First layer

Basic information

Information on the processing of personal data

through internal information channels

Basic data protection information

 Controller

Lío Group entities

For more information, see "Additional information".

Purpose

Receipt, recording, evaluation and processing of the information reported.

Investigation and adoption of measures that may be necessary according to the information communicated.

Communication of the reported information to the competent authorities.

Legal basis

Compliance with legal obligations

Recipients

Only if necessary, other entities of the Lío Group may be involved.

Only if necessary, public authorities or State Security Forces and Corps.

Rights

You may exercise your rights of access, rectification, deletion or opposition, among others, as indicated in the "Additional Information".

Additional information

More information can be found in the "Privacy Notice: Information on the processing of personal data through internal information channels" indicated below.

 

Second layer

Privacy Notice

Information on the processing of personal data

through internal information channels

Introduction

Galaxia Estelar ("Lío") is committed to guaranteeing compliance with applicable regulations and the highest standards of professional ethics by all the people in its activity. For this reason, Lío has established a series of mechanisms that allow people interact with Lío and with the different entities of the Lío Group to safely report irregular practices or behaviors that could infringe applicable legislation.

These mechanisms are included in the Internal Reporting System, implemented by the Lío Group entities for this purpose, and seek to ensure that informants, their identity, and the information provided are protected at all times concerning the consequences that may arise from their communication.

For more information on the Internal Information System, the Procedure for processing information, or the different channels for communicating information, please contact compliance@liogroup.com.

This Privacy Notice details how the different entities of Grupo Lío will process your personal data in the operation of the Internal Information System.

Who processes your personal data?

We are part of a group of undertakings, the Lío Group. In general, each entity that makes up the Lío Group is the controller of personal data in the Internal Information System concerning the behavior that takes place within its organization. You can obtain information about the entities that make up our group of undertakings in the following link.

In case you need it, the details of the parent entity of the Lío Group, Galaxia Estelar S.L., are as follows:

• Address: C/ Canarias 35, Torre 4, Pta 4ª, Edif. Cetis, 07800, Ibiza, Islas Baleares, España

• Email for data protection: lopd@liogroup.com

We have appointed a data protection officer ("DPO"). If you wish to contact our DPO directly, you may use the contact details below:

• Address: C/ Canarias 35, Torre 4, Pta 4ª, Edif. Cetis, 07800, Ibiza, Islas Baleares, España.

• Email: dpo@liogroup.com

What kind of personal data do we process?

The personal data we collect and process about you depends on your use of the Internal Information System, your choices, and, where applicable, information that others may provide about you or your behaviors through various channels. It may include:

• If you use the channels to report someone’s behavior, the personal data would include the data you decide to provide through the enabled channels, such as your identity or your personal or professional characteristics, or aspects related to how you became aware of the reported behavior.

• In the case someone reports a behavior that concerns you, the personal data would include those data that third parties may provide about you, such as your identity or professional characteristics that they know about you, are related to the reported behavior and are relevant to assess its conduction and the adoption of measures.

Please note that all data included in the Internal Information System are subject to particular duties of privacy, confidentiality, and security, especially with regard to the identity of the persons reporting. Thus, even if you include information concerning your identity when reporting behaviors, your identity will remain confidential and will only be known to certain persons to the extent necessary to manage the System and process the information. In addition, you should know that you can provide information through the System entirely anonymously.

For what purposes do we process your personal data?

We will collect and process your personal data according to the legal grounds mentioned below and for the following purposes:

Receiving, recording, evaluating, and processing information communicated, including the implementation and management of the Internal Information System and the channels through which communications are received. We process your personal data for this purpose because we have the legal obligation to do so, imposed by the regulations for the protection of the persons who report breaches of applicable laws.

Investigation and adoption of measures that may be necessary based on the information reported, which may involve disciplinary, contractual, or legal actions. We process personal data for this purpose because, in some instances, we have a legal obligation to do so under applicable mandatory regulations and, in other cases, because we believe we have a legitimate interest in acting against irregular behaviors that may breach of applicable law. You can obtain further information about our balancing of legitimate interests in this respect by contacting us or our data protection officer using the contact details set out in this Legal Notice.

Communication of information to the competent authorities when we have an obligation to communicate the reported behavior. This may include communication to the State Security Forces and Corps, members of the Public Prosecutor's Office, judges and courts, or administrative authorities. We process personal data for this purpose because we have a legal obligation to report or communicate to the authorities irregular behavior of which we become aware based on various mandatory regulations (e.g., reporting of criminal offenses).

Do we share your personal data?

In order to fulfill some of the purposes described above, such as taking appropriate action against reported behavior, we may need to disclose your personal data to entities within our group of enterprises. This is because particular entrepreneurial and organizational functions are centralized in certain entities of our group. You can find more information about the entities that make up our group of enterprises at the link provided at the beginning of this Privacy Notice.

In case it is necessary for the adoption of appropriate measures against the reported behavior, specific data may be communicated to the competent authorities, such as the State Security Forces and Corps, members of the Public Prosecutor's Office, judges and courts, or administrative authorities. In any case, these communications will be made within the channels provided by law and under obligations of reserve and confidentiality.

On certain occasions, it may be necessary for us to communicate your personal data to third parties that support us in developing this activity with their services, such as technological and security service providers. They will process your personal data as processors, following our instructions, under specific contractual terms and subject to specific obligations of confidentiality and reserve and to the applicable data protection regulations.

Do we transfer your personal data abroad?

Your data will, remain within the European Economic Area. In this way, your data will maintain the protection standard afforded to them by the European data protection regulations.

What are your rights when you provide us with your data?

In accordance with the provisions of applicable data protection laws and regulations, you may exercise your rights of access, rectification, erasure, objection, and limitation of processing at any time.

You can exercise your rights simply by contacting us or our data protection officer using the contact details provided above. Please note that in case we do not have enough information to identify you and proceed with your request, we may need to ask you for further information.

You also have the right to lodge a complaint with the relevant data protection authority should you consider it necessary. In Spain, the supervisory authority is the Spanish Data Protection Agency.

How long will we process your data?

We will store your data for the time necessary to decide on the processing of the information provided. When it is not necessary to process a specific piece of information; when it is proven that the information is not required, relevant, or truthful; or, in any case, within a maximum period of three months, we will delete or anonymize its content immediately.

When it is necessary to process specific information, we will process the data for as long as needed for the investigation and the adoption of the corresponding measures, as the case may be. With respect to such information that has been processed, please note that we will also keep your personal data blocked for the period for which liability may arise from the processing.

Considerations regarding personal data about third parties.

By providing information to us through a channel, you may communicate personal data related to third parties. In such cases, you acknowledge and declare that the personal data you provide to us is true, accurate, and up to date at the time of provision.