The company Arestalfer S.A., for the purposes of compliance with the legal regime for the protection of whistleblowers, processes the personal data of whistleblowers and, in general, of all persons who use the whistleblowing channels or who, in any way, are involved in the whistleblower protection system, in accordance with the applicable standards in the field of data protection or information security, in particular, the General Data Protection Regulation and the Implementing Act of the General Data Protection Regulation, and the data processing is performed in the following parameters:

1. Responsible for processing: company (hereinafter referred to as company), with Tax ID No. PT503 648 825, with registered office at Rua do Arestal, nº32, 3740-418 Sever do Vouga, Phone: (+351) 234 591 000, E-mail: geral@arestalfer.com com and website: www.arestalfer.com.

2. Contacts for the Data Protection Officer: the Data Protection Officer has a specific email for the purposes of personal data protection, and the Data Protection Officer is available at dpo@arestalfer.com.

3. Categories of data subjects: whistleblowers and, in general, any and all persons who use the whistleblowing channels or are otherwise involved in the whistleblower protection system, including, also, the data subjects.

4. Personal data to be processed: where the individual chooses to identify him or herself, the personal data processed are general whistleblower identification data (name) and contact data (residence, telephone and email), and other data may be processed depending on the specific procedures for following up complaints, such as voice in the case of recording messages or telephone communications, where such processing is deemed necessary, proportionate and appropriate for such follow-up.

5. Context and purpose of processing: the personal data of the data subjects will be processed solely for the purpose of receiving and following up the complaints lodged, and of carrying out any technical or organisational measures necessary to protect the complainants or persons concerned.

6. Legal basis: depending on the specific situation, data processing is based on the data subject's express consent, on compliance with legal obligations, or on the pursuit of legitimate interests, the basis being specified for each of the activities carried out.

7. Consequences of not providing the data: in addition to the possibility of submitting anonymous complaints, where the basis of the legitimacy of data processing is consent, the data subject is not obliged to allow the processing of personal data, whereby, by not consenting, or subsequently withdrawing the consent previously given, the same shall not be processed, and, in the latter case, after the request, the personal data in question shall be deleted, or the use thereof shall be cancelled for ancillary purposes, depending on the express will of the data subject, without affecting, however, the legality of the operations carried out in the meantime up to the date of the withdrawal of consent.

8. Recipients: the controller performs the processing itself (through professionals subject to the obligation of professional secrecy) or on its behalf, through accredited subcontractors for the provision of services selected by it and bound by strict technical and organizational measures adjusted to the protection of personal data.

9. Security measures: technical and organizational security measures are in place that are deemed appropriate to ensure a level of data processing security appropriate to the risk.

10. Data collection location: data is collected by technicians designated by the controller, using paper or digital forms, whereby the privacy or confidentiality of data collection, data integrity, quality and accuracy are guaranteed.

11. Storage period: without prejudice to exceptional situations of extension of the storage period provided by law or deemed necessary for the defense of rights or legitimate interests, as well as situations of withdrawal of consent, deletion, opposition or limitation of processing, which produce immediate effects without affecting, however, the legality of the operations carried out in the meantime, the personal data processed are stored by default for a period of five years, after which they will be deleted, and may be deleted before this storage period if they are not deemed necessary for the follow-up of the complaints made.

12. Communication of data and confidentiality: except in situations where data communication is legally obligatory, there are no data communication operations. Personal data is not communicated to third parties and the identity of the whistleblower, as well as any information that directly or indirectly allows the identity of the whistleblower to be deduced, is qualified as confidential and access is restricted to the persons responsible for receiving or following up complaints.

13. Interconnection of data and automated decisions: no interconnection of personal data is performed.

14. International transfers of personal data: no transfer of personal data of whistleblowers to a third country or an international organization outside the European Union takes place.

15. Processing and media: personal data is collected by a technician from the controller, and is subject to multiple non-automated and automated processing and being incorporated into various types of analog or digital media deemed necessary to achieve the purposes of the activities, and is always treated confidentially.

16. Rights of the data subject: in addition to the possibility of anonymous reporting or withdrawal of consent, the data subject has the right to request the controller to access, rectify or delete their personal data, as well as to limit or oppose processing and data portability, under the conditions provided by law.

17. Right to complain to the supervisory authority: the data subject may always exercise, if he or she deems it necessary, the right to complain to the National Data Protection Commission (www.cnpd.pt).

18. Address for exercising rights: to request any information, present complaints or request the exercise of rights, please contact dpo@arestalfer.com.

19. Data Protection Policy: personal data processing operations are carried out in accordance with the General Data Protection Policy which is available at www.arestalfer.com.