This Privacy Policy is prepared to comply with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter, the “General Data Protection Regulations”), in particular, with the provisions of Article 13 with respect to the information to be provided to the interested parties whose personal data have been collected by this Company.



a) Personal Data: any information about a Stakeholder from which its identity can be determined, directly or indirectly, in particular by means of an identifier (e.g., a name, an identification number, location data, or an online identifier); or one or more elements specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

b) Recipient: individual or legal entity, public authority, service or other body to which Personal Data are communicated, whether or not it is a Third Party. Public authorities that may receive Personal Data within the framework of a specific investigation in accordance with the law of the Union or of the Member States are not considered Recipients, and the Processing of such Personal Data by such public authorities is in accordance with the rules on data protection applicable to the purposes of the processing.

c) Data processor: the natural or legal person, public authority, service or other body that processes the Personal Data on behalf of the Data Controller.

d) Group: the group constituted by the Company and other companies that exercise control over the Company or over which the Company exercises control. For the purposes of determining when control exists, the provisions of Article 42 of the Commercial Code shall apply.

e) Interested Party: you as an identified or identifiable individual with respect to whom Personal Data are collected / compiled.

f) Person in charge of the Treatment: the Company, as a legal person that determines the purposes and means of the Treatment of the Personal Data.

g) Multilateral Trading System: system in which diverse purchase and sale interests on financial instruments of multiple third parties interact, operated by the Company and which allows to gather within the system and according to non-discretionary rules the referred interests to give rise to contracts.

h) Company: European Digital Securities Exchange, S.L., with N.I.F.: B88474713, registered in the Mercantile Registry of Madrid, volume 39634, page 8, sheet M-703427, 1st entry.

i) Third party: natural or legal person, public authority, service or organization other than the Interested Party, the Data Controller, the Data Processor and the persons authorized to process the Personal Data under the direct authority of the Data Controller or the Data Processor.

j) Processing: is any operation or set of operations performed on the Personal Data or sets of Personal Data, whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, comparison or interconnection, limitation, suppression or destruction.



The Company is responsible for the processing of personal data. Your contact details for the purposes of exercising the rights recognized in the General Data Protection Regulations and specified in this Privacy Policy are as follows:

Postal address: Calle Joaquín Turina 2, escalera 1, piso 1º, puerta 11, 28224, Pozuelo de Alarcón.
E-mail: dpo@portfolio.exchange

The Company has a Data Protection Delegate dedicated to advising and informing the Company on privacy matters and whose contact details are those referred to above.

Likewise, for any claim you can go to the Spanish Data Protection Agency in its capacity as the Spanish control authority (https://www.aepd.es/es).



We inform you that the purpose of the collection and processing of the Personal Data is the execution and fulfilment of the contractual relationship that you have with the Company for the provision of services by the same, being the legal basis of this Processing the execution of the contract that regulates the referred relationship, as well as the fulfilment by the Company of the legal obligations imposed on the same as foreseen in the following section A.

In addition, the collection and processing of personal data is also for the purpose of sending you information about the Company’s services, the legal basis for this being the execution of the contract signed or, where appropriate, the express consent on your part once you have been previously informed, consent which you may withdraw at any time by exercising the right of opposition provided for in point 6 of this Privacy Policy and in the manner provided for therein.

A. Purpose of execution and compliance with the contractual relationship for the provision of services

Specifically, the Personal Data required for this purpose will be collected:

a) Provide you with the services contracted with the Company and, within the scope of the same, make available to you the information prepared by the issuers on the financial instruments admitted to trading on the Multilateral Trading System managed by the Company;

b) Verify their identity for access to the services offered by the Company for the purpose of preventing and avoiding fraudulent conduct;

c) To comply with the legal obligations provided for in the regulations for the prevention of money laundering and financing of terrorism and in the tax regulations;

d) Comply with the legal obligations laid down in the regulations applicable to the securities markets, including those relating to the evaluation of their knowledge and previous experience in the financial markets, or those relating to the regulatory reporting to the supervisory authorities of the transactions operated in the Multilateral Trading System managed by the Company.

B. Purpose information on services

The Personal Data necessary to send you commercial communications about the Company’s services, newsletters or similar, or invitations to events will be collected.



The categories of Recipients to which the Society may communicate Personal Data of the Interested Party are:

a) Authorities, services or other public bodies to which Personal Data are communicated in compliance with the legal obligations imposed on the Company as provided in point 4, section A of this Privacy Policy.

b) Companies that form part of the Company’s Group and service providers, with which the Company has signed the corresponding processing contract.



a) Right of access: the Interested Party shall have the right to obtain from the Company confirmation of whether a Processing of Personal Data is being carried out and, if so, the right of access to the Personal Data and to the following information: purposes of the Processing; categories of Personal Data processed; Recipients to whom Personal Data are communicated; term of conservation of the Personal Data or criteria used for its determination; existence of the right to request the rectification, suppression, limitation and opposition; right to file a claim before the Spanish Data Protection Agency; available information about the origin of the Personal Data in case they have not been obtained directly from the Interested Party; and existence of automated decisions.

b) Right of rectification: right to have the Company correct the inaccurate Personal Data or complete the incomplete Personal Data.

c) Right of suppression: right for the Company to suppress the Personal Data in case the circumstances set forth in Article 17 of the General Regulations on Data Protection concur.

d) Right to limit the Processing: right to request the Company to suspend the Processing of all or some of the Personal Data in the event that the circumstances set forth in Article 18 of the General Regulations on Data Protection concur.

e) Right to the portability: right to receive from the Company the Personal Data concerning the Interested Party in a structured format, of common use and mechanical reading, and to have such Personal Data transmitted to another Data Controller different from the Company whenever it is technically possible, in cases in which the Treatment is based on the consent of the Interested Party and on the execution of a contract and is carried out by automated means.

f) Right of opposition: the right for the Company not to carry out a Processing of the Personal Data for direct marketing purposes, including the elaboration of profiles.

g) Right not to be subject to automated individual decision making: right of the Data Subject not to be subject to a decision based solely on automated processing, including profiling, when such a decision has a legal effect on the Data Subject or significantly affects him/her, except when the decision is necessary for the conclusion or performance of a contract between the Data Subject and the Company, is authorized by the law of the Union or of the Member States applying to the Company and appropriate measures are taken to safeguard the rights and freedoms and legitimate interests of the Data Subject, or is based on the Data Subject’s own explicit consent.

The Interested Party may exercise the rights referred to above by sending an e-mail or a letter to the attention of the Data Protection Officer, to the e-mail address or to the postal address indicated in point 3 of this Privacy Policy. For this purpose, the interested party must send a copy of its National Identity Document or equivalent document with which to prove its identity. The exercise of these rights will be free of charge.

Likewise, the Interested Party may file a complaint regarding the Processing of Personal Data before the Spanish Data Protection Agency in its capacity as the Spanish supervisory authority (https://www.aepd.es/es).



The Company acknowledges that it does not intend to make international transfers of Personal Data outside the European Union. If such transfer is necessary, and in the cases where there is no decision of adequacy, there are no adequate guarantees, and there is not a reason that justifies it of those foreseen in the article 49.1 of the General Regulations of Data Protection, the Company commits itself to inform the interested party of such international transfer of Personal Data in all its terms and of the possible risks that it implies, and to obtain its previous consent.



The Company will keep the Personal Data during the period of time in which the contractual relationship with the Interested Party is in force and, once this is over, for the time necessary to comply with the legal obligations applicable to it, specifically, and by way of example, for a period of 10 years from the termination of the business relationship or the execution of a specific operation, as required by Article 25.1 Law 10/2010, of 28 April, on the prevention of money laundering and the financing of terrorism.



The Company does not intend to make decisions based solely on the automated processing of Personal Data. Notwithstanding the above, in the event that If any of the above occurs, the Company shall inform the Stakeholder about the logic applied, as well as about the importance and the expected consequences of such Treatment.



Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing, as well as risks of varying probability and severity to the rights and freedoms of the Stakeholders, the Company applies appropriate technical and organizational measures to ensure a level of security appropriate to the risk and to prevent unauthorized or unlawful Processing, or accidental loss, destruction or damage to the Personal Data.

The Company has a Security Policy which is available for consultation.



In relation to the Personal Data collected through the Company’s website, we refer you to the Cookie Policy approved by the Company.