PERSONAL DATA PROTECTION POLICY

On the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council dated April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation) and the Act on the Implementation of the General Regulation on Data Protection (NN 42/2018) the Board of RENAISSANCE CAPITAL d.o.o. adopts on January 3, 2023

PERSONAL DATA PROTECTION POLICY

POLICY GOAL

The Personal Data Protection Policy of RENAISSANCE CAPITAL d.o.o. (hereinafter abbreviated as: Policy) is a fundamental act through which the framework for the protection of personal data is established and the rules related to the protection of individuals regarding the collection and processing of personal data in the business of RENAISSANCE CAPITAL d.o.o. and its affiliated companies RENAISSANCE REAL ESTATE d.o.o., RENAISSANCE BIOENERGY d.o.o., Petrinja Chicken Company d.o.o. and LUXCONSULT d.o.o. (hereinafter: members of the RC Group). The policy is applied by all members of the RC Group after they have adopted it through the decisions of their competent bodies.

The goal of the Policy is to establish processes for the protection and management of personal data of employees, respondents, business partners of members of the RC Group, as well as other persons whose data is processed.

The policy applies to all processing of personal data within members of the RC Group, except in cases where anonymized data is processed, or the processing is of such a nature that it is not possible to identify an individual.

DEFINITIONS

Personal data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing – means the marking of stored personal data with the aim of limiting their processing in the future.

Profiling - means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Pseudonymisation - means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Controller - means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processor - means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Recipient - means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

Third party - means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

Personal data breach - means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Binding corporate rules - means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity

Supervisory authority – Croatian Personal Data Protection Agency

Distribution channels - represent the means and methods through which access, contracting and/or use of products and services of RENAISSANCE CAPITAL and members of the RC Group are enabled, as well as the sending of commercial offers and information related to products and services

Personal data protection officer - employee of RENAISSANCE CAPITAL d.o.o. appointed by the decision of the Management Board, the company in accordance with Article 37 of the General Data Protection Regulation

PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA

When processing the personal data of data subjects, RENAISSANCE CAPITAL and members of the RC Group are obliged to comply with the principles listed below, in order for the processing to be considered legal, and each member of the RC Group, as the manager of personal data processing, is responsible for compliance with the principles of processing and must be able to prove them ("reliability principle").

RC Group members process personal data in accordance with the following principles:

Lawfullness and fairness - in accordance with the applicable laws and fulfilling all the rights of the respondents,
Transparency - providing data subjects with all the necessary information and ensuring that their rights are met upon request
In addition to limiting the purpose - personal data collected for specific, explicit, and legitimate purposes will not be processed in a manner that is inconsistent with these purposes
Subject to a storagelimitation- the personal data of the data subject will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (except for the obligations arising from the Law on Archival Material and Archives) or legitimate interest (e.g., in case of litigation)
Data reduction- personal data is collected in such a way that it is appropriate, relevant, and limited to what is necessary in relation to the purpose for which it is processed
Accuracy – personal data must be accurate and up to date, with reasonable measures taken to ensure that personal data that are inaccurate are erased or amended without delay
Integrity and confidentiality –data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

Employees of members of the RC Group will access data of respondents depending on their authorizations and positions in order to fulfill obligations according to their positions. When concluding contracts on business cooperation with other legal entities, members of the RC Group will take care to regulate the processing of personal data by contractual provisions and determine the respective roles of the contracting parties with regard to the processing of personal data.

LAWFULLNESS OF PERSONAL DATA PROCESSING

In order to provide services to the data subject, RC Group members must process a set of personal data necessary to provide a particular service - otherwise they will not be able to provide the service.

Therefore, with the aim of lawful processing of personal data, members of the RC Group process personal data when one of the following conditions is met:

processing is necessary for the execution of a contract in which the respondent is a party or to take actions at the request of the data subject before concluding the contract
processing is necessary in order to comply with the legal obligations of the controller - for example, in the case of data collection related to the Law on Prevention of Money Laundering and Financing of Terrorism (Members of the RC Group will collect and process the set of data, and if the data subject refuses to hand over the requested set of data, the Member of the RC Group will not be able to provide services)
processing is necessary for the purposes of the legitimate interests of the controller or a third party, except when these interests are stronger than the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child. Legitimate interest means, for example, taking measures to protect persons, premises or property of members of the RC Group, which includes control or records of entry, exit and access to business premises or protected premises, including the processing of personal data through the video surveillance system in business premises or individual processing for the purpose of managing operational or reputational risks, and processing for the purpose of direct marketing to the extent that respondents did not object to such processing,
processing is necessary to protect the key interests of the data subject or other natural person
the processing is necessary for the performance of a task of public interest or in the exercise of the official authority of the data controller,
the respondent has given his consent for the processing of his personal data for one or more special purposes - the consent must be given voluntarily and must be demonstrable, written in easy-to-understand language. The subject can withdraw consent at any time, of which the subject must be informed in advance, and the withdrawal procedure is as simple as the procedure for giving consent.

Each organizational unit within the members of the RC Group is obliged to identify the legality of any processing of personal data that is within their jurisdiction, and will include a Personal Data Protection Officer who will advise them.

DATA SUBJECTS’ RIGHTS

If the personal data relating to the subject are collected from the subject, the data controller provides all the following information to the data subject at the time of collecting the personal data: the identity and contact details of the data controller, the contact details of the data protection officer, the processing purposes for which the personal data are used, as well as legal basis for processing, legitimate interests, recipients or categories of recipients of personal data, intention to transfer personal data to a third country (if any), period in which personal data will be stored or its storage criteria, rights related to consent, potential existence of automated decision-making, which includes the creation of a profile and meaningful information about the logic, as well as the importance and anticipated consequences of such processing for the data subject, and the existence of the rights listed below. In case the data is not collected directly from the data subject, the source of the personal data is indicated along with the above information.

Members of the RC Group process the data in accordance with the rights of the data subject as set out below:

Right to be forgotten - The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing
the data subject objects to the processing pursuant and there are no overriding legitimate grounds for the processing
the personal data have been unlawfully processed;
the personal data must be erased for compliance with a legal obligation.

Right to restriction of processing - The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
the accuracy of the personal data is contested by the data subject,
the processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

Right to rectification - The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her – as well as to supplement incomplete personal data concerning him or her.

Right to object – the data subjectshall have the right granted by the European legislator to object, at any time, to processing of personal data concerning him or her. Member states shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

The data subject must at all times demand the realization of any of his rights. A member of the RC Group shall provide information to the data subject on the basis of his or her request on the action taken without undue delay within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.A data subject who, after contacting a member of the RC Group, has failed to exercise his rights or considers that his right to personal data protection has been violated may contact the Personal Data Protection Agency with a request to establish a breach of the right to the protection of personal data at: www.azop.hr.

Information provided for the realization of the rights of the data subject is provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or;
or refuse to act on the request.

OBLIGATIONS OF RC GROUP MEMBERS

Members of the RC Group appear as controllers in some business processes and in others as joint controllers, while they can also act as processors.

A member of the RC Group is a data controller in the businessoflegal processes where it has independently determined the purpose and method of processing personal data, while the joint controller is in business processes where, with other controllers, determines the purpose and manner of processing personal data of the data subject. An individual member of the RC Group may also be a processor in situations where it processes data on behalf of the controller.

Members of the RC Group shall continuously implement appropriate technical and organisational protection measures taking into account the nature, scope and purpose of the processing, including:

organizational and technical measures are continuously taken to protect the personal data of data subjects, apply cryptographic methods of data protection to the extent possible, and continuously improve systems to protect and prevent data leaks (through firewalls, passwords, antivirus programs, encryption, etc.) ,
the equipment on which personal data is stored is placed in a secure environment with limited physical access,
employees of RC Group members are strictly prohibited from using personal data except for the purpose for which they are collected,
employees of members of the Ghole RC are obliged to confidentialize the data they learn in the performance of their work tasks,
the implementation of the Personal Data Management Policy, as well as the Procedure and instructions related to the protection of personal data, is regularly checked within the members of the RC Group, and the verification is carried out by the Data Protection Officer, the Compliance Department and the Internal Audit Office,
trainings are regularly conducted within the members of the RC Group in order to make awareness of the importance of personal data protection satisfactory.

AUTOMATED INDIVIDUAL DECISION-MAKING

Members of the RC Group do not apply automated data processing in their business, which would result in negative legal consequences for the data subject.

PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

Members of the RC Group do not process data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or an individual's sexual orientation.

USE OF PERSONAL DATA IN BUSINESS WITH BUSINESS ENTITIES

Business subjects within the members of the RC Group can be any legal entity, state authority, local or regional self-government and their bodies, associations and institutions, as well as any natural person (non-consumer) operating within the area of their registered economic activity or self-employment.

Members of the RC Group collect and process data on business entities, transactions, use of products and services, and personal data of natural persons (non-consumers) operating within the scope of their registered activity or self-employment, as well as personal data of natural persons (consumers) who are associated with business entities ( natural persons, owners of a business entity, persons authorized to represent a business entity, proxies and other natural persons whose personal data was provided by the business entity to a member of the RC Group for use for the purpose of establishing and maintaining a business relationship). This data is collected, processed and shared by members of the RC Group in accordance with the legal processing of data in the following cases:

establishing identity,
prevention of risks that may arise from a business relationship,
harmonization with the legal framework of the Republic of Croatia and the European Union,
contracting and using products and services provided by RC Group members,
collection of receivables,
reporting,
statistical processing,
contact for the purpose of fulfilling a contractual relationship,
contact for marketing purposes.

Members of the RC Group can share data on business entities that include personal data of natural persons (non-consumers) who operate within the area of their registered activity or self-employment and personal data of natural persons (consumers) who are connected to business entities while meeting the legality of the processing and in accordance with defined principles of processing according to:

a member of the RC Group
legislative, supervisory and regulatory bodies within and outside the territory of the Republic of Croatia,
financial institutions with which the RC Group member cooperates,
auditors and consultants inside and outside RC Group members.

DATA STORAGE DEADLINES

Members of the RC Group process and store personal data as long as it is necessary to fulfill contractual and legal obligations. A special internal act establishes the terms of keeping documentation and data that the member of the RC Group processes in its operations. For example, according to the Accounting Act, personal data is kept for 11 years from the year in which the business relationship ended, while according to the Law on Prevention of Money Laundering and Financing of Terrorism, members of the RENAISSANCE CAPITAL Group are obliged to keep it for 10 years after the termination of the business relationship, i.e. the performance of occasional transactions.

PERSONAL DATA PROTECTION OFFICER

Members of the RC Group have appointed a joint Data Protection Officer who is independent and responsible for the system of protection of personal data of data subjects within the members of the RC Group. It shall report directly to the highest management levels of the RC Group members and shall be bound by secrecy and confidentiality in relation to the performance of its tasks.

The data protection officer shall have at least the following tasks:

to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions,
to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits,
to provide advice where requested as regards the data protection impact assessment and monitor its performance,
to cooperate with the supervisory authority,
to act as the contact point for the supervisory authority on issues relating to processing.

The Data Protection Officer is also the primary point of contact for data subjects who want to exercise their rights or send an inquiry related to the protection of personal data, request additional information, file a complaint related to the protection of personal data.

Data subjects may contact the Data Protection Officer via e-mail address:[email protected].

DATA PROTECTION IMPACT ASSESSMENT

Each individual member of the RC Group is obliged, when the role of the controller, to carry out an impact assessment if some type of processing is likely to result in a high risk to the rights and freedoms of data subjects before the processing of personal data is initiated (e.g. when using new technologies or technological solutions for the processing of personal data or processing of personal data of employees using applications or systems for monitoring work, etc.). The data protection officer will establish the process and be supportive in carrying out the assessment in question.

The impact assessment shall contain a minimum of:

a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest,
an assessment of the necessity and proportionality of the processing operations in relation to the purposes,
an assessment of the risks to the rights and freedoms of data subjects,
the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.

RECORDS OF PROCESSING ACTIVITIES

Members of the RC Group shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer,
the purposes of the processing,
a description of the categories of data subjects and of the categories of personal data,
the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations,
the envisaged time limits for erasure of the different categories of data,
the general description of the technical and organisational security measures

The Personal Data Protection Officer is responsible for maintaining a record of processing activities and establishing a processing record management process, and all organizational units within individual members of the RC Group are responsible for providing accurate and timely information to keep records up to date.

INCIDENTS

Members of the RC Group take procedural and technological measures on a daily basis to protect the personal data of data subjects. Employees are obliged to inform the Personal Data Protection Officer in the event of an incident that constitutes a personal data breach.

In the event that the breach is likely to cause a risk to the rights and freedoms of the individual, a Member of the RC Group shall notify the Personal Data Protection Agency within 72 hours after becoming aware of the breach and inform the data subject himself of the same.

A member of the RC Group is exceptionally not obliged to inform the respondent himself:

if appropriate technical measures have been applied to personal data (encryption - so this would make the data unintelligible to unauthorized persons)
or has taken subsequent measures to ensure that a high risk to the rights and freedoms of the data subject is no longer likely to occur.
if this would entail a disproportionate effort, and in such a case, public notification or a similar measure will be applied, which will inform the respondents in an equally effective way.

FINAL PROVISIONS

The Data Protection Officer is obliged to regularly check and update the Personal Data Protection Policy and propose appropriate amendments to the Management Board.

The policy shall enter into force and shall apply on the date of adoption.