PERSONAL DATA PROCESSING AND PROTECTION POLICY

---

1. What does the personal data processing and protection policy entail?

• The purpose of this Policy is to explain to you what data we process, why we process it and what we do with it.
• Our company uses technical means to store data securely.
• Our company will only disclose personal data in pursuit of your interests and for fulfilling legal obligations.
• We take privacy seriously and never sell lists or email addresses. We make every effort to securely store and process your personal data. We do not provide personal data to third parties without your consent.
• We do not use your personal data to make automated decisions or in automated profiling processes.
• Sending a message through this website confirms that you have accepted the conditions set forth below. If you do not agree with them, please do not continue to access the website and/or send us a message.

---

2. Who we are and how to contact us

PROFESSIONAL INTEGRATION TEAM S.A. COMPANY

• Romania Headquarters: Timişoara, Republicii boulevard, no. 21, 1-st floor, Timiş county
• Headquarters in Germany: Lichtenbergstraße 8, D-85748 Garching bei München
• Email: info@pinteam.eu

---

3. Explanations of the terms and phrases used in this Policy

• Personal data controller - The controller responsible for the processing of personal data within the meaning of the Regulation on the protection of personal data no. 679/2016 is the company Professional Integration Team S.A.
• Data subject within the meaning of the Regulation on the protection of personal data no. 679/2016 - identified or identifiable individual (who can be identified, directly or indirectly, in particular by reference to an identification element: name, identification number, location data, an online identifier, or to one or more specific elements, specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity). The data subject may be the person requesting a service provided by the Controller, as well as any other natural person whose personal data are transmitted to the Controller (for example, a client or potential client, a user of the Controller's website, etc.).
• Processing of personal data means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, examination, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Profiling means any form of automated processing of personal data consisting in the use of personal data to assess certain personal aspects relating to a person, in particular to analyse or foresee aspects concerning the performance at work, the economic situation, health, personal preferences, interests, reliability, behaviour, location or trips of that natural person.
• A personal data security breach or a security breach means a breach of security that causes, accidentally or unlawfully, the destruction, loss, alteration or unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
• In accordance with the provisions of the Regulation no. 679/2016 on the protection of individuals with regard to the processing of personal data, in the relationship between the company Professional Integration Team S.A. and you, you are a data subject and the company Professional Integration Team S.A. has the position of data controller.

---

4. Which personal data do we process?

We collect your personal data requested in the "Contact" section, respectively your e-mail address, which you provide to us when sending a message by using the "Contact" section.

We collect your personal data requested in the "Career" section. You provide your data when submitting an application while using the "Careers" / "Apply" button section. These data are sent to the BambooHR platform that are used just for recruiting purpose.

---

5. Why and how we process your personal data?

We process your email to transmit the data requested within the website, in order to be able to provide you with an answer to the message that you sent to us, for communication with you, for carrying out our legitimate activity.

---

We process the content of the messages written by you on https://pinteam.eu/ website, on our e-mail address and the data transmitted by you because this content is necessary in order to be able to respond personally to you and to provide you with solutions tailored to your specific situation. The collection of these personal data and the texts of the messages written by you on https://pinteam.eu/ website and on our e-mail address is the result of an action by which you choose to send us a message, and the processing of this data will be carried out in accordance with the provisions of art. 6, paragraph 1, letter f) of Regulation No 679/2016 on the processing of personal data, respectively for the legitimate interest of the undersigned, taking into consideration our object of activity.

---

6. What is the legal basis for the processing of your personal data?

The processing of your personal data transmitted by messages in the "Contact" section is represented by Art. 6, paragraph 1, letter f) of Regulation No 679/2016 on the processing of personal data, respectively for the legitimate interest of the undersigned, taking into consideration our object of activity.

---

The storage and archiving of the personal data transmitted by you is carried out by the undersigned pursuant to Art. 6, paragraph 1, letter f) of Regulation no. 679/2016 regarding the processing of personal data, respectively for the fulfilment of the legal obligations of the undersigned.

---

If, as a result of discussions with you, we conclude a contract, it will include an information note regarding the protection of personal data in which all the legal grounds on which your personal data will be processed gradually: service provision, storage, archiving, deletion, etc. will be made known to you.

---

7. About the purposes for which we process personal data

We process your personal data for the purposes described in Section 5.

Our purposes for processing your personal data are:

• real;
• present;
• legitimate.

We inform you before processing your personal data for secondary purposes:

• if we initially collect your personal data for a primary purpose;
• if our secondary purpose is incompatible with the main purpose.

---

8. How long do we keep your personal data?

• We limit the storage time of your personal data at the time of reaching the purposes for which we request your personal data, as well as for the fulfilment of the legal obligations of the undersigned company.

We review the need to continue to retain your personal data, every year we analyse the collected and processed data, in order to filter, sort and maintain the processing only for the data for which the purpose of the processing is current.

• If, as a result of the message sent by you, we conclude a contract, it will include an information note regarding the protection of personal data in which all the legal grounds on which your personal data will be processed gradually: service provision, storage, archiving, deletion, etc. will be made known to you.

---

9. Do we disclose your personal data?

• Our company does not disclose your personal data, unless a contract is concluded and this is necessary for the implementation of the contract or there are certain legal obligations incumbent on the undersigned company that involve the disclosure of your personal data.
• We remind you that we guarantee the strict confidentiality of your personal data and the messages you send us, maintaining your privacy is an essential value for us.

---

10. Do we transfer your personal data outside the EU or EEA?

We do not transfer your personal data:
- in countries outside the EU or EEA;
- to international organisations outside the EU or EEA.

---

11. Is your personal data safe?

We keep your personal data safe:

• with appropriate technical measures;
• with appropriate organisational measures;
• with an adequate level of security;
• with measures against unauthorised processing;
• with measures against unlawful processing;
• with measures against accidental or illegal loss;
• with measures against accidental or unlawful destruction;

If we have a reasonable degree of certainty that there has been a breach of the security of the processing of your personal data, then:
- we report the security incident to the management of our company.
- immediately, a person responsible shall:
A. analyse whether the breach of security may have unfavourable effects for you;
B. inform the relevant staff of the undersigned company;
C. determine to what extent it is necessary to notify the Supervisory Authority about the security incident;
D. determine whether it is necessary to provide you with information about the security incident.
- we are investigating the security incident.
- we try to prevent the security incident from leading to:
A. accidental or unlawful destruction of personal data;
B. accidental or unlawful loss of control of personal data;
C. accidental or unlawful loss of access to personal data;
D. accidental or unlawful alteration of personal data;
E. unauthorized disclosure of personal data;
F. unauthorized access to personal data.
- we make every effort to mitigate the immediate risk of damage.
- we notify the Supervisory Authority about the security incident, if the violation is likely to lead to a high risk for your rights and freedoms.
- we inform you about the security breach:
A. if the breach is likely to result in a high risk to your rights and freedoms;
B. as soon as possible;
C. by appropriate contact channels, for example by e-mail, on our website, etc.
- we are not obliged to inform you directly if:
A. we have taken steps to make your personal data be incomprehensible to any person who is not authorized to access it;
B. as soon as possible;
C. immediately after the security incident, we have taken steps to ensure that the high risk to your rights and freedoms is no longer possible to occur;
D. it would involve disproportionate efforts from the part of the undersigned company.

---

12. What are your rights in relation to your personal data?

According to Regulation no. 679/2016 on the protection of personal data, as a data subject you benefit from a cumulation of rights, namely:

• The right to information and access to personal data: the right to obtain a confirmation as to whether or not personal data concerning you are being processed and, if so, access to that data.
• The right to rectification: the right to request the Controller and to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or to obtain the completion of personal data that are incomplete.
• The right to delete the data ("the right to be forgotten"): the right to obtain the deletion of personal data concerning you, without undue delay, in the cases specified in the Regulation no.679/2016.
• The right to restrict the processing: the right to obtain the restriction of the processing in certain cases.
• Right to data portability: the right to receive personal data concerning you and to transfer it to another controller.
• The right to object: the right to oppose at any time the processing of personal data concerning you, under the conditions of Regulation no. 679/2016.
• The right not to be the subject of a decision based solely on automatic processing, including the creation of profiles, which produces legal effects that concern you or similarly affect you to a significant extent.
• The right to address with a complaint to the National Supervisory Authority for the Processing of Personal Data (ANSPDCP) if you consider that your data have not been processed in accordance with the legal provisions.

The rights listed above are not absolute. There are exceptions, so each received request will be analysed so that we can decide whether it is well-founded or not. To the extent that the request is well-founded, we will make it easier for you to exercise your rights. If the request is unfounded or there is a legal reason, we will reject it, but we will inform you of the reasons for the refusal and of the rights to file a complaint with the Supervisory Authority and to address the competent courts of law.

---

13. How can you enforce your rights?

• We invite you to communicate with us about the exercise of your rights on the protection of your personal data.
• We only accept written requests, as we cannot deal with verbal requests immediately, without first analysing the content of the application and without first identifying you.
• Your request must contain a detailed and precise description of the right you wish to exercise.
• You must provide us with a copy of an identification document to confirm your identity, for example:
  - identity card
  - passport.
• Using the information in your identification document:
  - is limited to the activity of confirming your identity;
  - it will not generate a storage of your personal data more than necessary for this purpose or for the legitimate interest, to which you have consented by providing the document.
• If we make every effort and fail to identify you, and you do not provide us with additional information to help us identify you, we are not obliged to comply with your request.
• You can submit your request regarding the protection of your personal data to:
  - the e-mail address: info@pinteam.eu
  - directly at our headquarters.
• You will receive our response to your requests concerning the protection of your personal data on our web form directly to your contact addresses officially communicated to us: e-mail.
• We inform you that the undersigned company will respond to your requests by the same manner of communication in which you will send us the requests (post, e-mail, etc.), unless you indicate in the request a less expensive means of communication for the undersigned company.
• We have implemented policies that ensure that a request for the protection of your personal data is effective and settled within the terms specified by law.
• We will try to respond to your request within 1 month of the receipt of the request. However, the term can be extended under the law, by 2 months, depending on different aspects, such as the complexity of the request, the large number of applications received or the impossibility to identify you within a useful time. If we are unable to reply to you within the 1-month period, within this period we will inform you of the extension of the deadline for replying and of the reasons for the extension.
• However, if we consider that your applications are substantially unfounded, excessive in particular because of their repetitive nature, then:
  - Either we will refuse to comply with the request;
  - Either we will ask you to pay a fee taking into account the administrative costs for filtering the requested information or for communicating it, or for taking the requested measures.

---

For even more details you can examine all the following legal acts:

• Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data.
• Law no. 506/2004 concerning the processing of personal data and privacy in electronic communications.