PRIVACY REGULATIONS ROCKMED B.V.

General Data Protection Regulation:

On 25 May 2018, the General Data Protection Regulation, hereinafter referred to as the ‘GDPR’, will enter into force. This document sets out Rockmed's implementation of this regulation:

These regulations will be provided to each member of staff or third party engaged to work for Rockmed at the commencement of the employment contract/before the commencement of the work.

At the time of adoption of these regulations, this document will be sent by e-mail to all staff and third parties engaged by Rockmed with the instruction to take cognizance of its contents.

If changes are made to these regulations, a new regulation will be issued to all staff/third parties.

Staff:

Recruitment of staff:

Purpose:

The personal data are processed for the purpose of selecting and then hiring staff.

Working method:

The data of the person hired after the selection process is retained by Rockmed to the extent necessary for the performance of the employment contract. The person, at that time an employee, must give permission for this in writing. A provision in which the employee gives their consent is included in the employment contract.

If Rockmed makes use of an employment contract or temporary employment contract drawn up by the employment agency or third party which does not contain such a consent clause, Rockmed will have the employee sign a separate document in which the employee will provide the consent to Rockmed.

The personal data of unsuccessful candidates will be deleted at the end of the selection procedure.

Processing of personal data of employees:

Purpose:

The personal data of employees are processed so that Rockmed is able to perform the employment contract and meet the obligations arising from it.

Written consent of employees:

Written consent for the processing of personal data is requested from all Rockmed employees. Rockmed will use employees' personal data only for the purpose for which it needs them, i.e. to fulfil its obligations under the employment contract.

The employment contract gives the employee the option of withdrawing permission. After the withdrawal of the consent, the data (except for the data which Rockmed has a legal obligation to retain) will be immediately destroyed. The data that Rockmed is required to retain for five years by law will be destroyed upon expiration of the retention period. This is included in the employment contract.

In this way, the right of employees to be forgotten is realized.

Transfer of data to third parties:

Rockmed will only provide the personal data of its employees or temporary employees to third parties if this is necessary for the performance of the employment contract and the legal obligations associated with it. This includes taking out various insurance policies and pensions, recording absenteeism due to illness, etc.

The third parties to whom Rockmed provides the personal data of its employees/temporary employees are:

- The accountant;

- The sick leave insurer;

- The pension insurer;

- Other intermediaries/insurers, if any.

The employee gives permission for this in the provision of the employment contract. If the employee withdraws the consent, the employer will order the third party to destroy the employee's personal data.

Third parties to whom personal data are provided also sign a declaration that they are aware of the GDPR and of these regulations and that they comply with them.

Termination of employment contract:

After termination of an employment contract with an employee, Rockmed will no longer provide the personal data of the ex-employee to any third party.

Rockmed will at that time instruct the third parties to destroy the personal data provided.

Rockmed will retain the documents on which the ex-employee's personal data have been processed for the statutory retention period of five years.

After that period, it will destroy the documents.

Storage of data:

Rockmed stores the processed personal data in a file and digitally. The personal data stored in a file can only be viewed after the safe in which the file is kept has been opened. Only the management, HR department, and financial administration employees have access to the safe.

The safe can only be opened with a key. Only the management, HR department, and financial administration employees have this key.

The personal data stored digitally is stored on a secure disk and can only be accessed by the management, HR department, and financial administration employees after the code has been entered.

When a member of the management board, HR, or financial administration department no longer works for Rockmed, the code will be changed immediately.

All these persons have signed a declaration stating that they will use and process the personal data only for the purpose for which Rockmed has them at its disposal.

Processing of personal data of existing and potential customers

Purpose of data processing:

Rockmed processes the personal data of its customers in order to be able to deliver the products ordered/to be ordered by the customers, to invoice the customers for these products, and to collect the invoice from the customer.

The customer data will not be provided to third parties.

Newsletters are sent to business clients. This does not involve the use of personal data, but the use of company data. If the customer indicates that they wish to receive the newsletter, the data will be used for that purpose.

The customer can withdraw their consent to use this data for the newsletter at any time by sending an e-mail to info@rockmed.nl. This is also indicated under each newsletter.

Processing of personal data for sales and purchases via the online store:

A potential customer can create an account to place an order.

Personal data form part of the data to be filled in.

The application form for the login code is attached to these regulations.

By signing the application form, the potential customer gives permission to process their personal data.

These personal data are used only for the purpose defined under the heading 'Purpose of data processing'.

The customer may withdraw their consent to the processing of this personal data for the purpose described above at any time by sending an e-mail to info@rockmed.nl.

This is also stated on the application form for obtaining a login code.

When the customer withdraws their consent, the personal data will be destroyed.

Storing of customer data:

The personal data of the customers are included in the customer database.

This customer data will not be used for any purpose other than that stated in these regulations.

The customer data is kept until the moment the customer withdraws their consent to the processing of the data.

The customer data is not provided to others and is stored on a computer, the access to which is secured by means of a password.

This computer is also protected against hackers by spyware and security software.

The spyware and security software is kept up to date by a hired IT professional. For this reason, the IT person also has access to the customer data, and has signed a declaration that they are aware of the GDPR. All future IT professionals will also sign such a declaration.

Use of customer data by employees:

Employees can use these data only for the purpose stated in these regulations.

Employees must comply with the regulations.

Employees are expressly prohibited from using and/or distributing customer data for any other purpose.

Employees have the opportunity to work from home. Employees can log in using a VPN connection after entering a password. Upon termination of the employment, the password of that VPN connection will be changed immediately. Employees declare that they will treat the access code confidentially and ensure that third parties do not have access to Rockmed's data via the VPN connection.

Use of staff and customer data by third parties:

All third parties who are able to process and view the staff and customer data for the purpose of work and assignments for Rockmed sign a declaration that they are aware of the GDPR and these regulations, and that they will comply with them.

Conclusion:

By applying and complying with these regulations, Rockmed complies with the General Data Protection Regulation, which came into force in May 2018.

Oirschot, The Netherlands,

April 2018