Personal Data Protection Policy
at Zoomlion Heavy Industry (Poland) sp. z o.o.
Table of contents
I. Introduction
II. General provisions
III. Definitions
IV. Personal Data Controller’s Declaration
V. Main principles of personal data protection
VI. Roles and responsibilities
VII. Authorizations and records of persons authorized to process personal data
VIII. Information obligation
IX. Area of personal data processing
X. Risk identification
XI. Personal data protection at the design stage and default data protection
XII. Security measures
XIII. Joint administration of personal data
XIV. Entrusting the processing of personal data
XV. Procedure in the event of a breach or suspected breach of personal data protection
XVI. Rules for the processing of personal data in cloud computing and on external servers
XVII. Security rules for the transfer of personal data
XVIII. Sanctions for breach of personal data protection rules
XIX. Final provisions
XX. Appendices
I. Introduction
This Personal Data Protection Policy (hereinafter referred to as the “Policy”) sets out the rules for securing the processing of personal data applicable at Zoomlion Heavy Industry (Poland) sp. z o.o., ul. Sokołowska 47B, 05-806 Sokołów (hereinafter referred to as “Zoomlion”) and applies to all persons who have access to the personal data processed by Zoomlion. It covers the scope of personal data collected and the manner of its protection, describes the organizational and technical measures used to optimize information security, and sets out the mechanisms for the protection of personal data processed both in traditional (paper) files and in electronic systems. In addition, it regulates the methods of updating documentation related to personal data protection, introduces uniform rules for issuing authorizations for the processing of personal data, and formalizes the process of providing information to data subjects.
II. General provisions
1. This Policy is implemented by a resolution of the Management Board in order to standardize the processes related to the processing of personal data at Zoomlion and to define the rules for the proper performance of the duties of the personal data controller and the proper protection of personal data processed at Zoomlion.
2. This Policy applies to the protection of all personal data processed at Zoomlion in a traditional manner (on paper, in files, indexes, books, lists, and other records) and using IT systems, including when data is processed outside of a data set.
III. Definitions
The terms used in this Policy shall have the following meanings:
a) Policy – this Personal Data Protection Policy at Zoomlion;
b) GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
c) PUODO – President of the Personal Data Protection Office, a state authority appointed to protect personal data;
d) Personal data – any information relating to an identified or identifiable natural person, i.e. a natural person whose identity can be determined, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Information shall not be considered as enabling the identification of a person if doing so would require excessive costs, time or effort;
e) Personal Data Controller (ADO; also referred to in this Policy as the Personal Data Administrator) – Zoomlion; the Management Board acts on behalf of the ADO;
f) Management – the person or persons operationally designated at Zoomlion who hold a managerial position in a given organizational unit or office and who are responsible, within that area, for the functioning of the personal data system or set;
g) Personal data set – an organized set of personal data accessible according to specific criteria, regardless of whether the set is centralized, decentralized, or dispersed functionally or geographically;
h) Processing of personal data – any operation performed on personal data, such as collection, recording, storage, processing, alteration, disclosure, and erasure, in particular those performed in information systems;
i) Information system – a set of interrelated devices, programs, information processing procedures, and software tools used for data processing;
j) Data deletion – destruction of personal data or such modification that does not allow the identification of the data subject (e.g. anonymization of data);
k) Consent of the data subject – a statement of intent to consent to the processing of personal data of the person making the statement; consent may be withdrawn at any time;
l) Data recipient – anyone to whom personal data is disclosed, with the exception of:
• the data subject,
• persons authorized to process the data,
• state authorities or local government bodies to whom the data is disclosed in connection with proceedings;
m) Third country – a country not belonging to the European Economic Area; the transfer of personal data to a third country requires the fulfillment of additional obligations specified by law;
n) IT System Administrator (ASI) – a person or team supervising the operation of the IT system and performing activities on it that require special authorizations, acting on behalf of the Personal Data Controller;
o) System User/User – a person authorized to work in the IT system in accordance with their scope of authorization;
p) Authorized Person – any Zoomlion employee or associate who has been granted written authorization by Zoomlion to process personal data.
IV. Personal Data Controller’s Declaration
1. The Personal Data Controller understands the need to take special care to ensure the security of personal data as well as to operate in accordance with the law and in accordance with accepted standards in the field of personal data security, and declares that it collects and processes data only for legitimate purposes specified in this Policy and takes the necessary measures to prevent unauthorized access to data. To this end, rules for the processing of personal data at Zoomlion are introduced and updated on an ongoing basis.
2. The Personal Data Administrator undertakes to implement and apply technical and organizational measures at Zoomlion to ensure the protection of the personal data being processed, appropriate to the risks and categories of data covered by the protection, in particular to protect such data against access by unauthorized persons, processing in violation of the law, and alteration, loss, damage, or destruction.
3. The Personal Data Administrator undertakes to take appropriate steps to ensure that personal data, throughout the entire period of its processing, is:
a) processed in accordance with the law,
b) collected for specified, lawful purposes and not further processed in a manner incompatible with those purposes,
c) factually correct and adequate in relation to the purposes for which they are processed,
d) stored in a form which permits identification of the data subjects for no longer than is necessary for the purposes of processing.
4. The Personal Data Controller, after considering the legitimacy of all organizational and technical measures for the protection of personal data and their proportionality, has decided not to appoint a Data Protection Officer. The Personal Data Controller undertakes to monitor the security of personal data protection on an ongoing basis and to appoint a Data Protection Officer immediately after identifying such a need.
V. Main principles of personal data protection
1. The principles of personal data processing security introduced by this Policy are intended in particular to ensure:
a) confidentiality, understood as the property ensuring that personal data are not made available to unauthorized persons,
b) integrity, understood as the property ensuring that personal data has not been altered or destroyed in an unauthorized manner,
c) accountability, understood as the property ensuring that the actions of an entity with regard to personal data can be attributed unambiguously only to that entity,
d) availability, understood as the property ensuring that personal data will be accessible and usable upon request, within the set time, by an authorized person.
2. The principles set out in this Policy and in related documents shall be known and applied by Zoomlion employees and associates who process personal data of which Zoomlion is the controller, as well as data for which Zoomlion is the processor. In particular, every employee/associate authorized to process data is required to take appropriate measures to protect data against loss or unauthorized alteration, access, or disclosure.
3. Employees/associates are aware of the possibility of personal data breaches, comply with procedures related to the presence of unauthorized persons in areas where personal data is processed, and respond appropriately to situations that raise suspicion of a breach of information security and the Policy.
4. Each person processing personal data at Zoomlion receives written authorization from the Personal Data Administrator before being allowed to process personal data.
5. Before commencing the processing of personal data, each employee/associate shall be familiarized with the rules for the processing of personal data applicable at Zoomlion, in particular with the applicable provisions of law on the protection of personal data, the Policy, and the rules for the use of IT equipment and systems used for the processing of personal data, the rules for access to premises where personal data is processed, the procedure to be followed in the event of a breach of personal data protection or the IT system, and the liability for personal data breaches, as well as the rules for the processing of personal data provided for in the GDPR.
6. Persons authorized to process data are obliged to keep the personal data collected at Zoomlion confidential, as well as the methods used to secure it.
7. Each person processing personal data is responsible for its ongoing protection to the extent consistent with their authorization, competence, or role in the data processing process.
8. Zoomlion employees/associates are required to report any suspected or observed violations and weaknesses in the personal data processing system to the IT System Administrator, Management, or the direct Personal Data Administrator.
VI. Roles and responsibilities
A. Duties and powers of the Personal Data Controller
1. The Personal Data Controller is responsible for the processing and protection of personal data at Zoomlion in accordance with the law, including the implementation of procedures to ensure the proper processing of personal data.
2. The Personal Data Administrator is authorized to process all personal data processed at Zoomlion in accordance with applicable law in this regard.
3. The Personal Data Administrator is responsible for the division of tasks and responsibilities related to the organization of personal data protection at Zoomlion, accepting and approving the necessary documents required by generally applicable law or the current state of affairs regulating the protection of personal data at Zoomlion (including the Policy and Instructions for the Management of the IT System processing personal data), providing the necessary resources and tools to implement the Policy effectively and monitoring its compliance.
4. The Personal Data Administrator shall provide persons processing personal data at Zoomlion with initial and periodic training on personal data protection and the risks associated with its processing, with particular emphasis on data processing in IT Systems.
5. The duties of the Personal Data Administrator shall include:
a) ensuring compliance with personal data protection regulations,
b) implementing the necessary procedures regarding the rules for processing personal data at Zoomlion,
c) ensuring that persons authorized to process personal data are familiar with the provisions on personal data protection.
6. Furthermore, in accordance with the GDPR, the Personal Data Administrator is primarily responsible for ensuring that processing is carried out in accordance with the GDPR and for being able to demonstrate this effectively. To this end, it shall implement appropriate and effective technical and organizational measures:
a) which ensure the highest level of protection known and achievable at the time of data processing;
b) which are reviewed and updated where necessary, taking into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons, of varying likelihood and severity;
c) which, where proportionate in relation to the processing activities, include the implementation of appropriate data protection policies by the controller.
B. Responsibilities and powers of the Information System Administrator (ASI)
1. In order to ensure proper and reliable control over the security of personal data processed at Zoomlion, an Information System Administrator (ASI) shall be appointed, who shall be responsible for compliance with the security requirements of information systems processing personal data.
2. A professional person responsible for Zoomlion’s IT services has been appointed to perform the duties of the ASI on the basis of a separate agreement.
3. The duties of the ASI include, in particular:
a) supervising the security and compliance with this Policy of data processing in IT systems, databases, and computer equipment;
b) configuring systems, installing and updating software;
c) supervising, detecting and eliminating system malfunctions;
d) assisting and cooperating with external specialists in installation, configuration and repair work, if such work needs to be performed by an external entity;
e) supervising the repair, maintenance and disposal of computer equipment on which personal data is stored;
f) verifying the correctness and accuracy of backup copies and their recoverability in the event of an incident or failure;
g) checking that the ICT security measures in place are resilient and up to date;
h) supervising the provision and verification of the emergency power supply for computers and other devices affecting the security of data processing.
4. The ASI is also responsible for verifying the systems used to process personal data in terms of the requirements of the GDPR, i.e. ensuring that they provide the following functionalities:
a) pseudonymization, encryption, and anonymization of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) regular testing, measurement and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.
C. Responsibilities and competences of management
1. Management is responsible for determining and ensuring an appropriate level of security, taking into account the risks and categories of data processed in a given Collection/IT System, and for establishing the authorizations for processing data in the collection/system and the rules for verifying these authorizations.
2. In addition, each person, in particular the Management, is responsible for ensuring compliance with this Policy and other procedures implemented regarding the rules for the collection and processing of personal data at Zoomlion.
3. In order to ensure that data is stored in a form that allows the identification of data subjects for no longer than is necessary to achieve the purpose of processing, Management shall, in each case, determine the period for which personal data shall be stored in the Databases/Systems, up to a maximum of the period necessary to achieve the purpose for which the data was collected, unless a legal provision requires Zoomlion to store such data for a longer period. After the specified period, the data will be deleted or anonymized in such a way as to prevent identification of the data subjects.
D. Obligations and responsibilities of Users
1. The system user is responsible for complying with the security requirements set out in the law and this Policy, as well as for processing data in accordance with their scope of authorization and privileges in a given IT system.
2. The duties of each person authorized to process personal data include, in particular, exercising due diligence to protect the data and applying, to the greatest extent possible, all available means of personal data protection, eliminating the risk of unauthorized access to the workstation. In addition, the duties of each person include, in particular:
a) processing personal data in accordance with applicable law and accepted regulations;
b) acting in accordance with established internal regulations concerning the processing of personal data;
c) keeping personal data and information about the means of its protection confidential;
d) informing the Personal Data Administrator, through their supervisor or directly, of any suspected or observed violations and weaknesses in the personal data processing system.
E. Authorization of persons to process personal data
1. Before allowing a Zoomlion employee/associate to perform tasks related to the processing of personal data, the ADO shall:
a) familiarize the employee/associate with the provisions on personal data protection, this Policy, and other internal regulations applicable in this regard at Zoomlion;
b) obtain from the employee/associate a signed commitment to keep personal data and the means of securing it confidential and to process personal data in accordance with applicable regulations, as well as a statement of familiarity with this Policy and the Instructions for Managing the IT System used to process personal data at Zoomlion. A template of this statement is attached to this Policy;
c) grant the employee/associate formal authorization to process personal data within a specified scope.
2. The statements and authorizations referred to in section 1 above shall be kept in the personal files of the employee/associate.
VII. Authorizations and records of persons authorized to process personal data
1. Procedure for issuing authorizations:
a) on behalf of Zoomlion (Personal Data Controller), individual authorizations to process personal data for individual employees shall be granted by the Management;
b) authorizations shall be issued in writing (electronic form, i.e. email, is acceptable) and/or on paper at the request of the immediate superior or of the ADO;
c) if it is necessary to grant authorization to process personal data to a new employee, the immediate superior of that person shall submit a written request (it is acceptable to submit the request in electronic form, i.e. a business email) to the Personal Data Administrator, indicating the scope of the requested permissions in the IT system for the new employee (if the permissions are to be standard, it is sufficient to indicate the group of permissions determined by the position in the given organizational unit);
d) the ADO issues a written authorization to create the appropriate permissions in the IT system (a business email is acceptable);
e) after the authorization is issued and the permissions are granted, the employee may begin work.
2. The authorizations referred to above shall remain valid until the termination of the employment relationship or the duties related to the processing of personal data, unless otherwise specified in the authorization.
3. Zoomlion shall ensure that a record of persons authorized to process personal data is kept (electronic form is acceptable).
4. The register of persons authorized to process personal data shall include:
a) the first and last name of the person authorized to process personal data;
b) the scope of authorization to process personal data;
c) the ID number, if the authorized person is registered in the IT system used for the processing of personal data;
d) the date of granting and expiry of the authorization.
5. Each granting of authorization to a new User for a file/system should be previously reported by the ADO to the register.
6. Any change in the information contained in the register should be immediately updated in the register.
7. The Management is responsible for reporting authorizations to the person keeping the register. Changes in the scope of authorizations shall be recorded on an ongoing basis by the Management; supervisors and HR staff are responsible for immediately reporting to the ADO any persons who have lost their access rights or authorization to process personal data.
VIII. Information obligation
1. The Personal Data Controller is obliged to fulfill the information obligation in every case of data collection. The information clause should inform the person whose data is collected primarily about:
a) the contact details of the ADO;
b) the legal provision on the basis of which the processing takes place;
c) if the processing is based on the legitimate interest of the ADO or a third party, this interest must be indicated;
d) if the processing is based on the consent of the data subject, the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal;
e) where the data have not been obtained directly from the data subject, the source of the personal data and, where applicable, whether they come from publicly available sources;
f) information on the intention to transfer the data to a third country or international organization and on whether the European Commission has found that country or organization to ensure an adequate level of protection. In the event of transfer to a country that does not guarantee an adequate level of protection, information shall be provided on the appropriate or suitable safeguards and on the possibilities of obtaining a copy of the data or the place where the data are made available;
g) the period for which the personal data will be stored, or, if this is not possible, the criteria for determining this period;
h) the right to request from the ADO access to personal data concerning the data subject, rectification, erasure or restriction of processing, and the right to object to processing, as well as the right to data portability;
i) the right to lodge a complaint with the PUODO;
j) automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the expected consequences of such processing for the data subject.
2. The information clause described in paragraph 1 above shall not apply in cases where:
a) there is a specific provision that allows the processing of data without disclosing the actual purpose of their collection;
b) the data subject already has the information referred to in point 1.
3. In the case of personal data being collected from an entity other than the data subject, the data subject shall be informed, immediately after the collected data have been recorded, of:
a) the address of the registered office and full name of the ADO;
b) the purpose of data collection, and in particular, the recipients or categories of recipients of the data known to the ADO at the time of providing the information, if the data will be made available to other entities;
c) the source of the data (i.e., where or from whom Zoomlion obtained the personal data, e.g., from another person, another entity, from publicly available sources);
d) the right to access the content of their personal data;
e) the rights of the data subject under the law, in particular:
• the right to submit a written, reasoned request to cease processing their data due to their particular situation,
• the right to object to the processing of their data in cases provided for by law.
4. The information obligation described in section 3 above does not apply in the following cases only:
a) there is a specific provision that provides for or allows the collection of personal data without the knowledge of the data subject;
b) the data collected is necessary for scientific, educational, historical, statistical or public opinion research, its processing does not violate the rights and freedoms of the data subject, and compliance with the information obligation would require excessive effort or jeopardize the achievement of the research objective;
c) the data subject already has the information in question.
5. The information obligation may be fulfilled by placing it on the Privacy Policy website to the extent provided therein. The Privacy Policy is attached to this Policy.
IX. Area of personal data processing
1. Personal data may only be processed in areas of personal data processing, which consist of office premises and buildings where Zoomlion conducts its business.
2. A detailed list of areas of personal data processing is attached to the Policy.
3. The provisions of paragraph 1 do not exclude the possibility of personal data being processed outside the areas of personal data processing by an employee/associate using business equipment.
4. The authorization to process personal data in the manner referred to in paragraph 3 should be granted in the authorization referred to in Chapter VII.
X. Identification of threats
1. Depending on the source of a potential threat, the following groups are distinguished:
a) external random threats – e.g. natural disasters, floods, power outages – their occurrence may lead to data destruction, loss of data integrity and damage to the technical infrastructure of the system; in this case, the continuity of the system is disrupted, but there is no breach of data confidentiality;
b) internal random threats – e.g. hardware failures, administrator errors, software errors – the continuity of the system may be disrupted, and data may be destroyed or its confidentiality compromised;
c) deliberate threats – the most serious threat to data confidentiality, usually without disruption to the continuity of the system or damage to the infrastructure.
2. The personal data processing system has been designed to allow connection to the public network, therefore the risk of external access to the system has been subject to a special analysis. However, internal threats are more serious and their occurrence may lead to significant losses and disruptions in the operation of the system. Threats from the company’s own employees are also identified. Defining a list and the extent of threats allows for the introduction of methods and rules to prevent them, appropriate to the type of threat and the risk of its occurrence, as well as the implementation of appropriate security measures.
3. Cases classified as a breach, or as a justified suspicion of a breach, of IT system security, subject to constant monitoring, include in particular:
a) random or unforeseen external events (e.g., gas explosion, fire, flooding, construction disaster, robbery, terrorist act, undesirable actions of a repair crew, etc.);
b) inappropriate operating environment (e.g., excessive humidity, excessive temperature, electromagnetic field interference);
c) damage to equipment or software directly indicating intentional action aimed at violating data protection, improper operation of the service, or the mere fact of leaving service technicians unattended;
d) the occurrence of an alarm from a part of the system directly responsible for the protection of resources;
e) low data quality in the system or other deviation from the expected state indicating system disruption or other extraordinary and undesirable modification in the system;
f) occurrence of a breach or attempted breach of system integrity;
g) occurrence of an unacceptable change to personal data in the system;
h) disclosure to third parties of personal data or confidential data processing procedures or other protected elements of the security system;
i) a non-accidental deviation from the established work rhythm indicating a breach or abandonment of personal data protection;
j) discovery of an unauthorized account for access to the system;
k) deletion or copying of data in an unauthorized manner;
l) gross violation of work discipline in the field of information security procedures (e.g. leaving the workplace without first logging out or securing the workplace, leaving personal data on a photocopier or printer, leaving a room with a computer unlocked, working on data for private purposes, etc.).
4. Risk analyses related to the occurrence and severity of a possible incident shall be carried out by the ADO or a person designated by him/her.
XI. Personal data protection at the design stage and default data protection
1. When planning processes that will involve the processing of personal data, it is necessary to carry out an assessment of the personal data protection requirements under the GDPR.
2. The assessment shall take into account:
a) the state of the art;
b) the cost of implementation;
c) the nature, scope, context and purposes of the processing;
d) the risk of infringement of the rights or freedoms of natural persons, of varying likelihood and severity, resulting from the processing.
3. The process may only be launched if the personal data protection requirements are met.
4. In order to take data protection into account at the design stage and to apply data protection by default, the Controller shall implement appropriate organizational measures.
XII. Security measures
1. After thorough analysis, Zoomlion has selected specific security methods and technical conditions to be applied to ensure optimal security of the personal data processed, depending on the current level of risk.
2. The following organizational and physical security measures are applied, among others:
a) entrance doors secured with a lock and an internal personal identification system;
b) personal data processed in paper and electronic form is stored in rooms secured with additional lockable doors, to which only authorized persons have access;
c) the area where personal data is processed is protected by appropriate physical security measures, in particular by ensuring that the external walls of the rooms are of solid construction and that the external doors are adequately secured against unauthorized access by means of security mechanisms (alarms and locks);
d) the data processing area is protected against unauthorized access. Access by third parties is only possible under the supervision of an authorized person;
e) main data storage and processing centers, such as server rooms and archives, are classified as critical areas with restricted, regulated access. Critical areas must be adequately protected against fire, flooding, etc.;
f) access to rooms where personal data is processed is restricted by doors equipped with locks;
g) the room where personal data is processed should be protected against fire by a free-standing fire extinguisher;
h) paper data and electronic media containing personal data shall be protected against unauthorized access in cabinets located in a specially designated area separated from rooms where third parties may be present without the supervision of authorized persons;
i) documents containing personal data shall be destroyed mechanically using document shredders after they are no longer needed;
j) backup/archival copies of personal data files shall be stored in a dedicated archive located in a separate room or cabinet;
k) monitors and computer screens on which personal data is processed in the Company should be positioned in such a way as to prevent unauthorized persons from viewing the screens; employees/co-workers are required to follow a clean desk and screen policy when working with personal data;
l) when leaving the workplace, documents containing personal data should be stored away and computer screens locked (e.g. using a password-protected screen saver);
m) printouts should be removed from the printer immediately, and working, incorrect or outdated printouts should be destroyed immediately using a paper shredder or other means ensuring their effective removal or anonymization;
n) the processing of personal data on portable computers requires the application of and compliance with the rules for data processing outside the processing area, as described in the IT System Management Manual for the processing of personal data at Zoomlion.
3. In terms of hardware security and IT and telecommunications infrastructure, Zoomlion uses measures such as:
a) fire extinguishers, hydrants, and smoke detectors to protect the IT infrastructure system used for processing personal data;
b) securing access to the operating system of the computer on which personal data is processed by means of a password authentication process;
c) equipping each workstation with antivirus software to protect against malicious software such as worms, viruses, Trojan horses, and rootkits;
d) the standard firewall included with the Windows operating system, to protect access to the computer network;
e) prohibition of the use of company equipment for private purposes;
f) securing information carriers that remain in the room after work against removal by an unauthorized person or destruction, by locking them in a lockable cabinet to which only the user of the equipment has access;
g) the obligation to secure information carriers containing personal data and computer equipment taken home by employees against unauthorized access, and to make every effort to protect such equipment against destruction, etc.;
h) the use of automatic screen savers and the obligation for employees to lock unused workstations; a workstation is locked automatically during an employee’s prolonged absence if the employee has not secured the computer themselves;
i) in order to protect against the loss of stored data, regular backups are performed, and Zoomlion has designated persons responsible for securing data in the event of an incident or random event that could disrupt the continuity of data processing;
j) the server and each workstation are equipped with antivirus protection.
4. In order to maximize the security of the personal data processed, the following security measures, among others, have been selected within the software tools and databases:
a) measures have been used to record changes made to individual elements of the personal data set;
b) measures have been used to determine access rights to the specified scope of data within the personal data set being processed;
c) access to the personal data set requires authentication with a password; cryptographic measures are used to protect personal data; and only the private key and the corresponding certificate used for VPN connections may be imported onto the workstation.
5. The following rules apply to organizational measures for securing the personal data being processed:
a) persons employed in data processing have been familiarized with the provisions on personal data protection;
b) persons employed in personal data processing have been trained in IT system security;
c) persons employed in personal data processing are required to keep it confidential;
d) a record of persons authorized to process personal data is kept;
e) only persons with appropriate authorization have access keys to the office and are authorized to open and close the areas of personal data processing listed in the appendix;
f) Zoomlion has a “clean desk” policy.
XIII. Joint administration of personal data
1. Where the Controller determines the purposes and means of processing personal data jointly with another entity or entities, joint arrangements must be made between the entities acting as joint controllers. Such arrangements may take the form of, in particular, a contract or other agreement between the parties.
2. The agreements must specify the respective responsibilities of the joint controllers for fulfilling their obligations under the GDPR, in particular with regard to the exercise of the rights of data subjects and the fulfillment of the information obligations referred to in Articles 13 and 14 of the GDPR, unless the responsibilities and scope of the joint controllers are determined by Union law or the law of the Member State to which the joint controllers are subject. The arrangements shall also indicate the contact point for data subjects. The main content of the arrangements shall be made available to the data subjects.
3. In order to comply with the obligations relating to joint control, the Controller shall verify the rules of cooperation with other entities in order to determine whether joint control of data with other entities occurs.
XIV. Entrusting the processing of personal data
1. The processing of personal data is entrusted when Zoomlion, as the personal data controller, commissions another entity to perform tasks in which that entity will have access to such data and will carry out operations on it, such as collection, recording, storage, processing, alteration, disclosure, and deletion, in particular operations performed in IT systems. The entity entrusted with the processing of personal data may process such data only on behalf of and with the consent of the ADO, which remains the controller of such personal data.
2. In order to ensure control over personal data and in compliance with the provisions of the Act, the ADO shall ensure that the entrusting of personal data processing takes place only after the conclusion of a written personal data processing agreement with the entity entrusted with the processing of such data. The ADO shall keep a register of entities to which it has entrusted the processing of personal data.
3. The contract for the processing of personal data shall specify, in particular, the purpose and scope of the processing of personal data. Such provisions may be part of a general cooperation agreement.
4. Each contract for the processing of personal data and contracts on the basis of which information is exchanged shall include, inter alia, the following elements:
a) the identity of the data controller;
b) identification of the entity processing the data on behalf of the controller;
c) a statement by the data controller confirming that it has the right to decide on the purpose and means of processing the entrusted data;
d) the subject matter and duration of the processing;
e) the nature and purpose of the processing, the type of personal data entrusted and the categories of persons to whom the entrustment relates (i.e. specifying what data, in what quantity and in what form are entrusted);
f) a statement by the processor that it has the technical and organizational security measures required by law to ensure that the processing of data complies with the provisions, in particular that:
• it has implemented appropriate technical and organizational measures to ensure that the processing of the data entrusted to it complies with the GDPR and protects the rights of the data subjects,
• the measures implemented are at least at the same level as those of the ADO and have been selected and applied on the basis of a risk and threat analysis,
• it ensures regular testing, measurement, and evaluation of the data protection measures implemented,
• it has trained and obliged the personnel who will process the data to maintain confidentiality,
• it informs the controller of any legal obligation requiring it to transfer the entrusted data to a third country or international organization; in such a situation, the controller has the right to withdraw the entrustment;
g) rules for further entrusting (sub-processing): whether the ADO agrees to further entrusting and, if so, to which entities the data will be entrusted and whether further entrusting is planned (the processor is obliged to inform the ADO of any further entrusting and to obtain its consent);
h) determination of the responsibility of the processor for any further transfer, including for the conclusion of an appropriate contract and ensuring that the processor provides a level of protection not lower than that provided by the controller;
i) the obligation (to the extent possible) to assist in fulfilling the information obligations towards the data subject;
j) the obligation to delete or return the data after the processing has been completed;
k) the right to be audited by the ADO;
l) the obligation to immediately inform the ADO of any breach or suspected breach of the confidentiality of the entrusted data.
5. The personal data processing agreement does not exclude Zoomlion’s responsibility for the security of such personal data.
6. The transfer of personal data to third countries outside the European Economic Area shall take place after the ADO has verified the relevant legal requirements applicable in this regard.
7. The ADO may entrust the verification referred to in paragraph 6 to the Management Board.
8. The ADO shall only use the services of entities that provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and protects the rights of data subjects.
XV. Procedure in the event of a breach or suspected breach of personal data protection
1. Before commencing work, Zoomlion employees and associates are required to check the condition of IT equipment and inspect their workstation, paying particular attention to any circumstances indicating a breach or attempted breach of the protection of personal data processed in IT systems and in non-IT collections (in paper form).
2. The following circumstances may be considered a breach or suspected breach of data protection or of a personal data processing system:
a) inadequate physical security of premises, computer equipment or documentation;
b) failure to comply with personal data protection rules (e.g., failure to apply the clean desk/screen rule, password protection and change, failure to lock rooms and cabinets containing documents);
c) random events (e.g., fire, flooding, power failure) and breakdowns;
d) intentional incidents (e.g., system intrusion, theft of equipment);
e) unauthorized access or attempted access to personal data or the premises where it is located;
f) unintentional alteration or loss of data stored on backup copies;
g) unauthorized access to personal data (signal of illegal login or other indication of an attempt or action related to illegal access to the system);
h) disclosure of personal data or parts thereof to unauthorized persons;
i) a state of the IT system or premises other than that left by the user after finishing work;
j) loss of data carriers, i.e. loss or theft of IT equipment or external media containing personal data (e.g. computer printouts, CD-ROMs, hard drives, external memory devices, etc.);
k) leaving unauthorized persons unattended in places where personal data is processed and easily accessible;
l) transferring personal data during a telephone conversation without verifying whether the caller is authorized to obtain such information;
m) disposing of handwritten notes or documents in ordinary waste bins without using a paper shredder.
3. In the event of a breach or circumstances indicating a breach of personal data protection, the person who identifies the breach is required to:
a) refrain from starting or continuing work, as well as from taking any action that may result in the destruction of traces or other evidence of the breach;
b) secure elements of the IT system or documentation, primarily by preventing unauthorized persons from accessing them;
c) take appropriate and necessary measures to prevent further threats that may result in the loss of personal data;
d) immediately notify the ADO, Management and ASI of the breach if it concerns data processed in the IT system; follow the instructions of these entities.
4. In the event of a breach or circumstances indicating a breach of personal data protection, the ADO shall:
a) determine the scope and causes of the threat and its possible consequences;
b) assess the situation, taking into account, in particular, the condition of the premises where personal data are processed and the condition of the equipment;
c) hear the account of the person who made the notification and of other persons involved in the incident;
d) recommend preventive measures to eliminate similar incidents in the future;
e) decide on the course of further proceedings, depending on the scope of the breach or the validity of the suspicion of a personal data breach;
f) document the proceedings;
g) assess the risk of a possible violation of the rights and freedoms of natural persons as a result of the situation;
h) analyze the incident in order to prevent its recurrence in the future;
i) record each incident.
5. If the personal data breach is the result of a breach of Zoomlion’s work discipline, the ADO shall clarify all the circumstances of the incident and take appropriate action against the persons who committed the breach.
6. The ADO may delegate all or some of the tasks listed in sections 4 and 5 to the Management or a third party.
7. Detailed procedures in the event of breaches are set out in the Data Breach Reporting Procedure attached to this Policy.
XVI. Rules for the processing of personal data in cloud computing and on external servers
1. Before transferring Zoomlion resources containing personal data to cloud processing, a risk assessment must be carried out in the context of personal data processing in the cloud, in particular the possible risk of ADO’s lack of control over the data and insufficient information about the processing operations themselves.
2. Zoomlion must obtain from the cloud service provider full information about all physical locations of the servers on which Zoomlion’s personal data will be processed. Information about any change in the location of data processing should be provided to Zoomlion in advance so that it can consider compliance with the regulations and data security risks, in particular if the data is to be transferred to third countries.
3. Zoomlion should be able to review the documentation regarding the security policies and technical measures used by the cloud service provider to protect personal data.
4. Zoomlion is required to have full information about subcontractors and entities cooperating with the cloud provider, and each of these entities should be bound by the same contractual clauses as the cloud provider.
5. If Zoomlion uses the services offered by the cloud provider, it shall sign a personal data processing agreement governing the scope of data transfer and management.
6. Zoomlion shall specify in the agreement with the cloud service provider the rules for the processing of personal data in the cloud, the retention and deletion of such data, and the reporting of incidents, as well as all methods and means of securing personal data.
7. If the entity providing servers to Zoomlion is not aware of the type of data processed on these servers by the ADO and is unable to access this data, Zoomlion should at least contractually oblige this entity to comply with data security rules.
8. In the case of foreign entities as cloud service providers or hosting service providers, Zoomlion shall ensure that the contract with the service provider contains provisions ensuring that personal data will be protected no less than at Zoomlion and in accordance with Polish data protection regulations.
9. A detailed description of the security measures and methods and procedures used for the processing of personal data is contained in the IT System Management Manual, which is attached to the Policy and is used for the processing of personal data at Zoomlion.
XVII. Security rules for the transfer of personal data
1. When transferring information or documents containing personal data, Zoomlion employees and associates are required to observe the following security rules:
a) use cryptographic techniques when transmitting data via public telecommunications networks;
b) ensure the protection of personal data being transferred against interception, copying, modification, and destruction by using appropriate technical and organizational measures and due diligence;
c) before verbally transferring personal data, ensure that the person you are talking to is authorized to obtain the specific personal data;
d) exercise particular caution during telephone conversations to avoid unauthorized persons overhearing personal data;
e) do not leave messages containing personal data on answering machines.
2. The transport of personal data in electronic and paper form between areas where personal data is processed should be carried out by authorized persons in a manner that limits the possibility of unauthorized persons obtaining and reading the data.
XVIII. Sanctions for violation of personal data protection rules
1. An employee who discloses or uses personal data in a manner contrary to its intended purpose (e.g., using personal data for private purposes) or processes it in a manner inconsistent with the procedures adopted by Zoomlion, in particular this Policy, may be punished with a warning or a reprimand.
2. In the event of a serious breach of the obligation to keep personal data confidential or to process it in a manner grossly contrary to the accepted rules and procedures, Zoomlion may terminate the employment contract without notice due to the employee’s fault.
3. Sanctions for disclosure of confidential personal data shall apply mutatis mutandis to disclosure by an employee of information relating to the security of personal data at Zoomlion.
4. Zoomlion’s associates shall be liable for any breach of this Policy in accordance with the provisions of their cooperation agreement with Zoomlion.
5. Any person required to comply with this Policy may be required to remedy any damage resulting from a breach of this Policy.
XIX. Final provisions
1. This Policy and related documents are subject to periodic review and update by the DPO. Ad hoc reviews shall be carried out as necessary, in particular whenever there is a change in the factual or legal situation relating to the processing of personal data, organizational changes at Zoomlion, and when necessary as a result of changes introduced following security incidents and/or the results of internal and external audits.
2. The Personal Data Controller is authorized to periodically review and update the records of personal data files and IT systems used for personal data processing.
3. All Zoomlion employees and associates are required to strictly comply with the provisions of this Policy when processing personal data. Where other procedures applicable at Zoomlion contain provisions separate from those in this Policy, employees and associates shall apply the more extensive provisions, i.e. those ensuring a higher level of personal data protection.
XX. Appendices
1. The following appendices are attached to the Policy:
a) Register of processing activities,
b) Privacy Policy,
c) Breach Reporting Procedure,
d) Data Retention Policy,
e) Data Retention Instructions,
f) IT Systems Management Instructions
2. Amendments to Appendices a), c), d), e) and f) shall be made by notifying the ASI and the Management Board in the manner accepted by the employer.
3. Amendments to Appendix b) shall be made by publishing the amended version on the website.
4. In addition, amendments to Appendix f) shall be consulted with the ASI.