Personal Data Protection and Privacy Policy

This Policy is the Borgstena Group's reference document on the protection of personal data and privacy, from which the special policies and information sheets applicable to each processing context are derived.

1.Commitment to data protection and privacy

The Borgstena Group undertakes to comply with all applicable European Union and national legal standards in the field of data protection and information security.

To this end, the Borgstena Group has implemented a Personal Data Protection System and an Information Security System, in order to ensure regulatory compliance and to demonstrate institutional accountability in matters of data protection and information security, implementing all the necessary technical and organisational measures deemed appropriate, both to comply with the legal regime of the General Data Protection Regulation (Regulation (EU) 2016/679 of 27 April, hereinafter the GDPR) and to comply with the legal regime of the GDPR Implementing Law (Law No. 58/2019 of 8 August, hereinafter the LERGPD), as well as the other applicable complementary legislation.

For any clarification, additional information or exercise of rights in this regard, the data subject may contact the Borgstena Group's Data Protection Officer at dataprotection@borgstena.com.

2.Definitions

For the purposes of this Policy, and in accordance with Article 4 of the GDPR, the following terms have the meanings set out below:

Personal data

Information relating to an identified or identifiable natural person (the data subject); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online identifiers or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

Processing of personal data

Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller

The natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor

The natural or legal person who processes personal data on behalf of the controller and on the controller's instructions.

Cookies (connection testimonials)

Small text files, containing information considered relevant, that are downloaded by the devices used to access the internet — computers, mobile phones or other portable devices — through the browser when a website is visited by the user.

3.Entity responsible for processing

Borgstena, a legal person with identification number 502355409, hereinafter referred to as Borgstena, is the entity responsible for the forms, online sites, systems or computerised applications — hereinafter referred to as channels or applications — through which Users, Service Recipients or Users have remote access to the Borgstena services that are, at any time, presented or provided to them, and is the entity considered responsible for the processing of personal data.

The use of the channels, systems or applications by any User, Service Recipient or User may imply the performance of personal data processing operations, the protection, privacy and security of which are ensured by Borgstena, as the entity responsible for the respective processing, under this Policy. Each company of the Borgstena Group is responsible for the processing of personal data it carries out in the exercise of its activity, this Policy applying, with the necessary adaptations, to all companies of the Group.

4.Institutional contacts of the controller

To contact the Borgstena Group's Data Protection Officer, the data subject may send an email to dataprotection@borgstena.com or to each of the specific addresses identified in the forms, online sites or applications, describing the subject of the request and indicating an email address, a telephone contact or a correspondence address for reply.

For any other purpose, the following general contact details of Borgstena, as controller, may be used:

• postal address: EN 234 — km 87.7 (Chão do Pisco), Apartado 35, 3521-909 Nelas;
• general email address: info@borgstena.com;
• general telephone: (+351) 232 427 660;
• website: www.borgstena.com.

5.Collection and processing of personal data

Borgstena processes the personal data strictly necessary for the provision of information and the operation of its channels, according to the uses made by Users, Service Recipients or Users — whether those provided for the purpose of registering requests or obtaining information, those provided for the purpose of joining those channels, or those resulting from the use of the services provided by Borgstena through them, such as access, queries, instructions, requests or applications, transactions and other records relating to their use.

In particular, the use or activation of certain functionalities of the channels may imply the processing of various direct or indirect personal identifiers, such as name, residence address, personal contacts, device addresses or geographic location, provided that there is express consent of the data subject, where this is necessary for the management of the contractual relationship or the pursuit of legitimate interests or, finally, for the purpose of complying with legal obligations. In all cases, data subjects are informed in advance of the need to access such data, as well as of the respective lawful bases for processing.

The personal data collected by Borgstena are processed manually or, in certain cases, in an automated or computerised manner, within the scope of the management of the pre-contractual, contractual or post-contractual relationship with the data subjects, under the national and European Union regulations in force.

6.Categories of personal data and data subjects processed

The categories or types of personal data processed are, in general, as follows:

• identification data;
• contact data;
• professional data;
• billing data;
• traffic and access control data.

At the various establishments of the controller, biometric data may also be processed, through video surveillance systems or other biometric systems that are installed. The categories or types of data subjects processed are, in general, Users, Service Recipients or Users, and may also include, in special processing situations, the members of their household or visitors to the controller's premises. The detailed list of categories of personal data and data subjects is set out in the Data Processing Information Sheets relating to each specific processing activity.

7.Legal principles

All data processing operations comply with the fundamental legal principles in the field of data protection and privacy, namely as regards lawfulness, fairness, transparency, purpose limitation, data minimisation, storage limitation, accuracy, integrity and confidentiality. Borgstena is available to demonstrate compliance with these principles to the data subject, to the authorities or to any other third party with a legitimate interest in this matter, giving effect to the accountability principle enshrined in Article 5 of the GDPR.

8.Lawful bases

All data processing operations carried out by Borgstena have a lawful basis, provided for in Article 6 of the GDPR, namely: the data subject's consent to the processing of their personal data for one or more specific purposes; the necessity of the processing for the performance of a contract to which the data subject is a party or for pre-contractual steps at the data subject's request; compliance with a legal obligation to which the controller is subject; the public interest; or the pursuit of the legitimate interests pursued by Borgstena or by a third party. The specific lawful basis is indicated in the specific data processing activities.

9.Purposes of processing

All personal data processed through Borgstena's channels are used exclusively to provide information to Users, to manage the personal information of Service Recipients deemed necessary for the purposes of relationship management or communication, to provide services to Users and, in general, to manage the pre-contractual, contractual or post-contractual relationship with data subjects.

The personal data collected may also be processed for statistical purposes, for the dissemination of information or promotional actions and for communication actions, namely to promote the dissemination of new functionalities or new services. While prior information and the collection of express authorisation for these latter purposes are always ensured, Users, Service Recipients or Users may, at any time, exercise their right to withdraw consent or their right to object to or restrict the use of their personal data for purposes that go beyond the management of the relationship with the controller, by sending a written request to the Data Protection Officer.

10.Data processing information sheets

In compliance with the principles of fairness and transparency and the duty to provide information, Borgstena delivers directly or makes publicly available to all data subjects, depending on how their personal data are collected, information sheets on the processing activities carried out, accessible for consultation at any service unit or upon request to the Data Protection Officer. With regard to websites and online services, please consult the Information Sheet on Data Processing on Websites, accessible at borgstena.dataprotectionofficer.help/borgstena/information.

11.Data retention periods

Personal data are stored only for the period necessary for the purposes for which they were collected or subsequently processed, ensuring compliance with the applicable legal rules on archiving and specifying the specific storage period in each of the Data Processing Information Sheets. Once the applicable period has elapsed, the data are securely deleted or anonymised.

12.Use of cookies

Regarding the use of cookies or connection testimonials by Borgstena, please consult the Cookies Policy, accessible at borgstena.dataprotectionofficer.help/borgstena/policies.

13.Communication of data to other entities

The provision of information or the provision of services by Borgstena to its Users, Service Recipients or Users, through the channels, may imply the use of the services of processors, joint controllers or other autonomous controllers, including entities established outside the European Union, which may imply access by these entities to such personal data. In these circumstances, and whenever necessary, Borgstena uses only entities that provide sufficient guarantees of the implementation of appropriate technical and organisational measures, so that the processing meets the requirements of the applicable rules, such guarantees being formalised in a contract concluded between Borgstena and each of those entities, under Article 28 of the GDPR.

14.Data recipients

Except in the context of compliance with legal obligations, the performance of contracts or the pursuit of legitimate interests, in no case are the personal data of Users, Service Recipients or Users communicated to third parties other than processors or legitimate recipients, nor is any other communication made for purposes other than those referred to in this Policy without the prior and express consent of the data subject.

15.International data transfers

Any transfer of personal data to a third country or an international organisation is carried out only within the framework of compliance with legal obligations or to ensure compliance with the applicable European Union and national legal rules, and observes the requirements of Chapter V of the GDPR, namely the existence of an adequacy decision or, in its absence, of appropriate safeguards.

16.Security measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity, Borgstena and all entities that are its processors apply the appropriate technical and organisational measures to ensure a level of security commensurate with the risk, in accordance with Article 32 of the GDPR. To this end, various security measures are adopted in order to protect personal data against their dissemination, loss, misuse, alteration, unauthorised processing or access, as well as against any other form of unlawful processing.

It is the sole responsibility of Users, Service Recipients or Users to keep their access codes secret and not to share them with third parties, and, in the particular case of the computer applications used to access the channels, to keep and maintain the access devices in a secure condition and to follow the security practices advised by manufacturers or operators. Where it engages processors that may have access to personal data, Borgstena requires its processors to adopt the security measures and protocols, at organisational and technical level, necessary to protect the confidentiality and security of personal data.

17.Exercise of the rights of data subjects

Users, Service Recipients or Users of Borgstena may, as holders of personal data, exercise their data protection and privacy rights at any time, namely:

• the right to withdraw consent, where the processing is based on that ground;
• the right of access to personal data and to information about the processing thereof;
• the right to rectification of inaccurate or incomplete data;
• the right to erasure of data, in the situations provided for by law;
• the right to restriction of processing;
• the right to data portability;
• the right to object to processing.

Any request to exercise rights must be addressed in writing by the data subject to the Data Protection Officer, in accordance with the procedure and contact details described in this Policy. A Form for Exercising the Rights of Personal Data Subjects is available at borgstena.dataprotectionofficer.help/borgstena/forms, at any Borgstena service point or upon request to the Data Protection Officer. The exercise of rights is free of charge and Borgstena responds within one month, extendable by two months in justified cases, under Article 12(3) of the GDPR.

18.Complaints and suggestions

Users, Service Recipients or Users have the right to submit a complaint, either by registering the complaint in the Complaints Book or by submitting a complaint to the regulatory authorities. In the latter case, they may submit a petition or complaint directly to the National Data Protection Commission (CNPD), through the contacts available at www.cnpd.pt. Data subjects may also make suggestions by email addressed to the Data Protection Officer at dataprotection@borgstena.com.

19.Reporting of personal data breach incidents

Borgstena has implemented an incident management system for data protection and information security. Should they wish to report the occurrence of a personal data breach — which, accidentally or unlawfully, results in the unauthorised destruction, loss, alteration, disclosure of, or access to, personal data transmitted, stored or otherwise processed — the data subject may contact the Data Protection Officer or use Borgstena's general contact details. A Personal Data Breach Incident Report Form is available at borgstena.dataprotectionofficer.help/borgstena/forms.

20.Permanent security contact point

Borgstena has implemented a Permanent Contact Point for the management of information security and cyberspace security incidents. Should they wish to report the occurrence of an information security incident or a cyberspace security incident, the data subject may contact Borgstena's Permanent Contact Point through the communication channels available at borgstena.dataprotectionofficer.help/borgstena/security. An Information Security or Cyberspace Security Incident Reporting Form is available at borgstena.dataprotectionofficer.help/borgstena/forms.

21.Whistleblower protection

Borgstena has implemented a Whistleblowing Channel, in accordance with the legal regulations in force, namely Law No. 93/2021 of 20 December, which establishes the General Regime for the Protection of Whistleblowers, guaranteeing the protection of the personal data of data subjects. The Whistleblowing Officer at Borgstena may be contacted through the contact details available at borgstena.dataprotectionofficer.help/borgstena/whistleblowing, where the Whistleblowing Platform is also accessible.

22.Corruption prevention

Borgstena has implemented a Regulatory Compliance Programme within the scope of the Prevention of Corruption, in accordance with the legal regulations in force, namely Decree-Law No. 109-E/2021 of 9 December, which establishes the General Regime for the Prevention of Corruption, guaranteeing the protection of the personal data of data subjects. For the purpose of submitting reports within the scope of the corruption prevention regime, any interested party may use Borgstena's Whistleblowing Platform or the Whistleblowing Form, accessible from borgstena.dataprotectionofficer.help/borgstena/whistleblowing.

23.Special policies and information sheets

With a commitment to transparency and information, and to ensure that the Data Protection Policy is appropriate to the different processing operations and to the different categories of data subjects, Borgstena develops special data protection policies, namely:

• the Data Protection Policy in Application Management;
• the Data Protection Policy in the Employment Context;
• the Data Protection Policy in Procurement;
• the Cookies Policy.

These special policies are made available directly to the respective categories of data subjects or in the context of the related processing activities and may be consulted on the Data Protection Platform or upon request to the Data Protection Officer. The data protection policies are further complemented by Data Processing Information Sheets, reinforcing transparency and information on specific processing activities.

24.Information sheet on relations with users

The Information Sheet on Data Processing in Relations with Users, Service Recipients or Users is available at borgstena.dataprotectionofficer.help/borgstena/information.

25.Data Protection Officer

For any information, complaint, incident report or exercise of any type of data protection and privacy rights, or for any matter relating to data protection and information security, the Users, Service Recipients and Users who interact with Borgstena may contact the Data Protection Officer directly by email at dataprotection@borgstena.com, describing the subject of the request and providing an email address, a telephone contact or a correspondence address for reply, or, if they prefer, contact any Borgstena unit or service point, requesting communication with the Data Protection Officer.

26.Informed consent and acceptance

The terms of this Policy are complementary to the terms and provisions on personal data set out in the Specific Conditions of Use of each of Borgstena's communication channels. The free, specific and informed provision of personal data by the respective data subject implies knowledge and acceptance of the conditions contained in this Policy, and it is considered that, by using the channels or by providing their personal data, Users, Service Recipients and Users expressly authorise the processing thereof, in accordance with the rules defined in each of the applicable collection channels or instruments.

27.Changes to the Policy

In order to ensure its updating, development and continuous improvement, Borgstena may, at any time, make any changes deemed appropriate or necessary to this Policy, its publication in the different channels being ensured in order to guarantee transparency and information to Users, Service Recipients and Users.

28.Versions of the Policy

Version of this Policy: 202605. Date: 25 May 2026. This version supersedes version 202306 of 20 June 2023. To consult previous versions of the Data Protection and Privacy Policy, the data subject may send a request by email to dataprotection@borgstena.com.