Additional information

Processing of your data outside of the European Economic Area. For the indicated treatments we can use the services of the following providers outside the European Economic Area, but subject to the Privacy Shield agreement, approved by the data protection authorities of the European Union. Amazon: More information: https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4 Apple iOS: More information: https://www.privacyshield.gov/participant?id=a2zt0000000GnZjAAK Dropbox: More information: https://www.privacyshield.gov/participant?id=a2zt0000000GnCLAA0 Facebook/ Instagram (FB Messenger): More information: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAACGoogle (Drive / Mail …): More English: information: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAILinkedin: More information: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0Mailchimp: More information: https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAGMicrosoft (Drive, Skype…): More information: https://www.privacyshield.gov/participant?id=a2zt0000000KzNaAAKmonday.com: Collaboration with work teams More information: https://www.privacyshield.gov/participant?id=a2zt0000000GnZjAAKTwitter: Social network for micro-messages More information: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=ActiveWhatsapp: Mobile Instant Messaging More information: https://www.privacyshield.gov/participant?id=a2zt0000000TSnwAAGZoho: CRM (Customer Relationship Management) More information: https://www.privacyshield.gov/participant?id=a2zt0000000TOJbAAOLinks to third party websites. Our website may, from time to time, contain links to other websites. It is your responsibility to ensure that you read the data protection policy and legal conditions that apply to each site. Third party data. If you provide us with third party data, you assume the responsibility of informing them in advance as established in article 14 of the GDPR.

Dispongo is supported by Doblemente S.L. and is compatible with the following editions of Windows 10: Windows 10 Pro, Windows 10 Home, Windows 10 Education, and Windows 10 Enterprise.