PERSONAL DATA PROCESSING AND PROTECTION POLICY

ADVANCE BUSINESS CENTER

I. Definitions

1. Data Protection Officer - a natural person with expert knowledge of the law and practices in the field of personal data protection, appointed by the Personal Data Controller to support him in fulfilling his obligations regarding the protection of personal data.

2. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

3. Personal Data Controller – Advance Business Centre EAD.

4. Personal Data – information about an identified or identifiable natural person; an identifiable natural person is a person who can be directly or indirectly be identified by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, online identifier and information collected via cookies and other similar technology.

5. Policy – this Privacy Policy.

6. Service – website run by the Personal Data Controller at www. http://advancecenter.bg.

7. User – any natural person visiting the Service or using one or more services or functionalities described in the Policy, as well as a natural person to whom personal data processed by the Personal Data Controller relates, e.g. a person visiting the Personal Data Controller's premises or sending an e-mail inquiry to him.

II. Introduction

1. The purpose of this Policy is to define the rules, method of processing and using Users' Personal Data. The Policy also contains information on the rights of natural persons in relation to the Personal Data provided by them. The legal basis of the Policy is GDPR. This Policy is the implementation by the Personal Data Controller of the obligations arising from art. 12, 13 and 14 of GDPR.

2. The Policy applies to the Service, application or service referring to this information, as well as to data provided through them, by phone, electronically or in person at the Personal Data Controller's office. Please note that by leaving the Personal Data Controller's website, the User enters an area where the Policy does not apply. The Personal Data Controller is not responsible for the privacy policy rules applicable on websites operated by other third-party entities.

3. In connection with the Personal Data Controller's business activity and the User's use of the Service, the Personal Data Controller collects data to the extent necessary to provide individual services offered, as well as information about the User's activity on the Service. The detailed rules and purposes of processing Personal Data are described below.

III. Contact with the Personal Data Controller

In all matters related to the processing of Personal Data, you can contact the Personal Data Controller at the above-mentioned address of the registered office or by email: dataprotection@gtcgroup.com.

IV. Purposes and legal basis for the processing of Personal Data

The Personal Data Controller processes Personal Data in accordance with the business profile, for the purposes indicated below. If due to legal regulations, the nature of the service or the need to settle it, there is a need to process other personal data of the Users, the Personal Data Controller may process them to the extent necessary.

IV.1. Using the Service

Personal Data of all persons using the Service (including IP address or other identifiers and information collected via cookies or other similar technologies) are processed by the Personal Data Controller:

i. in order to provide electronic services in the scope of making content collected on the Service available to Users - then the legal basis for processing is the legitimate interest of the Personal Data Controller (Article 6(1)(b) of the GDPR);

ii. for analytical and statistical purposes - then the legal basis for processing is the legitimate interest of the Personal Data Controller (Article 6(1)(f) of the GDPR), consisting in conducting analyzes of Users' activity, as well as their preferences in order to improve the functionalities and services provided;

iii. in order to possibly establish and pursue claims or defend against claims - the legal basis for processing is the legitimate interest of the Personal Data Controller (Article 6(1)(f) of the GDPR), consisting in the protection of its rights.

The User's activity on the Service, including his Personal Data, are recorded in system logs (a special computer program used to store a chronological record containing information about events and activities that relate to the IT system used to provide services by the Personal Data Controller). The information collected in the logs is processed primarily for purposes related to the provision of services. The Personal Data Controller also processes them for technical and administrative purposes, to ensure the security of the IT system and to manage this system, as well as for analytical and statistical purposes - in this respect, the legal basis for processing is the Personal Data Controller's legitimate interest (Article 6(1)(f) of the GDPR).

IV.2. Recruitment

If you respond to our job offer, your Personal Data are processed in order to carry out the recruitment process for the position offered in our structures and to select the right person to be employed in the position specified in the job offer, including the assessment of the candidate's qualifications, abilities and skills. We obtain this data directly from you.

The legal basis for the processing of your Personal Data in the scope resulting from the provisions of law is:
- for employment contract: a legal obligation imposed on the Personal Data Controller (Article 6(1)(c) of the GDPR); in the case of providing Personal Data in a wider scope than specified in the provisions of law the legal basis for processing is your consent (Article 6(1)(a) of the GDPR);
- for civil law contract: a necessity of processing to conclude and perform the contract (Article 6(1)(b) of GDPR).

If you provide us with your application, but we are not currently recruiting, your Personal Data is processed in order to carry out future recruitment processes and select the right person for employment in a vacant position, including the assessment of qualifications, abilities and skills of the candidate for work.

The legal basis for the processing of your Personal Data for the purposes of future recruitments is your consent (Article 6(1)(a) of the GDPR). We treat the sending of application documents to us as tantamount to consent for the processing of data contained therein.

IV.3. Sending commercial/marketing information

In the event of consent to receive marketing/commercial information from the Personal Data Controller by e-mail and/or telephone, Personal Data are processed in order to provide the above-mentioned information.

The legal basis for the processing of Personal Data is the legitimate interest of the Personal Data Controller in connection with the consent given (Article 6(1)(f) of the GDPR), consisting in the provision of content requested by the User.

IV.4. Contact form/contact via email/personal contact

The Personal Data Controller provides the possibility of contacting him using electronic contact forms, via e-mail address provided on the Service or trough designated information points.

The legal basis for the processing of personal data is the legitimate interest of the Personal Data Controller - (Article 6(1)(f) of the GDPR).

IV.5. E-mail and traditional correspondence

In the case of directing to the Personal Data Controller via e-mail or traditional correspondence not related to the services provided to the sender or any other contract concluded with him, Personal Data contained in this correspondence is processed only for the purpose of communication and solving the matter to which the correspondence relates.

The legal basis for processing is the legitimate interest of the Personal Data Controller (Article 6(1)(f) of the GDPR) consisting in conducting correspondence addressed to him in connection with his business activity.

IV.6. Telephone contact

In the event of contacting the Personal Data Controller by phone, in matters not related to the concluded contract or the services provided, the Personal Data Controller may request Personal Data only if it is necessary to handle the matter to which the contact relates.

The legal basis in this case is the legitimate interest of the Personal Data Controller (Article 6(1)(f) of the GDPR) consisting in the need to resolve a reported case related to the business activity conducted by him.

IV.7. Collecting data as part of business contacts

In connection with the conducted business activity, the Personal Data Controller collects Personal Data, e.g. during business meetings or by exchanging business cards - for purposes related to initiating and maintaining business contacts.

Such Personal Data are processed in order to implement the legitimate interest of the Personal Data Controller and his contractor (Article 6(1)(f) of the GDPR) consisting in creating a network of contacts in connection with the conducted business activity.

IV.8. Processing of Personal Data of the Personal Data Controller's clients or members of the contractors' staff

In connection with concluding contracts as part of its business activity, the Personal Data Controller obtains from contractors / clients data of persons involved in the implementation of such contracts (e.g. data of contact persons performing the contract, data of persons representing the client / contractor, etc.). The scope of the data provided is in each case limited to the extent necessary to perform the contract and usually does not include information other than name, position and business contact details.

Such Personal Data are processed by the Personal Data Controller in order to:

i. conclusion and performance of the contract, on the basis of the need to perform the contract, i.e. when processing is necessary to perform the contract to which the User is a party, or to take action at the request of the User before concluding the contract (Article 6(1)(b) of the GDPR);

ii. resulting from legitimate interests pursued by the Personal Data Controller, i.e. related to the identification of parties, ensuring contact with the contractor, verification whether the person who contacts the Personal Data Controller is authorized to take actions on behalf of the contractor as well as in connection with any claims, handling requests, archiving, ongoing contact (Article 6(1)(f) of the GDPR);

iii. related to the performance of obligations arising from legal provisions, in particular in the field of taxes, accounting, civil law (Article 6(1)(c) of the GDPR.

IV.9. Implementation of legal obligations imposed on the Personal Data Controller

The Personal Data Controller processes Users' Personal Data in connection with the implementation of legal obligations imposed on him regarding accounting and accounting documentation, as well as the implementation of the rights of the Users.

Such Personal Data is processed on the basis of article 6(1)(c) of the GDPR - processing is necessary to fulfill the legal obligation imposed on the Personal data Controller

IV.10. Establishing, pursuing claims and defending against claims

In order to establish, pursue claims and defend against claims, including documenting objections to the processing of Personal Data, Users' Personal Data that they have provided to the Personal Data Controller will be processed.

The legal basis for the processing of Personal Data is article 6 (1)(f) of the GDPR, which allows for the processing of Personal Data for the purpose of possible determination, investigation or defense against claims, which are the implementation of the Personal Data Controller's legitimate interest.

IV.11. Social media

LinkedIn

Personal Data are processed in order to:

i. administration and management of the Personal Data Controller's company profile, including responding to posts and comments posted by Users, and supervision over content published by Users

- the legal basis for data processing is the Personal Data Controller's legitimate interest (Article 6(1)(f) of the GDPR) consisting in the possibility of running and managing a company profile;

ii. responding to inquiries addressed to the Personal Data Controller via the LinkedIn profile

- the legal basis for data processing is the Personal Data Controller's legitimate interest (Article 6(1)(f) of the GDPR) consisting in the possibility of providing answers to persons contacting the Personal Data Controller;

iii. fulfillment of legal obligations imposed on the Personal Data Controller

- the legal basis for data processing is article 6 (1)(c) of the GDPR;

iv. implementation of other legally justified interests of the Personal Data Controller, for which the Personal Data Controller considers in particular the possibility of pursuing and defending claims, preventing fraud and economic crimes

- the legal basis for data processing is article 6 (1)(f) of the GDPR.

In addition, the Personal Data Controller informs that the administrator of the LinkedIn portal as a supplier of tools is an entity jointly responsible for the processing of data of persons using the Personal Data Controller’s company profile, which may process their data for its own purposes based on its own legal grounds.

More information on data processing by the LinkedIn administrator can be found at the following link: https://www.linkedin.com/legal/privacy-policy?_l=pl_PL

Youtube

Personal Data are processed in order to:

i. administration and management of the Personal Data Controller's company profile, including responding to posts and comments posted by Users, and supervision over content published by Users

- the legal basis for data processing is the Personal Data Controller's legitimate interest (Article 6(1)(f) of the GDPR) consisting in the possibility of running and managing a company Youtube profile;

ii. fulfillment of legal obligations imposed on the Personal Data Controller

- the legal basis for data processing is article 6 (1)(c) of the GDPR;

iii. implementation of other legally justified interests of the Personal Data Controller, for which the Personal Data Controller considers in particular the possibility of pursuing and defending claims, preventing fraud and economic crimes

- the legal basis for data processing is article 6 (1)(f) of the GDPR.

In addition, the Personal Data Controller informs that the administrator of the Youtube portal as a supplier of tools is an entity jointly responsible for the processing of data of persons using the Personal Data Controller’s company profile, which may process their data for its own purposes based on its own legal grounds.

More information on data processing by the Youtube administrator can be found at the following link:

https://www.youtube.com/static?gl=PL&template=terms

IV.12. Video surveillance

The Personal Data Controller uses a video monitoring system in Advance Business Centre in Sofia 1715, Mladost District, 2 Samara Str. (hereinafter as: „Gallery”) Your Personal Data in the form of an image recorded using video monitoring will be processed in order to:

i. ensuring the safety of people staying in the Gallery, including the safety of employees, customers and to protect property,

ii. establishing, investigating and defending claims.

The use of video surveillance takes place on the basis of article 6 (1)(f) of the GDPR., i.e. in the legitimate interest pursued by the Personal Data Controller.

Places covered by video surveillance are appropriately marked with pictograms informing about installed cameras.

V. Recipients of Personal Data

In connection with the conduct of activities requiring the processing of Personal Data, Personal Data may be disclosed to external entities.

The recipients of Personal Data entrusted to the Personal Data Controller by the Users are the following entities to whom Personal Data is transferred to the minimum extent necessary to achieve the purpose / purposes for which the data was obtained:

• authorized Personal Data Controller's personnel, subcontractors and entities providing services to the Personal Data Controller (including IT services and technical support), which must have access to data in order to properly perform their duties;

• entities processing Personal Data on behalf of the Personal Data Controller (e.g. accounting office, technical service providers, hosting service providers, law firms);

• competent authorities authorized in accordance with applicable law regulations;

• in the case of data processed on the LinkedIn portal, the recipients of the data will be other LinkedIn users (due to the fact that information about people following accounts, likes, as well as the content of comments, posts and other information provided by Users are public) as well as the administrator of the LinkedIn portal;

• in the case of data processed on the Youtube portal, the recipients of the data will be other users of the Youtube channel (due to the fact that information about people following accounts, likes, as well as the content of comments, posts and other information provided by Users are public) as well as the administrator of the Youtube portal.

VI. Period of Personal Data processing

The Personal Data Controller processes the Personal Data obtained for the period necessary to achieve the purpose/purposes for which they were provided or for the period provided under the applicable laws, which impose to the Data Controller specific terms for safekeeping the data subjects’ personal data. The period of data processing is related to the purposes and grounds for their processing, therefore:

• data processed on the basis of statutory requirements (e.g. tax) will be processed for the time in which the law requires data storage;

• when the basis for processing is the performance of the contract, then the data is processed by the Personal Data Controller as long as it is necessary to perform the contract;

• data processed on the basis of the Personal Data Controller's legitimate interest will be processed until the data subject successfully submits an objection or the interest ceases. Data processed for the purpose of pursuing or defending against claims will be processed for a period equal to the period of limitation of these claims;

• data processed on the basis of consent will be processed until the consent expressed by the data subject is withdrawn;

• Personal Data processed as part of the recruitment process will be stored until the completion of this process, and in the event of consent to the processing of data for future recruitment, for a period not longer than 6 months year;

• Personal Data processed on the LinkedIn portal will be stored for the period in which the User remains an active user of the Personal Data Controller's company profile or until an objection to data processing is raised; while the data contained in posts or comments will be processed until they are deleted;

• Personal Data processed on the Youtube portal will be stored for the period in which the User remains an active user of the Personal Data Controller's company profile or until the objection to data processing; while the data contained in posts or comments will be processed until they are deleted;

• registered video surveillance recordings will be stored for a period of up to 2 months from the date of recording. In the event that the recordings will constitute evidence in proceedings conducted under the law or the Personal Data Controller becomes aware that they may constitute evidence in proceedings, the storage period of the recording will be extended until the final conclusion of such proceedings.

The period of data processing may be extended if the processing is necessary to establish or pursue claims or defend against claims, and after this period - only if and to the extent required by law. After the end of the processing period, the data is irreversibly deleted or anonymized.

VII. Users rights

The Personal Data Controller exercises the rights of the Users related to the processing of their Personal Data. In particular, each User has the right to:

• access to his Personal Data, including obtaining a copy thereof;

• rectification (correction) or completion of incomplete Personal Data;

• request deletion of Personal Data in cases provided for by law ("right to be forgotten");

• submit a request to limit the processing of Personal Data;

• object to the processing of Personal Data;

• if the basis for the processing of Personal Data is the legitimate interest of the Personal Data Controller, the User has the right to object to the processing of Personal Data at any time, without the need to justify his decision, especially when the legitimate interest consists in conducting activities related to marketing direct;

• withdrawal of consent to the processing of Personal Data. The consent expressed by the Users may be withdrawn at any time, which will not affect the lawfulness of data processing carried out before its withdrawal.

The above rights, as well as the intention to withdraw consent, may be implemented by sending a relevant request by e-mail to the e-mail address indicated in point III of the Policy or by post to the address of the Personal Data Controller's registered office given in point I and III of the Policy.

In cases where it is recognized that the processing of Personal Data of natural persons by the Personal Data Controller violates the provisions of the GDPR or is inconsistent with the Policy, Users have the right to lodge a complaint with the supervisory body.

VIII. Security of Personal Data

The Personal Data Controller ensures the security of Personal Data against unlawful disclosure to unauthorized persons, data acquisition by unauthorized persons, destruction, loss, damage or change, and personal data processing in a manner inconsistent with the provisions of the GDPR.

In order to secure the entrusted Personal Data, the Personal Data Controller takes technical and organizational measures that meet the requirements of the GDPR, in particular the measures listed in art. 24 and Art. 32 of the GDPR, ensuring confidentiality, integrity and availability of processing services for the Personal Data provided.

IX. Automated decision making and profiling

Your data may be processed by the Personal Data Controller in an automated manner, including in the form of profiling. However, individual decisions related to this processing will not be automated.

X. Final Provisions

To the extent not covered by this Policy, EU regulations on the protection of personal data shall apply.

The date of the last update of the Policy: 05.09.2023