Charter of data processing of the economic partners of Mozzaik365

1. DEFINITION

This personal data protection charter informs you about Mozzaik365's commitments when personal information concerning you is collected via its website and how Mozzaik365 uses it.

## TABLE

2. PREAMBLE

This charter (hereinafter the "Charter") governs the processing of personal data in the context of Mozzaik365's relationships with its business partners. Mozzaik365, concerned with the protection of personal data, is committed to complying with the regulations in force applicable to the processing of personal data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "GDPR") as well as any applicable national regulations (hereinafter the "Regulation").

Every business partner of Mozzaik365 is required to read and fully understand all the commitments listed in this Charter, to adhere to all its principles, and to acknowledge that non-compliance may be considered a serious breach of their contractual obligations. Every business partner is also committed to informing all their direct partners and strongly encouraging them to follow these same principles and codes of conduct.


3. PRINCIPLES RELATING TO DATA PROCESSING

In its business relationships with its economic partners, Mozzaik365 makes every effort to continuously comply with the fundamental principles of the GDPR and assures all its economic partners that the personal data communicated to it is processed lawfully, fairly, and transparently.

Personal data is collected for specific, explicit, and legitimate purposes, and Mozzaik365 undertakes not to process it in a manner incompatible with these purposes.

Mozzaik365 adheres to the principle of data minimization, in accordance with Article 5(c) of the GDPR, which stipulates that only adequate, relevant, and limited personal data necessary in relation to the defined purposes are processed.

4. PURPOSES AND LEGAL BASIS FOR DATA PROCESSING BY MOZZAIK365

## TABLE

FOR ANY SPECIFIC PROCESSING, PARTICULARLY RELATED TO SECURITY (VIDEO SURVEILLANCE, BADGES, ETC.) OR THE USE OF A COMPUTER RESOURCE PROVIDED TO A BUSINESS PARTNER BY MOZZAIK365 (SOFTWARE, HARDWARE, ETC.), THE CONCERNED INDIVIDUALS WILL RECEIVE SPECIFIC INFORMATION INFORMING THEM ABOUT HOW THEIR PERSONAL DATA IS PROCESSED.

5. PERSONAL DATA PROCESSED

As part of our business relationships with our economic partners, these partners may communicate personal data to Mozzaik365, including the data of their employees mentioned in the table above. For more information regarding the processing of your data, please refer to the relevant economic partner's data protection policy.

## TABLE

6. RECIPIENTS

Mozzaik365 is committed to preserving the confidentiality and security of your personal data in accordance with current regulations and ensures that each Recipient adheres to appropriate security and confidentiality guarantees. The Recipients who may receive your personal data within Mozzaik365 entities include:

  • Authorized personnel within Mozzaik365 for processing the data;
  • Individuals responsible for audits (auditors, accountants);
  • External companies contractually bound for the execution of a contract;
  • Public and financial institutions, solely to meet legal obligations;
  • In case of litigation, personal data may be transmitted, as necessary, to those involved in resolving the conflict; legal professionals and judicial officers in the context of debt recovery or other legal actions; judicial or administrative courts to establish, exercise, or defend the rights of Mozzaik365; judicial or administrative courts in execution of an enforceable court decision against Mozzaik365; any individual or legal entity in execution of an enforceable court decision against Mozzaik365.

Authorized service providers may also have access to your personal data in connection with the services they provide, including software solutions or IT resources used to process your personal data (maintenance, support, hosting, security, and control of IT resources, etc.).

7. RETENTION PERIOD

The retention period for your personal data is determined based on the legal and regulatory retention periods and the type of data concerned. Indicatively and not exhaustively, the retention periods for the main documents related to economic partners are as follows:

## TABLE

Mozzaik365 will not retain personal data in a form that allows the identification of the concerned individuals for a period longer than necessary, considering the purpose for which the data was originally collected.

Mozzaik365 may store data for longer periods if the personal data is processed for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes, subject to the implementation of appropriate technical and organizational measures to safeguard the rights and freedoms of the data subjects.

8. SECURITY AND CONFIDENTIALITY

Mozzaik365 implements all technical and organizational measures it deems appropriate, in accordance with Article 32 of the GDPR, to ensure the security and confidentiality of your personal data.

We ensure that each Recipient adheres to appropriate security and confidentiality guarantees. Mozzaik365 raises awareness among its staff members about the security of personal data. For more information regarding the security of your personal data, we invite you to contact our Data Protection Officer (DPO).

9. DATA TRANSFER TO A THIRD COUNTRY

In the event of a transfer of your personal data to a recipient located in a country outside the European Community, appropriate safeguards will be put in place in accordance with the provisions of the GDPR, and Mozzaik365 will inform you by any means.

Transfers of personal data within Mozzaik365 entities not covered by a European Commission adequacy decision are generally governed by the signing of standard contractual clauses.

Mozzaik365 has implemented a data transfer policy. Our Data Protection Officer (DPO) is available for further information.

10. RIGHTS OF DATA SUBJECTS

According to the Regulation, you can access your personal data and request its correction or deletion. You also have the right to object, the right to limit the processing of your personal data, and the right to data portability, if applicable. You can learn more about these rights and the means to exercise them by sending your questions and/or requests to our Data Protection Officer (DPO) by:

  • Mail to MOZZAIK365 SA – 155 rue Anatole France – 92300 LEVALLOIS-PERRET, specifying 'Personal Data' in the subject line
  • Email to dpo@mozzaik365.com

You also have the right to file a complaint with the CNIL, the supervisory authority, currently located at 3 place de Fontenoy, 75007 Paris.

11. COMMITMENT OF ECONOMIC PARTNERS TO MOZZAIK365

Any economic partner processing personal data as a Processor within the meaning of the GDPR on behalf of Mozzaik365, or as a Sub-processor on behalf of one of its clients, undertakes to:

• Sign the personal data processing agreement proposed by Mozzaik365 to comply with Article 28 of the GDPR

• Comply with the Regulation

• Process the Data solely for the specific purpose(s) defined by the Data Controller

• Process the Data in accordance with the documented instructions of the Data Controller. If the economic partner believes an instruction constitutes a violation of the Regulation, they must immediately inform the Data Controller. If the economic partner is required to transfer Data to a third country or international organization under Union law or the law of the member state to which they are subject, they must inform the Data Controller of this legal obligation before processing, unless the relevant law prohibits such information on important grounds of public interest

• Ensure the confidentiality and security of the processed Data

• Ensure that individuals authorized to process the Data are committed to confidentiality and have received the necessary training in data protection

• Consider, in relation to their tools, products, applications, or services, the principles of data protection by design and by default

• Assist the Data Controller, as far as possible, in fulfilling their obligation to respond to requests for exercising the rights of data subjects: right of access, rectification, erasure, objection, limitation of processing, data portability, and right not to be subject to automated individual decision-making

• If data subjects exercise their rights with the economic partner, the economic partner will notify the Data Controller in writing of these requests as soon as they are received

• Immediately notify the Data Controller in writing of any data breach after becoming aware of it. This notification must include all relevant documentation to enable the Data Controller, if necessary, to notify the competent supervisory authority of this breach

• If applicable, provide the necessary assistance (i) to the Data Controller for conducting data protection impact assessments and (ii) for prior consultation with the supervisory authority

• Implement appropriate technical and organizational measures in accordance with the GDPR and communicate these upon request

• Upon completion of services, the economic partner agrees, at the Data Controller's choice, to (i) destroy all Data; or (ii) return all Data to the address provided. In the case of returning the Data, the economic partner will destroy all existing copies in their possession and inform the Data Controller of this destruction

• Provide the Data Controller with the name and contact details of their Data Protection Officer, if appointed in accordance with Article 37 of the GDPR

• Not recruit another Processor without the prior written consent of the Data Controller and/or the Processor, if they are a Sub-processor. If a Sub-processor is authorized to carry out specific processing activities, the same data protection obligations set out in the contract signed with the Data Controller will be imposed on that Sub-processor by contract, particularly regarding the provision of sufficient guarantees for implementing appropriate technical and organizational measures so that the processing meets the GDPR requirements. The economic partner remains fully responsible for the Sub-processor's compliance with data protection obligations

• Commit to processing the Data only within the European Union. If authorized by the Data Controller to transfer the Data outside the European Union to a non-adequate country according to the European Commission, the economic partner agrees to implement appropriate safeguards for this transfer and inform the Data Controller of the appropriate safeguards taken

• Guarantee assistance to the Data Controller and the Processor, if they are a Sub-processor, in maintaining their record of all categories of processing activities

• Provide Mozzaik365 with the necessary documentation to demonstrate compliance with all their obligations

• Agree that the Data Controller and/or the Processor, if they are a Sub-processor, may conduct audits, including inspections, either by themselves or by a third-party auditor they have appointed, and guarantee their cooperation in these audits or inspections

12. INVALIDITY OF CLAUSE

If one or more provisions of this Charter are deemed invalid or declared as such pursuant to a law or other legislative text, or following a final decision by a competent court, the remaining provisions will retain their full force and effect.

13. CHANGES TO THE CHARTER

The Charter may be amended by the Management of Mozzaik365 to take into account recommendations from the CNIL, changes in the law, jurisprudence, computer technology, and more generally, any developments in information and communication technologies.