The purpose of this policy is to ensure that we handle personal data in accordance with the EU General Data Protection Regulation (GDPR). The policy covers all processing operations where personal data is handled and includes both structured and unstructured data.

This policy is supported by our owners, board of directors and our employees.

Application and revision

The Board is responsible for ensuring that the processing of personal data complies with this policy.

The policy shall be adopted by the Management Board at least once a year and updated as necessary.

Our Chair is responsible for managing the process of updating the policy annually in response to new and changing regulations.

This policy applies to company directors, employees and contractors involved in our activities.

Organization and responsibilities

The Chair of the Board has the overall responsibility for the content of this policy and for its implementation and compliance by the business.

All employees are responsible for acting in accordance with this policy and what it seeks to ensure.

Terms and abbreviations

Personal data: Personal data is any information that can be directly or indirectly attributed to a living natural person.

Data subject: The person to whom a personal data relates, i.e. the natural person who can be directly or indirectly identified from the personal data in a register.

'processing of personal data' means any operation or set of operations performed on personal data - whether or not by automated means - such as collection, recording, organization and structuring.

Processing of personal data

Any processing of personal data shall be carried out in accordance with the following principles:

• Legality
• Purpose limitation
• Task minimization
• Correctness
• Storage minimization
• Privacy and confidentiality

‍

Monitoring and evaluation of our processing of personal data shall be carried out at least annually.

Any incidents relating to personal data that we process must be reported without delay to Christel Brink who, without undue delay and within 72 hours at the latest, must report the incident to the Swedish Data Protection Authority and otherwise take the necessary measures as a result of the incident.

Our requirements for handling personal data in accordance with the GDPR must always be ensured in the procurement and development of IT solutions and services, and must be part of the requirements specification and any agreements.

Tangaroa AB - 2024-05-06