Mediatel Data Privacy Policy

This document outlines Mediatel Data's commitment to compliance with data protection laws and establishes the general principles for Processing Personal Data. It serves as a comprehensive standard but does not supersedeany specific data protection requirements applicable to a particular businessunit or function.

Our Principles as a Data Controller

When Mediatel Data acts as the entity determining the purposes and means ofprocessing (Controller), we commit to the following principles:

• Lawfulness and Transparency: We ensure all Processing complies  with applicable laws. At the time of collection, we will clearly inform individuals how their Personal Data will be Processed.
• Purpose Limitation: We will only obtain and Process Personal Data for specified, explicit, and legitimate purposes that are known to the individual or are based on an actual business collaboration and are relevant to Mediatel Data’s operations. Further Processing will only occur if compatible with the original purposes and applicable law.
• Data Minimization and Accuracy: We will only retain Personal Data for as long as necessary to fulfill the purposes for which it was     collected and Processed.
• Security and Confidentiality: We implement appropriate technical and organizational measures to ensure a level of security for Personal Data that is commensurate with the risk to the rights and freedoms of     individuals. We will comply with all data security breach notification requirements under applicable law.
• Data Subject Rights: We adhere to the Data Subject rights procedure, responding to requests for access, rectification, erasure, or cessation of Processing in accordance with applicable law.
• International Transfer: We will not transfer Personal Data to third parties outside of Europe.
• Marketing Opt-Out: We will allow our customers to opt-out of receiving marketing information.

OurPrinciples as a Data Processor/ Provider/ Empowered Person

WhenMediatel Data Processes Personal Data on behalf of a client (Controller) byproviding call and contact center technology support operations, we commit tocooperating and assisting our clients with their data protection obligations:

Principle Our   Commitment

Lawfulness  of Processing

We ensure all  Processing is carried out in accordance with applicable laws and will  cooperate with the Data Controller to meet their obligations.

Fairness  and Transparency

We will  assist the Data Controller in fulfilling the requirement to inform and  explain to individuals how their Personal Data will be Processed.

Purpose  Limitation

We only  Process Personal Data strictly on behalf of and according to the instructions  of the Data Controller.

Data  Minimization & Accuracy

We assist the  Data Controller in maintaining the accuracy and completeness of the Personal  Data.

Limited  Retention

We only  retain Personal Data for the duration necessary under the terms of the  contract or legally binding agreement with the Data Controller.

Security  and Confidentiality

We implement  appropriate technical and organizational measures to safeguard Personal Data.  We will notify the Data Controller without undue delay of any security breach  in accordance with our contract.

Sub-Processors

We will  comply with the Data Controller’s requirements regarding the appointment of  any sub-processor.

Rights of  Individuals

We assist  Data Controllers in complying with their duty to respect the rights of  individuals based on the existing collaboration contract.

Contractual Requirement (DPA): The relationshipbetween Mediatel Data (Processor/ Empowered Person) and the client (Controller)will be governed by a formal Data Processing Agreement (DPA) whichsets out the subject matter, duration, nature, and purpose of the Processing,the types of Personal Data, and the categories of Data Subjects. This DPAwill ensure Processing meets all requirements of the GDPR.

Assistance with DPIA: Mediatel Data will assistthe Data Controller in ensuring compliance with their obligationsregarding Data Protection Impact Assessments (DPIAs) and priorconsultations (Articles 35 and 36), taking into account the nature of theProcessing and the information available to us.

Sub-Processor Compliance: We will not engage anothersub-processor without the Data Controller's prior specific or general authorization. Wherewe use a sub-processor, we will impose the same data protectionobligations on that sub-processor as set out in our contract with theData Controller, in particular concerning the provision of sufficientguarantees to implement appropriate technical and organisational measures.

Audit and Compliance Demonstration: Mediatel Data will makeavailable to the Controller all information necessary to demonstrate compliancewith this Policy and the DPA, and will allow for and contribute to audits conductedby the Controller or an auditor mandated by the Controller, upon reasonablenotice.

End-of-Service Obligation: At the termination of the serviceprovision, Mediatel Data will, at the choice of the Data Controller, deleteor return all Personal Data to the Controller, and delete existingcopies, unless Union or Member State law requires storage of the Personal Data.

Organizationaland Technical Measures

MediatelData employs robust security protocols to protect the Personal Data we manage:

• Secure Infrastructure: All computers and equipment     utilize anti-virus programs and other security systems. Access to     customer data is managed through a secure, pass-lock network for     workstations.
• Access Control: We limit personnel access to the     minimum level necessary for their duties, ensuring adherence to the     principle of least privilege. Staff are subject to written privacy     obligations and only process data according to their instructions.
• Training and Compliance: Mediatel Data staff are properly     trained in the processing of Personal Data and security measures as     required by GDPR regulations.
• Physical Security and Logging: We maintain an access register for     all physical access levels and logical logs for equipment managing     Personal Data. Visitors are registered upon entry/exit and must be     permanently accompanied by employees.
• Strict Adherence to Instructions: We will strictly access and     Process information provided by our clients according to their specific     instructions and purpose. We reserve the right to refuse any action     requested that infringes upon GDPR regulations.
• Policy Updates: Mediatel Data reserves the right     to change, modify, or update this Policy at any time, in accordance with     current applicable law. Please review it frequently for updates.

TheEU General Data Protection Regulation (GDPR) 2016/679 took effect on May 25,2018.

Formore information, please contact us at dpo@mediatel.ro.

‍