GOLF CLUB COSTA DEL SOL S.A. (the “Company”) is an organization involved in processing personal data, which entails significant responsibility in designing and organizing procedures aligned with legal compliance in this matter.

In the exercise of these responsibilities and with the aim of establishing the general principles governing the processing of personal data within the Company, we hereby approve this Personal Data Protection Policy, which is communicated to our Employees and made available to all our Stakeholders.

1. Purpose
The Personal Data Protection Policy is a proactive measure aimed at ensuring compliance with applicable legislation in this matter and, in relation to this, respecting the right to honor and privacy in the processing of personal data of all individuals associated with the Company. In line with this Personal Data Protection Policy, the Principles governing data processing within the organization are established, along with the procedures and organizational and security measures that the individuals affected by this Policy undertake to implement within their scope of responsibility. To this end, the Management will assign responsibilities to the personnel involved in data processing operations.

2. Scope of Application
This Personal Data Protection Policy shall apply to the Company, its administrators, directors, and employees, as well as to all individuals associated with it, including service providers with access to data (“Data Processors”).

3. Principles of Personal Data Processing
As a general principle, the Company will scrupulously comply with legislation regarding the protection of personal data and must be able to demonstrate this (“proactive responsibility” principle), paying special attention to treatments that may pose a greater risk to the rights of the data subjects (“risk-based approach” principle).

In line with the above, GOLF CLUB COSTA DEL SOL S.A. will ensure compliance with the following Principles:

Lawfulness, fairness, transparency, and purpose limitation. Data processing must always be informed to the data subject through clauses and other procedures; it will only be considered legitimate if there is consent for data processing (with special attention to that provided by minors), or if there is another valid legal basis and the purpose is in accordance with regulations.

Data minimization. Processed data must be adequate, relevant, and limited to what is necessary in relation to the purposes of processing.

Accuracy. Data must be accurate and, if necessary, updated. Measures will be taken to promptly delete or rectify personal data that is inaccurate concerning the purposes of processing.

Limitation of storage period. Data will be kept in a way that allows the identification of data subjects for no longer than necessary for the purposes of processing.

Integrity and Confidentiality. Data will be processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by implementing appropriate technical or organizational measures.

Data transfers. The acquisition or obtaining of personal data from illegitimate sources is prohibited, or in cases where such data has been collected or transferred in contravention of the law, or if its legitimate origin is not sufficiently guaranteed.

Hiring of providers with data access. Only providers offering sufficient guarantees for the implementation of appropriate technical and security measures in data processing will be chosen for hiring. A proper agreement regarding this matter will be documented with these third parties.

International data transfers. Any processing of personal data subject to European Union regulations involving a transfer of data outside the European Economic Area must be carried out in strict compliance with the requirements established by the applicable law.

Rights of the data subjects. The Company will facilitate the exercise of the rights of access, rectification, erasure, restriction of processing, objection, and data portability to the data subjects, establishing internal procedures, and particularly the necessary and appropriate models for their exercise, which must meet, at least, the applicable legal requirements in each case.

The Company will promote the principles set forth in this Personal Data Protection Policy to be taken into account (i) in the design and implementation of all work procedures, (ii) in the products and services offered, (iii) in all contracts and obligations entered into or assumed, and (iv) in the implementation of any systems and platforms allowing employee or third-party access and/or the collection or processing of personal data.

4. Commitment of Employees
Employees are informed of this Policy and acknowledge that personal information is an asset of the Company, and in this regard, they adhere to it, committing to the following:

* Undergo the data protection awareness training provided by the Company.
* Apply user-level security measures applicable to their job, without prejudice to the responsibilities in their design and implementation that may be attributed to them depending on their role within GOLF CLUB COSTA DEL SOL S.A.
* Use the established formats for the exercise of rights by data subjects and promptly inform the Company so that the response can be effective.
* Notify the Company, as soon as they become aware, of deviations from what is established in this Policy, particularly “Personal Data Security Breaches,” using the established format for this purpose.

5. Monitoring and Evaluation
An annual verification, evaluation, and assessment, or whenever significant changes occur in data processing, will be carried out to ensure the effectiveness of technical and organizational measures to guarantee the security of the data processing.