DATA PROTECTION POLICY OF BOSTON GLOBAL FORUM

The Directors/Governing Body of the Boston Global Forum (hereinafter, the data controller) assumes maximum responsibility and commitment to establishing, implementing and maintaining this Data Protection Policy, with the data controller guaranteeing continuous improvement in order to achieve excellence with regards to compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27th April 2016, on the protection of individuals in relation to the processing and free circulation of their personal data, which repeals Directive 95/46/EC (General Data Protection Regulation) (OJEU L 119/1, 04-05-2016), and Spanish regulations on the protection of personal data (Data Protection Act, specific sector legislation and its implementing regulations).

Boston Global Forum’s Data Protection Policy rests on the principle of proactive responsibility, according to which the data controller is responsible for compliance with the regulatory and jurisprudential framework governed by this Policy, and is able to prove such compliance before the competent supervisory authorities.

In this regard, the data controller will be governed by the following principles, which all its personnel should use as a guide and reference framework for processing personal data:

1. Data protection starting from design: the data controller will, both when determining the data processing media and at the time of processing, implement appropriate technical and organizational measures (e.g. pseudonymization) in order to effectively apply the principles of data protection (e.g. minimization of data), and ensure the processing includes all the necessary guarantees.

2. Data protection by default: the data controller will apply appropriate technical and organizational measures with a view to ensuring that, by default, only the personal data necessary for each of the specific purposes are processed.

3. Data protection in the information life cycle: the measures that guarantee the protection of personal data will apply throughout the life cycle of the information.

4. Legality, loyalty and transparency: personal data will be processed lawfully, loyally and transparently with regards to the data subject.

5. Limitation of purpose: personal data will be collected for specific, explicit, legitimate purposes, and will not be subsequently processed in any way which is incompatible with these purposes.

6. Data minimization: personal data will be adequate, pertinent and limited to that which is strictly necessary for the purposes they are processed for.

7. Accuracy: personal data will be accurate and, if necessary, updated; all reasonable measures will be taken to ensure that any personal data that are inaccurate with regards to the purposes they are processed for are immediately deleted or rectified.

8. Limitation of the conservation period: personal data will only be maintained to identify the data subjects for the time necessary for the purposes they are processed for.

9. Integrity and confidentiality: suitable technical or organizational measures will be implemented to ensure personal data are processed in such a way as to guarantee their adequate security, including protection against unauthorized or illicit processing and against loss, destruction or accidental damage.

10. Information and training: one of the keys to guaranteeing the protection of personal data is training and information for all personnel involved in processing them. All personnel with access to the data will be duly trained and informed of their obligations with regards to compliance with data protection regulations throughout the information life-cycle.

The Boston Global Forum’s Data Protection Policy is made known to all the data controller’s personnel and is available to all data subjects.

In consequence, this Data Protection Policy involves all the data controller’s personnel, who must know and assume it as their own, with each member being responsible for applying it and for verifying the data protection rules which apply to his or her activity, and for identifying and proposing any opportunities for improvement which he or she deems appropriate in order to reach excellence in terms of compliance.

This Policy will be reviewed as often as considered necessary by the Directors/Governing Body of the Boston Global Forum, in order to ensure it is aligned with current provisions on the protection of personal data.