DATA PROCESSING AGREEMENT (DPA) – Spain Start Up

1. Object

This Data Processing Agreement (hereinafter, the “DPA”) governs the processing of personal data exchanged between Spain Startup and Investor Services S.L. (hereinafter, “Spain Startup”) and the Participant concerning the management and execution of the Collaboration Agreement related to the South Summit event. Both parties acknowledge their status as Controllers under Article 26 of the General Data Protection Regulation (EU) 2016/679 (GDPR).

2. Definitions

1. Personal Data: Any information relating to an identified or identifiable natural person, such as names, contact details, and other information provided by the legal representatives, employees, and other data subjects.
2. Processing: Any operation performed on Personal Data, including collection, recording, storage, use, or transmission.
3. Controllers: Each party that determines the purposes and means of the processing of personal data exchanged and managed independently.

3. Roles and Responsibilities of the Parties

Both parties will act as Controllers and will process the personal data they collect independently in their respective systems. Neither party shall act as a Processor for the other.

4. Data Processed and Purpose

The processing of data is limited to the following:

1. Contact details of the legal representatives of each party, such as name, surname, email address, and position.
2. These data will be processed solely for the following purposes:
   • Execution and management of the Collaboration Agreement.
   • Compliance with the contractual and legal obligations between the parties.
   Data relating to the employees and guests of the Participant will not be exchanged between the parties. These individuals must register directly on the South Summit platform to obtain their accreditation and/or ticket, and Spain Startup will be responsible for the processing of such data in accordance with its privacy policy.

5. Hypothetical Data Transfer by the Participant

In the hypothetical scenario where the Participant provides a list of attendees to Spain Startup, Spain Startup will act as the Controller of such data. This transfer will be considered a data sharing event under the GDPR, and the Participant must comply with the principles set out in the applicable regulations, including, but not limited to:
• Duly informing the data subjects whose data will be shared, specifying the purpose of the data transfer and the rights that can be exercised by the data subjects.
• Obtaining consent, where required, for the data transfer.
• Ensuring that the transfer is carried out in accordance with the lawful bases provided under the GDPR.

6. Access by Instituto de Empresa (IE)

The Instituto de Empresa (IE), as a preferred partner of Spain Startup, may access the personal data of attendees and participants at the South Summit event within the context of the agreed collaborations. In all cases, such access will be conducted in accordance with the provisions of the GDPR and will be limited to the purposes agreed upon within the collaboration, with Spain Startup acting as the Controller of the data accessible by the IE.

7. International Data Transfers

As Spain Startup organises the South Summit event in countries outside the European Economic Area (EEA), including Brazil and South Korea, personal data may be transferred outside the EEA for administrative purposes or in relation to the management of the event.
Spain Startup guarantees that such international data transfers will be carried out with appropriate safeguards in place, in accordance with Articles 44 et seq. of the GDPR, by employing:
• Standard Contractual Clauses (SCCs) adopted by the European Commission.
• Adequacy decisions adopted by the European Commission with respect to the destination country, where applicable.
• Or other mechanisms permitted under the GDPR.
Where such transfers cannot be covered under the aforementioned safeguards, the data subjects will be duly informed, and, where necessary, their explicit consent will be obtained.

8. Principle of Information and Data Subject Rights

Each Party, as a Controller, undertakes to:

1. Inform the data subjects of the following aspects, in accordance with Article 13 of the GDPR:
   • Identity and contact details of the Controller (each Party for the data they handle).
   • Purposes of the processing and the legal basis that underpins it.
   • Recipients of the data, including international transfers where applicable.
   • Retention periods for personal data.
   • Rights of the data subjects, including rights of access, rectification, erasure, objection, restriction of processing, and data portability, as well as the right to lodge a complaint with the relevant supervisory authority (the Spanish Data Protection Agency, in the case of Spain).
2. Data Subject Rights: The parties shall process and respond to requests from data subjects concerning the exercise of their rights and, where necessary, cooperate to ensure that requests are handled appropriately and within the time limits set by the applicable law.

9. Contact Details of the Data Protection Officer (DPO)

Each party must inform data subjects of the contact details of their Data Protection Officer (DPO), where applicable. For Spain Startup, interested parties may submit their inquiries or requests related to data processing to:
• Email: privacy@spain-startup.com
• Reference: “Data Subject Rights”
• DPO: The Data Protection Officer of Spain Startup can be contacted at the email address provided above.

10. Obligations of the Parties as Controllers

Each Party, as a Controller, undertakes to:

1. Collect data in compliance with applicable laws: Both parties must duly inform data subjects about the processing of their personal data, ensuring compliance with Article 13 of the GDPR.
2. Protect the data processed: Implement appropriate technical and organisational measures, in accordance with Article 32 of the GDPR, to ensure the security of personal data.
3. Limit data exchange: The parties commit to limiting the exchange of personal data to what is strictly necessary for the execution of the Collaboration Agreement.
4. Comply with data subject rights: Both parties shall handle data subject requests regarding the exercise of their rights, such as access, rectification, erasure, restriction, objection, and data portability, within the scope of the data processed by each party.

11. Retention and Deletion of Data

1. Data processed under this DPA shall be retained for as long as necessary to fulfil the purposes of the Collaboration Agreement and for the periods required by applicable law, such as the Spanish Commercial Code, which requires certain documents to be retained for at least six years.
2. Upon termination of the Agreement, each party shall delete or anonymise the personal data unless applicable law requires their retention, in which case the data will be stored securely and made available only for legal or regulatory purposes.

12. Security Breaches

Each party undertakes to notify the other party without undue delay of any security breach that may compromise the personal data processed under this DPA. The parties shall cooperate in the management and mitigation of any consequences arising from a security incident.

13. Liability

Each party shall be responsible for its own compliance with the GDPR and applicable law. In the event that a party fails to fulfil its obligations, it shall be liable for any penalty or damage suffered by or caused to the other party as a direct consequence of such non-compliance.

14. Dispute Resolution and Jurisdiction

This DPA shall be governed by Spanish law. Any dispute arising in connection with this agreement shall be submitted to the jurisdiction of the competent courts in Madrid.