Data Protection Policy

AEONIC SECURITIES CIF PLC complies with the legislation relating to the Protection of Personal Data in the sector in which it operates. This Policy sets out the basic principles by which AEONIC SECURITIES CIF PLC processes the personal data of clients, employees, suppliers, partners, and other individuals. All employees, whether indefinite or fixed-term, as well as all collaborators, representatives, or even subcontractors working on behalf of AEONIC SECURITIES CIF PLC (employed persons), are bound by this Policy.

Basic Definitions

The following are the basic definitions of the terms used in this document, as set out in the General Data Protection Regulation, to familiarize the data subjects with the terminology of the Regulation:

Personal Data: any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Special Categories of Personal Data: Personal data that is by its nature particularly sensitive in relation to fundamental rights and freedoms deserves specific protection, as the processing thereof could entail significant risks to those fundamental rights and freedoms. Such personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Data Controller: a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor: a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

Data Subject: any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity. In other words, a data subject is an end user whose personal data can be collected.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Privacy Notice: a document that outlines an organization's practices concerning the collection, use, and safeguarding of personal data. It serves as a transparent communication channel between the organization and individuals whose data it processes.

Authority: The Data Protection Authority

Basic Principles Concerning the Processing of Personal Data

AEONIC SECURITIES CIF PLC, as the data controller, strictly adheres to the data protection principles defined in the General Data Protection Regulation.

Legality, Fairness, and Transparency

AEONIC SECURITIES CIF PLC processes personal data lawfully, fairly, and in a transparent manner in relation to the data subject.

Purpose Limitation

Personal data are collected for specified, explicit, and legitimate purposes and are not further processed in a manner that is incompatible with those purposes.

Data Minimization

AEONIC SECURITIES CIF PLC keeps personal data accurate and ensures that their storage is limited to what is necessary in relation to the purposes of processing. Moreover, appropriate technical measures are applied to achieve these objectives.


The personal data held by AEONIC SECURITIES CIF PLC are accurate and up to date. Efforts are made to ensure that inaccurate personal data, considering the purposes for which they are processed, are erased or rectified without delay.

Storage Limitation

Personal data are kept for no longer than is necessary for the purposes for which AEONIC SECURITIES CIF PLC processes them.

Integrity and Confidentiality

Taking into account the current technological and security updates, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, AEONIC SECURITIES CIF PLC applies appropriate technical or organizational measures to ensure the appropriate security of personal data and protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.


AEONIC SECURITIES CIF PLC is responsible and able to demonstrate compliance with the General Data Protection Regulation to the competent Data Protection Authority.

Privacy Notice, Consent, and Data Subject Rights

Notice to Data Subjects

Before collecting personal data or during their collection for any processing activity undertaken by AEONIC SECURITIES CIF PLC, including but not limited to the sale of products, services, or marketing activities, AEONIC SECURITIES CIF PLC is responsible for providing appropriate information to data subjects, including information about the types of personal data collected, the purposes of processing, processing methods, data subjects' rights regarding their personal data, the retention period, any international data transfers, whether personal data is shared with third parties, as well as AEONIC SECURITIES CIF PLC's security measures for protecting personal data. This information is provided through the Privacy Notice.


When the collection of personal data is based on the data subject's consent, AEONIC SECURITIES CIF PLC is responsible for ensuring that data subjects provide their consent freely, with positive action, explicitly, and having been informed of the content to which they are consenting. AEONIC SECURITIES CIF PLC provides data subjects with the ability to withdraw their consent at any time. Where the collection of personal data of children under 16 years of age takes place, AEONIC SECURITIES CIF PLC ensures that parental consent is obtained before collection. Processing of personal data must only be for the purpose for which it was originally collected. If AEONIC SECURITIES CIF PLC wishes to process personal data for another purpose, it must seek the consent of the data subjects in an explicit and specific written manner. Any such request must include the original purpose for which the data was collected, as well as the new or additional purpose(s).


AEONIC SECURITIES CIF PLC makes every effort to ensure that the amount of personal data collected is minimal. If personal data is collected from a third party, AEONIC SECURITIES CIF PLC ensures that this data is collected lawfully.

Relationship of AEONIC SECURITIES CIF PLC with Third Parties

In cases where AEONIC SECURITIES CIF PLC has entrusted a third party to provide a service to its clients or even uses a third-party supplier or commercial partner to process personal data on its behalf, it ensures that the data processor will provide appropriate security measures and protection of personal data to address potential risks. AEONIC SECURITIES CIF PLC makes every effort to ensure that its suppliers or commercial partners process personal data only for the fulfillment of their contractual obligations to the Company, always in accordance with its instructions and for no other purpose.

Data Subject Access Rights

AEONIC SECURITIES CIF PLC, as Data Controller, is responsible for providing data subjects with access to their personal data, allowing them additionally to review, correct, delete, or transfer it.

Data Portability

Data subjects have the right to receive, upon request, a copy of the data they have provided to AEONIC SECURITIES CIF PLC in a structured format and to transfer this data to another data controller. AEONIC SECURITIES CIF PLC is responsible for ensuring that these requests are processed within one month, provided that the requests are not manifestly unfounded. When exercising the right to data portability, data subjects have the right to request the direct transfer of personal data from one data processor to another, where this is technically feasible.

Right to Erasure

Upon request, data subjects have the right, under certain conditions, to request from AEONIC SECURITIES CIF PLC the erasure of their personal data. AEONIC SECURITIES CIF PLC will take immediate action (including technical measures) to satisfy the request, provided that this does not contradict the applicable law, and will ensure the same from any third parties using or processing personal data on its behalf.

Response to Personal Data Breaches

When AEONIC SECURITIES CIF PLC becomes aware of a potential or actual personal data breach, it conducts an immediate internal investigation and takes appropriate remedial actions within a reasonable time, in accordance with the Personal Data Breach Policy. When there is a risk to the rights and freedoms of data subjects, AEONIC SECURITIES CIF PLC must notify the breach to the Authority without undue delay and in any case within 72 hours.


For the purposes of communication and submission of requests related to personal data protection, AEONIC SECURITIES CIF PLC maintains the email address (communication with Authorities, providing clarifications, etc.).