Data Privacy Policy

Through this document, BIALTEC S.A.S., hereinafter referred to as BIALTEC, in compliance with Regulation (EU) 2016/679 of the European Parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, implements its Policy for the Treatment and Protection of Personal Data (hereinafter the “Policy”).

BIALTEC is a simplified joint-stock company, engaged in commercial activities, dedicated as stated in its corporate purpose to the development, production, and commercialization of biotechnology for animal feed.

Due to the above, considering BIALTEC’s corporate purpose and in the exercise of its faculties, it is possible to determine that there are personal data that constitute databases owned by BIALTEC, which are processed in accordance with the guidelines established by the applicable legal framework in the European Union.

Therefore, the Policy will apply to protect both personal data and transactional information that BIALTEC currently processes and those that may be processed in the future as part of its economic activities.

GENERAL PROVISIONS

Identification of the Data Controller

BIALTEC, its main address at Alexander Fleminglaan 1, 2613 AX Delft. Office 3-33 Biotech Campus,Delft, The Netherlands. Phone: (+31) 6 84139376, email: sales@bialtec.com, and website: https://www.bialtec.com

Objective

For the purposes of this Policy, BIALTEC acts as the Data Controller for personal data collected directly from data subjects. Therefore, the main objective of the Policy is to define and subsequently determine all matters relating to the procedures, principles, and security policies according to which BIALTEC will ensure the proper treatment of personal data collected in the development of its corporate purpose.

Legal Framework

The Policy was elaborated strictly in compliance with all provisions of the current regulations on the subject. This document fulfills the requirements of the Regulation (EU) 2016/679 of the European Parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, implements its Policy for the Treatment and Protection of Personal Data, and any other regulations that may modify, regulate, or supplement the applicable legislation on the protection of personal data in the future.

Definitions

The following terms are defined throughout the Policy:

• Archive: A set of data recorded as a single storage unit containing personal data.
• Authorization: The prior, express, and informed consent of the data subject to carry out the processing of personal data, obtained at the time of data collection.
• Privacy Notice: Verbal or written communication generated by the data controller, directed to the data subject, regarding the processing of their personal data. It informs the data subject about the existence of the Information Processing Policy applicable to them, how to access it, and the purposes of the data processing.
• Database: An organized set of personal data that is subject to processing.
• Successor in Interest: A person who has succeeded another due to the latter’s death (heir).
• Personal Data: Any information related to or that may be associated with one or more identified or identifiable natural persons.
• Public Data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data related to the civil status of individuals, their profession or occupation, and their status as a trader or public servant. Public data can be found in public records, official documents, official gazettes and bulletins, and duly enforceable court judgments not subject to confidentiality.
• Sensitive Data: Sensitive data refers to data that affects the privacy of the data subject or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations, or data promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data concerning health, sexual life, and biometric data.
• Data Processor: A natural or legal person, public or private, who, on its own or jointly with others, carries out the processing of personal data on behalf of the data controller.
• Data Controller: A natural or legal person, public or private, who, on its own or jointly with others, decides on the database and/or the processing of the data contained therein.
• Data Subject: A natural person whose personal data is subject to processing.
• Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
• Transfer: Data transfer occurs when the data controller and/or data processor sends information or personal data to a recipient, who is also a data controller and is located inside or outside the country.
• Transmission: Processing of personal data involving the communication of such data with the purpose of processing by the data processor on behalf of the data controller.
• Deletion: The action requested by the data subject to the data controller and/or data processor, exercising their right to freedom and purpose regarding their information.

It is noted that the definitions included in this Policy were taken from the current regulations at the time, which regulate the proper protection of personal data of natural persons regarding their circulation and processing.

Principles

In accordance with the current regulations, BIALTEC has incorporated the general principles regarding the processing of personal data into the Policy. These fundamental principles apply to the entire content of the Policy.

Validity and Application

The Databases and the Policy will have an indefinite period of validity in accordance with the duration of BIALTEC’s corporate purpose.

The Policy will apply to the processing of Databases in which BIALTEC acts as the data controller and/or data processor, from the date of its publication, rendering ineffective any other institutional provisions that contradict it.

DUTIES OF THE DATA CONTROLLER AND/OR DATA PROCESSOR – RIGHTS OF DATA SUBJECTS

Duties of BIALTEC as Data Controller

BIALTEC will have the following duties as the Data Controller, derived from the applicable legislation on the subject, without prejudice to any other duties provided for in the regulations that govern or may regulate it.

• Ensure that data subjects can fully and effectively exercise their rights regarding their personal data at all times.
• Allow access to information of data subjects only to authorized individuals.
• Rectify the information when it is incorrect and communicate the relevant corrections.
• Request and keep a copy of the Authorization granted by the data subject for the processing of their personal data.
• Adequately inform the data subject about the purpose of data collection and the related rights, stemming from the granted Authorization.
• Ensure that the information is truthful, complete, accurate, up-to-date, verifiable, and understandable. Additionally, always demonstrate that the information must correspond to the personal data initially provided for processing.
• Maintain the information under physical and digital security conditions that

Rights of Data Subjects:

According to the applicable law on personal data protection, the following are the rights of data subjects who have authorized the processing of their data by BIALTEC:

1. Access, knowledge, update, rectification, and deletion of personal data held by BIALTEC as the Data Controller.
2. Request proof of the Authorization granted by the data subject or by the Data Controller to BIALTEC, through any valid means.
3. Be informed by BIALTEC, upon request, regarding the use that has been given to their Personal Data.
4. Revoke the Authorization or request the deletion of the data when the processing does not comply with constitutional and legal principles, rights, and guarantees.
5. Access their Personal Data that has been processed by BIALTEC as the Data Controller, free of charge.

BIALTEC acknowledges that the personal data in its databases belong to the data subject who authorized its processing.

Information Processing:

Channels of Data Collection:

The data subject may authorize BIALTEC to process their personal data through different means, including:

1. Physical documents.
2. Electronic documents.
3. Data messages.
4. Internet.
5. Websites.
6. Any other format that allows the consent of the data subject through unequivocal conduct, which would indicate that the data would not have been stored or captured in the database otherwise.

Authorization will be requested by BIALTEC before processing personal data.

Mechanisms for Data Collection:

BIALTEC collects Personal Data through the following mechanisms:

1. Virtual: BIALTEC collects personal data through non-face-to-face technological means previously enabled (Website and Official Social Media Accounts) in accordance with established formats.
2. Written: BIALTEC collects personal data physically and face-to-face in the development of its corporate purpose through information provided in documents related to the company’s constitution or modification of shareholding composition, contracts with suppliers, contracts with employees, resumes of candidates, and capture forms in its own establishments or those operated by third parties.

Fields for Information Collection:

In compliance with the principles of data protection, the collection of personal data will be limited to those that are relevant and appropriate for the purpose for which they are collected or required by BIALTEC.

Authorization for the Use of Personal Data:

As the Data Controller, BIALTEC obtains clear, express, prior, informed, and unambiguous authorization from data subjects through electronic forms, data collection formats, or any other means available for this purpose.

For this purpose, BIALTEC will request the data subject’s authorization, informing them of the purpose for which their personal data will be processed, except in the cases expressly authorized by law.

Revocation of Authorization:

All data subjects may revoke their Authorization granted to BIALTEC for the processing of their personal data at any time, and even request the deletion or elimination of their personal data contained in BIALTEC’s databases. This is provided that such action does not contravene any current legal or contractual provision.

BIALTEC will guarantee the data subject easy access to these requests, establishing simple and straightforward mechanisms to allow the data subject to revoke their Authorization or request the deletion of their personal data, at least through the same means through which it was initially granted.

Regarding the aforementioned procedure, the data subject should take into account that the revocation of consent may be expressed totally or partially regarding the authorized purposes. If it is totally revoked, BIALTEC must cease any processing of the data provided by the data subject; on the other hand, if it is partially revoked only for certain types of processing, BIALTEC will cease processing for the expressly revoked purposes. In this latter case, BIALTEC may continue processing the personal data for the purposes that were not revoked.

Data Processing and Purpose:

All processing of data from data subjects with whom BIALTEC has established a relationship as the Data Controller and the Controller of Transactional Information for the offer of value-added services will be carried out by BIALTEC based on the provisions of Law, and in general for the fulfillment of its corporate purpose.

In any case, BIALTEC will collect and process personal data of data subjects for the purpose of executing specific objectives, which vary according to the Database, as described below:

• Payroll:
• Carrying out selection processes.
• Developing and executing the employment relationship if established.
• Sending information by any known means or means to be known (email, physical mail, SMS, phone calls, data messages, among others) about selection processes, execution of employment contracts, sick leaves, payments, campaigns, product and service information, activity notifications, promotions, offers, and launches.
• Conducting training and development programs.
• Conducting performance evaluations and assessments.
• Providing employment and/or commercial references when requested by the data subject.
• Validating the employment and/or commercial references provided by the data subject.
• Providing commercial personal information for the execution of contractual relationships acquired by BIALTEC with third parties.
• Updating personal data.
• Consulting, reporting, processing, and disclosing all information related to their financial, commercial, and service behavior to any Information Operator (Credit Bureau) or any public or private, national, foreign, or multilateral entity or source that manages or handles databases for commercial and credit service purposes.
• Advancing procedures for affiliation to the social security system.
• Processing biometric data for the implementation and use of access and security systems requiring biometric authentication.
• Purchases, Payments, and Accounting:
• Establishing communication channels with the data subject, through email, phone calls, SMS, or any known or to-be-known communication channel, provided it is authorized by the data subject.
• Creating and monitoring purchase orders.
• Managing supplier payments.
• Analyzing information for statistical purposes.
• Providing commercial personal information for the execution of contractual relationships acquired by BIALTEC with third parties.
• Requesting proposals and quotes.
• Addressing complaints.
• Contacting potential or existing suppliers for purchases and contracts.
• Sending and requesting information about product performance.
• Updating personal data.
• Evaluating the quality of contracted products and services.
• Carrying out marketing and advertising activities related to BIALTEC’s corporate purpose.
• Consulting, reporting, processing, and disclosing all information related to their financial, commercial, and service behavior to any Information Operator (Credit Bureau) or any public or private, national, foreign, or multilateral entity or source that manages or handles databases for commercial and credit service purposes.
• Analyzing, evaluating, and consulting the information provided by the data subject in lists for the control of money laundering and terrorism financing administered by any national or foreign authority.
• Commercial:
• Establishing communication channels with the data subject, through email, phone calls, SMS, or any known or to-be-known communication channel, provided it is authorized by the data subject.
• Providing incentives to customers to boost sales, such as discounts, gifts, bonuses, or any activity related to customer loyalty.
• Conducting studies on transactional behavior, consumption habits, and preferences to offer BIALTEC’s own services, third-party services