Personal data protection policy

Based on the General Data Protection Regulation (EU Regulation 2016/679), Men-Ars d.o.o. issued the following document on May 25, 2018:

PERSONAL DATA PROTECTION POLICY

I. GLOSSARY

Personal data - data relating to an individual whose identity has been determined or can be determined ("the respondent").

Respondent - a person who can be identified directly or indirectly, especially with the help of identifiers such as name, identification number, location data, network identifier or with the help of one or more factors characteristic of the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Processing of personal data - any procedure or set of procedures performed on personal data or on sets of personal data, either by automated or non-automated means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, inspection, use, disclosure by transfer, dissemination or otherwise making available, matching or combining, restriction, erasure or destruction.

Controller - means a natural or legal person, who alone or together with others determines the purposes and means of personal data processing.

Processor - means a natural or legal person, which processes personal data on behalf of the controller.

Information system - the totality of technological infrastructure, organization, people and procedures for collecting, processing, generating, storing, transmitting, displaying and distributing information as well as disposing of it. An information system can also be defined as the interaction of information technology, data and procedures for data processing, and the people who collect said data and use it.

Supervisory body - an independent body of public authority established by the Republic of Croatia for the purpose of controlling and ensuring the implementation of the Regulation.

Confidentiality - the property of information (data) that it is not available or disclosed to unauthorized subjects.

Integrity - the property of information (data) and processes that they have not been tampered with or changed unexpectedly.

Consent - any voluntary, special, informed and unequivocal expression of the wishes of the subject by which he gives his consent to the processing of personal data relating to him by a statement or a clear affirmative action.

Pseudonymization - processing of personal data so that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that the personal data cannot be attributed to an individual whose identity has been established or can be established.

Personal Data Breach - means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data that has been transmitted, stored or otherwise processed.

Profiling – any form of automated processing of personal data consisting of the use of personal data for the evaluation of certain personal aspects related to an individual, especially for the analysis or prediction of aspects that are important to clients, and related to real estate mediation.

Third parties - a natural or legal person, public authority, agency or other body that is not the data subject, the controller, the processor or a person authorized to process personal data under the direct authority of the controller or processor.

Distribution channels - the means and ways through which access to, contracting of and use of the products and services of Men-Ars d.o.o. is enabled, and through which commercial information and offers related to the products and services of Men-Ars d.o.o. are sent, including the headquarters (Zagrebačka 31, Varaždin) and the website (www.men-ars.hr) of Men-Ars d.o.o., and the rest.

Information about the available distribution channels of Men-Ars d.o.o. is available to the client at any time by calling the number 042/200-117.

Binding corporate rules - personal data protection policies that a controller or processor with a business establishment in the territory of a member state adheres to for transfers or sets of transfers of personal data to a controller or processor in one or more third countries within a group of entrepreneurs or a group of companies that engage in joint economic activity.

 

II. FUNDAMENTAL PROVISIONS

Men-Ars d.o.o. ensures adequate security of personal data that it collects and processes at all levels of its operations. This Policy defines the principles and rules of personal data protection in accordance with legal regulations.

The personal data protection policy adopted by Men-Ars d.o.o. describes the purpose and goals of collecting, processing and managing personal data. The policy ensures an adequate level of data protection in accordance with the General Data Protection Regulation and other applicable valid laws that relate to the protection of personal data.

 

III. HEAD OF PERSONAL DATA PROCESSING

Men-Ars d.o.o., Zagrebačka 31, Varaždin, entered in the court register of the Commercial Court in Varaždin under registration subject number (MBS) 070072663, OIB: 14297783402, an authorized real estate broker, is the manager of personal data processing.

Contact information:

Men-Ars d.o.o., Zagrebačka 31, 42000 Varaždin

Phone: 042/200 117, Fax: 042/488 130

E-mail: info@men-ars.hr

 

IV. SCOPE AND OBJECTIVE

The goal of the policy is to establish appropriate processes for the protection and management of personal data of all persons (hereinafter: respondents) whose data is processed.

The policy applies to all processing of personal data within the company, except in cases where the processing is of such a nature that it involves statistical analyses from which it is not possible to identify an individual.

The policy defines the basic general principles and rules of personal data protection in accordance with security and business requirements, as well as legal regulations.

The goal of the Policy is to establish clear and appropriate processes for the protection and management of the personal data of respondents in a publicly accessible manner so that all respondents are familiar with the manner in which personal data is handled.

 

V. PRINCIPLES OF DATA PROCESSING

The principles of data processing are the basic rules that Men-Ars d.o.o. adheres to when processing personal data of respondents, and processing carried out in accordance with the principles listed below is considered legal.

Men-Ars d.o.o. processes personal data according to the following processing principles:

1. Legally and fairly - with respect to the respondents and their rights, Men-Ars d.o.o. will process personal data of respondents in accordance with applicable laws and covering all rights of respondents. Sometimes respondents will have to be asked for some personal data that is not necessary for the performance of a specific service, but is required by law to be collected (e.g. the Law on Prevention of Money Laundering and Financing of Terrorism). Men-Ars d.o.o. will process and use your personal data legally and fairly.

2. Transparent - Men-Ars d.o.o. will ensure the transparency of personal data processing and, in accordance with the Regulation, will provide respondents with all the necessary information and, upon request, provide insight into their data, processing explanations, grounds and legality of processing, etc., through this Policy but also through other channels that will be available to respondents. Men-Ars d.o.o. will provide information to respondents on how personal data relating to them is collected, used, made available for inspection or otherwise processed, as well as to what extent such personal data is processed or will be processed. The respondent will be informed of all relevant information in a timely manner, i.e. before the actual data collection.

3. With purpose limitation - personal data must be collected for specific, explicit and lawful purposes and must not be further processed in a manner inconsistent with these purposes. For example, if the respondent provided a set of personal data (e.g. name, surname, OIB, etc.) for the purpose of mediation in real estate transactions, Men-Ars d.o.o. will not process the same data for any other purpose, unless there are other processes that are required by law or are necessary for quality delivery of the service itself.

4. With storage limitation - Men-Ars d.o.o. ensures that the personal data of the data subject is kept in a form that enables the identification of the data subject only for as long as is necessary for the purposes for which the personal data is processed. Men-Ars d.o.o. may store personal data for longer, but for this it must have a clear purpose in terms of legal obligation or legitimate interest.

5. Reduction of the amount of data - Men-Ars d.o.o. uses only the necessary data and collects and processes personal data in such a way that they are appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Processes in Men-Ars d.o.o. are designed in such a way as not to collect data for which there is no justified need for collection.

6. Accuracy - Men-Ars d.o.o. ensures that data is accurate and up-to-date as necessary; every reasonable measure must be taken to ensure that personal data that is inaccurate, taking into account the purposes for which it is processed, is deleted or corrected without delay. Men-Ars d.o.o. ensures the application of this principle through regular controls, but also a transparent process of communication with respondents through which correction of data can be requested in the event that the respondent notices that some of his personal data is not listed correctly.

7. Integrity and confidentiality - Men-Ars d.o.o. ensures security, supervision and control over data and data processing by collecting and processing data in a way that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage by applying appropriate technical and organizational measures. Men-Ars d.o.o. uses IT systems aimed at detecting and preventing data leaks, data access control methods, data access restrictions according to the needs of the workplace, etc.

In accordance with the stated principles, the data of the respondents will be accessed by the employees of Men-Ars d.o.o. depending on their authorizations and positions, in order to successfully fulfill the tasks defined for their position. Part of the services for Men-Ars d.o.o. is also performed by other legal entities, with whom the data of the respondent will be shared only if they are necessary for the fulfillment of contractual obligations (e.g. law firm, authorized appraisers, etc.).

In cases where there is a legal basis (e.g. ZSPNFT forms) Men-Ars d.o.o. will forward the respondent's data to state institutions.

VI. LEGALITY OF PROCESSING

Men-Ars d.o.o. considers personal data of respondents as their property and treats them as such. In order for Men-Ars d.o.o. to be able to provide the service to the respondent, and in accordance with the legal grounds mentioned below, it is necessary to process a minimum set of data necessary for the quality provision of a particular service. Otherwise, i.e. if the respondent refuses to provide the requested set of data, Men-Ars d.o.o. will not be able to provide him with a service.

Accordingly, the personal data of the respondent is processed when one of the following conditions is met:

a) the processing is necessary for the execution of a contract in which the respondent is a party or in order to take actions at the request of the respondent before concluding the contract

b) processing is necessary to comply with legal obligations (legal regulations that apply to employees or valid legal regulations that Men-Ars d.o.o. is obliged to act according to) - whenever the law authorizes or obligates Men-Ars d.o.o. to carry out certain processing, Men-Ars d.o.o. will process personal data of respondents based on that law. For example, in the event of a legal obligation, such as the Law on Prevention of Money Laundering and Financing of Terrorism, Men-Ars d.o.o. will collect and process a legally defined data set, and in case the respondent refuses to provide the requested data set, Men-Ars d.o.o. will not be able to provide him with a service

c) processing is necessary for the legitimate interests of Men-Ars d.o.o. - except when the interests or fundamental rights and freedoms of the data subject that require the protection of personal data are stronger than those interests, especially if the data subject is a child. The legitimate interest of Men-Ars d.o.o. includes processing that serves to improve the process, product development and business improvement, modernize services, offer products and services that would clearly facilitate business with Men-Ars d.o.o., for the protection of property and people, and for the benefit of resolving court disputes

d) the subject has given consent for the processing of his personal data for one or more special purposes - the consent must be demonstrable and voluntary, written in easily understandable language and the subject has the right to withdraw his consent at any time (withdrawing consent must be as simple as giving consent). Men-Ars d.o.o. will request consent from the respondent for data processing and contacting via the contact information provided by the respondent to Men-Ars d.o.o. Men-Ars d.o.o. considers the presentation of new products and services that it communicates through available distribution channels to be part of the service and will not request the consent of the respondent for this, while the processing itself is in accordance with the principles of processing specified in point VI. and is based on one of the aforementioned legal grounds for processing

e) processing is necessary to protect the key interests of the data subject or other natural persons

f) the processing is necessary for the performance of duties in the public interest or for the performance of the official authority of the data controller.

 

VII. PERSONAL DATA PROCESSING THROUGH VIDEO SURVEILLANCE

In the company Men-Ars d.o.o. there is a video surveillance system relating to the collection and processing of personal data that includes the creation of a recording that forms or is intended to form part of a storage system.

Men-Ars d.o.o. carries out processing of personal data through video surveillance only for a purpose that is necessary and justified for the protection of persons and property.

The video surveillance system is protected against access by unauthorized persons.

The director of the company has the right to access personal data collected through video surveillance.

Video surveillance in the company Men-Ars d.o.o. may include rooms, parts of rooms, the external surface of the building, as well as the inner part of the yard, the supervision of which is necessary to achieve the protection of persons and property.

Men-Ars d.o.o. is obliged to indicate in a visible place that the building, that is, an individual room in it and the external surface of the building, is under video surveillance; the notification should be visible at the latest when entering the recording area.

The notification should contain all relevant information in accordance with the provisions of Art. 13 of the General Data Protection Regulation, including a comprehensible image with text that informs respondents that the area is under video surveillance, information about the data controller and contact information through which the respondent can exercise their rights.

The processing of personal data of employees through the video surveillance system can only be carried out if, in addition to the conditions established by this law, the conditions established by the regulations governing occupational safety are met, and if the employees were individually informed in advance of such a measure, and if the employer informed the employees before making the Decision on setting up a video surveillance system.

Video surveillance of working rooms must not include rooms for rest, personal hygiene and changing.

Men-Ars d.o.o. will keep recordings obtained through video surveillance for a maximum of 6 months.

 

VIII. RIGHTS OF RESPONDENTS

Men-Ars d.o.o. is aware that the personal data of the respondents is their property, and although these data are necessary for the provision of the service, the respondents retain certain rights in relation to the processing of their data at all times. Men-Ars d.o.o. collects and processes data only with the existence of the aforementioned legality of processing.

Men-Ars d.o.o. will provide the following information to the respondent at the time of information collection: the identity and contact information of the data controller, the processing purposes for which personal data are used as well as the legal basis for processing, legitimate interests, recipients or categories of recipients of personal data, data storage period or criteria that define that period, rights related to consents, the potential existence of automated decision-making and the existence of the rights listed below. In case the data is not collected directly from the respondents, the source of the personal data is indicated along with the stated data.

Men-Ars d.o.o. processes personal data in accordance with the data subject's rights defined in the Regulation, which are listed below:

• Right to erasure ("right to be forgotten") - the respondent has the right to obtain from Men-Ars d.o.o. the deletion of personal data relating to him, and Men-Ars d.o.o. has the obligation to delete personal data without undue delay if one of the following conditions is met:

a. personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed

b. the subject withdraws the consent on which the processing is based, and there is no other legal basis for the processing

c. the respondent lodges an objection to the processing, and the legitimate reasons for realizing the right to erasure outweigh the legitimate interest of Men-Ars d.o.o. for processing and/or storing personal data

d. personal data were illegally processed

e. personal data must be deleted in order to comply with a legal obligation

• The right to access data - the respondent has the right to get from Men-Ars d.o.o. confirmation whether his personal data is being processed and, if such personal data is being processed, access to the personal data and information on the purpose of processing, categories of data, potential recipients to whom personal data will be disclosed, etc.

• Right to rectification - the respondent has the right to obtain from Men-Ars d.o.o. without undue delay correction of incorrect personal data relating to him. The respondent has the right to complete incomplete personal data. In addition, the respondent has the obligation to update personal data in the business relationship with Men-Ars d.o.o.

• The right to transfer data - the respondent has the right to receive personal data relating to him, provided by Men-Ars d.o.o., in a structured, commonly used and machine-readable format, and he has the right to transfer this data to another data controller (the right to transfer applies exclusively to the personal data of the respondent).

• The right to object - the subject has the right, based on his particular situation, to object to the processing of personal data relating to him at any time. In such a situation, Men-Ars d.o.o. may no longer process personal data unless it proves that there are compelling legitimate reasons for the processing that go beyond the interests, rights and freedoms of the data subject, or that the processing serves to establish, exercise or defend legal claims. If personal data is processed for the purposes of direct marketing, the data subject has the right at any time to object to the processing of personal data relating to him for the purposes of such marketing, which includes creating a profile to the extent related to such direct marketing.

• The right to restriction of processing - the subject has the right to request from Men-Ars d.o.o. the restriction of processing in case he disputes the accuracy of personal data, when he considers that the processing is illegal and opposes the deletion of personal data and instead requests the restriction of their use, and in the case when the respondent has filed an objection to the processing and awaits confirmation whether the legitimate reasons of the manager of the processing outweigh the respondent's reasons.

The respondent has the right to demand the realization of the above-mentioned rights at any time. Men-Ars d.o.o. upon request, provides the respondent with information on the actions taken related to the aforementioned rights, no later than within 1 month of receiving the request. The deadline can be extended (depending on the amount and complexity of the request) by a maximum of another 2 months, but only if necessary. If Men-Ars d.o.o., due to objective circumstances, is unable to provide the requested data, it will inform the respondent of the reasons.

In addition, the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects that relate to him or similarly significantly affect him, unless that decision is:

- necessary for the conclusion or execution of the contract between the respondent and Men-Ars d.o.o.

- permitted by law

- based on the express consent of the respondent

 

IX. OBLIGATIONS OF MEN-ARS D.O.O. ACCORDING TO THE REGULATION

Men-Ars d.o.o. implements appropriate technical and organizational measures in order to ensure an appropriate level of security of the processing of personal and all other data of respondents:

- continuous technical and organizational protection measures to ensure an adequate level of security of data processing, regardless of the form in which they are stored - paper or electronic (use of passwords, security labels, access to personal data exclusively with a protected password, safe storage of files, prints, use of appropriate protective measures for all transfers of personal data outside the network and premises of Men-Ars d.o.o. and others)

- not allowing unauthorized collection, processing or use of personal data

- application of the rule of limiting access to data only to those that are necessary for the performance of certain business tasks

- preventing unauthorized persons from gaining access to the data processing system in which personal data is processed

- preventing persons who have the right to use the data processing system from accessing personal data that are beyond their needs and authorizations and a strict ban on those persons to use the personal data of the respondents for any other purpose that is not in accordance with the conditions defined in Chapter VI. Lawfulness of processing

- ensuring that personal data during electronic transmission cannot be read, copied, changed or removed without authorization

- ensuring the availability of system records for the purpose of determining by whom personal data were entered into, changed in or removed from the data processing system

- ensuring that personal data is protected against unwanted destruction or loss

- ensuring that personal data collected for different purposes can be processed separately

- ensuring that personal data is not kept longer than necessary

It should be emphasized that Men-Ars d.o.o. in accordance with the applicable laws (e.g. the Law on Prevention of Money Laundering and Financing of Terrorism) has the right to view and process part of personal data, but only to the extent necessary to fulfill regulatory requirements or to execute a contract with the respondent.

 

X. AUTOMATIC DATA PROCESSING

Making decisions based on automatic data processing is an integral part of Men-Ars d.o.o. business and as such it is necessary, and is carried out in accordance with:

- valid laws to which Men-Ars d.o.o. is subject, among other things for the purposes of monitoring and preventing fraud, money laundering, etc., which is carried out in accordance with regulations, standards and recommendations of European Union institutions or national supervisory bodies

- ensuring the safety and reliability of the service provided by Men-Ars d.o.o.

- if it is necessary for the conclusion or execution of a contract between the respondent and the data controller, which includes risk reduction in business, improvement of business, certain overnight processing that is an integral part of the IT system, etc.

- when the respondent has expressly given his consent

- legitimate interest

In accordance with the Regulation, Men-Ars d.o.o. gives respondents the right to object to automatic and manual data processing for the purpose of direct marketing, including profiling to the extent related to such direct marketing, either in relation to initial or further processing, at any time and free of charge.

 

XI. TRANSFER OF PERSONAL DATA

For the purposes of running the business of Men-Ars d.o.o., executing contracts and complying with legal and statutory obligations, Men-Ars d.o.o. may transfer personal data of the respondent to supervisory authorities, external collaborators (e.g. law firm, authorized appraiser, etc.) and third parties that it brings into contact with the respondent (e.g. a person who is the principal of a potential buyer, tenant or lessee, and a party that is interested in purchase, rent or lease to the owner of the property and/or his representative, family member or any other contact person).

 

XII. PERSONAL DATA PROCESSING REGISTER

Men-Ars d.o.o. keeps records of processing activities for which it is responsible, i.e. in cases where it is in the role of processing manager. These records are in electronic and 'paper' form and contain at least the following information:

• the name and contact information of the data controller

• processing purposes

• description of categories of subjects and categories of personal data

• categories of recipients to whom personal data has been disclosed or will be disclosed

• provided deadlines for the deletion of different categories of data, if possible

• general description of technical and organizational security measures

 

XIII. STORAGE PERIOD OF PERSONAL DATA

The personal data of the respondent is kept for the duration of the contractual relationship, i.e. for the time that the consent of the respondent exists for the processing of personal data, and for the period during which Men-Ars d.o.o. is legally required to keep certain data in accordance with the retention periods prescribed by the Law on the Prevention of Money Laundering and Financing of Terrorism, which is 10 years after the end of the year in which the business relationship ended. Personal data can be stored for a longer period of time for other justified purposes (e.g. due to court and legal proceedings, legitimate interest, etc.). Personal data of employees is kept permanently in accordance with the Labor Act and the Ordinance on the content and method of keeping records on employees. Videos are kept for a maximum of 6 months.

 

XIV. INCIDENTS/DATA LEAKS AND THE RIGHT TO COMPLAIN

Men-Ars d.o.o. undertakes appropriate technical and organizational measures to protect the personal data of respondents. In addition, all employees have the duty to notify the responsible person in the event of an incident related to the protection of personal data, and in the event of a personal data breach, Men-Ars d.o.o. is obliged to report the incident to the Personal Data Protection Agency within 72 hours after becoming aware of the violation, if this is feasible.

In the event of a breach of personal data that is likely to cause a high risk for the rights and freedoms of individuals, Men-Ars d.o.o. will inform the respondent without undue delay about the violation of personal data.

The respondent has the right to submit a complaint to the supervisory body (Personal Data Protection Agency) in the event of an incident concerning his personal data or if he believes that Men-Ars d.o.o. violates his rights defined by the General Data Protection Regulation.

 

XV. FINAL PROVISIONS

This Policy enters into force on the day of its adoption, and it is applied from May 25, 2018.

This Policy is publicly available, it is published on the website: www.men-ars.hr and is also available at the headquarters of Men-Ars d.o.o.: Zagrebačka 31, 42000 Varaždin.

 

Varaždin, January 2, 2024.

 

MANAGER OF PERSONAL DATA PROCESSING:

Men-Ars d.o.o.