Privacy Policy
Personal Data Protection Policy Statement
TEAMWILL places the protection of personal data at the heart of its mission and the services it provides. Accordingly, TEAMWILL is committed, in compliance with applicable regulations, to implementing appropriate measures to ensure the protection, confidentiality and security of the personal data of every individual from whom data is collected.
This Personal Data Protection Policy is intended to inform you of the commitments made by TEAMWILL to safeguard your personal data. Respect for fundamental rights and personal data protection rules is an integral part of TEAMWILL's ethical values.
The General Data Protection Regulation ("GDPR"), applicable across all Member States of the European Union, strengthens the rights of natural persons over their personal data through a harmonised framework of data protection principles within the European Union.
The GDPR introduces a new principle of "accountability" for both private and public sector actors, requiring them to demonstrate that they have implemented appropriate measures to ensure compliance with data protection rules.
These new requirements are reflected in particular in the appointment of a Data Protection Officer ("DPO"), the maintenance of a register of personal data processing activities (the records of processing) to document compliance, and the implementation of enhanced security measures.
In order to honour its commitments to its clients — particularly those in the European Union — TEAMWILL is required to comply with the GDPR. Failure to comply with these rules may result in severe penalties and reputational damage.
In response to these new challenges, TEAMWILL's senior management has decided to adopt a policy designed to ensure the protection of the personal data of employees, clients and suppliers, in accordance with its Code of Ethics.
Personal data protection is an asset in support of our digital transformation and contributes to sustaining the trust of our employees, clients and partners. It represents a significant challenge for the long-term conduct of our business.
The DPO, reporting to the IT Department (DSI), is responsible for enforcing this Policy on behalf of TEAMWILL.
I therefore call upon all employees to mobilise in ensuring its proper implementation.
Chief Executive Officer
Objectives
Terms and Definitions
GDPR
Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC, published on 4 May 2016 in the Official Journal of the European Union.
Personal Data
Means any information relating to an identified or identifiable natural person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Processing of Personal Data
Means any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction.
Scope of Application
Entities, Employees and Subcontractors Subject to the Policy
This Policy applies to all TEAMWILL stakeholders carrying out activities in both national and international territories.
This Policy applies to all employees, including occasional workers, and to all subcontractors (data processors), within the meaning of the GDPR, who process personal data.
Personal Data and Processing Activities Covered by the Policy
The Policy covers personal data held in any paper or digital format that is hosted or processed, in particular:
• on any IT infrastructure: servers in a data centre or in the cloud, workstations or smartphones;
• via applications, databases or data warehouses;
• via portals accessible on the internet or on the intranet;
• via connected devices or smart grids, as well as digitalisation projects.
The Policy applies to all processing activities involving the personal data of employees, clients, suppliers or partners that is collected, used or transferred by TEAMWILL employees.
Governance & Oversight
Each employee must comply with this Policy. The DPO is responsible for disseminating the Policy throughout the company and its teams, and for ensuring its implementation.
The DPO establishes a governance framework aimed at implementing the organisational measures required by the GDPR and enabling the effective deployment of this Policy.
a. Raising Awareness and Promoting a Data Protection Culture
The Data Protection Officer:
• Leads or oversees, in a structured manner, awareness-raising activities targeting management and employees — including staff involved in processing operations — regarding the rules to be observed in relation to the protection of personal data.
• Ensures that compliance efforts are presented as productive and positive, rather than merely as constraints.
• Ensures that data subjects are informed of the processing operations involving their personal data, as well as of their rights.
b. Ensuring Compliance with the Legal Framework
The Data Protection Officer independently monitors compliance with Tunisian and European regulations (GDPR), other provisions of Union or Member State law, and the internal data protection rules of the controller or processor, including the allocation of responsibilities. The DPO's analysis and advice extend to subcontractors and service providers involved in processing activities decided by the controller.
The DPO provides guidance to the relevant business teams and, where necessary, to the controller, and issues reasoned and documented opinions and recommendations. To carry out these tasks, the DPO is provided by the controller with all necessary information and is given adequate resources.
The Data Protection Officer is, in particular, closely involved in the following matters:
• Data Protection Impact Assessments (DPIAs);
• Privacy by Design (incorporating privacy considerations from the outset of any project);
• Notification of data breaches and communication with data subjects (contact point: dpo@teamwillgroup.com).
The DPO must be consulted before any new processing activity is implemented or any material change is made to an existing processing activity, and may make any recommendation to the controller.
c. Informing and Advising the Controller; Raising Alerts Where Necessary
The Data Protection Officer promptly informs the controller of any risk to the organisation or its management that may arise from operational initiatives or from failure to follow the DPO's recommendations. To this end, the DPO may make any recommendation to the controller and submit requests for arbitration (it being the controller's responsibility to decide whether to proceed with a processing activity notwithstanding the DPO's recommendations). The DPO ensures that a procedure is formalised to notify the controller directly of any major non-compliance.
d. Analysis, Investigation, Auditing and Monitoring
The Data Protection Officer conducts, commissions or oversees, in a structured and independent manner, any action necessary to assess the organisation's level of compliance, to identify any non-conformities (their severity, potential impact on data subjects, origin, responsibility, etc.), and to verify adherence to the legal framework and the proper application of procedures, methods and instructions relating to the protection of personal data.
e. Establishing and Maintaining Documentation under the Accountability Principle
The Data Protection Officer establishes and maintains documentation relating to personal data processing activities (including the records of processing activities), in accordance with the controller's accountability obligations, and ensures that such documentation is accessible to the supervisory authority.
f. Acting as Mediator for Data Subjects
The Data Protection Officer receives, via dpo@teamwillgroup.com, complaints from data subjects in respect of the processing activities for which the DPO has been designated, and ensures that data subjects' rights are upheld. The DPO handles these complaints and grievances impartially, or implements the procedures necessary to ensure they are properly addressed.
g. Liaising with the Supervisory Authority
The Data Protection Officer serves as the primary point of contact for the supervisory authority, with which the DPO communicates independently on matters relating to the processing activities carried out by the organisation that appointed them, including the prior consultation referred to in Article 36 of the GDPR, and may conduct consultations, as appropriate, on any other matter.
Data Protection Principles under the GDPR
Accountability
Under the accountability principle set out in the GDPR, TEAMWILL commits to:
• Being able to document at any time the manner in which it ensures the protection of personal data;
• Implementing appropriate technical and organisational measures in order to demonstrate that each personal data processing activity complies with the GDPR and applicable national and international legislation.
In practice, this principle is implemented through the following measures:
• Appointment of a DPO, where such appointment is required under the GDPR or applicable regulations;
• Maintenance of an internal register of personal data processing activities, mapping the processing carried out by employees;
• Data Protection Impact Assessments (DPIAs), in the mandatory cases provided for under the GDPR;
• Privacy by Design: incorporating personal data protection from the outset of any new relevant project;
• Implementation by employees of appropriate procedures in the event of risks arising from personal data processing activities linked to their work.
Specified, Explicit and Legitimate Purposes
Personal data must be processed lawfully, fairly and transparently. It must be collected for specified, explicit and legitimate purposes and must not be further processed in a manner incompatible with those original purposes.
Each employee must pay particular attention to the processing of special categories of personal data (sensitive data) that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, or data concerning a person's health, sex life or sexual orientation.
Each employee may only process such personal data with the explicit consent of the data subject, or in cases expressly authorised by applicable legislation and the GDPR.
Relevance, Proportionality and Data Minimisation
Personal data processed by employees must be accurate, relevant and limited to what is necessary for the purposes for which it is collected.
Lawfulness of Personal Data Processing
Each employee remains responsible for ensuring the lawfulness of the personal data processing activities they carry out.
For personal data processing to be lawful within the meaning of the GDPR, it must be based on one of the following grounds:
• Compliance with a legal obligation to which TEAMWILL is subject;
• Performance of a contract to which the data subject is a party;
• Legitimate interests pursued by TEAMWILL, unless overridden by the interests, fundamental rights or freedoms of the data subject;
• The data subject's express consent for one or more specific purposes, in the cases provided for by the GDPR.
Transparency and the Right to Information
The DPO must ensure that data subjects are informed of personal data processing activities, by means of the notices required under the GDPR, through any medium that enables concise, transparent, intelligible and easily accessible communication.
Where data is collected directly from the data subject, the information must be provided at the time the personal data is obtained.
Where data is collected indirectly, data subjects must be informed within a reasonable period not exceeding one month from the date of collection, and in any event no later than the first communication with the data subject or prior to any disclosure to a third party.
Limited Retention Periods
Each TEAMWILL employee is responsible for ensuring that personal data is not retained beyond the period necessary for the purposes for which it was processed, in compliance with applicable legislation.
Where personal data is no longer required for the purposes that justified its processing, it must be erased or anonymised.
Rights of Data Subjects
TEAMWILL is committed to facilitating the exercise of the rights conferred on data subjects under Articles 15 to 22 of the GDPR.
Right of Access, Rectification, Restriction, Erasure and Objection
Data subjects have the right to access, rectify and restrict the personal data held about them, the right to erasure (right to be forgotten), the right to object to processing, and the right to data portability, under the conditions set out in the GDPR.
These rights may be exercised at any time. The procedures for responding to the exercise of these rights are specified by the DPO.
Each employee must ensure that data subjects affected by their personal data processing activities are genuinely able to exercise their rights.
Security of Personal Data
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks — varying in likelihood and severity — to the rights and freedoms of natural persons, TEAMWILL commits to implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Classification, Confidentiality Level and Security of Personal Data
Personal data is classified in accordance with TEAMWILL's "Information Classification Policy", which is available on the TEAMWILL intranet.
Documents containing routine personal data are to be classified at the "internal" level.
Documents containing special categories of personal data (sensitive data) are to be classified at the "confidential" level.
In addition, each employee must take the necessary measures — having regard to the nature of the personal data, the context and purposes of the processing — to ensure a level of security appropriate to the identified risks.
The level of security must ensure the confidentiality, integrity and availability of personal data, and minimise any risk of destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Personal data being processed must be protected in accordance with the security guidelines and access control policy available on the TEAMWILL intranet.
Embedding Personal Data Protection in Project Management
Personal data protection must be integrated into project management processes and, from the design stage onwards, for all new services.
Data Protection Impact Assessment
The controller must carry out a Data Protection Impact Assessment (DPIA) prior to implementing any new personal data processing activity where the criteria set out in the GDPR are met — in particular where the processing involves large-scale processing of special categories of personal data (sensitive data) or the use of new technologies.
Relationships with Subcontractors
TEAMWILL employees who entrust the collection, use or processing of personal data to subcontractors, within the meaning of the GDPR, remain responsible for the protection of that data. Such employees must ensure that subcontractors provide sufficient guarantees with regard to this Policy and the GDPR. Any contract concluded with a subcontractor must define that subcontractor's obligations, including security and confidentiality measures, in accordance with the requirements of the GDPR.
Operational Implementation
The DPO, the IT Department (DSI) and the Information Systems Security Manager support TEAMWILL employees in implementing this Policy.
The following actions are implemented in order to achieve its objectives:
Awareness-Raising and Training
The DPO must ensure that employees have sufficient knowledge to fulfil their obligations under the GDPR and applicable regulations, commensurate with their level of involvement in personal data processing activities.
Given the importance of personal data protection, all relevant staff participate in the awareness-raising activities organised by the DPO.
Provision of Procedures and Deliverables
The Policy is deployed through methodologies, procedures and awareness initiatives tailored to the specific requirements of applicable regulations.
TEAMWILL regularly publishes thematic guides designed to disseminate best practices and to enable the operational implementation of the objectives set out in the GDPR.
Security Event Logging
In accordance with TEAMWILL's security rules, automated logging of security events is in place. The DPO may determine which events are to be logged, taking into account the context, the systems involved (such as workstations, network equipment and servers), the risks, and the requirements of each applicable regulation.
Security Incident Management and Personal Data Breach Handling
The DPO establishes a procedure for reporting security incidents and managing personal data breaches, including crisis management, in compliance with the GDPR and applicable regulations.
The DPO must be notified without delay of any personal data breach within the meaning of the GDPR. Unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects, the DPO ensures that TEAMWILL, as controller, notifies the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach; where notification is made after 72 hours, the reasons for the delay are documented. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the data subjects concerned are also informed without undue delay. Every breach, whether or not notified, is recorded internally together with its facts, effects and the remedial action taken.
Compliance Reviews, Controls, Audits and Sanctions
The technical and organisational measures implemented to ensure the compliance of personal data processing activities are tested, analysed and evaluated to verify their effectiveness.
Internal compliance checks against the GDPR, local regulations and this Policy are carried out on a regular basis. Subcontractors must provide the information necessary to demonstrate compliance with their legal obligations.
The effective conduct of internal controls may, where necessary, be subject to review by the Information Systems Security Manager, with the possible support of TEAMWILL's IT Department (DSI).
The results of these controls may be communicated to the relevant stakeholders and to the Executive Committee (CODIR), and may be made available to the competent supervisory authority in accordance with the GDPR.
Corrective measures adopted in response to any deficiencies identified during a compliance review are documented and updated on a regular basis.
TEAMWILL bears direct responsibility for any sanctions that may result from non-compliance with the GDPR and applicable regulations in connection with its personal data processing activities.