1. Introduction

This Data Protection Policy (a) applies to the Processing of Personal Data by electronic means and in paper-based filing systems, (b) excludes any processing of Personal Data of employees, candidates of the Company, and (c) does not address obligations Company may be subject to under local laws and other applicable regulatory laws.

This Data Protection Policy enters into force on June 5, 2019. Until then, all Company personnel will make all necessary actions to abide by it.


EU Data Protection Laws impose the Company the full observance of the following principles:

Lawfulness, fairness and transparency

Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

Purpose limitation

Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimization

Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.


Personal Data shall be accurate and, where necessary, kept up to date

Storage limitation

Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.

Integrity and confidentiality

Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.


Company, as data controller shall be responsible for, and be able to demonstrate compliance with the EU Data Protection Laws.

2.     Data Protection Compliance starts with every person making the personnel of Company. (“Company ” and/or the “Company”).


3.     Company personnel is expected to handle Personal Data with care. In this Data Protection Compliance Policy, it is explained how the protection of Personal Data must be achieved throughout the Company. The following main directions are mandatory and explained in this document:

·         I only process Personal Data for specific Purpose(s) of Processing. I know that the Purpose of Processing has a valid lawful basis,


·         I am transparent with Data Subjects. I am always informing natural persons in what the Company does with Personal Data (regardless of the natural person being a client, a supplier or any other business partner). The fact that I obtain Personal Data of a natural person representing a legal person or which is acting as an employee of a legal person does not make that Personal Data less important or outside data protection area,


·         I only use Sensitive Personal Data if necessary and where expressly allowed,


·         I make sure that Personal Data are up-to-date, complete and accurate,


·         I treat seriously any request regarding Personal Data. I allow Data Subjects to correct, delete or block their Personal Data,


·         I protect the Personal Data from unauthorized loss, alteration, disclosure or access.



4.     This Data Protection Policy was drafted based on the letter of GDPR as at the time of its drafting no local law was enacted. Any regulatory development (either at EU or national level) may trigger the need to amend or supplement this policy.



5.     Throughout this Data Protection Policy, the following terms will have the following meaning:



means companies which are part of Company Group in European Union to which Company sends Personal Data.

“Automated decision making”

means a process where input data are evaluated exclusively using IT devices, with no humans involved, i.e. in accordance with pre-defined criteria/algorithms and the ultimate decision passed has significant consequences for the Data Subject.

“Data Controller”

Means Company , as it stands for the entity which determines the purposes and means of the Processing of Personal Data.

“Data Processor”

means the entity which performs the Processing of Personal Data on behalf of the Data Controller.

“Data Protection Officer”

means an individual appointed by Company pursuant to a mandatory obligation under EU Data Protection Laws. DPO’s role is mainly: (a) to inform and advise the Company and its employees about their obligations to comply with the EU Data Protection Laws, (b) to monitor compliance with the EU Data Protection Laws, and (c) to be the first point of contact for supervisory authorities and for individuals whose data is processed. Details on DPO rights and responsibilities are set within this document.

“Data Subject”

means the identified or identifiable person to whom Personal Data relates. For the sake of this policy, Data Subjects may be clients or representatives of suppliers and business partners.

“EU Data Protection Laws”

means all laws and regulations applicable in European Union, regardless of them being primary legislation (such as national laws and/or GDPR, defined below) or secondary legislation (such as the Working Party Guidelines or other guidelines issued by the Supervisory Authority), applicable to the Processing of Personal Data.


means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.

“Internal Regulation”

means all internal documents (regardless of their name and object matter) mentioned in the Internal Registry.

“Personal Data”

means any information relating to an identified or identifiable natural person and, where such information is protected under applicable EU Data Protection Laws and Regulations. For the purpose herein, Personal Data includes Personal Data relating to criminal convictions and offences (as defined below) and Special Categories of Personal Data (as defined below).

„Personal Data relating to criminal convictions and offences“

means Personal Data relating to criminal convictions, offences and/or pardons.


means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as for example collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Company Records of processing”

means records kept at Company level that provides an overview of all Processing activities within the organisation (e.g. what kind of data categories are being processed, by whom (which departments or business units) and for which underlying purposes of processing.


  • Company has an inventory of the Purposes of Processing currently applicable to the Company,


  • The Purposes of Processing are exhaustively mentioned in the Company Records of Processing (kept by the Data Protection Officer),


  • Each Purpose of Processing has a legal valid basis and is directly linked with the business activities of the Company,


  • The Purposes of Processing constitute the starting point for each activity of Processing and any deviation or amendment to them will be immediately notified to the Data Protection Officer,


  • Processing of Personal Data (collection, use, storage etc.) is to be done in strict compliance with the Purpose of Processing.


Company has identified specific Purposes of Processing

6.     Generally, the Company collects, uses, stores or otherwise Processes Personal Data in the following ways:

a.     when Data Subject submits any form or document, enters into a formal agreement or provides other documentation or information in respect of its interactions and commercial relationship with Company;


b.     when Data Subject interacts with Company personnel, including customer service officers, relationship personnel and other representatives, for example, via telephone calls, letters, fax, face-to-face meetings and email;


c.      when Data Subject’s images are captured by Company via CCTV cameras while Data Subject is within the Company’s premises;


d.     when Data Subject uses Company services provided through online and other technology platforms;


e.     when Data Subject requests that Company contact him, be included in an email or other mailing list; or when Data Subject responds to Company’s request for additional Personal Data;


f.       when Data Subject uses the Company’s electronic services, or interact with Company via our websites;


g.     when Company carries out checks, due diligence or other screening activities (including background checks) in accordance with legal or regulatory obligations or the Company’s risk management procedures that may be required by law or that may have been put in place by Company;


h.     when Company acts on preventing or investigating any fraud, unlawful activity or omission or misconduct relating to Data Subject’s relationship with Company or any other matter arising from Data Subject’s relationship with Company,


i.        Company will collect your e-mail address to send you “transactional emails” with the product if you decide to buy it. If you agree to subscribe to the service newsletter, we will, from time to time, send free commercial marketing, content and promotional materials to your email address;


j.        when Company is complying with or as required by any request or direction of any public authority; or responding to requests for information from regulatory agencies, ministries, statutory boards or other similar authorities,


k.      when Company performs financial reporting, regulatory reporting, management reporting, risk management reporting (including monitoring risk exposure) audit reporting,


l.        when Company seeks information about Data Subject and receive Data Subject’s Personal Data in connection with its relationship with Company, from business partners, public agencies, current – employer and the relevant authorities; and/or


m.   when Data Subject submits its Personal Data or the Personal Data of a third party (e.g. information on spouse, children, parents, and/or employees etc.) to Company for any other reason



7.     All the above activities are labelled as Purposes of Processing and are listed in the Company Records of Processing.


Company’s Purpose of Processing have a lawful and valid basis

8.     Company’s Purposes of Processing are grounded on one of the following basis:



the Data Subject whom the Personal Data is about has consented to the Processing.


the Processing is necessary:

a.     in relation to a contract which the Data Subject has entered into; or


b.     because the Data Subject has asked for something to be done so it can enter into a contract.


the Processing is necessary because of a legal obligation that applies to Company.


the processing is in accordance with the “legitimate interests” condition.

9.     The basis for each Company’s Purpose of Processing is mentioned in Company Records of Processing.


The Processing is limited to only what is necessary for achieving the Company’s Purpose of Processing

1.     Company’s Purposes of Processing are limited to certain categories of Data Subjects and to certain categories of Personal Data (data minimization)


10. Internal Regulations list the documents and thus the exact Personal Data that is to be requested from Data Subject and to be processed in respect of that Data Subject. On one hand, the appendices to the Internal Regulations enlist the template forms and the template contracts that have to be filled in and/or signed by the Data Subject. On the other hand, the Internal Regulations allow the Personal Data to be collected by word of mouth directly from the Data Subject and introduced directly in the IT system of Company


11. The Purposes of Processing refer to Personal Data which is not included in the category of „Special Categories of Personal Data” nor in the category of „Personal Data relating to criminal convictions and offences“, as these terms are defined in Section 2 of this policy.


12. Processing that entails „Special Categories of Personal Data” and/or „Personal Data relating to criminal convictions and offences“ is to be treated as an exception and is to be avoided for as much as possible (except if expressly required by an Internal Regulation or the provisions of a law).


13. Any supplementary Personal Data, outside the Personal Data specifically mentioned in the Company Records of Processing and outside the Personal Data mentioned in the Internal Regulations, cannot be requested from Data Subjects unless with prior authorization from the supervisory manager and/or the Data Protection Officer.


14. Any supplementary Personal Data, outside the Personal Data specifically mentioned in the Company Records of Processing and outside the Personal Data mentioned in the Internal Regulations, which reaches the Company (either intentional or accidentally), from other source than Data Subject, is to be treated as a data privacy incident and brought to the attention of the Data Protection Officer.


2.     Personal Data collected by Company is accurate, integral and confidential (accuracy and confidentiality)


15. All Personal Data collected by Company in relation to any Purpose of Processing must be accurate. Internal Regulations require that Company personnel makes sure that the Personal Data obtained directly from Data Subjects or indirectly is verified against relevant documentation.


16. The integrity and the confidentiality of all Personal Data collected by Company in relation to any Purpose of Processing is mandatory at all times. Internal Regulations require that Company personnel makes sure that the Personal Data obtained directly from Data Subjects or indirectly is safely stored and accessed only on a need to know basis.


3.     Processing of Personal Data within Company is performed for the period needed to fulfil the Purpose of Processing (storage limitation)


17. Depending on the Purpose of Processing, Personal Data collected by Company is kept in either hard-copy or electronic form (or both):

a.     for the time needed to accomplish the Purpose of Processing, or


b.     to the extent necessary to comply with an applicable legal requirement for the time mentioned by a law provision, or


c.      as advisable in light of an applicable statute of limitations.



18. Company sets and implements retention period of documents (regardless of their form and title which may contain or not Personal Data).


19. All personnel needs to analyze the Personal Data stored by them against the decided retention periods and decide to maintain or erase Personal Data accordingly.


4.     Personal Data collected by Company is accurate, integral and confidential (accuracy and confidentiality)


20. Generally, Personal Data will be used only for the Purpose(s) of Processing for which it was originally collected (original purpose). Personal Data may be Processed for legitimate purposes of Company different from the original purpose (secondary purpose) only if the original purpose and secondary purpose are closely related.


21. It is generally permissible to use Personal Data for the following secondary purposes:

a.     establishing the risk profile of the Data Subject or the company which the Data Subject represents, or


b.     internal audits or investigations; or


c.      dispute resolution or litigation; or


d.     regulatory reporting purposes.



22. Any Processing of Personal Data outside the Purposes of Processing specifically established in the Company Records of Processing will be immediately suspended and the situation will be brought to the attention of the Data Protection Officer as soon as possible.


23. Any change in the original Purpose of Processing will be assessed carefully and in case of doubt, Company’s personnel will bring the matter to the attention of Data Protection Officer, before executing any further processing.


Transfer of Personal Data

24. While rendering its services, the Company can transfer data to other country or international/foreign organizations but only if in that country or international/foreign organizations data security is guaranteed appropriately.


25. When transferring Personal Data to a state outside European Economic Area, the Company provides adequate guarantees of data protection on the basis of a contract concluded with that legal or physical person or international organization.


Profiling and Automated Data Decision Making

26. Processing in Company may involve profiling, automated decision making or both in case of:

a.     risk management purpose analyses with the view to ensure the security and reliability of the debt recovery process or to prevent and filter out fraud,


b.     periodic automatic review of the Data Subject’s payments.



27. In all such cases, Company will observe the rights of Data Subjects, as mentioned under the following section.



Under Data Protection Laws. Data Subjects have strict rights:

  • the right to be informed,


  • the right of access,


  • the right to rectification,


  • the right to erase (right to be forgotten),


  • the right to restrict processing,


  • the right to data portability,


  • the right to object,


  • rights in relation to automated decision making and profiling.


All Company personnel is aware and know how to react to any exercise of the Data Subjects’ rights.

Company informs the Data Subjects of the Processing activity

28. As a rule, documents that are given to Data Subject (either forms or contracts) contain all the required information for Company to observe the Company’s obligations to duly inform the Data Subjects of the Processing Activity.


29. Notwithstanding the letter of the documents given to Data Subjects, upon request, Company personnel will explain thoroughly to what business activity is the Processing related to, what type of Personal Data is requested from the Data Subject, and that Company has set-up appropriate organizational and technical measures to ensure that Personal Data is kept safe and confidential.


30. In case the Data Subjects are not required to fill in independently forms as Data Subjects are only required to submit certain documentation or to give their Personal Data verbally, Company personnel will have the obligation to inform the Data Subject of all the coordinates of the Processing activity. The checklist of the aspects that need to be brought to the attention of the Data Subject are the following:


What information must be supplied?

At the time the Personal Data are obtained:

Identity and contact details of the Data controller and the DPO

Purpose of the Processing and the lawful basis for the processing

The legitimate interests of the Data controller

Categories of Personal Data


Any recipient or categories of recipients of the Personal Data

Details of transfers to third country and safeguards

Retention period or criteria used to determine the retention period

The existence of each of Data Subject’s rights

The source the Personal Data originates from and whether it came from publicly accessible sources


Whether the provision of Personal Data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the Personal Data

The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences

31. In case of profiling and/or automated decision making, Company will ensure the observance of the Data Subject’s rights:

a.     duty to inform – Data Subject shall be informed, upon the commencement of data processing, of the fact of profiling/automated decision-making, the range of his/her Personal Data involved in profiling, the logic involved in the method applied and the possible consequences of automated decision-making on the Data Subject.

Where a decision can be delivered in a process either entirely as a result of an automated sub-process or also with human intervention, the Data Subject must then be informed of the cases where the Company can make decision entirely by automated means (as a result of a sub-process).

When informing about the logic the automated decision-making is based on, it is not necessary to disclose in detail the algorithm, formula or business rationale applied (this information need not to be so in-depth as to compromise the Company’s business secrets). It is suggested to present the operation of automated decision-making by using examples.


b.     revision of automated decisions: The Data Subject subjected to an automated decision-making is entitled to request human intervention from the Company, to make his/her position known and submit an objection against that decision. This right to challenge does not entitle the Data Subject to force the conclusion of the contract, but to dispute the decision based on automated data processing leading to the rejection of concluding the contract.

The Data Subject must be granted the opportunity in any case to avail of his/her right to make an objection.


c.      the right to object: if the legal basis for Processing is a legitimate interest of Company, the Data Subject is entitled to the right to object. It follows from the right to object that the Company must examine whether this objection is justified (i.e. whether the Data Subject’s interests override the Company’s interests) and decide on the objection.



Company personnel recognises and knows how to deal with a request from Data Subjects

32. EU Data Protection Laws impose that any Data Subject request is responded as soon as possible but no later than 30 days from receipt.


33. Company employees will treat with the utmost importance all enquiries from Data Subjects about the Processing activity.


34. In all cases, Company employees will inform Data Subjects that they may submit a formal request and/or a complaint to the designated address, representing the contact details of the DPO appointed by the Company.



1.     Data Protection Officer appointed by Company


35. The Company appoints a Data Protection Officer that fulfils the required skills profile as defined in the EU Data Protection Laws:

a.     Data Protection Officer function is established as a position directly subordinated and in direct reporting line to Top Management;


b.     Data Protection Officer function is not subject to conflicting interests;


c.      Company involves Data Protection Officer properly and in a timely manner in all issues which relate to the protection of Personal Data;



36. Company shall:

a.     publish the contact details of the Data Protection Officer to Data Subjects and also internally on Company’s intranet, internal telephone directory, and organizational charts to ensure that his or her existence and function is known within the organization;


b.     communicate the contact details to the competent supervisory authority;


c.      make sure that Data Protection Officer is invited to participate regularly in meetings of senior management;


d.     always give a due weight to Data Protection Officer´s opinion. In case of disagreement it is important to document the reasons for not following the Data protection Officer’s advice;


e.     promptly and without undue delay consult the Data Protection Officer once a data breach or other incident has occurred;


f.       support Data Protection Officer by ‘providing resources necessary to carry out his/her tasks and access to Personal Data and processing operations, and to maintain his or her expert knowledge’.


g.     provide the Data Protection Officer with regular training. Data Protection Officer will be given the opportunity to stay up to date with regard to developments within data protection. The aim should be to constantly increase the level of expertise of Data Protection Officer, he/she should be encouraged to participate in training courses on data protection and other forms of professional development, such as participation in privacy fora, workshops, etc.;


h.     ensure that the Data Protection Officer ‘does not receive any instructions regarding the exercise of his or her tasks’.



37. Data Protection Officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks.


2.     Internal roles dedicated to Data Protection Compliance at business departments’ level


38. Data protection compliance is a continuous independent responsibility for each and every employee of the Company and failure to observe this policy may lead to professional liability.


3.     Internal Regulations


39. As a general statement, this Data Protection Policy supplements all existing policies. In case of any discrepancies within this Data Protection Policy and EU Data Protection Laws, the latter shall prevail.


Data Protection Policy

Company 2021