evroc data protection policy

Date 2024-12-04

Revision A

Classification Company Confidentiality OPEN

General information on personal data processing evroc processes personal data about natural persons for different purposes.

The processing of personal data must be designed to serve the individual, while the processing must be assessed based on its function and weighed against other fundamental rights.

Regardless of whether the processing of personal data is based on, for example, the data subject's consent, labor law or legal obligation, within the framework of a customer agreement or after a balance of interests, evroc shall take into account the needs and rights of the various stakeholders.

Basic principles (In GDPR) Unless otherwise provided by law, the following principles shall be observed when processing personal data:

• Lawfulness, accuracy and transparency - evroc shall process personal data lawfully and transparently in relation to the data subject.
• Purpose limitation - evroc shall collect personal data for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
• Data minimization - Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed.
• Accuracy - Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
• Storage minimization - Personal data shall not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed.
• Integrity and confidentiality - Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
• Accountability - evroc shall be able to demonstrate compliance with these Core Principles.

Objective evroc's objective is to comply at all times with the rules that follow from applicable legislation such as the Data Protection Regulation (Regulation (EU) 2016/670 of the European Parliament and of the Council), the Data Protection Act with supplementary provisions to the Data Protection Regulation, labor law legislation or sector-specific legislation and industry standards and guidelines and recommendations from relevant institutions.

evroc shall also take into account the expectations that evroc's customers place on evroc with regard to the processing of personal data and act in a trustworthy manner to protect evroc's brand and reputation in the market.

Responsibility and approach The responsibility for processing personal data within a company, such as evroc is the responsibility of all employees or persons employed by evroc. Every person who is involved in the processes where personal data is processed is responsible for keeping up-to-date and acting in accordance with the regulations in force at any given time.

The ultimate responsibility for the processing rests with the CEO of evroc. The CEO at evroc has delegated the daily work to the Data Protection Officer, who is a supporting function to the CEO. However, the responsibility follows the line responsibility, where each line manager is responsible for the processing of personal data that takes place within his/hers business area.

Should any employee at evroc draw attention to deficiencies where you are unsure how the matter should be handled, you should contact the Data Protection Officer at evroc or the CEO at evroc who with confidentiality handles the issue without the individual's identity needing to be known.

Steering evroc has decided that the management of personal data processing shall be based on this policy document. The work with integrity issues is managed within the framework of the operational activities in consultation between different roles within the business operations and functions at a central level with knowledge in, for example, IT, security and law. The work is a prioritized area within evroc's operations and has the full commitment of the group management.

Furthermore, if necessary, instructions must be drawn up to support the processing of personal data that takes place within the group's companies. All deviations from such instructions must be approved by the CEO at evroc, Head of security/CSO or Legal Counsel.