PERSONAL DATA PROTECTION POLICY SPECIFIC TO DONATIONS

In accordance with the provisions (i) in Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), (ii) in Article 11 of Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights, and. (iii) in articles 32 and 32 bis of Law 10/2010, of April 28, 2010, on the prevention of money laundering and financing of terrorism, the following points are reported:

1º. That the person responsible for the processing is FUNDACIÓN UTÓPIKA (hereinafter, “the Controller”), with Tax Identification Number G-16989576, with registered office at c/Milanesado, nº 33, 1º, 2ª, 08017 Barcelona and registered under number 3253 in the Register of Entities of the Department of Justice of the Generalitat de Catalunya, with the following e-mail address for data protection purposes: compliance@fundacionutopika.com and with telephone number 933.90.97.20.

2º. That is Delegate of Data Protection (DPO) GABINETE MARTINEZ COMIN, S.A., with NIF A08649782, with professional address in c/Aribau, 191-193, 1º 2ª, 08021 Barcelona, with e-mail of contact to the effects of developing this function compliance@fundacionutopika.com and with telephone number 933.90.97.20.

3º. That the purposes of the processing of personal data are or may be: (i) to enable the free contribution of funds or resources in favor of the Responsible Party (hereinafter, Purpose 1); (ii) in all cases, the Responsible Party’s compliance with the obligations established in Law 10/2010, of April 28, 2010, on the prevention of money laundering and terrorist financing (hereinafter, “AML/CFT Law”) and its applicable implementing regulations (hereinafter, Purpose 2); (iii) taking the necessary steps to enable the donor to benefit from the corresponding tax deductions, only in the event that the donor has so requested, and provided that the requirements established for this purpose are met (hereinafter, Purpose 3); (iv) the sending and/or communication of advertising and/or informative information on the activity of the Data Controller, only in the event that prior, express and specific consent has been given by the interested party (hereinafter, Purpose 4); and (v) to enable the processing of data for the purpose of market segmentation with the aim of
in order to execute commercial actions in a manner more in line and consistent with the specific interests of each group of interested parties, so that the interested party may receive commercial communications more in line with their interests, only in the event that prior, express and specific consent has been given by the interested party (hereinafter, Purpose 5).

4º. That Purpose 2 responds to the fact that the Responsible Party is an obligated subject of the AML/CFT Law, by virtue of Article 2.1, letter x). Among its obligations in this regard are the following (i) the application of due diligence measures, which include, with respect to the donor, formal identification and identification of the beneficial owner under the terms established by the regulations, (ii) to inform SEPBLAC (Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias) of the facts that may constitute an indication or evidence of money laundering or financing of terrorism; and (iii) Collaborate with the Commission for the Prevention of Money Laundering and Monetary Infractions and its support bodies.

5º. That the Foundation will not use the personal data collected for purposes other than those foreseen herein.

6º. That the legal basis for the processing of personal data or the lawfulness of the processing of personal data lies in (i) in the case of Purpose 1, on the consent given by the data subject to the processing of his or her personal data for one or more specific purposes (Article 6(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016); (ii) in the case of Purpose 2, in compliance with a legal obligation applicable to the Data Controller (Article 6(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016); (iii) and, in the case of Purposes 3, 4 and 5, on the consent given by the data subject to the processing of his or her personal data for one or more specific purposes (Art. 6.1(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016).

7º. That, in the event that the requested personal data is not provided, (i) in the case of Purpose 1, the donor may not make a gratuitous contribution of funds or resources in favor of the Responsible Party; (ii) in the case of Purpose 2, the donation may not be made; (iii) in the case of Purpose 3, the pertinent steps may not be taken so that the donor may benefit from the corresponding tax deductions, in the event that he/she has so requested, and provided that the requirements established for such purpose are complied with; (iv) in the case of Purpose 4, it shall not be possible to send and/or communicate advertising and/or informative information on the activity of the Data Controller, in the event that prior, express and specific consent has been given by the interested party for this purpose; and (v) in the case of Purpose 5, the data may not be used for the purpose of market segmentation, in the event that prior, express and specific consent has been given by the data subject for this purpose.

8º. That, in the case of Purpose 2, in accordance with the aforementioned legal basis, the consent of the data subject is not required for the processing of personal data, nor is such consent required in the event of a possible communication of personal data to the competent authorities.

9º. That the categories of personal data processed refer or may refer, mainly, to identification data and economic data.

10º. That the Responsible, based on the personal data provided, may collect additional personal data if necessary to comply, on its part, with current regulations on the prevention of money laundering and the financing of terrorism.

11º. That personal data will not be subject to a decision based solely on automated processing (such as profiling) that produces legal effects on the data subject or similarly significantly affects him or her in a similar way.

12º. That the data subject may exercise the personal data protection rights provided by law (access; rectification; erasure; restriction of processing; portability; opposition; the right not to be subject to automated individual decisions, including profiling; and withdrawal of consent at any time) that may be applicable, provided that they do not conflict with compliance with the legal obligations imposed on the Controller, especially with regard to compliance, on its part, with the regulations in force on the prevention of money laundering and terrorist financing. In the event of a collision, the Person in Charge shall merely draw your attention to this fact. To exercise your personal data protection rights, you may send your request to the postal address c/Aribau, nº 191-193, 1º 2ª, 08021 Barcelona, or by e-mail to compliance@fundacionutopika.com. And all of the above, without prejudice to the fact that the interested party may exercise its right to complain to the competent supervisory authority when it deems it necessary.

13º. That the recipients of the personal data are or may be, as the case may be, in accordance with the purposes of the processing indicated, (i) financial entities, (ii) service providers, such as management companies or entities that provide IT and marketing services (iii) the Protectorate, (iv) the Commission for the Oversight of Terrorist Financing Activities, (v) the Commission for the Prevention of Money Laundering and Monetary Offenses, (vi) the SEPBLAC, (vii) any other support body of the Commission other than SEPBLAC, (vii) any competent authority, other than the above, requesting the Controller to disclose certain personal data, including disclosure for law enforcement purposes in the context of a criminal investigation, and (viii) the State Agency of Tax Administration. It is also informed that personal data could be shared with other entities other than the above directly or indirectly linked to the Responsible in cases of compliance with a legal obligation or for internal management purposes.

14º. That the Controller will not carry out international transfers of the personal data collected, that is, that it will not communicate such personal data from the Spanish territory to recipients established in countries outside the European Economic Area (the countries of the European Union plus Liechtenstein, Iceland and Norway). In the event that such international transfers are necessary, the Controller shall inform the data subject beforehand and shall ensure that the Data Processors in question adopt the necessary technical and organizational measures for the protection of personal data.

15º. That the Controller will retain the personal data of the data subject for the following periods: (i) in the case of Purpose 1: for the time necessary to fulfill the purpose for which they were collected and while the statute of limitations of the different actions that may correspond to the parties are in force; (ii) in the case of Purpose 2: in accordance with the provisions of articles 39 and 25 of the PBCyFT Law, it will keep the personal data for a period of 10 years, proceeding to its elimination after that period. After 5 years from the execution of the occasional donation or from the termination of the donation relationship, the personal data retained will only be accessible by the internal control body of the Controller and, where appropriate, by those in charge of its legal defense; (iii) in the case of Purpose 3: for 4 years, in case it becomes necessary to prove compliance with tax obligations and/or the existence of tax rights; and (iv) in the case of Purposes 4 and 5: as long as the data subject does not withdraw his/her consent.