Each Aliaxis legal entity/affiliate is therefore responsible for completing, implementing and, if needed, adapting this Notice in compliance with applicable local laws and within the framework of its corporate legal independence.

Contents:

1. Purpose of this Notice

2. Definitions

3. Processing of Data Subjects’ Personal Data

4. Data Subjects’ Data privacy rights

5. Inquiries or concerns

6. Updates to this Notice

1. Purpose of this Notice

This Notice is valid from 1st February 2022.

The purpose of this Notice is to lay down the principles that ABS Marketing Services DMCC has adopted regarding the use and protection of its customers’ and suppliers’ Personal Data.

We respect the privacy rights of our customers and suppliers and are committed to handling Personal Data responsibly in accordance with applicable laws. This Notice sets out the Personal Data that we collect and process about you, the purposes of the Processing and the rights that you have in connection with it.

Should you have any questions about the applicable standards, comments or complaints about this Notice, please contact us as explained under section 5 below.

2. Definitions

Personal Data” means any information about an identified or identifiable natural person (i.e. a Data Subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Sensitive Personal Data” means any information relating to a Data Subject’s race or ethnic origin, political or philosophical opinions, religious beliefs, physical or mental health or condition, sexual life, preference or orientation, trade union membership or affiliation, biometric data, genetic information, commission or alleged commission of a criminal offence and any related legal actions or past convictions.

Data Subject” means (i) any representative or business contact of a customer, a supplier, a service provider and/or a distributor, whether existing or prospective; (ii) any natural person which can be considered as an end-customer (final clients, distributors, installers, private individuals…).

3. Processing of Data Subjects’ Personal Data

3.1 General information

We process Personal Data related to Data Subjects whose Personal Data may have been provided to us.

For the purpose of this Notice, ABS Marketing Services DMCC will act as the data controller for your Personal Data. Furthermore, other Aliaxis Companies may also act as data controller for certain processing activities in relation to such Personal Data on a group-wide level.

3.2 Types of Personal Data that we may collect

The types of Personal Data we process about you may include, but are not limited to: identification data and contact details (such as name, address, telephone number, email address, date of birth…), professional details (such as employer, job title, position, office location, etc.), location and electronic data (such as browsing history on Aliaxis’ websites), details about personal and professional life, national identifiers (such as tax ID and VAT number ID/passport, immigration/visa status), IT related information required to provide access to Company web platform or mobile app (such as IP addresses, navigation data and login information), financial details (such as bank account number, credit card details) and any other information which may be voluntarily disclosed by you (such as information related to a Data Subject’s questions or complaints).

In most of the cases, Personal Data is collected directly from you but, in some cases, it may be obtained indirectly from:

• other entities of the Aliaxis Group;

• the Aliaxis Group’s IT/security systems;

• public sources such as company registers and other publicly available information about companies; and

• third parties, if permitted by the applicable law or with your consent (such as the employer of a Data Subject or data brokers).

3.3 Sensitive Personal Data

As a general rule, we will not collect or process any Sensitive Personal Data from you. However, in some circumstances and where required under national law, we may need to collect, or request on a voluntary disclosure basis, some Sensitive Personal Data for legitimate business-related purposes, for example, criminal convictions and offenses (e.g. in case of bankruptcy proceedings) or religious belief (e.g. when we organize travel for a Data Subject, a copy of identity proof is requested to request a visa: in some countries, the passport might disclose information about the religion).

3.4 Lawfulness of the Processing

The legal basis on which we rely to collect and process Personal Data will vary depending on the Personal Data itself and the specific purpose for which such Personal Data is collected.

In general, we will process Data Subjects’ Personal Data on the following legal and legitimate grounds:

• compliance with legal obligations to which we are subject (e.g. contract and tax laws);

• necessity for the conclusion or the performance of a contract with the Data Subject and/or his employer/company (including opening of client accounts, logistics (such as shipping and deliveries), invoicing, management of disputes…);

• where such Processing is in our legitimate interest and is not overridden by the Data Subjects’ data protection interests or fundamental rights and freedoms (e.g. for the general conduct of our business or to manage our customers/suppliers);

• consent of the Data Subject (e.g. when a Data Subject registers to a newsletter).

Where the Processing of Personal Data is necessary to perform a contract with a Data Subject and/or his employer/company (i.e. to manage such relationship) or comply with applicable laws, the provision of Personal Data is a statutory or contractual requirement. Therefore, we will not be able to manage such relationship, nor to comply with applicable laws if the Data Subject does not provide us with such Personal Data.

Where legally required, we will ask the Data Subject to give his/her prior consent in order to process Personal Data (e.g. for the Processing of Sensitive Personal Data).

3.5 Purposes of the Processing

Personal Data is generally Processed for the purpose of managing our relationship with the Data Subject or his employer/company. We may also Process Personal Data for the following purposes:

• customer/supplier account management purposes (management of orders, billing, invoicing, debt collection, etc.);

• promoting, advertising and marketing our products and services;

• providing information to customers (via our newsletters, by email, social media platforms and brand centre);

• responding to requests/complaints from customers/suppliers;

• assessing business performances;

• performing accounting, forecasting, budgeting and financial planning activities;

• managing mobile applications;

• gathering evidence in case of disputes;

• providing technical support services to our customers and after sales services (including technical information about our products);

• managing customer account profiles on our web platforms and mobile apps and giving access to such profiles. For more information regarding the Personal Data we collect online, please refer to our Web Privacy Notice;

• helping us conduct our business more effectively and efficiently and checking and improving the quality of our products and/or services;

• carrying out surveys, satisfaction inquiries and studies with our customers; and

• complying with applicable laws and regulations, or exercising or defending our legal rights.

If we intend to further process Personal Data for a purpose other than the ones described in this Notice, we shall inform Data Subjects and provide any other relevant information prior to starting the Processing.

3.6 Disclosures of Personal Data

We make sure to grant access to Personal Data only to our employees who require such access to perform their tasks and duties, and to third parties who have a legitimate purpose for accessing it. In case we disclose Personal Data to another entity of the Aliaxis Group or to a third party, we will take all necessary steps to ensure an adequate level of protection of such data.

In particular, Personal Data of Data Subjects may be disclosed to the following categories of recipients:

a) Other Aliaxis companies: we may share Personal Data with other entities within the Group in order to develop our relationship with the Data Subjects and/or their employer/company, as well as for other legitimate business purposes such as IT services/security, tax and accounting, and general business management.

b) Third party service providers: we may also disclose certain Personal Data to third parties who provide services to us, such as IT providers, external consultants, lawyers and advisors on a need-to-know basis.

c) Public authorities: we may also disclose Personal Data to public authorities, in accordance with applicable laws.

d) Other third parties: we may also disclose Personal Data to other third parties on other lawful grounds, including:

• where we are legally compelled to do so (for instance, to comply with valid legal processes such as search warrants, subpoenas or court orders, etc.);

• such disclosure is required for the purpose of providing services and/or information to the concerned Data Subjects and/or their employer/company;

• such disclosure is justified by our legitimate interests as defined above;

• such disclosure is related to our regular reporting activities to other Aliaxis Group Companies;

• in connection with the sale, assignment or other transfer of all or part of our business;

• with the Data Subject’s prior consent.

3.7 International transfer of Personal Data

Our Group operates at a global level and, as a result, we may need to transfer Personal Data to group affiliates or third-party service providers located in countries other than the ones in which the Personal Data was originally collected to facilitate the management of our relationship with customers and suppliers globally.

In such case, we will implement appropriate safeguards to ensure that an adequate level of protection for any Personal Data transferred.

Where the transfer relates to Personal Data of European residents to countries outside the European Union (EU) and European Economic Area (EEA), we will take the required measures to provide an adequate level of data protection under EU law, such as entering into EU standard contractual clauses with the party who is receiving the data.

3.8 Protection of the Personal Data

We are committed to ensuring the protection of the Personal Data of Data Subjects. In order to prevent unauthorised access or disclosure or any other unlawful form of Processing of Personal Data, we have set up appropriate physical, technical and procedural measures to protect the Personal Data in its possession.

Access to Personal Data is restricted to authorised employees only in order to fulfil their job responsibilities. Furthermore, we have implemented appropriate technical measures including but not limited to firewalls, anti-virus measures, back-up, and disaster recovery plans, which are designed to provide a level of security appropriate to the risk of Processing Personal Data.

3.9 Retention and Deletion of Personal Data

We shall retain Personal Data in accordance with applicable laws and only as long as it is necessary to fulfil the purposes for which such data are collected. Generally, this means Personal Data will be retained as long as we are in a relationship with the Data Subject and/or his employer/company, plus a reasonable period of time thereafter to respond to inquiries or to deal with any legal matters.

At the end of the retention period, we will ensure that Personal Data is deleted or anonymised, or if this is not possible (for example, because the Personal Data has been stored in backup archives), then we will securely store the Personal Data and refrain from any further processing activity.

4. Data Subjects’ Data privacy rights

Data Subjects have the following rights:

• the right to obtain confirmation as to whether or not Personal Data concerning them are being processed and, where that is the case, the right to access and/or to receive a copy of their Personal Data;

• the right to rectify or update any inaccurate or incomplete Personal Data;

• the right to obtain the erasure of their Personal Data;

• the right to restrict the Processing of their Personal Data on certain legal grounds;

• the right to object to the Processing of their Personal Data on grounds relating to their particular situation, where such Processing is necessary for the purposes of a Company’s legitimate interest;

• the right to opt-out of marketing communications we send to you at any time;

• the right to receive their Personal Data in a structured, commonly used and machine-readable format and to have their Personal Data transmitted to another controller where the Processing is carried out by automated means and is based on the Data Subject’s consent or on contractual terms with the Data Subject or his employer/company;

• the right not be subject to decisions that are based only on automated processing (including profiling) and which produce legal effects or affect Data Subjects.

• the right to withdraw their consent at any time if the Processing of Personal Data is based on their consent. Withdrawing consent will not affect the lawfulness of any Processing that is conducted prior to such withdrawal, nor will it affect the Processing of Personal Data conducted in reliance on lawful Processing grounds other than consent; and

• the right to lodge a complaint with a competent data protection authority.

If you wish to exercise any of the rights described above, please contact us as described under Section 5 below. We will respond to all requests in accordance with applicable data protection laws.

5. Inquiries or concerns

If you have any questions or concerns regarding the manner in which we process Personal Data, or for any further information about this Notice, or if you wish to exercise your data privacy rights, please contact our Data Protection Coordinator at: privacy.ae@aliaxis.com

6. Updates to this Notice

This Notice may be periodically updated to reflect any necessary changes in our privacy practices. The date of the last update is indicated in the first section of this Notice.