“Inclusive Bulgaria” JSC (“Company“, “Controller“, “We“) recognizes the need to implement adequate protection of personal data of data subjects (“You“, “Your“), striving to respect the privacy of your personal life. This Privacy Policy (“Policy“) has been created to help you understand how We collect, use, and protect your personal data, including when you agree to use Our website.

For the purposes of its activities as an intermediary in real estate transactions, the Company processes your personal data in strict accordance with Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR), the Personal Data Protection Act, and other applicable regulations and the Policy.

According to the General Data Protection Regulation:

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”).

“Processing” means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

This Policy provides information regarding:

Data identifying the Controller and contact details

Data subjects whose personal data is processed

Categories of personal data

Purposes for which personal data is processed

Legal basis for processing personal data

Recipients of personal data

Personal data retention periods

Rights of data subjects and how to exercise them

Giving consent and withdrawing consent

Right to complain to the supervisory authority

Personal data security measures

Data identifying the Controller and contact details

The controller of personal data is “Inclusive Bulgaria” JSC with address: Sofia, 71 Todor Aleksandrov Blvd. /Opalchenska metro station/, email: [email protected]; website – https://inclusive.bg/; tel./fax: 0889365036

Categories of personal data

The Company processes the following categories of personal data, while maintaining their accuracy:

· Full name, personal identification number, date and place of birth, ID card number and date of issue, address, phone number, email address, bank account, income, photos, marital status, comments;

· Personal data contained in CV and L-1 Visa;

· Special category of personal data related to the health status of Company employees.

Data subjects whose personal data is processed

The Controller processes personal data of the following categories of data subjects:

· Clients;

· Personnel – current and former employees;

· Job applicants;

· Applicants, petitioners, complainants, and plaintiffs;

· Partners.

Purposes for which personal data is processed

When you provide personal data to the Company through any of the contact forms, We may contact you to make offers or provide services you have expressed interest in. The Controller processes personal data for the following purposes:

· To provide consulting services in the real estate sector;

· Compliance with labor and social legislation requirements regarding employees;

· For concluding contracts;

· Fulfillment of legal obligations for the Company under the Accounting Act, tax legislation, the Anti-Money Laundering Act, and other laws that require the Controller to process personal data in the field of real estate transactions;

· Marketing and advertising information;

· Maintenance and security of the Company’s website and information systems;

· Protection of legitimate interests of the Controller.

Legal basis for processing personal data

The Company processes personal data based on the following lawful grounds:

· the data subject has given consent to the processing of their personal data for one or more specific purposes;

· processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

· processing is necessary for compliance with a legal obligation to which the controller is subject;

· processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

We process special categories of personal data based on the following grounds:

· For the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee.

Recipients of personal data

We may share your personal data with the following categories of recipients:

· State institutions and authorities with sovereign powers, including but not limited to the State Agency for National Security, National Revenue Agency, National Social Security Institute, notary, and others;

· Commercial companies serving the Administrator for accounting, maintenance of IT systems security, website maintenance, translation agencies, and others;

· Our partners who provide consulting services in real estate transactions.

The Company implements appropriate technical and organizational measures to guarantee the rights and freedoms of data subjects in accordance with the principle of “integrity and confidentiality”. In particular, the Controller selects appropriate recipients who have taken the necessary guarantees to protect the personal data provided to them and, in view of the existing risks, to ensure the appropriate level of security, including where appropriate:

· pseudonymization and encryption of personal data;

· ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

· ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

· process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The Controller does not transfer personal data provided by data subjects to third countries outside the European Union. Transfer of personal data in this case can only be done after the Company has previously notified the data subject in writing, as well as the grounds for the transfer.

Personal data retention periods

“Inclusive Bulgaria” JSC stores your personal data in paper and electronic form in accordance with the principle of “storage limitation”. Specifically for the above purposes, the Company will store:

· Personal data of clients is stored for a period of 5 (five) years from the completion of the respective contract according to the general statute of limitations;

· Personal data of job candidates who are not approved for appointment to a vacant position announced by the Company for a period of 1 (one) year from the completion of the appointment procedure, after which it is returned to the data subject or destroyed in an appropriate manner. Personal data may be stored for a longer period for the purpose of sending notifications about new job positions only with the explicit consent of the data subject in electronic or written form;

· Personal data of employees according to the deadlines determined in accordance with the Labor Code and its applicable ordinances, Social Security Code and its applicable ordinances, Tax Insurance Procedure Code, Accounting Act, and others;

· Personal data of data subjects given based on consent is stored for a period of 1 (one) year from its receipt by the Controller. In this case, the Company takes the necessary measures to notify data subjects of this circumstance, providing them with the opportunity to give their consent again for a period of 1 (one) year;

· Personal data contained in accounting documents is stored for the following periods:

– payroll records – 50 (fifty) years, counted from January 1st of the reporting period following the reporting period to which they relate;

– accounting registers and financial statements, including documents for tax control, audit and subsequent financial inspections – 10 (ten) years, counted from January 1st of the reporting period following the reporting period to which they relate;

– all other accounting information carriers – 3 (three) years, counted from January 1st of the reporting period following the reporting period to which they relate.

Rights of data subjects and how to exercise them

Data subjects whose data is processed by the Controller have:

· Right of access to personal data, including to obtain a copy thereof. This right can be exercised by sending an access request for information or by completing a form at the Company’s office;

· Right to rectify inaccurate or incomplete personal data by sending a request via email or completing a form at the Controller’s office;

· Right to erasure (right to be ‘forgotten’) of personal data by sending a request or completing the necessary form on site;

· Right to restriction of processing, which can be exercised by sending a request or in paper form at the Company’s office;

· Right to data portability, which can be exercised by sending a request or completing the necessary form at the Company’s office;

· Right to object which can be exercised by sending a request or by completing the corresponding form in paper format on site.

Responses to requests for exercising rights are received at the Company’s office after providing an ID card by the applicant for reference. The Company is in the process of building a system that will provide the possibility to send responses electronically through traffic encryption.

Giving consent and withdrawing consent

We may request consent from data subjects to process personal data for one or more of our specified purposes. Consent must be freely given, specific, informed, and an unambiguous indication of the data subject’s wishes.

Consent can be withdrawn at any time in the same way it was given. You can withdraw consent by sending a form or at the Company’s office.

Right to complain to the supervisory authority

In accordance with the General Data Protection Regulation and the Personal

In accordance with the General Data Protection Regulation and the Personal Data Protection Act, data subjects have the right to file a complaint with the Commission for Personal Data Protection at address: Sofia, 2 Prof. Tsvetan Lazarov Blvd., or through the website: www.cpdp.bg.

Personal data security measures

The Controller takes necessary measures for personal data security. All paper documents containing personal data are stored in locked cabinets in the Company’s offices, with only authorized persons having access to them. The Controller’s premises have installed alarm systems that help restrict unauthorized access to the data.

Access to the Company’s information systems is done through unique user accounts and passwords for each employee. Staff members undergo training immediately after hiring and fully comply with confidentiality rules, with a prohibition on sharing personal data with unauthorized persons.