Information Sheet on the Processing of Applicants Data

Selection and Recruitment Procedures

The Companies of the SODECIA Group process the personal data of candidates in human resources selection and recruitment procedures, in accordance with the applicable data protection or information security rules in the employment context, namely the Labor Law, the General Data Protection Regulation and the Personal Data Protection Act, and the data processing is carried out within the following parameters:

1. Data officer: SODECIA Group companies, represented by Sodecia – Participações Sociais, SGPS, SA (hereinafter referred to as Sodecia), with the Tax Number PT503437786, with registered office at Rua António Bessa Leite, 1430, 4º – 4150-074 Porto, Portugal, telephone (+351) 220101900 and email sodecia@sodecia.com.

2. Contact of the Data Protection Officer: the data controller has a specific email address for personal data protection purposes, and the Data Protection Officer is available at dpo@sodecia.com.

3. Categories of data subjects: applicants for human resources selection and recruitment procedures for SODECIA.

4. Personal data to be processed: general categories of data such as identification data (name, marital status, civil, tax, social security and health user identification numbers, age, date of birth, place of birth), qualification data (academic, technical, professional), contact data, household data, training data and professional performance evaluation data, as well as, named and possibly, special categories of personal data, such as biometric data and data relating to health.

5. Context and purpose of processing: Applicants’ personal data is processed for the purposes inherent in the processing and management of applications for selection and recruitment procedures and possible subsequent management of the employment relationship, including compliance with related legal obligations, namely planning and organization of work, equality and diversity in the workplace, health and safety at work, protection of persons and property, for the purposes of exercising and enjoying, individually or collectively, employment-related rights and benefits, as well as for the purposes of terminating the employment relationship, the purposes being specified in the support for collecting or processing such personal data.

6. Legal basis: the processing of data is based on the fulfillment of legal obligations, the management of the contractual relationship or the pursuit of SODECIA’s legitimate interests, depending on the case, and may, in very specific and limited situations, expressly identified as such, be based on the consent of the applicants.

7. Consequences of failure to provide compulsory data: failure to provide data that is considered necessary or compulsory for submitting an application to a selection and recruitment procedure makes it impossible to submit that application.

8. Consequences of not providing optional data: the data subject is not obliged to allow the processing of non-mandatory or optional data, so if they do not consent, or subsequently withdraw the consent previously given, they will not be processed, and in the latter case, after the request, the personal data in question will be deleted, or their use for ancillary purposes will be canceled, depending on the express will of the employee, without, however, affecting the legality of the operations carried out up to the date of withdrawal of consent.

9. Recipients: the data officer processes personal data himself (through professionals subject to the obligation of professional secrecy) or on his behalf, through subcontractors accredited to provide services selected by him and bound by strict technical and organizational measures adjusted to the protection of personal data.

10. Security measures: the technical and organizational security measures deemed appropriate to ensure a level of data processing security appropriate to the risk are in place.

11. Where the data is collected: the data is collected at the time of submitting the application or at a later date as part of the management of the contractual relationship, through the various work service channels of the data controller, guaranteeing the privacy or confidentiality of its collection and the integrity, quality and accuracy of the data.

12. Retention period: without prejudice to the exceptional situations of extension of the retention period provided for by law or considered necessary for the defense of legitimate rights or interests, the personal data processed is kept for the period necessary for the execution or processing of the request, application or request of the candidates, after which it will be deleted, the default retention period for active applications being ten years and the default retention period for non-active applications being three years.

13. Signage: all face-to-face service points where candidates’ personal data is processed are duly signposted, with specific signage with a commitment to data protection in the workplace, ensuring transparency and information on the correct use of systems and procedures for processing applicants’ personal data.

14. Communication of data: with the exception of situations where there is a legal obligation to communicate data or where data is communicated between companies in the SODECIA Group for the purposes of managing selection and recruitment procedures, there are no data communication operations and personal data is not communicated to third parties.

15. Interconnection of data and automated decisions: no interconnection of personal data is carried out, and only manual or computerized human resources management systems are integrated for the purposes of processing applicants’ data within the scope of selection and recruitment procedures and possible management of the employment relationship, and only the automated decisions necessary to carry out these procedures or the employment contract to be concluded following the outcome of this procedure are carried out.

16. International transfers of personal data: with the exception of transfers carried out between SODECIA Group companies for the purposes of managing selection and recruitment procedures, no operations are carried out to transfer applicants’ personal data to a third country or an international organization.

17. Processing and media: personal data is collected during the initial application, selection and recruitment process, during the process of eventually concluding the employment contract and during the subsequent process of managing the employment relationship, and is subject to multiple non-automated and automated processing and incorporation into various types of analog or digital media that are deemed necessary to guarantee compliance with the legal obligations to process applicants’ data or the obligations arising from the possible employment contract to be concluded.

18. Rights of the data subject: the data subject has the right to ask the data officer to access, rectify or erase their personal data, as well as to restrict or oppose processing and data portability, under the conditions laid down by law.

19. Right to lodge a complaint with the supervisory authority: the data subject may always exercise the right to lodge a complaint with the Supervisory Authorities of any of the countries in which the SODECIA Group companies are domiciled, should they deem it necessary.

20. Address for exercising rights: to request any information, submit complaints or request the exercise of rights, please contact dpo@sodecia.com.

21. Data Protection Policy: personal data processing operations are carried out in accordance with the General Data Protection Policy available at www.sodecia.com.

22. Special policies and rules on data protection in the employment context: the internal policies and rules on data protection of applicants or data protection in the employment context are available for consultation in the Human Resources Department.