For the purposes of the provisions of the applicable legislation on the protection of personal data, Monema Communications S.L., with Tax ID (NIF) B-26439653 and registered office at C/ Gran Vía nº 17, Logroño, La Rioja, Spain (hereinafter, Monema), informs its customers or users, that is, any person who voluntarily, and through any available channel, communicates or provides access to personal data to Monema, that it guarantees security against unauthorised or unlawful processing, loss of personal data and accidental destruction or damage. This entails the implementation of the technical, administrative and organisational measures necessary to ensure the integrity, availability and confidentiality of the personal data it processes, taking into account the state of the art, the nature of the data stored and the risks to which they are exposed, and that it will only record personal data in files, processing centres, premises, equipment, systems and programs that meet the conditions laid down in the applicable regulations.

In compliance with the measures implemented and as a proactive data controller, Monema makes this data protection policy publicly available (the terms “policy”, “privacy policy” or “data protection policy” may be used interchangeably to refer to it), which applies to any person who voluntarily, and through any available channel, communicates or provides access to personal data to Monema and consequently implies, where applicable, the obtaining of the free, unequivocal, specific, informed and explicit consent of the customer or user for the processing of personal data by Monema.

Likewise, these guidelines shall apply on a subsidiary basis to any others on the same subject which may be established, on a special basis, and which are communicated, including but not limited to, through registration forms and/or contractual conditions of the services, this policy applying directly or on a supplementary basis to any matters not expressly provided for and that do not conflict with them.

For the purposes of complying with the aforementioned regulations and helping the user or customer of any service offered by Monema to understand how their personal data are collected, used, processed and protected, Monema informs them of the following aspects related to their right to the protection of personal data.

1. What data are processed? This section contains information on the categories of data processed by Monema.

2. For what purposes are the data processed? This section lists the legal bases and purposes for which Monema processes personal data.

3. Data retention periods. This section explains the criteria and retention periods relating to each of the personal data processing activities, depending on their purpose.

4. Exercise of rights. This section provides the necessary information on the rights available to the customer or user, as well as the means by which they may request that Monema allow them to exercise these rights.

5. Information communicated to third parties: recipients or categories of recipients. This section describes the information we share with recipients and the purposes of such communication.

6. International data transfers. This section specifies the international data transfers that Monema carries out outside the European Economic Area.

7. Security and confidentiality in the processing of your information. This section describes the confidentiality and information security measures used by Monema to protect personal data.

8. Processing of minors’ data. This section provides information on the data processing carried out by Monema in cases where the customer or user is a minor.

9. Processor. This section describes the obligations that Monema assumes when it processes personal data on behalf of the controller.

10. Cookies. Cookie policy.

11. Responsibilities. This section sets out the obligations that the user or customer of Monema must assume.

12. Changes to the policy. This section regulates the procedure for amending the Privacy Policy.

What data are processed?

Personal data is any information relating to an identified or identifiable natural person. In this regard, Monema processes the personal information that the customer or user provides for the purpose of entering into a contract, the information generated through the provision of the service, as well as the data generated by Monema. Based on the principle of data minimisation, the data we may process will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, and we will always respect the wishes of the customer or user.

The data that are processed depend on the relationship of the user or customer with Monema, as well as on the additional processing permitted or authorised by the user or customer.

The data that Monema may process are the following:

a) Data obtained from the customer or user: these are the data provided by the customer or user at the outset to manage the relationship between us, or afterwards in the course of that relationship. Among these data are contact details (NIF/Tax ID, postal address, installation address, landline and mobile telephone numbers), email address, date of birth, profession and economic and/or activity sector, payment details and/or bank account for direct debit of invoices, as well as any type of information gathered, where applicable, through the various Monema brand customer service channels (for example, nickname or identifier, complaints, queries or incidents raised), including information obtained through cookies during your visits to Monema websites and apps, and the interactions of the customer or user with Monema’s official social media channels.

b) Data not obtained from the customer or user:

b.1) Data derived from the provision of the service or product:

a) Monema Services data: these are the data relating to the services contracted, installed equipment, average monthly consumption, for example, relating to the number of calls, number of minutes, type of call (national, international, roaming, etc.); number of SMS, volume of data used; billing data, for example, revenue per customer or average bill amount, type of services charged through the bill and data on their use, including applications, websites and Monema platforms.

b) Monema usage data: these are the data obtained from the provision of the service, and/or any other device available at Monema.

c) Traffic data: these are the data associated with call detail records, i.e. originating and destination numbers, date, time and duration of the call; originating and destination numbers of SMS and/or MMS sent, public IP address of each connection made, including the date and time of connection, the number that internationally identifies a customer (IMSI), as well as any other event associated with voice, data, messaging traffic, recordings (where they are activated, with storage space for approximately 30 hours per user, which are deleted as new recordings are made and there is no space), the transcriptions of such recordings and the summaries generated automatically (when the customer or user has contracted or accepted these functionalities) and originating and destination numbers of calls.

d) Website visit data: these are the technical and browsing data associated with each web access or visit made, including the public IP address from which it is made, the date and time of the connection, DNS queries, the websites visited or applications used, the IP address of the visited website, domain name (URL), sections visited within the website (URI) and the volume of data used.

e) Location data: these are the data on the geographic position of the user’s mobile line, that is: the identifier of the antenna to which the communication is associated and its geographic position, the change of antenna and/or switching on and off of the device in order to be able to provide the necessary coverage, and the date and time of the above information.

b.2) Data generated or inferred by Monema:

These are the data resulting from analyses carried out by Monema based on the data available on the customer or user for internal management, commercial and customer service purposes and other purposes related to the performance of the contract and, where applicable, for the other purposes indicated in the corresponding section on purpose.

For what purposes do we process your data?

We may make estimates regarding your age, gender, device used (brand, model, operating system), tenure (of the customer, the line or the device used), preferred purchase channel, customer service province and nearest store, response to marketing campaigns carried out, whether the customer or user uses digital media, the best time to contact you, payment behaviour, propensity to churn, as well as basic analysis of aspects relating to your personal preferences and interests based on Monema usage data.

Additionally, and if we have consent to do so, we may use any additional data indicated to create marketing profiles of the customer or user, such as household composition, economic level, type of occupation, interests and preferences such as travel, sports, games, science, gardening, fashion, music lovers, cinema or theatre, etc.

b.3) Data not obtained from the data subject that come from external sources:

These are data that will allow Monema to have more up-to-date and reliable details enabling the regularisation or verification of the data provided by the customer or user for their subsequent use in accordance with this Policy. If they are not obtained directly from the data subject, Monema will inform the data subject under the terms established in the applicable regulations, essentially the source of origin and the category of data processed. Some examples of external sources that Monema may consult are:

• The advertising census, from which it is possible to obtain the name, surname(s) and address of the persons registered therein, of the National Statistics Institute or of the equivalent bodies of the Autonomous Communities.

• The telephone directory, always in accordance with the applicable regulations.

• Lists of persons belonging to a professional group from which only the name, profession, title, activity, academic degree, professional address and indication that they belong to that group may be obtained.

• Official gazettes and bulletins, although with some exceptions.

• The media, such as television, radio, press, etc.

Notwithstanding the foregoing, you are informed that the provision of Monema’s services may involve the processing of other categories of data not included in this list; in such cases, the customer or user will be informed in the specific privacy conditions for each of the products or services concerned, and their consent will be obtained, where necessary, in accordance with the applicable regulations.

Without prejudice to the data indicated above, Monema informs you that the data processed may be subjected to an irreversible anonymisation process, in all cases in compliance with the Code of Good Practice in Data Protection for Big Data projects, as well as the Guidelines and safeguards in personal data anonymisation procedures published by the Spanish Data Protection Agency, with the aim of applying all the safeguards established by law and any other measures available in the market and technology. You can obtain more information on how we anonymise your data in the corresponding section.

Monema processes the customer’s or user’s data in order to provide the service, as well as for other purposes permitted or authorised by the customer or user under the terms informed in this Privacy Policy or in the specific conditions of each Monema service contracted.

Additionally, during the term of the contractual relationship, other data may be incorporated for these or other purposes, in which case the customer or user will be duly informed at the time of collection, through the commercial service channels. Therefore, before carrying out any additional processing not provided for in this Policy, we will inform you.

The customer or user is solely responsible for all information provided to Monema for the management and contracting of products and services, guaranteeing that they are authorised and have obtained the consent of the data subject to provide it. Monema is not responsible for the use of false, inaccurate, incomplete or outdated data provided by the customer or user.

For these purposes, Monema informs you of the legal bases that allow the various processing activities:

1. Performance of the contract

Monema informs you that, for the performance of the contract entered into with the customer, it may use, from among the categories of data indicated in section one, those that are necessary for proper performance of the contract. In addition, we need to process your data in order to provide you with high-quality services, to adapt to your needs and to improve your experience of these services.

Furthermore, as a Monema customer, the processing activities that may be necessary to fulfil this contract will be carried out for the following purposes:

To provide the service, maintain it and manage the contractual relationship with the customer or user.

Customer service through any Monema channel that may be used, including devices and/or applications that Monema makes available for the management of services.

To evidence the contract, improve the quality of technical and commercial support and verify customer or user satisfaction through the recording of their voice and, where applicable, the transcription and automated processing of such recording (including the generation of summaries) carried out using third-party artificial intelligence tools, through the channels enabled for this purpose.

To check the customer’s creditworthiness by accessing credit information systems prior to the contracting of any Monema service and while the contractual relationship remains in force. The specific credit information systems used by Monema are identified in the “external sources” section.

To carry out statistics, surveys or market studies aimed at assessing product or service quality, making business, commercial or investment decisions, verifying sales or the products most sold, etc., including for three months after you cease to be a customer or user, for example, to understand the reasons for your departure or dissatisfaction. To this end, Monema uses trusted third parties to carry out these surveys or market studies, so that they can obtain anonymous results.

To maintain the security of electronic communications networks and services, detect faults or technical errors in the transmission of electronic communications, and carry out any processing that is necessary for the proper provision of the telecommunications service or any other applicable sectoral regulations.

To comply with statutory service quality obligations imposed by telecommunications and other applicable laws in force.

To detect or prevent abusive or fraudulent use of Monema services, as well as irregular contracting of such services.

Any other processing that is mandatory and necessary to fulfil its functions as a service provider.

2. Legitimate interest

Legitimate interest constitutes a legal basis for processing, provided that Monema’s interest in processing the customer’s or user’s data for the indicated purpose falls within the reasonable expectations based on the relationship between us as a Monema customer or user.

In this regard, the following data processing is considered to be based on legitimate interest and Monema may therefore process the following data for each of the purposes described below:

Data relating to abnormal traffic that may be originating from the customer’s or user’s connection and affecting the security of networks, systems or equipment may be processed so that Monema can send the customer, by any means, cybersecurity information or alerts.

Data obtained from the customer or user, data derived from the provision of the service or product (data on Monema services, usage data for Monema services (and other devices) and visits to our Monema websites and apps), as well as data generated by Monema may be processed in order to analyse or predict, in a very basic way, aspects relating to personal preferences and interests so that Monema can offer them, by any means, personalised offers of Monema services.

and data generated by Monema may be processed in order to analyse or predict, in a very basic way, aspects relating to their personal preferences and interests so that Monema can offer the customer personalised offers of Monema products and services on their television service, as well as Monema partners’ products and services.

Additionally, for the purpose of making commercial offers, Monema may process the data provided by users who have requested information about Monema services by any means (including electronic means, where applicable), for a maximum period of two years from the time they were supplied.

The right to object to this processing may be exercised by sending the appropriate notice to the addresses listed in the “Exercise of Rights” section of this Privacy Policy.

3. Consent

Consent constitutes a legal basis for processing that allows Monema to process the following data for each of the purposes described below, subject to obtaining the corresponding authorisation from the customer or user, as applicable.

To this end, each customer or user will first receive a specific information notice with sufficient detail regarding the processing of data for the purposes stated below:

Data obtained from the customer or user, data derived from the provision of the service (data on Monema services, usage data for Monema services (other devices) and visits to our Monema websites and apps), data generated by Monema and data from external sources may be processed in order to create a commercial profile and enable Monema to offer you, by any means, including electronic and digital means, offers of Monema products and services.

Data retention periods

You are informed that, in compliance with the principle of storage limitation, data will be processed solely and exclusively for as long as is necessary and for the purposes for which it was collected in each case. It will therefore be kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes of processing the personal data.

Accordingly, Monema has established the following retention periods, which will be applicable depending on the purpose and legal basis for processing, unless a different period has been specified in this Privacy Policy or in the service conditions of each Monema service:

For processing related to performance of the contract, data will be retained for as long as is strictly necessary to fulfil the purposes required by the service. For example, data obtained from the customer will be retained for as long as the customer remains active; information on traffic, browsing and location will be processed for a period that may range from 3 to 12 months to comply with obligations relating to network security or fraud prevention.

In application of civil, commercial and tax legislation, data relating to the contracting and billing of the products and services contracted will be stored for a period of 6 years from the date the customer leaves.

In compliance with Law 25/2007, traffic and location data will be stored for 12 months and may be requested by means of a court order.

For processing related to data analysis to predict customer or user interests and preferences based on legitimate interest, as well as the preparation of a commercial profile where consent has been obtained, the data indicated in each of the permitted or authorised cases by the customer will be stored and processed for this purpose for a period of 12 months, unless a longer period is necessary to fulfil the intended purpose. For example, the services that have been contracted by the customer during the term of the contractual relationship with Monema.

Once the above periods have expired, data may be destroyed, blocked or anonymised, as appropriate and in accordance with what is laid down by law.

Exercise of rights

In accordance with the applicable regulations, Monema informs the user or customer that they have the following rights arising from the applicable regulations:

• Access: enables the data subject to obtain information on whether or not Monema is processing personal data concerning them and, where appropriate, the right to obtain information on their personal data being processed.

• Rectification: enables errors to be corrected and inaccurate or incomplete data to be amended.

• Erasure: enables data to be deleted and no longer processed by Monema, unless there is a legal obligation to retain it and/or other legitimate grounds for processing by Monema prevail. For example, when personal data is no longer necessary in relation to the purposes for which it was collected, the customer may request the erasure of such data without undue delay.

• Restriction: under the conditions established by law, enables processing of the data to be suspended so that Monema will only retain it for the exercise or defence of claims.

• Objection: in certain circumstances and on grounds relating to their particular situation, data subjects may object to the processing of their data. Monema will cease processing the data unless there are compelling legitimate grounds, or for the exercise or defence of possible claims.

• Portability: enables the data subject to receive their personal data that they have provided to Monema and to transmit it directly to another controller in a structured, commonly used and machine-readable format. To exercise this right, the customer must provide a valid email address.

• Digital rights: Monema guarantees the exercise of digital rights insofar as they are applicable, in compliance with the applicable regulations, specifically Organic Law 3/18 on Data Protection and the Guarantee of Digital Rights (LOPDGDD). By way of example and without limitation, some of these rights are:

• • Employee’s right to disconnect from digital devices outside working hours.

  • Right to be forgotten where data are inappropriate, not relevant and/or excessive, including on social media.

  • Protection of privacy through protocols agreed with employees for the use of digital devices and reinforcement of employees’ privacy in relation to audiovisual or geolocation systems at work.

  • Right to internet neutrality.

  • Protection of minors.

Monema guarantees the adoption of the measures necessary to ensure the exercise of these rights free of charge, and it will be necessary to attach a copy of your official identity document in order to exercise them:

• To exercise any of the rights listed above by sending a letter by post, indicating in your request which right you are exercising, to C/ Gran Vía nº 17, Logroño, La Rioja, Spain.

• By sending an email, providing the same information as in the previous section, to: info@monema.com

As stipulated by law, Monema will deal with the exercise of these rights within a maximum period of one month. However, depending on the complexity of the request, full implementation of certain rights may take longer, but will not exceed an additional two months.

Finally, the customer has the right to file a complaint with the national supervisory authority, for which purpose they must contact the Spanish Data Protection Agency, whose contact details are as follows:

Agencia Española de Protección de Datos (Spanish Data Protection Agency)

C/ Jorge Juan, 6 – 28001 Madrid

Telephone numbers: 901 100 099 / 91 266 35 17

Information we communicate or share: recipients or categories of recipients

Monema will only exchange personal data with third-party recipients for any of the purposes set out in the Privacy Policy, in order to maintain the contractual relationship, to carry out communications to companies that the customer has authorised, to credit information systems, as well as any communications that are legally required under any applicable regulations, as described below:

Necessary for the provision of the service:

Monema has contracted trusted suppliers to manage some of the functions necessary for the provision of the service. These suppliers may have access to personal data, will act as data processors and will be contractually obliged to comply with their legal obligations as processors, to maintain confidentiality and secrecy of the information.

As regards the categories of recipients, personal information of the customer may be shared with Monema’s commercial and technical departments, depending on the products and/or services contracted by the customer. The following is an up-to-date list of categories of services managed by providers contracted by Monema:

• • Administrative, back-office, tax and labour services.

  • Financial and banking services.

  • Legal services.

  • Hosting and cloud services.

  • Information removal and destruction services.

Under no circumstances will the customer’s or user’s personal data be shared with third companies without obtaining their prior consent, unless the communication of their data is necessary to ensure the maintenance of the contractual relationship with the customer, as well as in cases provided for in applicable regulations at any given time.

Furthermore, given the configuration of Monema’s commercial offering and depending on the technical needs for the provision of services that form part of that offering, data may be communicated, as necessary, between the joint controllers, in order to provide and properly manage the contracted service, offer the commercial proposition that best suits the customer’s circumstances (for example, in the event of coverage limitations requiring a satellite solution), as well as their interests and preferences.

Communication of data to credit information systems:

The customer is informed that, in accordance with applicable regulations, in the event of non-payment, data relating to the debt may be communicated to third companies that are legally authorised and responsible for managing non-compliance with monetary obligations.

Compliance with a legal obligation

Monema may also communicate your personal information to third parties that are legally authorised, when this is necessary to comply with the law.

Monema may communicate the customer’s personal data to various public authorities by virtue of a legal obligation, such as tax and customs authorities, judicial authorities, telecommunications authorities, law enforcement agencies, and any other authority as may be applicable under current legislation.

International data transfers

You are informed that Monema contracts the management of some of the functions necessary for the provision of the service with data processors located outside the European Economic Area and that, in any case, they guarantee an adequate level of protection for personal data by adhering to the EU–US Data Privacy Framework or by complying with the standard contractual clauses for the transfer of personal data approved by the European Commission. By providing us with their data, the customer or user is aware of and accepts this communication of data, as follows:

• Google: https://www.google.es/intl/es/policies/privacy/

• Dropbox: https://www.dropbox.com/es_ES/privacy

• Vtiger: https://www.vtiger.com/policy-legal-center/privacy-policy/

• Amazon: https://www.amazon.es/gp/help/customer/display.html?ie=UTF8&nodeId=201909010&ref_=footer_privacy

• DeepInfra Inc.: https://deepinfra.com/privacy
• Microsoft Azure: https://www.microsoft.com/es-es/trust-center/privacy

• Social networks:

• Facebook: https://es-es.facebook.com/help/cookies

• Twitter: https://twitter.com/privacy?lang=es

• LinkedIn: http://www.linkedin.com/legal/privacy-policy

• YouTube: https://www.google.es/intl/es/policies/privacy/

In the above cases, or where they have signed up to the Privacy Shield agreement, you may consult the Spanish Data Protection Agency’s guide on the EU–US Privacy Shield.

Security and confidentiality in the processing of information

Monema is committed to ensuring the security, secrecy and confidentiality of data, communications and personal information. Therefore, as part of our commitment and in compliance with current legislation, we have adopted the most appropriate security measures and technical means to prevent their loss, misuse or unauthorised access.

When we receive customer data, we use security procedures and functions to prevent unauthorised access.

Personal data that we may collect through the various communications we have with the customer or user will be treated with absolute confidentiality. We undertake to keep such data secret and to guarantee our duty to safeguard it by adopting all measures necessary and reasonable to prevent its alteration, loss, processing or unauthorised access, in accordance with the applicable legislation.

In cases of personal data security breaches that pose a risk to individuals’ rights, Monema will take the necessary measures to remedy the situation and mitigate the possible negative effects such a breach may have caused. It will also notify customers or users and the competent national authority when required to do so by applicable data protection regulations.

Processing of minors’ data

Monema expressly prohibits minors under 14 years of age from providing data to Monema without the prior consent of their parents, guardians or legal representatives.

If the customer authorises the use of the services by a user under 14 years of age, the customer, as the person responsible for that minor, will be responsible for authorising and deciding with Monema on the processing of the minor’s data under the terms set forth in this Policy.

Monema will ensure the proper use of minors’ data, guaranteeing respect for applicable laws with such measures as may reasonably be appropriate.

When parents, guardians or legal representatives of these minors detect unauthorised data processing, they may submit their queries by sending an email to info@monema.com

Processor

Where Monema acts in the capacity of processor, all its staff undertakes to:

1 Use the personal data subject to processing, or those collected for inclusion, only for the purpose of this processing. Under no circumstances may the data be used for Monema’s own purposes or for purposes other than those indicated in the contract.

2 Process the data in accordance with the instructions of the controller.

3 Maintain a written record of all categories of processing activities carried out on behalf of the controller, which shall contain:

1. The name and contact details of the processor or processors and of each controller on whose behalf the processor is acting.

2. The categories of processing carried out on behalf of each controller.

3. A general description of the appropriate technical and organisational security measures that are being applied.

4. Not to disclose the data to third parties, unless expressly authorised to do so by the controller, in legally permissible cases. If the processor wishes to subcontract, it must inform the controller and request prior authorisation.

5. Maintain the duty of secrecy with regard to the personal data accessed as a result of this processing, even after the termination of the contract.

6. Ensure that persons authorised to process personal data expressly and in writing undertake to respect confidentiality and to comply with the appropriate security measures, of which they must be duly informed.

7. Keep at the controller’s disposal documentation demonstrating compliance with the obligation set out in the previous paragraph.

8. Ensure that persons authorised to process personal data receive the necessary training in personal data protection.

9. When data subjects exercise their rights of access, rectification, erasure, objection, restriction of processing or data portability with Monema, Monema must notify the controller by email at the address indicated by the controller. Such notification must be made immediately and in any case no later than the working day following receipt of the request, together with any other information that may be relevant to resolving the request.

10. Notification of personal data security breaches

4 The processor shall notify the controller, without undue delay and via the email address indicated by the controller, of any personal data security breaches under its responsibility of which it becomes aware, together with all relevant information for documenting and communicating the incident. At a minimum, the following information shall be provided:

1. Description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records concerned.

2. Contact details of the person from whom more information can be obtained.

3. Description of the possible consequences of the personal data security breach. Description of the measures taken or proposed to remedy the personal data security breach, including, where appropriate, measures taken to mitigate possible negative effects.

If it is not possible to provide the information simultaneously, and insofar as it is not possible, the information shall be provided gradually without undue delay.

At the controller’s request, Monema shall communicate such personal data security breaches to the data subjects as soon as possible, where the breach is likely to result in a high risk to the rights and freedoms of natural persons.

Such communication must be made in clear and plain language and must include the elements indicated in each case by the controller, which shall include, at least:

1. The nature of the data breach.

2. Contact details of the controller’s or processor’s contact point where more information can be obtained.

3. A description of the possible consequences of the personal data security breach.

4. A description of the measures taken or proposed by the controller to remedy the personal data security breach, including, where appropriate, measures taken to mitigate possible negative effects.

To make available to the controller all information necessary to demonstrate compliance with its obligations, as well as to enable audits or inspections carried out by the controller or another auditor authorised by it.

To implement the necessary technical and organisational security measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

The security measures adopted by the processor include, but are not limited to, the following:

ORGANISATIONAL MEASURES

All staff with access to personal data are aware of their obligations in relation to personal data processing and are informed of these obligations and, in particular, of the duty of confidentiality and secrecy, which continues even after the employment relationship with the company has ended.

TECHNICAL MEASURES

Identification

There are profiles with administrator rights for installing and configuring the system, and users without administrator privileges or rights for accessing personal data.

• There must be passwords for accessing personal data stored in electronic systems. Passwords must be at least 8 characters long, combining numbers and letters.

• Where personal data are accessed by several people, each person with access to personal data will have a specific user ID and password (unique identification).

• The confidentiality of passwords must be guaranteed, preventing them from being exposed to third parties.

Duty of safeguarding

Below are some of the technical measures used to ensure the safeguarding of personal data:

• Updating computers and devices: Devices and computers used for storing and processing personal data are kept as up to date as reasonably possible.

• Antivirus: Computers and devices used for automated personal data processing will have an antivirus system that ensures, as far as possible, protection against theft and destruction of information and personal data. The antivirus system must be updated periodically.

• Firewall: To prevent unauthorised remote access to personal data, a firewall must be enabled on those computers and devices where it is necessary to store and/or process personal data.

• Data encryption: When it is necessary to extract personal data outside the premises where it is processed, either by physical or electronic means, consideration must be given to using an encryption method to ensure the confidentiality of personal data in the event of unauthorised access to the information.

• Back-up copy: A back-up copy is made on a second medium other than the one used for day-to-day work. The back-up copy is stored in a secure location, separate from the computer holding the original files, in order to allow personal data to be recovered in case of loss of information.

Security measures will be reviewed periodically. The review may be carried out using automated mechanisms (software or computer programs) or manually.

Destination of the data

To return to the controller the personal data and, where appropriate, any media on which they are stored, once the service has been provided.

The return must entail total erasure of the data held on the computer equipment used by the processor. However, the processor may retain a copy, with the data duly blocked, for as long as liabilities may arise from performance of the service.

The controller is responsible for:

• Providing the processor with the data necessary to provide the service.

• Overseeing, prior to and throughout the processing, compliance with the GDPR and this contract by the processor.

• Supervising the processing.

Cookies

Monema uses “cookies” when you browse its website. “Cookies” are small files sent by our computer systems to users’ computers which automatically collect information about the visitor’s IP address, the day and time the visit begins and ends, as well as information on the different sections of the website visited. Users can configure their browser so that it alerts them on screen if they are about to receive a cookie. Users can also configure their computers not to receive these cookies, without this preventing them from accessing the information on the website. These are:

• Own cookies

Purpose: These cookies are used to enable visits to our website and interaction with it. They are also used to understand the origin of visits to our website.

• Third-party cookies:

Cookies: google-analytics.com

Provider: Google Inc.

Purpose: Collects various information on how the user browses our site, for example, the visitor’s location, details of the visit (time spent, pages viewed, etc.).

Uses cookies such as “__utma”, “__utmb”, “__utmc” and “__utmz”.

Cookies: consensu.org (Sharethis)

Purpose: To transfer the origin when sharing one of our website pages on social media.

Content from other web services, such as certain social networks, has been integrated.

Each of these services uses its own cookies. If you wish to know the privacy and cookie usage conditions, please consult the links to the policies provided by each service.

Responsibility

Monema warns that, unless there is a legally established representation, no user and/or customer may use another person’s identity and communicate their personal data, and therefore they must at all times provide Monema with personal data corresponding to their own identity that are adequate, relevant, current, accurate and truthful. To this end, the user and/or customer will be solely responsible for any damage, direct and/or indirect, caused to third parties or to Monema as a result of using another person’s personal data or using their own personal data where such data are false, inaccurate, outdated or inappropriate. Similarly, the user and/or customer who communicates a third party’s personal data will be liable to that third party for the obligation to inform established in the applicable regulations for cases where personal data have not been obtained from the data subject, and/or for the consequences of failing to have provided such information.

Monema is not responsible for any non-compliance with data protection regulations by the customer, acting as controller, in the part relating to their own activity and connected with the performance of the contract or commercial relationships with Monema. Each party will bear responsibility arising from its own non-compliance with contractual obligations, legislation and regulations.

Changes to the policy

Monema may update this Privacy Policy at any time. Such updates will in all cases be made public and will be communicated directly to the customer or user where they affect their rights or freedoms.

All notifications, amendments and communications from Monema to the customer relating to the Privacy Policy will be made with the legally required notice, by email to any of the addresses provided by the user or customer to Monema.

Use of the services once this change has been communicated will imply that the customer is aware of it under the terms set out in the new Privacy Policy published.