Dimune’s Privacy Policy

By virtue of the Constitution of the Republic of Ecuador, considering the fundamental right to  the protection of data and the right to privacy with respect to the processing of personal data, DIMUNE S.A. has developed this Personal Data Protection Privacy Policy (the “Policy”) to identify and describe the levels of protection for any personal data when this is collected, analyzed, processed, communicated, transferred, updated, filed, kept, changed or erased, in strict compliance with the principles, rights and obligations set forth in the regulations. The purpose of this Policy is to comply with the legal provisions of Ecuador, in particular with the Organic Law for Personal Data Protection published in Official Gazette Supplement 459 on May 26, 2021, which establishes the general provisions that govern the subject matter (the “Data Protection Law”).

DIMUNE S.A. is committed to processing data in a lawful, transparent, timely manner and limited to what is necessary in relation to the relevant purposes.

DIMUNE S.A., in its capacity as the data controller, has its registered address in the province of Pichincha, city of Quito, at Av. Francisco de Orellana and 6 de Diciembre, Alisal de Orellana building, Office 1101.

“Data Protection Law”: The Organic Law for Personal Data Protection published in Official Gazette Supplement 459 on May 26, 2021.

“Data Controller”: DIMUNE S.A., who determines the purpose and means of the processing of personal data.

“Data Subject”: A natural person whose data is subject to processing.

“Data Processor”: The Data Processor (where applicable) or the Data Controller identified / appointed by DIMUNE S.A. and who acts under its instructions.

“Processing Activity”: Any operation or set of operations which is performed on Personal Data or sets of Personal Data.

“Personal Data Breach”: A breach of Personal Data (security breach) such as destruction, loss, or accidental or illegal alteration of the information.

“Personal Data”: Data that identifies or makes identifiable a natural person, directly or indirectly.

“Credit Data”: Data about the financial behavior of natural persons, to analyze their financial standing.

“Sensitive Data”: Data concerning ethnic origin, gender identity, cultural identity, religion, ideology, political affiliation, criminal record, immigration status, sexual orientation, health, biometric data, genetic data, and those where improper processing may give rise to discrimination or threaten or may threaten fundamental rights and freedoms.

“Business Partner”: Any natural or legal person, public authority, agency or other entity which has a business relationship with DIMUNE S.A.

“Service Provider” or “Data Processor”: Any natural or legal person, public authority, agency or other institution which provides its services to DIMUNE S.A. in connection with the processing of personal data.

“Client”: Any person, whether natural or legal, which obtains the provision of a service from DIMUNE S.A.

“Candidate”: A natural person who sends their CV, whether directly or through a third party, and other data relating to their profession or trade for consideration in selection processes managed by DIMUNE S.A.

“Employee”: A natural person who provides a service to DIMUNE S.A. under an employment contract.

DIMUNE S.A. makes the policy on the processing of personal data collected in the provision of services and/or products offered by DIMUNE S.A. available to partners, directors, employees, collaborators, business partners, providers, visitors, clients and prospects. This is to communicate the purpose of collecting data, the processing, as well as the rights of the data subjects and the procedures that DIMUNE S.A. implements for the exercise of the rights.

The personal data processed by DIMUNE S.A. may come from the following sources and be of the following types:

TYPES

Data provided by the Data Subject: The rights holder provides identifying data (name, surname, ID card number, telephone number, email address, city, etc.).

Data generated by a Contract: The personal data of the data subject is obtained according to the development, maintenance or start of the relationship between the data subject and DIMUNE S.A.

Inferred Data: DIMUNE S.A. collects personal data by means of profiling with the prior consent of the data subject.

Data from Third Parties: Third parties may belong to the public or private sector, and the data may be from public information or publicly accessible sources (data from public records, newspapers and official journals, telephone directories, lists of members of professional groups, credit information systems, social networks, etc.).

SOURCES

Users, Website and Social Networks:

– Through forms on DIMUNE’s website, and through social networks.
– Through the automatic storage of data of users who access DIMUNE’s website by the use of cookies.
– Through links and hyperlinks that take users to the websites of our partners.

Other technological means and other:

– By the exchange of emails.
– By telephone calls.
– By event forms of DIMUNE S.A.
– By sales invoices.
– By WhatsApp.
– By the use of CRM.
– By offers and service proposals.
– By transmission or transfer on the part of strategic partners.

a) LINKS AND WEBSITE:

DIMUNE S.A. will provide its privacy policy and legal notice on its website, and those who contact DIMUNE S.A. via the website agree to comply with the policies of DIMUNE S.A.

We receive and store any information that you knowingly provide to us by completing any form on the website or with us. When necessary, this information may include:

– Contact information (name, surname, email, telephone number, country and city).
– Application information (name, surname, email, telephone number and CV).
– Newsletter subscription information (name, surname, email, telephone number, country and city).
– Form for exercising personal data rights.

You may choose not to provide your personal data to us; as a result, it is possible that you may not benefit from some of the services that we offer.

Data of Job Candidates. For example, contact details, CV information, employment history, work references, information about training, knowledge, among others.

Personal Data of Potential Clients. This includes basic data (for example, name, surname, address, city, telephone number, email address, nationality, date of birth, passport, sector, written or electronic signature, voice from telephone call recordings, image from ID document).

Personal Data of Clients. This includes basic data (for example, name, surname, address, city, main street, neighborhood, telephone number, email address, nationality, credit information, main occupation, profession, written or electronic signature, voice from telephone call recordings, image, company/place of work, current position, employment relationship, work address, city, main street, neighborhood, income, assets, net worth. In specific cases, the following data may be collected: dependents, name of spouse, ID number of spouse, spouse’s place of work, position, address, telephone number, bank references, personal references).

Personal Data of Employees. Personal data of DIMUNE’s employees, basic data such as name, telephone number, date of birth, email address. Special data such as image, credit data and health data.

Personal Data of Providers/Business Partners. Data of individuals or members of staff of providers. For example, contact details, information contained in emails and other business communications, bank account information; data about procured products and services, characteristics of the procured products and services, contracts, invoicing, enquiries, requests and claims made, among others.

Personal Data of Website Users. For example, IP address, location information, log file data, contact details. User data and password for registration and access to Apps or web platforms of DIMUNE S.A.

a) SENSITIVE DATA

In the case of sensitive data, the data subject will have the power to give explicit authorization for the processing of said data. In the event of receiving sensitive data, DIMUNE S.A. guarantees that it will maintain the security and confidentiality of the data.
Image, physical appearance, voice.

– Data concerning criminal record and biometric data.
– Data concerning health will be processed with the duty of confidentiality and medical confidentiality as determined by the applicable law.
– Data of minors.
– Data of disabled people.

The collected data will be stored and/or processed in the servers in a data center, whether DIMUNE’s own or contracted with third parties and/or providers, located within or outside the country, which meet the characteristics of a safe harbour and which guarantee all security measures for information available in physical and/or digital means directly at the offices of DIMUNE S.A. and/or at the facilities of third parties and/or providers, and for the storage of personal data and special data duly authorized by the data subjects.

The following principles will govern the processing of personal data at DIMUNE S.A. from collection:

PRINCIPLES

– Principle of Legality: The personal data must be processed in strict accordance and compliance with the principles, rights and obligations established in the Constitution of Ecuador, international instruments, the Law and Regulations thereto, and other applicable regulations and case law.

– Principle of Fairness: The processing of personal data must be fair. Therefore, it must be clear to the data subjects that personal data concerning them is being collected, used, consulted or otherwise processed, as well as the forms in which such data is or will be processed. In no case can personal data be processed by unlawful or unfair means or for unlawful or unfair purposes.

– Principle of Transparency: The processing of personal data must be transparent. Therefore, any information or communication relating to this processing must be easily accessible and easy to understand and must use clear and plain language. The relationships derived from the processing of personal data must also be transparent.

– Principle of Purpose: The purposes of processing must be determined, explicit, legitimate and communicated to the data subject; personal data cannot be processed for purposes other than those for which it was collected, unless new processing is allowed on one of the grounds in accordance with the bases for lawful processing indicated in the law. The processing of personal data for purposes other than those for which it was initially collected must only be permitted when it is compatible with the purposes of the initial collection. To this end, it is necessary to consider the context in which the data was collected, the information provided to the data subject in that process, and in particular the reasonable expectations of the data subject based on their relationship with the controller as to later use of the data, the nature of the personal data, the consequences of the intended further processing for data subjects, and the existence of appropriate safeguards in both the original and intended further processing operations.

– Principle of Relevance and Minimization of Personal Data: The personal data must be relevant and limited to the extent strictly necessary to achieve the purpose of the processing.

– Principle of Proportionality of Processing. The processing must be appropriate, necessary, timely, relevant and not excessive in relation to the purposes for which the data has been collected or the very nature of the special categories of data.

– Principle of Confidentiality: The processing of personal data must be devised on the basis of due confidentiality and secrecy, that is, data must not be processed or communicated for a purpose other than the purpose for which it was collected, unless new processing is allowed on one of the grounds in accordance with the bases for lawful processing indicated in the law. To this end, the controller must take the technical and organizational measures to comply with this principle.

– Principle of Quality and Accuracy: The personal data that is subject to processing must be accurate, unabridged, precise, complete, ascertainable, clear and, where necessary, kept duly up to date, so that its veracity is not altered. All reasonable measures will be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. In the case of processing by a processor, the quality and accuracy will be the obligation of the controller of personal data.

– Principle of Storage: The personal data will be stored for no longer than is necessary to achieve the purpose for which the data is processed. To guarantee that the personal data is not stored for longer than necessary, the controller will establish timeframes for its erasure or periodic review. Extended storage of processed personal data will only be carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, provided that timely and necessary personal data security and protection guarantees are established to safeguard the rights set forth in this Policy.

– Principle of Personal Data Security: The controllers and processors of personal data must implement all appropriate and necessary security measures, understood to be those accepted as the state of the art, whether these are organizational, technical or of any other kind, to protect the personal data from any risk, threat or vulnerability, in line with the nature of the personal data, the scope and context.

– Principle of Demonstrated and Proactive Accountability: The controller of personal data must demonstrate that it has implemented personal data protection mechanisms, that is, compliance with the principles, rights and obligations established in the Law. For this purpose, in addition to the provisions of applicable regulations, it can make use of standards, best practices, co- and self-regulation schemes, protection codes, certification systems, data protection seals or any other mechanism that is deemed appropriate for the purposes, the nature of the personal data or the risk of the processing. The controller of personal data is obliged to account for the processing to the data subject and to the Personal Data Protection Authority. The controller of personal data must evaluate and review the mechanisms it adopts to comply with the principle of accountability in a continuous and ongoing manner, for the purpose of improving its level of efficacy as regards the application of the Law.

– Principle of Application in Favor of the data subject: In case of doubt regarding the scope of the legal or contractual provisions applicable to personal data protection, the judicial and administrative officers will interpret and apply the provisions in the sense most favorable to the data subject.

PROVISIONS

The DIMUNE’s employees who process personal data must verify that they comply with security standards and have proper consent for the processing of personal data. They will also be governed by the following provisions:

1. Any client, employee or provider who provides false data will be permanently excluded from our network; additionally, DIMUNE S.A. reserves the right to take the legal or out-of-court measures that are warranted.

2. Only data that is necessary in the course of business will be collected, and provided that the data subject has given their prior, express and informed consent. This is with the exception of the cases in which the applicable rules allow data processing without requiring authorization.

3. The data subjects must clearly understand the purposes for which they authorize the provision of their data. Authorizations for the processing of data will contain the purposes and will be granted by means of the signing of contracts, privacy notices, informed consent, among others. In any case, these will include both the authorization and the purposes of the personal data processing. We can use any mechanism indistinctly to formalize the user’s willingness to share their personal data and to use it. These mechanisms will comply with the minimum legal requirements and the compliance standards of the company.

Strict security and confidentiality measures will be used in the receipt of personal data and sensitive personal data. The company and its employees are committed to maintaining the confidentiality of any kind of personal data and to not disclosing any personal data to unauthorized third parties (both from DIMUNE S.A. and externally).

Purposes of processing data with business partners as strategic partners to provide services:

– Sufficiently evaluate the provider for the purpose of guaranteeing an adequate level for the processing of data required to provide a service.

– Evaluate the quality and performance of the provider in compliance with its duties.

– Document and provide instruction about the appropriate processing of shared data assets.

– Comply with the standard on relationships with providers.

– Provide the data collected from the providers to regulatory and supervisory authorities, police, and court and/or administrative authorities by reason of a legal requirement.

– Transfer and communicate the personal data to countries that meet adequate levels of data protection, according to security standards.

– Evaluate technical and organizational mechanisms of the provider for the protection of personal data.

Purposes of processing personal data of clients and potential clients:

– Process and use the personal data provided by clients or prospects, whether in physical or electronic form, by means of contracts, quotes, websites, applications, among others; to send them information about the product and/or service acquired or desired to the registered email addresses or contact numbers.

– Use the information received and/or collected to market products and/or services with strategic partners with which DIMUNE S.A. has a business relationship.

– Provide the collected data to the regulatory and supervisory authorities, police, and court and/or administrative authorities by reason of a legal requirement and/or use or disclose this data.

– Contact by telephone, email and/or digital means to carry out surveys, studies and/or confirmation of personal data which is necessary for the execution of a contractual relationship.

– Contact the data subject by email to send account statements or invoices in connection with the obligations under a contract between the parties.

– Process and use personal data to offer services and respond to requests through automated systems that improve the quality of service. In addition, the client or potential client may be subject to analysis and profiling questions to cater to their specific interests.

– Allow control bodies to access data to carry out internal or external audits.

– Keep the data subjects’ data up to date.

– Use personal data to exchange information, communications, requests, approvals and/or any other kind of expression of will.

– Collect identifying data to respond to requests and queries from the client when the user has contacted DIMUNE S.A. through social networks.

– Personal data of clients will be processed for the purpose of sending information concerning the ordinary course of business, advertising, legal newsletter, training and webinar notifications, and information that may be of interest to the client.

– Personal data of clients may be used in order that they be contacted later by a given third party to evaluate their satisfaction with the services and to rate the services.

– The data will be used to contact people who request and authorize this in order to respond to their requests.

– Respond to requests for information, assistance or services.

– Respond to complaints, claims and requests by users, including the power to contact them to appropriately process the request and respond satisfactorily.

– Regarding processing through digital channels and the website, data can be collected, processed and stored in order to handle the procurement of services, manage applications to the company, advise and provide support to users and/or clients, and provide notifications and general information about legal situations and our services through the newsletter which can be subscribed to.

– Give notice of changes to this Privacy Policy.

– Comply with legally established obligations and verify compliance with contractual obligations.

Purposes of processing data of employees and candidates:

– Record and process the information of applicants in a selection process or for future processes.

– Contact candidates for recruitment to a given position or future selection processes if interested.

– Verify the veracity and authenticity of the information provided in the person’s CV with the institutions that the person has studied at and been employed at.

– Share data with providers and partners for new employee medical checks and other activities as part of the selection process.

– Fulfill the employment obligations of DIMUNE S.A. in its capacity as an employer, as established in employment legislation, the employment contract, the Internal Work Regulations and Corporate Policies.

– Carry out activities inherent in the employment relationship and the ordinary course of business of DIMUNE S.A.

– Carry out control, follow-up, monitoring, supervision and, in general, facilitate the security of the facilities, assets and employees of the company.

– Any other purpose that is necessary to perform the corporate purpose and business activity of DIMUNE S.A.

– Inform the employee of any change to the contractual relationship. Evaluate the quality and performance of the employee in accordance with their duties under the employment contract.

– Provide information to the control bodies for internal and external audits, as required.

– Assign work tools for the performance of their duties (creation of corporate email accounts, mobile phones for contacting clients, signing confidentiality and non-disclosure agreements, signing the manual on appropriate data processing, appropriate use of devices provided, among others).

– Check personal references and work references during the hiring process.

– Process information of relatives for benefits and, in case of emergency, to contact family members.

In addition to the above, DIMUNE S.A. can process personal data in other ways in accordance with the legal bases that authorize it to do so and for which the data subject will receive the necessary information in relation to such processing, and DIMUNE S.A. will request the data subject’s consent if this is necessary.

In compliance with the legal framework for the protection of personal data, DIMUNE S.A. states that it will use adequate and sufficient mechanisms to obtain the authorization and prior, free, specific, informed and unequivocal consent of the data subject through different forms, the website or in any other format that guarantees subsequent consultation, for the processing of personal data in the applicable database of DIMUNE S.A.

The data subject is clearly, fully and expressly informed of the processing that their personal data will be subject to, as well as the optional nature of providing sensitive data and their rights as a data subject, as well as the identification and the address or email address of the data controller.

DIMUNE S.A., as the data controller, will keep evidence of the authorization given by the data subjects or, otherwise, the legal basis for the processing carried out.

The data subject will have the power to withdraw consent at any time, without retroactive effect, that was previously given to authorize the processing of their data for a given purpose

DIMUNE S.A. will not sell, exchange, lease or share the personal data of the data subject except in the forms established in this Policy.

DIMUNE S.A. will share information with service providers or with the companies with whom it has a partnership, which contribute to improving or facilitating operations. DIMUNE S.A. will ensure that standards of protection are met, by means of signing contracts or agreements whose purpose is the privacy and confidentiality of the personal data of the data subject.

The data subject will have the power to accept that DIMUNE S.A. discloses or shares personal data with third parties that are service providers or companies that are partners, affiliated or related to DIMUNE S.A.

DIMUNE S.A. will cooperate with the authorities with which it must act to guarantee compliance with the Law. DIMUNE S.A. will collaborate with the competent authorities in order to safeguard the integrity and security of the community and of its data subjects. However, DIMUNE S.A. may disclose the personal data to the authorities or third parties without the data subject’s consent due to court orders, when this is permitted by law, or for the prevention of money laundering or the financing of terrorism.

By means of the data subject’s authorization, DIMUNE S.A. will be authorized to transfer personal data in whole or in part to any of the controlled companies, parent companies and/or related companies of DIMUNE S.A., on any basis and at the time and in the manner and conditions it deems appropriate. DIMUNE S.A. will guarantee the privacy and security of the data.

The personal data of the data subjects will be stored for the time necessary to achieve the indicated purposes. When DIMUNE S.A. no longer needs to use the personal data to achieve the purposes for which the data was collected, or to meet contractual or legal obligations, the personal data will be erased from the system and records. DIMUNE S.A. will take the necessary measures to anonymize the personal data so that the data subject is no longer identifiable.

When a processing activity, and specifically the implementation of a new technology or information system, will likely result in the processing of personal data and an elevated risk to individual rights and freedoms—having particular regard to the nature, scope, context and purpose of the proposed processing activity—an impact assessment will be conducted on the protection of data before the processing activity is implemented.

DIMUNE S.A. will comply with all technical and organizational measures applicable in security measures for the protection of personal data. Industry standards for the protection of data confidentiality will be used, including, in other measures: layered protection schemes, firewall, network segmentation, access control to servers and services, endpoint detection and response system, cloud backup and encryption of hard drives. DIMUNE S.A. considers the personal data of the data subjectto be an asset which must be protected from any loss or unauthorized access. To that end, DIMUNE S.A. uses various security techniques to protect such data from unauthorized access by holders of the data within or outside the company.

The information within DIMUNE S.A. can only be accessed by those teams or employees who need to know the information. DIMUNE S.A. ensures that it implements the rights and management policies within the company, and it takes all necessary measures to guarantee that employees, advisors and service providers keep the files confidential.

DIMUNE S.A. is not responsible for illegal interception or breach of its systems or databases by unauthorized persons.

Right of Access: The data subject can check their personal data that is being processed by DIMUNE S.A.. The data subject has the right to know and obtain from the controller, free of charge, access to all their personal data and information without having to present any justification. The controller of personal data must establish reasonable methods which allow the exercise of this right, which must be addressed within a period of fifteen (15) days.

Right to Rectification and Updating: The data subject has the right to obtain from the controller the rectification and updating of their inaccurate or incomplete personal data. To do this, the data subject must present the justifications whenever it is relevant. The controller must deal with the request within a period of fifteen (15) days and in this same period it must inform the recipient of the data, if relevant, about the rectification so that the recipient updates it.

Right to Erasure: The data subject has the right to have the controller erase their personal data when: 1) The processing does not comply with the principles established in the law; 2) The processing is not necessary or relevant for the purpose; 3) The personal data has achieved the purpose for which it was collected or processed; 4) The period for keeping the personal data has expired; 5) The processing affects fundamental rights or individual freedoms; 6) The data subject revokes the consent given, or indicates not having given it for one or more specific purposes, without having to have any justification; or 7) There is a legal obligation. The controller of personal data will implement methods and techniques to eliminate, make illegible or render unrecognizable, definitively and safely, the personal data. This obligation must be met within the period of fifteen (15) days from receipt of the data subject’s request and will be free of charge.

Right to Object: The data subject has the right to object to or deny the processing of their personal data in the following cases: 1) it does not affect the fundamental rights and freedoms of third parties, the law permits it, and it does not concern public information, or public interest or processing ordered by law. 2) The processing of personal data is for the purpose of direct marketing; the data subject will have the right to object at any time to the processing of personal data which concerns them, including profiling, in which case the personal data will no longer be processed for these purposes. 3) When the data subject’s consent for the processing is not necessary as a result of a legitimate interest, and it is justified by a particular personal situation of the data subject, provided a law does not state otherwise. The controller will no longer process the personal data in these cases, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of claims. This request must be dealt with within the period of fifteen (15) days.

Right to Portability: The data subject has the right to receive their personal data from the controller in a compatible, up to date, structured, commonly used, interoperable and machine-readable format, preserving its characteristics; or to transmit it to other controllers. The data subject may request the controller to transfer or communicate their personal data to another controller where technically feasible and the controller cannot claim any impediment to slow down the access, transmission or re-utilization of data by the data subject or by another controller. When the transfer of data has been completed, the controller who makes the transfer will erase it unless the data subject stipulates its storage.

Right to the Suspension of Processing: The data subject will have the right to obtain from the controller the suspension of processing of the data when any of the following conditions are met: 1) When the data subject contests the accuracy of the personal data, while the controller verifies the accuracy of the data. 2) The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead; 3) The controller no longer needs the personal data for the purposes of the processing, but the data subject needs the personal data for the establishment, exercise or defense of claims; 4) When the data subject has objected to processing, while it is verified whether the legitimate grounds of the controller override those of the data subject. When the data subject contests the accuracy of the personal data, the controller, while verifying the accuracy, must show in the same database containing the contested data that it has been challenged by the data subject. The controller may process the personal data which has been subject to the exercise of this right by the data subject only in the following cases: for the establishment, exercise or defense of claims; in order to protect the rights of another natural or legal person; or for reasons of important public interest.

Right Not to be Subject to a Decision Based Solely or Partly on Automated Assessments: The data subject has the right not to be subject to a decision based solely or partly on assessments which are the product of automated processes, including profiling, which produces legal effects concerning them or which threaten their fundamental rights and freedoms.

The data subject may take any of the actions described above by contacting DIMUNE S.A. at the following email address: asistentegerencia@dimune.com

All requests to exercise personal data rights must be sent to the department in charge of data protection at DIMUNE S.A. with the subject line – Personal Data Protection.

The data subject can exercise their personal data rights at any time, and DIMUNE S.A. must respond to the request within a maximum of fifteen (15) days from the date it receives the request. DIMUNE S.A. can ask the data subject for a clarification of, or further details about, the information in the request within five (5) days of receiving the request. As a result, the data subject will have ten (10) days from the day after receiving the notification to clarify or complete the request.

If the data subject clarifies or completes the request within the period provided, DIMUNE S.A. will respond to the request in the corresponding timeframe. An unsuccessful request can be archived with a notification stating the reasons sent to the data subject. This does not prevent the data subject from submitting a new request.

Data subjects can, at any time, rectify, know and update their data, among others, in the face of partial, inaccurate, incomplete, fragmented or misleading data, or data the processing of which is specifically prohibited or has not been authorized. Moreover, the data subject or their representative can request the correction or updating of their data.

The request will be made in writing and will include the following information:

i) Identification of the data subject or the representative (full name, ID or passport number, and address or email address for notifications). The details of the person being represented will also be included.

ii) A clear and precise description of the personal data in respect of which the person wishes to exercise any of the rights, and any detail that helps the personal data to be found at the institution the data was provided to.

iii) A clear and precise explanation of the request.

iv) Identification of the right or rights the person wishes to exercise.

v) Documents that prove the person’s identity and legal representation.

DIMUNE S.A. may amend this Policy and/or emailing practices. If DIMUNE S.A. amends this Policy, it will notify the data subject by publishing an updated version of the Policy in this section or by sending an email or giving notice on the main page or other sections to keep the data subject up to date with the changes made. The data subject must decide whether or not to accept the changes to the Policy. If the data subject does not accept the new terms and conditions of the Policy, the link between the data subject and DIMUNE S.A. will be dissolved and the data subject’s personal data will not be used other than for the purpose stated at the time it was obtained.

If the data subject has any concerns about the processing of their personal data, they can contact DIMUNE S.A. at the following email address: asistentegerencia@dimune.com. The response time to any request will be 15 business days from the day on which the request was received, in accordance with the Organic Law for Personal Data Protection.

This Policy will come into effect as of December 2025. Personal data that has been stored, used or transmitted will be kept in DIMUNE’s databases for the time required to fulfill the purposes set forth in this document or for the company to fulfill its legal obligations.

However, the information will be reviewed each year to check the accuracy of the data and the purpose of continuing the processing.