1. Our principles and the purpose of this Privacy Policy

Telefónica Group companies are committed to respecting the privacy of users and the secrecy and security of personal data, in accordance with the provisions of applicable data protection legislation.

Your privacy and the security of your data is our priority. It is part of our DNA and is reflected in the principles that govern our Privacy Policy:

• Transparency: we are 100% transparent with you about the data we collect and/or process about you and explain why we use it and for what purposes. We will not treat your data in an unexpected, obscure or abusive way.

• Control: you are the only one who can control how your data is used. We provide you with the tools to decide at any time how you want us to handle your data, how long you can access and update your personal information, and how you can access and update your personal information.

• Security: we take care to ensure the security, secrecy and confidentiality of your personal data and information. We adopt the most demanding and robust security measures to prevent their loss, alteration, misuse or unauthorised access.

In compliance with these principles, below you will find the sections that make up our Privacy Policy, where we inform you about everything necessary for you to maintain control over your data.

2. Who is the data controller?

Telefónica Open Innovation, S.L.U. (formerly named as “Wayra Investigación y Desarrollo, S.L.U.) (“Telefónica”), company with ID number B86230562 and registered office at Ronda de la Comunicación, SN, C.P. 28050, Madrid will be the data controller for the processing of your data in accordance with what we inform you in this Privacy Policy.

We also have appointed a Data Protection Officer who ensures compliance with applicable data protection legislation at Telefónica, and who can be contacted for any questions, doubts and/or complaints you may have when we process your data, by writing to DPO_telefonicasa@telefonica.com.

3. What data is processed, for what purpose and why do we process the data?

• What for? – Purposes of processing: the purposes of the processing we are pursuing are:

• • To manage this website.
  • To manage contact requests through the “contact us”, “get in touch” or “apply” forms.
  • To manage events and activities related to this website.
  • To send you our newsletters, in which we inform you about highlights and news related to startup calls.

• Why? – Applicable legal basis: the legal basis on which we rely to carry out the purposes are:

• • For the purpose “to manage this website” is the legitimate interest as the owner of the website.
  • For the purpose “To manage contact requests through the “contact us”, “apply” and “get in touch” forms”, your consent provided by clicking the acceptance checkbox.
  • For the purpose “to manage events and activities related to this website” is the execution of the contract which regulate such event or activity.
  • For the purpose “To send you Newsletters”, your consent provided by clicking the acceptance checkbox.

• What data? – Types of data: the data we process for this purpose are name, email, and any other personal data that you may want to include in the open text part of the “contact us” or “apply” form.

• Where the data come from? – Data source: we collect the data directly from you.

• Who do they belong to? – Categories of data subjects: the data we process for this purpose relates to any person interested in contact with us; entrepreneurs, students, etc.

• Who access to your data?

• For how long is the data processed? – Retention periods: the data we process for this purpose will be deleted according to our internal policies, but no more than three years.

4. How long is the data retained?

In general, we will keep your data for the period necessary to comply with each of the purposes described in each processing activity and to determine the possible liabilities that may arise from that purpose.

In any case, your data will be kept in accordance with the retention criteria or specific periods described in each processing activity and, where appropriate, until you withdraw your consent and/or object to the processing of your data. In this regard, we will make our best efforts to provide you with an automatic and simple mechanism so that you can withdraw the consent granted and/or object to the processing and, in any case, we are at your disposal at the e-mail address for exercising your rights as indicated in section 6 of this Privacy Policy.

5. Who is the recipient of the data? are there any international transfers of data?

In order to carry out the processing purposes described above, we may make use of authorised subcontractors acting on behalf of Telefónica, as data processors (e.g., internet service providers, data hosting and technical support providers, e-mail providers, general service providers and physical security service providers, etc.) and contractually subject to our instructions, only for the lawful purposes described above and only for the period of time strictly necessary for that purpose.

Where authorised subcontractors acting on behalf of Telefónica or such recipients are located or process your data outside the European Economic Area, we will be making an international transfer of your data in accordance with applicable data protection legislation. In general, we will avoid international transfers of data and your data will be processed within the European Economic Area. However, in the event that such international transfers are necessary, we will take the necessary organisational, technical and contractual measures to ensure the protection and security of your data, such as, for example, signing the European Commission’s Standard Contractual Clauses with the authorised subcontractor or third party recipient, carrying out impact assessments on the relevant international transfer to assess the risk and adopt measures to mitigate it, encryption of data in transit or at rest, pseudonymisation of the data transferred, the possibility for the data subject to claim damages directly against the authorised subcontractor or third party recipient, etc.

6. What rights do you have as a data subject?

As a data subject, applicable data protection legislation grants you certain rights over your data which, depending on how they apply, you may exercise against Telefónica. Below you will find details of these rights and how you can exercise them. We also inform you that on the website of the Spanish supervisory authority (www.aepd.es) you can find further information on the characteristics of these rights and download templates for exercising each of them.

• Right of access: this is your right to ask us for details of the data we hold about you and how we process it, and to obtain a copy of it.
• Right to rectification: this is your right to obtain the rectification of your inaccurate or erroneous data, as well as to complete incomplete data.
• Right to erasure: this is your right to request deletion or suppression of your data and information in certain circumstances. However, please note that there are certain occasions when we are legally entitled to continue to retain and process your data, for example, to comply with a legal obligation to retain data.
• Right to restriction of the processing: this is your right to restrict or limit the processing of your data in certain circumstances. For example, if you apply to have your data erased but, instead of erasing it, you would prefer that we block it and process it only for record- keeping purposes because you will need it later to file a complaint. Again, please note that there may be times when we are legally entitled to refuse your request for restriction.
• Right to object: this is your right to object to our processing of your data for a specific purpose, in certain circumstances provided for by law and related to your personal situation.
• Right of data portability: this is your right to ask us to receive your personal data in a structured, commonly used, machine-readable and interoperable format and to transfer it to another data controller, provided that we process your data by automated means.
• Right not to be subject to automated individual decisions: this is your right to ask us, in certain circumstances, not to make you subject to a decision based solely on automated processing of your data, including profiling, that produces legal effects on you or similarly significantly affects you.
• Right to withdraw consent at any time: right to withdraw your consent at any time to the processing of your data for a specific purpose, when it is based on said legitimizing basis.

In general, you may exercise these rights at any time and free of charge by contacting Telefónica at privacidad@wayra.com.

It is important to bear in mind that when you exercise a right, in most cases, you must clearly specify which right you are exercising and provide a copy of a document proving your identity.

Any exercise of rights shall be answered within a maximum period of one month, which may be extended by two months if necessary, taking into account the complexity of the request and the number of requests.

Finally, in the event that you do not agree with the way in which your data is handled by Telefónica, you have the right to lodge a complaint with the national supervisory authority by contacting the Agencia Española de Protección de Datos, whose contact details are as follows:

Agencia Española de Protección de Datos

C/ Jorge Juan, 6 – 28001 Madrid

www.aepd.es

7. Further processing of data and changes to the Privacy Policy

Telefónica reserves the right to update this Privacy Policy at any time. Such update will be made public by Telefónica, in any case, with the legally required notice prior to its entry into force. In addition, it will be communicated directly to the data subject in the event that it affects their rights or freedoms or when, for example, the inclusion of a new processing activity requires the consent of the data subject or modifies the scope of the legitimate interest that enables the processing.

Version of July 2022