Your privacy is important to Vantage Towers (“we”, “us”, “our”, or “Vantage Towers”).

We respect the privacy rights of all individuals, and we are committed to handling personal data responsibly and in accordance with applicable laws. This privacy notice explains what personal data Vantage Towers collects about you, how we use your personal data and your rights to this personal data.

This privacy notice applies once you conclude an employment contract with Vantage Towers, S.A.  (hereinafter referred to as “the Contract”).

You can access the employee privacy notice any time on the intranet here: Landing Page – Home

1. Data Controller

who is responsible for data processing

Vantage Towers, S.A.

2. Address:

Arquiparque VII, R. Dr. António Loureiro Borges, 7, floor 3, 1495-131 Algés

e-mail: info.pt@vantagetowers.com

3. Contact our Group Data Protection Officer

Vantage Towers AG – attn: Data Protection Officer

Address: Prinzenallee 11-13, 40549 Düsseldorf, Germany

e-Mail: privacy@vantagetowers.com

4. Personal Data which we process (this includes data that you provide to us, that we collect about you, or that we assign to you)

For the purpose of fulfilling the Contract to which you are a party, we process the following personal data:

• Personal information such as name, date of birth, address, housing address (if you are relocating) personal email address, telephone number, emergency contact details, proof of identity, photo, marital status / children, academic and professional qualifications, education status (degree, university, speciality), driving license if you are driving a company car, frequent flyer number;
• Personal information pertaining to beneficiaries´ and dependents´ data (e.g., children, spouse, partners, relatives) such as first name, last name, postal address, mobile number, age, email address, family support –information about your family in case of relocation, that you have provided to us;
• Personal information such as your photographs, digital images and sound, captured and processed through technical means allowing your identification or authentication;
• Additional contact information such as your personal email address(es) and/or mobile phone number(s) that you have provided to us;
• Identification information and official documentation, such as personal identification number, insurance number, passport, birth certificate, marriage certificate, children’s birth certificate;
• Employment information, meaning job related information such as employee number, contract of employment, amendments to terms and conditions, letter of resignation, record of service, annual leave forms, company email address, company mobile number, job title, job description, proof of previous employment, insurance contributions, work schedule (working hours and absences), travel bookings, travel approvals, itineraries ,  feedback forms, replies to exit questionnaires, notes in relation to exit;
• Recruitment information, such as your application, CV, interview notes, references from previous employers, internal references, declaration regarding military service, residence permit (in case you are a foreign employee);
• Salary and payment information, such as social security number, record of pay, payments for travel allowances (e.g., car share), bank details, tax reference details, expenses claims and payments, pension records, visa details (relocation: identification information and official documentation), bank account statement or proof of bank account, relocation expenses (if you are relocating), expense receipts;
• Performance and talent information, such as training, training evaluation records, qualifications, personal development reviews, performance and talent rating, evidence from investigations, records of disciplinary actions, exit interviews content;
• General HR administration information such as general correspondence with HR, redundancy records, records of complaints and grievances;
• Employee authentication information, such as your Vantage Towers username and password needed to log in to the Vantage Towers network;
• We review, to the extent permitted by applicable law, your use of work devices, services, systems, networks, accounts and corporate communications, such as:
  • Vantage Towers/Vodafone’s own devices (e.g., your company laptop, tablet and phone);
  • User-owned devices (e.g., devices owned by a Vantage Towers employee that access, process, store and transmit company data to Vantage Towers/Vodafone systems and company data);
  • Enterprise networks and IT (e.g., your access to document management systems, your use of internal networks, tools, applications and your online browsing behaviour); and
  • Corporate communication accounts (e.g., your messages and data that you send via Outlook or Microsoft Teams)

These measures are subject to strict control and approval procedures and, in certain circumstances, may include access to the content of your messages. If this is relevant, we inform you separately on the specific procedures.

• Security in the workplace, such as onsite CCTV footage and access card records.
• We may also process special categories of personal data in the sense of Art. 9 para. 1 GDPR about you – but only where this is strictly necessary to perform our legal obligations as an employer or when this information is provided on a voluntary basis (consent). You can withdraw your consent, effective for the future, anytime, without any adverse consequences for you

For example:

• • we may process information about your racial or ethnic origin to evaluate our compliance with the requirements set by equal employment legislation. For example, we may use this information to comply with anti-discrimination laws and government reporting obligations, to monitor and ensure diversity and equal treatment and opportunity – Art. 9 para. 2 lit. b GDPR;
  • we may process information about your health, such as sickness records, medical certificates, in order to provide sick pay or maternity cover and to perform our health and safety obligations as an employer – Art. 9 para. 2 lit. b GDPR;
  • we may collect information about your trade union membership in order to comply with our obligations as an employer according to trade union legislation – Art. 9 para. 2 lit. b GDPR;
  • we may collect information about your sexual orientation to create anonymous and aggregated reports – but only where you provide this information voluntarily and we have collected your consent to process information for these purposes – Art. 9 para. 2 lit. a GDPR. You can withdraw your consent, effective for the future, anytime, without any adverse consequences for you.

5. Purpose and legal basis for processing your personal data

We process your personal data for the following purposes:

• Meeting our contractual obligations as your employer, such as managing your employment contract. For example, we must include your name, address, VAT number and other information in the employment contract you conclude with us;
• Meeting our legal obligations as an employer, such as providing government agencies with your employment information and managing our tax responsibilities. For example, we will provide your tax information to government agencies;
• Resourcing, managing internal and /or international mobility when you have applied internally for a new job opportunity.
• Learning and development, such as identifying learning requirements, and managing learning solutions;
• Rewards and recognition, such as performing annual reward review, managing recognition and reward. For example, we use information about your pay to generate your end of year reward statement;
• Communication and involvement, such as conducting surveys amongst employees, letting you know about important business change. For example, we may conduct surveys with our employees to collect insights on a specific topic like diversity and inclusion;
• Internal and External Communications and involvement, such as where you register for internal networks, corporate or events and /or third -party events for promoting the company as an employer, company´s activities and involvement in industry events;
• Maintain employee health, safety, and wellbeing, such as managing employee safety and wellbeing incidents, monitoring employee wellbeing, conducting employee safety and wellbeing audit. For example: using information about incidents to register workplace incidents;
• Organisation, effectiveness, and change, such as internal reporting or analysis to support business and cultural change or reviewing organisational effectiveness. For example, we may use your workplace location and access card records to understand the impact on desk capacity in our sites;
• Operational and administration, such as managing requests and changes to your information during your employment lifecycle including payroll, recording time and attendance, travel and expenses, user access management, making available corporate recourses like IT equipment, sending VT promotional gifts, Office IT and resolving issues and requests raised to HR services;
• Performance and talent management, such as managing employee performance aligned to business goals, review employee potential, identify and review development of talent, management of resource. For example, we differentiate our reward based on performance and potential;
• Security and IT, such as protecting the confidentiality, integrity and availability of Vantage Towers´ business information, your personal information and information from our IT and other systems, by reviewing your use of corporate networks and corporate communications accounts to address threats such as computer viruses, attempts to access suspicious third-party websites, unauthorized access attempts, and internal abuse (e.g., violations of our information security policies) and to respond appropriately and quickly.

Similarly, this includes applications on your work device that check the system behaviour and the flow of information emanating from your device and trigger further analysis in the event of discrepancies. In the event of non- compliance, such as a breach of security policies, further clarification and follow-up measures are taken.

If confidential data is transmitted outside the secure corporate environment, the transmission of the data may be interrupted in the event of a deviation from local security guidelines (e.g. when sending unencrypted C3/C4 data to third parties).

We encourage you to read our Global Policy Vantage Towers IT – Cyber & Information Security Acceptable Use DR which explains how to use your corporate devices and your own devices, networks and communication accounts in accordance with internal company policies. You can find the policy here

• Defend Vantage Tower’s legal interests, for example in legal or investigatory proceedings in accordance with applicable laws.
• Investigations and disciplinary actions, such as investigating and supporting decisions on disciplinary actions or terminations, conduct grievance management or when necessary to detect fraud or other types of wrongdoing.

Processing your personal data as set out in Clause 3 above is necessary for the achieving the purpose laid out in this Clause, including the performance of the Contract.

The legal basis for processing your personal data as such is:

• • The performance of your employment contract with Vantage Towers and to take action on your requests, including for example, leave requests or providing you with the correct pay (Art. 6 para. 1 b) GDPR);
  • Processing of employee data in the employment context: Personal data of employees may be processed for purposes of the employment relationship if this is necessary for the decision on the establishment of an employment relationship or, after the establishment of the employment relationship, for its implementation or termination in compliance with Art.88 para.1 GDPR;
  • Vantage Tower’s legitimate business interest, including for example, fraud prevention, management of network and information security systems, cybersecurity, internal investigations relating to potential violations of law or/and violations of internal policies, to defend our lawful interests in legal proceedings, meeting our targets for diversity, organisational planning and effectiveness and improving our services and workplace for employees (Art. 6 para. 1 f) GDPR);
  • Compliance with a mandatory legal obligation, subject to strict internal policies and procedures which control the scope of legal assistance to be provided (Art. 6 para. 1 c) GDPR);
  • Consent you provide, where Vantage Towers does not rely on another legal basis or in addition to performance of a contract or reliance on our legitimate business interests, you choose to provide us with your personal data and the processing of that information is voluntary including for example, when you take part in events organised by Vantage Towers (Art. 6 para. 1 a) GDPR). You can withdraw your consent, effective for the future, any time without any adverse consequences for you.
  • Collective agreements such as works agreements or union rates.

6. Retention period for personal Data

Your personal Data will be stored for the duration of the Contract and thereafter until the end of the applicable statute of limitations (for example: 20 years for the social security information). Your personal Data will thereafter be deleted unless we are legally obliged under Art. 6 para. 1 c) GDPR to document and archive your personal Data for a longer period in order to comply with any applicable tax laws or commercial laws; or there is a litigation in progress and your personal data will be stored until the final conclusion of the process Art. 6 para.1 f) GDPR or you have lawfully consented to a longer storage period in accordance with Art. 6 para. 1 a) GDPR.

7. How we collect your Personal Data

We collect your personal data primarily from you. We may also collect personal data about you from the following sources: (i) public databases/online search engines (professional and social history data, e.g. in case of suspicion of a conflict of interest), (ii) public authorities/entities or private enterprises (e.g. incidents, audit, requests for information, references from former employer, standard letters of recommendation of good standing including references to your professional conduct and level), (iii) other employees/future employees of the Group, if they declare that they are in a relationship or are related to you, in order to prevent conflict of interest (iv) Referrals

8. Your rights in relation to your personal data (Data Subject Rights)

1. You have the right to request information on the categories of personal data concerned, the purposes of the processing, any recipients of the data, and the envisaged storage period (Right of Access, Art. 15 GDPR);
2. to request that incorrect or incomplete data be rectified or supplemented (Right to rectification, Art. 16 GDPR);
3. to withdraw consent at any time with effect for the future (Art. 7 para. 3 GDPR);
4. to object to the processing of the data on the grounds of legitimate interests, for reasons relating to your particular situation (Right to object Art. 21 GDPR);
5. to request the erasure of data in certain cases under Art. 17 GDPR (Right to erasure)-especially if the data is no longer necessary in relation to the purposes for which it was collected or it is unlawfully processed or you withdraw your consent according to Art. 7 para. 3 GDPR or object according to Art. 21 GDPR (Right to object);
6. to demand, under certain circumstances, the restriction of data where erasure is not possible, or the erasure obligation is disputed (Art. 18 GDPR, Right to restriction of processing);
7. to data portability,e. you can receive the data that you provided to us in a commonly used and machine-readable format such as CSV, and can, where necessary, transfer the data to others (Art. 20 GDPR, Right to data portability); and
8. to file a complaint about the data processing with the responsible supervisory authority (Art. 77 GDPR)

To exercise your rights, you can send an email “Exercise of personal data rights” to privacy@vantagetowers.com in attention of the Group Data Protection Officer, describing the right you want to exercise.

In case you think that the protection of your personal data is affected in any way, you can file a complaint to the supervisory authority CNPD – Comissão Nacional de Proteção de Dados, geral@cnpd.pt, Av. D. Carlos I, 134, 1º, 1200-651 Lisboa. Detailed instructions for filing a complaint are provided on the website of the authority.

9. Recipients or categories of recipients of your personal data or Processors

We may share personal data about you with:

• Other companies of the Vodafone Group (being Vodafone Group Plc and any company or other organisation in which Vodafone Group Plc owns 50% or above of the share capital) and Vantage Towers Group (being Vantage Towers AG and any company or other organisation in which Vantage Towers AG owns 50% or above of the share capital) subject to inter-company data processing agreements;
• Companies or consultants who are engaged to perform services for, or on behalf of the Vantage Towers Group including for example, those who process our pension and share incentive schemes, company car hire, business travel bookings, payroll and any requests raised to HR services or Office IT services;
• Law enforcement agencies, government bodies, regulatory organisations, courts, other public authorities, or third parties if we are required to, or are authorised to by law;
• Other third parties when we have your consent to do so (for example providing a personal reference to a bank, building society, landlord or property agent);
• In conjunction with any merger, sale or acquisition of a company in the Vantage Towers Group.

We process your data mainly within the European Union (EU) and the European Economic Area (EEA). If we transfer your personal data to companies outside the EEA (third countries), they will only process your data following our request and instructions and provided that they possess a European Commission´s competence decision (adequacy decision pursuant to Art. 45 GDPR) or if appropriate, clauses ( EU standard contractual clauses pursuant to Art. 46 GDPR) ensuring a high level of security with regard to processing your personal data, exist. (confirm the validity of this statement and make necessary amendments if necessary)

• If a transfer of your personal data to companies belonging to the Group is necessary, for the purposes described in Clause 4, this is secured by corresponding reciprocal agreements.

10. Your responsibilities

Data accuracy

We need you to help to keep our records accurate and current. This means that we need you to be vigilant with keeping information that you have provided to us, up to date. In some cases, failing to provide us with accurate data will impact our ability to function as business and to comply with legal obligations.

Data stewardship

We rely on you to “Be an Owner”. Employees with access to personal data must endeavour to make informed choices on how they use the data. This means ensuring that you are thoroughly assessing (1) why you need the data, (2) whether the use abides with the purpose and legal basis for the processing of the data as in Clause 4 and (3) whether there is another way to get to your goals without using any personal data. After assessing, it is equally important to ensure that you maintain good data security practices for the data in your possession, report data misuse, whether accidental or malicious, and keep up with required training.

Data confidentiality

We rely on you to keep data confidential. You may use data only as necessary for the performance of your role and must protect the confidentiality of personal data at all times