UiPath Foundation Personal Data Processing Policy

WHY THE WAY WE PROCESS PERSONAL DATA MATTERS

PURPOSE OF THE PERSONAL DATA PROCESSING POLICY

Our Data Processing Responsibilities – Processing

Our Data Processing Responsibilities – Collection and use

Our Data Processing Responsibilities – Storage & erasure

Data Subjects’ Rights

Protection of Personal Data

Data Protection Impact Assessments (DPIAs)

Unauthorised Disclosure or Loss of Personal Data

Transfer of Personal Data

Training and Awareness

Reporting and Communication

Policy Compliance Requirements

Glossary of Terms

WHY THE WAY WE PROCESS PERSONAL DATA MATTERS

UiPath Foundation’s approach to the processing of personal data goes beyond mere compliance with legal provisions. This approach is critical for building and maintaining a trust-based relationship with the beneficiaries of UiPath Foundation’s programs.

In the course of its activity, UiPath Foundation processes personal data belonging to the beneficiaries of its programs, their parents/legal guardians/representatives, its employees, or other natural persons with whom UiPath Foundation interacts (such as employees of collaborators or partner educational institutions), hereinafter referred to as “Data Subjects.”

To ensure we process all such personal data in a responsible manner, we consider it important to understand the laws and regulations governing this field (“Applicable Legislation”). We are committed to respecting the privacy of each Data Subject whose personal data we process.

Each employee is responsible for the protection of personal data processed by UiPath Foundation. Therefore, all employees must be familiar with and comply with UiPath Foundation’s data security policies and guidelines.

This Personal Data Processing Policy (“Policy”) sets out the principles governing the way personal data must be handled by those who have access to it.

PURPOSE OF THE PERSONAL DATA PROCESSING POLICY

We must be aware of the legal provisions regulating our day-to-day activities at the workplace. When in doubt about how personal data is processed, we must consult the person designated to manage personal data processing matters.

This Policy applies, in accordance with the Applicable Legislation, to each UiPath Foundation employee, as well as to:

  • any external collaborators, including but not limited to contractors who (i) provide services to UiPath Foundation and (ii) do not have an individual employment contract with UiPath Foundation; for the purposes of this Policy, such external collaborators shall be assimilated to Employees;
  • any personal data we process during UiPath Foundation’s operations that belongs to or relates to Data Subjects;
  • the entire duration during which personal data is processed for the purposes of UiPath Foundation.

Being employed by UiPath Foundation is not contingent upon prior knowledge of this Policy. UiPath Foundation reserves the right to modify, suspend, or withdraw the Policy at any time.

Failure to comply with this Policy may lead to disciplinary sanctions, which may include, in accordance with Applicable Legislation, termination of the individual employment contract.

Our Data Processing Responsibilities – Processing

Personal data can be seen as having its own lifecycle, composed of the following processing stages:

  • Collection – the act of obtaining or generating personal data for the first time. At UiPath Foundation, collection may occur during the recruitment of a new employee, the selection of a program beneficiary, the registration of a donation or a percentage redirection from income tax, or during an interaction via the Foundation’s website or platforms;
  • Use – the operation of processing data in line with the purpose for which it was collected. This may include using the data for decision-making, calculations, or simply for updates. For example, we may use potential beneficiaries’ data to decide on their acceptance into a UiPath Foundation program, to disburse their scholarship, or to provide information about the structure and implementation of our programs;
  • Storage – the act of saving the data, either in physical or electronic form, for later use in accordance with the purpose for which it was collected. Personal data may be stored both during daily use and when backups or archived copies are created;
  • Erasure – the act of destroying the data, whether on electronic or physical media, so that it can no longer be accessed or used.

Understanding these operations is important, as we are responsible for personal data throughout its entire lifecycle.

Our Data Processing Responsibilities – Collection and use

The individuals involved in various collection and use operations, as well as the related processes, may vary. Such operations may involve software applications or manual procedures, as well as electronic (e.g., hard drives) or physical (e.g., filing cabinets) storage solutions.

We must ensure that personal data is collected and/or used only for legitimate and specific purposes, and that we collect only the minimum amount of personal data necessary to fulfill those purposes.

When collecting personal data, we must provide Data Subjects with at least the following information:

  • the types of personal data we collect;
  • how we use the personal data and for what purposes;
  • the recipients or categories of recipients of the personal data;
  • the name and contact details of UiPath Foundation (the “Controller”), including the email address where requests concerning personal data processing can be submitted;
  • the legal bases for processing and, if applicable, the legitimate interest pursued;
  • if data will be transferred outside the EU, the specific safeguards required under Applicable Legislation (e.g., adequacy decisions or contractual guarantees);
  • the period for which the data will be stored or, if not possible to specify, the criteria used to determine that period;
  • the rights of Data Subjects regarding their personal data;
  • information on the existence of automated decision-making, including profiling, and details on the logic involved and the significance and expected consequences for the Data Subject.

In certain specific situations, especially when processing special categories of personal data and where no other exception applies, we may be required to obtain the explicit consent of the Data Subjects. In such cases, the appropriate consent form must be used.

Moreover, when using personal data, we must ensure that:

  • we use it solely for the specific purpose for which it was collected, as communicated to the Data Subject;
  • where possible, we avoid directly identifying individuals (e.g., through pseudonymisation);
  • we treat personal data with special care and avoid disclosing it to unauthorised persons or for purposes other than those communicated; we exercise even greater caution with special categories of personal data;
  • data is accurate and complete, and where inaccurate, it is corrected or completed;
  • we process only the minimum amount of personal data necessary to fulfill UiPath Foundation’s purposes;
  • if we intend to process personal data for a purpose different from the one for which it was initially collected, we inform the Data Subjects in advance.

Our Data Processing Responsibilities – Storage & erasure

We store personal data only for as long as is necessary to fulfill the legitimate and specific purposes for which it was collected, except where a longer retention period is required by Applicable Legislation.

When personal data is no longer needed, we will delete or anonymize it in accordance with Applicable Legislation and UiPath Foundation policies.

Data Subjects’ Rights

The rights of Data Subjects are established under Applicable Legislation.

We are committed to ensuring that the rights of our beneficiaries and employees are fully respected.

Where the processing of personal data is based on consent, the Data Subject has the right to withdraw consent at any time (without affecting the lawfulness of the processing carried out prior to withdrawal).

If a Data Subject requests confirmation as to whether UiPath Foundation processes their personal data and, if so, requests access to that data and certain related information (“right of access”), UiPath Foundation shall respond to such requests within one month of receipt.

If a Data Subject requests it, we will rectify any inaccuracies in their personal data (“right to rectification”).

Under certain circumstances, Data Subjects have the right to have their personal data erased without undue delay (“right to be forgotten”) or to request the restriction of further processing (“right to restriction of processing”).

Data Subjects also have the right, subject to certain conditions, to receive the personal data they have provided to UiPath Foundation in a structured format and to transmit it to another organization (“right to data portability”).

In specific circumstances, Data Subjects have the right to object at any time to the processing of their personal data (“right to object”).

Protection of Personal Data

Personal data is handled with special care, and access is permitted only to authorised individuals.

We have implemented appropriate technical and organisational measures to ensure the security of personal data throughout the period in which it is in our possession.

Information security control mechanisms relating to personal data are aligned with the Information Security Policy applicable at UiPath Foundation.

When special categories of personal data are processed, we apply additional technical and organisational measures to address the increased risk associated with loss or unauthorised disclosure of such data. UiPath Foundation ensures that risks are properly assessed and that adequate control mechanisms are implemented where necessary.

We ensure that any third party receiving personal data from UiPath Foundation or collecting such data on our behalf complies with this Policy and implements appropriate technical and organisational safeguards to protect the personal data.

We also ensure that such third parties are aware of the obligation to notify us in the event of an incident involving the personal data they process on behalf of UiPath Foundation.

Data Protection Impact Assessments (DPIAs)

When we initiate a new project (such as developing a new system or application) or modify existing systems, we will assess whether it is necessary to conduct a data protection impact assessment of the project or modification, in order to ensure that the rights of Data Subjects and the Applicable Legislation are properly identified and respected.

Unauthorised Disclosure or Loss of Personal Data

If we, or the third parties we work with, become aware of the loss or unauthorised disclosure of personal data, the incident must be reported immediately to the person designated to manage personal data processing matters. That person will coordinate the necessary actions to respond to and resolve the incident.

Transfer of Personal Data

Before transferring any personal data outside of Romania, we will carry out an assessment of the transfer to ensure that the rights of the Data Subjects and the Applicable Legislation are properly identified and upheld.

Training and Awareness

To ensure that our employees understand their responsibilities regarding the processing of personal data, we ensure they are periodically trained on Personal Data Processing.

Reporting and Communication

If you become aware of or suspect any violations of this Policy, you must report them immediately to the person designated to manage personal data processing matters.

We will not tolerate retaliation against any employee who, in good faith, seeks advice, reports, or files a complaint regarding violations of this Policy.

However, if an employee submits an unfounded complaint about an alleged violation or questionable conduct with the intent to harm another person, the reporting individual will be subject to disciplinary investigation.

The designated data protection contact person must be informed immediately in the event of any communication (e.g., by phone, letter, or email) received from the Data Protection Supervisory Authority.

To learn more about our responsibilities throughout the entire personal data processing lifecycle or about any of the obligations mentioned above, please contact the designated data protection officer.

Policy Compliance Requirements

All Employees are required to comply with the following obligations:

  • All new projects or proposals to modify processes and systems must follow data protection procedures and processes from the moment of their initiation;
  • Any breaches of this Policy, as well as incidents involving a potential breach of the confidentiality, integrity, or availability of personal data, must be reported immediately to the person designated to manage personal data processing matters;
  • Mandatory training on personal data processing that you are enrolled in must be completed within the allotted time frame;
  • Any new third parties with whom we intend to contract and/or renew an existing contract shall undergo a data protection audit process;
  • Whenever personal data is processed (collected, used, stored, disclosed, or deleted), UiPath Foundation will ensure that internal policies, procedures, and processes are respected. Whenever there is doubt about personal data processing, it is mandatory to contact the person designated to manage personal data processing matters.

Glossary of Terms

Applicable Legislation refers to data protection laws and regulations, such as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), as well as national data protection legislation.

Processing of personal data means the appropriate use of personal data under any circumstance. What is appropriate depends on the context, the law, and the expectations of the Data Subject. Processing encompasses both the rights of Data Subjects to control the collection, use, and disclosure of their personal data, and the obligations of UiPath Foundation in collecting, using, storing, deleting, and disclosing such data.

Personal data refers to any information relating to an identified or identifiable Data Subject. A Data Subject may be identifiable even if UiPath Foundation does not have access to their name, for example, through behavioural identifiers. Therefore, personal data includes—but is not limited to—names, addresses, dates of birth, employment-related data (such as information about leave, pension, compensation, benefits, or tax details). The personal data of our beneficiaries also includes data relating to education and social background, participation in UiPath Foundation programs, and IP addresses.

Special categories of personal data refers to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic and biometric data for the purpose of uniquely identifying a Data Subject, as well as data concerning health, sex life, or sexual orientation.

Processing means any operation or set of operations performed on personal data, whether or not by automated means. This includes collecting, using, retaining, disclosing, and destroying personal data.

Data Subject rights are the rights granted to individuals under Regulation (EU) 2016/679, which must be respected by any entity processing Personal Data (e.g., the right to access personal data).

Privacy by design refers to the principle of ensuring data protection from the outset of a project or system/process modification. It aims to promote and ensure the protection of personal data from the conceptual phase through to implementation. Before launching new or improved technologies, products, or services, risks associated with personal data processing must be identified, properly assessed, and, where necessary, mitigated.

Controller means the natural or legal person who determines the purposes and means of the processing of personal data.

Personal data breach means a potential breach of the confidentiality, integrity, or availability of personal data. Examples include unauthorized access to personal data or the loss of documents containing such data.

Third parties refers to the entities we work with or that act on our behalf or provide services to us, such as suppliers, contractors, consultants, and agents.

Supervisory Authority refers to the National Supervisory Authority for Personal Data Processing. It is an independent public authority responsible for monitoring the application of Regulation (EU) 2016/679, in order to safeguard the rights and fundamental freedoms of Data Subjects—particularly their right to private, family, and personal life—in connection with the processing of personal data and the free movement of such data within the European Union.

 
