CONFIDENTIALITY AND PERSONAL DATA PROTECTION POLICY
Advance Terrafund REIT, having its headquarters and address of management in Sofia, 1 Zlatovrah Street, registered in the Commercial Register of the Registry Agency at the Ministry of Justice under UIC 131418187 (hereinafter referred to as "the Company"), is a personal data administrator pursuant to Regulation (EU) 2016/679 and the Personal Data Protection Act.
Contact information: 02/4008-332, E-mail: atera@karoll.bg
Pursuant to Article 18 of the Law for the Special Investment Purpose Companies, Advance Terrafund REIT carries out the operation and maintenance of the acquired real estate under the Service Agreement with Karoll Finance EOOD, UIC 131421411 ("Servicing Company"). In this regard, Advance Terrafund REIT is a personal data administrator who processes data with its own resources or under contractual relations with the Servicing Company.
The collection and processing of personal data takes place only in compliance with the requirements of local and European legislation. All data processing is tied to a particular reason and is not carried out without limitation.
This Policy defines the rights of shareholders and counterparties in the processing of their personal data for the purposes of the Company's business and the procedure by which they may exercise these rights under the Personal Data Protection Law.
The management and employees who process personal data undergo periodic training on confidentiality and become familiar with the applicable legislation.
Operations that require processing of personal data by Advance Terrafund REIT as a personal data administrator and by Karoll Finance EOOD as the Servicing Company and personal data processor for the purposes and activities of Advance Terrafund REIT:
1. In the case of shareholding in the Company, the personal data are processed on a legal basis, in compliance with the statutory obligations that apply to the Company.
2. As a public issuer of securities, the Company has the obligation to identify its shareholders in relation to the exercise of their shareholder rights (for example, voting rights in the general meeting, right to dividend, right to participate in capital increase, etc.).
3. Regarding persons with access to inside information within the meaning of Regulation (EU) No 596/2014, their data are processed on a statutory basis, in compliance with the statutory obligations to keep accounts for such persons that apply to the public Company.
4. When entering into a contract with a contractor for performance or provision of a particular service, their personal data are processed on a contractual basis in order to fulfil the obligations and exercise the rights of the Company under the contract. These personal data typically include names, identification numbers and contact details of the representing persons, as well as of other persons designated as contacts for the performance of the contract.
5. The Company periodically sends by email, to its current and prospective investors who have expressed their prior consent, officially disclosed inside information.
6. Keeping data up to date requires periodic updating, correction, or confirmation of their correctness.
TERMS AND DEFINITIONS USED IN THIS POLICY
"Personal data" means any information related to an identified natural person or a natural person that can be identified directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or by one or more features specific to the physical, physiological, genetic, intellectual, mental, economic, cultural or social identity of that individual. The most common personal data collected for the above-mentioned purposes are: names, PIN, address, email address, telephone number, bank account and, in some cases, citizenship.
"Personal data administrator" is a natural or legal person, public authority, agency or other entity which, alone or jointly with others, defines the purposes and means of personal data processing; where the objectives and means for such processing are determined by either EU law or the law of a Member State, the administrator or the specific criteria for its determination may be established in EU law or in the law of a Member State.
"Personal data processor" means a natural or legal person, a public authority, an agency or other entity that processes personal data on behalf of the administrator.
"Processing of personal data" is any operation or set of operations performed with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or changing, retrieving, consulting, using, disclosing by transmission, dissemination or other means by which data becomes available, arranging or combining, restriction, deletion or destroying.
"Applicable law" means legislation of the European Union and the Republic of Bulgaria, which is relevant to the protection of personal data.
"Data subject" means a natural person who can be identified directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier, or by one or more of the features specific to the physical, physiological, genetic, intellectual, mental, economic, cultural or social identity of that individual.
"Regulation (EU) 2016/679" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data repealing Directive 95/46/EC (General Data Protection Regulation), promulgated in the Official Journal of the European Union on 4 May 2016.
I. COMMON RULES AND PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
Article 1.
(1) Legitimacy, good faith and transparency – Processing in the context of a legal basis, with due care and after notification of the data subject.
(2) Limitation to the purposes – Collection of data for specific, explicit and legitimate purposes and prohibition of further processing in a way inconsistent with those purposes.
(3) Data minimization – Data should be relevant, related and limited to the purposes of the processing.
(4) Accuracy – Keeping data up to date and taking all reasonable steps to ensure timely erasure or correction of inaccurate data, taking into account the purposes of the processing.
(5) Storage limitation – Data must be processed for the minimum period required by the objectives. Keeping data for longer periods is acceptable for purposes of archiving in the public interest, for scientific or historical research or for statistical purposes, provided that appropriate technical and organizational measures are applied.
(6) Integrity and confidentiality – Processing in a way that ensures an adequate level of security of personal data by applying appropriate technical or organizational measures.
(7) Accountability – The administrator is responsible and must be able to demonstrate compliance with all principles related to the processing of personal data.
II. RIGHTS OF THE PERSONAL DATA SUBJECTS
Article 2. Data subjects have the following rights regarding their personal data:
1. Right to access;
2. Right to correction;
3. Right to data portability;
4. Right to erasure (right to be "forgotten");
5. Right to request restriction of processing;
6. Right to object to the processing of personal data;
7. The right of the data subject not to be the subject of a decision based solely on automated processing involving profiling.
Article 3. Right to access.
(1) Upon request, Advance Terrafund REIT provides the personal data subject with the following information:
1.1. Confirmation whether the Company processes the person's personal data or not;
1.2. A copy of the person's personal data processed by the Company, and
1.3. Explanation of the data processed.
(2) The explanation under Article 3, Paragraph 1, Item 1.3 includes the following information about the personal data processed by the Company and is provided to the data subjects by means of a confidentiality notification:
2.1. The purposes of processing;
2.2. The relevant categories of personal data;
2.3. The recipients or categories of recipients to whom personal data are or will be disclosed, in particular recipients in third countries or international organizations;
2.4. Where possible, the foreseen time limit for which the personal data will be stored and, if that is not possible, the criteria used to determine that period;
2.5. The existence of a right to request correction or erasing of personal data or to limit the processing of personal data relating to the data subject or to object to such processing;
2.6. The right to appeal to a supervisory authority;
2.7. Where personal data are not collected from the data subject, any available information about their source;
2.8. The existence or absence of automated decision-making, including profiling, and information on the logic used and the significance and predicted consequences of such processing for the data subject;
2.9. In case the personal data are transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.
(3) Upon request by the personal data subject, the Company may provide a copy of the personal data that is being processed.
(4) When providing a copy of personal data, the Company may not disclose the following categories of data:
4.1. Personal data of third parties unless they have expressly agreed to the disclosure;
4.2. Data that constitutes business secrecy, bank secrecy or confidential information;
4.3. Other information that is protected under the applicable law.
Article 4. (1) The provision of access to personal data subjects shall not adversely affect the rights and freedoms of third parties or lead to a breach of a regulatory obligation of the Company.
(2) Where requests for access are obviously unfounded or excessive, especially because of their repetitive nature, the Company may charge a reasonable fee based on the administrative costs of providing the information or refuse to respond to the request for access.
(3) The Company shall judge on a case-by-case basis whether a request is obviously unfounded or excessive.
(4) In case of refusal to grant access to personal data, the Company will justify its refusal and inform the data subject about his/her right to file a complaint with the Personal Data Protection Commission (PDPC).
Article 5. Right to correction.
(1) Data subjects may request correction of their personal data processed by the Company if the data are inaccurate or incomplete.
(2) Upon a satisfied request for correction of personal data, the Company will notify the other recipients to whom the data have been disclosed (for example state authorities, service providers) in order to enable them to reflect the changes.
Article 6. Right to erasure (right to be "forgotten").
(1) Upon request by a client, the Company is obliged to delete personal data if any of the following reasons is present:
1.1. Personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
1.2. The data subject withdraws his/her consent on which the processing of the data is based and there is no other legal basis for the processing;
1.3. The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
1.4. The data subject objects to the processing of personal data for the purposes of direct marketing;
1.5. Personal data has been processed unlawfully;
1.6. Personal data must be deleted in order to comply with a legal obligation of the Company.
(2) The Company may refuse to delete personal data, as far as processing is necessary:
2.1. To comply with a statutory obligation of the Company;
2.2. For the establishment, exercise or defence of legal claims.
Article 7. Withdrawal of consent.
(1) In the rare cases in which the collection, processing and transfer of personal data for a particular purpose is based on consent, the data subject is entitled at any time to withdraw his/her consent to this particular type of processing. Once the Company receives notification that the consent has been withdrawn, it will cease processing for the purpose or purposes to which the data subject initially agreed, unless there is another justified reason not to do so pursuant to the law.
Article 8. Right to restrict processing.
(1) The data subject has the right to request restriction of processing when one of the following grounds exists:
1.1. The accuracy of the personal data is disputed by the data subject, for a period which allows the administrator to verify the accuracy of the personal data;
1.2. The processing is illegal, but the data subject does not want the personal data to be deleted and instead requests a limitation of their use;
1.3. The administrator no longer needs the personal data for the purpose of processing but the data subject requests them for the establishment, exercise or defence of legal claims;
1.4. The data subject has objected to the processing on the basis of the legitimate interest of the Company and an examination whether the administrator's legal grounds take precedence over the interests of the data subject is underway.
(2) The Company may process personal data whose processing is restricted only for the following purposes:
2.1. Storage of data;
2.2. With the consent of the data subject;
2.3. For the establishment, exercise or defence of legal claims;
2.4. To protect the rights of another individual, or
2.5. Due to important reasons of public interest.
(3) In case a data subject has requested restriction of the processing and if any of the grounds referred to in Paragraph 1 above is present, the Company will inform him/her prior to the revocation of the restriction of the processing.
Article 9. Right to transfer of data.
(1) The data subject has the right to receive the personal data concerning him/her which he/she has provided to the Company in a structured, widely used and machine readable format.
(2) Upon request, such data may be transferred to another administrator designated by the data subject where this is technically feasible.
(3) The personal data subject may exercise the right to transfer in the following cases:
3.1. Processing is based on the consent of the personal data subject;
3.2. Processing is based on a contractual obligation;
3.3. Processing is done in an automated manner.
(4) The right to transfer shall not adversely affect the rights and freedoms of other entities.
Article 10. Right to objection.
(1) The data subject has the right to object to the processing of his/her personal data by the Company if the data are processed on one of the following grounds:
1.1. Processing is necessary for the performance of a task of public interest or for the exercise of official powers granted to the administrator;
1.2. Processing is necessary for purposes related to the legitimate interests of the Company or a third party;
1.3. Data processing involves profiling.
(2) The administrator will discontinue the processing of the personal data unless it is able to prove that there are convincing legal grounds for its continuation which take precedence over the interests, rights and freedoms of the data subject, or that the processing is needed for the establishment, exercise or defence of legal claims.
Article 11. Right to objection to personal data processing for the purposes of direct marketing:
(1) When processing personal data for the purposes of direct marketing, the data subject may at any time object to the processing of personal data for that purpose, including in relation to profiling related to direct marketing.
(2) When the data subject objects to processing for the purposes of direct marketing, the processing of personal data for these purposes is terminated.
III. PROCEDURE FOR EXERCISING THE RIGHTS OF DATA SUBJECTS
Article 12. Data subjects may exercise their rights in accordance with this Policy by requesting to exercise the relevant right.
Article 13. Requests to exercise the rights of data subjects may be made in the following manner:
1.1. Electronically on the following e-mail address: atera@karoll.bg
1.2. On site at the Company’s office: Sofia, 1 Zlatovrah Street;
1.3. By mail to the management address: Sofia, 1 Zlatovrah Street.
Article 14. The request to exercise the rights on personal data must contain the following information:
1.1. Personal identification – name and PIN
1.2. Feedback contacts – address, phone number, e-mail address
1.3. Request – description of the request
Article 15. The Company provides information on the actions taken in relation to a request to exercise the rights of the subjects within one month of receiving the request.
Article 16. If needed, this term may be extended by two more months taking into account the complexity and the number of requests by a given person. The Company informs the person of any such extension within one month of receiving the request by indicating the reasons for the delay.
Article 17. The Company is not obliged to respond to a request if it is unable to identify the data subject.
Article 18. The Company may request additional information necessary to confirm the identity of the data subject when there are justified concerns regarding the identity of the natural person who submits the request.
Article 19. Where the request was made by electronic means, the information shall be provided, if possible, by electronic means, unless the data subject indicated otherwise in his/her request.
Article 20. Every data subject has the right to inform the Personal Data Protection Commission in case of violation of his/her rights under Regulation (EU) 2016/679 and the Personal Data Protection Act within one year after finding out about the violation but no later than five years after it was committed.
Article 21. Apart from the above, every data subject has the right to appeal the actions and deeds of the administrator and the processor in court under the general rules on jurisdiction.
IV. DISCLOSURE OF PERSONAL DATA
Article 22. The Company may disclose personal data processed by it in its capacity of administrator to state authorities and supervisory bodies who are exercising their functions as specified by the law, by ensuring the necessary degree of protection depending on the method used.
Article 23. (1) Taking into account the activity of the Company, it may sign written agreements for the provision and receipt of different types of services with contractors who act as personal data processors or recipients of personal data. While observing the legal requirements, the Company may disclose the provided personal data to the following non-exhaustively listed entities in their capacity of contractors:
1. Proxies under the signed proxy agreements, legal offices or other providers of consultancy services, investment intermediaries, Central Depository, payment service banks, registered auditors, courier service providers. In case the Company discloses personal data to one of the abovementioned entities, it must have a valid reason for such actions, and the recipients of personal data must ensure an adequate level of protection based on the agreement;
2. Third persons to whom, by virtue of law, the Company has delegated some of its functions under Article 18 of the Special-Purpose Entities Act;
3. Other companies in the Karoll group: Disclosure of personal data in this case is made in observance of the applicable Bulgarian and European law.
(2) These persons process or receive personal data in the name of and/or as assigned by the Company. They may not process the personal data that has been provided to them for purposes other than the performance of the work entrusted to them. The Company shall take the necessary measures to ensure that the engaged processors and recipients of personal data strictly comply with the legislation on personal data protection and that they have taken appropriate technical and organizational measures to protect personal data.
V. TERM FOR THE STORAGE OF PERSONAL DATA
Article 24. The Company stores personal data for a period no longer than the one necessary to achieve the relevant goals. Data are stored taking into consideration the terms for storage of accounting information, tax control, and limitation periods (including the period for making any legal claims). Under certain circumstances, if the Company is required by law to store personal data for a longer time, these may be stored for a prolonged period.
VI. PERSONAL DATA PROTECTION
Article 25. (1) Personal data processed by the Company are subject to a number of organizational, physical and technological measures aimed at guaranteeing data security. The necessary internal rules and policies have been adopted, employees and management undergo periodic training and are aware of data protection requirements, and processing is limited to the minimum of data required to achieve the relevant objectives.
(2) The Company does not use automatic decision making or profiling.
(3) Multiple measures for the effective implementation of data protection principles have been taken, including but not limited to:
- Ensuring consistent confidentiality, integrity, availability and sustainability of processing systems and services;
- Measures for the timely restoration of availability and access to personal data in the event of a physical or technical incident;
- Internal process of regular testing, assessment and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing;
- Technical and organizational measures to prevent accidental or unlawful deletion, loss, change, unauthorized disclosure or access to personal data.
VII. POLICY REGARDING COOKIES
Article 26. On the website of the Company, information may also be collected regarding:
1. Browser identifier with a high degree of uniqueness;
2. History of pages visited, including secondary processing, to identify preferences for certain content types;
3. History of data searches made by the data subject on the Company's page;
4. Data collected from reading cookies. When users use the services of the Company on its website (reading news, watching videos, using e-mail, etc.), cookies are among the data that help the Company understand how its services work best. They are small text files which are sent from the web server to the browser in use and are stored on the data subject’s device, so that the website can recognize them. There are two types of cookies: permanent cookies and temporary or ‘session’ cookies. Permanent cookies are stored as a file on the data subject’s computer or mobile device for a longer period of time. Session cookies are temporarily stored on the data subject’s computer when they visit a Company website but are erased the moment the webpage is closed. Most cookies do not contain sensitive information about the data subject or personal data through which the data subject may be directly identified. The purposes for which cookies are used are mostly related to tracking the data subject’s behaviour in the following aspects:
· Tracking sections of the website visited by the data subject;
· The time the data subject spent on a website;
· The time the data subject watched a given video;
· Advertisements that the data subject saw and/or interacted with;
· When the data subject visited the Company’s website.
FINAL PROVISIONS
§ 1. The present policy was adopted as per record from the meeting of the Board of Directors of Advance Terrafund REIT, which took place on 09.05.2018.
§ 2. The present policy is subject to periodical revision, at least once a year, and is to be updated when necessary by a decision of the Board of Directors of Advance Terrafund REIT.