Privacy Policy

Introduction
This Privacy and Personal Data Protection Policy governs the manner in which "Iris Partners RE" Ltd., operating under the Sothby's Bulgaria trademark, collects, processes and stores personal data, in accordance with the requirements of the Personal Data Protection Act of the Republic of Bulgaria , "The General Data Protection Regulation" - Regulation (EU) 2016/679 and other normative Bulgarian or international acts.

Confidentiality of information is a top priority for "Iris Partners RE" OOD. In its capacity as a personal data administrator and in accordance with legislation and good practices, "Iris Partners RE" Ltd. implements the required technical and organizational measures to protect the personal data of natural persons. This policy provides information about how and what types of personal data we collect from and about you, why we need it, to whom it may be provided or disclosed and how it is protected. Please read them carefully. By providing your personal data to "Iris Partners RE" OOD, whether electronically or on paper, you accept and agree to the practices described in this Privacy and Personal Data Protection Policy. Please contact us if you have any questions related to this policy and if you do not agree with any of the terms contained in the privacy policy.

Information about "Iris Partners RE" Ltd. as Administrator of personal data.
In connection with the processing of your personal data, you can contact us at the following address:

Name: "Iris Partners RE" Ltd

Address: Sofia 1000, "Oborishte" district, "Moskovska" street No. 29A, represented by the manager Hristo Dimitrov Angelkov

Email: hangelkov@sothebys-realty.bg

Plea
This Privacy Policy is issued on the basis of the Personal Data Protection Act and its by-laws and the General Data Protection Regulation - Regulation (EU) 2016/679 ("GDPR"). Bulgarian legislation and GDPR provide rules about how "Iris Partners RE" OOD should collect, process and store personal data.

In order for the processing of personal data to be in accordance with the legal requirements, the personal data is collected and used lawfully, the necessary security of the processing operations is ensured and "Iris Partners RE" OOD has taken the necessary measures so that the processed personal data are not subject to illegal disclosure. According to the basic principles observed by "Iris Partners RE" OOD, your personal data are:

processed lawfully, in good faith and in a transparent manner with respect to the data subject;

collected for specific, explicitly stated and legitimate purposes and not further processed in a manner incompatible with these purposes;

appropriate, related to and limited to what is necessary in relation to the purposes for which they are processed;

and and kept up-to-date; "Iris Partners RE" OOD has taken all reasonable measures to ensure the timely deletion or correction of inaccurate personal data, taking into account the purposes for which they are processed;

stored in a form that allows the identification of the data subject for a period not longer than necessary for the purposes for which the personal data are processed;

processed in a way that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures;

"Iris Partners RE" Ltd. is responsible and is able to prove that it complies with the basic principles related to the processing of personal data.

Scope
Definitions:

"Personal Data" means any information relating to an identified natural person or an identifiable natural person ("data subject"); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or by one or more characteristics specific to the physical, the physiological, genetic, psychic, mental, economic, cultural or social identity of that natural person;

"Processing" means any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, distribution or other way in which the data is made available, arranged or combined, restricted, deleted or destroyed;

"Personal data register" means any structured set of personal data that is accessed according to certain criteria, whether centralized, decentralized or distributed according to a functional or geographical principle;

"Administrator" means a natural or legal entity

a person, public body, agency or other structure that alone or jointly with others determines the purposes and means of processing personal data; where the purposes and means of this processing are determined by Union law or the law of a Member State, the controller or the special criteria for its determination may be established in Union law or in the law of a Member State;

"Contact persons" - natural persons - managers / executive directors / representatives of legal entities - customers / counterparties of "Iris Partners RE" OOD.

The data protection policy applies to the processing of personal data of customers, users, employees, where it has become known to partners and suppliers, as described in the registers of processing activities established in accordance with Article 30 of The General Data Protection Regulation - Regulation (EU) 2016/679 ("Registries of processing activities").

Objectives of the Policy
With the adoption and implementation of the current policy of "Iris Partners RE" OOD in accordance with Bulgarian legislation and Regulation (EU) 2016/679, the rules regarding the protection of natural persons in connection with the processing of personal data, as well as the rules regarding the free movement of personal data.

With this policy, "Iris Partners RE" Ltd. aims to guarantee:

Legality of the processing of personal data carried out by "Iris Partners RE" OOD;

The rights of natural persons, subjects of personal data according to Regulation (EU) 2016/679;

Compliance with the requirements of the regulation to "Iris Partners RE" OOD in its capacity as Administrator and/or Processor, including:

Data protection by design and by default;

Registers of processing activities;

Appropriate technical and organizational measures that are reviewed and, if necessary, updated;

Risk assessment measures related to the processing of personal data;

Compliance with the requirements when entrusting the processing of your personal data to third parties (Processors);

The obligations of the officials processing personal data and/or the persons who have access to personal data and work under the direction of the personal data processors, their liability in case of failure to fulfill these obligations;

Taking into account the achievements of technical progress, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of natural persons, "Iris Partners RE" Ltd. in its capacity as Administrator and/or the Personal Data Processor implements appropriate technical and organizational measures to ensure a level of security commensurate with this risk.

It guarantees compliance with the basic principles when transferring personal data to third countries or international organizations outside the EU.

Purposes of personal data processing
According to the requirements of Section I - Transparency and conditions of the General Regulation on data protection - Regulation (EU) 2016/679 "Iris Partners RE" Ltd. provides transparent information, communication and conditions for the exercise of the rights of data subjects according to Article 12 of the Regulation .

Data may also be processed for the protection and preservation of the Company's rights, in particular, there may be cases where the Company may disclose the data if disclosure is necessary (a) for the protection, exercise or preservation of legal rights , the privacy, safety or property of the Company, its employees, intermediaries and counterparties, (b) to protect the Company against fraud, or (c) for risk management purposes;

The purposes and information regarding the processing of personal data carried out by "Iris Partners RE" OOD are provided in accordance with the performance of the main processes in the Company.

Only with your express consent to send you (via e-mail, SMS, phone, chat and social media) offers, promotions and other marketing messages related to the Company's services, services/products of related parties and/or partner organizations operating in the field of real estate business, including from our affiliated companies and branded or co-branded services and functions conducted jointly with a partner organization or related entity.

Categories of data subjects:
customers, contractors, employees.

LD categories:
Regarding customers, personal data is processed in connection with the performance of our commercial activity, namely representation and agency activity in real estate transactions, etc. These are the following data: The three names; EGN; Identity card data; telephone; email; Bank accounts;

Regarding counterparties: : The three names; EGN; telephone; email; Bank accounts.

Regarding your employees: The three names; EGN; Identity card data; Health Status, Address; Salary; Position; Business Phone; Work email; Employee file; Bank accounts; Autobiography; Education; Internship; Tel. Connection; Born

date; Workplace; Experience; Position etc.

Transparency. Rights of the persons whose data is processed by "Iris Partners RE" OOD:
Right to confirmation of processing and access to your personal data;

Correct inaccurate or incomplete personal data;

To request deletion of your personal data;

To request restriction of the processing of your personal data;

Request to be notified of any action related to correction, deletion or restriction of processing;

To object at any time to the processing of your personal data:

for the performance of a task of public interest or on the basis of official powers, or for the purposes of legitimate interests, including profiling;

for processing for direct marketing purposes;

for processing for the purposes of scientific or historical research or for statistical purposes.

You have the right to refuse to be the subject of a decision based solely on automated processing, including profiling, which gives rise to legal consequences for you or significantly affects you.

You have the right to receive the personal data;

You have the right to file a complaint with the Commission for the Protection of Personal Data in case of violations of Regulation (EU) No. 2016/679 of April 27, 2016 and the right to effective protection against the CPLD, administrator or processor of your personal data;

You have the right to compensation for material or non-material damages suffered as a result of a violation of Regulation (EU) No. 2016/679.

All subjects of personal data (customers, users or employees, where such data has become known to partners or suppliers, as described in the registers of processing activities) have the right to exercise their rights in person, by telephone and via the Internet at the indicated address for contact with "Iris Partners RE" OOD.

Provision of LD and consequences in case of refusal to provide them:
The data subject has the right to refuse to provide his data to the relevant agency or to withdraw his consent to the processing of personal data at any time with a separate request addressed to the administrator. As such, it would prevent "Iris Partners RE" OOD from fulfilling its statutory obligations.

Transfer of personal data to third countries or international organizations
Transfer of personal data that is processed or intended for processing after the transfer to a third country or an international organization outside the EU is carried out by "Iris Partners RE" OOD only under the conditions of the General Data Protection Regulation - Regulation (EU) 2016/ 679, respecting the conditions specified in Chapter V of the regulation.

"Iris Partners RE" Ltd. implements all provisions of the regulation so that the necessary level of protection of natural persons provided by the regulation is not put at risk.

In the event that "Iris Partners RE" OOD transfers personal data to a third country or to an international organization outside the EU, this transfer is carried out in accordance with the requirements for the transfer of data outside the EU. Data subjects are notified in advance in the appropriate manner.

Violations and Notification of Violations
"Personal Data Security Breach" means a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or otherwise processed by Iris Partners RE OOD .

In the event of a violation of the security of personal data, the Administrator of personal data should be immediately notified at the indicated contact address for "Iris Partners RE" OOD.

In the event of a breach of personal data security that is likely to create a risk to the rights and freedoms of natural persons, without undue delay and where feasible — no later than 72 hours after becoming aware of it, " Iris Partners RE" OOD notifies the Personal Data Protection Commission about the violation.

In the event that a specific violation poses a risk to the rights and freedoms of natural persons, "Iris Partners RE" OOD undertakes measures to notify the affected persons in order to minimize possible adverse consequences.

"Iris Partners RE" Ltd. undertakes actions according to the "Procedure in case of violation of the security of personal data".

Destruction of LD
If necessary, "Iris Partners RE" Ltd. follows the "Procedure for storage and destruction of personal data".

Privacy Policy Changes
"Iris Partners RE" Ltd. has the right to update, amend and supplement the personal data protection policy at any time in the future, when the circumstances require it.

The current version of this document is published on the company's website.

Validated and current as of 01.03.2022.