PRIVACY POLICY

The privacy of your data is very important to us. We have developed this Privacy Policy so that you can understand how we collect, use, store, share, transmit, transfer, delete or process (generically, “process”) your personal data. This Privacy Policy describes the steps we take to ensure the protection of your personal data. We also inform you about how you can contact us to answer any questions you may have about data protection.

Benefit, a Sodexo entity, builds strong and lasting relationships with customers, partners, users, based on mutual trust: ensuring that personal data is secure and remains confidential is an absolute priority for Benefit.

Benefit has implemented a privacy policy aimed at ensuring the protection of the personal data of those who use Benefit websites and/or the 7card application:

– Users remain in control of their data. The data is processed in a transparent, confidential and secure manner.

– Benefit undertakes to continue its personal data protection efforts in accordance with the EU General Data Protection Regulation of 27 April 2016 (hereinafter “GDPR”).

The services provided by Benefit for the benefit of 7card Subscribers are established by the contracts signed between Benefit and each Employer of the Employee (“Customer”), including elements related to the costs of services, the limits to using the 7card subscription (e.g. number of visits allowed/day); Benefit has a direct contract with each of these Customers,

which establishes the terms in which the Customer’s Employees (and Companions – also called Friends) have access to the 7card Programme, taking into account the provisions of the 7card Programme Rules, as well as those of the rules of enrolment in the 7card Programme.

Benefit assumes towards Subscribers/Users, regarding the processing of personal data under GDPR, specific obligations as processor of the Customer, as well as, if applicable and for limited purposes, specific obligations of personal data controller.

Benefit has a dedicated team for the protection of personal data, consisting of a data protection officer at the group level, registered with the CNIL (National Data Protection Commission) and other EEA supervisory authorities, as well as data protection officers at the local level.

PURPOSE OF THIS POLICY

This privacy policy (“Policy”) describes how we use and protect your personal data for the management of the website www.7card.ro and the 7card application, who will have access to them and for what purposes, what rights you have and how you can contact us to exercise these rights or ask us any questions you may have regarding the protection of your personal data. If there is a conflict between this Policy and the GDPR or Law 190/2018 on measures to implement Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data personal data and the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation), then these laws shall, where appropriate, prevail.

This Policy may be amended, supplemented or updated, in particular to comply with any case law, regulations, or technical developments which may arise. However, your personal data shall always be processed in accordance

with the applicable policy in force at the time of data collection, unless otherwise provided by law and must be applied retroactively.

This policy describes the processing of personal data carried out through our website www.7card.ro and/or the 7card application, carried out in connection with the Employee, the Subscriber, the 7card Subscriber, the User or the Customer Representative, as will be defined below.

DEFINITIONS

Employee” – any natural person with whom the Customer has a contractual relationship based on an employment contract, mandate contract, management contract, service contract or other civil law contract with similar legal effects.

Subscriber”/“7card Subscriber”/“User” – the Employee or Companion having the right to use the products and services within the 7card Programme;

“Client’s Representative” means an employee / collaborator of the Client with HR attributions, who completes the specific contact form, available on the website www.7card.ro;

Controller” – any natural or legal person, public authority, agency, or other body which, alone or jointly with others, determine the purposes and means of the processing of personal data

Benefit” or “We” – to the extent applicable. Benefit is a member of the Sodexo group of companies.

You” – any user

Companion”, also called “Friend” – any individual designated by the Employee to benefit from 7card benefits under the same conditions of use as the Employee. The Companion is not an Employee of the Customer and may be any natural person. It is subject to the rules and regulations applicable to the Employee. The employee must not enrol in the 7card Programme a person who does not agree with the 7card Programme Rules.

Underage Companion” – any natural person under 16 years of age, a child of the Employee, designated by the Employee to benefit from 7card under the same conditions of use as the Employee. The Underage Companion participates in the 7card Program only at the initiative of and through enrolment by the parent (Customer’s Employee) who, by enrolling the Underage Companion in the 7card Programme, expressly agrees that the Underage Companion will participate in the 7card Programme; at the same time, the Customer’s Parent-Employee assumes full responsibility for the observance of the terms of the 7card Programme Rules by the Underage Companion, as well as for the processing of his/her personal data by Benefit in accordance with this Policy.

Website” – the website of Benefit available at www.7card.ro

Complaint” – any complaint lodged by a data subject with a supervisory authority or court if the data subject considers that his/her rights under the applicable data protection laws have been violated

EU/EEA” – European Union/European Economic Area

General Data Protection Regulationor GDPR” – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/4 /EC.

Programme Rules/7card Programme Rules” all the instructions, rules and regulations regarding the Subscribers’ access to the services in the Programme contracted by the Client in relation to Benefit

Local Single Data Protection Point of Contact” – the person designated by Benefit, responsible for dealing with personal data processing issues of local data. This contact point is part of the global data protection network.

Personal data” – any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Processing of personal data” – any operation or set of operations performed on personal data or on personal data sets, whether or not by automated means such as collection, recording, organisation, structuring, adapting or modifying, storing, searching, consulting, using, disclosing by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Privacy by design” means that where a new digital project or a new business opportunity is initiated, involving processing of personal data, data protection shall be taken into account, both at the time of the definition of the means and the related appropriate technical and organisational security

measures for the processing and at the time of the implementation of processing itself. The same principle applies where Benefit intends to merge with or acquire a company, it shall make sure that data protection principles are respected

Privacy by default” means that staff should be trained to handle personal data and implement procedures to ensure that each time personal data is processed, appropriate technical and organisational measures are taken for ensuring that, by default, only personal data which is necessary for each specific purpose is processed (in terms of amount of data processed, extent of the processing and data retention) and is made accessible only to a limited number of persons who need to know

7card Programme” or “Employee Benefits Programme” or “Programme”

– the set of offers, selected by Benefit, oriented to the needs of the Employer (Customer of Benefit), of products and services available to its Subscribers, provided for them during the validity period of the contract between the Employee’s employer and Benefit by the Benefit Partners

Request” – one of the mechanisms provided by the GDPR to individuals to allow them to exercise their rights (such as the right of access, to rectification, to erasure etc.). An individual may make a Request against any entity which processes its Personal Data.

Sensitive Personal Data” referred to as “Special categories of data” within GDPR means any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and the processing of genetic data, biometric data processed solely to identify a human being, health-related data or data concerning a person’s sex life or sexual orientation. This definition also includes personal data relating to criminal convictions and offenses.

“Supervisory Authority” – an independent public authority which is established by a Member State, as specified in the GDPR

Partners” – gyms/clubs/recreational activities (only the name and surname of the data subject must be provided, exclusively for the reimbursement of visits and services provided by them).

“Sodexo entity or Sodexo entities” – any corporation, partnership or other entity or organisation which is admitted from time to time as a member of the Sodexo Group.

IDENTITY AND CONTACT DETAILS OF THE CONTROLLER

Benefit Seven S.A. – a joint stock company with registered office at Dimitrie Pompeiu Boulevard no. 9 – 9A, Iride Business Park – building 19, floor 3, Bucharest, Sector 2, 020335, Romania, correspondence address Dimitrie Pompeiu Boulevard no. 9 – 9A, Iride Business Park – building 19, floor 3, Bucharest, Sector 2, 020335, Romania, registered number J40/7148/2021, Tax Identification Number RO16696040, subscribed and paid-up share capital of RON 100,000) (hereinafter referred to as “Benefit”).

COLLECTION AND SOURCE OF PERSONAL DATA

We shall collect your personal data directly, in particular through the data collection forms or profile settings on the Website and/or in the 7card application and shall collect directly the data of the Subscribers (when you provide us directly with the enrolment/update data on the 7card platform and/or in the 7card application), as well as through the Customers (when they provide us with the data of the 7card Subscribers as employers of these Subscribers). In certain situations, we may collect the enrolment/updated data of the 7card Subscriber partly from the Customer, partly from the 7card

Subscriber. We always collect data from the 7card Subscriber based on our responsibilities and the instructions from our Customers.

The Data of the Companions are provided by the Subscribers; Benefit informs the Companion of the conditions of enrolment in the Programme, including the terms regarding the processing of personal data in accordance with this Policy, as soon as possible after the registration of the Attendant’s data on the 7card platform.

We automatically collect location data, only if the 7card Subscriber is logged in to the user account of the 7card application and has given permission for the device to display the location, strictly to indicate its position relative to the Partners’ locations, located in their proximity, in order to provide support/recommendation in the relation between the parties. We do not store location data. The location can be deactivated from the settings of the device used for accessing the 7card application user account.

We undertake to obtain your consent and/or to allow you to refuse the use of your personal data for certain purposes whenever necessary. In any case, you shall be informed about the purposes for which your data is collected through the Policy, the various forms of online data collection and through the cookie policy on. If the processing of your data is done based on consent, you have the right to withdraw this consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

LAWFULNESS, FAIRNESS AND TRANSPARENCY

We do not collect or process personal data without a legal basis to do so. We may need to collect and process your personal data where necessary to perform a contract to which you are a party, or when necessary to comply with a legal obligation to which we are subject or where necessary. We may also

collect and process your personal data for the legitimate interests of Benefit, unless such interests, rights and freedoms prevail.

Benefit does not collect (neither directly nor indirectly) and does not process special data (e.g. data on Subscribers’ health) and does not monitor/evaluate the evolution of Subscribers by participating in the activities to which the 7card provides access in accordance with the 7card Programme Rules.

When we collect and process your personal data, we will provide you with a correct and complete notification of information (e.g. this Policy/ Information Notice) or a privacy statement about who is responsible for the processing of your personal data, for what purposes your personal data is processed, who the recipients are, what your rights are and how to exercise them, etc., unless it is impossible or it requires disproportionate efforts to do so.

When required by applicable law, we will seek your prior consent (e.g. before collecting any sensitive Personal Data).

LEGITIMATE PURPOSE, LIMITATION AND DATA MINIMISATION

Your Personal Data is collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes.

When Benefit acts for its own purposes, your personal data is processed mainly for, but not limited to, the following purposes: ensuring the Subscriber’s access to the benefits offered by the 7card Programme, validating enrolment in the Programme, creating the Subscriber’s nominal card/7card account, mailing the 7card to the Subscriber, invoicing services, sending notifications on the account/invoices/outstanding payments, processing payments related

to the Subscriber’s participation in the 7card Programme, contacting/corresponding with the Subscriber, upon request/in accordance with our customer relations policies, 7card product evaluation, fraud prevention and control, IT tools or internal websites and any other digital solutions or collaboration platforms, IT support management, including infrastructure management, systems management, applications, information security management, customer relationship management, offers, sales and marketing management, supply management, internal and external communication and event management, compliance with anti-money laundering obligations or any other legal requirements, data analysis operations, corporate management and implementation of compliance processes.

DATA ACCURACY AND STORAGE LIMITATION

Benefit shall keep personal data which is processed accurate and, if necessary, up to date. Also, we shall retain personal data only for as long as is necessary for the purposes for which we collected it, including for the purpose of meeting any legal, accounting or reporting requirements and, where necessary, for Benefit to assert or to defend against legal claims, until the end of the relevant retention period or until the settlement of the claims in question. If you want to learn more about our specific retention periods for your personal data set out in our data retention policy, you may contact us at 7card@benefitseven.ro .

After the expiration of the applicable retention period, we shall securely destroy your data in accordance with applicable laws and regulations.

SECURITY OF PERSONAL DATA

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful alteration or loss, or from

unauthorized, use, disclosure or access, in accordance with our Group Information and Systems Security Policy.

We take, as appropriate, all reasonable measures based on Privacy by design and Privacy to implement the necessary safeguards and to protect the processing of personal data. We also carry out, depending on the level of risk raised by the processing, a Privacy impact assessment (“PIA”) in order to adopt appropriate safeguards and ensure the protection of personal data. We also offer additional security safeguards for data considered to be sensitive personal data.

IS IT MANDATORY TO PROVIDE PERSONAL DATA?

Personal data whose provision is necessary, given that the 7card Programme involves the issue of 7card cards/nominal application numbers: last name and first name, mobile phone number (not required for Underage Companions), home address, work email (not required for Underage Companions), date of birth; failure to provide such personal data will prevent the nominal 7card from being issued and the access to the Programme benefits (situations which shall not be the fault of Benefit Seven SA or its Partners – gyms and suppliers of other recreational activities).

When your data is requested in a login form, in the absence of providing a valid email address, you will not be able to create and access your profile on this website and/or in the 7card application, respectively you will not be able to make a request on the website/in the 7card application. If you do not want to provide this data to solve your requests, you may contact us

at 7card@benefitseven.ro.

WHAT ARE THE TYPES OF PERSONAL DATA COLLECTED AND USED BY US? HOW AND FOR WHAT PURPOSES ARE THEY USED AND WHAT

IS THE LEGAL BASIS FOR WHICH YOUR PERSONAL DATA WILL BE COLLECTED AND USED?

Categories of personal data we process:

The following personal data shall be processed by Benefit in relation to the participation of Subscribers in the 7card Programme in accordance with the 7card Program Rules:

For the Employee: full name, mobile phone number, home address, work address, work email, gender, date of birth, Subscriber Identification Number (allocated by Benefit Seven SA upon enrolment in the Programme);

For the Companion/Friend: full name, mobile phone number, email address, home address, gender, date of birth, Subscriber Identification Number (allocated by Benefit Seven SA upon enrolment in the Programme);

For underage companions (individuals below 16 years of age), the personal data processed by Benefit Seven SA is the following: full name, gender, date of birth – they shall be exclusively supplied by the parent of the underage companion upon enrolment in the Programme, Subscriber Identification Number (allocated by Benefit Seven SA upon enrolment in the Programme);

Transactional communications – communications by push-notifications in the 7card application, SMS, email on the status of a certain initiative/action of the Subscriber;

History of visits/access of Subscribers to the Partner locations – gyms/clubs/other recreational activities;

Regarding the Client’s Representative: last name and surname, mobile phone number, e-mail address, position;

Online identifiers: The IP address of the device used by the Subscriber to access www.7card.ro and/or the 7card application; the internet browser they are using and the version of the operating system of the browsing/application accessing device; HTTP/HTTPS protocol data;

Benefit Seven S.A. shall process, exclusively for informing the Subscriber on their proximity to Partner gyms/clubs/recreational activities, location data of the Subscriber’s device (location of the mobile phone whose number was filled out upon enrolment) at that specific time, only with the express consent of the Subscriber expressed immediately before the time of showing the location of the gym/club in their proximity. Benefit Seven SA shall not store/keep equipment location data.

Purposes for which we process the personal data of 7card Subscribers and legal grounds for processing:

Purposes for processing

Legal grounds for processing

Informing the Subscriber on the 7card Programme

Performance of obligations assumed under the Rules, in relation to the 7card Programme and pre-enrolment formalities, art. 6 para. 1 lett. b) of the

Data Protection Regulation

Ensuring the Subscriber’s access to the benefits provided under the 7card Programme (e.g. access to Partner locations at better prices and their preservation as

described below).

Performance of obligations assumed under the Rules, in relation to the 7card Programme, art. 6 para. 1 lett. b) of the Data Protection Regulation

Validating enrolment in the Programme, creating the

Performance of obligations assumed under the Rules, in relation to the 7card

Subscriber’s nominal card/7card account, mailing the 7card to the Subscriber, invoicing services, sending notifications on the

account/invoices/outstanding payments

Programme, art. 6 para. 1 lett. b) of the Data Protection Regulation

Authentication of the Subscriber at the time of connecting to the 7card linked account (including when accessing the 7card application on the browsing

device)

Performance of obligations assumed under the Rules, in relation to the 7card Programme (including 7card pre- enrolment stages) art. 6 para. 1 lett. b) of the Data Protection Regulation

Validating enrolment in the Programme, creating the 7card account, invoicing services, sending notifications on the account/invoices/payments, including by push-notifications in

the 7card application/email/SMS.

Performance of obligations assumed under the Rules, in relation to the 7card Programme, art. 6 para. 1 lett. b) of the Data Protection Regulation

Processing payments for the Subscriber’s participation in the 7card Programme

Legitimate interest of Benefit Seven S.A., art. 6 para. 1 lett. f) of the Data Protection Regulation

Performance of obligations assumed under the Rules, in relation to the 7card

Programme, art. 6 para. 1 lett. b) of the Data Protection Regulation

Steps to resolve card cancellations or any other issues under the 7card Programme, including any Programme changes (e.g. enrolling new gyms/sports clubs/recreational activities as Partners, removing

other Partners)

Performance of obligations assumed under the Rules, in relation to the 7card Programme, art. 6 para. 1 lett. b) of the Data Protection Regulation

Contacting/corresponding with the Subscriber, upon request/in accordance with our customer

relations policies

Performance of obligations assumed under the Rules, in relation to the 7card Programme, art. 6 para. 1 lett. b) of the

Data Protection Regulation

Contacting/corresponding with the Subscriber in aspects related to customer relations

Performance of obligations assumed under the Rules, in relation to the 7card

Programme, art. 6 para. 1 lett. b) of the Data Protection Regulation

Ensuring the Subscriber’s access to contests organized by Benefit

for Subscribers

Legitimate interest of Benefit

Monitoring the Subscriber’s behaviour and the statement of payments for the services under the 7card Program, in order to improve and diversify the services and benefits provided by Benefit through the 7card

Programme

Legitimate interest of Benefit (business operations), art. 6 para. 1 lett. f) of the Data Protection Regulation

Evaluating products and services provided by Benefit and producing statistics/statements in order to improve and diversify the

services provided by Benefit

Legitimate interest of Benefit (business operations), art. 6 para. 1 lett. f) of the Data Protection Regulation

Reimbursements of costs, as applicable, between: (i) Benefit and Partners, (ii) Benefit and Subscribers, (iii) between Benefit

and Customers.

Legitimate interest of Benefit (business operations), art. 6 para. 1 lett. f) of the Data Protection Regulation

Statistics, reports and statements on the use of the 7card

Legitimate interest of Benefit (business operations), art. 6 para. 1 lett. f) of the

Data Protection Regulation

Prevention of and fight against

fraud (the card is nominal and may only be used by its holder)

Legitimate interest of Benefit (business

operations), art. 6 para. 1 lett. f) of the Data Protection Regulation

Improving and diversifying the services of Benefit

Legitimate interest of Benefit (business

operations), art. 6 para. 1 lett. f) of the Data Protection Regulation

Maintenance and securisation of the www.7card.ro website/

application/platform.

Legitimate interest of Benefit

Company transactions (e.g. purchases, sales) which involve

audits/analyses on the

Legitimate interest of Benefit

contractual relations and/or platforms/databases of Benefit

Defending our rights (e.g. recovery of outstanding amounts, or when protecting our interests against unwarranted

claims/complaints)

Legitimate interest of Benefit, art. 6 para. 1 lett. f) of the Data Protection Regulation

Sending of customised offers for direct marketing purposes, via communication channels such as SMS/email/phone/ push-up notifications in the 7card application

The consent of the Subscriber to the sending of customised offers via the preferred communication channels of the Subscriber (SMS and/or email, push notifications in the 7card application) art. 6 para. 1 lett. a) of the Data Protection

Regulation

Sending of general commercial communications on the services/facilities provided by Benefit

Consent of the Subscriber

The Subscriber may at any time withdraw their consent to receive such communications by accessing the link at the end of the email, or by email at

7card@benefitseven.ro.

Sending of customised offers on the products/services of Benefit Seven S.A., on the basis of the browsing and behaviour of the Subscriber on www.7card.ro, as monitored by cookies

Cookie consent

The Subscriber who does not want to be monitored through cookies for being sent online ads (banners) based on their interests, may reject the setting of a browser cookie for this purpose, by deactivating the browser’s automatic acceptance of cookies. The Subscriber may also reject cookies for the advertising services of browser service suppliers (e.g. Google), by setting the browser to reject cookies originating from the respective domain. For this purpose, Subscribers are asked to read www.youronlinechoices.com/ro/optiunile- mele.

The option to opt-out from targeted online advertising will not stop

advertisements from displaying, but they

will not be customised according to the Subscriber’s interests.

Sending of customised offers based on personalised audiences (per customer lists) in Facebook

Consent of the Subscriber

The consent may be easily withdrawn by

the Subscriber at any time, by email at 7card@benefitseven.ro

Sending of commercial communications on the services/products of Partners or other collaborators of Benefit

Consent of the Subscriber

The consent may be easily withdrawn by

the Subscriber at any time, by email at 7card@benefitseven.ro

Verification of participation, validation of winners and handing out of awards for the online contests carried out on www.7card.ro and from the 7card Programme official Facebook page (for this purpose, we also process: first name, email address, phone number)

We publish the full name of winners on the official Facebook

page of Benefit and/or on our website www.7card.ro.

Consent of the Subscriber to take part in the contests organised by Benefit and receive the respective prizes

Annual financial auditing, submission of tax returns and financial statements with the tax

authorities

Legal obligations of Benefit

Procedures and investigations by the authorities and/or legal

bodies (exceptionally also under official legal procedures)

Legal obligations of Benefit

OTHER CATEGORIES OF DATA IP ADDRESSES

The IP address is a unique identifier used by some electronic devices to identify and communicate with each other over the Internet. When you access our website, we may use the IP address of the device you use with which you access www.7card.ro and/or the 7card application; the internet browser you use and the version of the operating system of the device with which you access the website/application; HTTP/HTTPS protocol data;

We use this information to determine the general physical location of the device and understand from what regions of the world our web visitors come to provide them customised experience.

Benefit shall process, exclusively in order to inform the Subscriber about its proximity in relation to the location of a Partner gym/club/recreation centre, data regarding the location of the Subscriber’s device (location of the mobile phone whose number was indicated upon enrolment in the Programme) at that time, only with the consent of the Subscriber expressly given just before the moment of highlighting the location of the gym/activity club in their proximity. Benefit shall not store/keep equipment location data.

SOCIAL NETWORKS

You have the option to click on the icons dedicated to social networks, such as Twitter, Facebook, Linkedin, etc., which appear on our website.

Social networks create a friendlier atmosphere on the website and help promote the website through sharing. Video sharing services enrich the video content of our site and increase its visibility.

When you click on these buttons, we may have access to personal information which you have made public and accessible through your profiles on the respective social networks. We do not create or use separate databases from these social networks based on the personal information you have published there, and we do not process any data regarding your privacy through these means.

If you do not want us to have access to your personal information published in the public spaces of your profile or social accounts, then you should use the procedures provided by the respective social networks to limit access to this information.

WHO DO WE SHARE YOUR PERSONAL DATA WITH?

Access to personal data processed is limited to persons authorised by Benefit on a need-to-know basis.

We shall not disclose your personal data to unauthorised third parties. Your personal data shall only be available to internal or external third parties who need such access for the purposes listed above or if required by law.

The main categories of data recipients include, but are not limited to:

  1. The Employer (Customer), for and in the execution of the rights and obligations under the Programme Rules and the contract between the Benefit and the Employer;
  2. Companies and entities in the group of companies to which Benefit belongs;

3.Partners – gyms/clubs/recreational activities (only the full name of thedata subject shall be provided, exclusively for the reimbursements ofvisitsandservices providedby them);

  • Our suppliers supplying the following:
    • Document archiving/storage services (including cloud storage service providers),
    • Automated email sending services;
    • Automated texting services;
    • IT development/maintenance services;
    • Billing services;
    • Other types of support services for Subscribers;

Different levels of access to personal data processed on the website and in the 7card application apply to ensure that such personal data is visible only to persons who need such access for the purposes listed above or when required by law.

We do not authorise our service providers to use or disclose your personal information, unless required to provide the services on our behalf or to comply with legal obligations. Furthermore, we may share personal information about you (i) if required by law or a legal procedure to do so, (ii) in response to a request from public authorities or other officials, or (iii) if we believe that the transfer of such data is necessary or appropriate to prevent any physical injury or financial loss or for an investigation into a suspected or proven illegal activity.

INTERNATIONAL DATA TRANSFERS

Currently, our data is stored in locations within European Union countries. Third party service suppliers and/or other contractors, as applicable, may be located in third countries, where data protection laws may not provide an adequate level of personal data protection.

If Benefit discloses your personal data to such recipients (companies/ partners in non-EEA countries – EEA countries being European Union countries, plus Switzerland, Iceland, Liechtenstein and Norway considered to have equivalent laws on privacy law), we shall ensure that, before receiving any personal data, they will provide an adequate level of protection of your personal data, including appropriate technical and organisational security measures. In particular, if the recipients concerned are located in a country which does not offer an adequate level of personal data protection, Benefit will also rely on appropriate legal mechanisms, including the European Commission’s standard contractual clauses, to ensure such a transfer.

For more information, including obtaining copies of documents used to protect the information you submit, please contact us at la 7card@benefitseven.ro.

HOW WILL PERSONAL DATA BE PROTECTED?

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful alteration or loss, or from unauthorized, use, disclosure or access, in accordance with our Group Information and Systems Security Policy.

We take, as appropriate, all reasonable measures based on all reasonable measures based on Privacy by design and Privacy to implement the necessary safeguards and to protect the processing of personal data. We also carry out, depending on the level of risk raised by the processing, a Privacy impact assessment (“PIA”) in order to adopt appropriate safeguards and ensure the protection of personal data. We also offer additional security safeguards for data considered to be sensitive personal data. These measures shall include at least:

  1. administrative and organisational measures to ensure the privacy of persons who actually access the data;

(ii)operationalflowsandprocedurestoensuretheexerciseofrightsfordatasubjects;

  1. secure data hosting environments;
  1. ensuring, through reasonable steps, that our partners/subcontractors define and implement appropriate security measures with respect to the personal data we share.

HOW CAN I ACCESS MY PERSONAL DATA? RIGHTS OF THE DATA SUBJECT

Benefit undertakes to ensure the protection of your rights in accordance with applicable laws. Below is a table summarising your various rights where applicable:

RIGHT TO BE INFORMED

Your right to be informed entitles you to receive clear, transparent, easy- to-understand and easily accessible information on how we process your personal data, including details of your rights as a data subject. This

information is presented in this Policy.

RIGHT OF ACCESS

You may request access to your personal data. You may also request the rectification of inaccurate personal data or complete incomplete personal data.

You may request any available information about the source of your personal data and you may also

request a copy of your personal data processed by Benefit.

RIGHT TO BE FORGOTTEN

Your right to be forgotten entitles you to request the deletion of your personal data where:

  1. the data is no longer required for their collection or processing;
  2. you have chosen to withdraw your consent;
  3. you object to processing by automatic means using the technical specifications;
  4. your personal data has been processed illegally;
  5. there is a legal obligation to delete your personal data;
  6. the deletion is necessary to

ensure compliance with applicable laws.

RIGHT TO RESTRICT PROCESSING

You may request restriction of processing where:

  1. you challenge the accuracy of personal data;
  2. Benefit no longer needs the personal data for the purpose of processing;
  3. You have objected to the processing for legitimate purposes.

RIGHT TO DATA PORTABILITY

You may request, where appropriate, the portability of your personal data that you have provided to Benefit, in a structured, commonly used and machine-readable format. You have the right to transmit this data to another controller without hindrance by Benefit if:

a) the processing of your data is based on consent or on a contract; and

b) the processing is carried out by automated means.

You may also request the direct transmission of your personal data to a third party of your choice (where

technically feasible).

RIGHT TO OBJECT TO PROCESSING FOR DIRECT MARKETING PURPOSES

You have the right to object to (withdraw from) the processing of your personal data (especially for profiling or marketing purposes).

When we process your personal data based on your consent, you may withdraw your consent at any time.

You may withdraw your consent by clicking on the “Unsubscribe” link provided to you in each electronic marketing communication you receive, or by written request emailed at 7card@benefitseven.ro.

The withdrawal of consent shall not affect the lawfulness of the

processing based on consent before its withdrawal.

RIGHT NOT TO BE SUBJECT TO AUTOMATIC PROCESSING

You have the right not to be subject to a decision based solely on automatic processing, including profiling, which has legal or similarly

significant effects on you.

RIGHT TO OBJECT TO PROCESSING BASED ON LEGITIMATE INTEREST

The Subscriber may at any time object to any processing based on our legitimate interest. In the “Legal grounds” section of the table above, you may easily identify the cases where we process personal data based on our legitimate interest. The subscriber may exercise the right to

object by sending a written request by email at 7card@benefitseven.ro.

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

You may choose to lodge a complaint with the Data Protection Supervisor in the country of your habitual residence, place of work or place of the alleged infringement.

If you have a privacy complaint against us, you may send your complaint by email or letter in accordance with our Local Claims and Complaints Policy. If you are not satisfied with our response, you may refer your complaint to the National Authority for the Supervision of Personal Data Processing (https://www.dataprotection.ro/) or

the competent court.

To exercise these rights, you may send your request or complaint following the procedure set out in the Privacy Policy brought to your attention at the time of collection of your personal data or by sending an email to the special contact point for data protection or to the data protection officer at 7card@benefitseven.ro. For more details, see the Data Protection Requests Policy.

You may choose to lodge a complaint with the Data Protection Supervisory Authority of the country of residence (for Romania, www.dataprotection.ro), place of work or place of the alleged infringement, regardless of whether you have suffered damages.

You also have the right to lodge your complaint with the competent courts where Benefit is based or where you reside.

HOW LONG WILL MY PERSONAL DATA BE STORED?

Subscribers’ personal data (including the history of participation in sports/ recreational activities) shall be kept on the Benefit platform (and those in paper format shall be archived to authorised third parties) for a maximum period of 3 (three) years from the last day of validity of a Subscriber’s subscription.

If the contract between Benefit and the Customer terminates, for any reason, the term of 3 (three) years shall run from the date of termination of the contractual relationship between Benefit and the Customer (regarding the data of employees of this Customer/companions of this Customer).

We shall retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected and processed.

This period may be extended, if necessary, for a period provided for by the applicable legal requirements.

HOW WILL I BE NOTIFIED IF THE USE OF MY DATA CHANGES?

If the use of your personal data on the 7card website/application changes significantly, we will issue an updated policy and/or take other steps to notify you of such changes in advance so that you may review and verify if they are acceptable (to the extent necessary) to you.

COOKIES

Some of our websites may use “cookies”. Cookies are portions of text which are placed on your computer’s hard drive when you visit certain websites. We may use cookies to see, for example, if you have visited the website before or if you are a new visitor and to identify features in which you may be most interested. Cookies can enhance your online experience by saving your preferences while you visit a website.

We will let you know when you visit our websites what types of cookies we use, respectively which are the cookies for the installation of which your prior consent is required and how we disable cookies. For more details, please see our Cookie Policy.

CHILDREN’S DATA

Children enjoy specific protection with regard to their personal data, as they may be less aware of the risks, consequences and guarantees involved and their rights with regard to the processing of personal data. Such specific protection should apply, in particular, to the use of children’s personal data for commercial purposes or the creation of user profiles and the collection of personal data concerning children when using services provided directly to a child.

Protecting the privacy of minors is very important to us. Benefit processes strictly the data necessary to ensure the access of Underage Companions to the services of the 7card Programme, in accordance with the 7card Programme Rules. We shall not process the personal data of minors for the creation of profiles in order to send customised offers by SMS, email, or other communication channels, monitoring by cookies or other online tracking techniques necessary to make customised offers.

UPDATES TO OUR POLICY

We may update this Privacy Policy as our business changes or legal requirements change. If we make significant changes to this Policy, we will post a notice on our website/7card application when the changes take effect and, if applicable, send you a direct communication about this change.

CONTACT

If you have any questions, comments or requests regarding this Policy, you may send them by email at: 7card@benefitseven.ro or by letter to Benefit Seven S.A., to the Data Protection Officer at B-dul Dimitrie Pompeiu nr. 9 – 9A, Iride Business Park – clădirea 19, etaj 3, Sector 2, Bucharest.