This Data Privacy Policy (“Policy”) represents the minimum standards that MiCommV FZ LLC and
its affiliates (“MiCommV”) have set with respect to data privacy, for ensuring that MiCommV
collects, uses, retains and discloses Personal Data in a fair, transparent and secure way.
This Policy aligns with (and in some cases exceeds) the main requirements of applicable laws and
regulations. This Policy is also aligned with other specific policies of MiCommV relating to the
collection and use of information or of Personal Data implemented by MiCommV to cover the
specific Personal Data processing purposes needed for the day-to-day activity (e.g. cookies policy,
specific local policies). This Policy acknowledges that certain MiCommV affiliates are located in
countries with varying legal and cultural approaches to privacy and data protection. This Policy
may thus be supplemented by other policies and procedures in certain geographic regions as may
be appropriate to comply with applicable laws and meet cultural norms.
In the event of a conflict between this Policy and the local applicable privacy policies and/or
applicable local law as relevant, or inapplicability of the provisions of this Policy, the local
applicable policy and local law should prevail.
Some useful definitions are provided in Section 2 of this Policy for your ease of reference.
1. What is the scope of this Policy?
1.1 The Policy covers all Personal Data in any form, including but not limited to electronic
data, paper documents and disks and all types of processing, whether manual or
automated, that is under the possession or control of MiCommV, in all geographic areas
where MiCommV operates. This will include information held about MiCommV members,
partners, employees, consultants, clients, suppliers, business contacts and any third
parties.
1.2 MiCommV cares about protecting minors and has implemented certain reasonable
measures to prevent the processing of the Personal Data of minors. Therefore, MiCommV
does not process Personal Data from minors knowingly. If MiCommV is informed or
becomes aware that MiCommV processes Personal Data of minors, MiCommV will
immediately delete it.
1.3 This Policy also applies to any Third Party who performs services for or on behalf of
MiCommV and who is expected to embrace standards of conduct consistent with the
principles of this Policy.
2. Definitions.
2.1 MiCommV shall mean MiCommV FZ LLC and its affiliates.
2.2 Third Party shall mean a third party who receives from MiCommV or who is otherwise
entrusted with Personal Data on behalf of MiCommV, for example suppliers, contractors,
sub-contractors and other service providers.
2.3 Data Subject shall mean an identified or identifiable person whose Personal Data is being
processed by MiCommV.
2.4 Informed Consent shall mean any freely given specific and informed indication of the
Data Subject’s agreement to the processing of his/her Personal Data.
2.5 Personal Data shall mean any information capable of identifying a natural person,
directly or indirectly, in particular by reference to an identification number or to one or
more factors specific to his or her physical, physiological, mental, economic, cultural or
social identity. Data is considered personal when it enables anyone to link information to a
specific person, even if the person or entity holding that data cannot make that link.
2.6 Sensitive Data are a subset of Personal Data, which due to their nature have been
classified by law or by an applicable policy as deserving additional privacy and security
protections.

2.7 Process / Processing shall mean any operation or set of operations that is performed
upon Personal Data, whether or not by automatic means, including, but not limited to
collection, recording, organization, storage, access, adaptation, alteration, retrieval,
consultation, use, disclosure, dissemination, making available, alignment, combination,
blocking, deleting, erasure, or destruction (and Process shall be interpreted accordingly).
3. How does MiCommV ensure the Lawfulness, Fairness and Transparency of our
data processing?
3.1 Personal Data is processed on the basis of legal grounds with the informed knowledge of
the Data Subjects.
3.2 MiCommV will only use Personal Data:
– if necessary to perform a contract with the Data Subjects (e.g. employees, contractors,
clients, suppliers etc.);
– if required to comply with a legal obligation;
– where MiCommV has a legitimate business need or a legitimate business reason to use
Personal Data as part of our business activities (e.g. when carrying out a Know Your
Client processing); or
– where MiCommV has the Data Subject’s Informed Consent when it is specifically
required. For instance where required by law (e.g. to send marketing information
through electronic communication means) or by applicable policy, MiCommV may need
to obtain the consent of Data Subjects in order to collect, use, retain and disclose their
Personal Data. This may also be the case where no other valid grounds described
above is applicable. In particular, MiCommV will not sell Personal Data for marketing
purposes without appropriate consent and/or legal basis.
3.3 MiCommV considers that it is important to assess the privacy risks before MiCommV
collects, uses, retains or discloses Personal Data, such as in a new system or as part of a
project.
3.4 MiCommV will only Process Personal Data in the way described in its privacy notices or
privacy policies and in accordance with any Informed Consent MiCommV may have
obtained from the Data Subject.
3.5 MiCommV will not carry out profiling activities based on automated decision making,
unless legally grounded on a requirement of applicable law or the performance of a
contract or the Data Subject’s consent and provided that suitable safeguards are
implemented to protect the Data Subjects’ rights.
3.6 MiCommV uses cookie technology on its websites to allow it to evaluate and improve their
functionality. Cookies could also be used for advertising or analytics purposes, subject to
consent and depending on the choice made by using the cookie control tool. For more
information about how MiCommV uses cookies, please read the online [Privacy Policy and
Cookie Policy].
3.7 Where legally required, MiCommV will ensure that Data Subjects are provided with
relevant information concerning the processing of their Personal Data, unless it is
impossible to provide such information or doing so requires disproportionate effort.
Such information will notably include the purposes of the data
processing, the types of data collected (if the data have not been obtained directly from
the Data Subject), the categories of recipients, the list of rights which may be exercised by
the Data Subjects, the consequences of a failure to reply, the conditions of the transfer of
personal data outside EU, if any, and the mechanism used to protect the data in the event
of a transfer, etc. This requirement may be satisfied by issuing a privacy notice to Data
Subjects at the point where Personal Data are originally collected from them. Privacy
notices shall be written in language which provides Data Subjects with a clear
understanding as to how their Personal Data will be used.

4. Specific and legitimate purpose, Data Minimization and Accuracy.
4.1 Personal Data will only be collected and processed for legitimate purposes, complying with
the Personal Data Minimization principle and ensuring the accuracy of the Personal Data
processed.
4.2 Personal Data will be collected for specified, explicit and legitimate purposes (which could
be multiple) and not further processed in a manner that is incompatible with those
purposes.
4.3 MiCommV carefully evaluates and defines the purposes of the Personal Data Processing
before launching a project (e.g. management of HR data, management of recruitment
data; payroll purpose, accounting and financial management, risk management,
management of employees’ safety, allocation of IT tools and any other digital solutions or
collaborative platforms, IT support management, health and safety management,
information security management, client relationship management, bids, sales and
marketing management, supply management, internal and external communication and
events management, compliance with anti-money laundering and anti-bribery obligations
or any other legal requirements, data analytics operations, implementation of compliance
processes, management of mergers and acquisitions, etc.).
4.4 MiCommV will ensure that the Personal Data collected is relevant, adequate and not
excessive in relation to the purpose of the Data Processing and its eventual use (insights,
marketing, promotions, etc.). This means that only necessary and relevant information for
the purpose sought can be collected and processed.
4.5 When collecting Sensitive Data, proportionality is fundamental. For instance, there is no
need to request information on the nationality of a consumer when he/she places an order.
MiCommV does not collect Sensitive Data (or Special Categories of Data), unless required
by applicable law or subject to the Data Subject’s prior express consent.
4.6 Every reasonable step will be taken to ensure that Personal Data are maintained in an
appropriately accurate and up-to-date form at every step of Personal Data Processing (i.e.
collect, transfer, storage and retrieval).
4.7 MiCommV encourages Data Subjects to help keep their Personal Data up to date by
exercising their rights notably of access and rectification.
5. Security and confidentiality.
5.1 MiCommV ensures the security and confidentiality of the Personal Data it Processes.
5.2 MiCommV protects any Personal Data collected, used, retained and disclosed to support
the business activities by following the relevant usage, technical and organizational
policies, standards and processes.
5.3 Employees, customers, consumers and business partners put their trust in MiCommV when
they provide their Personal Data.
5.4 Industry standard technical and organizational measures are implemented to protect
against accidental or unlawful destruction or loss, alteration, unauthorized disclosure or
access, or any other unlawful or unauthorized forms of Processing.
5.5 Where processing is to be carried out on behalf of MiCommV, MiCommV will select service
providers providing sufficient guarantees to implement appropriate technical and
organizational measures in such a manner that processing will meet the requirements of
applicable data protection laws and ensure the protection of the rights of the Data Subject.
5.6 MiCommV endeavors to take reasonable measures based on Privacy by design and Privacy
by default as appropriate to implement necessary safeguards when Processing Personal
Data.
5.7 When a Personal Data Processing is likely to result in a high risk to the rights and
freedoms of Data Subjects, MiCommV will carry out a risk impact assessment prior to its
implementation.
MiFocus Privacy Policy – 3rd March 2023 Page 4 of 6
5.8 MiCommV will examine all claims related to any breach to this Policy or applicable data
protection laws, potential or actual, that are brought to its attention or that MiCommV
becomes aware of and will take all reasonable measures to limit their impact.
5.9 Further information on the IT security measures is provided in MiCommV’s Security
Program which includes the Global IT Security Policy, IT Usage Policy and any other
security measures available within MiCommV.
6. Personal Data Retention.
6.1 Any person handling Personal Data for MiCommV will keep it only for as long as it is
necessary for the purpose for which it has been collected and processed (and other
compatible purposes) which may include:
– to meet or support a business activity;
– to comply with a legal or regulatory requirement and comply with applicable
statute of limitation requirements; or
– to defend against legal or contractual actions (in which case, the Personal Data
may be retained until the end of the corresponding statute of limitation or in
accordance with any applicable litigation hold policies).
6.2 Personal Data is retained and destroyed in a manner consistent with applicable law and in
accordance with MiCommV’s applicable retention policy.
7. What are your rights, as Data Subject?
7.1 MiCommV is receptive to queries or requests made by Data Subjects in connection with
their Personal Data and where required by law, MiCommV provides Data Subjects with the
ability to access, correct, restrict and erase their Personal Data. MiCommV also allows
them to oppose the processing of their personal data, and to exercise their right to
portability.
7.2 Access right: MiCommV will provide access to all Personal Data related to a Data Subject
and, as required by law, to the purposes of the processing, categories of data processed,
categories of recipients, data retention term, rights to rectify, delete or restrict the data
accessed if applicable, etc.
7.3 Right to portability: MiCommV may also provide a copy of any Personal Data that it
holds in a format compatible and structured to allow the exercise of right to data
portability to the extent it is relevant under applicable law.
7.4 Right to rectification: Data Subjects can request to correct, amend or erase any
information which is incomplete, out of date or inaccurate.
7.5 Right to erasure: Data Subjects can request the deletion of their Personal Data (i) if such
Personal Data is no longer necessary for the purpose of the data processing, (ii) the Data
Subject has withdrawn his/her consent on the data processing based exclusively on such
consent, (iii) the Data Subject objected to the data processing, (iv) the Personal Data
processing is unlawful, (v) the Personal Data must be erased to comply with a legal
obligation applicable to MiCommV. MiCommV will take reasonable steps to inform the other
entities of MiCommV of such erasure.
7.6 Right to restriction: (i) in the event the accuracy of the Personal Data is contested to
allow MiCommV to check such accuracy, (ii) if the Data Subject wishes to restrict the
Personal Data rather than deleting it despite the fact that the processing is unlawful, (iii) if
the Data Subject wishes MiCommV to keep the Personal Data because he/she needs it
for his/her defense in the context of legal claims, (iv) if the Data Subject has objected to
the processing but MiCommV conducts verification to check whether it has legitimate
grounds for such processing which may override the Data Subject’s own rights.
7.7 Right to withdraw his/her consent: When the Personal Data processing is based on
Data Subject’s consent, Data Subject may withdraw such consent at any moment, without
affecting the lawfulness of processing based on consent before its withdrawal.
7.8 Right to object: Data Subject can also indicate his/her objection to the processing
of his/her Personal Data at any time:
– when used for marketing purpose or profiling to send targeted advertising;
– to object to the sharing of his/her Personal Data with third parties or within
MiCommV; or
– when the processing is based on MiCommV’s legitimate interests, unless MiCommV
demonstrates compelling legitimate grounds for the processing which override the
interests, rights and freedoms of the Data Subject or for the establishment, exercise
or defense of legal claims.
To exercise these rights, please use the contact details below in Section 10.2 of this Policy.
The Data Subject also has the right to lodge a complaint with the competent supervisory
authority.
8. Disclosure to third parties.
8.1 Personal Data is only disclosed outside MiCommV where there is an overarching legal
justification to do this.
8.2 Disclosure is made on a strictly limited ‘need to know’ basis where there is clear
justification for transferring Personal Data – either because the Data Subject has consented
to the transfer or because disclosure is required to perform a contract to which the Data
Subject is a party, or for a legitimate purpose that does not infringe the Data Subject’s
fundamental rights, including the right to privacy (e.g. sharing in the context of a merger
and acquisition operation etc.). In each case the Data Subject will be aware that the
disclosure is likely to take place. Assurances will also be sought from the recipient that
they will only use the Personal Data for legitimate / authorized purposes and keep it
secure.
8.3 If a particular disclosure is required to meet a legal obligation (for example to a
government agency or police force / security service) or in connection with legal
proceedings, generally the Personal Data may be provided so long as the disclosure is
limited to that which is legally required and, if permitted by law, the Data Subject has
been made aware of the situation (i.e. the Data Subject was told of the possibility of such
an event in an Informed Consent or is notified at the time of the request for disclosure).
9. How are international transfers from EU protected?
9.1 Personal Data originating from those MiCommV entities operating within the EU will not be
transferred outside the EU to a third country which does not ensure an adequate level of
protection unless appropriate safeguards are implemented in accordance with applicable
laws.
9.2 International Personal Data transfer is a very sensitive topic and is considered seriously
before any Personal Data is transferred from its EEA country of origin to a non-EEA country,
whether such transfer is done for technical purposes (storage, hosting, technical support,
maintenance etc.) or for the main purposes (HR management, clients database management,
etc.).
9.3 MiCommV will not carry out international transfers of Personal Data from an EEA country to
a non-EEA country without ensuring that appropriate transfer mechanisms as
required by applicable data protection laws are in place, to ensure adequate protection of
the data when transferred (e.g. adequacy decision, privacy shield certification if the
transfer is made to the US, signature of EU Commission model clauses as appropriate,
etc.). In some cases, MiCommV may also have to notify or gain pre-approval from the
relevant privacy regulator prior to the transfer taking place.
10. Complaint handling.
10.1 MiCommV is committed to resolving the legitimate privacy issues of its staff, clients and
other contacts. If a member of staff feels that he/she has done something in breach of this
Privacy Policy, they must contact the Privacy Committee and report the matter.
10.2 Data Subjects are informed that they can complain about privacy issues by writing an
email to the Privacy Committee at privacy@midisgroup.com. In particular, this shall be
expressly specified in the privacy notices communicated to and/or accessible by Data
Subjects.
10.3 If an individual covered by this Privacy Policy makes a complaint about the processing of
his/her or someone else’s Personal Data, and the complaint is not satisfactorily resolved
through this internal procedure, MiCommV will co-operate with the appropriate data
protection authorities and comply with the advice of such authorities to resolve any
outstanding complaints. In the event that MiCommV Privacy Committee or the data
protection authorities determine that MiCommV or one or more of its staff failed to comply
with this Privacy Policy or the data protection laws, upon recommendation of the
authorities or MiCommV Privacy Committee, MiCommV will take appropriate steps to
address any adverse effects and to promote future compliance.
11. Update of this Policy.
11.1 As the business and the regulatory environment change regularly, this Policy may also
change. You are thus invited to consult it on a regular basis.