Data Processing Policy in Relations with Suppliers

This special Policy governs the processing of personal data in relations with suppliers and complements the general Personal Data Protection and Privacy Policy.

1.Commitment to data protection

Dual Borgstena Textile Portugal, Unipessoal, Lda., hereinafter referred to as Borgstena, a legal person with identification number 502355409, complies with the applicable European Union and national legal rules regarding the protection of personal data, privacy and information security of data subjects, within the scope of the processing operations carried out in the relationship with suppliers — whether the data subjects are the suppliers themselves, as natural persons, or are the employees of suppliers — in accordance with the general terms of the Personal Data Protection and Privacy Policy, accessible at www.borgstena.com or at any of the service points, and with the special terms of this Policy.

2.Personal data

Borgstena collects and processes the following categories of personal data of suppliers or suppliers' employees:

• identification data;
• contact data;
• professional data and certifications;
• traffic and premises access control data.

3.Data sources

Borgstena collects the personal data of suppliers or suppliers' employees directly from them or, indirectly, from their employer, namely through the completion of information registration forms.

4.Purpose of processing

Borgstena processes the personal data of suppliers or suppliers' employees exclusively for the purposes of verifying the legitimacy of legal representatives, access control, occupational safety, hygiene and health and the provision of the contracted services, in the exercise of its economic activity.

5.Legitimacy of processing

Borgstena bases the legitimacy of the processing of the personal data of suppliers or suppliers' employees, depending on the specific processing activity carried out, on the management of the contractual relationship, on compliance with legal obligations or on the legitimate interests of pursuing its economic activity.

6.Data retention period

Borgstena keeps the data for the period necessary to achieve the purposes of the processing, in compliance with the applicable legal deadlines, the data subject being able to request, at any time, their erasure or the exercise of any other right, under the conditions and with the limitations provided for by law. The default retention period for the personal data of suppliers or suppliers' employees is one year.

7.Communication of personal data

The personal data of suppliers or suppliers' employees are processed exclusively by Borgstena's contracting and procurement, human resources management and occupational safety and health services and are not communicated to third parties, with the exception of the situations legally provided for the mandatory communication of personal data to third parties.

8.Data processing information sheets

In compliance with the principles of fairness and transparency and the duty to provide information, Borgstena delivers directly or makes publicly available to all data subjects, depending on how their personal data are collected, information sheets on the processing operations carried out, accessible for consultation at any service point or upon request to the Data Protection Officer. The Information Sheet on Data Processing in Relations with Suppliers is available at borgstena.dataprotectionofficer.help/borgstena/information.

9.Rights of suppliers or their employees

Borgstena facilitates the exercise of the rights of suppliers or their employees regarding the protection of personal data. In addition to always being able to lodge a complaint with the respective supervisory authority, for the exercise of any type of data protection rights — namely the rights to withdraw consent, to information, of access, rectification, objection, restriction of processing or erasure — suppliers or their employees may contact Borgstena's Data Protection Officer by email at dataprotection@borgstena.com, describing the subject of the request and indicating an email address, a telephone contact or a correspondence address for reply. A Form for Exercising the Rights of Data Subjects is available at borgstena.dataprotectionofficer.help/borgstena/forms or at any Borgstena service point.

10.Reporting of personal data breach incidents

Borgstena has implemented an incident management system for data protection and information security. Should they wish to report the occurrence of a personal data breach — which, accidentally or unlawfully, results in the unauthorised destruction, loss, alteration, disclosure of, or access to, personal data transmitted, stored or otherwise processed — the supplier or supplier's employee may contact Borgstena's Data Protection Officer or use Borgstena's general contact details. A Personal Data Breach Incident Report Form is available at borgstena.dataprotectionofficer.help/borgstena/forms.

11.Permanent security contact point

Borgstena has implemented a Permanent Contact Point for the management of information security and cyberspace security incidents. Should they wish to report the occurrence of an information security incident or a cyberspace security incident, the supplier or supplier's employee may contact Borgstena's Permanent Contact Point through the communication channels available at borgstena.dataprotectionofficer.help/borgstena/security. An Information Security or Cyberspace Security Incident Reporting Form is available at borgstena.dataprotectionofficer.help/borgstena/forms.

12.Whistleblower protection

Borgstena has implemented a Whistleblowing Channel, in accordance with the legal regulations in force, namely Law No. 93/2021 of 20 December, guaranteeing the protection of the personal data of data subjects, under the terms of the Whistleblower Protection Policy accessible at borgstena.dataprotectionofficer.help/borgstena/whistleblowing. The Whistleblowing Officer at Borgstena may be contacted through the contact details available on that page, where the Whistleblowing Platform is also accessible.

13.Corruption prevention

Borgstena has implemented a Regulatory Compliance Programme within the scope of the Prevention of Corruption, in accordance with the legal regulations in force, namely Decree-Law No. 109-E/2021 of 9 December, guaranteeing the protection of the personal data of data subjects. For the purpose of submitting reports within the scope of the corruption prevention regime, any interested party may use Borgstena's Whistleblowing Platform or the Whistleblowing Form, accessible from borgstena.dataprotectionofficer.help/borgstena/whistleblowing.

14.Data protection policies

The Data Processing Policy in Relations with Suppliers is complemented by Borgstena's general Personal Data Protection and Privacy Policy, accessible at www.borgstena.com. The other special data protection policies may also be consulted, by contacting the Data Protection Officer at dataprotection@borgstena.com or by contacting any service point in person.

15.Versions of the Policy

Version of this Policy: 202605. Date: 25 May 2026. This version supersedes version 202306. In order to ensure its updating, development and continuous improvement, Borgstena may, at any time, make any changes deemed appropriate or necessary to the data protection policies, their publication in the various channels being ensured. To consult previous versions, the data subject may send a request by email to dataprotection@borgstena.com.