To be able to receive the services offered by ALARES HUMAN SERVICES, S.A. (hereinafter ALARES) to clients of the BANCO SANTADER, the beneficiaries will be required to complete the register indicated in this website on the form provided for the purpose.

The data provided by the user will be processed and stored by:

ALARES will only process the personal data provided directly by the service holder beneficiary in registry on the website, or during the application/provision of any of the offered services.

In the present point, a table with the description of the purposes for which the data are processed and which can be given through the present website is offered:

[ⓘ We ask users/holders of data, before accepting the privacy policy (click on the acceptance box) to read the general basic information, and specifically this table where the purpose of use of the data that you provide us with and the file or files where they can be included is determined.]

Personal data may only be processed in relation to the purpose for which they were collected and which is expressed in this section, without ALARES being able to use said data for any purpose other than those indicated.

ALARES may pass the users’ data on to the rest of the Alares Group companies in order to guarantee the correct provision of the requested services, which will be considered TREATMENT CONTROLLERS of the data provided.

In this table we offer you the companies which from the point of view of the regulatory framework for data protection and processing, are included under the name of "Alares Group” in this area:

* NB: Access by third parties to data necessary for the provision of service or request is not considered data transfer. Said third parties will use the data only to give said service, and the data must be used for any other purpose in accordance with their right to information and authorisation of express consent (on their part).

Likewise, ALARES will communicate the data provided by users to the following entities:

** NB: In order to fulfil the purposes of this Privacy and Cookies Policy, ALARES, and therefore the Group's partner companies (with activities related to assistance, conciliation and professional services to groups, and the development and support of activities that may be susceptible to contracting through the website), must treat the Personal Data to the extent that they are directly involved with each contracted or requested service, purpose of the data and procedure. Your Personal Data will also need to be passed on to the aforementioned companies and third parties that provide support services, such as financial entities, anti-fraud entities, suppliers of technological, logistics, transportation and delivery services, customer service and/or analysis of the transactions carried out through the website in order to offer users sufficient guarantees in commercial operations, etc. By providing us with your Personal Data through forms, you authorise us to process and share your information with said third parties.

In this point, we bring you information about the figure called the "Data Protection Officer" (hereinafter DPO). The DPO acts for all Alares Group companies.

The purpose is that you, if you want to establish any application, can have references to address specific people, both in Alares and in the company with which you might have a relationship.

We therefore present this informative table of the Managers:

[Note: Derived from the fact that the DPO belongs to an external consultant, the person acting as the internal coordinator, following up on the implementation of the measures in the Alares companies, is Ms. Laura Andrés Estepa.]

In accordance with what is established in this point, and following the recommendations of the Spanish Data Protection Agency, we present how to contact the DPO:

• ¹Data Protection Officer
• Email: [email protected]
• Teléfono: 91 275 05 55
• Postal mail: Paseo de la Castellana, 126, 28046, Madrid.

¹ You must ask for communication with the data protection department and your DPO according to the contact information provided.

Here we use a table to bring together the information regarding the data processing storage term that can occur through the Alares websites. Companies or data controllers (processing) may have more files registered, but only those that have an impact on the data treated on the websites are described here.

[ⓘThe maintenance of the data term is established on the basis of (1) a criterion pertaining to Alares, associated with the purpose for which the data are used, (2) criteria established by a legal basis that obliges Alares to maintain them (another law which requires their maintenance) and (3) other associated statistical or historical reports that may be of interest tothe company. Once they have fulfilled the purpose of their use, Alares may cancel (eliminate them from the production environment) or delete the data].

At this time, the Alares companies referenced in point 1 do not assign or transfer data to third parties located in a different state of the European Union.

In order to cover some of the fundamental aspects of this regulatory framework (applicable in May 2018), such as the rights attributed to natural persons (data subjects), we present the different rights and attach a downloadable "ad hoc" model for this purpose.

a. Access: The right of access is that which the data owner has, as may be your case, which consists of being able to know the information that the company has about you.

b. Rectification: The right of rectification is that which the data owner has, as may be your case, which consists of rectifying the information/data that the company has on a data holder such as you, and which is not updated or adapted to reality of the data holder or is wrong.

c. Suppression: The right of suppression is that which the data owner has, as may be your case, which consists of suppressing the information/data that the company has and which you do not wish to continue to be able to use (information/data).

d. Data portability: It is designed so that Alares can, in a standard format, for example Excel, allow the migration/sending of data to another third party authorised by you. To achieve this right, you must: (a) certify that you are the owner of the data; (b) identify the third party that is the receiver of the data; (c) irrevocably authorise their portability (sending of data).

e. Opposition to their processing: The right of opposition is that which the data owner has, as may be your case, which consists of opposing the information/data that the company has on you and which you do not wish to continue to be able to use (information/data) for certain specific purposes, for example, not receiving commercial information.]

f. Right to withdraw consent or given consent: The right is that which the data owner has, as may be your case, which consists of opposing the use of those purposes for which consent was given or which were treated on a legitimate basis. If you, as the data holder, do not wish your information/data to continue to be used for specific purposes, for example, in order not to receive commercial information.

g. Right of Origin (of the data): The right to know where or how your data were obtained.

To exercise all the rights defined above, the party concerned must send a copy of their ID to ALARES HUMAN SERVICES, S.A., as the unit intervening in data protection for all group companies. Written communication can be made in two ways:

• By mail to address: Paseo de la Castellana no 126, 28046- Madrid.
• By email to: [email protected]

Through this website, the data are generally obtained:

• From the person concerned.
• From others (individuals or legal entities), with sufficient legitimacy for communication.

As an expression of responsibility for data protection and in accordance with the new regulatory change, Alares is committed to comply with Spanish legislation for the protection of personal data. These sections are part of an internal guide and/or code valid for the Alares Group and are based on principles recognised by the Spanish State and the Spanish Data Protection Agency.

Data protection is one of the bases of a commercial or trusting relationship and of the image of the companies in Alares. Therefore, through this block, Alares wishes to present the framework of the necessary conditions for data exchange between the Group Companies and the data (own or of third parties) holders. This block is intended to inform the user of thecriteria, values and efforts made by Alares to establish an adequate level of personal data processing protection required by the European Directive and by various national regulations for their correct processing.

These headings are limited to the Alares Group companies, that is to say, Alares and all the group companies that are dependent in data protection, and are included in the present privacy policy and information block.

A dependent company according to this guide is considered to be any company in which Alares may demand general or specific compliance with this data protection and processing guide by belonging to the group, by collaborating with it or by carrying out any action that involves data processing (as well as formalising the relationship between the data controller through an "ad hoc" contract for the activity or service that will be provided or performed by the group company or companies).

The individual companies of Alares are not authorised to adopt provisions that differ from the internal code and that established by their Data Protection Officer (DPO). Additional guidelines on data protection may be created in coordination with the Alares Data Protection Officer, if the processing, activity or process so requires. Changes can only be made to the internal code after consensus with the Alares DPO by other controllers and coordinator. The changes will immediately be reported to the Alares Group companies within an internal communication procedure.

All the Alares companies are responsible for pursuing compliance with the data protection and processing guidelines and the legal obligations within the legal framework of the Spanish State. If you, as a data user/holder, have reason to assume that there are legal obligations that contradict the obligations derived from this block and epigraphs, you may inform the Data Protection Officer of the Group (see contact information in the "Basic Information" section).

4.1. Honesty and legitimacy

During the collection and processing of personal data through the websites owned by Alares, Alares will ensure that the personal rights of the data owners are covered. Personal data must be collected according to the principles of consent and information, and treated honestly and legitimately.

4.2. Use for specific purposes

Personal data can only be processed in relation to the purpose for which they were originally collected. Informative clauses have therefore been established in forms or similar items (unambiguous/express acceptance boxes), where there is no cause of legitimacy for that purpose. Subsequent modification of the specific purpose/s will be possible only under certain conditions and requires objective justification or sufficient accreditation.

4.3. Transparency

The data owner must be informed over the use of their data. As a general rule, personal data, through this website, are always collected directly from the parties concerned. Whenever personal data are collected, the data subject must be able to personally recognise the following aspects, or be informed about them:

• The identity of the controller collecting the data
• The purpose of the data processing
• All possible third parties or categories of third parties to which the data are transferred, where appropriate

For this reason, it is recommended to read the privacy policy. Especially the "Basic Information" block where the previous points are contained, and to accept it through a function provided on some of the available forms.

4.4. Avoid and reduce data collection and processing

Alares, according to this block and the new regulatory framework, before collecting and subsequently processing personal data, will study the set of necessary data, and to what extent they are relevant in achieving the activity and intended purpose. For this purpose, "risk analysis" and "impact evaluation" reports will be made whenever possible, to achieve the intended purpose and to ensure that the costs are reasonable in relation to the purpose. No personal data should be collected and processed as a preventive measure for possible future uses, unless required or permitted by legislation in force at the time.

4.5. Deletion

Alares will delete the personal data associated with the data collected and processed in this website which are not necessary after the expiration of the prescribed storage periods or as allowed by law, according to the data and the registered file. If in an individual case, there are signs of a need for protection or historical interest of these data, the storage period of these data will be extended until the legal need for protection has been clarified, or until Alares has assessed the historical relevance of the data for inclusion in the archive.

4.6. Data accuracy and currency

Alares will keep the personal data as you have communicated them and according to your resources and the subsequent communications that you might make in this regard, and they will be updated whenever necessary or known.

[ⓘ Note: For this purpose, a procedure associated with this situation has been established, updating/modifying of data, and a Data Protection Delegate, Coordinator and Manager has been appointed for each company.]

4.7. Non-disclosure and data security

Alares personal data are subject to a non-disclosure commitment. In other words, they will be treated confidentially by their human resources and will be protected by appropriate organisational and technical measures from access by unauthorised persons, illegal processing or illicit transfer to third parties, as well as from casual loss, modification or destruction.

[ⓘ Note: In order to comply with the principle of confidentiality, commitments have been established in this respect for employees and third-party processing/confidentiality contracts.]

It is legal to collect, process and use personal data only if one of the requirements of legality described in what will be established below is met. One of the legality requirements must also be met if the purpose of the collection, processing and use of personal data is to be changed in relation to the original purpose.

5.1. Data processing for a contractual relationship

The personal data of the party concerned, the client and/or user of the website can be treated for the preparation, performance or cancellation of a contract or request. This also includes the contractual user/client service, as long as it is related to the object of the contract.

Before the formalisation of a contract - that is, in the prior phase - personal data may be processed to prepare offers, to prepare requests for products or services, or to fulfil other wishes of the party concerned in order to reach the conclusion of the business relationship. Potential clients or users may be contacted, depending on circumstances, during the pre- information phase, using the data that they have communicated or to be able to offer similar products or services or that may be of interest due to the profile of potential client/user. If applicable, the restrictions mentioned by the party concerned (data holder) should be taken into account.

5.2. Data processing for advertising purposes

If the party concerned addresses an Alares company requesting information (for example, request to send informative material on a product, act or service), their data may be processed to allow this desire to be fulfilled.

Client/user advertising and loyalty measures require compliance with other legal requirements. The processing of personal data for advertising or market research and opinion purposes is permitted if this processing is compatible with the purpose for which they were collected or express consent has been obtained. The affected parties will be informed about the use of their data (see “Basic Information” block, purpose of use). If data is collected exclusively for advertising measures, their communication by the affected party will always be voluntary.

If the party concerned rejects the use of their data for advertising purposes, their data should not continue to be used for this purpose and will be blocked accordingly (use of "Robinson list").

5.3. Consent to the processing of data

It is possible to process data if the party concerned has given their consent. Before requesting their consent, the party concerned will be informed in accordance with section 4.3 of this block on the data protection and processing guidelines. For reasons of plausibility, the declaration of consent must always be collected in writing or electronically (acceptance ofconditions on the form). Under certain conditions, such as telephone counselling, verbal consent may be granted. The granted consent will be documented.

5.4. Data processing due to legal permission

The processing of personal data is also legal if there are legal provisions that require, presuppose or authorise this processing. The type and extent of data processing must be necessary for the processing authorised by legislation, and must be carried out in accordance with these provisions.

5.5. Data processing due to a legitimate interest

Personal data may also be processed if necessary, to safeguard a legitimate interest of Alares. In general, legitimate interests can be of a legal nature (for example, making pending titles) or economic (for example, avoiding contract disturbances). The processing of personal data by reason of a legitimate interest is not permitted if in some particular cases there are signs that the protection of the legitimate interests of the party concerned predominates over the interest of the responsible body in the processing of the data. The legitimacy of these interests will be examined before each data processing.

5.6. Processing of data subject to special protection

Personal data subject to special protection can only be treated if it is mandatory by law, or if the party concerned has given their express consent.

Otherwise, these data may also be processed if this is necessary for the responsible party to be able to exercise their rights, claim them or defend them against the party concerned. If there is an intention to process data subject to special protection, the Alares Data Protection Officer will be informed in advance.

5.7. User data and the Internet

Whenever personal data is collected, used or processed on the website or on integrated platforms, the parties concerned will be informed about this aspect in notices on data protection and, where appropriate, on cookies. The notices about the protection and processing of data on cookies must be integrated so that they are available continuously, and the party concerned can recognise them easily and access them immediately.

If the possibility of accessing personal data is offered in a restricted area (subject to registration) of web pages or Apps, the identification and authentication of the party concerned will be configured in such a way that an adequate level of protection of this access is achieved.

The transfer of personal data to recipients outside the Alares Group or to recipients within the Alares Group is subject to the legitimacy requirements for the processing of described personal data. The data recipient must agree to use them exclusively for the defined purposes.

In case of data transfer to a recipient outside the Alares Group with a headquarters in a third state, the recipient must guarantee a level of data protection appropriate to the terms of this guide and the regulatory framework of data protection of the Spanish State.

If data are transferred from third parties to Alares Group companies, it must be ensured they can be used legitimately for the intended use.

All parties concerned may enforce the rights specified below. The responsible body must immediately process the claim of rights, and the parties concerned should not be discriminated against in any way for asserting their rights.

1. The party concerned may require information on the personal data stored on them, about their origin and their intended use.

2. If personal data are transferred to third parties, the identity of the recipient or the categories of recipients will also be reported.

3. If the personal data are incorrect or incomplete, the party concerned may demand their correction or complementing.

4. The party concerned may oppose the processing of their personal data for the purpose of publicity, or within the framework of market and opinion studies. In this case, the data will be blocked to prevent them from being used for this purpose.

5. The party concerned has the right to demand that their data be deleted if the legal basis for processing the data has lapsed or expired. The same applies if the reason for the data processing has expired either for the time elapsed or for other reasons. The mandatory storage periods of certain documents and the legitimate rights that oppose the deletion or allow cancellation will be taken into account.

6. The party concerned has a basic right of opposition to the processing of their personal data, which will be taken into account whenever it is found that their interest in the protection of their personal data predominates because of their particular personal situation over the interest in the processing of the data. This right does not apply if there is a legal regulation that prescribes the data processing.

Personal data are subject to the principle of confidentiality. Employees are informed that the collection, processing and use of data cannot occur without knowledge or/and without authorisation. Any data processing carried out by an employee or third outside their role or without authorisation is considered illegal. Alares establishes supervisory procedures so that employees only have access to personal data when necessary and in the context of the need for their tasks or functions. Derived from the above, Alares performs an allocation and precise division of roles and privileges, as well as the implementation and updating within the framework of authorisation concepts.

Employees or third parties (in charge of processing) may not use personal data for specific or economic uses, deliver them to unauthorised third parties or allow third parties access in any other way. The superiors will inform their employees and present a specific commitment, at the beginning of an employment relationship, about the obligation to observe data confidentiality. This obligation will persist after the employment relationship ends.

Compliance with the data protection guidelines of this guide and current data protection laws is guaranteed through periodic audits and other checks. The fulfilment will be promoted by the Data Protection Officer of the Group, the Coordinator and Controller (by companies) of data protection and other departments of the each of the companies with control rights or authorised external auditors.

The results of the checks (situation checks, impact evaluation studies, audits, etc.) of data protection will be monitored by the DPO. They will transfer them and inform the Surveillance Committee of Alares about relevant results within the framework of the corresponding information obligations.

The results of the data protection checks shall be made available to the competent data protection authorities, if they should so request. The competent data protection authorities may also make their own checks of compliance with this rule in accordance with the authorisations contemplated in the legislation.

All Alares Group employees have the capacity and channels to inform their superiors, their Data Protection Coordinator or the Group Data Protection Officer about incidents or breaches of the recommendations, guidelines or directives of this data protection and processing guide. The coordinator (controller or valid spokesperson of each of the companies) shall generally inform the Data Protection Officer, and specifically in the following cases:

• Reception or illegal delivery of personal data to or by third parties,
• Unauthorised third-party access to personal data,
• Loss of personal data. In this scenario, the Data Controller or Data Protection Officer (management of incidents against information security) shall be informed as soon as possible to meet the legal obligations concerning the reporting of these kinds of incidents.

The Data Protection Officer (DPO) of the Group is an external, independent figure who ensures compliance with national data protection requirements. They are responsible for the guidelines or directives related to data protection and processing, and ensure their fulfilment.

The Group Data Protection Officer is appointed by the Surveillance Committee of the Alares Group. Group companies obliged to do so also appoint the Group Officer as their formal data protection and processing controller. Specific exceptions to this rule should be agreed with the Group DPO. The Coordinator and Data Protection Controllers diligently inform the Group DPO about risks of data protection and processing in specific processing areas of the company to the person representing them as a valid spokesperson.

Any party concerned may at any time address the DPO, Coordinator and Controllers (of each of the companies) responsible for data protection to make suggestions, process inquiries, request information or submit complaints in relation to the protection of personal data and the security of such data. If the party concerned so wishes, the Coordinator and the Officer process these queries and complaints confidentially.

The Group Companies Controllers must take into consideration the decisions of the Group Officer in relation to incidents or breaches of the data protection regulations. The Data Protection Officer of the Alares Group will always be informed of queries from authorities. The Data Protection Officer of the Group and their collaborators are available according to the information provided.