Privacy Policy
Introduction
This Privacy Policy has been drawn up taking into account the current provisions of the Organic Law on the Protection of Personal Data, as well as Regulation 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data, hereinafter GDPR.
This Privacy Policy is intended to inform data subjects about the specific aspects of the processing of their personal data, in particular the purposes for which it is processed, the contact details for exercising their rights, the retention period of the information and the security measures implemented.
Data Controller
In terms of data protection, ITER ADVISORS, S.L. is considered the Data Controller for the files and processing operations identified in this policy, in particular in the data processing section.
Information about the controller:
• Data Controller: ITER ADVISORS, S.L.
• Postal address: Calle Balmes 77, Principal 2a, 08007 Barcelona
• Email address: contact@iteradvisors.com
Data Processing
The personal data requested will only be that which is strictly necessary to identify and respond to the request of the data subject. This data will be processed fairly, lawfully and transparently. Likewise, the data collected will be used for specific, explicit and legitimate purposes, and will not be further processed in a manner incompatible with those purposes.
The data collected will be adequate, relevant and limited to the purposes for which it is collected, and will be updated if necessary.
The data subject will be informed, prior to the collection of their data, of the general principles regulated by this policy in order to give their express, precise and unequivocal consent for the processing thereof.
Processing Purposes
The specific purposes of each processing operation are set out in the informative clauses included in the various data collection methods (online forms, paper forms, advertisements or informative notes).
However, personal data will be used exclusively to provide an effective response to user requests, defined according to the service or collection system used.
Legitimization
As a general rule, ITER ADVISORS, S.L. obtains the express and unequivocal consent of the data subject prior to any processing of their personal data, through informative clauses incorporated into the various collection systems.
If consent is not required, the processing will be based on a legal or regulatory basis that authorizes or requires the processing of the data subject's data.
Recipients
As a general rule, ITER ADVISORS, S.L. does not share data with third parties, except by legal obligation. If it becomes necessary to share data with third parties, the data subject will be informed through the consent clauses included in the personal data collection systems.
Data Origin
As a general rule, personal data is collected directly from the data subject. However, in certain cases, it may be obtained through third parties or external services. The data subject will be informed within a reasonable period and, at the latest, within one month from the date of data collection.
Data Retention
The information will be retained for the time necessary to achieve the purpose for which it was collected. Once the purpose has been achieved, the data will be deleted.
After deletion, the data will remain blocked and only public authorities, judges and courts will be able to access it in the event of legal liability during the limitation period. Once this period has elapsed, the data will be permanently destroyed.
For information purposes, the legal data retention periods are as follows:
• Social and social security documentation: 4 years (Article 21 of Royal Legislative Decree 5/2000)
• Accounting and tax documentation for commercial purposes: 6 years (Article 30 of the Commercial Code)
• Accounting and tax documentation for tax purposes: 4 years (Articles 66 to 70 of the General Tax Law)
• Building access control: 1 month (AEPD Instruction 1/1996)
• Video surveillance: 1 month (AEPD Instruction 1/2006, Organic Law 4/1997)
Navigation Data
Navigation data collected through the website will be processed in accordance with applicable regulations. For more information, please consult the Cookie Policy published on the website.
Data Subject Rights
Data protection regulations confer a number of rights on data subjects:
• Right of access: to obtain information on the processing of their data, the purposes, the recipients, the retention period and the origin of the data.
• Right of rectification: to correct inaccurate or incomplete data.
• Right of erasure: to obtain the deletion of data in certain cases: when the data is no longer necessary, when the data subject withdraws consent, when the data subject objects to the processing, when the data must be deleted to comply with a legal obligation, or when the data has been collected as part of a digital service in accordance with Article 8(1) of the GDPR.
• Right of opposition: to object to processing based on consent.
• Right to restrict processing: in certain cases, when the accuracy of the data is contested, when the processing is unlawful but the data subject objects to deletion, when the company no longer needs the data but the data subject needs it for a claim, or when the data subject has objected to the processing, pending verification of its legitimacy.
• Right to portability: to obtain data in a structured format that can be transferred to another data controller when the processing is based on consent and carried out by automated means.
• Right of recourse: to lodge a complaint with the competent supervisory authority.
The data subject may exercise their rights by written request addressed to ITER ADVISORS, S.L., Calle Balmes 77, Principal 2a, 08007 Barcelona, specifying in the subject the right they wish to exercise. ITER ADVISORS, S.L. will process the request within the deadlines established by current regulations.
Security
The security measures adopted by ITER ADVISORS, S.L. comply with the provisions of Article 32 of the GDPR. These measures take into account technological advances, implementation costs and the nature, scope and purposes of data processing, in order to guarantee an adequate level of security.
ITER ADVISORS, S.L. has implemented mechanisms to:
• Guarantee the confidentiality, integrity and availability of processing systems and services.
• Rapidly restore access to data in the event of a physical or technical incident.
• Regularly verify, evaluate and improve the effectiveness of security measures.
• Pseudonymize and encrypt personal data when necessary.