Commitment to Data Protection and Privacy

ROVENSA, S.A. complies with all applicable EU and national legal rules in the area of data protection, privacy and information security.

ROVENSA, S.A. is implementing a Personal Data Protection System and an Information Security System in order to ensure regulatory compliance and demonstration of institutional responsibility for data protection and information security, implementing all necessary technical and organizational measures, both to comply with the general legal regime of the current Data Protection Law and to comply with the special legal regime of the General Data Protection Regulation applicable from 25 May 2018.

For any clarification or additional information or to exercise rights in this area, please contact the ROVENSA, S.A. Data Protection Office by email at dataprotection@rovensa.com.

‘Personal data’ means information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier. Personal identifiers may be, for example, a name, an identification number, location data, identifiers by electronic means or one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Processing’ means an operation or a set of operations carried out on personal data or on personal data sets by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of disclosure, comparison or interconnection, limitation, deletion or destruction.

‘Cookies’ are small text files stored on a user’s device (such as a computer or mobile phone) via the web browser when visiting a website. They contain information that enables the website to remember the user’s actions and preferences over time, such as login details, language selection, or other personalized settings. Cookies can also be used for statistical, analytical, or marketing purposes, depending on their type and the user’s consent.

ROVENSA, S.A., headquartered at Ed. Central Office, Av. Dom João II 45 8º, 1990-084 Lisboa – Portugal enrolled in the Commercial Registry Office of Lisbon under No 514194910 and holding the same Corporate Person number, with a share capital of 232.200.591,00€, hereinafter referred to as ROVENSA, S.A is the entity responsible for the websites www.rovensa.com and for the computerized applications, hereinafter referred to as channels or applications, through which Users, Service Recipients or Clients have remote access to the services and products of the Agrobusiness, which are presented, marketed or provided, at any time, through them.

The use of channels or applications by any User, Service Recipient or Client may entail the performance of personal data processing operations, whose protection, privacy and security by ROVENSA, S.A., as the entity responsible for their processing, is in accordance with the terms of this Data Protection and Privacy Policy.

For any inquiries, including those related to the processing of personal data, you may contact the Data Controller, ROVENSA, S.A., using the following contact details:– Postal address: Ed. Central Office, Av. Dom João II 45 8º, 1990-084 Lisboa – Portugal

– General Telephone: +351 213 222 750

In addition, you may contact the Data Protection Officer (DPO) of ROVENSA, S.A. specifically for matters related to data protection by email: dataprotection@rovensa.com. Please include the subject of your request.

ROVENSA, S.A. processes the personal data strictly necessary to ensure the disclosure of information and the operation of its channels, according to the uses made by Users, Service Recipients or Clients, whether those provided by Users or Service Recipients for the purpose of registering requests or obtaining information, or those provided by Clients for the purposes of subscribing to those channels, or those resulting from the use of the services provided by ROVENSA, S.A. through them, such as access, consultation, instructions, transactions and other records relating to their use.

In particular, the use or activation of certain channel functionalities may involve the processing of a number of direct or indirect personal identifiers, such as name, address, contact details, device addresses or geographical location, provided that the express consent of the User, Service Recipient or User/Client for such use has been given.

In all cases, Users, Service Recipients or Clients will always be informed of the need to access such data for the use of the functionalities of the channels in question.

The personal data collected by ROVENSA, S.A. are processed electronically, in certain cases in an automated way, including file processing or profile definition and in the scope of pre-contractual, contractual or post-contractual relationship management with Users, Service Recipients or Clients, in accordance with current national and Community regulations.

The categories or types of personal data of Users, Service Recipients or Clients processed are name, surname, date of birth, address, postcode, country, landline number, mobile number, e-mail, taxpayer number or identification document number (non-mandatory).

All personal data processing carried out by ROVENSA, S.A. complies with the principles established in applicable data protection legislation, particularly the General Data Protection Regulation (GDPR). These include the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

ROVENSA, S.A. also adheres to the principle of accountability and is committed to being able to demonstrate compliance with these principles to data subjects or any third party with a legitimate interest.

ROVENSA, S.A. processes personal data only where there is a valid legal basis under Article 6 of the General Data Protection Regulation. The lawful bases for processing include:

• The data subject has given their consent to the processing of his or her personal data for one or more specific purposes;

• The processing is necessary for compliance with a legal obligation to which the controller is subject;

• The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

• The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

ROVENSA, S.A. processes personal data for specific, explicit and legitimate purposes, in accordance with Article 5(1)(b) and Article 13(1)(c) of the GDPR. The main purposes for which personal data is collected and processed include:

• Providing information requested by users and service recipients;

• Managing communications and relationships with users and clients, including pre-contractual, contractual and post-contractual interactions;

• Performing and delivering the services subscribed by clients;

• Ensuring the technical and operational functioning of ROVENSA, S.A.’s digital channels;

• Complying with legal and regulatory obligations;

• Generating aggregated statistics for internal analysis and service improvement;

• Sending promotional or marketing communications about new features, products or services, through electronic or traditional means (e.g., email, SMS, telephone or postal mail);

• Conducting satisfaction surveys or other forms of direct engagement for promotional purposes;

Each of these processing activities is based on a lawful ground under Article 6(1) of the GDPR, such as the necessity for contract performance, legal obligation, consent, or legitimate interests pursued by ROVENSA, S.A.. Where applicable, the specific lawful basis will be communicated to the data subject at the time of data collection.

Where personal data is to be processed for purposes other than those for which it was originally collected, ROVENSA, S.A. will ensure that such processing is compatible with the original purpose, or will obtain the data subject’s explicit consent when required. In such cases, the data subject will always be informed in advance of the new purpose, and of their rights in relation to such processing, in accordance with applicable data protection legislation.

ROVENSA, S.A. retains personal data only for as long as is strictly necessary to fulfil the purposes for which it was collected, in accordance with the principle of storage limitation under the GDPR.

Retention periods are determined based on the nature of the data, the processing purposes, and any legal or regulatory obligations that require longer retention. Where no specific legal retention period applies, data will be securely deleted or anonymised once it is no longer needed.

ROVENSA, S.A. ensures compliance with all applicable laws and regulations concerning data retention.

ROVENSA, S.A. may use cookies and similar technologies on its websites and digital communication channels to ensure proper functionality, enhance user experience, and support analytical and marketing activities.

Cookies are small text files that are stored on the user’s device via their browser when visiting a website. They enable websites to remember user preferences, facilitate secure login, improve performance, and collect statistical information about browsing behaviour.

Depending on their purpose, cookies used by ROVENSA, S.A. may fall into the following categories:

(i) Essential cookies: These cookies are strictly necessary for accessing and navigating certain areas of the website, such as secure login areas or user sessions. Without these cookies, services requiring authentication or specific features cannot be provided. These cookies do not require prior user consent.

(ii) Functionality cookies: These cookies allow the website to remember user choices (such as language, region, or interface preferences) and provide enhanced and more personalised features. While not strictly necessary, they improve usability.

(iii) analytical cookies – these cookies are used to analyse how users use websites, highlighting articles or services that may be of interest to users, monitoring site performance, and identifying the most popular pages, the most effective means of linking pages, or to determine why some pages receive error messages – these cookies are only used for statistical analysis and creation, without ever gathering information of a personal nature.

Regarding their duration, cookies used by ROVENSA, S.A. may be classified as:

(i) Permanent cookies: These cookies are stored on the user’s device and remain active for a defined period or until manually deleted. They are used to remember preferences and browsing patterns over multiple visits, enabling a more personalised and consistent user experience.

(ii) session cookies – These are temporary cookies that are deleted once the browser session ends.

Users, Service Recipients, and Clients may manage or disable cookies at any time through their browser settings. Instructions for managing cookies are generally available within the help section of most web browsers. Please note that disabling certain types of cookies, particularly essential cookies, may affect the functionality or availability of some parts of the website.

ROVENSA, S.A. may also use tracking technologies within direct electronic communications, such as emails or newsletters, for statistical purposes—for example, to determine whether a message was opened or if embedded links were clicked. Users can opt out of receiving such communications at any time by using the unsubscribe link included in the footer of each message.

The disclosure of information or the provision of services by ROVENSA, S.A. to its Users or Clients through the channels may possibly involve the use of services of subcontracted third parties, including entities with head offices outside the European Union, to provide certain services, which may imply access by these entities to the personal data of Users or Clients.

In such cases, ROVENSA, S.A. ensures that all processors provide sufficient guarantees of implementing appropriate technical and organisational measures, in accordance with applicable data protection legislation. These obligations are formalised through written data processing agreements, in compliance with Article 28 of the GDPR.

Where personal data is transferred to countries outside the European Economic Area (EEA), ROVENSA, S.A. ensures that such transfers comply with Chapter V of the GDPR.

In addition, ROVENSA, S.A. may disclose personal data to third parties when required to do so by law, for example in response to lawful requests by public authorities, regulators, courts, or law enforcement agencies, in accordance with legal obligations to which ROVENSA, S.A. is subject (Article 6(1)(c) of the GDPR).

Outside these situations, personal data will not be disclosed to third parties who are not processors.

Except in the scope of compliance with legal obligations, in no case will there be any communication of the personal data of Users, Service Recipients or Clients to third parties that are not subcontracted entities or legitimate recipients, and also no other communication will be carried out for any purposes other than those mentioned above.

Any transfer of personal data to a country outside the European Economic Area (EEA) or to an international organisation will only take place in compliance with Chapter V of the General Data Protection Regulation (GDPR).

ROVENSA, S.A. implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures are adopted taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of the processing, as well as the likelihood and severity of risks to the rights and freedoms of data subjects.

Such security measures aim to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, and any other form of unlawful processing.

Where ROVENSA, S.A. relies on third-party processors that may access personal data, these entities are required, under written agreement, to implement equivalent security measures to ensure the confidentiality, integrity, and availability of the data, in accordance with applicable data protection laws.

Users, Service Recipients, and Clients also have an important role in safeguarding their personal data. They are responsible for maintaining the confidentiality of their access credentials and must not share them with third parties. In particular, when using computer applications or digital channels provided by ROVENSA, S.A., they should ensure that their access devices are kept secure and follow recommended security practices. This includes, among other measures, installing and regularly updating antivirus software or any other necessary security applications, as advised by device manufacturers or service providers.

Data subjects have the right to request from the controller access to their personal data, as well as the rectification or erasure of such data. They also have the right to request the restriction of processing, to object to the processing of their data, and to request the portability of their personal data to another controller, where applicable.

Where the processing is based on consent data subjects have the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing carried out prior to its withdrawal.

Furthermore, data subjects have the right to lodge a complaint with a supervisory authority.

These rights may be exercised at any time by submitting a written request to the DPO of ROVENSA, S.A.. Requests can be sent via email to dataprotection@rovensa.com.

Users and Clients of ROVENSA, S.A. have the right to submit a complaint by submitting a complaint to the data protection control authorities.

Users and Clients may address any suggestions, enquiries, or concerns related to data protection by contacting the Data Protection Officer via email at dataprotection@rovensa.com.

ROVENSA, S.A. has implemented an incident management system to ensure a timely and effective response to any personal data breaches, in line with applicable data protection and information security obligations.

A personal data breach is defined as any event that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Users and Clients who become aware of or suspect the occurrence of a personal data breach are encouraged to report the incident promptly. Reports may be submitted to the Data Protection Officer via dataprotection@rovensa.com.

In order to ensure its updating, development and continuous improvement, ROVENSA, S.A. may, at any time, make any changes considered appropriate or necessary to this Data Protection and Privacy Policy, and its publication is assured in the different channels to guarantee their transparency and information to Users and Clients.

The terms of the Data Protection and Privacy Policy are complementary to the terms and provisions regarding personal data provided in the General Conditions of Use of ROVENSA, S.A.’s channels.

The free, specific and informed disclosure of personal data by the data subject implies the knowledge and acceptance of the conditions contained in this Policy, considering that, by using the channels or by making their personal data available, Users, Service Recipients and Clients expressly authorize their processing, in accordance with the rules defined in each of the applicable channels or collection instruments.

For any requests concerning data protection, including the exercise of their rights under the GDPR, Users, Service Recipients, and Clients of ROVENSA, S.A. may contact the Data Protection Officer via email at: dataprotection@rovensa.com.