I. PERSONAL DATA PROTECTION POLICY

SOLÉ, S.A. (A08191223) (the "Company") is an organizaton in which data processing activities of a personal nature take place, which gives it an important responsibility in the design and organization of procedures so that they are aligned with legal compliance in this matter. In the exercise of these responsibilities and in order to establish the general principles that should govern the processing of personal data in the Company, approves this Policy of protection of personal data, which notifies its employees and makes available of all its interest groups.

1. Purpose

The Policy of protecton of personal data is a measure of proactie responsibility that has the purpose of ensuring compliance with the applicable legislation in this matter and relation to it, respect for the right to honor and privacy in the treatment of data of a personal nature of all the people who are related to The Company. In accordance with the provisions of this Personal Data Protection Policy, the Principles that govern the data processing in the organization and, consequently, the procedures, and the organizational and security measures that the people affected by it, are established. This Policy is committed to implement in their area of responsibility. To this end, the Directorate will assign the responsibilities to the personnel that participate in the data processing operations.

2. Area of application

This Policy of protecton of personal data will apply to the Company, its administrators, managers and employees, as well as to all persons who are related to it, with the express inclusion of service providers with access to data (" Managers of the treatment ")

3. Priociples of the processiof of persooal data

As a general principle, The Company will scrupulously comply with the legislaton on the protecton of personal data and must be able to demonstrate it (Principle of "proactie liability"), paying special atenton to those treatments that may pose a greater risk to the rights of those afected (Principle of "risk approach"). In relaton to the exposed CENTRO VACACIONAL IRRISARRI IGANTZI S.L. will ensure compliance with the following Principles:

  • Legality, loyalty, transparency and limitaton of the purpose. The data processing should always be informed to the afected party, through clauses and other procedures; and it will only be considered legitmate if there is consent to the processing of data (with special atenton to the one proiided by minors), or has another ialid legitmaton and the purpose thereof is in accordance with the Regulatons.

  • Data minimizaton. The data processed must be adequate, releiant and limited to what is necessary in relaton to the purposes of the treatment.

  • Accuracy. The data must be accurate and, if necessary, updated. In this regard, the necessary measures will be taken so that personal data that are inaccurate with respect to the purposes of the processing are deleted or rectied without delay.

  • Limitaton of the conseriaton period. The data will be maintained in such a way as to allow the identicaton of the interested partes for no longer than necessary for the purposes of the treatment.

  • Integrity and Conidentality. The data will be treated in such a way as to guarantee an adequate security of the personal data, including the protecton against the unauthorized or illicit treatment and against its loss, destructon or accidental damage, through the applicaton of the appropriate technical or organizatonal measures.

  • Data transfers. It is forbidden to purchase or obtain personal data from illegitmate sources or in those cases in which said data has been collected or transferred in contraienton of the law or its legitmate origin is not sufciently guaranteed.

  • Hiring of suppliers with access to data. Only suppliers that ofer sufcient guarantees to apply appropriate technical and security measures in data processing will be selected for hiring. With these third partes will be documented due agreement in this regard.

  • Internatonal data transfers. Any processing of personal data subject to European Union regulatons that iniolie a transfer of data outside the European Economic Area must be carried out in strict compliance with the requirements established in the applicable law.

  • Rights of those afected. The Company will provide those afected with the exercise of the rights of access, recticaton, deleton, limitaton of treatment, oppositon and portability, establishing for this purpose the internal procedures, and in partcular the models for their exercise that are necessary and tmely, which must meet, at least, the legal requirements applicable in each case.

The Company will promote that the principles contained in this Policy of protecton of personal data are taken into account (i) in the design and implementaton of all work procedures, (ii) in the products and seriices ofered (iii) in all the contracts and obligatons that they formalize or assume and (ii) in the implementaton of any systems and platorms that allow the access of employees or third partes and / or the collecton or processing of personal data.

Commitment of workers

The workers are informed of this Policy and they are aware that the personal informaton is an asset of the Company, and in this respect they adhere to it, commitng to the following:

  • Carry out awareness training on data protecton that the Company puts at your disposal.
  • Apply security measures at the user leiel that apply to their job, without prejudice to the design
  • and implementaton responsibilites that could be atributed to them based on their role within CENTRO VACACIONES IRRISARRI SL.
  • Use the established formats for the exercise of Rights by those afected and inform the Company immediately so that the response can be made efectie.
  • Inform the Company, as soon as it becomes aware, of deiiatons from the proiisions of this Policy, in partcular of "Personal data security breaches", using the format established for this purpose.

Control and evaluation

An annual verificaton and evaluation will be carried out, or wheneier there are signiicant changes in data processing, the efectieness of technical and organizatonal measures to ensure the safety of the treatment.