Data Protection and Privacy at Work Policy

Dual Borgstena Textile Portugal, Unipessoal, Lda., a legal person with identification number 502355409, with registered office at EN 234 — km 87.7 (Chão do Pisco), Apartado 35, 3521-909 Nelas, hereinafter referred to as Borgstena, the Employer or the Data Controller, hereby publishes this Data Protection and Privacy Policy, to ensure transparency and the dissemination of information to each of its employees on the rules applicable to data protection in the employment context, following the entry into force of the General Data Protection Regulation (hereinafter the GDPR) and the GDPR Implementing Law (hereinafter the LERGPD), and in conjunction with the Labour Code, approved by Law No. 7/2009 of 12 February.

1.Contact details of the data controller

Borgstena establishes the following contacts for the purpose of applying the rules of the GDPR as Data Controller:

• general email address: info@borgstena.com;
• general telephone: (+351) 232 427 660;
• website: www.borgstena.com;
• email address of the Data Protection Officer: dataprotection@borgstena.com.

2.Personal data processed

The Employer, within the strict limits of the purposes and legal grounds specified below, processes, by itself or on its behalf, employees' personal data, namely the name, marital status, civil, tax, social security and health user identification numbers, age, date of birth, place of birth, academic, technical and professional qualifications, telephone numbers, composition and identification of the members of the respective household, training data and professional performance data.

The Employer, on the grounds of the exception provided for in Article 9 of the GDPR and in strict compliance with the provisions of that article, in particular as regards the duty of professional secrecy, also processes the following special categories of personal data: trade union membership, biometric data and health data.

3.Purpose of processing

Employees' personal data are processed for the purposes inherent in the performance of the employment contract, including compliance with related legal obligations, namely the planning and organisation of work, equality and diversity in the workplace, health and safety at work, the protection of the Employer's assets and the purposes of the exercise and enjoyment, individually or collectively, of employment-related rights and benefits, as well as the purposes associated with the termination of the employment relationship.

Without prejudice to the above purposes, special categories of personal data are processed for the following specific purposes:

• trade union membership — for compliance with legal obligations and at the request of employees;
• biometric data — for access control to facilities and attendance control and for the protection of persons and property;
• health data — for the purposes of preventive and occupational medicine and the assessment of the working capacity of employees, by processors legally qualified for the purpose and under a strict obligation of professional secrecy.

4.Legal basis for processing

4.1. The processing of the aforementioned personal data is necessary for: i) the performance of the employment contract; ii) compliance with legal obligations to which the Employer is subject by virtue of applicable national or European Union legislation; iii) the legitimate interests pursued by the Employer, namely the exercise of its management powers and the corresponding optimisation of its organisational and operational processes.

4.2. Outside of these cases, the Employer may process data collected from employees for other specific, explicit and legitimate purposes, expressly obtaining, at the time of collection, the corresponding and legitimate consent of the employees.

5.Recipients

5.1. Within the scope and context of the employment relationship and for the purposes and on the grounds specified above, the Employer may communicate employees' personal data to other entities, namely processors for the provision of occupational medicine, management consultancy, human resources, accounting, tax, legal or other services, banking entities, insurance entities, the Tax Authority, the Social Security services, the Working Conditions Authority, the Employment and Vocational Training Institute, judicial entities, enforcement agents, the National Data Protection Commission and other entities as determined by law or in compliance with judicial orders.

5.2. The Employer, in accordance with the provisions of the GDPR, formalises the corresponding contracts with its processors, ensuring that they adopt the technical and organisational protection measures required to protect the personal data they process.

6.Retention period

6.1. Without prejudice to personal data being kept for the period strictly necessary to achieve the specific purposes in question, and to compliance with other applicable legal time limits depending on the special categories of personal data processed, employees' personal data are kept, by default, for a period of two years from the termination of the employment contract binding the Parties, under Article 337(1) of the Labour Code.

6.2. Employees are informed that this period may be extended where this becomes necessary for the declaration, exercise or defence of the Employer's rights in legal proceedings.

7.Rights of the data subject

7.1. Employees, as holders of personal data, have the right of access, rectification, erasure, restriction, objection and data portability, under the conditions and with the exceptions provided for by law.

7.2. In the event of a breach of their personal data, the data subject may also lodge a complaint with a supervisory authority, namely the National Data Protection Commission.

7.3. In cases where the legal basis for the processing of their personal data is consent, employees also have the right to withdraw their consent at any time, without affecting the lawfulness of the processing carried out, on that basis, up to that point.

8.Exercising the rights of the data subject

8.1. To exercise any type of data protection and privacy rights, or for any matter relating to data protection, privacy and information security, employees may contact the Data Protection Officer at dataprotection@borgstena.com, describing the subject of the request and indicating an email address, a telephone contact or a correspondence address for reply.

8.2. A Form for Exercising the Rights of Personal Data Subjects is available to employees at borgstena.dataprotectionofficer.help/borgstena/forms or at any of the Employer's workplace service points, and may also be requested by email to the Data Protection Officer.

9.Obligations of employees regarding data protection

Employees are obliged to act in accordance with the legal rules applicable to the protection of personal data and with the internal rules in force in this area, namely the procedures, internal regulations and work instructions in the field of data protection and information security, and are expressly made aware of the terms of the Data Protection Policies and Information Security Policies approved by the Data Controller, accessible on the Data Protection Platform at borgstena.dataprotectionofficer.help/borgstena.

10.Duty of secrecy and confidentiality

Employees are bound by duties of secrecy and confidentiality whenever they process personal data, in accordance with the terms of the Data Protection and Privacy Policy, and must guarantee the confidentiality of all personal data within the scope of their employment responsibility, undertaking to comply with all procedural, technical and organisational measures necessary for the secrecy of personal data or information, and to process such data in a manner that ensures their security, including protection against unauthorised or unlawful processing and against accidental access, editing, disclosure, use, destruction or damage.

11.Duty to report a personal data breach

11.1. Employees must be aware of and comply with the rules of the personal data and information security incident management system in force at the Employer.

11.2. In the event of a personal data breach, employees must notify the Employer without undue delay and, where possible, within twelve hours of becoming aware of it, unless the breach is not likely to result in a risk to the rights and freedoms of natural persons. If the notification is not transmitted within twelve hours, it must be accompanied by the reasons for the delay.

11.3. A Personal Data Breach Incident Reporting Form is available to employees at borgstena.dataprotectionofficer.help/borgstena/forms or at any of the Employer's workplace service points, and may also be requested by email to the Data Protection Officer.

12.Permanent security contact point

12.1. Employees are informed that the Employer has set up a Permanent Contact Point for the management of information security and cyberspace security incidents, in accordance with the legal regulations in force, and that they are obliged to report the occurrence of any information security incident or cyberspace security incident as soon as they become aware of it, by contacting the Permanent Contact Point, without undue delay, through the communication channels indicated at borgstena.dataprotectionofficer.help/borgstena/security.

12.2. Employees must use the Information Security or Cyberspace Security Incident Reporting Form, accessible at borgstena.dataprotectionofficer.help/borgstena/forms or at any workplace service point, and which may also be requested by email to the Permanent Contact Point.

13.Whistleblower protection

Employees are informed that the Employer has implemented a Whistleblowing Channel, in accordance with the legal regulations in force, namely Law No. 93/2021 of 20 December, guaranteeing the protection of the personal data of data subjects. The Whistleblowing Channel and the corresponding Whistleblowing Form are accessible at borgstena.dataprotectionofficer.help/borgstena/whistleblowing or at any workplace service point, and the Employer's Whistleblowing Officer may be contacted through the contact details available on that page.

14.Data processing information sheets

Employees may consult all of the Employer's Data Processing Information Sheets on the Data Protection Platform, accessible at borgstena.dataprotectionofficer.help/borgstena/information, or in person at any workplace service point.

15.Changes to internal procedures, policies or standards

15.1. In order to ensure their updating, development and continuous improvement, employees are informed that the Employer may, at any time, make any changes deemed appropriate or necessary to the internal Data Protection Procedures, Policies or Standards, which are published in the various internal channels to ensure transparency and information for employees.

15.2. Employees are informed that they may consult the applicable updated versions of the internal Data Protection Procedures, Policies or Standards on the Data Protection Platform, accessible at borgstena.dataprotectionofficer.help/borgstena, or in person at any workplace service point, and may also consult the document history by emailing a request to dataprotection@borgstena.com.

16.Support from the Data Protection Officer

To request intervention or technical and regulatory assistance or support in the field of data protection or privacy, employees should contact the Employer's Data Protection Officer by email at dataprotection@borgstena.com. The functional description, procedures and contact details of the Data Protection Officer are available on the Platform's Support page, accessible to employees at borgstena.dataprotectionofficer.help/support.

17.Versions of the Policy

Version of this Policy: 202605. Date: 25 May 2026. This version supersedes version 202306 of 20 June 2023 and corrects the section numbering of the previous version, in which the section on whistleblower protection was duplicated. To consult previous versions of the Data Protection and Privacy at Work Policy, employees may send a request by email to dataprotection@borgstena.com.