CERTIFICATE OF COMPLIANCE WITH DATA PROTECTION REGULATIONS BY
For the purposes of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights; and Law 34/2002 of 11 July on Information Society Services and Electronic Commerce, we certify that
PSICO SMART APPS, S.L.,
with NIF
B-66099532
has sufficient guarantees to comply with the obligations arising from the regulations in force regarding the protection of personal data, as well as to provide the services contracted by its clients that involve the processing of personal data on their behalf.
In this sense,
- The entity has hired specialized consultants in the field of data protection whose contact details are PRIDATECT, S.L., Avenida Josep Tarradellas nº 36, 08029, Barcelona, legal@pridatect.com.
- A risk assessment has been carried out which evaluates the threats to which the entity is subject and, where appropriate, the measures needed to mitigate them. Details of the risk scenarios detected and related tasks are available in a comprehensive executive risk report.
- According to the structure of the entity, a Record of Processing Activities has been generated, where all the activities that involve data processing are documented. This register will be completed gradually, as it is a living document that must reflect the reality of the entity and its data processing.
- Protocols with a description of the specific technical, physical, logical and organizational measures to be implemented by the entity have been generated.
- Procedures have been provided for to protect the rights of the data subjects, together with a register of technical incidents and a procedure to notify data breaches. The entity has the means to respond to requests from data subjects to exercise their rights.
- Personal data processors have been identified and contracts have been entered into that regulate and define the interactions between them and the entity.
- The entity has put in place legal notices, privacy policies and customer data collection forms to ensure compliance with the duty to inform.
- The staff of the entity has received training on data protection and privacy competencies. Likewise, the confidentiality agreements and the documents and policies containing the obligations of secrecy and the use of computer tools have been revised and/or updated.
- All documentation is stored in a secure cloud environment where it is kept regularly updated with a version history to provide evidence of regulatory compliance.
This certificate is provided and verified at the mentioned date and is wholly reliant on the information available at the date of signature of this report.
In Barcelona, 1st April 2022.